def test_rules(self): import rules rules.remove_perm('accounts.add_user') rules.add_perm('accounts.add_user', rules.always_allow) user = User.objects.create_user( username='******', nickname='user1', password='******', user_type=UserType.government) self.assertTrue(user.has_perm('accounts.add_user'))
def setup_test_perms(): """ Create missing permissions that would be defined in edx-platform, or elsewhere. edx-platform imports tests from edx-proctoring, which causes duplicate rules, so ignore the KeyError thrown by the rules package. """ try: rules.add_perm('accounts.can_retire_user', rules.is_staff) except KeyError: # pragma: no cover pass try: rules.add_perm('edx_proctoring.can_take_proctored_exam', rules.always_true) except KeyError: # pragma: no cover pass
import rules from ..profiles.models import Profile @rules.predicate def is_organiser(user, local_group): return local_group.organisers.filter(pk=user.pk).exists() @rules.predicate def is_approved(user): try: profile = user.profile except Profile.DoesNotExist: return False return profile.is_approved rules.add_perm("localgroups.create_local_group", is_approved) rules.add_perm("localgroups.change_local_group", is_organiser) rules.add_perm("localgroups.delete_local_group", is_organiser)
def get_context_data(self, **kwargs): ctx = super().get_context_data(**kwargs) ctx.update(next=urlquote(reverse("profile"))) return ctx @rules.predicate def can_change_userprofile(user, userprofile): print(user, userprofile) if not user or not userprofile: return False return userprofile.user == user rules.add_perm('userprofile.can_change', can_change_userprofile) class UserSocialAuthChangeView(LoginRequiredMixin, DetailView): model = UserSocialAuth allowed_methods = ['post'] def get_object(self, queryset=None): if queryset is None: queryset = self.get_queryset() pk = self.request.POST.get('id') if not pk: raise AttributeError("Post parameter 'id' is required.") try: obj = queryset.get(pk=pk) except ObjectDoesNotExist:
import rules from rules.predicates import is_superuser from adhocracy4.modules.predicates import (is_context_initiator, is_context_member, is_context_moderator, is_owner, is_public_context) from adhocracy4.phases.predicates import (phase_allows_add, phase_allows_change, phase_allows_comment, phase_allows_rate) from .models import MapIdea rules.add_perm('euth_maps.rate_mapidea', is_superuser | is_context_moderator | is_context_initiator | (is_context_member & phase_allows_rate)) rules.add_perm('euth_maps.comment_mapidea', is_superuser | is_context_moderator | is_context_initiator | (is_context_member & phase_allows_comment)) rules.add_perm('euth_maps.modify_mapidea', is_superuser | is_context_moderator | is_context_initiator | (is_context_member & is_owner & phase_allows_change)) rules.add_perm('euth_maps.propose_mapidea', is_superuser | is_context_moderator | is_context_initiator |
import rules @rules.predicate def is_creator(user, image): return user == image.creator.user rules.add_perm('images.view', is_creator)
from rules import add_perm, always_allow, is_authenticated, predicate @predicate def is_self(user, gestalt): return user == gestalt.user @predicate def is_public(user, gestalt): return gestalt.public add_perm('gestalten.view', is_public | (is_authenticated & is_self)) add_perm('gestalten.view_list', always_allow) add_perm('gestalten.change', is_authenticated & is_self) add_perm('gestalten.change_email', is_authenticated) add_perm('gestalten.change_password', is_authenticated) add_perm('gestalten.delete', is_authenticated) add_perm('account.confirm', always_allow) add_perm('account.set_password', is_authenticated) add_perm('account.signup', ~is_authenticated)
@rules.predicate def can_publish_podcast(user, podcast): if user.has_perm('snotes20.publish_episode'): return True if podcast.mums.filter(id=user.id).exists(): return True return False @rules.predicate def can_publish_episode(user, episode): return can_publish_podcast(user, episode.podcast) rules.add_perm('o_publish_episode', can_publish_episode) def can_view_document(user, document): return True rules.add_perm('o_view_document', can_view_document) def can_edit_document(user, document): if not user.is_authenticated(): return False return True rules.add_perm('o_edit_document', can_edit_document)
import rules @rules.predicate def is_activity_editor(user, activity): """ The following users can edit an activity: * The superuser * The activity owner """ return activity.owner == user @rules.predicate def is_activity_inspector(user, activity): """ The following users can inspect the content of an activity including student submissions and statistics: * The superuser * The activity owner """ return is_activity_editor(user, activity) or False rules.add_perm('activities.edit_activity', is_activity_editor) rules.add_perm('activities.inspect_activity', is_activity_inspector) rules.add_perm('activities.view_submission_stats', is_activity_inspector)
