def update(self, instance, validated_data):
request = self.context.get('request')
if 'status' in validated_data:
status_data = validated_data.pop('status')
can_change = ComplianceReportPermissions.user_can_change_status(
request.user,
instance,
new_fuel_supplier_status=status_data['fuel_supplier_status'].
status if 'fuel_supplier_status' in status_data else None,
new_analyst_status=status_data['analyst_status'].status
if 'analyst_status' in status_data else None,
new_director_status=status_data['director_status'].status
if 'director_status' in status_data else None,
new_manager_status=status_data['manager_status'].status
if 'manager_status' in status_data else None)
if not can_change:
raise PermissionDenied('Invalid status change')
if 'fuel_supplier_status' in status_data:
instance.status.fuel_supplier_status = status_data[
'fuel_supplier_status']
if instance.supplements is not None and instance.status.fuel_supplier_status.status in [
'Submitted'
]:
# supplemental note is required
if 'supplemental_note' not in validated_data:
raise serializers.ValidationError(
'supplemental note is required when submitting a '
'supplemental report')
instance.supplemental_note = validated_data.pop(
'supplemental_note')
if 'analyst_status' in status_data:
instance.status.analyst_status = status_data['analyst_status']
if 'manager_status' in status_data:
instance.status.manager_status = status_data['manager_status']
if 'director_status' in status_data:
instance.status.director_status = status_data[
'director_status']
instance.status.save()
if 'exclusion_agreement' in validated_data:
agreement_data = validated_data.pop('exclusion_agreement')
if instance.exclusion_agreement:
ExclusionAgreementRecord.objects.filter(
exclusion_agreement=instance.exclusion_agreement).delete()
exclusion_agreement = instance.exclusion_agreement
if 'records' in agreement_data:
records_data = agreement_data.pop('records')
if not instance.exclusion_agreement:
exclusion_agreement = ExclusionAgreement.objects.create(
**agreement_data, compliance_report=instance)
instance.exclusion_agreement = exclusion_agreement
for record_data in records_data:
record = ExclusionAgreementRecord.objects.create(
**record_data, exclusion_agreement=exclusion_agreement)
exclusion_agreement.records.add(record)
exclusion_agreement.save()
if instance.status.fuel_supplier_status.status in ['Submitted'] and \
not instance.has_snapshot:
# Create a snapshot
request = self.context.get('request')
snap = dict(
ExclusionReportDetailSerializer(instance,
context=self.context).data)
snap['version'] = 1 # to track deserialization version
snap['timestamp'] = datetime.now()
ComplianceReportSnapshot.objects.filter(
compliance_report=instance).delete()
ComplianceReportSnapshot.objects.create(
compliance_report=instance,
create_user=request.user,
create_timestamp=datetime.now(),
snapshot=snap)
if request:
instance.update_user = request.user
instance.save()
# all other fields are read-only
return instance
def create(self, request, *args, **kwargs):
if request.user.is_anonymous:
raise PermissionDenied(
"Only logged in users with accounts can create customer profiles"
)
return super().create(request, *args, **kwargs)
async def subscribe_todos_in_user(self, **kwargs):
user:User = self.scope["user"]
if user.is_anonymous:
raise PermissionDenied()
await self.todos_change_handler.subscribe(user=user.pk)
return {}, status.HTTP_200_OK
def attach(self, request, *args, **kwargs):
attached = False
created = False
modified = False
parent = self.get_parent_object()
relationship = getattr(parent, self.relationship)
sub_id = request.DATA.get('id', None)
data = request.DATA
# Create the sub object if an ID is not provided.
if not sub_id:
try:
response = self.create(request, *args, **kwargs)
if response.status_code != status.HTTP_201_CREATED:
return response
sub_id = response.data['id']
data = response.data
try:
location = response['Location']
except KeyError:
location = None
created = True
except Exception:
raise PermissionDenied()
