def filter_for_authorizations(
self, scope: Scope,
authorizations: models.QuerySet) -> models.QuerySet:
"""
Filter objects whitelisted by the authorizations.
For BRC, authorizations are defined around ``Autorisatie.besluittype``,
limiting scopes that apply for the ``besluittype`` at hand.
This means that ``besluiten`` are included if, and only if:
* the ``besluittype`` is provided in ``authorizations``
* the scopes for the ``besluittype`` in each ``authorization`` contain the
required``scope``
:param scope: a (possibly complex) scope that must be granted on the
authorizations
:param authorizations: queryset of
:class:`vng_api_common.authorizations.Autorisatie` objects
:return: a queryset of filtered results according to the
authorizations provided
"""
prefix = ("" if not self.authorizations_lookup else
f"{self.authorizations_lookup}__")
# keep a list of allowed besluittypen
besluittypen = []
for authorization in authorizations:
if scope.is_contained_in(authorization.scopes):
besluittype_path = urlparse(authorization.besluittype).path
besluittype = get_resource_for_path(besluittype_path)
besluittypen.append(besluittype)
# filtering:
# * only allow the white-listed besluittypen, explicitly
queryset = self.filter(**{f"{prefix}besluittype__in": besluittypen})
return queryset
"""
Defines the scopes used in the CMC component.
"""
from vng_api_common.scopes import Scope
SCOPE_KLANTEN_ALLES_VERWIJDEREN = Scope(
"klanten.verwijderen",
description="""
**Laat toe om**:
* klanten te verwijderen
""",
)
SCOPE_KLANTEN_ALLES_LEZEN = Scope(
"klanten.lezen",
description="""
**Laat toe om**:
* klanten te lezen
* klantdetails op te vragen
""",
)
SCOPE_KLANTEN_BIJWERKEN = Scope(
"klanten.bijwerken",
description="""
**Laat toe om**:
* attributen van een klant te wijzingen
def filter_for_authorizations(
self, scope: Scope,
authorizations: models.QuerySet) -> models.QuerySet:
"""
Filter objects whitelisted by the authorizations.
For ZRC, authorizations are defined around ``Autorisatie.zaaktype``,
with a ``max_vertrouwelijkheidaanduiding`` limiting the confidentiality
level of ``zaken`` (inclusive), and scopes that apply for the
``zaaktype`` at hand.
This means that ``zaken`` are included if, and only if:
* the ``zaaktype`` is provided in ``authorizations``
* the scopes for the ``zaaktype`` in each ``authorization`` contain the
required``scope``
* the ``zaak.vertrouwelijkheidaanduiding`` is less then or equal to the
``authorization.max_vertrouwelijkheidaanduiding``
:param scope: a (possibly complex) scope that must be granted on the
authorizations
:param authorizations: queryset of
:class:`vng_api_common.authorizations.Autorisatie` objects
:return: a queryset of filtered results according to the
authorizations provided
"""
# keep a list of allowed zaaktypen
zaaktypen = []
prefix = ("" if not self.authorizations_lookup else
f"{self.authorizations_lookup}__")
# annotate the queryset so we can map a string value to a logical number
order_case = VertrouwelijkheidsAanduiding.get_order_expression(
f"{prefix}vertrouwelijkheidaanduiding")
# build the case/when to map the max_vertrouwelijkheidaanduiding based
# on the ``zaaktype``
vertrouwelijkheidaanduiding_whens = []
for authorization in authorizations:
# test if this authorization has the scope that's needed
if not scope.is_contained_in(authorization.scopes):
continue
# this zaaktype is allowed
zaaktype_path = urlparse(authorization.zaaktype).path
zaaktype = get_resource_for_path(zaaktype_path)
zaaktypen.append(zaaktype)
# extract the order and map it to the database value
choice_item = VertrouwelijkheidsAanduiding.get_choice(
authorization.max_vertrouwelijkheidaanduiding)
vertrouwelijkheidaanduiding_whens.append(
When(**{f"{prefix}zaaktype": zaaktype},
then=Value(choice_item.order)))
# apply the order annnotation so we can filter later
annotations = {f"{prefix}_va_order": order_case}
# filtering:
# * only allow the white-listed zaaktypen, explicitly
# * apply the filtering to limit cases within case-types to the maximal
# confidentiality level
filters = {
f"{prefix}zaaktype__in":
zaaktypen,
f"{prefix}_va_order__lte":
Case(*vertrouwelijkheidaanduiding_whens,
output_field=IntegerField()),
}
# bring it all together now to build the resulting queryset
queryset = self.annotate(**annotations).filter(**filters)
return queryset
"""
Defines the scopes used in the ZTC component.
We keep things extremely simple - you can either read or write. Currently
writes are not supported yet in the API.
"""
from vng_api_common.scopes import Scope
SCOPE_CATALOGI_READ = Scope(
"catalogi.lezen",
description="""
**Laat toe om**:
* leesoperaties uit te voeren in de API. Alle resources zijn beschikbaar.
