def query(self, view_kwargs):
"""
query method for Discount Code List
:param view_kwargs:
:return:
"""
query_ = self.session.query(DiscountCode)
# user can only access his/her discount codes.
if view_kwargs.get('user_id'):
if has_access('is_user_itself', user_id=view_kwargs['user_id']):
user = safe_query(self, User, 'id', view_kwargs['user_id'], 'user_id')
query_ = query_.join(User).filter(User.id == user.id)
else:
raise ForbiddenException({'source': ''}, 'You are not authorized')
if view_kwargs.get('event_identifier'):
event = safe_query(self, Event, 'identifier', view_kwargs['event_identifier'], 'event_identifier')
view_kwargs['event_id'] = event.id
# event co-organizer access required for discount codes under an event.
if view_kwargs.get('event_id'):
if has_access('is_coorganizer', event_id=view_kwargs['event_id']):
self.schema = DiscountCodeSchemaTicket
query_ = query_.filter_by(event_id=view_kwargs['event_id'])
else:
raise ForbiddenException({'source': ''}, 'Event organizer access required')
# discount_code - ticket :: many-to-many relationship
if view_kwargs.get('ticket_id') and has_access('is_coorganizer'):
self.schema = DiscountCodeSchemaTicket
ticket = safe_query(self, Ticket, 'id', view_kwargs['ticket_id'], 'ticket_id')
query_ = query_.filter(DiscountCode.tickets.any(id=ticket.id))
return query_
def before_update_object(self, session, data, view_kwargs):
"""
before update method to verify if session is locked before updating session object
:param event:
:param data:
:param view_kwargs:
:return:
"""
if data.get('is_locked') != session.is_locked:
if not (has_access('is_admin')
or has_access('is_organizer', event_id=session.event_id)):
raise ForbiddenException(
{'source': '/data/attributes/is-locked'},
"You don't have enough permissions to change this property",
)
if session.is_locked and data.get('is_locked') == session.is_locked:
raise ForbiddenException(
{'source': '/data/attributes/is-locked'},
"Locked sessions cannot be edited",
)
if not can_edit_after_cfs_ends(session.event_id):
raise ForbiddenException(
{'source': ''},
"Cannot edit session after the call for speaker is ended")
def before_update_object(self, feedback, data, view_kwargs):
"""
before update object method of feedback details
:param feedback:
:param data:
:param view_kwargs:
:return:
"""
if feedback and feedback.session_id:
session = Session.query.filter_by(id=feedback.session_id).first()
if session and not current_user.id == feedback.user_id:
raise ForbiddenException(
{'source': ''},
"Feedback can be updated only by user himself")
if session and not has_access('is_coorganizer',
event_id=session.event_id):
raise ForbiddenException({'source': ''},
"Event co-organizer access required")
if feedback and data.get('deleted_at'):
if has_access('is_user_itself', user_id=feedback.user_id):
delete_feedback(feedback)
else:
raise ForbiddenException(
{'source': ''},
"Feedback can be deleted only by user himself")
def before_update_object(self, speaker, data, view_kwargs):
"""
method to save image urls before updating speaker object
:param speaker:
:param data:
:param view_kwargs:
:return:
"""
if not can_edit_after_cfs_ends(speaker.event_id):
raise ForbiddenException(
{'source': ''},
"Cannot edit speaker after the call for speaker is ended")
if data.get('photo_url') and data['photo_url'] != speaker.photo_url:
start_image_resizing_tasks(speaker, data['photo_url'])
if data.get('is_email_overridden') and not has_access(
'is_organizer', event_id=speaker.event_id):
raise ForbiddenException(
{'pointer': 'data/attributes/is_email_overridden'},
'Organizer access required to override email',
)
elif (data.get('is_email_overridden')
and has_access('is_organizer', event_id=speaker.event_id)
and not data.get('email')):
data['email'] = current_user.email
def before_post(self, args, kwargs, data=None):
"""
method to add user_id to view_kwargs before post
:param args:
:param kwargs:
:param data:
:return:
"""
require_relationship(['event', 'user'], data)
if not has_access('is_coorganizer', event_id=data['event']):
event = db.session.query(Event).filter_by(id=data['event']).one()
if event.state == "draft":
raise ObjectNotFound({'parameter': 'event_id'},
