def get_community_of(obj):
    """Return the community (a ``Group``) that *obj* belongs to, or ``None``.

    A ``Group`` is its own community; for a ``User`` the current community is
    used; any other object is expected to expose an ``owner_group`` attribute,
    and ``None`` is returned when it does not.
    """
    from django.contrib.auth.models import Group, User
    from curia import get_current_community

    if isinstance(obj, Group):
        return obj
    if isinstance(obj, User):
        return get_current_community()
    # getattr with a default swallows exactly AttributeError, like the
    # try/except it replaces.
    return getattr(obj, 'owner_group', None)
def get_community_of(obj):
    """Resolve the community ``Group`` for *obj*.

    Returns *obj* itself when it is a ``Group``, the current community when it
    is a ``User``, otherwise ``obj.owner_group`` (``None`` if that attribute is
    missing).
    """
    from django.contrib.auth.models import Group, User
    from curia import get_current_community

    resolvers = (
        (Group, lambda group: group),
        (User, lambda _user: get_current_community()),
    )
    for model, resolve in resolvers:
        if isinstance(obj, model):
            return resolve(obj)
    # Only a missing attribute maps to None; any other error propagates.
    return getattr(obj, 'owner_group', None)
def has_admin_access(user, obj, content_type, command):
    """Return the admin-level decision for *user* on *content_type*, or ``None``.

    Looks up the ``UserPermission`` row for *user* whose object is the
    current community and whose command is ``'administrate <content_type>'``.
    A row with ``deny`` set yields a denying ``PermissionResponse``, any other
    row a granting one, and ``None`` means no admin row exists so the caller
    should fall through to its next check.  *obj* and *command* are accepted
    for signature parity with the other ``has_*`` helpers but are not
    consulted here: the grant is scoped to the community, not to *obj*.
    """
    from curia.authentication.models import UserPermission

    try:
        community = get_current_community()
        admin_row = UserPermission.objects.get(
            user=user,
            object_id=community.id,
            content_type=get_content_type(community),
            command='administrate %s' % content_type,
        )
    except UserPermission.DoesNotExist:
        return None

    if admin_row.deny:
        return PermissionResponse(False, u'user is anti-admin for %s' % content_type)
    return PermissionResponse(True, u'user is admin for %s' % content_type)
def has_admin_access(user, obj, content_type, command):
    """Check whether *user* holds (or is denied) admin rights for *content_type*.

    The check is keyed on the current community: it fetches the
    ``UserPermission`` for *user* on that community with command
    ``'administrate <content_type>'``.  Returns ``PermissionResponse(False, ...)``
    when the row is a denial, ``PermissionResponse(True, ...)`` when it is a
    grant, and ``None`` when there is no row at all.  *obj* and *command* are
    unused by this helper.
    """
    from curia.authentication.models import UserPermission

    try:
        community = get_current_community()
        lookup = dict(
            user=user,
            object_id=community.id,
            content_type=get_content_type(community),
            command='administrate %s' % content_type,
        )
        permission = UserPermission.objects.get(**lookup)
    except UserPermission.DoesNotExist:
        return None

    granted = not permission.deny
    reason = (u'user is admin for %s' if granted else u'user is anti-admin for %s') % content_type
    return PermissionResponse(granted, reason)
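def has_perm(user, obj, command):
    """Decide whether *user* may run *command* on *obj*.

    Checks run in a fixed order and the first one that yields a
    ``PermissionResponse`` wins: ownership, community creator, the object's
    ``deleted`` flag (for ``'add'``), public-user grants, Django permissions,
    admin rights, per-object and per-group grants, "everyone" grants,
    content-type grants, the owner chain, and finally the built-in defaults.
    Helper functions return ``None`` to mean "no opinion", so a helper's
    result is only returned when it is not ``None``.

    Args:
        user: the requesting user; an anonymous user is evaluated as the
            public user.
        obj: the target object, or ``None`` to mean the user themself.
        command: the action name, e.g. ``'view'``, ``'add'``, ``'edit'``
            (``'edit'`` is mapped to Django's ``'change'``).  A multi-word
            command is retried with its first word as a last resort.

    Returns:
        A ``PermissionResponse``; the function always reaches a decision.

    Raises:
        WrongCommunityException: when *obj* belongs to a community other than
            the current one and none of the earlier checks has already
            decided.  NOTE(review): because the community check sits after
            the explicit-grant checks, a grant stored for the object still
            applies across communities — confirm that this is intended.
    """
    owner = get_owner(obj)
    if owner == user:
        return PermissionResponse(True, 'user always has access on owned objects')

    from curia.authentication.models import GroupPermission
    from django.contrib.auth.models import User, Group

    # get_community_of() returns None for objects without an owner_group
    # (including obj=None); guard it so the creator check cannot raise.
    obj_community = get_community_of(obj)
    if obj_community is not None and obj_community.meta.created_by == user:
        return PermissionResponse(True, 'user is creator of current community')

    if command == 'add' and getattr(obj, 'deleted', False):
        # Fail closed: the value must match the message, which states a
        # denial (the previous code returned True here).
        return PermissionResponse(False, 'add access is always denied on deleted objects')

    # translate from function naming convention to django permission naming convention
    if command == 'edit':
        command = 'change'

    if obj is None:
        obj = user

    if obj == user and command == 'view':
        return PermissionResponse(True, u'user can always view himself')

    if user.is_anonymous():
        return has_perm(get_public_user(), obj, command)

    public_user = get_public_user()
    if user != public_user:
        # A decision for the public user applies to everyone.  Relies on a
        # denying PermissionResponse being falsy, as the owner-chain check
        # below also assumes.
        public_response = has_perm(user=public_user, obj=obj, command=command)
        if public_response:
            return public_response

    response = has_django_perm(user, obj, command)
    if response is not None:
        return response

    content_type = get_content_type(obj)

    if user != public_user:
        response = has_admin_access(user, obj, content_type, command)
        if response is not None:
            return response

    response = has_access_on_object(user, obj, content_type, command)
    if response is not None:
        return response

    response = has_group_access_on_object(user, obj, content_type, command)
    if response is not None:
        return response

    # check content type level access
    everyone_permissions = get_objects_from(GroupPermission,
                                            group=get_everyone_group(),
                                            command=command,
                                            content_type=content_type,
                                            object_id=obj.id)
    if everyone_permissions:
        if everyone_permissions[0].deny:
            return PermissionResponse(False, u'everyone is denied access')
        return PermissionResponse(True, u'everyone is granted access')

    response = has_access_on_content_type(user, content_type, command)
    if response is not None:
        return response

    response = has_group_access_on_content_type(user, content_type, command)
    if response is not None:
        return response

    if owner is not None:
        # check global access on the owner
        response = has_perm(user=user, obj=owner, command=command)
        # ignore access denied here, because we will check defaults and then return access denied later if need be
        if response:
            return response

    # default access levels
    if obj == user:
        return PermissionResponse(
            True, u'user has full access on self unless specifically denied')

    if command in ('view', 'add') and isinstance(obj, Group):
        if user in obj.user_set.all():
            return PermissionResponse(
                True,
                'everyone has view and add access by default in groups they are part of'
            )

    community = get_current_community()
    if obj != community and get_community_of(obj) != community:
        raise WrongCommunityException(obj)

    if command == 'view' and isinstance(obj, User):
        members = community.user_set.all()
        if obj in members and user in members:
            return PermissionResponse(
                True,
                u'everyone has view access on a user if they are in a community that the user in question is a member of'
            )

    if hasattr(obj, 'has_default_permission'):
        response = obj.has_default_permission(user, command)
        if response is not None:
            return response

    # A multi-word command falls back to its first word.  A whitespace-only
    # command has no first word, so it must not be split (IndexError) and
    # falls through to the final denial instead.
    words = command.split()
    if ' ' in command and words:
        return has_perm(user=user, obj=obj, command=words[0])

    return PermissionResponse(
        False, u'%s has no %s permissions on %s' % (user, command, obj))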
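def has_perm(user, obj, command):
    """Decide whether *user* may run *command* on *obj*.

    Checks run in a fixed order and the first one that yields a
    ``PermissionResponse`` wins: ownership, community creator, the object's
    ``deleted`` flag (for ``'add'``), public-user grants, Django permissions,
    admin rights, per-object and per-group grants, "everyone" grants,
    content-type grants, the owner chain, and finally the built-in defaults.
    Helper functions return ``None`` to mean "no opinion", so a helper's
    result is only returned when it is not ``None``.

    Args:
        user: the requesting user; an anonymous user is evaluated as the
            public user.
        obj: the target object, or ``None`` to mean the user themself.
        command: the action name, e.g. ``'view'``, ``'add'``, ``'edit'``
            (``'edit'`` is mapped to Django's ``'change'``).  A multi-word
            command is retried with its first word as a last resort.

    Returns:
        A ``PermissionResponse``; the function always reaches a decision.

    Raises:
        WrongCommunityException: when *obj* belongs to a community other than
            the current one and none of the earlier checks has already
            decided.  NOTE(review): because the community check sits after
            the explicit-grant checks, a grant stored for the object still
            applies across communities — confirm that this is intended.
    """
    owner = get_owner(obj)
    if owner == user:
        return PermissionResponse(True, 'user always has access on owned objects')

    from curia.authentication.models import GroupPermission
    from django.contrib.auth.models import User, Group

    # get_community_of() returns None for objects without an owner_group
    # (including obj=None); guard it so the creator check cannot raise.
    obj_community = get_community_of(obj)
    if obj_community is not None and obj_community.meta.created_by == user:
        return PermissionResponse(True, 'user is creator of current community')

    if command == 'add' and getattr(obj, 'deleted', False):
        # Fail closed: the value must match the message, which states a
        # denial (the previous code returned True here).
        return PermissionResponse(False, 'add access is always denied on deleted objects')

    # translate from function naming convention to django permission naming convention
    if command == 'edit':
        command = 'change'

    if obj is None:
        obj = user

    if obj == user and command == 'view':
        return PermissionResponse(True, u'user can always view himself')

    if user.is_anonymous():
        return has_perm(get_public_user(), obj, command)

    public_user = get_public_user()
    if user != public_user:
        # A decision for the public user applies to everyone.  Relies on a
        # denying PermissionResponse being falsy, as the owner-chain check
        # below also assumes.
        public_response = has_perm(user=public_user, obj=obj, command=command)
        if public_response:
            return public_response

    response = has_django_perm(user, obj, command)
    if response is not None:
        return response

    content_type = get_content_type(obj)

    if user != public_user:
        response = has_admin_access(user, obj, content_type, command)
        if response is not None:
            return response

    response = has_access_on_object(user, obj, content_type, command)
    if response is not None:
        return response

    response = has_group_access_on_object(user, obj, content_type, command)
    if response is not None:
        return response

    # check content type level access
    everyone_permissions = get_objects_from(GroupPermission,
                                            group=get_everyone_group(),
                                            command=command,
                                            content_type=content_type,
                                            object_id=obj.id)
    if everyone_permissions:
        if everyone_permissions[0].deny:
            return PermissionResponse(False, u'everyone is denied access')
        return PermissionResponse(True, u'everyone is granted access')

    response = has_access_on_content_type(user, content_type, command)
    if response is not None:
        return response

    response = has_group_access_on_content_type(user, content_type, command)
    if response is not None:
        return response

    if owner is not None:
        # check global access on the owner
        response = has_perm(user=user, obj=owner, command=command)
        # ignore access denied here, because we will check defaults and then return access denied later if need be
        if response:
            return response

    # default access levels
    if obj == user:
        return PermissionResponse(True, u'user has full access on self unless specifically denied')

    if command in ('view', 'add') and isinstance(obj, Group):
        if user in obj.user_set.all():
            return PermissionResponse(True, 'everyone has view and add access by default in groups they are part of')

    community = get_current_community()
    if obj != community and get_community_of(obj) != community:
        raise WrongCommunityException(obj)

    if command == 'view' and isinstance(obj, User):
        members = community.user_set.all()
        if obj in members and user in members:
            return PermissionResponse(True, u'everyone has view access on a user if they are in a community that the user in question is a member of')

    if hasattr(obj, 'has_default_permission'):
        response = obj.has_default_permission(user, command)
        if response is not None:
            return response

    # A multi-word command falls back to its first word.  A whitespace-only
    # command has no first word, so it must not be split (IndexError) and
    # falls through to the final denial instead.
    words = command.split()
    if ' ' in command and words:
        return has_perm(user=user, obj=obj, command=words[0])

    return PermissionResponse(False, u'%s has no %s permissions on %s' % (user, command, obj))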