user=user, level=PermissionLevels.ADMIN, tenant__in=zone.tenants.all(), ).exists() @rules.predicate def is_any_tenant_admin(user): return Membership.objects.filter(user=user, level=PermissionLevels.ADMIN).exists() is_zone_tenant_member = rules.is_authenticated & is_zone_tenant_member is_zone_tenant_admin = rules.is_authenticated & is_zone_tenant_admin is_any_tenant_admin = rules.is_authenticated & is_any_tenant_admin @rules.predicate def is_admin(user): return user.is_superuser rules.add_perm('is_admin', is_admin) rules.add_perm('tenants.list_zones', rules.is_authenticated) rules.add_perm('tenants.view_zone', is_admin | is_zone_tenant_member) rules.add_perm('tenants.delete_zone', is_admin | is_zone_tenant_admin) rules.add_perm('tenants.create_zone', is_admin | is_any_tenant_admin) rules.add_perm('tenants.create_record', is_admin | is_zone_tenant_member) rules.add_perm('tenants.delete_record', is_admin | is_zone_tenant_member) rules.add_perm('tenants.edit_record', is_admin | is_zone_tenant_member)
@rules.predicate def member_of_team_role(user, role): return not user.is_anonymous and \ user.teams.filter(pk__in=role.teams.values_list('pk', flat=True)) # Team predicates @rules.predicate def member_of_team(user, team): return not user.is_anonymous and user.teams.filter(pk=team.pk).exists() # Permissions rules.add_perm('involvement', rules.always_allow) rules.add_perm('involvement.list_contactcard', is_super | has_role_perm) rules.add_perm('involvement.add_contactcard', is_super | has_role_perm) rules.add_perm('involvement.change_contactcard', is_super | member_of_team_contactcard & can_modify_contactcard) rules.add_perm('involvement.delete_contactcard', is_super | member_of_team_contactcard & can_modify_contactcard) rules.add_perm('involvement.list_application', is_super | has_role_perm) rules.add_perm('involvement.add_application', is_super | has_role_perm) rules.add_perm('involvement.change_application', is_super | member_of_team_appl & can_modify_application) rules.add_perm('involvement.delete_application', is_super | member_of_team_appl & can_modify_application)
"""Rules based permissions for the Q&A app""" # pylint: disable=missing-docstring # needed for rules # Third Party from rules import add_perm # MuckRock from muckrock.foia.rules import is_staff add_perm("qanda.block", is_staff)
# pylint: disable=unused-argument, invalid-unary-operand-type # Third Party from rules import add_perm, always_deny, is_authenticated, predicate # DocumentCloud from documentcloud.core.rules import skip_if_not_obj @predicate @skip_if_not_obj def is_private(user, organization): return organization.private @predicate @skip_if_not_obj def is_member(user, organization): return organization.has_member(user) is_public = ~is_private can_view = is_public | (is_authenticated & is_member) add_perm("organizations.view_organization", can_view) add_perm("organizations.add_organization", always_deny) add_perm("organizations.change_organization", always_deny) add_perm("organizations.delete_organization", always_deny)
'Transaction', 'TransactionSector', 'User', 'UserProjects', ] logger = logging.getLogger('akvo.rsr') # Permission rules import rules from ..permissions import (is_rsr_admin, is_org_admin, is_org_user_manager, is_org_me_manager, is_org_me_manager_or_project_editor, is_org_user, is_self, is_org_enumerator) rules.add_perm('rsr', rules.always_allow) rules.add_perm('rsr.add_benchmarkname', is_rsr_admin) rules.add_perm('rsr.change_benchmarkname', is_rsr_admin) rules.add_perm('rsr.add_country', is_rsr_admin) rules.add_perm('rsr.change_country', is_rsr_admin) rules.add_perm('rsr.add_budgetitemlabel', is_rsr_admin) rules.add_perm('rsr.change_budgetitemlabel', is_rsr_admin) rules.add_perm('rsr.add_category', is_rsr_admin) rules.add_perm('rsr.change_category', is_rsr_admin) rules.add_perm('rsr.add_focusarea', is_rsr_admin) rules.add_perm('rsr.change_focusarea', is_rsr_admin)