"Event: {} not found".format(data['event_id']))
if get_count(db.session.query(Event).filter_by(id=int(data['event']), is_sessions_speakers_enabled=False)) > 0:
raise ForbiddenException({'pointer': ''}, "Speakers are disabled for this Event")
if get_count(db.session.query(Speaker).filter_by(event_id=int(data['event']), email=data['email'],
deleted_at=None)) > 0:
raise ForbiddenException({'pointer': ''}, 'Speaker with this Email ID already exists')
if 'sessions' in data:
session_ids = data['sessions']
for session_id in session_ids:
if not has_access('is_session_self_submitted', session_id=session_id):
raise ObjectNotFound({'parameter': 'session_id'},
"Session: {} not found".format(session_id))
def query(self, view_kwargs):
"""
query method for Attendees List
:param view_kwargs:
:return:
"""
query_ = self.session.query(TicketHolder)
if view_kwargs.get('order_identifier'):
order = safe_query(self, Order, 'identifier', view_kwargs['order_identifier'], 'order_identifier')
if not has_access('is_registrar', event_id=order.event_id) or not has_access('is_user_itself',
id=order.user_id):
raise ForbiddenException({'source': ''}, 'Access Forbidden')
query_ = query_.join(Order).filter(Order.id == order.id)
if view_kwargs.get('ticket_id'):
ticket = safe_query(self, Ticket, 'id', view_kwargs['ticket_id'], 'ticket_id')
if not has_access('is_registrar', event_id=ticket.event_id):
raise ForbiddenException({'source': ''}, 'Access Forbidden')
query_ = query_.join(Ticket).filter(Ticket.id == ticket.id)
if view_kwargs.get('user_id'):
user = safe_query(self, User, 'id', view_kwargs['user_id'], 'user_id')
if not has_access('is_user_itself', id=user.id):
raise ForbiddenException({'source': ''}, 'Access Forbidden')
query_ = query_.join(User, User.email == TicketHolder.email).filter(User.id == user.id)
query_ = event_query(self, query_, view_kwargs, permission='is_registrar')
return query_
def validate_event(user, modules, data):
if not user.can_create_event():
raise ForbiddenException({'source': ''}, "Please verify your Email")
elif data.get('is_ticketing_enabled', True) and not modules.ticket_include:
raise ForbiddenException(
{'source': '/data/attributes/is-ticketing-enabled'},
"Ticketing is not enabled in the system")
if data.get('can_pay_by_paypal', False) or data.get('can_pay_by_cheque', False) or \
data.get('can_pay_by_bank', False) or data.get('can_pay_by_stripe', False):
if not modules.payment_include:
raise ForbiddenException({'source': ''},
"Payment is not enabled in the system")
if data.get('is_donation_enabled', False) and not modules.donation_include:
raise ForbiddenException(
{'source': '/data/attributes/is-donation-enabled'},
"Donation is not enabled in the system")
if data.get('state', None) == 'published' and not user.can_publish_event():
raise ForbiddenException({'source': ''},
"Only verified accounts can publish events")
if not data.get('is_event_online') and data.get('state', None) == 'published' \
and not data.get('location_name', None):
raise ConflictException({'pointer': '/data/attributes/location-name'},
"Location is required to publish the event")
if data.get('location_name', None) and data.get('is_event_online'):
raise ConflictException({'pointer': '/data/attributes/location-name'},
"Online Event does not have any locaton")
if data.get('searchable_location_name') and data.get('is_event_online'):
raise ConflictException(
{'pointer': '/data/attributes/searchable-location-name'},
"Online Event does not have any locaton")
def validate_date(self, data, original_data):
if 'id' in original_data['data']:
session = Session.query.filter_by(
id=original_data['data']['id']).one()
if 'starts_at' not in data:
data['starts_at'] = session.starts_at
if 'ends_at' not in data:
data['ends_at'] = session.ends_at
if 'event' not in data:
data['event'] = session.event_id
if data['starts_at'] >= data['ends_at']:
raise UnprocessableEntity({'pointer': '/data/attributes/ends-at'},
"ends-at should be after starts-at")
if 'state' in data:
if data['state'] is not 'draft' or not 'pending':
if not has_access('is_coorganizer', event_id=data['event']):
return ForbiddenException(
{'source': ''}, 'Co-organizer access is required.')
