def __acl__(self): acl = [ (Allow, Authenticated, permissions.view_context), (Allow, Owner, permissions.modify_context), (Allow, Owner, permissions.delete_context), (Allow, Manager, permissions.add_subscription), (Allow, Owner, permissions.add_subscription), (Allow, Manager, permissions.list_activities), (Allow, Manager, permissions.list_activities_unsubscribed), (Allow, Owner, permissions.list_activities), (Allow, Manager, permissions.add_activity), (Allow, Manager, permissions.list_comments), (Allow, Manager, permissions.manage_subcription_permissions), (Allow, Owner, permissions.manage_subcription_permissions), (Allow, Manager, permissions.remove_subscription), (Allow, Owner, permissions.remove_subscription), ] # Grant subscribe permission to the user to subscribe itself if the context policy allows it if self["permissions"].get( "subscribe", DEFAULT_CONTEXT_PERMISSIONS["subscribe"] ) == "public" and is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, permissions.add_subscription)) # Grant view activities if self["permissions"].get("read", DEFAULT_CONTEXT_PERMISSIONS["read"]) == "public": acl.append((Allow, self.request.authenticated_userid, permissions.list_activities)) # Granted permissions only if a subscription for the current actor exists if self.subscription: # Grant permisions only available if subscription exists. Setting this permissions # conditionally here, causes a Forbidden to be raised when trying to modify or delete # an inexistent subscription, event if you're a Owner or Manager. # acl.extend([ # (Allow, Manager, permissions.manage_subcription_permissions), # (Allow, Owner, permissions.manage_subcription_permissions), # (Allow, Manager, permissions.remove_subscription), # (Allow, Owner, permissions.remove_subscription), # ]) # Grant ubsubscribe permission if the user subscription allows it # but only if is trying to unsubscribe itself. if "unsubscribe" in self.subscription.get("permissions", []) and is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, permissions.remove_subscription)) # Grant add_activity permission if the user subscription allows it # but only if is trying to post as himself. This avoids Context owners to create # activity impersonating othe users if "write" in self.subscription.get("permissions", []) and is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, permissions.add_activity)) # Grant list_activities permission if the user subscription allows it if "read" in self.subscription.get("permissions", []): acl.append((Allow, self.request.authenticated_userid, permissions.list_activities)) acl.append((Allow, self.request.authenticated_userid, permissions.list_comments)) return acl return acl
def __acl__(self): acl = [ (Allow, Manager, view_conversation), (Allow, Manager, view_conversation_subscription), (Allow, Manager, modify_conversation), (Allow, Manager, delete_conversation), (Allow, Manager, purge_conversations), (Allow, Manager, add_conversation_participant), (Allow, Manager, delete_conversation_participant), (Allow, Manager, list_messages), (Allow, Manager, add_message), (Allow, Owner, view_conversation), (Allow, Owner, view_conversation_subscription), (Allow, Owner, modify_conversation), (Allow, Owner, delete_conversation), ] if self.subscription: acl.extend([ (Allow, Manager, transfer_ownership), (Allow, Owner, transfer_ownership), ]) # Grant extra permissions mapped to the authenticated user's # defined conversation subscription permissions subscription = self.request.creator.getSubscription(self) if subscription: # Allow user to view only its own subscription if is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, view_conversation_subscription)) if 'read' in subscription.get('permissions', []): acl.append((Allow, self.request.authenticated_userid, view_conversation)) acl.append((Allow, self.request.authenticated_userid, list_messages)) if 'write' in subscription.get('permissions', []) and is_self_operation(self.request) and 'archive' not in self['tags']: acl.append((Allow, self.request.authenticated_userid, add_message)) if 'unsubscribe' in subscription.get('permissions', []) and is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, delete_conversation_participant)) if 'invite' in subscription.get('permissions', []): acl.append((Allow, self.request.authenticated_userid, add_conversation_participant)) if 'kick' in subscription.get('permissions', []) and not is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, delete_conversation_participant)) return acl
def __acl__(self): acl = [ (Allow, Manager, list_activities), (Allow, Manager, list_activities_unsubscribed), (Allow, Manager, view_timeline), (Allow, Manager, add_activity), (Allow, Manager, view_subscriptions), (Allow, Manager, list_comments), (Allow, Manager, view_private_fields), (Allow, Manager, modify_avatar), (Allow, Manager, delete_token), (Allow, Manager, list_tokens), (Allow, Owner, modify_user), (Allow, Owner, view_timeline), (Allow, Owner, list_activities), (Allow, Owner, add_activity), (Allow, Owner, view_subscriptions), (Allow, Owner, list_comments), (Allow, Owner, view_private_fields), (Allow, Owner, modify_avatar), (Allow, Owner, delete_token), (Allow, Authenticated, view_user_profile), (Allow, Authenticated, list_activities), ] if is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, list_tokens)), acl.append((Allow, self.request.authenticated_userid, view_subscriptions)) return acl