# Copyright 2018, GeoSolutions Sas. # All rights reserved. # # This source code is licensed under the BSD-style license found in the # LICENSE file in the root directory of this source tree. # ######################################################################### """Permissions for accessing track resources and info These permissions are kept in memory, they do not need to be stored in the db """ import logging import rules import profiles.rules logger = logging.getLogger(__name__) for perm, predicate in { "can_list_segments": profiles.rules.is_privileged_user, "can_list_tracks": profiles.rules.is_privileged_user, "can_list_own_segments": profiles.rules.is_end_user, "can_delete_own_segments": profiles.rules.is_end_user, "can_list_own_tracks": profiles.rules.is_end_user, "can_delete_own_tracks": profiles.rules.is_end_user, }.items(): rules.add_perm("tracks.{}".format(perm), predicate)
""" Django rules for accounts """ from __future__ import absolute_import from django.conf import settings import rules @rules.predicate def can_retire_user(user): """ Returns whether the user can retire accounts """ return ( user.username == settings.RETIREMENT_SERVICE_WORKER_USERNAME or user.is_superuser ) rules.add_perm('accounts.can_retire_user', can_retire_user)
@rules.predicate def can_view(user, association): return associations_models.Association.objects.can_view(user, container='content') \ .filter(pk=association.pk).exists() @rules.predicate def is_member_of_associated_group(user, content): for group in content.get_associated_groups(): if memberships.is_member_of(user, group): return True return False rules.add_perm( 'content.list', rules.always_allow) rules.add_perm( 'content.view', can_view) rules.add_perm( 'content.comment', rules.is_authenticated & can_view) rules.add_perm( 'content.create', rules.is_authenticated) rules.add_perm(
""" request = get_request_or_stub() decoded_jwt = get_decoded_jwt_from_request(request) if not context: return False return request_user_has_implicit_access_via_jwt( decoded_jwt, ENTERPRISE_COUPON_ADMIN_ROLE, context) @rules.predicate def request_user_has_explicit_access(user, context): """ Check that if request user has explicit access to `ENTERPRISE_COUPON_ADMIN_ROLE` feature role. Returns: boolean: whether the request user has access or not """ if not context: return False return user_has_access_via_database(user, ENTERPRISE_COUPON_ADMIN_ROLE, EcommerceFeatureRoleAssignment, context=context) rules.add_perm( 'enterprise.can_view_coupon', request_user_has_implicit_access | request_user_has_explicit_access) rules.add_perm( 'enterprise.can_assign_coupon', request_user_has_implicit_access | request_user_has_explicit_access)
import rules from codeschool.lms.activities.rules import is_editor rules.add_perm('questions.edit_question', is_editor)
import rules from adhocracy4.modules import predicates as module_predicates from meinberlin.apps.contrib import predicates as contrib_predicates from . import models rules.add_perm( 'meinberlin_polls.change_poll', module_predicates.is_context_initiator | module_predicates.is_context_moderator ) rules.add_perm( 'meinberlin_polls.view_poll', (module_predicates.is_project_admin | (module_predicates.is_allowed_view_item & contrib_predicates.has_context_started)) ) rules.add_perm( 'meinberlin_polls.comment_poll', module_predicates.is_allowed_comment_item ) # It has to be ensured that the permission is always checked against a module # never a Vote object. rules.add_perm( 'meinberlin_polls.add_vote', module_predicates.is_allowed_add_item(models.Vote)
profile = user.profile return profile.role == Profile.INTERN except (ObjectDoesNotExist, AttributeError): return False @rules.predicate def is_staff(user): try: profile = user.profile return profile.role == Profile.STAFF except (ObjectDoesNotExist, AttributeError): return False rules.add_perm("planner.view_intern_site", is_intern) rules.add_perm("planner.view_staff_site", is_staff) rules.add_perm("accounts.user.view_all", is_staff) rules.add_perm("accounts.profile.view_all", is_staff) rules.add_perm("accounts.intern.view_all", is_staff) rules.add_perm("rotations.rotation.view_all", is_staff) rules.add_perm("rotations.requested_department.view_all", is_staff) rules.add_perm("rotations.rotation_request.view_all", is_staff) rules.add_perm("rotations.rotation_request_response.view_all", is_staff) rules.add_perm("rotations.rotation_request_forward.view_all", is_staff) rules.add_perm("rotations.rotation_request_forward_response.view_all", is_staff) rules.add_perm("months.internship.view_all", is_staff)
import rules from . import models @rules.predicate def is_client(role, obj): return obj and role.type == role.CLIENT_ROLE and role.client == obj rules.add_perm('clients.view_client', is_client) rules.add_perm('clients.change_client', is_client) @rules.predicate def is_own_authorization(role, obj): return obj and role.type == role.PERSON_ROLE and role.person == obj.person rules.add_perm('clients.view_authorization', is_own_authorization) rules.add_perm('clients.change_authorization', is_own_authorization) rules.add_perm('clients.delete_authorization', is_own_authorization)