if 'track' in data:
if not has_access('is_coorganizer', event_id=data['event']):
return ForbiddenException({'source': ''},
'Co-organizer access is required.')
if 'microlocation' in data:
if not has_access('is_coorganizer', event_id=data['event']):
return ForbiddenException({'source': ''},
'Co-organizer access is required.')
def query(self, view_kwargs):
"""
Method to get access codes list based on different view_kwargs
:param view_kwargs:
:return:
"""
query_ = self.session.query(AccessCode)
query_ = event_query(self,
query_,
view_kwargs,
permission='is_coorganizer')
if view_kwargs.get('user_id'):
user = safe_query(self, User, 'id', view_kwargs['user_id'],
'user_id')
if not has_access('is_user_itself', user_id=user.id):
raise ForbiddenException({'source': ''}, 'Access Forbidden')
query_ = query_.join(User).filter(User.id == user.id)
if view_kwargs.get('ticket_id'):
ticket = safe_query(self, Ticket, 'id', view_kwargs['ticket_id'],
'ticket_id')
if not has_access('is_coorganizer', event_id=ticket.event_id):
raise ForbiddenException({'source': ''}, 'Access Forbidden')
# access_code - ticket :: many-to-many relationship
query_ = AccessCode.query.filter(
AccessCode.tickets.any(id=ticket.id))
query_
return query_
def before_update_object(self, user, data, view_kwargs):
# TODO: Make a celery task for this
# if data.get('avatar_url') and data['original_image_url'] != user.original_image_url:
# try:
# uploaded_images = create_save_image_sizes(data['original_image_url'], 'speaker-image', user.id)
# except (urllib.error.HTTPError, urllib.error.URLError):
# raise UnprocessableEntity(
# {'source': 'attributes/original-image-url'}, 'Invalid Image URL'
# )
# data['original_image_url'] = uploaded_images['original_image_url']
# data['small_image_url'] = uploaded_images['thumbnail_image_url']
# data['thumbnail_image_url'] = uploaded_images['thumbnail_image_url']
# data['icon_image_url'] = uploaded_images['icon_image_url']
if data.get('deleted_at') != user.deleted_at:
if has_access('is_user_itself', user_id=user.id) or has_access('is_admin'):
if data.get('deleted_at'):
if len(user.events) != 0:
raise ForbiddenException({'source': ''}, "Users associated with events cannot be deleted")
elif len(user.orders) != 0:
raise ForbiddenException({'source': ''}, "Users associated with orders cannot be deleted")
else:
modify_email_for_user_to_be_deleted(user)
else:
modify_email_for_user_to_be_restored(user)
data['email'] = user.email
user.deleted_at = data.get('deleted_at')
else:
raise ForbiddenException({'source': ''}, "You are not authorized to update this information.")
