def setup_viewer(request, file_obj):
    """Assemble the context dictionary used by the file viewer.

    The validation URL, the automated-signing flag and any processed
    validation results are added only when the requester is an add-ons
    reviewer or passes the ownership check for the add-on
    (``viewer=True, ignore_disabled=True``).

    NOTE(review): the listing this block comes from had lost its
    indentation. The validation-data lookup is nested inside the access
    check here, which is the more restrictive reading -- confirm against
    the original file.
    """
    addon = file_obj.version.addon
    data = {
        'file': file_obj,
        'version': file_obj.version,
        'addon': addon,
        'status': False,
        'selected': {},
        'validate_url': '',
    }

    # Validation details are gated: reviewer first, then ownership.
    may_see_validation = (
        acl.check_addons_reviewer(request) or
        acl.check_addon_ownership(
            request, addon, viewer=True, ignore_disabled=True))
    if may_see_validation:
        data['validate_url'] = reverse(
            'devhub.json_file_validation', args=[addon.slug, file_obj.id])
        data['automated_signing'] = file_obj.automated_signing
        if file_obj.has_been_validated:
            data['validation_data'] = (
                file_obj.validation.processed_validation)

    # Reviewers go back to the review page, everyone else to the
    # add-on detail page.
    if acl.check_addons_reviewer(request):
        back_text = ugettext('Back to review')
        back_url = reverse('reviewers.review', args=[addon.slug])
    else:
        back_text = ugettext('Back to add-on')
        back_url = reverse('addons.detail', args=[addon.pk])
    data['file_link'] = {'text': back_text, 'url': back_url}

    return data
def setup_viewer(request, file_obj):
    """Assemble the context dictionary used by the file viewer.

    Validation-related entries are added only for an add-ons reviewer or
    for a requester passing the ownership check
    (``viewer=True, ignore_disabled=True``). The annotation URL is added
    for add-ons reviewers only.

    NOTE(review): the listing this block comes from had lost its
    indentation. ``automated_signing`` and the validation-data lookup are
    nested inside the access check here, which is the more restrictive
    reading -- confirm against the original file.
    """
    addon = file_obj.version.addon
    data = {
        'file': file_obj,
        'version': file_obj.version,
        'addon': addon,
        'status': False,
        'selected': {},
        'validate_url': '',
    }

    has_access = (
        acl.check_addons_reviewer(request) or
        acl.check_addon_ownership(
            request, addon, viewer=True, ignore_disabled=True))
    if has_access:
        url_args = [addon.slug, file_obj.id]
        data['validate_url'] = reverse(
            'devhub.json_file_validation', args=url_args)
        # Annotating validation results is reserved for reviewers; an
        # owner who passed the check above does not get this URL.
        if acl.check_addons_reviewer(request):
            data['annotate_url'] = reverse(
                'devhub.annotate_file_validation',
                args=[addon.slug, file_obj.id])
        data['automated_signing'] = file_obj.automated_signing
        if file_obj.has_been_validated:
            data['validation_data'] = (
                file_obj.validation.processed_validation)

    # Reviewers go back to the review page, everyone else to the
    # add-on detail page.
    if acl.check_addons_reviewer(request):
        back_text = _('Back to review')
        back_url = reverse('editors.review', args=[addon.slug])
    else:
        back_text = _('Back to add-on')
        back_url = reverse('addons.detail', args=[addon.pk])
    data['file_link'] = {'text': back_text, 'url': back_url}

    return data
def download_file(request, file_id, type=None, file_=None, addon=None):
    """Serve or redirect to an add-on file, enforcing access rules.

    * Disabled add-on or disabled file: the guarded file is sent directly,
      and only to a requester passing the ownership check or the add-ons
      reviewer check; anyone else gets a 404.
    * Unlisted add-on: requires ``owner_or_unlisted_reviewer``; anyone
      else gets a 404.
    * Otherwise: redirect to the mirror URL with the file hash as the
      ``filehash`` parameter and in the ``X-Target-Digest`` header.

