Example #1
0
    def can_unlock(self, item, user_id):
        """
        Function checks whether user can unlock the item or not.
        """
        can_user_edit, error_message = superdesk.get_resource_service('archive').can_edit(item, user_id)

        if can_user_edit:
            if not (str(item.get(LOCK_USER, '')) == str(user_id) or
                    (current_user_has_privilege('archive') and current_user_has_privilege('unlock'))):
                return False, 'You don\'t have permissions to unlock an item.'
        else:
            return False, error_message

        return True, ''
Example #2
0
 def _validate_user(self, doc_user_id, doc_is_global):
     session_user = get_user(required=True)
     if str(session_user['_id']) != str(doc_user_id):
         if not doc_is_global:
             raise SuperdeskApiError.forbiddenError('Unauthorized to modify other user\'s local search.')
         elif not current_user_has_privilege('global_saved_searches'):
             raise SuperdeskApiError.forbiddenError('Unauthorized to modify global search.')
 def _validate_on_create(doc):
     """
     User can only create global report if they have 'global_saved_reports' permission
     """
     if doc.get('is_global', False) and not current_user_has_privilege(
             'global_saved_reports'):
         raise SuperdeskApiError.forbiddenError(
             'Unauthorized to create global report.')
Example #4
0
 def check_post_permission(self, post):
     to_be_checked = (dict(status='open',
                           privilege_required='publish_post'),
                      dict(status='submitted',
                           privilege_required='submit_post'))
     for rule in to_be_checked:
         if 'post_status' in post and post['post_status'] == rule['status']:
             if not current_user_has_privilege(rule['privilege_required']):
                 raise SuperdeskApiError.forbiddenError(
                     message='User does not have sufficient permissions.')
Example #5
0
 def check_post_permission(self, post):
     to_be_checked = (
         dict(status='open', privilege_required='publish_post'),
         dict(status='submitted', privilege_required='submit_post')
     )
     for rule in to_be_checked:
         if 'post_status' in post and post['post_status'] == rule['status']:
             if not current_user_has_privilege(rule['privilege_required']):
                 raise SuperdeskApiError.forbiddenError(
                     message='User does not have sufficient permissions.')
Example #6
0
    def on_update(self, updates, original):
        if 'name' in updates and not current_user_has_privilege(
                'planning_agenda_management'):
            raise SuperdeskApiError.forbiddenError(
                'Insufficient privileges to update agenda.')

        user = get_user()
        if user and user.get(config.ID_FIELD):
            updates['version_creator'] = user[config.ID_FIELD]

        self._validate_unique_agenda(updates, original)
Example #7
0
    def process_subscription(self, updates, original):
        """Do subscribe user if requested"""
        subscribers = updates.get('subscribers')
        if not subscribers:
            return
        if not current_user_has_privilege('saved_searches_subscriptions'):
            raise SuperdeskApiError.forbiddenError(
                _('Unauthorized to modify subscriptions.'))

        session_user = get_user_id(required=True)
        ori_subscribers = original.get('subscribers', {})
        subscribers_users = subscribers.get('user_subscriptions', [])
        try:
            ori_sub_users = {
                (d['user'], d['scheduling'])
                for d in ori_subscribers.get('user_subscriptions', [])
            }
        except AttributeError:
            ori_sub_users = set()
        updates_sub_users = {(d['user'], d['scheduling'])
                             for d in subscribers_users}
        # users which have either new or modified subscriptions
        updated_subscribers = {
            s[0]
            for s in set(updates_sub_users).difference(ori_sub_users)
        }
        # users which have subscriptions removed
        removed_subscribers = {
            s[0]
            for s in ori_sub_users.difference(updates_sub_users)
        }
        if not updated_subscribers.issubset({
                session_user
        }) or not removed_subscribers.issubset({session_user}):
            # user tries to modify other user(s) subscriptions, is she allowed to?
            if not current_user_has_privilege(
                    'saved_searches_subscriptions_admin'):
                raise SuperdeskApiError.forbiddenError(
                    _("Unauthorized to modify other users' subscriptions."))
    def _validate_ownership(doc):
        """
        Validate saved reports on update/delete

        User can only update/delete their own reports, or global reports if they the
        'global_saved_reports' have permission
        """
        session_user = get_user(required=True)
        if str(session_user['_id']) != str(doc.get('user', '')):
            if not doc.get('is_global', False):
                raise SuperdeskApiError.forbiddenError(
                    'Unauthorized to modify other user\'s local report.')
            elif not current_user_has_privilege('global_saved_reports'):
                raise SuperdeskApiError.forbiddenError(
                    'Unauthorized to modify global report.')
Example #9
0
    def can_edit(self, item, user_id):
        """
        Determines if the user can edit the item or not.
        """
        # TODO: modify this function when read only permissions for stages are implemented
        # TODO: and Content state related checking.

        if not current_user_has_privilege('archive'):
            return False, 'User does not have sufficient permissions.'

        item_location = item.get('task')

        if item_location:
            if item_location.get('desk'):
                if not superdesk.get_resource_service('user_desks').is_member(user_id, item_location.get('desk')):
                    return False, 'User is not a member of the desk.'
            elif item_location.get('user'):
                if not str(item_location.get('user')) == str(user_id):
                    return False, 'Item belongs to another user.'

        return True, ''
Example #10
0
 def can_edit(self, item, user_id):
     # Check privileges
     if not current_user_has_privilege('planning_planning_management'):
         return False, 'User does not have sufficient permissions.'
     return True, ''
Example #11
0
def send_to(doc,
            update=None,
            desk_id=None,
            stage_id=None,
            user_id=None,
            default_stage="incoming_stage"):
    """Send item to given desk and stage.