users_email = data.get('email', None)
if users_email is not None:
users_email = users_email.strip()
if users_email is not None and users_email != user.email:
try:
db.session.query(User).filter_by(email=users_email).one()
except NoResultFound:
verify_fresh_jwt_in_request()
view_kwargs['email_changed'] = user.email
else:
raise ConflictException({'pointer': '/data/attributes/email'}, "Email already exists")
if has_access('is_super_admin') and data.get('is_admin') and data.get('is_admin') != user.is_admin:
user.is_admin = not user.is_admin
if has_access('is_admin') and ('is_sales_admin' in data) and data.get('is_sales_admin') != user.is_sales_admin:
user.is_sales_admin = not user.is_sales_admin
if has_access('is_admin') and ('us_marketer' in data) and data.get('is_marketer') != user.is_marketer:
user.is_marketer = not user.is_marketer
if data.get('avatar_url'):
start_image_resizing_tasks(user, data['avatar_url'])
def check_event_user_ticket_holders(order, data, element):
if element in ['event', 'user'] and data[element]\
!= str(getattr(order, element, None).id):
raise ForbiddenException({'pointer': 'data/{}'.format(element)},
"You cannot update {} of an order".format(element))
elif element == 'ticket_holders':
ticket_holders = []
for ticket_holder in order.ticket_holders:
ticket_holders.append(str(ticket_holder.id))
if data[element] != ticket_holders and element not in get_updatable_fields():
raise ForbiddenException({'pointer': 'data/{}'.format(element)},
"You cannot update {} of an order".format(element))
def before_post(self, args, kwargs, data=None):
"""
before post method to verify if the event location is provided before publishing the event
and checks that the user is verified
:param args:
:param kwargs:
:param data:
:return:
"""
user = User.query.filter_by(id=kwargs['user_id']).first()
modules = Module.query.first()
if data.get('is_ticketing_enabled',
False) and not modules.ticket_include:
raise ForbiddenException(
{'source': '/data/attributes/is-ticketing-enabled'},
"Ticketing is not enabled in the system")
if data.get('can_pay_by_paypal', False) or data.get('can_pay_by_cheque', False) or \
data.get('can_pay_by_bank', False) or data.get('can_pay_by_stripe', False):
if not modules.payment_include:
raise ForbiddenException(
{'source': ''}, "Payment is not enabled in the system")
if data.get('is_donation_enabled',
False) and not modules.donation_include:
raise ForbiddenException(
{'source': '/data/attributes/is-donation-enabled'},
"Donation is not enabled in the system")
if not user.can_create_event():
raise ForbiddenException(
{'source': ''}, "Only verified accounts can create events")
if data.get('state',
None) == 'published' and not user.can_publish_event():
raise ForbiddenException(
{'source': ''}, "Only verified accounts can publish events")
if not data.get('is_event_online') and data.get('state', None) == 'published' \
and not data.get('location_name', None):
raise ConflictException(
{'pointer': '/data/attributes/location-name'},
"Location is required to publish the event")
if data.get('location_name', None) and data.get('is_event_online'):
raise ConflictException(
{'pointer': '/data/attributes/location-name'},
"Online Event does not have any locaton")
if data.get('searchable_location_name') and data.get(
'is_event_online'):
raise ConflictException(
{'pointer': '/data/attributes/searchable-location-name'},
"Online Event does not have any locaton")
def validate_fields(self, data, original_data):
is_patch_request = 'id' in original_data['data']
if is_patch_request:
try:
session = Session.query.filter_by(
id=original_data['data']['id']).one()
except NoResultFound:
raise ObjectNotFound({'parameter': '{id}'},
"Session: not found")
if 'starts_at' not in data:
data['starts_at'] = session.starts_at
if 'ends_at' not in data:
data['ends_at'] = session.ends_at
if 'event' not in data:
data['event'] = session.event_id
if data['starts_at'] and data['ends_at']:
if data['starts_at'] >= data['ends_at']:
raise UnprocessableEntity(
{'pointer': '/data/attributes/ends-at'},
"ends-at should be after starts-at",
)
if not is_patch_request and datetime.timestamp(
data['starts_at']) <= datetime.timestamp(datetime.now()):
raise UnprocessableEntity(
{'pointer': '/data/attributes/starts-at'},
"starts-at should be after current date-time",
)
if 'state' in data:
if data['state'] not in ('draft', 'pending'):
if not has_access('is_coorganizer', event_id=data['event']):
return ForbiddenException(
{'source': ''}, 'Co-organizer access is required.')
if 'track' in data:
if not has_access('is_coorganizer', event_id=data['event']):
return ForbiddenException({'source': ''},
'Co-organizer access is required.')
if 'microlocation' in data:
if not has_access('is_coorganizer', event_id=data['event']):
return ForbiddenException({'source': ''},
'Co-organizer access is required.')