    NOTE(review): the disabled branch accepts any requester passing
    ``acl.check_addons_reviewer`` and returns before the listed/unlisted
    check below is reached. Confirm that a disabled *unlisted* add-on is
    meant to be downloadable by reviewers without the unlisted permission.
    """
    if not file_:
        file_ = get_object_or_404(File.objects, pk=file_id)
    if not addon:
        addon = get_object_or_404(
            Addon.with_unlisted, pk=file_.version.addon_id)

    disabled = addon.is_disabled or file_.status == amo.STATUS_DISABLED
    if disabled:
        privileged = (
            acl.check_addon_ownership(
                request, addon, viewer=True, ignore_disabled=True) or
            acl.check_addons_reviewer(request))
        if not privileged:
            log.info(u'download file {file_id}: addon/file disabled or user '
                     u'{user_id} is not an owner'.format(
                         file_id=file_id, user_id=request.user.pk))
            raise http.Http404()
        return HttpResponseSendFile(
            request, file_.guarded_file_path,
            content_type='application/x-xpinstall')

    # Unlisted add-ons answer 404 (not 403) to everyone but owners and
    # unlisted reviewers.
    if not addon.is_listed and not owner_or_unlisted_reviewer(request, addon):
        log.info(u'download file {file_id}: addon is unlisted but user '
                 u'{user_id} is not an owner'.format(
                     file_id=file_id, user_id=request.user.pk))
        raise http.Http404  # Not listed, not owner or admin.

    as_attachment = (type == 'attachment' or not request.APP.browser)
    mirror_url = urlparams(
        file_.get_mirror(addon, attachment=as_attachment),
        filehash=file_.hash)
    response = http.HttpResponseRedirect(mirror_url)
    response['X-Target-Digest'] = file_.hash
    return response
def download_file(request, file_id, type=None, file_=None, addon=None):
    """Serve or redirect to an add-on file, enforcing access rules.

    A disabled add-on or file is sent from its guarded path, and only to
    an owner (``viewer=True, ignore_disabled=True``) or an add-ons
    reviewer. An unlisted add-on requires ``owner_or_unlisted_reviewer``.
    Both refusals are logged and answered with a 404. Every other request
    is redirected to the mirror URL, with the file hash sent both as the
    ``filehash`` parameter and as the ``X-Target-Digest`` header.

    NOTE(review): the disabled branch returns before the listed/unlisted
    check runs, so it relies on ``acl.check_addons_reviewer`` alone for
    reviewers. Confirm this is intended for disabled unlisted add-ons.
    """
    if not file_:
        file_ = get_object_or_404(File.objects, pk=file_id)
    if not addon:
        addon = get_object_or_404(
            Addon.with_unlisted, pk=file_.version.addon_id)

    if addon.is_disabled or file_.status == amo.STATUS_DISABLED:
        owner_or_reviewer = (
            acl.check_addon_ownership(
                request, addon, viewer=True, ignore_disabled=True) or
            acl.check_addons_reviewer(request))
        if owner_or_reviewer:
            # Disabled files are sent directly from the guarded path
            # instead of redirecting to a mirror.
            return HttpResponseSendFile(
                request, file_.guarded_file_path,
                content_type='application/x-xpinstall')
        log.info(u'download file {file_id}: addon/file disabled or user '
                 u'{user_id} is not an owner'.format(
                     file_id=file_id, user_id=request.user.pk))
        raise http.Http404()

    visible = addon.is_listed or owner_or_unlisted_reviewer(request, addon)
    if not visible:
        log.info(u'download file {file_id}: addon is unlisted but user '
                 u'{user_id} is not an owner'.format(
                     file_id=file_id, user_id=request.user.pk))
        raise http.Http404  # Not listed, not owner or admin.

    attachment = (type == 'attachment' or not request.APP.browser)
    redirect_to = urlparams(
        file_.get_mirror(addon, attachment=attachment), filehash=file_.hash)
    response = http.HttpResponseRedirect(redirect_to)
    response['X-Target-Digest'] = file_.hash
    return response
def allowed(request, file):
    """Decide whether the requester may browse ``file``.

    Returns True when access is granted. Raises ``http.Http404`` when the
    file has no version/add-on or when an unlisted add-on is requested by
    someone who is neither owner nor unlisted reviewer. Raises
    ``PermissionDenied`` when a listed add-on is requested without
    sufficient rights.
    """
    try:
        addon = file.version.addon
    except ObjectDoesNotExist:
        raise http.Http404

    # Not listed? Needs an owner or an "unlisted" admin. The refusal is a
    # 404 rather than a 403.
    if not addon.is_listed:
        if owner_or_unlisted_reviewer(request, addon):
            return True
        raise http.Http404  # Not listed, not owner or admin.

    # General case: addon is listed.
    source_is_public = (
        addon.view_source and addon.status in amo.REVIEWED_STATUSES)
    if (source_is_public or
            acl.check_addons_reviewer(request) or
            acl.check_addon_ownership(
                request, addon, viewer=True, dev=True)):
        return True  # Public and sources are visible, or reviewer.
    raise PermissionDenied  # Listed but not allowed.
def allowed(request, file):
    """Decide whether the requester may browse ``file``.