# Create your models here. class ContentCard(models.Model): title = models.CharField(max_length=100) message = models.TextField() objects = InheritanceManager() from_user = models.ForeignKey(User, default=1, related_name="creator") @rules.predicate def is_creator(user, card): return card.from_user == user rules.add_perm("cards.is_creator", is_creator) class ImageCard(ContentCard): image_url = models.CharField(max_length=10000, blank=True) def render(self): return self.title, self.message class TextCard(ContentCard): mood = models.CharField(max_length=100) tag = models.CharField(max_length=100, default=" ") class VideoCard(ContentCard):
from rules import add_perm, is_authenticated, predicate @predicate def is_subscribed(user, model): return user.gestalt.subscriptions \ .filter(subscribed_to_type=model.content_type, subscribed_to_id=model.id) \ .exists() add_perm('subscriptions.create', ~is_authenticated | (is_authenticated & ~is_subscribed)) add_perm('subscriptions.delete', is_authenticated & is_subscribed)
# -*- coding: utf-8 -*- import rules from rules.predicates import is_staff from rules.predicates import is_superuser from core.journal.predicates import is_journal_member from .defaults import AuthorizationConfig as AC from .predicates import HasAuthorization # This permission assume to use a 'Journal' object to perform the perm check rules.add_perm( 'authorization.manage_authorizations', is_superuser | is_staff | is_journal_member & HasAuthorization(AC.can_manage_authorizations), )
from .utils import in_editable_period # Business rules @rules.predicate def is_a_business_owner(user): return user.profile.is_owner @rules.predicate def is_business_owner(user, business): return user.profile.business == business and user.profile.is_owner rules.add_perm('cashup.view_business', is_business_owner) rules.add_perm('cashup.change_business', is_business_owner) # Personnel rules @rules.predicate def is_personnel_business_owner(user, personnel): return is_business_owner(user, personnel.business) @rules.predicate def is_personnel(user, personnel): return user.profile == personnel
from rules import predicate, add_perm, is_authenticated from speedy.core.accounts.base_rules import is_self from speedy.core.blocks.rules import there_is_block from speedy.core.accounts.models import User from .models import UserLike @predicate def already_likes(user, other_user): return UserLike.objects.filter(from_user=user, to_user=other_user).exists() @predicate def both_are_users(user, other_user): return ((isinstance(user, User)) and (isinstance(other_user, User))) add_perm('likes.like', is_authenticated & ~is_self & ~there_is_block & ~already_likes & both_are_users) add_perm('likes.unlike', is_authenticated & ~is_self & ~there_is_block & already_likes & both_are_users) add_perm('likes.view_likes', is_authenticated & is_self)
from friendship.models import Friend from rules import predicate, add_perm, is_authenticated from speedy.core.accounts.base_rules import is_self from speedy.core.blocks.rules import there_is_block @predicate def friend_request_sent(user, other_user): return other_user.id in [fr.to_user_id for fr in Friend.objects.sent_requests(user=user)] @predicate def is_friend(user, other_user): return Friend.objects.are_friends(user1=user, user2=other_user) are_friends = is_friend add_perm('friends.request', is_authenticated & ~is_self & ~friend_request_sent & ~is_friend & ~there_is_block) add_perm('friends.cancel_request', is_authenticated & friend_request_sent) add_perm('friends.view_requests', is_self) add_perm('friends.remove', is_authenticated & is_friend)
import rules from rules.predicates import is_superuser from euth.organisations.predicates import is_initiator from .predicates import is_live, is_member, is_public rules.add_perm('euth_projects.edit_project', is_superuser | is_initiator) rules.add_perm('projects.view_project', is_superuser | is_initiator | ((is_public | is_member) & is_live))
# -*- coding: utf-8 -*- import rules from rules.predicates import is_authenticated from rules.predicates import is_staff from rules.predicates import is_superuser from core.authorization.defaults import AuthorizationConfig as AC from core.authorization.predicates import HasAuthorization from core.journal.predicates import is_journal_member # This permission assume to use a 'Journal' object to perform the perm check rules.add_perm( 'editor.manage_issuesubmission', is_authenticated & ( is_superuser | is_staff | (is_journal_member & HasAuthorization(AC.can_manage_issuesubmission)) ), ) rules.add_perm( 'editor.review_issuesubmission', is_authenticated & (is_superuser | HasAuthorization(AC.can_review_issuesubmission)), )
@rules.predicate def can_view_problem(user, problem): displayable = is_challenge_displayable(user, problem.challenge) if not displayable: return False if settings.PROLOGIN_SEMIFINAL_MODE: from contest.models import Contestant return problem in Contestant.objects.get( user=user, edition=settings.PROLOGIN_EDITION).available_semifinal_problems return displayable @rules.predicate def is_code_submission_owner(user, code): return user == code.submission.user # Permissions rules.add_perm('problems.view_challenge', rules.is_staff | is_challenge_displayable) rules.add_perm('problems.view_problem', rules.is_staff | can_view_problem) rules.add_perm('problems.view_code_submission', rules.is_staff | is_code_submission_owner) rules.add_perm('problems.view_others_submissions', rules.is_staff) rules.add_perm('problems.create_problem_code_submission', rules.is_staff | can_view_problem) rules.add_perm('problems.recorrect_submission', rules.is_staff)
# Third Party Libraries import rules # Localhub from localhub.communities.rules import is_admin, is_inactive_member, is_member @rules.predicate def is_sender(user, join_request): return user == join_request.sender @rules.predicate def is_community_admin(user, join_request): return is_admin(user, join_request.community) @rules.predicate def is_join_request_allowed(user, community): return community.allow_join_requests rules.add_perm( "join_requests.create", is_join_request_allowed & ~is_member & ~is_inactive_member & rules.is_authenticated, ) rules.add_perm("join_requests.delete", is_sender | is_community_admin)
import rules @rules.predicate def is_in_relation(boby, relation): if boby in (relation.inviter, relation.invited): return True return False @rules.predicate def is_admin(boby): return boby.is_staff or boby.is_superuser rules.add_rule('can_change_bobyrelation', is_in_relation | is_admin) rules.add_rule('can_upload_users', is_admin) rules.add_perm('core.change_bobyrelation', is_in_relation | is_admin)
import rules from rules.predicates import is_superuser from adhocracy4.modules import predicates as module_predicates rules.add_perm( 'a4_candy_moderatorremark.add_moderatorremark', is_superuser | module_predicates.is_context_moderator | module_predicates.is_context_initiator) rules.add_perm( 'a4_candy_moderatorremark.change_moderatorremark', is_superuser | module_predicates.is_context_moderator | module_predicates.is_context_initiator)
if obj: if hasattr(obj, 'owner'): return user == obj.owner else: return False else: return False # 判斷物件是否為該單位人員可管理 @rules.predicate def is_org_object(user, obj): if obj: try: return user.org == obj.owner.org except: return False else: return False rules.add_perm('is_superuser', is_superuser) rules.add_perm('is_manager', is_manager) rules.add_perm('is_editor', is_editor) rules.add_perm('is_guest', is_guest) rules.add_perm('is_self', is_self) rules.add_perm('is_owner_object', is_owner_object) rules.add_perm('is_org_object', is_org_object) rules.add_perm( 'is_manager_object', (is_owner_object | (is_org_object & is_manager)) )
def is_project_admin(user, crowdsource): return (crowdsource.project_admin and crowdsource.project and crowdsource.project.has_contributor(user)) @predicate @skip_if_not_obj def has_gallery(user, crowdsource): return crowdsource.fields.filter(gallery=True).exists() is_crowdsource_admin = is_owner | is_staff | is_project_admin can_view = has_gallery | is_crowdsource_admin add_perm('crowdsource.add_crowdsource', has_feature_level(1) | is_experimental) add_perm('crowdsource.change_crowdsource', is_crowdsource_admin) add_perm('crowdsource.view_crowdsource', can_view) add_perm('crowdsource.delete_crowdsource', always_deny) add_perm('crowdsource.form_crowdsource', ~is_project_only | is_contributor | is_crowdsource_admin) def crowdsource_perm(perm): @predicate('crowdsource_perm:{}'.format(perm)) def inner(user, crowdsource_response): return user.has_perm('crowdsource.{}_crowdsource'.format(perm)) return inner
content_type = models.ForeignKey(ContentType) target_id = models.PositiveIntegerField() target = GenericForeignKey('content_type', 'target_id') view = 'accept_delete' def accept(self): object_ = self.target object_.delete() self.state = RequestStates.ACCEPTED self.save() def __str__(self): return 'Delete {}'.format(self.target) rules.add_perm('powerdns.add_deleterequest', rules.is_authenticated) class ChangeCreateRequest(Request): """Abstract change/create request""" ignore_fields = {'owner', 'created', 'modified'} class Meta: abstract = True def accept(self): object_ = self.get_object() for field_name in type(self).copy_fields: if field_name in self.ignore_fields: continue
import rules rules.add_perm('semifinal.monitor', rules.is_staff) rules.add_perm('semifinal.participate', rules.is_authenticated & rules.is_active)