validate_complex_fields_json(self, data, original_data)
def query(self, view_kwargs):
"""
query method for EventList class
:param view_kwargs:
:return:
"""
query_ = self.session.query(Event).filter_by(state='published')
if 'Authorization' in request.headers:
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
query2 = self.session.query(Event)
query2 = query2.join(Event.roles).filter_by(user_id=current_identity.id).join(UsersEventsRoles.role). \
filter(or_(Role.name == COORGANIZER, Role.name == ORGANIZER))
query_ = query_.union(query2)
if view_kwargs.get('user_id') and 'GET' in request.method:
if not has_access('is_user_itself',
user_id=int(view_kwargs['user_id'])):
raise ForbiddenException({'source': ''}, 'Access Forbidden')
user = safe_query(db, User, 'id', view_kwargs['user_id'],
'user_id')
query_ = query_.join(Event.roles).filter_by(user_id=user.id).join(UsersEventsRoles.role). \
filter(Role.name != ATTENDEE)
if view_kwargs.get('event_type_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_type_id') ==
view_kwargs['event_type_id'])
if view_kwargs.get('event_topic_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_topic_id') ==
view_kwargs['event_topic_id'])
if view_kwargs.get('event_sub_topic_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_sub_topic_id') ==
view_kwargs['event_sub_topic_id'])
if view_kwargs.get('discount_code_id') and 'GET' in request.method:
event_id = get_id(view_kwargs)['id']
if not has_access('is_coorganizer', event_id=event_id):
raise ForbiddenException({'source': ''},
'Coorganizer access is required')
query_ = self.session.query(Event).filter(
getattr(Event, 'discount_code_id') ==
view_kwargs['discount_code_id'])
return query_
def before_update_object(self, role_invite, data, view_kwargs):
"""
Method to edit object
:param role_invite:
:param data:
:param view_kwargs:
:return:
"""
user = User.query.filter_by(email=role_invite.email).first()
if user:
if not has_access(
'is_organizer',
event_id=role_invite.event_id) and not has_access(
'is_user_itself', user_id=user.id):
raise UnprocessableEntity({
'source': ''
}, "Status can be updated only by event organizer or user hiself"
)
if 'role_name' in data and data[
'role_name'] == 'owner' and not has_access(
'is_owner', event_id=data['event']):
raise ForbiddenException({'source': ''},
'Owner access is required.')
if not user and not has_access('is_organizer',
event_id=role_invite.event_id):
raise UnprocessableEntity({'source': ''}, "User not registered")
if not has_access('is_organizer', event_id=role_invite.event_id) and (
len(list(data.keys())) > 1 or 'status' not in data):
raise UnprocessableEntity({'source': ''},
"You can only change your status")
def query(self, view_kwargs):
"""Filter news-subscriptions"""
query_ = self.session.query(NewsSubscription)
user = current_identity
if not user.is_admin:
if view_kwargs.get(
'user_id'
) is not None and user.id != view_kwargs['user_id']:
raise ForbiddenException(
{'parameter': 'user_id'},
'User {} must be yourself ({})'.format(
view_kwargs['user_id'], user.id))
query_ = query_.filter(User.id == user.id)
if view_kwargs.get('news_id') is not None:
safe_query(self, News, 'id', view_kwargs['news_id'], 'news_id')
query_ = query_.join(News).filter(
News.id == view_kwargs['news_id'])
if view_kwargs.get('user_id') is not None:
safe_query(self, User, 'id', view_kwargs['user_id'], 'user_id')
query_ = query_.join(User).filter(
User.id == view_kwargs['user_id'])
return query_
def test_exceptions(self):
"""Check ExceptionsHelper: exceptions types"""
# Unprocessable Entity Exception
with self.assertRaises(UnprocessableEntity):
raise UnprocessableEntity(
{'pointer': '/data/attributes/min-quantity'},
"min-quantity should be less than max-quantity")
# Conflict Exception
with self.assertRaises(ConflictException):
raise ConflictException({'pointer': '/data/attributes/email'},
"Email already exists")
# Authentication Required Exception
with self.assertRaises(AuthenticationRequired):
raise AuthenticationRequired({'source': ''},