def __acl__(self): acl = [ (Allow, Manager, permissions.list_tokens), (Allow, Manager, permissions.add_token), (Allow, Manager, permissions.delete_token), (Allow, Manager, permissions.view_token), (Allow, Owner, permissions.view_token), (Allow, Owner, permissions.delete_token) ] if is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, permissions.add_token)) return acl
def __acl__(self): acl = [ (Allow, Manager, view_activity), (Allow, Manager, delete_activity), (Allow, Manager, list_comments), (Allow, Manager, add_comment), (Allow, Manager, favorite), (Allow, Manager, unfavorite), (Allow, Manager, like), (Allow, Owner, view_activity), (Allow, Owner, delete_activity), ] if is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, favorite)) if self.has_favorite_from(self.request.actor): acl.append((Allow, self.request.authenticated_userid, unfavorite)) # When checking permissions directly on the object (For example when determining # the visible fields), request.context.owner will be related to the owner of where we are posting the # activity, for example, when posting to a context, the context), so we need to provide permissions # for the owner of the object itself, or the flatten will result empty... if is_owner(self, self.request.authenticated_userid): acl.append((Allow, self.request.authenticated_userid, view_activity)) # If we have an activity that has contexts, grant view_activity if the context # subscription provides the read permission. # # There's two use case where the actor's that just posted the activity may not have a subscription. # 1. A Manager is posting in a context as himself (not impersonating) and he's not subscribed. # As we allow this in static acls, a manager will already have the permissions granted below. # 2. A Manager is posting in a context as a context, so the context won't be subcribed in any way. # As the user authenticated wil be a manager, it will already have the permissions granted below. if self.get("contexts", []) and hasattr(self.request.actor, "getSubscription"): from max.models import Context # When dealing with context activities, request context will be already loaded, so reuse it activity_context_same_as_request_context = ( isinstance(self.request.context, Context) and self.request.context["hash"] == self["contexts"][0]["hash"] ) if activity_context_same_as_request_context: context = self.request.context else: # When activity context is not loaded, instantiate a lazy one context = Context.from_object(self.request, self["contexts"][0]) subscription = self.request.actor.getSubscription(context) if subscription: permissions = subscription.get("permissions", []) if "read" in permissions: acl.append((Allow, self.request.authenticated_userid, view_activity)) acl.append((Allow, self.request.authenticated_userid, list_comments)) # Allow like on non impersonated requests if is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, like)) if "flag" in permissions: acl.append((Allow, self.request.authenticated_userid, flag)) acl.append((Allow, self.request.authenticated_userid, unflag)) if "delete" in permissions: acl.append((Allow, self.request.authenticated_userid, delete_activity)) acl.append((Allow, self.request.authenticated_userid, delete_comment)) if "write" in permissions: acl.append((Allow, self.request.authenticated_userid, add_comment)) # If no susbcription found, check context policy else: # XXX This should be cached at resource level context.wake() if context.get("permissions", {}).get("read", DEFAULT_CONTEXT_PERMISSIONS["read"]) == "public": acl.append((Allow, self.request.authenticated_userid, view_activity)) if is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, like)) # Only context activites can be flagged/unflagged, so we give permissions to # Manager here, as it don't make sense to do it globally acl.extend([(Allow, Manager, flag), (Allow, Manager, unflag)]) # Activies without a context are considered public to all authenticated users, so commentable. # Those activities commments also will be readable by all authenticated users. # Owners of activities can delete them outside contexts. else: acl.extend( [ (Allow, Authenticated, view_activity), (Allow, Authenticated, add_comment), (Allow, Owner, delete_comment), (Allow, Authenticated, list_comments), ] ) if is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, like)) # Allow unlike only if actor has a like on this activity. # Allow Managers to unlike likes from other users if self.has_like_from(self.request.actor): acl.append((Allow, Manager, unlike)) if is_self_operation(self.request): acl.append((Allow, self.request.authenticated_userid, unlike)) return acl