def __acl__(self):
acl = [
(Allow, Authenticated, permissions.view_context),
(Allow, Owner, permissions.modify_context),
(Allow, Owner, permissions.delete_context),
(Allow, Manager, permissions.add_subscription),
(Allow, Owner, permissions.add_subscription),
(Allow, Manager, permissions.list_activities),
(Allow, Manager, permissions.list_activities_unsubscribed),
(Allow, Owner, permissions.list_activities),
(Allow, Manager, permissions.add_activity),
(Allow, Manager, permissions.list_comments),
(Allow, Manager, permissions.manage_subcription_permissions),
(Allow, Owner, permissions.manage_subcription_permissions),
(Allow, Manager, permissions.remove_subscription),
(Allow, Owner, permissions.remove_subscription),
]
# Grant subscribe permission to the user to subscribe itself if the context policy allows it
if self["permissions"].get(
"subscribe", DEFAULT_CONTEXT_PERMISSIONS["subscribe"]
) == "public" and is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, permissions.add_subscription))
# Grant view activities
if self["permissions"].get("read", DEFAULT_CONTEXT_PERMISSIONS["read"]) == "public":
acl.append((Allow, self.request.authenticated_userid, permissions.list_activities))
# Granted permissions only if a subscription for the current actor exists
if self.subscription:
# Grant permisions only available if subscription exists. Setting this permissions
# conditionally here, causes a Forbidden to be raised when trying to modify or delete
# an inexistent subscription, event if you're a Owner or Manager.
# acl.extend([
# (Allow, Manager, permissions.manage_subcription_permissions),
# (Allow, Owner, permissions.manage_subcription_permissions),
# (Allow, Manager, permissions.remove_subscription),
# (Allow, Owner, permissions.remove_subscription),
# ])
# Grant ubsubscribe permission if the user subscription allows it
# but only if is trying to unsubscribe itself.
if "unsubscribe" in self.subscription.get("permissions", []) and is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, permissions.remove_subscription))
# Grant add_activity permission if the user subscription allows it
# but only if is trying to post as himself. This avoids Context owners to create
# activity impersonating othe users
if "write" in self.subscription.get("permissions", []) and is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, permissions.add_activity))
# Grant list_activities permission if the user subscription allows it
if "read" in self.subscription.get("permissions", []):
acl.append((Allow, self.request.authenticated_userid, permissions.list_activities))
acl.append((Allow, self.request.authenticated_userid, permissions.list_comments))
return acl
return acl
def __acl__(self):
acl = [
(Allow, Manager, view_conversation),
(Allow, Manager, view_conversation_subscription),
(Allow, Manager, modify_conversation),
(Allow, Manager, delete_conversation),
(Allow, Manager, purge_conversations),
(Allow, Manager, add_conversation_participant),
(Allow, Manager, delete_conversation_participant),
(Allow, Manager, list_messages),
(Allow, Manager, add_message),
(Allow, Owner, view_conversation),
(Allow, Owner, view_conversation_subscription),
(Allow, Owner, modify_conversation),
(Allow, Owner, delete_conversation),
]
if self.subscription:
acl.extend([
(Allow, Manager, transfer_ownership),
(Allow, Owner, transfer_ownership),
])
# Grant extra permissions mapped to the authenticated user's
# defined conversation subscription permissions
subscription = self.request.creator.getSubscription(self)
if subscription:
# Allow user to view only its own subscription
if is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, view_conversation_subscription))
if 'read' in subscription.get('permissions', []):
acl.append((Allow, self.request.authenticated_userid, view_conversation))
acl.append((Allow, self.request.authenticated_userid, list_messages))
if 'write' in subscription.get('permissions', []) and is_self_operation(self.request) and 'archive' not in self['tags']:
acl.append((Allow, self.request.authenticated_userid, add_message))
if 'unsubscribe' in subscription.get('permissions', []) and is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, delete_conversation_participant))
if 'invite' in subscription.get('permissions', []):
acl.append((Allow, self.request.authenticated_userid, add_conversation_participant))
if 'kick' in subscription.get('permissions', []) and not is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, delete_conversation_participant))
return acl
def __acl__(self):
acl = [
(Allow, Manager, list_activities),
(Allow, Manager, list_activities_unsubscribed),
(Allow, Manager, view_timeline),
(Allow, Manager, add_activity),
(Allow, Manager, view_subscriptions),
(Allow, Manager, list_comments),
(Allow, Manager, view_private_fields),
(Allow, Manager, modify_avatar),
(Allow, Manager, delete_token),
(Allow, Manager, list_tokens),
(Allow, Owner, modify_user),
(Allow, Owner, view_timeline),
(Allow, Owner, list_activities),
(Allow, Owner, add_activity),
(Allow, Owner, view_subscriptions),
