def has_manage_permissions(self):
    """
    Returns True if the requesting user may both see and manage assignments.
    """
    user = self.request.user
    # Managing requires the "see" permission as well; the "and" short-circuits
    # so the manage check is skipped for users who may not even see assignments.
    return has_perm(user, "assignments.can_see") and has_perm(
        user, "assignments.can_manage"
    )
def destroy(self, request, *args, **kwargs):
    """
    Deletes the object. Users without "chat.can_manage" may only delete
    objects whose user_id is their own; everybody else is denied.
    """
    user = self.request.user
    is_manager = has_perm(user, "chat.can_manage")
    # get_object() is only consulted for non-managers, as in the ownership rule.
    if not is_manager and self.get_object().user_id != user.id:
        self.permission_denied(request)
    disable_history()
    return super().destroy(request, *args, **kwargs)
def check_permission(self, request, *args, **kwargs):
    """
    Checks if the user has the required permission.

    A view with no required_permission (None) is open to every user.
    """
    # "is None" evaluates to True for an unrestricted view, otherwise the
    # right side decides.
    return self.required_permission is None or has_perm(
        request.user, self.required_permission
    )
def check_view_permissions(self):
    """
    Just allow list, retrieve and update.

    Every other action is rejected without consulting the permissions.
    """
    allowed_actions = ('list', 'retrieve', 'update')
    return self.action in allowed_actions and has_perm(
        self.request.user, 'openslides_protocol.can_write_protocol'
    )
def check_permissions(self, user):
    """
    Returns True if the user may manage voting or is listed as delegate in
    at least one MotionPollBallot. Missing and anonymous users are rejected.
    """
    if user is None or isinstance(user, AnonymousUser):
        return False
    if has_perm(user, 'openslides_voting.can_manage'):
        return True
    # The user can see this, if he is listed there.
    from .models import MotionPollBallot
    own_ballots = MotionPollBallot.objects.filter(delegate__pk=user.id)
    return own_ballots.exists()
def check_view_permissions(self):
    """
    Returns True if the user has required permissions.

    Reading (list, retrieve) is open; every other action needs
    'openslides_voting.can_manage'.
    """
    if self.action in ('list', 'retrieve'):
        return True
    return has_perm(self.request.user, 'openslides_voting.can_manage')
def check_view_permissions(self):
    """
    Returns True if the user has required permissions.

    Only the writing actions are handled here; they need both the "see" and
    the "manage" permission for mediafiles. Any other action is rejected.
    """
    writing_actions = (
        "create",
        "partial_update",
        "update",
        "move",
        "destroy",
        "bulk_delete",
    )
    if self.action not in writing_actions:
        return False
    user = self.request.user
    return has_perm(user, "mediafiles.can_see") and has_perm(
        user, "mediafiles.can_manage"
    )
def check_view_permissions(self):
    """
    Returns True if the user has required permissions.

    Reading is open to everybody, other actions need "chat.can_manage".
    In both cases access additionally depends on the ENABLE_CHAT flag.
    """
    read_only = self.action in ("list", "retrieve")
    if read_only:
        allowed = True
    else:
        allowed = has_perm(self.request.user, "chat.can_manage")
    # ENABLE_CHAT is evaluated last so a disabled chat rejects everybody.
    return allowed and ENABLE_CHAT
def get_restricted_data(self, full_data, user):
    """
    Restricts full_data for the given user.

    Non-CollectionElement users get nothing, managers get everything, and any
    other user only the first item whose delegate_id equals the user's id.
    """
    if not isinstance(user, CollectionElement):
        return []
    if has_perm(user, 'openslides_voting.can_manage'):
        return full_data
    # Lazily scan for the first matching item; stop as soon as one is found.
    own_items = ([item] for item in full_data if item['delegate_id'] == user.id)
    return next(own_items, [])
def check_view_permissions(self):
    """
    Just allow list, creation and generation. Do not allow updates and deletes.

    check_token is restricted to holders of 'openslides_voting.can_see_token_voting'.
    """
    action = self.action
    if action in ('list', 'retrieve', 'create', 'generate'):
        access_permissions = self.get_access_permissions()
        return access_permissions.check_permissions(self.request.user)
    if action != 'check_token':
        return False
    # To prevent guessing and brute forcing valid tokens, just the voting machines are
    # allowed to check tokens
    return has_perm(self.request.user, 'openslides_voting.can_see_token_voting')
def check_view_permissions(self):
    """
    Returns True if the user has required permissions.

    list/retrieve defer to the access permissions, metadata is public, the
    writing and candidature actions need "assignments.can_see" plus one
    action-specific permission, everything else is rejected.
    """
    action = self.action
    if action in ("list", "retrieve"):
        return self.get_access_permissions().check_permissions(self.request.user)
    if action == "metadata":
        # Everybody is allowed to see the metadata.
        return True
    # Second permission required on top of "assignments.can_see".
    extra_permission = {
        "create": "assignments.can_manage",
        "partial_update": "assignments.can_manage",
        "update": "assignments.can_manage",
        "destroy": "assignments.can_manage",
        "sort_related_users": "assignments.can_manage",
        "candidature_self": "assignments.can_nominate_self",
        "candidature_other": "assignments.can_nominate_other",
    }
    if action not in extra_permission:
        return False
    user = self.request.user
    return has_perm(user, "assignments.can_see") and has_perm(
        user, extra_permission[action]
    )
def check_view_permissions(self):
    """
    Returns True if the user has required permissions.

    The writing and candidature actions need "assignments.can_see" plus one
    action-specific permission; every other action is rejected.
    """
    # Second permission required on top of "assignments.can_see".
    extra_permission = {
        "create": "assignments.can_manage",
        "partial_update": "assignments.can_manage",
        "update": "assignments.can_manage",
        "destroy": "assignments.can_manage",
        "sort_related_users": "assignments.can_manage",
        "candidature_self": "assignments.can_nominate_self",
        "candidature_other": "assignments.can_nominate_other",
    }
    action = self.action
    if action not in extra_permission:
        return False
    user = self.request.user
    return has_perm(user, "assignments.can_see") and has_perm(
        user, extra_permission[action]
    )
def check_view_permissions(self):
    """
    Just allow list, creation and generation. Do not allow updates and deletes.

    check_token is restricted to holders of 'openslides_voting.can_see_token_voting'.
    """
    action = self.action
    if action in ('list', 'retrieve', 'create', 'generate'):
        access_permissions = self.get_access_permissions()
        return access_permissions.check_permissions(self.request.user)
    if action != 'check_token':
        return False
    # To prevent guessing and brute forcing valid tokens, just the voting machines are
    # allowed to check tokens
    return has_perm(self.request.user, 'openslides_voting.can_see_token_voting')
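def get_mediafile(request, path):
    """
    Returns the mediafile for the requested path and checks whether the user
    may retrieve it. If not, None is returned.

    A user must have access permissions for every folder on the path and for
    the file itself. A special file (logo or font) or a file currently placed
    on a projector is always returned.

    Raises Mediafile.DoesNotExist if the path is empty or any element of it
    cannot be found.
    """
    if not path:
        raise Mediafile.DoesNotExist()

    parts = path.split("/")
    last_index = len(parts) - 1
    parent = None
    can_see = has_perm(request.user, "mediafiles.can_see")
    for i, part in enumerate(parts):
        is_directory = i < last_index
        # Directories are matched by title, the final element by its original filename.
        lookup = {"parent": parent, "is_directory": is_directory}
        if is_directory:
            lookup["title"] = part
        else:
            lookup["original_filename"] = part
        # A .get would be sufficient, but sometimes someone has uploaded a file twice due to complicated
        # transaction management of two databases during create. So instead of returning a 500er (since
        # .get returned multiple objects) we deliver the first file.
        mediafile = Mediafile.objects.filter(**lookup).first()
        if mediafile is None:
            raise Mediafile.DoesNotExist()
        # Once any element of the path restricts access to groups the user is
        # not in, the file stays hidden no matter what later elements allow.
        if mediafile.access_groups.exists() and not in_some_groups(
            request.user.id, [group.id for group in mediafile.access_groups.all()]
        ):
            can_see = False
        parent = mediafile

    # Check, if this file is projected. any() stops at the first projector
    # element that references this mediafile.
    is_projected = any(
        element.get("name") == "mediafiles/mediafile"
        and element.get("id") == mediafile.id
        for projector in Projector.objects.all()
        for element in projector.elements
    )
    if not can_see and not mediafile.is_special_file and not is_projected:
        mediafile = None
    return mediafile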
def withdraw_self(self, request, assignment):
    """
    Withdraws the candidature of the requesting user from the assignment.

    Raises ValidationError if the assignment is finished or the user is no
    candidate. During the voting phase only managers may withdraw; others
    are rejected via permission_denied.
    """
    user = request.user
    if assignment.phase == assignment.PHASE_FINISHED:
        raise ValidationError({
            "detail": "You can not withdraw your candidature to this election because it is finished."
        })
    # To withdraw self during voting you have to be a manager.
    voting_running = assignment.phase == assignment.PHASE_VOTING
    if voting_running and not has_perm(user, "assignments.can_manage"):
        self.permission_denied(request)
    if not assignment.is_candidate(user):
        raise ValidationError(
            {"detail": "You are not a candidate of this election."})
    assignment.remove_candidate(user)
    return "You have withdrawn your candidature successfully."
def nominate_self(self, request, assignment):
    """
    Adds the requesting user as candidate of the assignment.

    Raises ValidationError if the assignment is finished. During the voting
    phase only managers may nominate themselves; others are rejected via
    permission_denied.
    """
    user = request.user
    if assignment.phase == assignment.PHASE_FINISHED:
        raise ValidationError({
            "detail": "You can not candidate to this election because it is finished."
        })
    # To nominate self during voting you have to be a manager.
    voting_running = assignment.phase == assignment.PHASE_VOTING
    if voting_running and not has_perm(user, "assignments.can_manage"):
        self.permission_denied(request)
    # If the request.user is already a candidate he can nominate himself nevertheless.
    assignment.add_candidate(user)
    # Send new candidate via autoupdate because users without permission
    # to see users may not have it but can get it now.
    inform_changed_data([user])
    return "You were nominated successfully."
def get(self, request, *args, **kwargs):
    """
    Returns all speakers as a CSV attachment (list_of_speakers.csv).

    Requires 'agenda.can_manage'; otherwise PermissionDenied is raised.
    """
    if not has_perm(request.user, 'agenda.can_manage'):
        raise PermissionDenied

    def format_time(speaker, field_name):
        # A missing time (e.g. None) has no strftime; the cell is left empty.
        try:
            return getattr(speaker, field_name).strftime('%d.%m.%Y %H:%M:%S')
        except AttributeError:
            return None

    response = HttpResponse()
    response['Content-Disposition'] = 'attachment; filename=list_of_speakers.csv;'
    writer = csv.writer(response)
    writer.writerow(['Item', 'Person', 'Begin Time', 'End Time'])
    speakers = Speaker.objects.all().order_by('item', 'weight', 'begin_time')
    for speaker in speakers:
        writer.writerow([
            str(speaker.item),
            str(speaker.user),
            format_time(speaker, 'begin_time'),
            format_time(speaker, 'end_time'),
        ])
    return response
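def get_mediafile(request, path):
    """
    Returns the mediafile for the requested path and checks whether the user
    may retrieve it. If not, None is returned.

    A user must have access permissions for every folder on the path and for
    the file itself. A special file (logo or font) or a file currently placed
    on a projector is always returned.

    Raises Mediafile.DoesNotExist if the path is empty or any element of it
    cannot be found.
    """
    if not path:
        raise Mediafile.DoesNotExist()

    parts = path.split("/")
    last_index = len(parts) - 1
    parent = None
    can_see = has_perm(request.user, "mediafiles.can_see")
    for i, part in enumerate(parts):
        is_directory = i < last_index
        # Directories are matched by title, the final element by its original filename.
        lookup = {"parent": parent, "is_directory": is_directory}
        if is_directory:
            lookup["title"] = part
        else:
            lookup["original_filename"] = part
        # .filter().first() instead of .get(): a file uploaded twice would make
        # .get() raise MultipleObjectsReturned (a 500); the first match is
        # delivered and a missing element still raises DoesNotExist.
        mediafile = Mediafile.objects.filter(**lookup).first()
        if mediafile is None:
            raise Mediafile.DoesNotExist()
        # Once any element of the path restricts access to groups the user is
        # not in, the file stays hidden no matter what later elements allow.
        if mediafile.access_groups.exists() and not in_some_groups(
            request.user.id, [group.id for group in mediafile.access_groups.all()]
        ):
            can_see = False
        parent = mediafile

    # Check, if this file is projected. any() stops at the first projector
    # element that references this mediafile.
    is_projected = any(
        element.get("name") == "mediafiles/mediafile"
        and element.get("id") == mediafile.id
        for projector in Projector.objects.all()
        for element in projector.elements
    )
    if not can_see and not mediafile.is_special_file and not is_projected:
        mediafile = None
    return mediafile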
def delete_other(self, request, user, assignment):
    """
    Removes another user's candidature from the assignment.

    Only managers may do this (permission_denied otherwise). Raises
    ValidationError if the assignment is finished or the user is no candidate.
    Returns a Response with a translatable detail message and its args.
    """
    # To delete candidature status you have to be a manager.
    if not has_perm(request.user, "assignments.can_manage"):
        self.permission_denied(request)
    if assignment.phase == assignment.PHASE_FINISHED:
        raise ValidationError({
            "detail": "You can not delete someone's candidature to this election because it is finished."
        })
    user_label = str(user)
    if not assignment.is_candidate(user):
        raise ValidationError({
            "detail": "User {0} has no status in this election.",
            "args": [user_label],
        })
    assignment.remove_candidate(user)
    return Response({
        "detail": "Candidate {0} was withdrawn successfully.",
        "args": [user_label]
    })
def get(self, request, *args, **kwargs):
    """
    Returns all speakers as a CSV attachment (list_of_speakers.csv).

    Requires 'agenda.can_manage'; otherwise PermissionDenied is raised.
    """
    if not has_perm(request.user, 'agenda.can_manage'):
        raise PermissionDenied

    def format_time(speaker, field_name):
        # A missing time (e.g. None) has no strftime; the cell is left empty.
        try:
            return getattr(speaker, field_name).strftime('%d.%m.%Y %H:%M:%S')
        except AttributeError:
            return None

    response = HttpResponse()
    response['Content-Disposition'] = 'attachment; filename=list_of_speakers.csv;'
    writer = csv.writer(response)
    writer.writerow(['Item', 'Person', 'Begin Time', 'End Time'])
    speakers = Speaker.objects.all().order_by('item', 'weight', 'begin_time')
    for speaker in speakers:
        writer.writerow([
            str(speaker.item),
            str(speaker.user),
            format_time(speaker, 'begin_time'),
            format_time(speaker, 'end_time'),
        ])
    return response
def nominate_other(self, request, user, assignment):
    """
    Adds another user as candidate of the assignment.

    Raises ValidationError if the assignment is finished or the user already
    is a candidate. During the voting phase only managers may nominate;
    others are rejected via permission_denied. Returns a Response with a
    translatable detail message and its args.
    """
    if assignment.phase == assignment.PHASE_FINISHED:
        raise ValidationError(
            {
                "detail": "You can not nominate someone to this election because it is finished."
            }
        )
    # To nominate another user during voting you have to be a manager.
    voting_running = assignment.phase == assignment.PHASE_VOTING
    if voting_running and not has_perm(request.user, "assignments.can_manage"):
        self.permission_denied(request)
    user_label = str(user)
    if assignment.is_candidate(user):
        raise ValidationError(
            {"detail": "User {0} is already nominated.", "args": [user_label]}
        )
    assignment.add_candidate(user)
    # Send new candidate via autoupdate because users without permission
    # to see users may not have it but can get it now.
    inform_changed_data(user)
    return Response(
        {"detail": "User {0} was nominated successfully.", "args": [user_label]}
    )
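def validate_input_data(self, data, voting_type, user):
    """
    Returns the validated data or raises a ValidationError.

    The correct format is [{<vote>}, {<vote>}, ...], where vote is a dict with
    {
        value: <has to be there, but has to be checked separately>,
        id: <keypad_number, not id!>,
        keypad: <keypad_instance>,
        bl: <keypad_battery_level>,
        token: <token_string>,
        token_instance: <token>,
    }
    id and bl are required if the voting type is votecollector and permitted
    if the type is not votecollector. The keypad is added during the validation.
    The token has to be given, if the voting type is token_based_electronic.
    The token_instance is queried during the validation. Also, the user has
    to have the 'can_see_token_voting' permission.
    Additional fields in the dict are not cleared.
    If the voting type is not votecollector, the length of the list has to be
    one. A single vote dict (not wrapped in a list) is accepted as well.

    data may be str or UTF-8 encoded bytes.
    """
    # Decoding happens inside the try block: UnicodeDecodeError is a
    # ValueError, so invalid bytes yield a ValidationError instead of an
    # unhandled exception.
    try:
        if isinstance(data, bytes):
            data = data.decode('utf-8')
        votes = json.loads(data)
    except ValueError as err:
        raise ValidationError({'detail': 'The content is malformed.'}) from err
    if not isinstance(votes, list):
        votes = [votes]
    is_votecollector = voting_type.startswith('votecollector')
    if not is_votecollector and len(votes) != 1:
        raise ValidationError({'detail': 'Just one vote has to be given'})

    for vote in votes:
        if not isinstance(vote, dict):
            raise ValidationError({'detail': 'All votes have to be a dict'})
        if 'value' not in vote:
            raise ValidationError({'detail': 'A vote value is missing'})

        if is_votecollector:
            # Check, if bl, id and sn is given and valid.
            if not {'bl', 'id', 'sn'}.issubset(vote):
                raise ValidationError({'detail': 'bl, id and sn are necessary for the votecollector'})
            if not isinstance(vote['bl'], int) or not isinstance(vote['id'], int):
                raise ValidationError({'detail': 'bl and id has to be int.'})
            try:
                keypad = Keypad.objects.get(number=vote['id'])
            except Keypad.DoesNotExist:
                # Keypad might have been deleted after voting has started.
                keypad = None
            vote['keypad'] = keypad
        elif voting_type == 'token_based_electronic':
            # Check, if a valid token is given. The permission check comes
            # first so users without it learn nothing about token validity.
            if not has_perm(user, 'openslides_voting.can_see_token_voting'):
                raise ValidationError({'detail': 'The user does not have the permission to vote with tokens.'})
            token = vote.get('token')
            if not isinstance(token, str):
                raise ValidationError({'detail': 'The token has to be a string.'})
            if len(token) > 128:
                raise ValidationError({'detail': 'The token length must be lesser then 128.'})
            try:
                token_instance = VotingToken.objects.get(token=token)
            except VotingToken.DoesNotExist as err:
                raise ValidationError({'detail': 'The voting token is not valid.'}) from err
            vote['token_instance'] = token_instance
    return votes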
def check_view_permissions(self):
    """
    Returns True if the requesting user may manage the VoteCollector.
    """
    required = 'openslides_votecollector.can_manage'
    return has_perm(self.request.user, required)
def check_permissions(self, user):
    """
    Returns True if the user has VoteCollector access, i.e. holds
    'openslides_votecollector.can_manage'.
    """
    required = 'openslides_votecollector.can_manage'
    return has_perm(user, required)
def check_perm(user):
    """
    Returns True if user holds perm. Otherwise returns False, or raises
    PermissionDenied when raise_exception is set (both names come from the
    enclosing scope).
    """
    allowed = bool(has_perm(user, perm))
    if not allowed and raise_exception:
        raise PermissionDenied
    return allowed
def check_permissions(self, user):
    """
    Returns True if the user may manage voting.
    """
    required = 'openslides_voting.can_manage'
    return has_perm(user, required)
def check_permissions(self, user):
    """
    Returns True if the user has read access for motions or assignments.
    """
    can_see_motions = has_perm(user, 'motions.can_see')
    if can_see_motions:
        return can_see_motions
    # Only consulted when the motions permission is missing.
    return has_perm(user, 'assignments.can_see')
def check_view_permissions(self):
    """
    Returns True if the requesting user may write the protocol.
    """
    required = 'openslides_protocol.can_write_protocol'
    return has_perm(self.request.user, required)
def check_permissions(self, user):
    """
    Returns True if the user has read access for motions or assignments.
    """
    can_see_motions = has_perm(user, 'motions.can_see')
    if can_see_motions:
        return can_see_motions
    # Only consulted when the motions permission is missing.
    return has_perm(user, 'assignments.can_see')
def check_permissions(self, user):
    """
    Returns True if the user may write the protocol.
    """
    required = 'openslides_protocol.can_write_protocol'
    return has_perm(user, required)
def check_view_permissions(self):
    """
    Returns True if the requesting user may see assignments.
    """
    required = "assignments.can_see"
    return has_perm(self.request.user, required)