def filter_queryset(self, request, queryset, view):
    """
    Limit the project queryset according to who is asking.

    Anonymous users only ever see projects flagged ``shared``. For an
    authenticated user, when the URL names a project and that project is
    shared, the queryset is narrowed to that one project; in every other
    case the decision is delegated to the parent filter.

    Raises Http404 when the URL names a project that is not in
    ``queryset``. A non-integer project id is rejected by
    ``int_or_parse_error``.
    """
    requester = request.user
    pk_value = view.kwargs.get(view.lookup_field)

    # Unauthenticated callers are limited to shared (public) projects.
    if requester.is_anonymous:
        return queryset.filter(Q(shared=True))

    if pk_value:
        # The id comes straight from the URL; validate it before it is
        # used in a lookup.
        # NOTE(review): the message template carries a '%s' placeholder;
        # if the helper interpolates the raw value into the error body,
        # confirm it is escaped before reaching the response.
        int_or_parse_error(
            pk_value,
            u"Invalid value for project_id '%s' must be a"
            " positive integer.")
        try:
            project = queryset.get(id=pk_value)
        except ObjectDoesNotExist:
            raise Http404
        else:
            # A shared project is returned without consulting object
            # permissions.
            if project.shared:
                return queryset.filter(Q(id=pk_value))

    parent_filter = super(AnonUserProjectFilter, self)
    return parent_filter.filter_queryset(request, queryset, view)
def filter_queryset(self, request, queryset, view):
    """
    Filter projects for the requesting user.

    * Anonymous user: only projects with ``shared=True``.
    * Authenticated user asking for one project that is shared: only
      that project.
    * Anything else: whatever the parent filter returns.

    Raises Http404 if the project named in the URL cannot be found in
    ``queryset``; ``int_or_parse_error`` rejects a non-integer id.
    """
    current_user = request.user
    requested_id = view.kwargs.get(view.lookup_field)

    if current_user.is_anonymous:
        # Public listing only: never expose unshared projects here.
        return queryset.filter(Q(shared=True))

    if requested_id:
        # Untrusted URL value: must parse as an integer before lookup.
        # NOTE(review): the template has a '%s' slot; verify the helper
        # does not reflect the raw value unescaped in the error message.
        int_or_parse_error(
            requested_id,
            u"Invalid value for project_id '%s' must be a"
            " positive integer.")
        try:
            found = queryset.get(id=requested_id)
        except ObjectDoesNotExist:
            raise Http404
        # Shared projects short-circuit the object-permission check.
        if found.shared:
            return queryset.filter(Q(id=requested_id))

    return super(AnonUserProjectFilter, self).filter_queryset(
        request, queryset, view)
def filter_queryset(self, request, queryset, view):
    """
    Filter forms, skipping object-permission checks where they do not apply.

    Soft-deleted forms (``deleted_at`` set) are always excluded. Anonymous
    users receive the remaining queryset unchanged. For an authenticated
    user requesting a single form that is ``shared``, only that form is
    returned; otherwise the parent filter decides.

    Raises Http404 when the requested form is not in the queryset.
    """
    # The form id is read from the view's lookup kwarg, falling back to
    # 'xform_pk'.
    form_id = view.kwargs.get(view.lookup_field,
                              view.kwargs.get('xform_pk'))
    live_forms = queryset.filter(deleted_at=None)

    # NOTE(review): no `shared` restriction is applied for anonymous users
    # in this method; presumably access is gated elsewhere - confirm.
    if request.user.is_anonymous:
        return live_forms

    if form_id:
        # Only primary-key lookups are validated as integers.
        # NOTE(review): the template has a '%s' slot; verify the helper
        # does not reflect the raw value unescaped in the error message.
        if view.lookup_field == 'pk':
            int_or_parse_error(form_id, u'Invalid form ID: %s')

        lookup = {view.lookup_field: form_id}
        try:
            form = live_forms.get(**lookup)
        except ObjectDoesNotExist:
            raise Http404
        # A shared form is returned without consulting object permissions.
        if form.shared:
            return live_forms.filter(Q(**lookup))

    return super(AnonDjangoObjectPermissionFilter, self).filter_queryset(
        request, live_forms, view)
def filter_queryset(self, request, queryset, view):
    """
    Narrow ``queryset`` to one submission when ``?instance=`` is supplied.

    Without the parameter the queryset is returned untouched. A
    non-integer value is rejected by ``int_or_parse_error`` and an unknown
    id results in a 404 from ``get_object_or_404``.
    """
    raw_instance = request.query_params.get('instance')
    if not raw_instance:
        return queryset

    # Query-string value is untrusted: validate before the pk lookup.
    # NOTE(review): no permission check on the instance is visible in this
    # method; presumably enforced by another filter or permission class.
    int_or_parse_error(raw_instance, u"Invalid value for instance %s.")
    target = get_object_or_404(Instance, pk=raw_instance)
    return queryset.filter(instance=target)
def filter_queryset(self, request, queryset, view):
    """
    Apply the optional ``instance`` query parameter as a filter.

    Returns ``queryset`` unchanged when the parameter is absent or empty;
    otherwise returns only rows tied to the referenced Instance. The id
    must pass ``int_or_parse_error`` and must exist (404 otherwise).
    """
    wanted = request.query_params.get('instance')
    if wanted:
        # Validate the untrusted id first so a malformed value never
        # reaches the database lookup.
        # NOTE(review): this method does not itself check that the caller
        # may see the instance - confirm that happens elsewhere.
        int_or_parse_error(wanted, u"Invalid value for instance %s.")
        queryset = queryset.filter(
            instance=get_object_or_404(Instance, pk=wanted))
    return queryset
def filter_queryset(self, request, queryset, view):
    """
    Filter by form (via ``instance__xform``) and, optionally, by instance.

    The queryset is first passed through ``_xform_filter_queryset`` with
    the ``instance__xform`` keyword. If ``?instance=`` is present it must
    be an integer and reference an existing Instance (404 otherwise); the
    result is then narrowed to that instance.
    """
    scoped = self._xform_filter_queryset(
        request, queryset, view, 'instance__xform')

    raw_instance = request.query_params.get('instance')
    if not raw_instance:
        return scoped

    # Untrusted query-string value: reject anything that is not an integer
    # before using it as a primary key.
    int_or_parse_error(
        raw_instance,
        u"Invalid value for instance_id. It must be"
        " a positive integer.")
    target = get_object_or_404(Instance, pk=raw_instance)
    return scoped.filter(instance=target)
def _project_filter(self, request, view, keyword):
    """
    Build a ``<keyword>__in`` filter of projects the request may access.

    When ``?project=`` is given, the candidate set is that single project
    (validated as an integer, 404 if missing); otherwise it is every
    project. The candidates are then passed through the parent class's
    ``filter_queryset`` and returned as ``{"<keyword>__in": projects}``.
    """
    raw_project = request.query_params.get("project")
    if not raw_project:
        candidates = Project.objects.all()
    else:
        # Untrusted query-string value: validate before the pk lookup.
        # NOTE(review): the template has a '%s' slot; verify the helper
        # does not reflect the raw value unescaped in the error message.
        int_or_parse_error(raw_project, u"Invalid value for projectid %s.")
        found = get_object_or_404(Project, pk=raw_project)
        candidates = Project.objects.filter(pk=found.id)

    # The parent filter is what narrows the candidates for this request.
    permitted = super(ProjectPermissionFilterMixin, self).filter_queryset(
        request, candidates, view)
    return {"%s__in" % keyword: permitted}
def _project_filter(self, request, view, keyword):
    """
    Return filter kwargs restricting ``keyword`` to permitted projects.

    The optional ``project`` query parameter selects a single project; it
    must be an integer and must exist (404 otherwise). With no parameter,
    all projects are candidates. The parent class's ``filter_queryset``
    is applied to the candidates before they are returned under the key
    ``"<keyword>__in"``.
    """
    requested = request.query_params.get("project")

    if requested:
        # Validate the untrusted id, then resolve it; the queryset is
        # rebuilt from the resolved object's id.
        # NOTE(review): if the helper interpolates the value into the
        # '%s' slot of the message, confirm it is escaped.
        int_or_parse_error(requested, u"Invalid value for projectid %s.")
        resolved = get_object_or_404(Project, pk=requested)
        base_qs = Project.objects.filter(pk=resolved.id)
    else:
        base_qs = Project.objects.all()

    parent = super(ProjectPermissionFilterMixin, self)
    return {"%s__in" % keyword: parent.filter_queryset(request, base_qs, view)}
def _xform_filter(self, request, view, keyword):
    """
    Build a ``<keyword>__in`` filter of forms using XForm permissions.

    ``?xform=`` (optional) selects a single form; it must be an integer
    and must exist (404 otherwise). Soft-deleted forms are excluded.
    Anonymous users are limited to forms with ``shared_data=True``;
    other users get whatever the parent ``filter_queryset`` allows.
    """
    raw_form = request.query_params.get('xform')
    if not raw_form:
        candidates = XForm.objects.all()
    else:
        # Untrusted query-string value: validate before the pk lookup.
        # NOTE(review): if the helper interpolates the value into the
        # '%s' slot of the message, confirm it is escaped.
        int_or_parse_error(raw_form, u"Invalid value for formid %s.")
        form = get_object_or_404(XForm, pk=raw_form)
        candidates = XForm.objects.filter(pk=form.pk)

    candidates = candidates.filter(deleted_at=None)

    # NOTE(review): `is_anonymous` is invoked as a method here, while it
    # is read as an attribute in other filters - confirm which form the
    # targeted Django version expects.
    if request.user.is_anonymous():
        permitted = candidates.filter(shared_data=True)
    else:
        permitted = super(XFormPermissionFilterMixin, self).filter_queryset(
            request, candidates, view)
    return {"%s__in" % keyword: permitted}
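def _instance_filter(self, request, view, keyword):
    """
    Build filter kwargs for objects attached to a single submission.

    Reads ``instance``, ``project`` and ``xform`` from the query string.
    When all three are present, each is validated as an integer and
    resolved (404 if missing). If the instance belongs to the form and the
    form belongs to the project, the project is run through the parent
    ``filter_queryset`` and the result is::

        {"content_type": <Instance content type>,
         "<keyword>__in": [instance.id] or []}

    Returns ``{}`` when the instance/form/project do not line up, and only
    the ``content_type`` entry when any of the three parameters is absent.
    """
    instance_kwarg = {
        "content_type": ContentType.objects.get_for_model(Instance),
    }
    instance_id = request.query_params.get("instance")
    project_id = request.query_params.get("project")
    xform_id = request.query_params.get('xform')

    if not (instance_id and project_id and xform_id):
        # NOTE(review): only the content-type constraint is returned here;
        # confirm callers apply permission filtering for this case.
        return instance_kwarg

    # All three ids are untrusted and feed primary-key lookups, so each is
    # validated. xform_id is included so a malformed value is rejected the
    # same way as in _xform_filter instead of reaching the lookup.
    # The message text names "instanceid" for every parameter.
    for object_id in [instance_id, project_id, xform_id]:
        int_or_parse_error(
            object_id, u"Invalid value for instanceid. It must be"
            " a positive integer.")

    instance = get_object_or_404(Instance, pk=instance_id)
    xform = get_object_or_404(XForm, pk=xform_id)
    # exists() answers the membership question without loading rows.
    belongs_to_form = xform.instances.filter(id=instance.id).exists()

    project = get_object_or_404(Project, pk=project_id)
    project_qs = Project.objects.filter(pk=project.id)

    if not (belongs_to_form and xform.project == project):
        # NOTE(review): an empty dict applies no constraint if unpacked
        # into .filter(); confirm callers treat it as "no match".
        return {}

    # Test whether the user has permissions on the project.
    projects = super(InstancePermissionFilterMixin, self).filter_queryset(
        request, project_qs, view)
    instance_kwarg["%s__in" % keyword] = [instance.id] if projects else []
    return instance_kwarg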
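def _instance_filter(self, request, view, keyword):
    """
    Return filter kwargs scoping results to one permitted submission.

    The ``instance``, ``project`` and ``xform`` query parameters must all
    be supplied for any instance-level filtering to happen. Each is
    checked with ``int_or_parse_error`` and resolved with
    ``get_object_or_404``. The instance id is included in the result only
    if the instance belongs to the form, the form belongs to the project,
    and the parent ``filter_queryset`` returns the project for this
    request.

    Returns:
        dict: ``{}`` when instance, form and project are inconsistent;
        ``{"content_type": ...}`` when a parameter is missing; otherwise
        that dict plus ``"<keyword>__in"`` holding ``[instance.id]`` or
        ``[]``.
    """
    instance_kwarg = {
        "content_type": ContentType.objects.get_for_model(Instance),
    }
    instance_id = request.query_params.get("instance")
    project_id = request.query_params.get("project")
    xform_id = request.query_params.get('xform')

    if not (instance_id and project_id and xform_id):
        # NOTE(review): with a parameter missing, the result carries no
        # instance restriction; confirm this is safe for every caller.
        return instance_kwarg

    # Validate every untrusted id before it is used as a primary key.
    # xform_id is included so that a malformed value is rejected here,
    # consistent with _xform_filter, rather than at the lookup.
    # NOTE(review): if the helper interpolates the value into the '%s'
    # slot of the message, confirm it is escaped.
    for object_id in [instance_id, project_id, xform_id]:
        int_or_parse_error(object_id, u"Invalid value for instanceid %s.")

    instance = get_object_or_404(Instance, pk=instance_id)
    xform = get_object_or_404(XForm, pk=xform_id)
    # exists() answers the membership question without loading rows.
    belongs_to_form = xform.instances.filter(id=instance.id).exists()

    project = get_object_or_404(Project, pk=project_id)
    project_qs = Project.objects.filter(pk=project.id)

    if not (belongs_to_form and xform.project == project):
        # NOTE(review): an empty dict applies no constraint if unpacked
        # into .filter(); confirm callers treat it as "no match".
        return {}

    # Test whether the user has permissions on the project.
    projects = super(
        InstancePermissionFilterMixin, self).filter_queryset(
            request, project_qs, view)
    instance_kwarg["%s__in" % keyword] = [instance.id] if projects else []
    return instance_kwarg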
def _xform_filter(self, request, view, keyword):
    """
    Build a ``<keyword>__in`` filter of forms using XForm permissions.

    ``?xform=`` (optional) must be an integer and reference an existing
    form (404 otherwise); the resolved form is stored on ``self.xform``.
    Anonymous users get non-deleted forms with ``shared_data=True``.
    Other users get the parent filter's result over non-deleted forms,
    unioned with the requested form when it has ``shared_data=True``.
    """
    raw_form = request.query_params.get('xform')
    shared_requested = XForm.objects.none()

    if not raw_form:
        candidates = XForm.objects.all()
    else:
        # Untrusted query-string value: validate before the pk lookup.
        # NOTE(review): if the helper interpolates the value into the
        # '%s' slot of the message, confirm it is escaped.
        int_or_parse_error(raw_form, u"Invalid value for formid %s.")
        self.xform = get_object_or_404(XForm, pk=raw_form)
        candidates = XForm.objects.filter(pk=self.xform.pk)
        # NOTE(review): this queryset is not filtered on deleted_at, so a
        # soft-deleted form with shared_data=True would still be unioned
        # in for authenticated users below - confirm that is intended.
        shared_requested = XForm.objects.filter(
            pk=self.xform.pk, shared_data=True)

    candidates = candidates.filter(deleted_at=None)

    if request.user.is_anonymous:
        permitted = candidates.filter(shared_data=True)
    else:
        by_permission = super(
            XFormPermissionFilterMixin, self).filter_queryset(
                request, candidates, view)
        permitted = by_permission | shared_requested
    return {"%s__in" % keyword: permitted}
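def filter_queryset(self, request, queryset, view):
    """
    Filter forms, skipping object-permission checks where they do not apply.

    Soft-deleted forms are always excluded. Anonymous users receive the
    remaining queryset unchanged. For an authenticated user requesting a
    single form (by ``pk``, ``uuid`` or another lookup field) that is
    ``shared``, only that form is returned; otherwise the parent filter
    decides.

    Raises:
        Http404: the requested form is not in the queryset, or the
            ``uuid`` in the URL is not a well-formed UUID.
    """
    form_id = view.kwargs.get(view.lookup_field,
                              view.kwargs.get('xform_pk'))
    lookup_field = view.lookup_field
    queryset = queryset.filter(deleted_at=None)

    # NOTE(review): no `shared` restriction is applied for anonymous users
    # in this method; presumably access is gated elsewhere - confirm.
    if request.user.is_anonymous:
        return queryset

    if form_id:
        if lookup_field == 'pk':
            int_or_parse_error(
                form_id, u'Invalid form ID. It must be a positive'
                ' integer')

        if lookup_field == 'uuid':
            # UUID() raises ValueError on malformed input. The value is
            # taken from the URL, so treat a bad one as "no such form"
            # instead of letting the exception escape as a server error.
            try:
                form_uuid = UUID(form_id)
            except ValueError:
                raise Http404
            # Match both the 32-char hex and the hyphenated spelling.
            match = Q(uuid=form_uuid.hex) | Q(uuid=str(form_uuid))
        else:
            match = Q(**{lookup_field: form_id})

        try:
            form = queryset.get(match)
        except ObjectDoesNotExist:
            raise Http404

        # A shared (public) form is returned without consulting object
        # permissions.
        if form.shared:
            return queryset.filter(match)

    return super(AnonDjangoObjectPermissionFilter, self)\
        .filter_queryset(request, queryset, view)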
def filter_queryset(self, request, queryset, view):
    """
    Filter forms for the requesting user.

    Forms with ``deleted_at`` set are dropped first. Anonymous users then
    get the queryset as is. Authenticated users asking for one form that
    is ``shared`` get just that form; all other cases go to the parent
    filter.

    Raises Http404 when the form named in the URL is not in the queryset.
    """
    requested = view.kwargs.get(view.lookup_field)
    active = queryset.filter(deleted_at=None)

    # NOTE(review): anonymous callers are not limited to shared forms
    # here; presumably another layer enforces that - confirm.
    if request.user.is_anonymous:
        return active

    if requested:
        # Integer validation applies to primary-key lookups only.
        # NOTE(review): if the helper interpolates the value into the
        # '%s' slot of the message, confirm it is escaped.
        if view.lookup_field == 'pk':
            int_or_parse_error(requested, u'Invalid form ID: %s')

        criteria = {view.lookup_field: requested}
        try:
            form = active.get(**criteria)
        except ObjectDoesNotExist:
            raise Http404
        else:
            # Shared forms bypass the object-permission check.
            if form.shared:
                return active.filter(Q(**criteria))

    parent_filter = super(AnonDjangoObjectPermissionFilter, self)
    return parent_filter.filter_queryset(request, active, view)
def test_int_or_parse_error_with_valid_value(self):
    """A numeric string is accepted and the helper returns None."""
    outcome = int_or_parse_error("100", u"Invalid value for formid")
    self.assertIsNone(outcome)
def test_int_or_parse_error_with_html_str(self):
    """HTML markup in place of an integer raises ParseError."""
    markup = "<p>thisishtml<p>"
    with self.assertRaises(ParseError) as caught:
        int_or_parse_error(markup, u"Invalid value for formid")
    # The message is pinned to the template text alone, so the submitted
    # markup must not appear in it.
    self.assertEqual(caught.exception.args[0], 'Invalid value for formid')
def test_int_or_parse_error_with_url(self):
    """A URL in place of an integer raises ParseError."""
    submitted = "http://api.ona.iovrocndwm.detectify.io"
    with self.assertRaises(ParseError) as caught:
        int_or_parse_error(submitted, u"Invalid value for formid")
    # The message is pinned to the template text alone, so the submitted
    # URL must not appear in it.
    self.assertEqual(caught.exception.args[0], 'Invalid value for formid')