    Listed add-ons: allowed when sources are viewable and the add-on has
    a reviewed status, or for an add-ons reviewer, or for a requester
    passing the ownership check (``viewer=True, dev=True``); otherwise
    ``PermissionDenied``. Unlisted add-ons: allowed only through
    ``owner_or_unlisted_reviewer``; otherwise ``http.Http404``. A file
    without a version/add-on also yields ``http.Http404``.
    """
    try:
        addon = file.version.addon
    except ObjectDoesNotExist:
        raise http.Http404

    if addon.is_listed:
        # General case: addon is listed. The checks run in the same order
        # as a short-circuiting ``or`` chain.
        if addon.view_source and addon.status in amo.REVIEWED_STATUSES:
            return True  # Public and sources are visible.
        if acl.check_addons_reviewer(request):
            return True  # Reviewer.
        if acl.check_addon_ownership(request, addon, viewer=True, dev=True):
            return True  # Owner, developer or viewer.
        raise PermissionDenied  # Listed but not allowed.

    # Not listed? Needs an owner or an "unlisted" admin.
    if owner_or_unlisted_reviewer(request, addon):
        return True
    raise http.Http404  # Not listed, not owner or admin.
def allowed(request, file):
    """Decide whether the requester may browse ``file``.

    Files on the listed channel are open to add-ons reviewers and to
    requesters passing the ownership check (``dev=True``); anyone else
    gets ``PermissionDenied``. Files on any other channel require
    ``owner_or_unlisted_reviewer``; anyone else gets ``http.Http404``.
    A file without a version/add-on also yields ``http.Http404``.
    """
    try:
        version = file.version
        addon = version.addon
    except ObjectDoesNotExist:
        raise http.Http404

    # Not listed? Needs an owner or an "unlisted" admin.
    if version.channel != amo.RELEASE_CHANNEL_LISTED:
        if owner_or_unlisted_reviewer(request, addon):
            return True
        raise http.Http404  # Not listed, not owner or admin.

    # General case: version is on the listed channel.
    # The file browser is deliberately not shown publicly because of
    # potential DoS issues; a fix was being worked on at the time.
    # (cgrebs, 06042017)
    is_owner = acl.check_addon_ownership(request, addon, dev=True)
    if not (acl.check_addons_reviewer(request) or is_owner):
        raise PermissionDenied  # Listed but not allowed.
    return True  # Reviewer or owner.
def reviewlog(request):
    """Render the review log, narrowed to what the requester may see.

    The queryset is restricted before any user-supplied filter is
    applied: unlisted-channel entries need the unlisted reviewer
    permission, add-on types in ``amo.GROUP_TYPE_ADDON`` need the add-ons
    reviewer permission, and static themes need the static theme reviewer
    permission. Date and search filters from the query string are applied
    only when the form validates. Without ``start`` and ``end`` the log
    starts at the first day of the current month.
    """
    params = request.GET.copy()
    if not params.get('start') and not params.get('end'):
        today = date.today()
        params['start'] = date(today.year, today.month, 1)

    form = ReviewLogForm(params)
    approvals = ActivityLog.objects.review_log()

    if not acl.check_unlisted_addons_reviewer(request):
        # Only display logs related to unlisted versions to users with the
        # right permission.
        list_channel = amo.RELEASE_CHANNEL_LISTED
        approvals = approvals.filter(
            versionlog__version__channel=list_channel)
    if not acl.check_addons_reviewer(request):
        approvals = approvals.exclude(
            versionlog__version__addon__type__in=amo.GROUP_TYPE_ADDON)
    if not acl.check_static_theme_reviewer(request):
        approvals = approvals.exclude(
            versionlog__version__addon__type=amo.ADDON_STATICTHEME)

    if form.is_valid():
        cleaned = form.cleaned_data
        if cleaned['start']:
            approvals = approvals.filter(created__gte=cleaned['start'])
        if cleaned['end']:
            approvals = approvals.filter(created__lt=cleaned['end'])
        if cleaned['search']:
            term = cleaned['search']
            # The term is passed as an ORM lookup value, never spliced
            # into SQL text.
            matches = (
                Q(commentlog__comments__icontains=term) |
                Q(addonlog__addon__name__localized_string__icontains=term) |
                Q(user__display_name__icontains=term) |
                Q(user__username__icontains=term))
            approvals = approvals.filter(matches).distinct()

    pager = amo.utils.paginate(request, approvals, 50)
    return render(
        request, 'reviewers/reviewlog.html',
        context(request, form=form, pager=pager))
def allowed(request, file):
    """Decide whether the requester may browse ``file``.

