def check_permissions(self):
    """Verify the current user holds every permission the loaded view requires.

    The user's effective permissions are read from ``self._view`` and stored
    on ``self.current_user.permissions`` for later handlers, then compared
    bit-for-bit against the mask the view requires for this request.

    Raises:
        exceptions.Unauthorized: an anonymous caller (``uid`` is None) lacks
            a required permission.
        exceptions.Forbidden: an authenticated caller lacks a required
            permission; carries the full required mask.
    """
    granted = self._view.get_permissions(self.current_user, self._view.loaded)
    needed = self._view.get_required_permissions(self.request)
    # Stash the computed mask so later code need not recompute it
    self.current_user.permissions = granted
    # Every bit of the required mask must also be present in the granted mask
    if (needed & granted) == needed:
        return
    if self.current_user.uid is None:
        raise exceptions.Unauthorized()
    raise exceptions.Forbidden(needed)
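def create(self, payload, user):
    """Create a resource in this collection from a request *payload* on behalf of *user*.

    Args:
        payload: the decoded request body. ``id`` is optional (one is minted
            when absent), ``attributes`` is required, and ``meta`` is optional
            and admin-only.
        user: the requesting user; ``uid`` and ``permissions`` are read.

    Returns:
        Whatever ``self._collection.create`` returns for the new resource.

    Raises:
        exceptions.Forbidden: ``meta`` is present but *user* lacks ADMIN.
        exceptions.MalformedData: ``payload`` has no ``attributes`` key.
    """
    # A client-supplied id is honoured after validation; otherwise mint one
    resource_id = self.validate_id(
        str(bson.ObjectId()) if payload.get('id') is None else payload['id'])
    creator = user.uid
    # With the user plugin in created_is_owner mode the creator is recorded as a
    # reference to the new record itself (jam-<namespace>:<collection>-<id>),
    # presumably so the record owns itself.
    if 'user' in self._collection.plugins and self._collection.plugin('user').created_is_owner:
        creator = 'jam-{}:{}-{}'.format(self._namespace.ref, self._collection.ref, resource_id)
    if 'meta' in payload:
        # Metadata can override the creator, so only ADMIN may supply it
        if (user.permissions & Permissions.ADMIN) != Permissions.ADMIN:
            raise exceptions.Forbidden('ADMIN permission is required to alter metadata')
        # An admin-supplied created-by takes precedence over the plugin default above
        creator = payload['meta'].get('created-by', user.uid)
    try:
        return self._collection.create(resource_id, payload['attributes'], creator)
    except KeyError as exc:
        # NOTE(review): a KeyError raised inside _collection.create is also
        # reported as MalformedData here; confirm that is intended before
        # narrowing the try to the payload lookup alone.
        raise exceptions.MalformedData() from exc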
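def create(self, payload, user):
    """Create a resource in this collection from a request *payload* on behalf of *user*.

    Args:
        payload: the decoded request body. ``id`` is optional (one is minted
            when absent), ``attributes`` is required, and ``meta`` is optional
            and admin-only.
        user: the requesting user; ``uid`` and ``permissions`` are read.

    Returns:
        Whatever ``self._collection.create`` returns for the new resource.

    Raises:
        exceptions.Forbidden: ``meta`` is present but *user* lacks ADMIN.
        exceptions.MalformedData: ``payload`` has no ``attributes`` key.
    """
    # A client-supplied id is honoured after validation; otherwise mint one
    resource_id = self.validate_id(
        str(bson.ObjectId()) if payload.get('id') is None else payload['id'])
    creator = user.uid
    if 'meta' in payload:
        # Metadata can override the creator, so only ADMIN may supply it
        if (user.permissions & Permissions.ADMIN) != Permissions.ADMIN:
            raise exceptions.Forbidden('ADMIN permission is required to alter metadata')
        creator = payload['meta'].get('created-by', user.uid)
    try:
        return self._collection.create(resource_id, payload['attributes'], creator)
    except KeyError as exc:
        # NOTE(review): a KeyError raised inside _collection.create is also
        # reported as MalformedData here; confirm that is intended before
        # narrowing the try to the payload lookup alone.
        raise exceptions.MalformedData() from exc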
def prepare(self) -> None:
    """Resolve the requested resource chain and enforce permissions before the handler runs.

    Walks the view lineage loading each ancestor resource named in
    ``path_kwargs``, builds the view (swapping in the relation's view and
    serializer on relationship routes), computes the user's permissions
    against the loaded chain and compares them with what the view requires
    for this request.

    Raises:
        exceptions.Unauthorized: an anonymous caller (``uid`` is None) lacks a
            required permission.
        exceptions.Forbidden: an authenticated caller lacks a required
            permission; carries the full required mask.
        exceptions.NotFound: a resource in the chain failed to load. It is
            re-raised only after the permission check, so the 404/403
            distinction cannot be used to probe for resources the caller may
            not access.
    """
    super().prepare()
    if self.request.method == 'OPTIONS':
        return  # Don't do anything for OPTIONS requests
    loaded = []
    try:
        # Each loader receives the ancestors loaded so far; presumably lookups
        # are scoped to those parents.
        for view in self._view_class.lineage():
            key = view.name + '_id'
            # NOTE(review): assumes the router supplies every lineage key in
            # path_kwargs (None when the URL omits it) — confirm; a missing key
            # raises KeyError here instead of ending the walk.
            if self.path_kwargs[key] is None:
                break
            loaded.append(view.load(self.path_kwargs[key], *loaded))
    except exceptions.NotFound as e:
        err = e
        # Load as many resources as are available to do a permissions check
        # A 404 will be thrown if the user has the required permissions
        # `view` is the lineage entry whose load failed; build it from the
        # parents that did load so the permission check below still runs.
        self._view = view(*loaded)
    else:
        err = None
        self._view = self._view_class(*loaded)
    # If this is a relationship swap out the current view with the relation
    if 'relationship' in self.path_kwargs:
        # NOTE(review): an unknown relationship name (or a None value, unlike
        # the None check used for the lineage keys above) raises KeyError here,
        # i.e. an unhandled error rather than a NotFound — confirm the route
        # pattern constrains this segment, or map the KeyError explicitly.
        relationship = self._serializer.relations[self.path_kwargs['relationship']]
        self._view = relationship.view(*loaded)
        self._serializer = relationship.serializer()
    permissions = Permissions.get_permissions(self.current_user, *loaded)
    required_permissions = self._view.get_permissions(self.request)
    # For use later on
    self.current_user.permissions = permissions
    # Check permissions: every bit of the required mask must be granted.
    if (required_permissions & permissions) != required_permissions:
        # Unauthenticated callers (uid is None) get Unauthorized; everyone
        # else gets Forbidden carrying the required mask.
        if self.current_user.uid is None:
            raise exceptions.Unauthorized()
        raise exceptions.Forbidden(required_permissions)
    # Not found is always raised AFTER permissions checks
    # (keeps a caller without access from learning whether the resource exists).
    if err:
        raise err
    if self.request.method in ('GET', 'DELETE'):
        return  # GET and DELETE bodies are ignored
    self.payload  # Force payload to load and validate