def query(self, view_kwargs): """ query method for speakers list class :param view_kwargs: :return: """ query_ = self.session.query(Speaker) query_ = event_query(query_, view_kwargs) if view_kwargs.get('user_id'): user = safe_query_kwargs(User, view_kwargs, 'user_id') query_ = query_.join(User).filter(User.id == user.id) if view_kwargs.get('session_id'): session = safe_query_kwargs(Session, view_kwargs, 'session_id') # session-speaker :: many-to-many relationship query_ = Speaker.query.filter(Speaker.sessions.any(id=session.id)) if is_logged_in() and not has_access('is_coorganizer', event_id=session.event_id): if not has_access('is_session_self_submitted', session_id=session.id): query_ = query_.filter(Session.state == "approved" or Session.state == "accepted") return query_
def before_get(self, args, kwargs): if is_logged_in() and has_access('is_admin'): self.schema = VideoChannelSchema else: self.schema = VideoChannelSchemaPublic if kwargs.get('video_stream_id'): stream = safe_query_kwargs(VideoStream, kwargs, 'video_stream_id') kwargs['id'] = stream.channel_id
def before_get(self, args, kwargs): """ method to assign proper schema based on admin access :param args: :param kwargs: :return: """ if is_logged_in() and has_access('is_admin'): self.schema = TaxSchema else: self.schema = TaxSchemaPublic
def before_get(self, args, kwargs): """ method for assigning schema based on admin access :param args: :param kwargs: :return: """ if is_logged_in() and (has_access('is_admin') or kwargs.get('user_id')): self.schema = EventSchema else: self.schema = EventSchemaPublic
def event_query( query_, view_kwargs, event_id='event_id', event_identifier='event_identifier', permission=None, restrict=False, ): """ Queries the event according to 'event_id' and 'event_identifier' and joins for the query For draft events, a 404 is raised If the user is not logged in or does not have required permissions, 403 is raised For a draft event, unless the user is organizer+ or has access to the passed permission, 404 will always be raised, regardless of restrict being True or not. For a published event, if restrict is False, the query will allowed. If restrict is True, then the passed permission or co-organizer access will be enforced. If the permission passes, query will be allowed, otherwise, a 403 will be thrown :param event_id: String representing event_id in the view_kwargs :param event_identifier: String representing event_identifier in the view_kwargs :param query_: Query object :param view_kwargs: view_kwargs from the API :param permission: the name of the permission to be applied as a string. Default: is_coorganizer :return: """ permission = permission or 'is_coorganizer_endpoint_related_to_event' event = None if view_kwargs.get(event_id): event = safe_query_kwargs(Event, view_kwargs, event_id) elif view_kwargs.get(event_identifier): event = safe_query_kwargs(Event, view_kwargs, event_identifier, 'identifier') if event: forbidden = not is_logged_in() or not has_access(permission, event_id=event.id) if event.state != 'published' and forbidden: raise ObjectNotFound( {'parameter': event_id}, f"Event: {event.id} not found", ) if restrict and forbidden: raise ForbiddenError( {'parameter': event_id}, f"You don't have access to event {event.id}", ) query_ = query_.join(Event).filter(Event.id == event.id) return query_
def after_get_object(self, session, view_kwargs): if not session: return is_speaker_or_admin = is_logged_in() and has_access( 'is_speaker_for_session', id=session.id) if current_user: speaker_invite = SpeakerInvite.query.filter_by( email=current_user.email, session_id=session.id, status='pending').first() if (session.state not in ['accepted', 'confirmed'] and not is_speaker_or_admin and not speaker_invite): raise ObjectNotFound({'parameter': '{id}'}, "Session: not found")