# Retrive the sub object (whether created or by ID).
sub = get_object_or_400(self.model, pk=sub_id)
# likewise with creation, we never try and update
if not created:
# Update the object to make sure the data is correct, but
# verify we have permission to edit before trying to update
if not check_user_access(request.user, self.model, 'change', sub,
data):
raise PermissionDenied()
else:
sub.__dict__.update(data)
if sub.is_dirty:
sub.save()
modified = True
# Verify we have permission to attach.
if not check_user_access(request.user,
self.parent_model,
'attach',
parent,
sub,
self.relationship,
data,
skip_sub_obj_read_check=created):
raise PermissionDenied()
# Attach the object to the collection.
if sub not in relationship.all():
relationship.add(sub)
attached = True
if created:
headers = {}
if location:
headers['Location'] = location
return Response(data,
status=status.HTTP_201_CREATED,
headers=headers)
elif modified or attached:
return Response(data, status=status.HTTP_200_OK)
else:
return Response(status=status.HTTP_204_NO_CONTENT)
def update(self, request, *args, **kwargs):
profile = CreatorProfile.objects.get(pk=self.kwargs["pk"])
if not request.user == profile.owner:
raise PermissionDenied(
"You have no permissions to edit this photographer profile")
return super().update(request, *args, **kwargs)
def get_user(self, email):
try:
return User.objects.get(email=email)
except User.DoesNotExist:
raise PermissionDenied()
def get(self, request, user_id):
if not request.user.is_authenticated or request.user.osu_user_id != user_id:
raise PermissionDenied("You may only retrieve invites for the authenticated user.")
invites = Invite.objects.select_related("leaderboard", "leaderboard__owner").filter(user_id=user_id)
serialiser = UserInviteSerialiser(invites, many=True)
return Response(serialiser.data)
def validate_group(self, group):
if not group.is_member(self.context['request'].user):
raise PermissionDenied(_('You are not a member of this group.'))
return group
def create(self, request, *args, **kwargs):
if request.user:
raise PermissionDenied(detail='You already have an account')
return super().create(request, args, kwargs)
def retrieve(self, request, *args, **kwargs):
if not belongsToInstitution(request, self.get_object().institution):
raise PermissionDenied(
detail='User does not belong to the institution', code=None)
return super(StudentViewSet, self).retrieve(request, *args, **kwargs)
def destroy(self, request, *args, **kwargs):
if not isInstitutionAdmin(request, self.get_object().institution):
raise PermissionDenied(detail='User is not an admin_user',
code=None)
return super(StudentViewSet, self).destroy(request, *args, **kwargs)
def create(self, request, *args, **kwargs):
if not isInstitutionAdmin(request, getUserInstitution(request)):
raise PermissionDenied(detail='User is not an admin_user',
code=None)
return super(StudentViewSet, self).create(request, *args, **kwargs)
def get_discount(request):
if request.user.is_anonymous:
raise PermissionDenied()
host = request.META['HTTP_HOST']
user = request.user
contract_type = request.query_params['contract_type']
promo_str = request.query_params['promo']
discount = check_and_get_discount(promo_str, contract_type, user)
answer = {'discount': discount}
if 'contract_id' in request.query_params:
contract = Contract.objects.get(id=request.query_params['contract_id'])
contract_details = contract.get_details()
if host == EOSISH_URL:
kwargs = ContractSerializer().get_details_serializer(
contract.contract_type)().to_representation(contract_details)
cost = contract_details.calc_cost_eos(