(Allow, Owner, list_comments),
(Allow, Owner, view_private_fields),
(Allow, Owner, modify_avatar),
(Allow, Owner, delete_token),
(Allow, Authenticated, view_user_profile),
(Allow, Authenticated, list_activities),
]
if is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, list_tokens)),
acl.append((Allow, self.request.authenticated_userid, view_subscriptions))
return acl
def __acl__(self):
acl = [
(Allow, Manager, permissions.list_tokens),
(Allow, Manager, permissions.add_token),
(Allow, Manager, permissions.delete_token),
(Allow, Manager, permissions.view_token),
(Allow, Owner, permissions.view_token),
(Allow, Owner, permissions.delete_token)
]
if is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, permissions.add_token))
return acl
def __acl__(self):
acl = [
(Allow, Manager, view_activity),
(Allow, Manager, delete_activity),
(Allow, Manager, list_comments),
(Allow, Manager, add_comment),
(Allow, Manager, favorite),
(Allow, Manager, unfavorite),
(Allow, Manager, like),
(Allow, Owner, view_activity),
(Allow, Owner, delete_activity),
]
if is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, favorite))
if self.has_favorite_from(self.request.actor):
acl.append((Allow, self.request.authenticated_userid, unfavorite))
# When checking permissions directly on the object (For example when determining
# the visible fields), request.context.owner will be related to the owner of where we are posting the
# activity, for example, when posting to a context, the context), so we need to provide permissions
# for the owner of the object itself, or the flatten will result empty...
if is_owner(self, self.request.authenticated_userid):
acl.append((Allow, self.request.authenticated_userid, view_activity))
# If we have an activity that has contexts, grant view_activity if the context
# subscription provides the read permission.
#
# There's two use case where the actor's that just posted the activity may not have a subscription.
# 1. A Manager is posting in a context as himself (not impersonating) and he's not subscribed.
# As we allow this in static acls, a manager will already have the permissions granted below.
# 2. A Manager is posting in a context as a context, so the context won't be subcribed in any way.
# As the user authenticated wil be a manager, it will already have the permissions granted below.
if self.get("contexts", []) and hasattr(self.request.actor, "getSubscription"):
from max.models import Context
# When dealing with context activities, request context will be already loaded, so reuse it
activity_context_same_as_request_context = (
isinstance(self.request.context, Context)
and self.request.context["hash"] == self["contexts"][0]["hash"]
)
if activity_context_same_as_request_context:
context = self.request.context
else:
# When activity context is not loaded, instantiate a lazy one
context = Context.from_object(self.request, self["contexts"][0])
subscription = self.request.actor.getSubscription(context)
if subscription:
permissions = subscription.get("permissions", [])
if "read" in permissions:
acl.append((Allow, self.request.authenticated_userid, view_activity))
acl.append((Allow, self.request.authenticated_userid, list_comments))
# Allow like on non impersonated requests
if is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, like))
if "flag" in permissions:
acl.append((Allow, self.request.authenticated_userid, flag))
acl.append((Allow, self.request.authenticated_userid, unflag))
if "delete" in permissions:
acl.append((Allow, self.request.authenticated_userid, delete_activity))
acl.append((Allow, self.request.authenticated_userid, delete_comment))
if "write" in permissions:
acl.append((Allow, self.request.authenticated_userid, add_comment))
# If no susbcription found, check context policy
else:
# XXX This should be cached at resource level
context.wake()
if context.get("permissions", {}).get("read", DEFAULT_CONTEXT_PERMISSIONS["read"]) == "public":
acl.append((Allow, self.request.authenticated_userid, view_activity))
if is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, like))
# Only context activites can be flagged/unflagged, so we give permissions to
# Manager here, as it don't make sense to do it globally
acl.extend([(Allow, Manager, flag), (Allow, Manager, unflag)])
# Activies without a context are considered public to all authenticated users, so commentable.
# Those activities commments also will be readable by all authenticated users.
# Owners of activities can delete them outside contexts.
else:
acl.extend(
[
(Allow, Authenticated, view_activity),
(Allow, Authenticated, add_comment),
(Allow, Owner, delete_comment),
(Allow, Authenticated, list_comments),
]
)
if is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, like))
# Allow unlike only if actor has a like on this activity.
# Allow Managers to unlike likes from other users
if self.has_like_from(self.request.actor):
acl.append((Allow, Manager, unlike))
if is_self_operation(self.request):
acl.append((Allow, self.request.authenticated_userid, unlike))
return acl