def before_get(self, args, kwargs): """ method for assigning schema based on access :param args: :param kwargs: :return: """ kwargs = get_id(kwargs) if is_logged_in() and has_access('is_coorganizer', event_id=kwargs['id']): self.schema = EventSchema else: self.schema = EventSchemaPublic
def query(self, view_kwargs): """ query method for resource list :param view_kwargs: :return: """ if is_logged_in(): verify_jwt_in_request() if current_user.is_super_admin or current_user.is_admin: query_ = self.session.query(Ticket) elif view_kwargs.get('event_id') and has_access( 'is_organizer', event_id=view_kwargs['event_id']): query_ = self.session.query(Ticket) else: query_ = self.session.query(Ticket).filter_by(is_hidden=False) else: query_ = self.session.query(Ticket).filter_by(is_hidden=False) if view_kwargs.get('ticket_tag_id'): ticket_tag = safe_query_kwargs(TicketTag, view_kwargs, 'ticket_tag_id') query_ = query_.join(ticket_tags_table).filter_by( ticket_tag_id=ticket_tag.id) query_ = event_query(query_, view_kwargs) if view_kwargs.get('access_code_id'): access_code = safe_query_kwargs(AccessCode, view_kwargs, 'access_code_id') # access_code - ticket :: many-to-many relationship query_ = Ticket.query.filter( Ticket.access_codes.any(id=access_code.id)) if view_kwargs.get('discount_code_id'): discount_code = safe_query_kwargs( DiscountCode, view_kwargs, 'discount_code_id', ) # discount_code - ticket :: many-to-many relationship query_ = Ticket.query.filter( Ticket.discount_codes.any(id=discount_code.id)) if view_kwargs.get('order_identifier'): order = safe_query_kwargs(Order, view_kwargs, 'order_identifier', 'identifier') ticket_ids = [] for ticket in order.tickets: ticket_ids.append(ticket.id) query_ = query_.filter(Ticket.id.in_(tuple(ticket_ids))) return query_
def query(self, view_kwargs): query_ = UserFollowGroup.query if view_kwargs.get('user_id') is not None: user = safe_query_kwargs(User, view_kwargs, 'user_id') if user != current_user or not is_logged_in(): raise ForbiddenError({'pointer': 'user_id'}) query_ = query_.filter_by(user_id=user.id) elif view_kwargs.get('group_id') is not None: group = safe_query_kwargs(Group, view_kwargs, 'group_id') query_ = query_.filter_by(group_id=group.id) return query_
def before_get(self, args, kwargs): """ before get method to get the resource id for fetching details :param args: :param kwargs: :return: """ if 'id' in kwargs: try: tax = Tax.query.filter_by(id=kwargs['id']).one() except NoResultFound: raise ObjectNotFound({'parameter': 'id'}, f"Tax: Not found for id {id}") if is_logged_in() and has_access('is_coorganizer', event_id=tax.event_id): self.schema = TaxSchema else: self.schema = TaxSchemaPublic else: if is_logged_in() and has_access('is_coorganizer', event_id=kwargs['event_id']): self.schema = TaxSchema else: self.schema = TaxSchemaPublic
def before_get(self, args, kwargs): refresh = request.args.get('refresh') if refresh == 'true': refresh_settings() kwargs['id'] = 1 if is_logged_in(): verify_jwt_in_request() if current_user.is_admin or current_user.is_super_admin: self.schema = SettingSchemaAdmin else: self.schema = SettingSchemaNonAdmin else: self.schema = SettingSchemaPublic
def get_event_query(): query_ = Event.query if get_jwt_identity() is None or not current_user.is_staff: # If user is not admin, we only show published events query_ = query_.filter_by(state=Event.State.PUBLISHED) if is_logged_in(): # For a specific user accessing the API, we show all # events managed by them, even if they're not published verify_jwt_in_request() query2 = Event.query query2 = (query2.join(Event.roles).filter_by( user_id=current_user.id).join(UsersEventsRoles.role).filter( or_( Role.name == Role.COORGANIZER, Role.name == Role.ORGANIZER, Role.name == Role.OWNER, ))) query_ = query_.union(query2) return query_
