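def find_one(self, req, checkUser=True, **lookup):
    """Fetch one blog and, unless ``checkUser`` is False, enforce read access.

    A non-admin caller may open the blog when they are listed in
    ``members``, are its ``original_creator``, or have a role record;
    otherwise ``SuperdeskApiError.forbiddenError`` is raised.

    :param req: request object forwarded to the parent ``find_one``
    :param checkUser: when False the membership/role check is skipped entirely
    :param lookup: lookup filter forwarded to the parent ``find_one``
    :return: the blog document, or ``None`` when nothing matched
    :raises SuperdeskApiError.forbiddenError: non-admin caller who is neither a
        member nor the creator and has no role record
    """
    doc = super().find_one(req, **lookup)
    # No match: hand the miss back instead of failing on ``None.get`` below
    # (the parent lookup is expected to return ``None`` in that case).
    if doc is None:
        return None
    if not checkUser:
        return doc
    # Resolve the current user once rather than once per lookup.
    user = get_user()
    if is_admin(user):
        return doc
    # Ids are compared as strings so a str vs. ObjectId mismatch cannot
    # silently fail the membership test.
    allowed_ids = {str(m['user']) for m in doc.get('members', [])}
    owner = doc.get('original_creator')
    if owner is not None:
        allowed_ids.add(str(owner))
    if str(user.get('_id')) not in allowed_ids:
        # NOTE(review): any role record at all grants access here, whatever
        # privileges that role carries — confirm this is the intended policy.
        roles = get_resource_service('roles').find_one(req=None, _id=user.get('role'))
        if not roles:
            raise SuperdeskApiError.forbiddenError(message='you do not have permission to open this blog')
    return doc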
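def find_one(self, req, **lookup):
    """Fetch one blog and enforce read access for non-admin callers.

    A non-admin caller may open the blog when they are listed in
    ``members``, are its ``original_creator``, or have a role record;
    otherwise ``SuperdeskApiError.forbiddenError`` is raised.

    :param req: request object forwarded to the parent ``find_one``
    :param lookup: lookup filter forwarded to the parent ``find_one``
    :return: the blog document, or ``None`` when nothing matched
    :raises SuperdeskApiError.forbiddenError: non-admin caller who is neither a
        member nor the creator and has no role record
    """
    doc = super().find_one(req, **lookup)
    # No match: return the miss instead of failing on ``None.get`` below
    # (the parent lookup is expected to return ``None`` in that case).
    if doc is None:
        return None
    # Resolve the current user once rather than once per lookup.
    user = get_user()
    if is_admin(user):
        return doc
    # Ids are compared as strings so a str vs. ObjectId mismatch cannot
    # silently fail the membership test.
    allowed_ids = {str(m["user"]) for m in doc.get("members", [])}
    owner = doc.get("original_creator")
    if owner is not None:
        allowed_ids.add(str(owner))
    if str(user.get("_id")) not in allowed_ids:
        # NOTE(review): any role record at all grants access here, whatever
        # privileges that role carries — confirm this is the intended policy.
        roles = get_resource_service("roles").find_one(req=None, _id=user.get("role"))
        if not roles:
            raise SuperdeskApiError.forbiddenError(message="you do not have permission to open this blog")
    return doc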
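def _validate_updates(self, original, updates, user):
    """Validate ``updates`` to an article and raise on the first violated rule.

    Checked, in this order:

    1. The item is on a read-only stage (``_test_readonly_stage``).
    2. The article is locked by a user other than the requester
       (``force_unlock`` in ``updates`` overrides this).
    3. The article state is Killed or Recalled.
    4. A Public Service Announcement (``body_footer``) is being added to a
       normal package.
    5. The requester may not change ``unique_name`` (admins, holders of the
       ``metadata_uniquename`` privilege and ``force_unlock`` are allowed).
    6. The genre of a broadcast article is being changed.
    7. The article is being scheduled while still in a package
       (``force_unlock`` overrides this).
    8. The schedule timestamp is invalid.
    9. Crops are invalid for a picture.
    10. The package is invalid for a composite item.
    11. The embargo is invalid.
    12. ``anpa_category`` contains duplicate qcodes.
    13. ``subject`` contains duplicate qcodes.

    :param original: the stored article
    :param updates: the requested changes; ``SCHEDULE_SETTINGS`` is written
        back into it when a schedule or embargo is touched
    :param user: the requesting user document, or ``None``
    :raises SuperdeskApiError.forbiddenError: locked by another user, state
        is Killed/Recalled, or the ``unique_name`` change is not authorised
    :raises SuperdeskApiError.badRequestError: PSA on a package, genre change
        on a broadcast, invalid scheduling, or duplicate category/subject codes
    """
    updated = original.copy()
    updated.update(updates)

    self._test_readonly_stage(original, updates)

    lock_user = original.get('lock_user', None)
    # NOTE(review): ``force_unlock`` is read straight from the update payload
    # and bypasses the lock, unique_name privilege and in-package schedule
    # checks below; confirm it is privilege-gated upstream.
    force_unlock = updates.get('force_unlock', False)
    str_user_id = str(user.get(config.ID_FIELD)) if user else None
    if lock_user and str(lock_user) != str_user_id and not force_unlock:
        raise SuperdeskApiError.forbiddenError('The item was locked by another user')

    if original.get(ITEM_STATE) in {CONTENT_STATE.KILLED, CONTENT_STATE.RECALLED}:
        raise SuperdeskApiError.forbiddenError("Item isn't in a valid state to be updated.")

    if updates.get('body_footer') and is_normal_package(original):
        raise SuperdeskApiError.badRequestError("Package doesn't support Public Service Announcements")

    if 'unique_name' in updates and not is_admin(user) and not force_unlock:
        # Fail closed: a missing user or one without ``active_privileges`` is
        # treated as unprivileged instead of raising TypeError/KeyError.
        privileges = (user or {}).get('active_privileges') or {}
        if privileges.get('metadata_uniquename', 0) == 0:
            raise SuperdeskApiError.forbiddenError("Unauthorized to modify Unique Name")

    # Broadcast content keeps its genre.
    if original.get('broadcast') and updates.get('genre') and any(
        (genre.get('qcode') or '').lower() != BROADCAST_GENRE.lower()
        for genre in updates.get('genre')
    ):
        raise SuperdeskApiError.badRequestError('Cannot change the genre for broadcast content.')

    # The literal "schedule_settings" is kept as written; presumably it equals
    # SCHEDULE_SETTINGS — confirm before replacing it.
    if PUBLISH_SCHEDULE in updates or "schedule_settings" in updates:
        if is_item_in_package(original) and not force_unlock:
            raise SuperdeskApiError.badRequestError(
                'This item is in a package and it needs to be removed before the item can be scheduled!'
            )
        update_schedule_settings(updated, PUBLISH_SCHEDULE, updated.get(PUBLISH_SCHEDULE))
        if updates.get(PUBLISH_SCHEDULE):
            validate_schedule(updated.get(SCHEDULE_SETTINGS, {}).get('utc_{}'.format(PUBLISH_SCHEDULE)))
        updates[SCHEDULE_SETTINGS] = updated.get(SCHEDULE_SETTINGS, {})

    if original[ITEM_TYPE] == CONTENT_TYPE.PICTURE:
        CropService().validate_multiple_crops(updates, original)
    elif original[ITEM_TYPE] == CONTENT_TYPE.COMPOSITE:
        self.packageService.on_update(updates, original)

    # The embargo is validated only after the package service's circular
    # reference check above has passed.
    update_schedule_settings(updated, EMBARGO, updated.get(EMBARGO))
    self.validate_embargo(updated)
    if EMBARGO in updates or "schedule_settings" in updates:
        updates[SCHEDULE_SETTINGS] = updated.get(SCHEDULE_SETTINGS, {})

    def _qcodes(field):
        # ``or []`` also covers an explicit ``None`` in the payload.
        return [q['qcode'] for q in updates.get(field, []) or []]

    category_qcodes = _qcodes('anpa_category')
    if len(set(category_qcodes)) < len(category_qcodes):
        raise SuperdeskApiError.badRequestError("Duplicate category codes are not allowed")

    subject_qcodes = _qcodes('subject')
    if len(set(subject_qcodes)) < len(subject_qcodes):
        raise SuperdeskApiError.badRequestError("Duplicate subjects are not allowed")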
def _validate_updates(self, original, updates, user):
    """Reject ``updates`` to an article that violate any of the rules below.

    Raised, in this order, on the first failing rule:

    * forbiddenError - locked by another user (unless ``force_unlock`` is
      set in ``updates``), state is Killed, or ``unique_name`` changed
      without the ``metadata_uniquename`` privilege (admins exempt);
    * badRequestError - Public Service Announcement added to a normal
      package, genre changed on a broadcast, scheduling an item that sits
      in a package, an invalid schedule, invalid crops (pictures), an
      invalid package (composites), an invalid embargo, or duplicate
      ``anpa_category`` / ``subject`` qcodes.

    :param original: the stored article
    :param updates: the requested changes
    :param user: the requesting user document (may be ``None``)
    """
    locked_by = original.get('lock_user', None)
    override_lock = updates.get('force_unlock', False)
    requester_id = str(user.get(config.ID_FIELD)) if user else None
    if locked_by and not override_lock and str(locked_by) != requester_id:
        raise SuperdeskApiError.forbiddenError('The item was locked by another user')

    if original.get(ITEM_STATE) == CONTENT_STATE.KILLED:
        raise SuperdeskApiError.forbiddenError("Item isn't in a valid state to be updated.")

    if updates.get('body_footer') and is_normal_package(original):
        raise SuperdeskApiError.badRequestError("Package doesn't support Public Service Announcements")

    if 'unique_name' in updates and not is_admin(user):
        if user['active_privileges'].get('metadata_uniquename', 0) == 0:
            raise SuperdeskApiError.forbiddenError("Unauthorized to modify Unique Name")

    # A broadcast item must keep the broadcast genre on every entry.
    new_genres = updates.get('genre')
    if original.get('broadcast') and new_genres:
        wanted = BROADCAST_GENRE.lower()
        if not all(g.get('value', '').lower() == wanted for g in new_genres):
            raise SuperdeskApiError.badRequestError('Cannot change the genre for broadcast content.')

    # The epoch date is treated as "no schedule", so it is not validated.
    schedule = updates.get('publish_schedule')
    if schedule and original[ITEM_STATE] != CONTENT_STATE.SCHEDULED \
            and schedule.date() != datetime.datetime.fromtimestamp(0).date():
        if is_item_in_package(original):
            raise SuperdeskApiError.badRequestError(
                'This item is in a package and it needs to be removed before the item can be scheduled!')
        takes = TakesPackageService().get_take_package(original) or {}
        validate_schedule(schedule, takes.get(SEQUENCE, 1))

    item_type = original[ITEM_TYPE]
    if item_type == CONTENT_TYPE.PICTURE:
        CropService().validate_multiple_crops(updates, original)
    elif item_type == CONTENT_TYPE.COMPOSITE:
        self.packageService.on_update(updates, original)

    # Embargo validation runs only once the package service has passed its
    # circular-reference check.
    merged = original.copy()
    merged.update(updates)
    self.validate_embargo(merged)

    for field, message in (
        ('anpa_category', "Duplicate category codes are not allowed"),
        ('subject', "Duplicate subjects are not allowed"),
    ):
        codes = [entry['qcode'] for entry in updates.get(field, []) or []]
        if len(set(codes)) < len(codes):
            raise SuperdeskApiError.badRequestError(message)
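def on_update(self, updates, original):
    """Prepare and validate ``updates`` before an article is patched.

    ``updates`` is mutated in place: ``ITEM_OPERATION`` is set,
    ``publish_schedule`` is cleared or validated, unwanted fields are
    stripped, the state may be updated, ``original_creator`` is defaulted,
    ``versioncreated`` / ``version_creator``, expiry, sign-off, word count
    and version are stamped, ``force_unlock`` is removed and crops are
    created. When a scheduled item has its ``publish_schedule`` touched it
    is descheduled (together with a scheduled takes package) and nothing
    else is done.

    :param updates: the requested changes (mutated in place)
    :param original: the stored article
    :raises SuperdeskApiError.badRequestError: scheduling an item that is in
        a package
    :raises SuperdeskApiError.forbiddenError: ``unique_name`` change without
        privilege, or the item is locked by another user
    """
    updates[ITEM_OPERATION] = ITEM_UPDATE
    is_update_allowed(original)
    user = get_user()

    if 'publish_schedule' in updates and original['state'] == 'scheduled':
        # Any touch of publish_schedule on a scheduled item is a deschedule.
        self.deschedule_item(updates, original)
        # Deschedule the takes package too, if there is a scheduled one.
        package = TakesPackageService().get_take_package(original)
        if package and package.get('state') == 'scheduled':
            package_updates = {'publish_schedule': None, 'groups': package.get('groups')}
            self.patch(package.get(config.ID_FIELD), package_updates)
        return

    schedule = updates.get('publish_schedule')
    if schedule:
        if datetime.datetime.fromtimestamp(0).date() == schedule.date():
            # The epoch date is the client's way of clearing the schedule.
            updates['publish_schedule'] = None
        else:
            if is_item_in_package(original):
                raise SuperdeskApiError.badRequestError(
                    message='This item is in a package it needs to be removed before the item can be scheduled!')
            package = TakesPackageService().get_take_package(original) or {}
            validate_schedule(schedule, package.get(SEQUENCE, 1))

    if 'unique_name' in updates and not is_admin(user):
        # Fail closed: no user / no ``active_privileges`` counts as
        # unprivileged rather than raising TypeError/KeyError.
        privileges = (user or {}).get('active_privileges') or {}
        if privileges.get('metadata_uniquename', 0) == 0:
            raise SuperdeskApiError.forbiddenError("Unauthorized to modify Unique Name")

    remove_unwanted(updates)
    if self.__is_req_for_save(updates):
        update_state(original, updates)

    lock_user = original.get('lock_user', None)
    # NOTE(review): ``force_unlock`` is taken from the update payload and
    # overrides another user's lock; confirm it is privilege-gated upstream.
    force_unlock = updates.get('force_unlock', False)
    updates.setdefault('original_creator', original.get('original_creator'))
    str_user_id = str(user.get('_id')) if user else None
    if lock_user and str(lock_user) != str_user_id and not force_unlock:
        raise SuperdeskApiError.forbiddenError('The item was locked by another user')

    updates['versioncreated'] = utcnow()
    set_item_expiry(updates, original)
    updates['version_creator'] = str_user_id
    set_sign_off(updates, original=original)
    update_word_count(updates)
    if force_unlock:
        del updates['force_unlock']

    crop_service = ArchiveCropService()
    crop_service.validate_multiple_crops(updates, original)
    crop_service.create_multiple_crops(updates, original)

    if original[ITEM_TYPE] == CONTENT_TYPE.COMPOSITE:
        self.packageService.on_update(updates, original)

    update_version(updates, original)

    # The embargo is validated only after the package service's circular
    # reference check has passed.
    updated = original.copy()
    updated.update(updates)
    self.validate_embargo(updated)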
def on_update(self, updates, original):
    """Hook run before an article is patched; mutates ``updates`` in place.

    Handles, in order: the deschedule shortcut for an already scheduled
    item (its scheduled takes package is descheduled as well, then the hook
    returns), clearing or validating ``publish_schedule``, the
    ``unique_name`` privilege, stripping unwanted fields, state update,
    the lock check (overridable with ``force_unlock``), the version /
    expiry / sign-off / word-count stamps, crop creation, package update,
    version bump and finally embargo validation.

    :param updates: the requested changes (mutated in place)
    :param original: the stored article
    :raises SuperdeskApiError.badRequestError: scheduling an item that is in
        a package
    :raises SuperdeskApiError.forbiddenError: ``unique_name`` change without
        privilege, or the item is locked by another user
    """
    updates[ITEM_OPERATION] = ITEM_UPDATE
    is_update_allowed(original)
    current_user = get_user()

    descheduling = 'publish_schedule' in updates and original['state'] == 'scheduled'
    if descheduling:
        self.deschedule_item(updates, original)
        takes = TakesPackageService().get_take_package(original)
        if takes and takes.get('state') == 'scheduled':
            self.patch(takes.get(config.ID_FIELD), {
                'publish_schedule': None,
                'groups': takes.get('groups'),
            })
        return

    when = updates.get('publish_schedule')
    if when:
        epoch_day = datetime.datetime.fromtimestamp(0).date()
        if when.date() != epoch_day:
            if is_item_in_package(original):
                raise SuperdeskApiError.badRequestError(
                    message='This item is in a package it needs to be removed before the item can be scheduled!')
            takes = TakesPackageService().get_take_package(original) or {}
            validate_schedule(when, takes.get(SEQUENCE, 1))
        else:
            # Epoch date means "clear the schedule".
            updates['publish_schedule'] = None

    if 'unique_name' in updates and not is_admin(current_user) \
            and current_user['active_privileges'].get('metadata_uniquename', 0) == 0:
        raise SuperdeskApiError.forbiddenError("Unauthorized to modify Unique Name")

    remove_unwanted(updates)
    if self.__is_req_for_save(updates):
        update_state(original, updates)

    locked_by = original.get('lock_user', None)
    override_lock = updates.get('force_unlock', False)
    updates.setdefault('original_creator', original.get('original_creator'))
    requester_id = str(current_user.get('_id')) if current_user else None
    if locked_by and not override_lock and str(locked_by) != requester_id:
        raise SuperdeskApiError.forbiddenError('The item was locked by another user')

    updates['versioncreated'] = utcnow()
    set_item_expiry(updates, original)
    updates['version_creator'] = requester_id
    set_sign_off(updates, original=original)
    update_word_count(updates)
    if override_lock:
        del updates['force_unlock']

    crops = ArchiveCropService()
    crops.validate_multiple_crops(updates, original)
    crops.create_multiple_crops(updates, original)
    if original[ITEM_TYPE] == CONTENT_TYPE.COMPOSITE:
        self.packageService.on_update(updates, original)
    update_version(updates, original)

    # Embargo is checked last, after the package service's circular
    # reference check has passed.
    merged = original.copy()
    merged.update(updates)
    self.validate_embargo(merged)