def __acl__(self):
acl = []
# Convert annotator-store roles to pyramid principals
for action, roles in self.model.get('permissions', {}).items():
principals = auth.translate_annotation_principals(roles)
for principal in principals:
# Append the converted rule tuple to the ACL
rule = (Allow, principal, action)
acl.append(rule)
return acl
def __acl__(self):
acl = []
model = self.model
# Convert annotator-store roles to pyramid principals
for action, roles in model.get('permissions', {}).items():
principals = auth.translate_annotation_principals(roles)
for principal in principals:
# Append the converted rule tuple to the ACL
rule = (Allow, principal, action)
acl.append(rule)
return acl
def generate_notifications(request, annotation, action):
# Only send notifications when new annotations are created
if action != 'create':
return
# If the annotation doesn't have a parent, we can't find its parent, or we
# have no idea who the author of the parent is, then we can't send a
# notification email.
parent = annotation.parent
if parent is None or 'user' not in parent:
return
# We don't send replies to the author of the parent unless they're going to
# be able to read it. That means there must be some overlap between the set
# of effective principals of the parent's author, and the read permissions
# of the reply.
child_read_permissions = annotation.get('permissions', {}).get('read', [])
parent_principals = auth.effective_principals(parent['user'], request)
read_principals = translate_annotation_principals(child_read_permissions)
if not set(parent_principals).intersection(read_principals):
return
# Store the parent values as additional data
data = {
'parent': parent
}
subscriptions = Subscriptions.get_active_subscriptions_for_a_type(
types.REPLY_TYPE)
for subscription in subscriptions:
data['subscription'] = subscription.__json__(request)
# Validate annotation
if check_conditions(annotation, data):
try:
subject, text, html, recipients = render_reply_notification(
request,
annotation,
parent)
yield subject, text, html, recipients
# ToDo: proper exception handling here
except TemplateRenderException:
log.exception('Failed to render subscription'
' template %s', subscription)
except:
log.exception('Unknown error when trying to render'
' subscription template %s', subscription)
def generate_notifications(request, annotation, action):
# Only send notifications when new annotations are created
if action != 'create':
return
# If the annotation doesn't have a parent, we can't find its parent, or we
# have no idea who the author of the parent is, then we can't send a
# notification email.
parent = annotation.parent
if parent is None or 'user' not in parent:
return
# We don't send replies to the author of the parent unless they're going to
# be able to read it. That means there must be some overlap between the set
# of effective principals of the parent's author, and the read permissions
# of the reply.
child_read_permissions = annotation.get('permissions', {}).get('read', [])
parent_principals = auth.effective_principals(parent['user'], request)
read_principals = translate_annotation_principals(child_read_permissions)
if not set(parent_principals).intersection(read_principals):
return
# Store the parent values as additional data
data = {
'parent': parent
}
subscriptions = Subscriptions.get_active_subscriptions_for_a_type(
types.REPLY_TYPE)
for subscription in subscriptions:
data['subscription'] = subscription.__json__(request)
# Validate annotation
if check_conditions(annotation, data):
try:
subject, text, html, recipients = render_reply_notification(
request,
annotation,
parent)
yield subject, text, html, recipients
# ToDo: proper exception handling here
except TemplateRenderException:
log.exception('Failed to render subscription'
' template %s', subscription)
except:
log.exception('Unknown error when trying to render'
' subscription template %s', subscription)
def _authorized_to_read(request, annotation):
"""Return True if the passed request is authorized to read the annotation.
If the annotation belongs to a private group, this will return False if the
authenticated user isn't a member of that group.
"""
# TODO: remove this when we've diagnosed this issue
if ('permissions' not in annotation or
'read' not in annotation['permissions']):
request.sentry.captureMessage(
'streamer received annotation lacking valid permissions',
level='warn',
extra={
'id': annotation['id'],
'permissions': json.dumps(annotation.get('permissions')),
})
read_permissions = annotation.get('permissions', {}).get('read', [])
read_principals = auth.translate_annotation_principals(read_permissions)
if set(read_principals).intersection(request.effective_principals):
return True
return False
def test_translate_annotation_principals(p_in, p_out):
result = auth.translate_annotation_principals(p_in)
assert set(result) == set(p_out)