    Files on the listed channel are open to add-ons reviewers and to
    requesters passing the ownership check (``viewer=True, dev=True``);
    anyone else gets ``PermissionDenied``. Files on any other channel
    require ``owner_or_unlisted_reviewer``; anyone else gets
    ``http.Http404``. A file without a version/add-on also yields
    ``http.Http404``.
    """
    try:
        version = file.version
        addon = version.addon
    except ObjectDoesNotExist:
        raise http.Http404

    on_listed_channel = version.channel == amo.RELEASE_CHANNEL_LISTED
    if not on_listed_channel:
        # Not listed? Needs an owner or an "unlisted" admin.
        if owner_or_unlisted_reviewer(request, addon):
            return True
        raise http.Http404  # Not listed, not owner or admin.

    # The file browser is deliberately not shown publicly because of
    # potential DoS issues; a fix was being worked on at the time.
    # (cgrebs, 06042017)
    is_owner = acl.check_addon_ownership(
        request, addon, viewer=True, dev=True)
    if acl.check_addons_reviewer(request) or is_owner:
        return True  # Reviewer or owner.
    raise PermissionDenied  # Listed but not allowed.
def has_permission(self, request, view):
    """Allow read-only access with ``ReviewerTools:View``, or any access
    for an add-ons reviewer.

    The ``ReviewerTools``/``View`` permission is honoured only when the
    request method is in ``SAFE_METHODS``; any other method requires
    ``acl.check_addons_reviewer``.
    """
    read_only_viewer = (
        request.method in SAFE_METHODS and
        acl.action_allowed(request, 'ReviewerTools', 'View'))
    return read_only_viewer or acl.check_addons_reviewer(request)
def wrapper(request, *args, **kw):
    """Call the wrapped view ``f`` only for permitted requesters.

    Access is granted when ``_view_on_get(request)`` is truthy or the
    requester is an add-ons reviewer; otherwise ``PermissionDenied`` is
    raised and ``f`` is never called.
    """
    permitted = _view_on_get(request) or acl.check_addons_reviewer(request)
    if not permitted:
        raise PermissionDenied
    return f(request, *args, **kw)
def is_reviewer(channel):
    """Return the reviewer check that matches ``channel``.

    The listed channel uses ``acl.check_addons_reviewer``; every other
    channel value uses ``acl.check_unlisted_addons_reviewer``. ``request``
    comes from the enclosing scope.
    """
    if channel == amo.RELEASE_CHANNEL_LISTED:
        return acl.check_addons_reviewer(request)
    return acl.check_unlisted_addons_reviewer(request)
def global_settings(request):
    """
    Build the AMO-wide context used in global headers: account links,
    tools links and a few site settings.

    Reviewer and admin links are added only after the matching ``acl``
    check passes. These links are navigation only; nothing here enforces
    access to the pages they point at.

    NOTE(review): the listing this block comes from had lost its
    indentation. The submit / Developer Hub / API key links are added for
    every authenticated user here (outside the ``is_developer`` check) --
    confirm against the original file.
    """
    account_links = []
    tools_links = []
    tools_title = ugettext('Tools')
    is_reviewer = False

    if request.user.is_authenticated():
        user = request.user
        is_reviewer = (acl.check_addons_reviewer(request) or
                       acl.check_personas_reviewer(request))

        account_links.append({
            'text': ugettext('My Profile'),
            'href': user.get_url_path(),
        })
        if user.is_artist:
            account_links.append({
                'text': ugettext('My Themes'),
                'href': user.get_themes_url_path(),
            })
        account_links.extend([
            {
                'text': ugettext('Account Settings'),
                'href': reverse('users.edit'),
            },
            {
                'text': ugettext('My Collections'),
                'href': reverse('collections.user', args=[user.username]),
            },
        ])
        if user.favorite_addons:
            account_links.append({
                'text': ugettext('My Favorites'),
                'href': reverse('collections.detail',
                                args=[user.username, 'favorites']),
            })
        # The current path is percent-encoded before it goes into ``to``.
        # NOTE(review): whether ``to`` is limited to same-site targets is
        # decided by the logout view, which is not visible here.
        account_links.append({
            'text': ugettext('Log out'),
            'href': reverse('users.logout') + '?to=' + urlquote(request.path),
        })