def before_update_object(self, group, data, view_kwargs): """ before update object method of group details :param group: :param data: :param view_kwargs: :return: """ user = User.query.filter_by(id=current_user.id).one() if not is_logged_in() or not is_owner_or_organizer(group, user): raise ForbiddenError({'source': 'user_id'}, "Group owner or organizer access required") for event in data.get('events', []): if not has_access('is_owner', event_id=event): raise ForbiddenError({'source': ''}, "Event owner access required") if data.get('banner_url'): start_image_resizing_tasks(group, data['banner_url'])
def before_post(self, args, kwargs, data): """ before post method to check for required relationship and proper permission :param args: :param kwargs: :param data: :return: """ require_relationship(['event'], data) if is_logged_in(): verify_jwt_in_request() else: raise ForbiddenError( {'source': ''}, 'Only Authorized Users can favourite an event' ) data['user'] = current_user.id user_favourite_event = find_user_favourite_event_by_id(event_id=data['event']) if user_favourite_event: raise ConflictError( {'pointer': '/data/relationships/event'}, "Event already favourited" )
def query(self, view_kwargs): query_ = UserFavouriteSession.query if view_kwargs.get('user_id'): user = safe_query_kwargs(User, view_kwargs, 'user_id') if user != current_user and not ( (is_logged_in() and has_access('is_admin')) or user.is_profile_public): raise ForbiddenError({'pointer': 'user_id'}) query_ = query_.filter_by(user_id=user.id) elif view_kwargs.get('session_id'): session = safe_query_kwargs(Session, view_kwargs, 'session_id') query_ = query_.filter_by(session_id=session.id) elif view_kwargs.get('event_id'): event = safe_query_kwargs(Event, view_kwargs, 'event_id') query_ = query_.join( UserFavouriteSession.session).filter_by(event_id=event.id) elif not has_access('is_admin'): raise ForbiddenError({'pointer': 'user_id'}, 'Admin Access Required') return query_
def after_get_object(self, event, view_kwargs): if event and event.state == "draft": if not is_logged_in() or not has_access('is_coorganizer', event_id=event.id): raise ObjectNotFound({'parameter': '{id}'}, "Event: not found")
def after_get_object(self, session, view_kwargs): is_speaker_or_admin = is_logged_in() and has_access( 'is_speaker_for_session', id=session.id ) if session.state not in ['accepted', 'confirmed'] and not is_speaker_or_admin: raise ObjectNotFound({'parameter': '{id}'}, "Session: not found")
def query(self, view_kwargs): """ query method for EventList class :param view_kwargs: :return: """ query_ = self.session.query(Event) if get_jwt_identity() is None or not current_user.is_staff: # If user is not admin, we only show published events query_ = query_.filter_by(state='published') if is_logged_in(): # For a specific user accessing the API, we show all # events managed by them, even if they're not published verify_jwt_in_request() query2 = self.session.query(Event) query2 = (query2.join(Event.roles).filter_by( user_id=current_user.id).join(UsersEventsRoles.role).filter( or_( Role.name == COORGANIZER, Role.name == ORGANIZER, Role.name == OWNER, ))) query_ = query_.union(query2) if view_kwargs.get('user_id') and 'GET' in request.method: if not has_access('is_user_itself', user_id=int(view_kwargs['user_id'])): raise ForbiddenError({'source': ''}, 'Access Forbidden') user = safe_query_kwargs(User, view_kwargs, 'user_id') query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join( UsersEventsRoles.role).filter(Role.name != ATTENDEE)) if view_kwargs.get('user_owner_id') and 'GET' in request.method: if not has_access('is_user_itself', user_id=int(view_kwargs['user_owner_id'])): raise ForbiddenError({'source': ''}, 'Access Forbidden') user = safe_query_kwargs(User, view_kwargs, 'user_owner_id') query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join( UsersEventsRoles.role).filter(Role.name == OWNER)) if