@predicate def can_access(user, contribution): for association in contribution.container.associations.all(): if can_view(user, association): return True return False @predicate def is_conversation(user, contribution): return contribution.container.is_conversation @predicate def is_creator(user, contribution): return contribution.author == user.gestalt @predicate def is_multi_user_contribution(user, contribution): associations = contribution.container.associations return associations.count() > 1 or associations.first().entity.is_group add_perm('contributions.delete', ~is_conversation & is_authenticated & is_creator) add_perm('contributions.reply_to_author', is_multi_user_contribution & can_access) add_perm('contributions.view_internal', is_authenticated & is_member_of_associated_group)
import rules @rules.predicate def event_is_active(user, event): return event and event.is_active @rules.predicate def edition_is_active(user, edition): return edition and edition.is_active @rules.predicate def can_download_home(user, contestant): return contestant.is_home_public or contestant.user == user rules.add_perm('contest.submit_qualification', rules.is_authenticated & event_is_active) rules.add_perm('correction.can_correct', rules.is_staff) rules.add_perm('contest.can_download_home', can_download_home | rules.is_staff) rules.add_perm('contest.interschool.view_leaderboard', edition_is_active)
import rules @rules.predicate def is_feedback_author(user, feedback): return user == feedback.user @rules.predicate def was_first_feedback_for_contactpoint(user, contactpoint): return contactpoint.feedback.filter(user=user).count() == 1 rules.add_perm('contact.feedback_create', is_feedback_author | rules.is_staff) rules.add_perm('contact.feedback_publish', was_first_feedback_for_contactpoint | rules.is_staff)
from .models import AccessLevelChoice import rules @rules.predicate def has_access_permission(user, product): if product.access_level == AccessLevelChoice.private.name: if product.seller != user: return False return True rules.add_perm('products.can_access', has_access_permission)
settings.AUTH_USER_MODEL, null=False, blank=False, related_name='issued_authorisations', ) authorised = models.ForeignKey( settings.AUTH_USER_MODEL, null=False, blank=False, related_name='received_authorisations', ) content_type = models.ForeignKey(ContentType) target_id = models.PositiveIntegerField() target = GenericForeignKey('content_type', 'target_id') def __str__(self): return '{} authorised {} to {}'.format( self.owner, self.authorised, self.target, ) rules.add_perm('powerdns.add_authorisation', rules.is_authenticated) rules.add_perm( 'powerdns.change_authorisation', (rules.is_superuser | is_owner) ) rules.add_perm( 'powerdns.delete_authorisation', (rules.is_superuser | is_owner) )
import rules from mcod.lib.rules import assigned_to_organization, users_is_editor rules.add_perm('resources', rules.always_allow) rules.add_perm('resources.add_resource', assigned_to_organization) rules.add_perm('resources.view_resource', assigned_to_organization) rules.add_perm('resources.change_resource', assigned_to_organization) rules.add_perm('resources.delete_resource', users_is_editor) rules.add_perm('resources.view_resourcetrash', users_is_editor) rules.add_perm('resources.change_resourcetrash', users_is_editor)
import rules from rules.predicates import is_superuser from euth.modules.predicates import (is_context_initiator, is_context_member, is_context_moderator, is_public_context) from euth.phases.predicates import phase_allows_comment rules.add_perm('euth_documents.comment_paragraph', is_superuser | is_context_moderator | is_context_initiator | (is_context_member & phase_allows_comment)) rules.add_perm('euth_documents.comment_document', is_superuser | is_context_moderator | is_context_initiator | (is_context_member & phase_allows_comment)) rules.add_perm('euth_documents.create_document', is_superuser | is_context_moderator | is_context_initiator) rules.add_perm('euth_documents.view_paragraph', is_superuser | is_context_moderator | is_context_initiator | is_context_member | is_public_context)