kwargs, contract.network) * (100 - discount) / 100
answer['discount_price'] = {
'EOS': cost,
'EOSISH': str(float(cost) * rate('EOS', 'EOSISH').value)
}
elif host == MY_WISH_URL:
options_cost = 0
if contract.contract_type in (5, 28) and contract_details.authio:
options_cost += AUTHIO_PRICE_USDT * NET_DECIMALS['USDT']
if contract.contract_type in VERIFICATION_CONTRACTS_IDS and contract_details.verification:
options_cost += VERIFICATION_PRICE_USDT * NET_DECIMALS['USDT']
cost = (contract.cost -
options_cost) * (100 - discount) / 100 + options_cost
answer['discount_price'] = {
'USDT':
str(cost),
'ETH':
str(int(
int(cost) / 10**6 * rate('USDT', 'ETH').value * 10**18)),
'WISH':
str(
int(
int(cost) / 10**6 * rate('USDT', 'WISH').value *
10**18)),
'BTC':
str(int(int(cost) / 10**6 * rate('USDT', 'BTC').value *
10**8)),
'TRX':
str(int(int(cost) * rate('ETH', 'TRX').value)),
'TRONISH':
str(int(int(cost) * rate('ETH', 'TRX').value))
}
elif host == TRON_URL:
kwargs = ContractSerializer().get_details_serializer(
contract.contract_type)().to_representation(contract_details)
cost = contract_details.calc_cost_tron(
kwargs, contract.network) * (100 - discount) / 100
answer['discount_price'] = {'TRX': int(cost), 'TRONISH': int(cost)}
elif host == WAVES_URL:
kwargs = ContractSerializer().get_details_serializer(
contract.contract_type)().to_representation(contract_details)
cost = contract_details.calc_cost(
kwargs, contract.network) * (100 - discount) / 100
answer['discount_price'] = {
'USDT':
str(cost),
'ETH':
str(int(
int(cost) / 10**6 * rate('USDT', 'ETH').value * 10**18)),
'WISH':
str(
int(
int(cost) / 10**6 * rate('USDT', 'WISH').value *
10**18)),
'BTC':
str(int(int(cost) / 10**6 * rate('USDT', 'BTC').value *
10**8)),
'TRX':
str(int(int(cost) * rate('ETH', 'TRX').value)),
'TRONISH':
str(int(int(cost) * rate('ETH', 'TRX').value))
}
else:
kwargs = ContractSerializer().get_details_serializer(
contract.contract_type)().to_representation(contract_details)
cost = contract_details.calc_cost(
kwargs, contract.network) * (100 - discount) / 100
answer['discount_price'] = {
'ETH':
str(cost),
'WISH':
str(int(cost * rate('ETH', 'WISH').value)),
'BTC':
str(int(cost * rate('ETH', 'BTC').value)),
'TRX':
str(int(cost) / 10**18 * rate('ETH', 'TRX').value * 10**6),
'TRONISH':
str(int(cost) / 10**18 * rate('ETH', 'TRONISH').value * 10**6)
}
return Response(answer)
def put(self, request, pk):
# Update science metadata based on resourcemetadata.xml uploaded
resource, authorized, user = view_utils.authorize(
request,
pk,
needed_permission=ACTION_TO_AUTHORIZE.EDIT_RESOURCE,
raises_exception=False)
if not authorized:
raise PermissionDenied()
files = request.FILES.values()
if len(files) == 0:
error_msg = {
'file':
'No resourcemetadata.xml file was found to update resource '
'metadata.'
}
raise ValidationError(detail=error_msg)
elif len(files) > 1:
error_msg = {
'file': ('More than one file was found. Only one file, named '
'resourcemetadata.xml, '
'can be used to update resource metadata.')
}
raise ValidationError(detail=error_msg)
scimeta = files[0]
if scimeta.content_type not in self.ACCEPT_FORMATS:
error_msg = {
'file': ("Uploaded file has content type {t}, "
"but only these types are accepted: {e}.").format(
t=scimeta.content_type,
e=",".join(self.ACCEPT_FORMATS))
}
raise ValidationError(detail=error_msg)
expect = 'resourcemetadata.xml'
if scimeta.name != expect:
error_msg = {
'file':
"Uploaded file has name {n}, but expected {e}.".format(
n=scimeta.name, e=expect)
}
raise ValidationError(detail=error_msg)
# Temp directory to store resourcemetadata.xml
tmp_dir = tempfile.mkdtemp()
try:
# Fake the bag structure so that GenericResourceMeta.read_metadata_from_resource_bag
# can read and validate the system and science metadata for us.
bag_data_path = os.path.join(tmp_dir, 'data')
os.mkdir(bag_data_path)
# Copy new science metadata to bag data path
scimeta_path = os.path.join(bag_data_path, 'resourcemetadata.xml')
shutil.copy(scimeta.temporary_file_path(), scimeta_path)
# Copy existing resource map to bag data path
# (use a file-like object as the file may be in iRODS, so we can't
# just copy it to a local path)
resmeta_path = os.path.join(bag_data_path, 'resourcemap.xml')
with open(resmeta_path, 'wb') as resmeta:
storage = get_file_storage()
resmeta_irods = storage.open(AbstractResource.sysmeta_path(pk))
shutil.copyfileobj(resmeta_irods, resmeta)
resmeta_irods.close()
try:
# Read resource system and science metadata
domain = Site.objects.get_current().domain
rm = GenericResourceMeta.read_metadata_from_resource_bag(
tmp_dir, hydroshare_host=domain)
# Update resource metadata
rm.write_metadata_to_resource(resource,
update_title=True,
update_keywords=True)
create_bag_files(resource)
except HsDeserializationDependencyException as e:
msg = (
"HsDeserializationDependencyException encountered when updating "
"science metadata for resource {pk}; depedent resource was {dep}."
)
msg = msg.format(pk=pk, dep=e.dependency_resource_id)
logger.error(msg)
raise ValidationError(detail=msg)
except HsDeserializationException as e:
raise ValidationError(detail=e.message)
resource_modified(resource, request.user, overwrite_bag=False)
return Response(data={'resource_id': pk},
status=status.HTTP_202_ACCEPTED)
finally:
shutil.rmtree(tmp_dir)
def raise_permission_error():
raise PermissionDenied("User doesn't have permission for this action.")
def validate(self, data):
if self.instance.user == self.instance.repository.owner:
raise PermissionDenied(_('The owner role can\'t be changed.'))
return data
def has_object_permission(self, request, view, obj):
message = 'You are not owner'
if obj.reseller == request.user:
return True
else:
raise PermissionDenied(detail=message)
def profile_view(request):
site_name = request.META['HTTP_HOST']
print('site is', site_name, flush=True)
if request.user.is_anonymous:
print('anonymous', flush=True)
raise PermissionDenied()
if site_name.startswith('cn'):
site_name = site_name[2:]
if site_name.startswith('local'):
print('cut local')
site_name = site_name[5:]
if site_name.startswith('trondev'):
site_name = site_name.replace('trondev', 'dev')
if site_name == WAVES_URL:
site_name = MY_WISH_URL
if site_name == RUBIC_EXC_URL:
site_name = SWAPS_URL
site = SubSite.objects.get(site_name=site_name)
user_balance = UserSiteBalance.objects.get(subsite=site, user=request.user)
if request.user.email:
user_name = request.user.email
elif request.user.first_name or request.user.last_name:
user_name = '{} {}'.format(request.user.first_name,
request.user.last_name)
else:
user_name = request.user.username
swaps_notifications = None
swaps_notification_email = None
swaps_notification_telegram_name = None
swaps_notification_type = None
swaps_notification_set = request.user.swapsnotificationdefaults_set.all()
if swaps_notification_set:
swaps_notification_set = swaps_notification_set.first()
swaps_notification_email = swaps_notification_set.email
swaps_notification_telegram_name = swaps_notification_set.telegram_name
swaps_notification_type = swaps_notification_set.notification
swaps_notifications = {
'email': swaps_notification_email,
'telegram_name': swaps_notification_telegram_name,
'notification': swaps_notification_type
}
answer = {
'username':
user_name,
'contracts':
Contract.objects.filter(user=request.user).count(),
'balance':
str(user_balance.balance),
'internal_address':
user_balance.eth_address,
'internal_btc_address':
user_balance.btc_address,
'use_totp':
request.user.profile.use_totp,
'is_social':
request.user.profile.is_social,
'id':
request.user.id,
'lang':
request.user.profile.lang,
'memo':
user_balance.memo,
'eos_address':
'mywishcoming',
'bnb_address':
BINANCE_PAYMENT_ADDRESS,
'tron_address':
hex2tronwif(user_balance.tron_address)
if user_balance.tron_address else '',
'usdt_balance':
str(
int(
int(user_balance.balance) / 10**18 *
convert('WISH', 'USDT')['USDT'] * 10**6)),
'is_swaps_admin':
request.user.profile.is_swaps_admin,
'swaps_notifications':
swaps_notifications
}
return Response(answer)
def get(self, request, user_id):
if not request.user.is_authenticated or request.user.osu_user_id != user_id:
raise PermissionDenied("You may only retrieve memberships for the authenticated user.")
