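    def update_account(self, pk):
        """Apply a JSON payload of field updates to the account ``pk``.

        Authorization as actually enforced here: the requester must be a
        superuser AND must be editing an account other than their own.
        The error message suggests self-service edits were intended
        (``not (is_superuser or same user)``); see the note below before
        widening the check.

        The payload comes from the ``user`` request parameter, or the raw
        request body when that parameter is absent, and is forwarded to
        ``hydroshare.update_account`` as keyword arguments.

        Raises:
            PermissionDenied: the authorization test above fails.
            ValidationError: the payload is not a JSON object.
        """
        user = get_user(pk)
        originator = get_user(self.request)

        # NOTE(review): this condition rejects every non-superuser and every
        # self-edit, which contradicts the message.  It is deliberately NOT
        # relaxed here: the payload below is passed through unfiltered, so
        # opening self-edits would let a user submit any field update_account
        # accepts (privilege flags included).  Whitelist fields first, then
        # change this to `if not (originator.is_superuser or originator.pk == user.pk):`.
        if not originator.is_superuser or originator.pk == user.pk:
            raise exceptions.PermissionDenied("user must be superuser to change an account other than their own")

        raw_payload = self.request.REQUEST.get('user', self.request.body)
        try:
            kwargs = json.loads(raw_payload)
        except ValueError:
            raise exceptions.ValidationError('invalid request')
        # ``**kwargs`` requires a mapping; a JSON list/scalar used to surface
        # as a TypeError (HTTP 500) from the call below.
        if not isinstance(kwargs, dict):
            raise exceptions.ValidationError('invalid request')

        hydroshare.update_account(user, **kwargs)
        return HttpResponse(pk, content_type='text/plain')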
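    def update_account(self, pk):
        """Apply a JSON payload of field updates to the account ``pk``.

        Authorization as actually enforced: the requester must be a
        superuser AND must be editing somebody else's account.  The error
        text implies self-service edits were meant; see the note below
        before widening the check.

        The payload is read from the ``user`` request parameter, falling
        back to the raw body, and forwarded to ``hydroshare.update_account``
        as keyword arguments.

        Raises:
            PermissionDenied: the authorization test fails.
            ValidationError: the payload is not a JSON object.
        """
        user = get_user(pk)
        originator = get_user(self.request)

        # NOTE(review): rejects all non-superusers and all self-edits, which
        # contradicts the message.  Left as-is on purpose: kwargs below are
        # passed through unfiltered, so allowing self-edits would let a user
        # set any field update_account accepts (privilege flags included).
        # Whitelist fields first, then use
        # `if not (originator.is_superuser or originator.pk == user.pk):`.
        if not originator.is_superuser or originator.pk == user.pk:
            raise exceptions.PermissionDenied(
                "user must be superuser to change an account other than their own"
            )

        raw_payload = self.request.REQUEST.get('user', self.request.body)
        try:
            kwargs = json.loads(raw_payload)
        except ValueError:
            raise exceptions.ValidationError('invalid request')
        # ``**kwargs`` needs a mapping; anything else used to become a
        # TypeError (HTTP 500) at the call below.
        if not isinstance(kwargs, dict):
            raise exceptions.ValidationError('invalid request')

        hydroshare.update_account(user, **kwargs)
        return HttpResponse(pk, content_type='text/plain')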
    def create_group(self):
        """Create a group from the submitted form; the requester becomes an owner.

        The form's ``owners`` field (possibly empty) is turned into a set and
        the authenticated requester is added to it before the call to
        ``hydroshare.create_group``.  The response body is the group name.

        Raises:
            PermissionDenied: the requester is not authenticated.
            ValidationError: the form does not validate.
        """
        creator = get_user(self.request)
        if not get_user(self.request).is_authenticated():
            raise exceptions.PermissionDenied("user must be authenticated to create a group.")

        form = CreateOrListGroups.CreateGroupForm(self.request.REQUEST)
        if not form.is_valid():
            raise exceptions.ValidationError('invalid request')

        fields = form.cleaned_data
        # Requested owners may be empty/None; the creator is always an owner.
        owners = set(fields['owners']) if fields['owners'] else set()
        owners.add(creator)
        fields['owners'] = owners

        group = hydroshare.create_group(**fields)
        return HttpResponse(group.name, content_type='text/plain')
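    def create_account(self):
        """Create a user account from the submitted form.

        A superuser creates an active account.  Any other caller is admitted
        only when ``settings.DEBUG`` is on or the Referer header mentions
        ``hydroshare.org``, and the account is created inactive.  The Referer
        is client-supplied, so that second path is effectively open
        self-registration (the original ``fixme`` says as much) and must not
        be mistaken for an authorization check.

        Raises:
            PermissionDenied: non-superuser outside the self-registration path.
            ValidationError: the form does not validate.
        """
        originator_is_superuser = get_user(self.request).is_superuser
        if originator_is_superuser:
            active = True
        else:
            referer = self.request.META.get('HTTP_REFERER', '')
            # fixme insecure vs spoofed header (kept from the original).
            # DEBUG must never be enabled in production for the same reason.
            if settings.DEBUG or "hydroshare.org" in referer:
                active = False
            else:
                raise exceptions.PermissionDenied(
                    "user must be superuser to create an account")

        params = utils.create_form(CreateOrListAccounts.CreateAccountForm,
                                   self.request)
        # Previously an invalid form fell off the end and returned None.
        if not params.is_valid():
            raise exceptions.ValidationError(params.errors)

        r = params.cleaned_data
        # The ``superuser`` flag is client-supplied form data.  Before this
        # change a caller on the Referer/DEBUG path could request
        # superuser=True; only a real superuser may mint another one.
        # NOTE(review): ``groups`` is likewise client-chosen on that path --
        # confirm create_account (not visible here) does not trust it blindly.
        superuser = r['superuser'] if originator_is_superuser else False
        ret = hydroshare.create_account(email=r['email'],
                                        username=r['username'],
                                        first_name=r['first_name'],
                                        last_name=r['last_name'],
                                        superuser=superuser,
                                        password=r['password'],
                                        groups=r['groups'],
                                        active=active)

        return HttpResponse(ret, content_type='text/plain')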
def authorize(request,
              res_id,
              edit=False,
              view=False,
              full=False,
              superuser=False,
              raises_exception=True):
    """Check whether the requesting user holds ANY of the requested rights.

    Each flag selects a right to test: ``edit`` (user listed in
    ``edit_users``), ``view`` (user listed in ``view_users``, or the resource
    is public), ``full`` (user listed in ``owners``) and ``superuser``
    (``user.is_superuser``).  The outcome is the OR over the selected flags.

    Returns:
        ``(res, authorized, user)``.

    Raises:
        PermissionDenied: ``raises_exception`` is set and no selected right
            holds.  Whatever ``get_resource_by_shortkey`` raises for an
            unknown ``res_id`` propagates unchanged.
    """
    user = get_user(request)
    res = hydroshare.utils.get_resource_by_shortkey(res_id)

    def listed_in(relation):
        # True when the requesting user appears in the given user relation.
        return relation.filter(pk=user.pk).exists()

    # All three membership queries run regardless of which flags are set,
    # exactly as before.
    can_edit = listed_in(res.edit_users)
    can_view = listed_in(res.view_users)
    is_owner = listed_in(res.owners)

    granted = any((
        edit and can_edit,
        view and (can_view or res.public),
        full and is_owner,
        superuser and user.is_superuser,
    ))

    if raises_exception and not granted:
        raise PermissionDenied()
    return res, granted, user
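    def get_resource_list(self):
        """Return the short ids of matching resources the requester may view.

        The validated query is forwarded to ``hydroshare.get_resource_list``
        after JSON-decoding ``dc`` (default ``{}``).  A resource is listed
        when it is public, names the requester in ``view_users``, or shares
        a group with the requester via ``view_groups``.

        Raises:
            ValidationError: the form does not validate or ``dc`` is not
                valid JSON.
        """
        params = utils.create_form(GetResourceList.GetResourceListForm,
                                   self.request)
        if not params.is_valid():
            raise exceptions.ValidationError('invalid request')

        query = params.cleaned_data
        try:
            query['dc'] = json.loads(query['dc']) if query['dc'] else {}
        except ValueError:
            # Malformed client JSON used to surface as an HTTP 500.
            raise exceptions.ValidationError('invalid request')

        originator = get_user(self.request)
        # Hoisted: the original rebuilt this list for every resource checked.
        group_pks = [g.pk for g in originator.groups.all()]

        def viewable(res):
            # ``.exists()`` on the groups query replaces QuerySet truthiness,
            # which fetched every matching row just to test emptiness.
            return (res.public
                    or res.view_users.filter(pk=originator.pk).exists()
                    or res.view_groups.filter(pk__in=group_pks).exists())

        ret = []
        for resources in hydroshare.get_resource_list(**query):
            ret.extend(res.short_id for res in resources if viewable(res))

        return json_or_jsonp(self.request, ret)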
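    def create_resource(self):
        """Create a resource owned by the requesting user from the form.

        Validated form fields are passed explicitly to
        ``hydroshare.create_resource``; uploaded files go in as ``files``;
        every request parameter not covered by the form is forwarded as an
        extra keyword argument (see the note below).

        Raises:
            PermissionDenied: the requester is not logged in.
            ValidationError: the form does not validate, or
                ``dublin_metadata`` is not valid JSON.
        """
        if not get_user(self.request).is_authenticated():
            # The stray ``print`` of request.user (debug leftover that wrote
            # to stdout on every rejected call) is gone.
            raise exceptions.PermissionDenied('user must be logged in.')

        params = utils.create_form(ResourceCRUD.CreateResourceForm,
                                   self.request)
        if not params.is_valid():
            raise exceptions.ValidationError(params.errors)

        r = params.cleaned_data
        try:
            dublin_metadata = (json.loads(r['dublin_metadata'])
                               if r['dublin_metadata'] else {})
        except ValueError:
            # Malformed client JSON used to surface as an HTTP 500.
            raise exceptions.ValidationError('invalid request')

        # NOTE(review): mass assignment -- any request parameter the form
        # does not know is handed straight to create_resource.  If that
        # helper applies unknown keys to the model (not visible here), a
        # client can set fields the form never exposes; an explicit
        # allow-list would be safer.
        extra = {k: v for k, v in self.request.REQUEST.items() if k not in r}

        res = hydroshare.create_resource(
            resource_type=r['resource_type'],
            owner=self.request.user,
            title=r['title'],
            edit_users=r['edit_users'],
            view_users=r['view_users'],
            edit_groups=r['edit_groups'],
            view_groups=r['view_groups'],
            keywords=r['keywords'],
            dublin_metadata=dublin_metadata,
            files=self.request.FILES.values(),
            **extra)
        return HttpResponse(res.short_id, content_type='text/plain')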
def authorize(request, res_id, edit=False, view=False, full=False, superuser=False, raises_exception=True):
    """Check whether the requesting user holds ANY of the requested rights.

    Each flag selects a right to test: ``edit`` (user listed in
    ``edit_users``), ``view`` (user listed in ``view_users``, or the resource
    is public), ``full`` (user listed in ``owners``) and ``superuser``
    (``user.is_superuser``).  The outcome is the OR over the selected flags.

    Returns:
        ``(res, authorized, user)``.

    Raises:
        NotFound: no resource has the short key ``res_id``.
        PermissionDenied: ``raises_exception`` is set and no selected right
            holds.
    """
    user = get_user(request)
    try:
        res = hydroshare.utils.get_resource_by_shortkey(res_id, or_404=False)
    except ObjectDoesNotExist:
        raise NotFound(detail="No resource was found for resource id:%s" % res_id)

    def listed_in(relation):
        # True when the requesting user appears in the given user relation.
        return relation.filter(pk=user.pk).exists()

    # All three membership queries run regardless of which flags are set,
    # exactly as before.
    can_edit = listed_in(res.edit_users)
    can_view = listed_in(res.view_users)
    is_owner = listed_in(res.owners)

    granted = any((
        edit and can_edit,
        view and (can_view or res.public),
        full and is_owner,
        superuser and user.is_superuser,
    ))

    if raises_exception and not granted:
        raise PermissionDenied()
    return res, granted, user
    def set_group_owner(self, g, u):
        """Make ``u`` an owner of the group identified by ``g``.

        Only a current owner of the group (a ``GroupOwnership`` row linking
        the group and the requester) may do this.  ``g`` is resolved via
        ``group_from_id``; ``u`` is handed to ``hydroshare.set_group_owner``
        exactly as received.

        Raises:
            PermissionDenied: the requester does not own the group.
        """
        requester = get_user(self.request)
        group = group_from_id(g)

        owns_group = GroupOwnership.objects.filter(
            group=group, user=requester).exists()
        if not owns_group:
            raise exceptions.PermissionDenied("user must be a group owner to change group ownership.")

        hydroshare.set_group_owner(group, u)
        return HttpResponse(group.name, content_type='text/plain')
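    def create_group(self):
        """Create a group from the submitted form; the requester becomes an owner.

        The form's ``owners`` field (possibly empty) is converted to a set,
        the authenticated requester is added, and ``hydroshare.create_group``
        is called with the cleaned data.  Responds 201 with the group name.

        Raises:
            PermissionDenied: the requester is not authenticated.
            ValidationError: the form does not validate.
        """
        creator = get_user(self.request)
        # Reuse the user looked up above instead of resolving it twice.
        if not creator.is_authenticated():
            raise exceptions.PermissionDenied(
                "user must be authenticated to create a group.")

        params = utils.create_form(CreateOrListGroups.CreateGroupForm,
                                   self.request)
        if not params.is_valid():
            raise exceptions.ValidationError('invalid request')

        fields = params.cleaned_data
        owners = set(fields['owners']) if fields['owners'] else set()
        owners.add(creator)
        fields['owners'] = owners

        group = hydroshare.create_group(**fields)
        # HttpResponse expects an integer status code, not the string '201'.
        return HttpResponse(group.name,
                            content_type='text/plain',
                            status=201)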
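    def set_group_owner(self, g, u):
        """Make ``u`` an owner of the group identified by ``g``.

        Only a current owner of the group (a ``GroupOwnership`` row linking
        the group and the requester) may do this.  ``g`` is resolved via
        ``group_from_id``; ``u`` is handed to ``hydroshare.set_group_owner``
        exactly as received.  Responds 204 No Content.

        Raises:
            PermissionDenied: the requester does not own the group.
        """
        requester = get_user(self.request)
        group = group_from_id(g)

        owns_group = GroupOwnership.objects.filter(group=group,
                                                   user=requester).exists()
        if not owns_group:
            raise exceptions.PermissionDenied(
                "user must be a group owner to change group ownership.")

        hydroshare.set_group_owner(group, u)
        # A 204 response must not carry a body (the original sent the group
        # name with it), and the status code is an int, not the string '204'.
        return HttpResponse(status=204)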
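    def create_account(self):
        """Create a user account from the submitted form (superusers only).

        Because only a superuser reaches the form, the client-supplied
        ``superuser`` and ``groups`` fields are trusted here.

        Raises:
            PermissionDenied: the requester is not a superuser.
            ValidationError: the form does not validate.
        """
        if not get_user(self.request).is_superuser:
            raise exceptions.PermissionDenied("user must be superuser to create an account")

        params = CreateOrListAccounts.CreateAccountForm(self.request.REQUEST)
        # Previously an invalid form fell off the end and returned None.
        if not params.is_valid():
            raise exceptions.ValidationError(params.errors)

        r = params.cleaned_data
        ret = hydroshare.create_account(
            email=r['email'],
            username=r['username'],
            first_name=r['first_name'],
            last_name=r['last_name'],
            superuser=r['superuser'],
            groups=r['groups']
        )

        return HttpResponse(ret, content_type='text/plain')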
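    def get_resource_list(self):
        """Return the short ids of matching resources the requester may view.

        ``dc`` is JSON-decoded (default ``{}``) and the query handed to
        ``hydroshare.get_resource_list``; each candidate is then screened
        with ``authorize(..., view=True)``.

        Raises:
            ValidationError: the form does not validate or ``dc`` is not
                valid JSON.
        """
        params = ResourceCRUD.GetResourceListForm(self.request.REQUEST)
        if not params.is_valid():
            raise exceptions.ValidationError('invalid request')

        query = params.cleaned_data
        try:
            query['dc'] = json.loads(query['dc']) if query['dc'] else {}
        except ValueError:
            # Malformed client JSON used to surface as an HTTP 500.
            raise exceptions.ValidationError('invalid request')

        def viewable(res):
            # authorize() returns the tuple (res, authorized, user), which is
            # always truthy, and raises PermissionDenied by default.  Used
            # directly as the predicate (as the original did) the first
            # non-viewable resource aborted the whole listing, and nothing
            # would ever have been filtered otherwise.  Ask for the boolean.
            _, authorized, _ = authorize(self.request, res.short_id,
                                         view=True, raises_exception=False)
            return authorized

        ret = []
        for resources in hydroshare.get_resource_list(**query):
            ret.extend(res.short_id for res in resources if viewable(res))

        return json_or_jsonp(self.request, ret)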
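    def create_resource(self):
        """Create a resource from the submitted form.

        Validated form fields are passed explicitly to
        ``hydroshare.create_resource``; uploaded files go in as ``files``;
        every request parameter not covered by the form is forwarded as an
        extra keyword argument (see the note below).

        Raises:
            PermissionDenied: the requester is not logged in.
            ValidationError: the form does not validate, or
                ``dublin_metadata`` is not valid JSON.
        """
        if not get_user(self.request).is_authenticated():
            raise exceptions.PermissionDenied('user must be logged in.')

        params = ResourceCRUD.CreateResourceForm(self.request.REQUEST)
        if not params.is_valid():
            raise exceptions.ValidationError('invalid request')

        r = params.cleaned_data
        try:
            dublin_metadata = (json.loads(r['dublin_metadata'])
                               if r['dublin_metadata'] else {})
        except ValueError:
            # Malformed client JSON used to surface as an HTTP 500.
            raise exceptions.ValidationError('invalid request')

        # NOTE(review): mass assignment -- any request parameter the form
        # does not know is handed straight to create_resource.  If that
        # helper applies unknown keys to the model (not visible here), a
        # client can set fields the form never exposes; an explicit
        # allow-list would be safer.
        extra = {k: v for k, v in self.request.REQUEST.items() if k not in r}

        res = hydroshare.create_resource(
            resource_type=r['resource_type'],
            edit_users=r['edit_users'],
            view_users=r['view_users'],
            edit_groups=r['edit_groups'],
            view_groups=r['view_groups'],
            keywords=r['keywords'],
            dublin_metadata=dublin_metadata,
            files=self.request.FILES.values(),
            **extra
        )
        return HttpResponse(res.short_id, content_type='text/plain')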
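    def get_resource_list(self):
        """Return the short ids of matching resources the requester may view.

        The validated query is forwarded to ``hydroshare.get_resource_list``
        after JSON-decoding ``dc`` (default ``{}``).  A resource is listed
        when it is public, names the requester in ``view_users``, or shares
        a group with the requester via ``view_groups``.

        Raises:
            ValidationError: the form does not validate or ``dc`` is not
                valid JSON.
        """
        params = GetResourceList.GetResourceListForm(self.request.REQUEST)
        if not params.is_valid():
            raise exceptions.ValidationError('invalid request')

        query = params.cleaned_data
        try:
            query['dc'] = json.loads(query['dc']) if query['dc'] else {}
        except ValueError:
            # Malformed client JSON used to surface as an HTTP 500.
            raise exceptions.ValidationError('invalid request')

        originator = get_user(self.request)
        # Hoisted: the original rebuilt this list for every resource checked.
        group_pks = [g.pk for g in originator.groups.all()]

        def viewable(res):
            # ``.exists()`` on the groups query replaces QuerySet truthiness,
            # which fetched every matching row just to test emptiness.
            return (res.public
                    or res.view_users.filter(pk=originator.pk).exists()
                    or res.view_groups.filter(pk__in=group_pks).exists())

        ret = []
        for resources in hydroshare.get_resource_list(**query):
            ret.extend(res.short_id for res in resources if viewable(res))

        return json_or_jsonp(self.request, ret)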
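    def get_resource_list(self):
        """Return the short ids of matching resources the requester may view.

        ``dc`` is JSON-decoded (default ``{}``) and the query handed to
        ``hydroshare.get_resource_list``; each candidate is then screened
        with ``authorize(..., view=True)``.

        Raises:
            ValidationError: the form does not validate or ``dc`` is not
                valid JSON.
        """
        params = utils.create_form(ResourceCRUD.GetResourceListForm,
                                   self.request)
        if not params.is_valid():
            raise exceptions.ValidationError(params.errors)

        query = params.cleaned_data
        try:
            query['dc'] = json.loads(query['dc']) if query['dc'] else {}
        except ValueError:
            # Malformed client JSON used to surface as an HTTP 500.
            raise exceptions.ValidationError('invalid request')

        def viewable(res):
            # authorize() returns the tuple (res, authorized, user), which is
            # always truthy, and raises PermissionDenied by default.  Used
            # directly as the predicate (as the original did) the first
            # non-viewable resource aborted the whole listing, and nothing
            # would ever have been filtered otherwise.  Ask for the boolean.
            _, authorized, _ = authorize(self.request, res.short_id,
                                         view=True, raises_exception=False)
            return authorized

        ret = []
        for resources in hydroshare.get_resource_list(**query):
            ret.extend(res.short_id for res in resources if viewable(res))

        return json_or_jsonp(self.request, ret)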
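    def create_account(self):
        """Create a user account from the submitted form.

        A superuser creates an active account.  Any other caller is admitted
        only when ``settings.DEBUG`` is on or the Referer header mentions
        ``hydroshare.org``, and the account is created inactive.  The Referer
        is client-supplied, so that path is effectively open
        self-registration (the original ``fixme`` says as much) and is not an
        authorization check.

        Raises:
            PermissionDenied: non-superuser outside the self-registration path.
            ValidationError: the form does not validate.
        """
        originator_is_superuser = get_user(self.request).is_superuser
        if originator_is_superuser:
            active = True
        else:
            referer = self.request.META.get('HTTP_REFERER', '')
            # fixme insecure vs spoofed header (kept from the original).
            # DEBUG must never be enabled in production for the same reason.
            if settings.DEBUG or "hydroshare.org" in referer:
                active = False
            else:
                raise exceptions.PermissionDenied("user must be superuser to create an account")

        params = utils.create_form(CreateOrListAccounts.CreateAccountForm, self.request)
        # Previously an invalid form fell off the end and returned None.
        if not params.is_valid():
            raise exceptions.ValidationError(params.errors)

        r = params.cleaned_data
        # ``superuser`` is client-supplied form data.  Before this change a
        # caller on the Referer/DEBUG path could request superuser=True;
        # only a real superuser may mint another one.
        # NOTE(review): ``groups`` is likewise client-chosen on that path --
        # confirm create_account (not visible here) does not trust it blindly.
        superuser = r['superuser'] if originator_is_superuser else False
        ret = hydroshare.create_account(
            email=r['email'],
            username=r['username'],
            first_name=r['first_name'],
            last_name=r['last_name'],
            superuser=superuser,
            password=r['password'],
            groups=r['groups'],
            active=active
        )

        return HttpResponse(ret, content_type='text/plain')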