except User.DoesNotExist: logger.error( f'Permission is_instructor_in_course_id: user {user.id} is not an instructor in course {course_id}' ) result = False # set cache self.context[f"{user.id}|{course_id}"] = result return result is_admin_or_enrolled_in_course = is_admin | is_enrolled_in_course is_admin_or_enrolled_in_course_or_load_pending = is_admin_or_enrolled_in_course | course_is_not_loaded is_admin_or_enrolled_in_course_id = is_admin | is_enrolled_in_course_id is_admin_or_instructor_in_course = is_admin | is_instructor_in_course is_admin_or_instructor_in_course_id = is_admin | is_instructor_in_course_id # api rules.add_perm('dashboard.get_course_info', is_admin_or_enrolled_in_course_or_load_pending) rules.add_perm('dashboard.update_course_info', is_admin_or_instructor_in_course) rules.add_perm('dashboard.resource_access_within_week', is_admin_or_enrolled_in_course) rules.add_perm('dashboard.grade_distribution', is_admin_or_enrolled_in_course) rules.add_perm('dashboard.update_user_default_selection_for_views', is_admin_or_enrolled_in_course) rules.add_perm('dashboard.get_user_default_selection', is_admin_or_enrolled_in_course) rules.add_perm('dashboard.assignments', is_admin_or_enrolled_in_course)
import rules @rules.predicate def is_teacher(user, page): """ The following users are treated as teachers: * The superuser * The page owner """ return page.owner == user rules.add_perm('attendance.see_passphrase', is_teacher) rules.add_perm('activities.edit_passphrase', is_teacher)
from rules import predicate, add_perm, is_authenticated from speedy.core.accounts.base_rules import is_self from speedy.core.blocks.rules import there_is_block from speedy.core.accounts.models import User from .models import UserLike @predicate def you_like_user(user, other_user): return UserLike.objects.filter(from_user=user, to_user=other_user).exists() @predicate def user_likes_you(user, other_user): return UserLike.objects.filter(from_user=other_user, to_user=user).exists() @predicate def both_are_users(user, other_user): return ((isinstance(user, User)) and (isinstance(other_user, User))) add_perm( 'likes.like', is_authenticated & ~is_self & ~there_is_block & ~you_like_user & both_are_users) add_perm( 'likes.unlike', is_authenticated & ~is_self & ~there_is_block & you_like_user & both_are_users) add_perm('likes.view_likes', is_authenticated & is_self)
# -*- coding: utf-8 -*- from __future__ import absolute_import from __future__ import unicode_literals import rules from rules.predicates import is_staff from rules.predicates import is_superuser from wikilegis.core.models import Bill @rules.predicate def is_bill_editor(user, bill): if bill is None: return Bill.objects.filter(editors__pk__in=user.groups.values('pk')).count() else: return user.groups.filter(pk__in=bill.editors.values('pk')).count() > 0 @rules.predicate def is_segment_editor(user, segment): return is_bill_editor(user, segment.bill if segment else None) rules.add_perm('core.change_bill', is_superuser | is_staff & is_bill_editor) rules.add_perm('core.add_billsegment', is_superuser | is_staff & is_segment_editor) rules.add_perm('core.change_billsegment', is_superuser | is_staff & is_segment_editor) rules.add_perm('core.delete_billsegment', is_superuser | is_staff & is_segment_editor)
def allow_check(user): return True @rules.predicate() def is_event_creator(user, content): print('content', content) print('user', user) # return content.created_by == user # return Event.objects.filter(created_by=user).exists() @rules.predicate def can_create_event(user): # write some predicate here instead of just returning True return True rules.add_perm('event_app.create_event', is_user) rules.add_perm('event_app.delete_event', is_event_creator) rules.add_perm('event_app.list_events', allow_check) rules.add_perm('event_app.update_event', allow_check) """ Example Usage of rules: @rules.predicate def is_a_climber(user): return Climber.objects.filter(user=user).exists() @rules.predicate def is_a_routesetter(user): return RouteSetter.objects.filter(user=user).exists()
from rules import add_perm, is_authenticated, predicate @predicate def is_subscribed(user, model): return user.gestalt.subscriptions \ .filter(subscribed_to_type=model.content_type, subscribed_to_id=model.id) \ .exists() add_perm('subscriptions.create', ~is_authenticated | (is_authenticated & ~is_subscribed)) add_perm('subscriptions.delete', is_authenticated & is_subscribed) add_perm('subscriptions.delete_request', ~is_authenticated)
@rules.predicate def has_explicit_access_to_reporting_api(user, obj): """ Check that if request user has explicit access to `ENTERPRISE_REPORTING_CONFIG_ADMIN_ROLE` feature role. Returns: boolean: whether the request user has access or not """ return user_has_access_via_database( user, ENTERPRISE_REPORTING_CONFIG_ADMIN_ROLE, EnterpriseFeatureUserRoleAssignment, obj) rules.add_perm( 'enterprise.can_access_admin_dashboard', has_implicit_access_to_dashboard | has_explicit_access_to_dashboard) rules.add_perm('enterprise.can_view_catalog', has_implicit_access_to_catalog | has_explicit_access_to_catalog) rules.add_perm( 'enterprise.can_enroll_learners', has_implicit_access_to_enrollment_api | has_explicit_access_to_enrollment_api) rules.add_perm( 'enterprise.can_manage_reporting_config', has_implicit_access_to_reporting_api | has_explicit_access_to_reporting_api)