memberships = Membership.objects.select_related("leaderboard", "leaderboard__owner").annotate(score_count=Count("scores")).filter(user_id=user_id)
serialiser = UserMembershipSerialiser(memberships, many=True)
return Response(serialiser.data)
def create(self, request, patch_id, *args, **kwargs):
p = get_object_or_404(Patch, id=patch_id)
if not p.is_editable(request.user):
raise PermissionDenied()
request.patch = p
return super(CheckListCreate, self).create(request, *args, **kwargs)
class SubListCreateAPIView(SubListAPIView, ListCreateAPIView):
# Base class for a sublist view that allows for creating subobjects and
# attaching/detaching them from the parent.
# In addition to SubListAPIView properties, subclasses may define (if the
# sub_obj requires a foreign key to the parent):
# parent_key = 'field_on_model_referring_to_parent'
def get_description_context(self):
d = super(SubListCreateAPIView, self).get_description_context()
d.update({
'parent_key': getattr(self, 'parent_key', None),
})
return d
def create(self, request, *args, **kwargs):
# If the object ID was not specified, it probably doesn't exist in the
# DB yet. We want to see if we can create it. The URL may choose to
# inject it's primary key into the object because we are posting to a
# subcollection. Use all the normal access control mechanisms.
# Make a copy of the data provided (since it's readonly) in order to
# inject additional data.
if hasattr(request.DATA, 'dict'):
data = request.DATA.dict()
else:
data = request.DATA
# add the parent key to the post data using the pk from the URL
parent_key = getattr(self, 'parent_key', None)
# logger.debug('SubListCreateAPIView.create: parent_key=%s', parent_key)
if parent_key:
data[parent_key] = self.kwargs['pk']
# logger.debug('SubListCreateAPIView.create: data.parent_key=%s', data[parent_key])
# attempt to deserialize the object
try:
serializer = self.serializer_class(data=data)
if not serializer.is_valid():
# logger.debug('SubListCreateAPIView.create: serializer failed validation')
return Response(serializer.errors,
status=status.HTTP_400_BAD_REQUEST)
except Exception, e:
# logger.debug('SubListCreateAPIView.create: serializer threw an error')
return Response("serializer errors",
status=status.HTTP_400_BAD_REQUEST)