""",
)
SCOPE_CATALOGI_WRITE = Scope(
"catalogi.schrijven",
description="""
**Laat toe om**:
* schrijfoperaties uit te voeren in de API. Alle resources zijn beschikbaar.
""",
)
SCOPE_CATALOGI_FORCED_DELETE = Scope(
"catalogi.geforceerd-verwijderen",
description="""
**Laat toe om**:
# SPDX-License-Identifier: EUPL-1.2
# Copyright (C) 2019 - 2020 Dimpact
"""
Defines the scopes used in the ZRC component.
The Exxellence authorisation model is taken into consideration as well, see
https://wiki.exxellence.nl/display/KPORT/2.+Zaaktype+autorisaties
"""
from vng_api_common.scopes import Scope
SCOPE_AUTORISATIES_LEZEN = Scope(
"autorisaties.lezen",
description="""
**Laat toe om**:
* autorisaties te lezen
""",
)
SCOPE_AUTORISATIES_BIJWERKEN = Scope(
"autorisaties.bijwerken",
description="""
**Laat toe om**:
* autorisaties te maken
* autorisaties te wijzigen
* autorisaties te verwijderen
""",
)
"""
Defines the scopes used in the ZRC component.
The Exxellence authorisation model is taken into consideration as well, see
https://wiki.exxellence.nl/display/KPORT/2.+Zaaktype+autorisaties
"""
from vng_api_common.scopes import Scope
SCOPE_ZAKEN_CREATE = Scope('zaken.aanmaken',
description="""
**Laat toe om**:
* een zaak aan te maken
* de eerste status bij een zaak te zetten
* zaakobjecten aan te maken
* rollen aan te maken
""")
SCOPE_ZAKEN_BIJWERKEN = Scope('zaken.bijwerken',
description="""
**Laat toe om**:
* attributen van een zaak te wijzingen
""")
SCOPE_STATUSSEN_TOEVOEGEN = Scope('zaken.statussen.toevoegen',
description="""
**Laat toe om**:
* Statussen toe te voegen voor een zaak
"""
Defines the scopes used in the CMC component.
"""
from vng_api_common.scopes import Scope
SCOPE_CONTACTMOMENTEN_ALLES_VERWIJDEREN = Scope(
"contactmomenten.verwijderen",
description="""
**Laat toe om**:
* contactmomenten te verwijderen
""",
)
SCOPE_CONTACTMOMENTEN_ALLES_LEZEN = Scope(
"contactmomenten.lezen",
description="""
**Laat toe om**:
* contactmomenten te lezen
* contactmomentdetails op te vragen
""",
)
SCOPE_CONTACTMOMENTEN_BIJWERKEN = Scope(
"contactmomenten.bijwerken",
description="""
**Laat toe om**:
* attributen van een contactmoment te wijzingen
class DummyView(APIView):
permission_classes = (BaseAuthRequired, )
required_scopes = {"post": Scope("dummy", private=True)}
def post(self, request):
return Response({})
"""
Defines the scopes used in the NC component.
"""
from vng_api_common.scopes import Scope
SCOPE_NOTIFICATIES_CONSUMEREN = Scope('notificaties.consumeren',
description="""
**Laat toe om**:
* abonnementen aan te maken
* abonnementen te wijzigen
* abonnementen te verwijderen
* abonnementen te lezen
* kanalen te lezen
""")
SCOPE_NOTIFICATIES_PUBLICEREN = Scope('notificaties.publiceren',
description="""
**Laat toe om**:
* kanalen te lezen
* kanalen aan te maken
* kanalen te wijzigen
* kanalen te verwijderen
* abonnementen te lezen
* notificaties te versturen aan dit component
* notificaties te versturen aan abonnees
""")
"""
Defines the scopes used in the DRC component.
"""
from vng_api_common.scopes import Scope
SCOPE_DOCUMENTEN_ALLES_VERWIJDEREN = Scope(
"documenten.verwijderen",
description="""
**Laat toe om**:
* documenten te verwijderen
""",
)
SCOPE_DOCUMENTEN_ALLES_LEZEN = Scope(
"documenten.lezen",
description="""
**Laat toe om**:
* documenten te lezen
* documentdetails op te vragen
""",
)
SCOPE_DOCUMENTEN_BIJWERKEN = Scope(
"documenten.bijwerken",
description="""
**Laat toe om**:
* attributen van een document te wijzingen
"""
Defines the scopes used in the ZRC component.
