    def check_permissions(self):
        """Verify the current user may perform this request on the loaded view.

        Asks the view for the permissions the user holds on what it has loaded
        and for the permissions the request needs, caches the former on
        ``self.current_user`` and raises when the requirement is not fully met.

        Raises:
            exceptions.Unauthorized: requirement unmet and nobody is signed in
                (``current_user.uid`` is None).
            exceptions.Forbidden: requirement unmet for a signed-in user; the
                exception carries the required permission set.
        """
        view = self._view
        granted = view.get_permissions(self.current_user, view.loaded)
        needed = view.get_required_permissions(self.request)

        # Later handlers read the computed set from the user object.
        self.current_user.permissions = granted

        # Every required bit has to be present in the granted set.
        if (needed & granted) == needed:
            return

        # Distinguish "not signed in" (401) from "signed in but lacking" (403).
        if self.current_user.uid is None:
            raise exceptions.Unauthorized()
        raise exceptions.Forbidden(needed)
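    def create(self, payload, user):
        """Create a document in the collection from a client ``payload``.

        Args:
            payload: request body as a mapping. ``attributes`` is required;
                ``id`` is optional (a fresh ObjectId is generated otherwise);
                ``meta`` may only be supplied by an ADMIN user.
            user: the requesting user. ``user.uid`` becomes the creator unless
                the collection's ``user`` plugin marks new documents as owned
                by themselves, or an ADMIN supplies ``meta['created-by']``.

        Returns:
            Whatever ``self._collection.create`` returns.

        Raises:
            exceptions.Forbidden: ``meta`` was supplied by a non-ADMIN user.
            exceptions.MalformedData: ``attributes`` is missing, or ``meta``
                is not a mapping.
        """
        raw_id = payload.get('id')
        doc_id = self.validate_id(str(bson.ObjectId()) if raw_id is None else raw_id)
        creator = user.uid

        # The user plugin can make every new document its own owner.
        if 'user' in self._collection.plugins and self._collection.plugin('user').created_is_owner:
            creator = 'jam-{}:{}-{}'.format(self._namespace.ref, self._collection.ref, doc_id)

        if 'meta' in payload:
            # Authorise before reading ``meta`` so a non-admin gets the same
            # 403 regardless of what they sent.
            if (user.permissions & Permissions.ADMIN) != Permissions.ADMIN:
                raise exceptions.Forbidden('ADMIN permission is required to alter metadata')
            meta = payload['meta']
            if not isinstance(meta, dict):
                raise exceptions.MalformedData()
            creator = meta.get('created-by', user.uid)

        # Keep the try narrow: a KeyError raised inside the storage layer must
        # not be reported to the client as malformed input.
        try:
            attributes = payload['attributes']
        except KeyError:
            raise exceptions.MalformedData() from None
        return self._collection.create(doc_id, attributes, creator)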
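    def create(self, payload, user):
        """Create a document in the collection from a client ``payload``.

        Args:
            payload: request body as a mapping. ``attributes`` is required;
                ``id`` is optional (a fresh ObjectId is generated otherwise);
                ``meta`` may only be supplied by an ADMIN user.
            user: the requesting user. ``user.uid`` becomes the creator unless
                an ADMIN supplies ``meta['created-by']``.

        Returns:
            Whatever ``self._collection.create`` returns.

        Raises:
            exceptions.Forbidden: ``meta`` was supplied by a non-ADMIN user.
            exceptions.MalformedData: ``attributes`` is missing, or ``meta``
                is not a mapping.
        """
        raw_id = payload.get('id')
        doc_id = self.validate_id(
            str(bson.ObjectId()) if raw_id is None else raw_id)
        creator = user.uid

        if 'meta' in payload:
            # Authorise before reading ``meta`` so a non-admin gets the same
            # 403 regardless of what they sent.
            if (user.permissions & Permissions.ADMIN) != Permissions.ADMIN:
                raise exceptions.Forbidden(
                    'ADMIN permission is required to alter metadata')
            meta = payload['meta']
            if not isinstance(meta, dict):
                raise exceptions.MalformedData()
            creator = meta.get('created-by', user.uid)

        # Keep the try narrow: a KeyError raised inside the storage layer must
        # not be reported to the client as malformed input.
        try:
            attributes = payload['attributes']
        except KeyError:
            raise exceptions.MalformedData() from None
        return self._collection.create(doc_id, attributes, creator)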
    def prepare(self):
        """Resolve the view for this request and enforce its permissions.

        Walks the view lineage, loading one resource per ``<name>_id`` path
        argument, picks the view (or relationship view) for the request and
        checks the user's permissions against it. A NotFound raised while
        loading is deliberately held back and re-raised only after the
        permission check passes, so a caller without access receives 401/403
        and cannot use 404-vs-403 to probe whether a resource exists.

        Raises:
            exceptions.Unauthorized: permissions insufficient and no user is
                signed in (``current_user.uid`` is None).
            exceptions.Forbidden: permissions insufficient for a signed-in user.
            exceptions.NotFound: a resource in the lineage could not be loaded
                (raised after the permission check).
        """
        super().prepare()
        if self.request.method == 'OPTIONS':
            return  # Don't do anything for OPTIONS requests

        loaded = []
        try:
            for view in self._view_class.lineage():
                key = view.name + '_id'
                # A missing path segment ends the walk; earlier resources stay loaded.
                if self.path_kwargs[key] is None:
                    break
                loaded.append(view.load(self.path_kwargs[key], *loaded))
        except exceptions.NotFound as e:
            err = e
            # Load as many resources as are available to do a permissions check
            # A 404 will be thrown if the user has the required permissions
            # ``view`` is the loop variable left bound to the class whose
            # load() raised; assumes NotFound never comes from lineage() itself,
            # which would leave ``view`` unbound — TODO confirm.
            self._view = view(*loaded)
        else:
            err = None
            self._view = self._view_class(*loaded)

            # If this is a relationship swap out the current view with the relation
            if 'relationship' in self.path_kwargs:
                relationship = self._serializer.relations[self.path_kwargs['relationship']]
                self._view = relationship.view(*loaded)
                self._serializer = relationship.serializer()

        # Permissions are computed over whatever was loaded, even after a NotFound.
        permissions = Permissions.get_permissions(self.current_user, *loaded)
        required_permissions = self._view.get_permissions(self.request)

        # For use later on
        self.current_user.permissions = permissions

        # Check permissions
        if (required_permissions & permissions) != required_permissions:
            if self.current_user.uid is None:
                raise exceptions.Unauthorized()
            raise exceptions.Forbidden(required_permissions)

        # Not found is always raised AFTER permissions checks
        if err:
            raise err

        if self.request.method in ('GET', 'DELETE'):
            return  # GET and DELETE bodies are ignored

        self.payload  # Force payload to load and validate