# Verify we have permission to add the object as given.
if not check_user_access(request.user, self.model, 'add',
serializer.validated_data):
# logger.debug('SubListCreateAPIView.create: permission denied user=%s model=%s action=add',
# request.user, self.model._meta.verbose_name)
raise PermissionDenied()
# save the object through the serializer, reload and return the saved
# object deserialized
try:
self.pre_save(serializer.validated_data)
obj = serializer.save()
data = self.serializer_class(obj).data
except IntegrityError, e:
return Response("database integrity conflict",
status=status.HTTP_409_CONFLICT)
def check_push_permission(self, instance):
if not instance.has_push_permission(self.request.user):
raise PermissionDenied(
_('You do not have "Push" permissions in the related repository'
))
def update(self, request, *args, **kwargs):
customer = CustomerProfile.objects.get(pk=self.kwargs["pk"])
if not request.user == customer.owner:
raise PermissionDenied(
"You have no permissions to edit this customer profile")
return super().update(request, *args, **kwargs)
def _validate_user(self):
if not self.request.user.is_staff:
raise PermissionDenied()
def update(self, request, *args, **kwargs):
image = Image.objects.get(pk=self.kwargs["pk"])
if not request.user == image.owner:
raise PermissionDenied(
"You have no permissions to edit this photo")
return super().update(request, *args, **kwargs)
def collection_auth_check(request):
''' check permissions and
return a collection id (cid) if a collection exists and the user
has permission to upload. If not, a permission denied is returned.
'''
if DISABLE_BUILDING:
raise PermissionDenied(detail="Push is disabled.")
auth = request.META.get('HTTP_AUTHORIZATION', None)
# Load the body, which is json with variables
body_unicode = request.body.decode('utf-8')
body = json.loads(body_unicode)
# Get variables
tag = body.get('tag', 'latest')
name = body.get('name')
collection_name = format_collection_name(body.get('collection'))
print(tag, name, collection_name, auth, body)
# Authentication always required for push
if auth is None:
raise PermissionDenied(detail="Authentication Required")
owner = get_request_user(auth)
timestamp = generate_timestamp()
payload = "push|%s|%s|%s|%s|" % (collection_name, timestamp, name, tag)
# Validate Payload
print(payload)
if not validate_request(auth, payload, "push", timestamp):
raise PermissionDenied(detail="Unauthorized")
try:
collection = Collection.objects.get(name=collection_name)
except Collection.DoesNotExist:
collection = None
# Validate User Permissions, either for creating collection or adding
# Here we have permission if:
# 1- user collections are enabled with USER_COLLECTIONS
# 2- the user is a superuser or staff
# 3- the user is owner of a collection
if not has_permission(auth, collection, pull_permission=False):
raise PermissionDenied(detail="Unauthorized")
# If the user cannot create a new collection
if not owner.has_create_permission():
raise PermissionDenied(detail="Unauthorized")
# If we get here user has create permission, does collection exist?
if collection is None:
collection = Collection.objects.create(name=collection_name,
secret=str(uuid.uuid4()))
collection.save()
collection.owners.add(owner)
collection.save()
# Return json response with collection id
return JsonResponse({'cid': collection.id})
def destroy(self, request, *args, **kwargs):
ep = Ep.objects.get(pk=self.kwargs["pk"])
if not request.user == ep.owner:
raise PermissionDenied("You can not delete this episode")
return super().destroy(request, *args, **kwargs)
if request.user:
company = self.get_object()
if company_position := CompanyPosition.objects.filter(
company=company, user=request.user).first():
if company_position.can_edit:
return super().update(request, *args, **kwargs)
raise PermissionDenied()
def partial_update(self, request, *args, **kwargs):
if request.user:
company = self.get_object()
if company_position := CompanyPosition.objects.filter(
company=company, user=request.user).first():
if company_position.can_edit:
return super().partial_update(request, *args, **kwargs)
raise PermissionDenied()
@transaction.atomic()
def destroy(self, request, *args, **kwargs):
if request.user:
company = self.get_object()
if company_position := CompanyPosition.objects.filter(
company=company, user=request.user).first():
if company_position.is_admin:
for job in company_position.company.jobs.all():
job.delete()
for position in company_position.company.positions.all():
position.delete()
return super().destroy(request, *args, **kwargs)
raise PermissionDenied()
def is_image_owner(self, image, user):
if image.owner.id != user.id:
raise PermissionDenied()
def destroy(self, request, *args, **kwargs):
raise PermissionDenied(self.message)