    Applies the outgoing and incoming macros of current and destination stages

    :param doc: original document to be sent
    :param update: updates for the document
    :param desk: id of desk where item should be sent
    :param stage: optional stage within the desk
    :param default_stage: if no stage_id is passed then it determines the stage in that desk the doc is assigned,
            either the the incomming stage or the working stage.
    """

    original_task = doc.setdefault("task", {})
    current_stage = None
    if original_task.get("stage"):
        current_stage = get_resource_service("stages").find_one(
            req=None, _id=original_task.get("stage"))
    desk = destination_stage = None
    task = {
        "desk": desk_id,
        "stage": stage_id,
        "user": original_task.get("user") if user_id is None else user_id
    }

    if current_stage:
        apply_stage_rule(doc, update, current_stage, MACRO_OUTGOING)

    if desk_id:
        desk = superdesk.get_resource_service("desks").find_one(req=None,
                                                                _id=desk_id)
        if not desk:
            raise SuperdeskApiError.notFoundError(
                _("Invalid desk identifier {desk_id}").format(desk_id=desk_id))

        if not current_user_has_privilege("move") and str(user_id) not in [
                str(x.get("user", "")) for x in desk.get("members", [])
        ]:
            raise SuperdeskApiError.forbiddenError(
                _("User is not member of desk: {desk_id}").format(
                    desk_id=desk_id))

        task["desk"] = desk_id
        if not stage_id:
            task["stage"] = desk.get(default_stage)
            destination_stage = get_resource_service("stages").find_one(
                req=None, _id=desk.get(default_stage))

    if stage_id:
        destination_stage = get_resource_service("stages").find_one(
            req=None, _id=stage_id)
        if not destination_stage:
            raise SuperdeskApiError.notFoundError(
                _("Invalid stage identifier {stage_id}").format(
                    stage_id=stage_id))

        task["desk"] = destination_stage["desk"]
        task["stage"] = stage_id

    if destination_stage:
        apply_stage_rule(doc,
                         update,
                         destination_stage,
                         MACRO_INCOMING,
                         desk=desk,
                         task=task)
        if destination_stage.get("task_status"):
            task["status"] = destination_stage["task_status"]

    if update:
        update.setdefault("task", {})
        update["task"].update(task)
        update["expiry"] = get_item_expiry(desk=desk, stage=destination_stage)
    else:
        doc["task"].update(task)
        doc["expiry"] = get_item_expiry(desk=desk, stage=destination_stage)
Example #12
0
def send_to(doc,
            update=None,
            desk_id=None,
            stage_id=None,
            user_id=None,
            default_stage='incoming_stage'):
    """Send item to given desk and stage.

    Applies the outgoing and incoming macros of current and destination stages

    :param doc: original document to be sent
    :param update: updates for the document
    :param desk: id of desk where item should be sent
    :param stage: optional stage within the desk
    :param default_stage: if no stage_id is passed then it determines the stage in that desk the doc is assigned,
            either the the incomming stage or the working stage.
    """

    original_task = doc.setdefault('task', {})
    current_stage = None
    if original_task.get('stage'):
        current_stage = get_resource_service('stages').find_one(
            req=None, _id=original_task.get('stage'))
    desk = destination_stage = None
    task = {
        'desk': desk_id,
        'stage': stage_id,
        'user': original_task.get('user') if user_id is None else user_id
    }

    if current_stage:
        apply_stage_rule(doc, update, current_stage, MACRO_OUTGOING)

    if desk_id:
        desk = superdesk.get_resource_service('desks').find_one(req=None,
                                                                _id=desk_id)
        if not desk:
            raise SuperdeskApiError.notFoundError(
                _('Invalid desk identifier {desk_id}').format(desk_id=desk_id))

        if not current_user_has_privilege('move') and \
                str(user_id) not in [str(x.get('user', '')) for x in desk.get('members', [])]:
            raise SuperdeskApiError.forbiddenError(
                _('User is not member of desk: {desk_id}').format(
                    desk_id=desk_id))

        task['desk'] = desk_id
        if not stage_id:
            task['stage'] = desk.get(default_stage)
            destination_stage = get_resource_service('stages').find_one(
                req=None, _id=desk.get(default_stage))

    if stage_id:
        destination_stage = get_resource_service('stages').find_one(
            req=None, _id=stage_id)
        if not destination_stage:
            raise SuperdeskApiError.notFoundError(
                _('Invalid stage identifier {stage_id}').format(
                    stage_id=stage_id))

        task['desk'] = destination_stage['desk']
        task['stage'] = stage_id

    if destination_stage:
        apply_stage_rule(doc,
                         update,
                         destination_stage,
                         MACRO_INCOMING,
                         desk=desk,
                         task=task)
        if destination_stage.get('task_status'):
            task['status'] = destination_stage['task_status']

    if update:
        update.setdefault('task', {})
        update['task'].update(task)
        update['expiry'] = get_item_expiry(desk=desk, stage=destination_stage)
    else:
        doc['task'].update(task)
        doc['expiry'] = get_item_expiry(desk=desk, stage=destination_stage)
        superdesk.get_resource_service('desks').apply_desk_metadata(doc, doc)
Example #13
0
 def _validate_user(self, doc_user_id, doc_is_global):
     session_user = get_user(required=True)
     if str(session_user['_id']) != doc_user_id and \
             not (current_user_has_privilege('global_saved_searches') and doc_is_global):
         raise SuperdeskApiError.forbiddenError('Unauthorized to modify global search.')
 def _validate_user(self, doc_user_id, doc_is_global):
     session_user = get_user(required=True)
     if str(session_user['_id']) != doc_user_id and \
             not (current_user_has_privilege('global_saved_searches') and doc_is_global):
         raise SuperdeskApiError.forbiddenError(
             'Unauthorized to modify global search.')