"Authentication Required")
# Forbidden Exception
with self.assertRaises(ForbiddenException):
raise ForbiddenException({'source': ''}, "Access Forbidden")
# Method Not Allowed Exception
with self.assertRaises(MethodNotAllowed):
raise MethodNotAllowed({'source': ''}, "Method Not Allowed")
def before_get(self, args, kwargs):
"""
before get method to get the resource id for fetching details
:param args:
:param kwargs:
:return:
"""
if kwargs.get('event_id') is None:
if 'GET' in request.method and has_access('is_admin'):
pass
else:
raise ForbiddenException({'source': ''},
"Admin Access Required")
elif not has_access('is_coorganizer', event_id=kwargs['event_id']):
raise ForbiddenException({'source': ''},
"Co-Organizer Access Required")
def before_create_object(self, data, view_kwargs):
user = current_identity
# Check author_id
if not user.is_admin and not user.is_super_admin and data['author'] != user.id:
raise ForbiddenException({'parameter': 'author'}, 'Author {} must be yourself ({})'.format(
data['author'], user.id))
def before_get_object(self, view_kwargs):
"""
before get method to get the resource id for fetching details
:param view_kwargs:
:return:
"""
if view_kwargs.get('attendee_id'):
attendee = safe_query(self, TicketHolder, 'id',
view_kwargs['attendee_id'], 'attendee_id')
view_kwargs['id'] = attendee.order.id
if view_kwargs.get('order_identifier'):
order = safe_query(self, Order, 'identifier',
view_kwargs['order_identifier'],
'order_identifier')
view_kwargs['id'] = order.id
elif view_kwargs.get('id'):
order = safe_query(self, Order, 'id', view_kwargs['id'], 'id')
if not has_access('is_coorganizer_or_user_itself',
event_id=order.event_id,
user_id=order.user_id):
return ForbiddenException(
{'source': ''},
'You can only access your orders or your event\'s orders')
# expire the pending order if time limit is over.
set_expiry_for_order(order)
def is_move_comment_author(view, view_args, view_kwargs, *args, **kwargs):
user = current_identity
if user.is_admin:
return True
try:
move_comment = MoveComment.query.filter(
MoveComment.id == kwargs['move_comment_id']).one()
except NoResultFound: # pragma: no cover
raise ObjectNotFound(
'MoveComment %s not found.' % kwargs['move_comment_id'],
{'source': 'move_comment_id'})
if move_comment.author_id == user.id:
return True
if app.config['ALLOW_GEOKRET_OWNER_TO_MODERATE_MOVE_COMMENTS']:
# Allow GeoKret owner to moderate move comments if necessary
if move_comment.move.geokret.owner_id == user.id:
return True
if app.config['ALLOW_MOVE_AUTHOR_TO_MODERATE_MOVE_COMMENTS']:
# Allow Move author to moderate move comments if necessary
if move_comment.move.author_id == user.id:
return True
raise ForbiddenException('Access denied.', {'source': 'move_comment_id'})
def before_update_object(self, event, data, view_kwargs):
"""
method to save image urls before updating event object
:param event:
:param data:
:param view_kwargs:
:return:
"""
if has_access(
'is_admin') and data.get('deleted_at') != event.deleted_at:
if len(event.orders) != 0:
raise ForbiddenException(
{'source': ''},
"Event associated with orders cannot be deleted")
else:
event.deleted_at = data.get('deleted_at')
if 'is_event_online' not in data and event.is_event_online \
or 'is_event_online' in data and not data['is_event_online']:
if data.get('state', None) == 'published' and not data.get(
'location_name', None):
raise ConflictException(
{'pointer': '/data/attributes/location-name'},
"Location is required to publish the event")
if data.get('original_image_url') and data[
'original_image_url'] != event.original_image_url:
start_image_resizing_tasks(event, data['original_image_url'])
def before_post(self, args, kwargs, data):
"""
before post method to check for required relationship and proper permission
:param args:
:param kwargs:
:param data:
:return:
"""
require_relationship(['event'], data)
if not has_access('is_coorganizer', event_id=data['event']):
raise ForbiddenException({'source': ''},
'Co-organizer access is required.')