ordering = ['-updated'] class Issue(models.Model): content_type = models.ForeignKey(ContentType) object_id = models.PositiveIntegerField() target = GenericForeignKey('content_type', 'object_id') name = models.CharField(max_length=256) def get_absolute_url(self): return self.target.get_absolute_url() @rules.predicate def is_dog_owner(user, dog): return dog.owner == user rules.add_perm('core.change_dog', is_dog_owner) def dog_with_empty_gallery(self): return True # FIXME def default_dog(self): return self.dogs.first() User.empty_gallery = dog_with_empty_gallery User.default_dog = default_dog
).exists() @rules.predicate def is_reviewer(user, obj): if not user or user.is_anonymous or not obj: return False from pretalx.person.models import EventPermission return user.is_administrator or EventPermission.objects.filter( user=user, event=obj.event, is_reviewer=True ).exists() @rules.predicate def is_administrator(user, obj): return user.is_administrator @rules.predicate def person_can_view_information(user, obj): event = obj.event submissions = event.submissions.filter(speakers__in=[user]) if obj.include_submitters: return submissions.exists() if obj.exclude_unconfirmed: return submissions.filter(state=SubmissionStates.CONFIRMED).exists() return submissions.filter(state__in=[SubmissionStates.CONFIRMED, SubmissionStates.ACCEPTED]).exists() rules.add_perm('person.view_information', is_orga | person_can_view_information)
# -*- coding: utf-8 -*- import rules from rules.predicates import is_authenticated from rules.predicates import is_staff from rules.predicates import is_superuser from core.authorization.defaults import AuthorizationConfig as AC from core.authorization.predicates import HasAuthorization rules.add_perm( 'royalty_reports.consult_royalty_reports', is_authenticated & ( is_superuser | is_staff | HasAuthorization(AC.can_consult_royalty_reports) ), )
import rules from rules.predicates import is_superuser from adhocracy4.modules.predicates import (is_context_initiator, is_context_moderator) from adhocracy4.phases.predicates import phase_allows_add from .models import Question rules.add_perm('a4_candy_questions.change_question', is_superuser | is_context_moderator | is_context_initiator) rules.add_perm('a4_candy_questions.propose_question', phase_allows_add(Question)) rules.add_perm('a4_candy_questions.view_question', rules.always_allow)
from features.groups import rules as groups from features.memberships import predicates as memberships import rules rules.add_perm( 'sharing.recommend_group', rules.always_allow) rules.add_perm( 'sharing.invite_member', rules.is_authenticated & memberships.is_member_of & ~groups.is_closed)
import rules from accounts.models import User from .models import Event, Schedule @rules.predicate def is_schedule_owner(user: User, schedule: Schedule): return schedule.user == user @rules.predicate def is_superuser(user: User): return user.is_superuser @rules.predicate def is_event_owner(user: User, event: Event): return event.schedule.user == user rules.add_perm("scheduling.change_schedule", is_schedule_owner | is_superuser) rules.add_perm("scheduling.view_schedule", is_schedule_owner | is_superuser) rules.add_perm("scheduling.delete_schedule", is_schedule_owner | is_superuser) rules.add_perm("scheduling.change_event", is_event_owner | is_superuser) rules.add_perm("scheduling.view_event", is_event_owner | is_superuser) rules.add_perm("scheduling.delete_event", is_event_owner | is_superuser)
from rules import add_perm, always_allow, is_authenticated, predicate from features.memberships import predicates as memberships @predicate def is_closed(user, group): return group.closed @predicate def is_group(user, entity): return entity.is_group add_perm('groups.create_group', always_allow) add_perm('groups.view', always_allow) add_perm('groups.view_list', always_allow) add_perm('groups.change', is_authenticated & memberships.is_member_of) add_perm('groups.change_subscriptions_memberships', is_authenticated)
}) class Meta: ordering = ['begin', 'name'] unique_together = ('community', 'slug') @rules.predicate def can_edit_event(user, event): if not user or not event: return False return user.has_perm('community.can_edit', event.community) rules.add_perm('event.can_edit', can_edit_event) @rules.predicate def is_subscriber(user, event): if not user or not event: return False return user in event.community.subscribers.all() rules.add_perm('event.can_rsvp', is_subscriber) rules.add_perm('event.can_create_comment', is_subscriber) class EventRSVP(TimeStampedModel):