view_kwargs.get('user_organizer_id') and 'GET' in request.method: if not has_access('is_user_itself', user_id=int(view_kwargs['user_organizer_id'])): raise ForbiddenError({'source': ''}, 'Access Forbidden') user = safe_query_kwargs(User, view_kwargs, 'user_organizer_id') query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join( UsersEventsRoles.role).filter(Role.name == ORGANIZER)) if view_kwargs.get('user_coorganizer_id') and 'GET' in request.method: if not has_access('is_user_itself', user_id=int(view_kwargs['user_coorganizer_id'])): raise ForbiddenError({'source': ''}, 'Access Forbidden') user = safe_query_kwargs(User, view_kwargs, 'user_coorganizer_id') query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join( UsersEventsRoles.role).filter(Role.name == COORGANIZER)) if view_kwargs.get( 'user_track_organizer_id') and 'GET' in request.method: if not has_access('is_user_itself', user_id=int( view_kwargs['user_track_organizer_id'])): raise ForbiddenError({'source': ''}, 'Access Forbidden') user = safe_query( User, 'id', view_kwargs['user_track_organizer_id'], 'user_organizer_id', ) query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join( UsersEventsRoles.role).filter(Role.name == TRACK_ORGANIZER)) if view_kwargs.get('user_registrar_id') and 'GET' in request.method: if not has_access('is_user_itself', user_id=int(view_kwargs['user_registrar_id'])): raise ForbiddenError({'source': ''}, 'Access Forbidden') user = safe_query_kwargs(User, view_kwargs, 'user_registrar_id') query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join( UsersEventsRoles.role).filter(Role.name == REGISTRAR)) if view_kwargs.get('user_moderator_id') and 'GET' in request.method: if not has_access('is_user_itself', user_id=int(view_kwargs['user_moderator_id'])): raise ForbiddenError({'source': ''}, 'Access Forbidden') user = safe_query_kwargs(User, view_kwargs, 'user_moderator_id') query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join( UsersEventsRoles.role).filter(Role.name == MODERATOR)) if view_kwargs.get('user_marketer_id') and 'GET' in request.method: if not has_access('is_user_itself', user_id=int(view_kwargs['user_marketer_id'])): raise ForbiddenError({'source': ''}, 'Access Forbidden') user = safe_query_kwargs(User, view_kwargs, 'user_marketer_id') query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join( UsersEventsRoles.role).filter(Role.name == MARKETER)) if view_kwargs.get('user_sales_admin_id') and 'GET' in request.method: if not has_access('is_user_itself', user_id=int(view_kwargs['user_sales_admin_id'])): raise ForbiddenError({'source': ''}, 'Access Forbidden') user = safe_query_kwargs(User, view_kwargs, 'user_sales_admin_id') query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join( UsersEventsRoles.role).filter(Role.name == SALES_ADMIN)) if view_kwargs.get('event_type_id') and 'GET' in request.method: query_ = self.session.query(Event).filter( getattr(Event, 'event_type_id') == view_kwargs['event_type_id']) if view_kwargs.get('event_topic_id') and 'GET' in request.method: query_ = self.session.query(Event).filter( getattr(Event, 'event_topic_id') == view_kwargs['event_topic_id']) if view_kwargs.get('event_sub_topic_id') and 'GET' in request.method: query_ = self.session.query(Event).filter( getattr(Event, 'event_sub_topic_id') == view_kwargs['event_sub_topic_id']) if view_kwargs.get('discount_code_id') and 'GET' in request.method: event_id = get_id(view_kwargs)['id'] if not has_access('is_coorganizer', event_id=event_id): raise ForbiddenError({'source': ''}, 'Coorganizer access is required') query_ = self.session.query(Event).filter( getattr(Event, 'discount_code_id') == view_kwargs['discount_code_id']) return query_
def before_get(self, args, kwargs): if is_logged_in() and has_access('is_admin'): self.schema = VideoChannelSchema else: self.schema = VideoChannelSchemaPublic