        if user.is_developer:
            tools_links.append({
                'text': ugettext('Manage My Submissions'),
                'href': reverse('devhub.addons'),
            })
        tools_links.extend([
            {
                'text': ugettext('Submit a New Add-on'),
                'href': reverse('devhub.submit.agreement'),
            },
            {
                'text': ugettext('Submit a New Theme'),
                'href': reverse('devhub.themes.submit'),
            },
            {
                'text': ugettext('Developer Hub'),
                'href': reverse('devhub.index'),
            },
            {
                'text': ugettext('Manage API Keys'),
                'href': reverse('devhub.api_key'),
            },
        ])
        if is_reviewer:
            tools_links.append({
                'text': ugettext('Reviewer Tools'),
                'href': reverse('reviewers.dashboard'),
            })
        if (acl.action_allowed(request, amo.permissions.ADMIN) or
                acl.action_allowed(
                    request, amo.permissions.ADMIN_TOOLS_VIEW)):
            tools_links.append({
                'text': ugettext('Admin Tools'),
                'href': reverse('zadmin.index'),
            })

        context_user = request.user
    else:
        context_user = AnonymousUser()

    return {
        'user': context_user,
        'account_links': account_links,
        'settings': settings,
        'amo': amo,
        'tools_links': tools_links,
        'tools_title': tools_title,
        'ADMIN_MESSAGE': get_config('site_notice'),
        'is_reviewer': is_reviewer,
    }
def global_settings(request):
    """
    Build the AMO-wide context used in global headers: account links,
    tools links and a few site settings.

    Editor and admin links are added only after the matching ``acl``
    check passes, and the API key link only while the ``signing-api``
    waffle switch is active. These links are navigation only; nothing
    here enforces access to the pages they point at.

    NOTE(review): the listing this block comes from had lost its
    indentation. The submit / Developer Hub links are added for every
    authenticated user here (outside the ``is_developer`` check) --
    confirm against the original file.
    """
    account_links = []
    tools_links = []
    tools_title = _('Tools')
    is_reviewer = False

    if request.user.is_authenticated():
        user = request.user
        is_reviewer = (acl.check_addons_reviewer(request) or
                       acl.check_personas_reviewer(request))

        account_links.append({
            'text': _('My Profile'),
            'href': user.get_url_path(),
        })
        if user.is_artist:
            account_links.append({
                'text': _('My Themes'),
                'href': user.get_user_url('themes'),
            })
        account_links.extend([
            {
                'text': _('Account Settings'),
                'href': reverse('users.edit'),
            },
            {
                'text': _('My Collections'),
                'href': reverse('collections.user', args=[user.username]),
            },
        ])
        if user.favorite_addons:
            account_links.append({
                'text': _('My Favorites'),
                'href': reverse('collections.detail',
                                args=[user.username, 'favorites']),
            })
        # The current path is percent-encoded before it goes into ``to``.
        # NOTE(review): whether ``to`` is limited to same-site targets is
        # decided by the logout view, which is not visible here.
        account_links.append({
            'text': _('Log out'),
            'href': reverse('users.logout') + '?to=' + urlquote(request.path),
        })

        if user.is_developer:
            tools_links.append({
                'text': _('Manage My Submissions'),
                'href': reverse('devhub.addons'),
            })
        submission_links = [
            {
                'text': _('Submit a New Add-on'),
                'href': reverse('devhub.submit.1'),
            },
            {
                'text': _('Submit a New Theme'),
                'href': reverse('devhub.themes.submit'),
            },
            {
                'text': _('Developer Hub'),
                'href': reverse('devhub.index'),
            },
        ]
        if waffle.switch_is_active('signing-api'):
            submission_links.append({
                'text': _('Manage API Keys'),
                'href': reverse('devhub.api_key'),
            })
        tools_links.extend(submission_links)

        if is_reviewer:
            tools_links.append({
                'text': _('Editor Tools'),
                'href': reverse('editors.home'),
            })
        if (acl.action_allowed(request, 'Admin', '%') or
                acl.action_allowed(request, 'AdminTools', 'View')):
            tools_links.append({
                'text': _('Admin Tools'),
                'href': reverse('zadmin.home'),
            })

        context_user = request.user
    else:
        context_user = AnonymousUser()

    return {
        'user': context_user,
        'account_links': account_links,
        'settings': settings,
        'amo': amo,
        'tools_links': tools_links,
        'tools_title': tools_title,
        'ADMIN_MESSAGE': get_config('site_notice'),
        'is_reviewer': is_reviewer,
    }
def has_permission(self, request, view):
    """Allow read-only access with ``REVIEWER_TOOLS_VIEW``, or any access
    for an add-ons reviewer.

    ``amo.permissions.REVIEWER_TOOLS_VIEW`` is honoured only when the
    request method is in ``SAFE_METHODS``; any other method requires
    ``acl.check_addons_reviewer``.
    """
    read_only_viewer = (
        request.method in SAFE_METHODS and
        acl.action_allowed(request, amo.permissions.REVIEWER_TOOLS_VIEW))
    return read_only_viewer or acl.check_addons_reviewer(request)