if get_count(
db.session.query(Event).filter_by(
id=int(data['event']), is_sponsors_enabled=False)) > 0:
raise ForbiddenException({'pointer': ''},
"Sponsors are disabled for this Event")
def before_post(self, args, kwargs, data):
"""
before post method to check for required relationship and proper permission
:param args:
:param kwargs:
:param data:
:return:
"""
require_relationship(['event'], data)
if not has_access('is_organizer', event_id=data['event']):
raise ForbiddenException({'source': ''},
"Minimum Organizer access required")
if get_count(
db.session.query(Event).filter_by(
id=int(data['event']), can_pay_by_stripe=False)) > 0:
raise ForbiddenException(
{'pointer': ''}, "Stripe payment is disabled for this Event")
def before_delete_object(self, order, view_kwargs):
"""
method to check for proper permissions for deleting
:param order:
:param view_kwargs:
:return:
"""
if not has_access('is_coorganizer', event_id=order.event.id):
raise ForbiddenException({'source': ''}, 'Access Forbidden')
def before_delete_object(self, obj, kwargs):
"""
before delete object method for attendee detail
:param obj:
:param kwargs:
:return:
"""
if not has_access('is_registrar', event_id=obj.event_id):
raise ForbiddenException({'source': 'User'}, 'You are not authorized to access this.')
def before_get_object(self, view_kwargs):
"""
before get object method for attendee detail
:param view_kwargs:
:return:
"""
attendee = safe_query(self, TicketHolder, 'id', view_kwargs['id'], 'attendee_id')
if not has_access('is_registrar_or_user_itself', user_id=current_identity.id, event_id=attendee.event_id):
raise ForbiddenException({'source': 'User'}, 'You are not authorized to access this.')
def before_get(self, args, kwargs):
"""
before get method to get the resource id for fetching details
:param args:
:param kwargs:
:return:
"""
if kwargs.get('event_id') and not has_access('is_coorganizer', event_id=kwargs['event_id']):
raise ForbiddenException({'source': ''}, "Co-Organizer Access Required")
def is_user_itself(view, view_args, view_kwargs, *args, **kwargs):
"""
Allows admin and super admin access to any resource irrespective of id.
Otherwise the user can only access his/her resource.
"""
user = current_identity
if not user.is_admin and str(user.id) != str(kwargs['user_id']):
raise ForbiddenException('Access Forbidden', {'source': 'user_id'})
return True
def before_create_object(self, data, view_kwargs):
"""
before create object method for OrderListPost Class
:param data:
:param view_kwargs:
:return:
"""
free_ticket_quantity = 0
for ticket_holder in data['ticket_holders']:
# Ensuring that the attendee exists and doesn't have an associated order.
try:
ticket_holder_object = self.session.query(TicketHolder).filter_by(id=int(ticket_holder),
deleted_at=None).one()
if ticket_holder_object.order_id:
raise ConflictException({'pointer': '/data/relationships/attendees'},
"Order already exists for attendee with id {}".format(str(ticket_holder)))
except NoResultFound:
raise ConflictException({'pointer': '/data/relationships/attendees'},
"Attendee with id {} does not exists".format(str(ticket_holder)))
if ticket_holder_object.ticket.type == 'free':
free_ticket_quantity += 1
if not current_user.is_verified and free_ticket_quantity == len(data['ticket_holders']):
raise ForbiddenException(
{'pointer': '/data/relationships/user', 'code': 'unverified-user'},
"Unverified user cannot place free orders"
)
if data.get('cancel_note'):
del data['cancel_note']
if data.get('payment_mode') != 'free' and not data.get('amount'):
raise ConflictException({'pointer': '/data/attributes/amount'},
"Amount cannot be null for a paid order")
if not data.get('amount'):
data['amount'] = 0
# Apply discount only if the user is not event admin
if data.get('discount_code') and not has_access('is_coorganizer', event_id=data['event']):
discount_code = safe_query_without_soft_deleted_entries(self, DiscountCode, 'id', data['discount_code'],
'discount_code_id')
if not discount_code.is_active:
raise UnprocessableEntity({'source': 'discount_code_id'}, "Inactive Discount Code")
else:
now = pytz.utc.localize(datetime.utcnow())
valid_from = discount_code.valid_from
valid_till = discount_code.valid_till
if not (valid_from <= now <= valid_till):
raise UnprocessableEntity({'source': 'discount_code_id'}, "Inactive Discount Code")
if not TicketingManager.match_discount_quantity(discount_code, None, data['ticket_holders']):
raise UnprocessableEntity({'source': 'discount_code_id'}, 'Discount Usage Exceeded')
if discount_code.event.id != int(data['event']):
raise UnprocessableEntity({'source': 'discount_code_id'}, "Invalid Discount Code")
