def needs_tougher_password(user):
    """Tell whether *user* must meet the stricter password rules.

    Accounts whose login source is one of ``amo.LOGIN_SOURCE_BROWSERIDS``
    are exempt (their password is not managed here). Everyone else needs the
    tougher password when they hold any of the privileged ACL actions listed
    below.
    """
    if user.source in amo.LOGIN_SOURCE_BROWSERIDS:
        return False
    # Local import, presumably to avoid an import cycle with ``access``.
    from access import acl
    privileged = (
        ('Admin', '%'),
        ('Addons', 'Edit'),
        ('Addons', 'Review'),
        ('Apps', 'Review'),
        ('Users', 'Edit'),
    )
    # Short-circuits exactly like the original ``or`` chain.
    return any(acl.action_allowed_user(user, app, action)
               for app, action in privileged)
def clean_password(self, field='password'):
    """Validate the password submitted in ``cleaned_data[field]``.

    An empty value is handed back untouched (whether the field is required
    is presumably decided by the form field itself). When the form is bound
    to an already-saved user who holds the ``Editors`` or ``Admin`` ACL, the
    password must additionally match ``admin_re``. Every non-empty password
    is then checked against ``BlacklistedPassword``.

    :param field: the ``cleaned_data`` key to validate.
    :returns: the password value unchanged.
    :raises forms.ValidationError: if a privileged user's password does not
        match ``admin_re``, or if the password is blocklisted.
    """
    password = self.cleaned_data[field]
    if not password:
        return password

    # The stricter rule only applies when editing an existing privileged user.
    privileged = False
    if hasattr(self, 'instance') and self.instance.pk:
        privileged = (action_allowed_user(self.instance, 'Editors', '%') or
                      action_allowed_user(self.instance, 'Admin', '%'))
    if privileged and not admin_re.search(password):
        raise forms.ValidationError(_('Letters and numbers required.'))

    # The blocklist applies to everyone.
    if BlacklistedPassword.blocked(password):
        raise forms.ValidationError(_('That password is not allowed.'))
    return password
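def check_acls(user, obj, acl_type):
    """Check whether *user* passes the ACL named *acl_type* for *obj*.

    :param user: the UserProfile being authorised.
    :param obj: an object with an ``addon`` attribute, or one whose
        ``thread`` carries the addon (that fallback is taken on
        ``AttributeError``).
    :param acl_type: one of ``moz_contact`` (the user's email is among the
        addon's Mozilla contacts), ``admin`` (``Admin:%``), ``reviewer``
        (``Apps:Review``) or ``senior_reviewer`` (``Apps:ReviewEscalated``).
    :returns: ``True`` if the user passes the check, ``False`` otherwise.
    :raises Exception: for any other *acl_type*. An unknown lookup fails
        closed by raising instead of quietly returning ``False``.
    """
    if acl_type == 'moz_contact':
        try:
            return user.email in obj.addon.get_mozilla_contacts()
        except AttributeError:
            # obj presumably has no ``addon`` of its own; go via its thread.
            # NOTE(review): this also swallows an AttributeError raised from
            # inside get_mozilla_contacts() itself -- confirm that is intended.
            return user.email in obj.thread.addon.get_mozilla_contacts()
    if acl_type == 'admin':
        return acl.action_allowed_user(user, 'Admin', '%')
    if acl_type == 'reviewer':
        return acl.action_allowed_user(user, 'Apps', 'Review')
    if acl_type == 'senior_reviewer':
        return acl.action_allowed_user(user, 'Apps', 'ReviewEscalated')
    # Every recognised acl_type returned above; the trailing ``return False``
    # of the original was unreachable and has been dropped.
    raise Exception('Invalid ACL lookup.')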
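def create_receipt(webapp, user, uuid, flavour=None, contrib=None):
    """Build and sign a receipt for use in payments.

    :param webapp: the app record.
    :param user: the UserProfile record.
    :param uuid: a uuid placed in the receipt's ``user`` field for this
        purchase.
    :param flavour: ``None`` (plain purchase), ``'developer'``, ``'inapp'``
        or ``'reviewer'``.
    :param contrib: the Contribution object for the purchase; required for
        ``'inapp'`` receipts.
    :returns: the signed receipt as returned by ``sign``.
    :raises ValueError: on an unknown flavour; on a missing or unlinked
        contribution for in-app receipts; or when a developer/reviewer
        receipt is requested for a user who is neither an ``Apps:Review``
        holder nor an author of the app.
    """
    # A real check instead of ``assert``: assertions vanish under
    # ``python -O`` and an unvalidated flavour would land in the receipt's
    # ``typ`` field.
    if flavour not in (None, 'developer', 'inapp', 'reviewer'):
        raise ValueError('Invalid flavour: %s' % flavour)

    time_ = calendar.timegm(time.gmtime())
    typ = 'purchase-receipt'
    storedata = {'id': int(webapp.pk)}

    # Unflavo(u)red receipts are plain ol' vanilla app purchases: full
    # expiry and the central verification service.
    expiry = time_ + settings.WEBAPPS_RECEIPT_EXPIRY_SECONDS
    verify = static_url('WEBAPPS_RECEIPT_URL')

    if flavour == 'inapp':
        if not contrib:
            raise ValueError(
                'a contribution object is required for in-app receipts')
        if not contrib.inapp_product:
            raise ValueError(
                'contribution {c} does not link to an in-app product'
                .format(c=contrib))
        # NOTE(review): nothing here ties ``contrib`` to ``webapp`` or
        # ``user``; confirm the caller guarantees that pairing.
        storedata['contrib'] = int(contrib.pk)
    elif flavour in ('developer', 'reviewer'):
        # Only reviewers and the app's own authors may get these receipts.
        if not (acl.action_allowed_user(user, 'Apps', 'Review') or
                webapp.has_author(user)):
            raise ValueError('User %s is not a reviewer or developer' % user.pk)
        # Developer and reviewer receipts are short-lived: 24 hours.
        expiry = time_ + (60 * 60 * 24)
        typ = flavour + '-receipt'
        # ...and are verified by this site rather than the central service.
        verify = absolutify(reverse('receipt.verify', args=[webapp.guid]))

    product = {'storedata': urlencode(storedata),
               # Packaged and hosted apps should have an origin. If there
               # isn't one, fall back to the SITE_URL.
               'url': webapp.origin or settings.SITE_URL}
    reissue = absolutify(reverse('receipt.reissue'))
    receipt = dict(exp=expiry,
                   iat=time_,
                   iss=settings.SITE_URL,
                   nbf=time_,
                   product=product,
                   # TODO: This is temporary until detail pages get added.
                   # TODO: bug 1020997, bug 1020999
                   detail=absolutify(reissue),  # Currently this is a 404.
                   reissue=absolutify(reissue),
                   typ=typ,
                   user={'type': 'directed-identifier', 'value': uuid},
                   verify=verify)
    return sign(receipt)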
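def check_acls(self, acl_type):
    """Check whether ``self.user_profile`` passes ACL *acl_type* for ``self.thread_obj``.

    :param acl_type: one of ``moz_contact`` (the user's email is among the
        addon's Mozilla contacts), ``admin`` (``Admin:%``), ``reviewer``
        (``Apps:Review``) or ``senior_reviewer`` (``Apps:ReviewEscalated``).
    :returns: ``True`` or ``False``.
    :raises Exception: for an unknown *acl_type*. The original did
        ``raise 'Invalid ACL lookup.'`` -- raising a plain string, which is
        a ``TypeError`` on Python 3 and deprecated on Python 2 -- so the
        unknown-lookup case now raises a real exception, matching the
        module-level ``check_acls``.
    """
    user = self.user_profile
    obj = self.thread_obj
    if acl_type == 'moz_contact':
        return user.email in obj.addon.get_mozilla_contacts()
    if acl_type == 'admin':
        return acl.action_allowed_user(user, 'Admin', '%')
    if acl_type == 'reviewer':
        return acl.action_allowed_user(user, 'Apps', 'Review')
    if acl_type == 'senior_reviewer':
        return acl.action_allowed_user(user, 'Apps', 'ReviewEscalated')
    # Unknown lookups fail closed by raising; the trailing ``return False``
    # of the original was unreachable.
    raise Exception('Invalid ACL lookup.')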
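def check_acls(user, obj, acl_type):
    """Check whether *user* passes the ACL named *acl_type* for *obj*.

    :param user: the UserProfile being authorised.
    :param obj: an object with an ``addon`` attribute, or one whose
        ``thread`` carries the addon (that fallback is taken on
        ``AttributeError``).
    :param acl_type: ``moz_contact``, ``admin``, ``reviewer`` or
        ``senior_reviewer``.
    :returns: ``True`` if the user passes the check, ``False`` otherwise.
    :raises Exception: for any other *acl_type* -- an unknown lookup fails
        closed by raising rather than returning ``False``.
    """
    if acl_type == "moz_contact":
        try:
            contacts = obj.addon.get_mozilla_contacts()
        except AttributeError:
            # obj presumably carries no ``addon`` itself; go via its thread.
            # NOTE(review): an AttributeError from inside
            # get_mozilla_contacts() is swallowed too -- confirm intended.
            contacts = obj.thread.addon.get_mozilla_contacts()
        return user.email in contacts

    lookups = {
        "admin": ("Admin", "%"),
        "reviewer": ("Apps", "Review"),
        "senior_reviewer": ("Apps", "ReviewEscalated"),
    }
    if acl_type not in lookups:
        # The original fell through to an unreachable ``return False`` after
        # raising; that dead code is gone.
        raise Exception("Invalid ACL lookup.")
    app, action = lookups[acl_type]
    return acl.action_allowed_user(user, app, action)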
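def issue(request, addon):
    """Issue a developer or reviewer receipt for *addon* to the current user.

    Reviewers (``Apps:Review``) get a reviewer receipt and reviewer install
    type; authors of the app get a developer one. A reviewer who is also an
    author is treated as a reviewer. Anyone else gets ``PermissionDenied``.

    :returns: a dict with the addon pk, the signed receipt (``None`` when
        signing failed) and an error message (empty on success).
    """
    user = request.amo_user
    # Fail closed for anonymous requests before the ACL, the author list or
    # the Installed table ever see ``None`` (the original only short-circuited
    # the ACL call and still passed ``None`` on to has_author()).
    if not user:
        raise PermissionDenied
    review = acl.action_allowed_user(user, 'Apps', 'Review')
    developer = addon.has_author(user)
    if not (review or developer):
        raise PermissionDenied

    if review:
        install, flavour = apps.INSTALL_TYPE_REVIEWER, 'reviewer'
    else:
        install, flavour = apps.INSTALL_TYPE_DEVELOPER, 'developer'
    installed, _created = Installed.objects.safer_get_or_create(
        addon=addon, user=user, install_type=install)

    error = ''
    receipt = None
    # Audit trail: every signing request is logged before signing happens.
    receipt_cef.log(request, addon, 'sign', 'Receipt signing for %s' % flavour)
    try:
        receipt = create_receipt(addon, user, get_uuid(addon, user),
                                 flavour=flavour)
    except SigningError:
        error = _('There was a problem installing the app.')
    return {'addon': addon.pk, 'receipt': receipt, 'error': error}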
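def verify(request, uuid):
    """Verify a developer/reviewer receipt POSTed for the app with GUID *uuid*.

    The GUID (not the pk) is used in the URL because this can be called at
    any point in the future. Unlike standard receipt verification no purchase
    is checked (``check_purchase=False``); instead the user embedded in the
    receipt must be a reviewer (``Apps:Review``) or an author of the app,
    otherwise the ``invalid`` payload is returned. The headers from
    ``get_headers`` (CORS, per the original comment) go on every response.
    """
    addon = get_object_or_404(Addon, guid=uuid)
    receipt = request.read()
    verifier = Verify(receipt, request)
    output = verifier(check_purchase=False)

    def respond(data):
        # Size the headers from the payload actually being sent. The original
        # measured the closed-over ``output`` even when sending
        # ``verifier.invalid()``, so the two could disagree.
        resp = http.HttpResponse(data)
        for header, value in get_headers(len(data)):
            resp[header] = value
        return resp

    # The identity comes from the receipt body, not from the session.
    # NOTE(review): this relies on Verify() having validated the receipt's
    # signature before user_id is trusted -- confirm.
    if verifier.user_id:
        try:
            user = UserProfile.objects.get(pk=verifier.user_id)
        except UserProfile.DoesNotExist:
            user = None
        if user and (acl.action_allowed_user(user, 'Apps', 'Review') or
                     addon.has_author(user)):
            amo.log(amo.LOG.RECEIPT_CHECKED, addon, user=user)
            return respond(output)
    return respond(verifier.invalid())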
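def create_receipt(webapp, user, uuid, flavour=None):
    """Build and sign a receipt for use in payments.

    :param webapp: the app record.
    :param user: the UserProfile record.
    :param uuid: a uuid placed in the receipt's ``user`` field for this
        purchase.
    :param flavour: ``None`` (plain purchase), ``'developer'`` or
        ``'reviewer'``.
    :returns: the signed receipt as returned by ``sign``.
    :raises ValueError: on an unknown flavour, or when a developer/reviewer
        receipt is requested for a user who is neither an ``Apps:Review``
        holder nor an author of the app.
    """
    # Validate with a real check: ``assert`` is stripped under ``python -O``
    # and an unchecked flavour would end up in the receipt's ``typ``.
    if flavour not in (None, 'developer', 'reviewer'):
        raise ValueError('Invalid flavour: %s' % flavour)

    time_ = calendar.timegm(time.gmtime())
    typ = 'purchase-receipt'
    product = {
        'storedata': urlencode({'id': int(webapp.pk)}),
        # Packaged and hosted apps should have an origin. If there
        # isn't one, fall back to the SITE_URL.
        'url': webapp.origin or settings.SITE_URL
    }

    expiry = time_ + settings.WEBAPPS_RECEIPT_EXPIRY_SECONDS
    if flavour:
        # Only reviewers and the app's own authors may get these receipts.
        if not (acl.action_allowed_user(user, 'Apps', 'Review') or
                webapp.has_author(user)):
            raise ValueError('User %s is not a reviewer or developer' % user.pk)
        # Developer and reviewer receipts expire after 24 hours and are
        # verified by this site rather than the central service.
        expiry = time_ + (60 * 60 * 24)
        typ = flavour + '-receipt'
        verify = absolutify(reverse('receipt.verify', args=[webapp.guid]))
    else:
        verify = settings.WEBAPPS_RECEIPT_URL

    reissue = absolutify(reverse('receipt.reissue'))
    receipt = dict(
        exp=expiry,
        iat=time_,
        iss=settings.SITE_URL,
        nbf=time_,
        product=product,
        # TODO: This is temporary until detail pages get added.
        detail=absolutify(reissue),  # Currently this is a 404.
        reissue=absolutify(reissue),
        typ=typ,
        user={
            'type': 'directed-identifier',
            'value': uuid
        },
        verify=verify)
    return sign(receipt)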
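def create_receipt(installed, flavour=None):
    """Build and sign a receipt for the ``Installed`` row *installed*.

    :param installed: the Installed record; supplies the app (``addon``),
        the user and the receipt uuid.
    :param flavour: ``None`` (plain purchase), ``'developer'`` or
        ``'reviewer'``.
    :returns: the signed receipt -- via ``sign`` when
        ``settings.SIGNING_SERVER_ACTIVE``, else a locally RS512-signed JWT.
    :raises ValueError: on an unknown flavour, or when a developer/reviewer
        receipt is requested for a user who is neither an ``Apps:Review``
        holder nor an author of the app.
    """
    # A real check rather than ``assert`` (which is dropped under ``-O``).
    if flavour not in (None, 'developer', 'reviewer'):
        raise ValueError('Invalid flavour: %s' % flavour)

    webapp = installed.addon
    time_ = calendar.timegm(time.gmtime())
    typ = 'purchase-receipt'
    product = {
        'storedata': urlencode({'id': int(webapp.pk)}),
        # Packaged and hosted apps should have an origin. If there
        # isn't one, fall back to the SITE_URL.
        'url': webapp.origin or settings.SITE_URL
    }

    expiry = time_ + settings.WEBAPPS_RECEIPT_EXPIRY_SECONDS
    if flavour:
        # Only reviewers and the app's own authors may get these receipts.
        if not (acl.action_allowed_user(installed.user, 'Apps', 'Review') or
                webapp.has_author(installed.user)):
            raise ValueError('User %s is not a reviewer or developer'
                             % installed.user.pk)
        # Developer and reviewer receipts expire after 24 hours and are
        # verified by this site rather than the central service.
        expiry = time_ + (60 * 60 * 24)
        typ = flavour + '-receipt'
        verify = absolutify(reverse('receipt.verify', args=[webapp.guid]))
    else:
        verify = settings.WEBAPPS_RECEIPT_URL

    reissue = absolutify(reverse('receipt.reissue'))
    receipt = dict(
        exp=expiry,
        iat=time_,
        iss=settings.SITE_URL,
        nbf=time_,
        product=product,
        # TODO: This is temporary until detail pages get added.
        detail=absolutify(reissue),  # Currently this is a 404.
        reissue=absolutify(reissue),  # Currently this is a 404.
        typ=typ,
        user={
            'type': 'directed-identifier',
            'value': installed.uuid
        },
        verify=verify)

    if settings.SIGNING_SERVER_ACTIVE:
        # The shiny new code: sign via the signing server.
        return sign(receipt)
    # Our old bad code: sign locally with the site key.
    return jwt.encode(receipt, get_key(), u'RS512')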
def needs_tougher_password(user):
    """Return whether *user* holds a privileged ACL and so needs a stronger password."""
    # Local import, presumably to avoid an import cycle with ``access``.
    from access import acl
    checks = [
        ('Admin', '%'),
        ('Addons', 'Edit'),
        ('Addons', 'Review'),
        ('Apps', 'Review'),
        ('Personas', 'Review'),
        ('Users', 'Edit'),
    ]
    for app, action in checks:
        if acl.action_allowed_user(user, app, action):
            return True
    return False
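def create_receipt(installed_pk, flavour=None):
    """Build and sign a receipt for the ``Installed`` row with pk *installed_pk*.

    :param installed_pk: primary key of the Installed record, which supplies
        the app, the user and the receipt uuid.
    :param flavour: ``None`` (plain purchase), ``'developer'`` or
        ``'reviewer'``.
    :returns: the signed receipt -- via ``sign`` when
        ``settings.SIGNING_SERVER_ACTIVE``, else a locally RS512-signed JWT.
    :raises ValueError: on an unknown flavour, or when a developer/reviewer
        receipt is requested for a user who is neither an ``Apps:Review``
        holder nor an author of the app.
    :raises Installed.DoesNotExist: if no such row exists.
    """
    # Validate before the database lookup, and with a real check: ``assert``
    # is stripped under ``python -O``.
    if flavour not in (None, 'developer', 'reviewer'):
        raise ValueError('Invalid flavour: %s' % flavour)

    installed = Installed.objects.get(pk=installed_pk)
    webapp = installed.addon
    # Packaged apps are served from this site, so their origin is SITE_URL.
    origin = (settings.SITE_URL if webapp.is_packaged else webapp.origin)
    time_ = calendar.timegm(time.gmtime())
    product = {'url': origin,
               'storedata': urlencode({'id': int(webapp.pk)})}

    expiry = time_ + settings.WEBAPPS_RECEIPT_EXPIRY_SECONDS
    if flavour:
        # Only reviewers and the app's own authors may get these receipts.
        if not (acl.action_allowed_user(installed.user, 'Apps', 'Review') or
                webapp.has_author(installed.user)):
            raise ValueError('User %s is not a reviewer or developer'
                             % installed.user.pk)
        # Only reviewer receipts are shortened to 24 hours here; developer
        # receipts keep the full expiry.
        if flavour == 'reviewer':
            expiry = time_ + (60 * 60 * 24)
        product['type'] = flavour
        verify = absolutify(reverse('receipt.verify',
                                    args=[webapp.app_slug]))
    else:
        verify = settings.WEBAPPS_RECEIPT_URL

    detail = reverse('account.purchases.receipt', args=[webapp.pk])
    reissue = webapp.get_purchase_url('reissue')
    receipt = dict(detail=absolutify(detail),
                   exp=expiry,
                   iat=time_,
                   iss=settings.SITE_URL,
                   nbf=time_,
                   product=product,
                   reissue=absolutify(reissue),
                   typ='purchase-receipt',
                   user={
                       'type': 'directed-identifier',
                       'value': installed.uuid
                   },
                   verify=verify)

    if settings.SIGNING_SERVER_ACTIVE:
        # The shiny new code: sign via the signing server.
        return sign(receipt)
    # Our old bad code: sign locally with the site key.
    return jwt.encode(receipt, get_key(), u'RS512')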
def needs_tougher_password(user):
    """Return whether *user* holds a privileged ACL and so needs a stronger password."""
    # Local import, presumably to avoid an import cycle with ``access``.
    from access import acl
    privileged = (
        ("Admin", "%"),
        ("Addons", "Edit"),
        ("Addons", "Review"),
        ("Apps", "Review"),
        ("Personas", "Review"),
        ("Users", "Edit"),
    )
    # Short-circuits exactly like the original ``or`` chain.
    return any(acl.action_allowed_user(user, app, action)
               for app, action in privileged)
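def issue(request, addon):
    """Issue a developer or reviewer receipt for *addon* to the current user.

    Reviewers (``Apps:Review``) get a reviewer receipt, authors of the app a
    developer one; a reviewer who is also an author is treated as a reviewer.
    Anyone else gets ``PermissionDenied``.

    :returns: a dict with the addon pk, the signed receipt (``None`` when
        signing failed) and an error message (empty on success).
    """
    user = request.amo_user
    # Fail closed for anonymous requests before the ACL, the author list or
    # the Installed table see ``None``.
    if not user:
        raise PermissionDenied
    review = acl.action_allowed_user(user, "Apps", "Review")
    developer = addon.has_author(user)
    if not (review or developer):
        raise PermissionDenied

    installed, _created = Installed.objects.safer_get_or_create(
        addon=addon, user=user)
    error = ""
    # Initialised up front: the original left ``receipt`` unbound when
    # create_receipt() raised SigningError and then crashed on the return.
    receipt = None
    flavour = "reviewer" if review else "developer"
    # Audit trail: every signing request is logged before signing happens.
    receipt_cef.log(request, addon, "sign", "Receipt signing for %s" % flavour)
    try:
        receipt = create_receipt(installed.pk, flavour=flavour)
    except SigningError:
        error = _("There was a problem installing the app.")
    return {"addon": addon.pk, "receipt": receipt, "error": error}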
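def create_receipt(webapp, user, uuid, flavour=None):
    """Build and sign a receipt for use in payments.

    :param webapp: the app record.
    :param user: the UserProfile record.
    :param uuid: a uuid placed in the receipt's ``user`` field for this
        purchase.
    :param flavour: ``None`` (plain purchase), ``'developer'`` or
        ``'reviewer'``.
    :returns: the signed receipt as returned by ``sign``.
    :raises ValueError: on an unknown flavour, or when a developer/reviewer
        receipt is requested for a user who is neither an ``Apps:Review``
        holder nor an author of the app.
    """
    allowed_flavours = (None, 'developer', 'reviewer')
    # ``assert`` is stripped under ``python -O``; validate for real.
    if flavour not in allowed_flavours:
        raise ValueError('Invalid flavour: %s' % flavour)

    time_ = calendar.timegm(time.gmtime())
    product = {'storedata': urlencode({'id': int(webapp.pk)}),
               # Packaged and hosted apps should have an origin. If there
               # isn't one, fall back to the SITE_URL.
               'url': webapp.origin or settings.SITE_URL}

    if flavour:
        # Only reviewers and the app's own authors may get these receipts.
        if not (acl.action_allowed_user(user, 'Apps', 'Review') or
                webapp.has_author(user)):
            raise ValueError('User %s is not a reviewer or developer' % user.pk)
        # Developer and reviewer receipts expire after 24 hours and are
        # verified by this site rather than the central service.
        expiry = time_ + (60 * 60 * 24)
        typ = flavour + '-receipt'
        verify = absolutify(reverse('receipt.verify', args=[webapp.guid]))
    else:
        expiry = time_ + settings.WEBAPPS_RECEIPT_EXPIRY_SECONDS
        typ = 'purchase-receipt'
        verify = settings.WEBAPPS_RECEIPT_URL

    reissue = absolutify(reverse('receipt.reissue'))
    receipt = dict(exp=expiry,
                   iat=time_,
                   iss=settings.SITE_URL,
                   nbf=time_,
                   product=product,
                   # TODO: This is temporary until detail pages get added.
                   detail=absolutify(reissue),  # Currently this is a 404.
                   reissue=absolutify(reissue),
                   typ=typ,
                   user={'type': 'directed-identifier', 'value': uuid},
                   verify=verify)
    return sign(receipt)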
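def create_receipt(installed, flavour=None):
    """Build and sign a receipt for the ``Installed`` row *installed*.

    :param installed: the Installed record; supplies the app (``addon``),
        the user and the receipt uuid.
    :param flavour: ``None`` (plain purchase), ``'developer'`` or
        ``'reviewer'``.
    :returns: the signed receipt -- via ``sign`` when
        ``settings.SIGNING_SERVER_ACTIVE``, else a locally RS512-signed JWT.
    :raises ValueError: on an unknown flavour, or when a developer/reviewer
        receipt is requested for a user who is neither an ``Apps:Review``
        holder nor an author of the app.
    """
    allowed_flavours = (None, 'developer', 'reviewer')
    # ``assert`` is stripped under ``python -O``; validate for real.
    if flavour not in allowed_flavours:
        raise ValueError('Invalid flavour: %s' % flavour)

    webapp = installed.addon
    user = installed.user
    time_ = calendar.timegm(time.gmtime())
    product = {'storedata': urlencode({'id': int(webapp.pk)}),
               # Packaged and hosted apps should have an origin. If there
               # isn't one, fall back to the SITE_URL.
               'url': webapp.origin or settings.SITE_URL}

    if flavour:
        # Only reviewers and the app's own authors may get these receipts.
        if not (acl.action_allowed_user(user, 'Apps', 'Review') or
                webapp.has_author(user)):
            raise ValueError('User %s is not a reviewer or developer' % user.pk)
        # Developer and reviewer receipts expire after 24 hours and are
        # verified by this site rather than the central service.
        expiry = time_ + (60 * 60 * 24)
        typ = flavour + '-receipt'
        verify = absolutify(reverse('receipt.verify', args=[webapp.guid]))
    else:
        expiry = time_ + settings.WEBAPPS_RECEIPT_EXPIRY_SECONDS
        typ = 'purchase-receipt'
        verify = settings.WEBAPPS_RECEIPT_URL

    reissue = absolutify(reverse('receipt.reissue'))
    receipt = dict(exp=expiry,
                   iat=time_,
                   iss=settings.SITE_URL,
                   nbf=time_,
                   product=product,
                   # TODO: This is temporary until detail pages get added.
                   detail=absolutify(reissue),  # Currently this is a 404.
                   reissue=absolutify(reissue),  # Currently this is a 404.
                   typ=typ,
                   user={'type': 'directed-identifier',
                         'value': installed.uuid},
                   verify=verify)

    if settings.SIGNING_SERVER_ACTIVE:
        # The shiny new code: sign via the signing server.
        return sign(receipt)
    # Our old bad code: sign locally with the site key.
    return jwt.encode(receipt, get_key(), u'RS512')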
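def issue(request, addon):
    """Issue a developer or reviewer receipt for *addon* to the current user.

    Reviewers (``Apps:Review``) get a reviewer receipt, authors of the app a
    developer one; a reviewer who is also an author is treated as a reviewer.
    Anyone else gets a 403.

    :returns: an ``HttpResponseForbidden`` for unauthorised callers, else a
        dict with the addon pk, the signed receipt (``None`` when signing
        failed) and an error message (empty on success).
    """
    user = request.amo_user
    # Fail closed for anonymous requests before the ACL, the author list or
    # the Installed table see ``None``.
    if not user:
        return http.HttpResponseForbidden()
    review = acl.action_allowed_user(user, 'Apps', 'Review')
    developer = addon.has_author(user)
    if not (review or developer):
        return http.HttpResponseForbidden()

    installed, _created = Installed.objects.safer_get_or_create(
        addon=addon, user=user)
    error = ''
    # Initialised up front: the original left ``receipt`` unbound when
    # create_receipt() raised SigningError and then crashed on the return.
    receipt = None
    flavour = 'reviewer' if review else 'developer'
    # Audit trail: every signing request is logged before signing happens.
    receipt_cef.log(request, addon, 'sign', 'Receipt signing for %s' % flavour)
    try:
        receipt = create_receipt(installed.pk, flavour=flavour)
    except SigningError:
        error = _('There was a problem installing the app.')
    return {'addon': addon.pk, 'receipt': receipt, 'error': error}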
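def issue(request, addon):
    """Issue a developer or reviewer receipt for *addon* to the current user.

    Reviewers (``Apps:Review``) get a reviewer receipt, authors of the app a
    developer one; a reviewer who is also an author is treated as a reviewer.
    Anonymous callers and everyone else get a 403.

    :returns: an ``HttpResponseForbidden`` for unauthorised callers, else a
        dict with the addon pk, the signed receipt (``None`` when signing
        failed) and an error message (empty on success).
    """
    user = request.amo_user
    # Anonymous check first, so neither the ACL nor has_author() sees None.
    if not user:
        return http.HttpResponseForbidden()
    review = acl.action_allowed_user(user, 'Apps', 'Review')
    author = addon.has_author(user)
    if not (review or author):
        return http.HttpResponseForbidden()

    installed, _created = Installed.objects.safer_get_or_create(
        addon=addon, user=user)
    error = ''
    # Initialised up front: the original left ``receipt`` unbound when
    # create_receipt() raised SigningError and then crashed on the return.
    receipt = None
    flavour = 'reviewer' if review else 'developer'
    # Audit trail: every signing request is logged before signing happens.
    receipt_cef.log(request, addon, 'sign', 'Receipt signing for %s' % flavour)
    try:
        receipt = create_receipt(installed.pk, flavour=flavour)
    except SigningError:
        error = _('There was a problem installing the app.')
    return {'addon': addon.pk, 'receipt': receipt, 'error': error}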
def needs_tougher_password(user):
    """Tell whether *user* must meet the stricter password rules.

    Accounts whose login source is one of ``amo.LOGIN_SOURCE_BROWSERIDS``
    are exempt (their password is not managed here). Everyone else needs the
    tougher password when they hold any of the privileged ACL actions listed
    below.
    """
    if user.source in amo.LOGIN_SOURCE_BROWSERIDS:
        return False
    # Local import, presumably to avoid an import cycle with ``access``.
    from access import acl
    checks = [
        ("Admin", "%"),
        ("Addons", "Edit"),
        ("Addons", "Review"),
        ("Apps", "Review"),
        ("Personas", "Review"),
        ("Users", "Edit"),
    ]
    for app, action in checks:
        if acl.action_allowed_user(user, app, action):
            return True
    return False
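def verify(request, addon):
    """Verify a developer/reviewer receipt POSTed for *addon*.

    Unlike standard receipt verification no purchase is checked
    (``check_purchase=False``). The user is read from the receipt itself and
    must be a reviewer (``Apps:Review``) or an author of *addon*; otherwise
    the ``invalid`` payload is returned.
    """
    receipt = request.read()
    verifier = Verify(receipt, request)
    output = verifier(check_purchase=False)

    # The identity is taken from the receipt body, not the session.
    # NOTE(review): this relies on Verify() having validated the signature
    # before user_id is trusted -- confirm.
    user = None
    if verifier.user_id:
        try:
            user = UserProfile.objects.get(pk=verifier.user_id)
        except UserProfile.DoesNotExist:
            user = None

    # NOTE(review): the second positional argument of Django's HttpResponse
    # is the content type; confirm this ``http`` wrapper accepts a headers
    # mapping there.
    if user and (acl.action_allowed_user(user, "Apps", "Review") or
                 addon.has_author(user)):
        amo.log(amo.LOG.RECEIPT_CHECKED, addon, user=user)
        return http.HttpResponse(output, verifier.get_headers(len(output)))

    # Size the headers from the body length, as on the success path. The
    # original passed the body string itself to get_headers() and called
    # invalid() twice.
    invalid = verifier.invalid()
    return http.HttpResponse(invalid, verifier.get_headers(len(invalid)))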
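def create_receipt(installed_pk, flavour=None):
    """Build and sign a receipt for the ``Installed`` row with pk *installed_pk*.

    :param installed_pk: primary key of the Installed record, which supplies
        the app, the user and the receipt uuid.
    :param flavour: ``None`` (plain purchase), ``'developer'`` or
        ``'reviewer'``.
    :returns: the signed receipt -- via ``sign`` when
        ``settings.SIGNING_SERVER_ACTIVE``, else a locally RS512-signed JWT.
    :raises ValueError: on an unknown flavour, or when a developer/reviewer
        receipt is requested for a user who is neither an ``Apps:Review``
        holder nor an author of the app.
    :raises Installed.DoesNotExist: if no such row exists.
    """
    # Validate before the database lookup, and with a real check: ``assert``
    # is stripped under ``python -O``.
    if flavour not in (None, 'developer', 'reviewer'):
        raise ValueError('Invalid flavour: %s' % flavour)

    installed = Installed.objects.get(pk=installed_pk)
    webapp = installed.addon
    user = installed.user
    # Packaged apps are served from this site, so their origin is SITE_URL.
    origin = (settings.SITE_URL if webapp.is_packaged else webapp.origin)
    time_ = calendar.timegm(time.gmtime())
    product = {'url': origin,
               'storedata': urlencode({'id': int(webapp.pk)})}

    if flavour:
        # Only reviewers and the app's own authors may get these receipts.
        if not (acl.action_allowed_user(user, 'Apps', 'Review') or
                webapp.has_author(user)):
            raise ValueError('User %s is not a reviewer or developer' % user.pk)
        # Developer and reviewer receipts expire after 24 hours and are
        # verified by this site rather than the central service.
        expiry = time_ + (60 * 60 * 24)
        typ = flavour + '-receipt'
        verify = absolutify(reverse('receipt.verify', args=[webapp.guid]))
    else:
        expiry = time_ + settings.WEBAPPS_RECEIPT_EXPIRY_SECONDS
        typ = 'purchase-receipt'
        verify = settings.WEBAPPS_RECEIPT_URL

    detail = reverse('account.purchases.receipt', args=[webapp.pk])
    reissue = webapp.get_purchase_url('reissue')
    receipt = dict(detail=absolutify(detail),
                   exp=expiry,
                   iat=time_,
                   iss=settings.SITE_URL,
                   nbf=time_,
                   product=product,
                   reissue=absolutify(reissue),
                   typ=typ,
                   user={'type': 'directed-identifier',
                         'value': installed.uuid},
                   verify=verify)

    if settings.SIGNING_SERVER_ACTIVE:
        # The shiny new code: sign via the signing server.
        return sign(receipt)
    # Our old bad code: sign locally with the site key.
    return jwt.encode(receipt, get_key(), u'RS512')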
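def issue(request, addon):
    """Issue a developer or reviewer receipt for *addon* to the current user.

    Reviewers (``Apps:Review``) get a reviewer receipt and reviewer install
    type; authors of the app get a developer one. A reviewer who is also an
    author is treated as a reviewer. Anyone else gets ``PermissionDenied``.

    :returns: a dict with the addon pk, the signed receipt (``None`` when
        signing failed) and an error message (empty on success).
    """
    user = request.amo_user
    # Fail closed for anonymous requests before the ACL, the author list or
    # the Installed table ever see ``None`` (the original only short-circuited
    # the ACL call and still passed ``None`` on to has_author()).
    if not user:
        raise PermissionDenied
    review = acl.action_allowed_user(user, 'Apps', 'Review')
    developer = addon.has_author(user)
    if not (review or developer):
        raise PermissionDenied

    if review:
        install, flavour = apps.INSTALL_TYPE_REVIEWER, 'reviewer'
    else:
        install, flavour = apps.INSTALL_TYPE_DEVELOPER, 'developer'
    installed, _created = Installed.objects.safer_get_or_create(
        addon=addon, user=user, install_type=install)

    error = ''
    receipt = None
    # Audit trail: every signing request is logged before signing happens.
    receipt_cef.log(request, addon, 'sign', 'Receipt signing for %s' % flavour)
    try:
        receipt = create_receipt(installed.pk, flavour=flavour)
    except SigningError:
        error = _('There was a problem installing the app.')
    return {'addon': addon.pk, 'receipt': receipt, 'error': error}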
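def verify(request, addon):
    """Verify a developer/reviewer receipt POSTed for *addon*.

    Unlike standard receipt verification no purchase is checked
    (``check_purchase=False``). The user is read from the receipt itself and
    must be a reviewer (``Apps:Review``) or an author of *addon*; otherwise
    the ``invalid`` payload is returned.
    """
    receipt = request.raw_post_data
    verifier = Verify(addon.pk, receipt, request)
    output = verifier(check_purchase=False)

    # The identity is taken from the receipt body, not the session.
    # NOTE(review): this relies on Verify() having validated the signature
    # before user_id is trusted -- confirm.
    user = None
    if verifier.user_id:
        try:
            user = UserProfile.objects.get(pk=verifier.user_id)
        except UserProfile.DoesNotExist:
            user = None

    # NOTE(review): the second positional argument of Django's HttpResponse
    # is the content type; confirm this ``http`` wrapper accepts a headers
    # mapping there.
    if user and (acl.action_allowed_user(user, 'Apps', 'Review') or
                 addon.has_author(user)):
        amo.log(amo.LOG.RECEIPT_CHECKED, addon, user=user)
        return http.HttpResponse(output, verifier.get_headers(len(output)))

    # Size the headers from the body length, as on the success path. The
    # original passed the body string itself to get_headers() and called
    # invalid() twice.
    invalid = verifier.invalid()
    return http.HttpResponse(invalid, verifier.get_headers(len(invalid)))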
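def create_receipt(installed_pk, flavour=None):
    """Build and sign a receipt for the ``Installed`` row with pk *installed_pk*.

    :param installed_pk: primary key of the Installed record, which supplies
        the app, the user and the receipt uuid.
    :param flavour: ``None`` (plain purchase), ``'author'`` or
        ``'reviewer'``.
    :returns: the signed receipt -- via ``sign`` when
        ``settings.SIGNING_SERVER_ACTIVE``, else a locally RS512-signed JWT.
    :raises ValueError: on an unknown flavour, or when an author/reviewer
        receipt is requested for a user who is neither an ``Apps:Review``
        holder nor an author of the app.
    :raises Installed.DoesNotExist: if no such row exists.
    """
    # Validate before the database lookup, and with a real check: ``assert``
    # is stripped under ``python -O``.
    if flavour not in (None, 'author', 'reviewer'):
        raise ValueError('Invalid flavour: %s' % flavour)

    installed = Installed.objects.get(pk=installed_pk)
    addon = installed.addon
    addon_pk = addon.pk
    time_ = calendar.timegm(time.gmtime())
    product = {'url': addon.origin,
               'storedata': urlencode({'id': int(addon_pk)})}

    # Generate different receipts for reviewers or authors.
    if flavour in ('author', 'reviewer'):
        if not (acl.action_allowed_user(installed.user, 'Apps', 'Review') or
                addon.has_author(installed.user)):
            raise ValueError('User %s is not a reviewer or author'
                             % installed.user.pk)
        # Author and reviewer receipts expire after 24 hours and are
        # verified by this site rather than the central service.
        expiry = time_ + (60 * 60 * 24)
        product['type'] = flavour
        # NOTE(review): this value is absolutified again below; confirm
        # absolutify() is idempotent on an already-absolute URL.
        verify = absolutify(reverse('reviewers.receipt.verify',
                                    args=[addon.app_slug]))
    else:
        expiry = time_ + settings.WEBAPPS_RECEIPT_EXPIRY_SECONDS
        verify = '%s%s' % (settings.WEBAPPS_RECEIPT_URL, addon_pk)

    detail = reverse('account.purchases.receipt', args=[addon_pk])
    reissue = addon.get_purchase_url('reissue')
    receipt = dict(detail=absolutify(detail),
                   exp=expiry,
                   iat=time_,
                   iss=settings.SITE_URL,
                   nbf=time_,
                   product=product,
                   reissue=absolutify(reissue),
                   typ='purchase-receipt',
                   user={'type': 'directed-identifier',
                         'value': installed.uuid},
                   verify=absolutify(verify))

    if settings.SIGNING_SERVER_ACTIVE:
        # The shiny new code: sign via the signing server.
        return sign(receipt)
    # Our old bad code: sign locally with the site key.
    return jwt.encode(receipt, get_key(), u'RS512')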
def verify(request, uuid):
    """Verify a developer/reviewer receipt POSTed for the app with GUID *uuid*.

    The GUID (not the pk) is used in the URL because this can be called at
    any point in the future. Unlike standard receipt verification no purchase
    is checked (``check_purchase=False``); instead the user embedded in the
    receipt must be a reviewer (``Apps:Review``) or an author of the app,
    otherwise the ``invalid`` payload is returned.
    """
    addon = get_object_or_404(Addon, guid=uuid)
    checker = Verify(request.read(), request)
    output = checker(check_purchase=False)

    # The identity comes from the receipt body, not from the session.
    # NOTE(review): this relies on Verify() having validated the receipt's
    # signature before user_id is trusted -- confirm.
    user = None
    if checker.user_id:
        try:
            user = UserProfile.objects.get(pk=checker.user_id)
        except UserProfile.DoesNotExist:
            user = None
    if not user:
        return response(checker.invalid())

    allowed = (acl.action_allowed_user(user, 'Apps', 'Review') or
               addon.has_author(user))
    if not allowed:
        return response(checker.invalid())

    amo.log(amo.LOG.RECEIPT_CHECKED, addon, user=user)
    return response(output)
def inner(view, request, guid=None, **kwargs):
    """Resolve the add-on named by *guid* and gate the wrapped view on it.

    Lookup goes through ``Addon.unfiltered`` (presumably so that otherwise
    hidden add-ons still resolve). A missing add-on is a 404 unless
    ``allow_missing`` is set, in which case the view runs with
    ``addon=None``. Otherwise the view runs only for an author of the add-on,
    or for a holder of ``Addons:Edit`` on a GET request (read-only admin
    access); everyone else gets a 403.
    """
    try:
        addon = Addon.unfiltered.get(guid=guid)
    except Addon.DoesNotExist:
        if not allow_missing:
            return Response(
                {'error': _('Could not find add-on with '
                            'id "{}".').format(guid)},
                status=status.HTTP_404_NOT_FOUND)
        addon = None

    if addon is not None:
        # Authors always pass; admins only for read-only requests.
        allowed = addon.has_author(request.user) or (
            request.method == 'GET' and
            acl.action_allowed_user(request.user, 'Addons', 'Edit'))
        if not allowed:
            return Response({'error': _('You do not own this addon.')},
                            status=status.HTTP_403_FORBIDDEN)

    return fn(view, request, addon=addon, **kwargs)
def is_staff(self):
    """Staff status is defined as holding the ``Admin:%`` ACL.

    Presumably consulted wherever Django expects a user's ``is_staff``.
    """
    # Local import, presumably to avoid an import cycle with ``access``.
    from access import acl
    allowed = acl.action_allowed_user
    return allowed(self, 'Admin', '%')
def is_staff(self):
    """Staff status is defined as holding the ``Admin:%`` ACL.

    Presumably consulted wherever Django expects a user's ``is_staff``.
    """
    # Local import, presumably to avoid an import cycle with ``access``.
    from access import acl
    app, action = "Admin", "%"
    return acl.action_allowed_user(self, app, action)
def needs_tougher_password(user):
    """Return whether *user* is an editor or admin and so needs a stronger password."""
    # Local import, presumably to avoid an import cycle with ``access``.
    from access.acl import action_allowed_user
    privileged = (('Editors', '%'), ('Admin', '%'))
    # Short-circuits exactly like the original ``or`` chain.
    return any(action_allowed_user(user, app, action)
               for app, action in privileged)
def needs_tougher_password(user):
    """Return whether *user* is an editor or admin and so needs a stronger password."""
    # Local import, presumably to avoid an import cycle with ``access``.
    from access.acl import action_allowed_user
    if action_allowed_user(user, "Editors", "%"):
        return True
    return action_allowed_user(user, "Admin", "%")