The Exxellence authorisation model is taken into consideration as well, see
https://wiki.exxellence.nl/display/KPORT/2.+Zaaktype+autorisaties
"""
from vng_api_common.scopes import Scope
SCOPE_ZAKEN_CREATE = Scope('zds.scopes.zaken.aanmaken',
description="""
**Laat toe om**:
* een zaak aan te maken
* de eerste status bij een zaak te zetten
* zaakobjecten aan te maken
* rollen aan te maken
""")
SCOPE_ZAKEN_BIJWERKEN = Scope('zds.scopes.zaken.bijwerken',
description="""
**Laat toe om**:
* attributen van een zaak te wijzingen
""")
SCOPE_STATUSSEN_TOEVOEGEN = Scope('zds.scopes.statussen.toevoegen',
description="""
**Laat toe om**:
* Statussen toe te voegen voor een zaak
def filter_for_authorizations(
self, scope: Scope, authorizations: models.QuerySet
) -> models.QuerySet:
"""
Filter objects whitelisted by the authorizations.
For DRC, authorizations are defined around ``Autorisatie.informatieobjecttype``,
with a ``max_vertrouwelijkheidaanduiding`` limiting the confidentiality
level of ``informatieobjecten`` (inclusive), and scopes that apply for the
``informatieobjecttype`` at hand.
This means that ``informatieobjecten`` are included if, and only if:
* the ``informatieobjecttype`` is provided in ``authorizations``
* the scopes for the ``informatieobjecttype`` in each ``authorization`` contain the
required``scope``
* the ``informatieobjecttype.vertrouwelijkheidaanduiding`` is less then or equal to the
``authorization.max_vertrouwelijkheidaanduiding``
:param scope: a (possibly complex) scope that must be granted on the
authorizations
:param authorizations: queryset of
:class:`vng_api_common.authorizations.Autorisatie` objects
:return: a queryset of filtered results according to the
authorizations provided
"""
# keep a list of allowed informatieobjecttypen
informatieobjecttypen = []
# annotate the queryset so we can map a string value to a logical number
order_case = VertrouwelijkheidsAanduiding.get_order_expression(
"vertrouwelijkheidaanduiding"
)
# build the case/when to map the max_vertrouwelijkheidaanduiding based
# on the ``informatieobjecttype``
vertrouwelijkheidaanduiding_whens = []
for authorization in authorizations:
# test if this authorization has the scope that's needed
if not scope.is_contained_in(authorization.scopes):
continue
# this informatieobjecttype is allowed
informatieobjecttypen.append(authorization.informatieobjecttype)
# extract the order and map it to the database value
choice_item = VertrouwelijkheidsAanduiding.get_choice(
authorization.max_vertrouwelijkheidaanduiding
)
vertrouwelijkheidaanduiding_whens.append(
When(
**{"informatieobjecttype": authorization.informatieobjecttype},
then=Value(choice_item.order),
)
)
# apply the order annnotation so we can filter later
annotations = {"_va_order": order_case}
# filtering:
# * only allow the white-listed informatieobjecttypen, explicitly
# * apply the filtering to limit cases within case-types to the maximal
# confidentiality level
filters = {
"informatieobjecttype__in": informatieobjecttypen,
"_va_order__lte": Case(
*vertrouwelijkheidaanduiding_whens, output_field=IntegerField()
),
}
if self.authorizations_lookup:
# If the current queryset is not an InformatieObjectQuerySet, first
# retrieve the canonical IDs of EnkelvoudigInformatieObjects
# for which the user is authorized and then return the objects
# related to those EnkelvoudigInformatieObjectCanonicals
model = apps.get_model("datamodel", "EnkelvoudigInformatieObject")
filtered = (
model.objects.annotate(**annotations)
.filter(**filters)
.values("canonical")
)
queryset = self.filter(informatieobject__in=filtered)
# bring it all together now to build the resulting queryset
else:
queryset = self.annotate(**annotations).filter(**filters)
return queryset
from vng_api_common.scopes import Scope
SCOPE_AUDITTRAILS_LEZEN = Scope(
"audittrails.lezen",
description="""
**Laat toe om**:
* audittrails op te lijsten
* audittrail details op te vragen
""",
)
"""
Defines the scopes used in the ZTC component.
We keep things extremely simple - you can either read or write. Currently
writes are not supported yet in the API.
"""
from vng_api_common.scopes import Scope
SCOPE_ZAAKTYPES_READ = Scope(
"zaaktypes.lezen",
description="""
**Laat toe om**:
* leesoperaties uit te voeren in de API. Alle resources zijn beschikbaar.
""",
)
SCOPE_ZAAKTYPES_WRITE = Scope(
"zaaktypes.schrijven",
description="""
**Laat toe om**:
* schrijfoperaties uit te voeren in de API. Alle resources zijn beschikbaar.
""",
)
"""
Defines the scopes used in the ZRC component.
The Exxellence authorisation model is taken into consideration as well, see
https://wiki.exxellence.nl/display/KPORT/2.+Zaaktype+autorisaties
"""
from vng_api_common.scopes import Scope
EXAMPLE_SCOPE = Scope(
'zds.scopes.domain.example',
description="""
**Laat toe om**:
* ...
"""
)
