def test_is_publisher_user(self): """ Verify the function returns a boolean indicating if the user is part of any publisher app group. """ self.assertFalse(is_publisher_user(self.user)) self.user.groups.add(Group.objects.get(name=REVIEWER_GROUP_NAME)) self.assertTrue(is_publisher_user(self.user))
def test_is_publisher_user(self): """ Verify the function returns a boolean indicating if the user is part of any publisher app group. """ assert not is_publisher_user(self.user) self.user.groups.add(factories.GroupFactory()) assert is_publisher_user(self.user)
def get_queryset(self): """ List one course run --- parameters: - name: include_deleted_programs description: Will include deleted programs in the associated programs array required: false type: integer paramType: query multiple: false """ q = self.request.query_params.get('q') partner = self.request.site.partner edit_mode = get_query_param(self.request, 'editable') or self.request.method not in SAFE_METHODS if edit_mode and q: raise EditableAndQUnsupported() if edit_mode and (not self.request.user.is_staff and not is_publisher_user(self.request.user)): raise PermissionDenied if edit_mode: queryset = CourseRun.objects.filter_drafts() queryset = CourseEditor.editable_course_runs(self.request.user, queryset) else: queryset = self.queryset if q: qs = SearchQuerySetWrapper(CourseRun.search(q).filter(partner=partner.short_code)) # This is necessary to avoid issues with the filter backend. qs.model = self.queryset.model return qs queryset = queryset.filter(course__partner=partner) return self.get_serializer_class().prefetch_queryset(queryset=queryset)
def get_queryset(self): partner = self.request.site.partner q = self.request.query_params.get('q') # We don't want to create an additional elasticsearch index right now for draft courses, so we # try to implement a basic search behavior with this pubq parameter here against key and name. pub_q = self.request.query_params.get('pubq') edit_method = self.request.method not in SAFE_METHODS edit_mode = get_query_param(self.request, 'editable') or edit_method if edit_mode and q: raise EditableAndQUnsupported() if edit_mode and (not self.request.user.is_staff and not is_publisher_user(self.request.user)): raise PermissionDenied if edit_mode: # Start with either draft versions or real versions of the courses queryset = Course.objects.filter_drafts() queryset = CourseEditor.editable_courses(self.request.user, queryset, check_editors=edit_method) else: queryset = self.queryset if q: queryset = Course.search(q, queryset=queryset) queryset = self.get_serializer_class().prefetch_queryset(queryset=queryset, partner=partner) else: if edit_mode: course_runs = CourseRun.objects.filter_drafts(course__partner=partner) else: course_runs = CourseRun.objects.filter(course__partner=partner) if not get_query_param(self.request, 'include_hidden_course_runs'): course_runs = course_runs.exclude(hidden=True) if get_query_param(self.request, 'marketable_course_runs_only'): course_runs = course_runs.marketable().active() if get_query_param(self.request, 'marketable_enrollable_course_runs_with_archived'): course_runs = course_runs.marketable().enrollable() if get_query_param(self.request, 'published_course_runs_only'): course_runs = course_runs.filter(status=CourseRunStatus.Published) if get_query_param(self.request, 'include_deleted_programs'): programs = Program.objects.all() else: programs = Program.objects.exclude(status=ProgramStatus.Deleted) queryset = self.get_serializer_class().prefetch_queryset( queryset=queryset, course_runs=course_runs, partner=partner, programs=programs, ) if pub_q and edit_mode: return queryset.filter(Q(key__icontains=pub_q) | Q(title__icontains=pub_q)).order_by(Lower('key')) return queryset.order_by(Lower('key'))
def allow_request(self, request, view): user = request.user if user and user.is_authenticated: if user.is_superuser or user.is_staff or is_publisher_user(user): return True try: # Override this throttle's rate if applicable user_throttle = UserThrottleRate.objects.get(user=user) self.rate = user_throttle.rate self.num_requests, self.duration = self.parse_rate(self.rate) except UserThrottleRate.DoesNotExist: pass return super(OverridableUserRateThrottle, self).allow_request(request, view)
def allow_request(self, request, view): user = request.user if user and user.is_authenticated: try: # Override this throttle's rate if applicable user_throttle = UserThrottleRate.objects.get(user=user) self.rate = user_throttle.rate self.num_requests, self.duration = self.parse_rate(self.rate) except UserThrottleRate.DoesNotExist: # If we don't have a custom user override, skip throttling if they are a privileged user if user.is_superuser or user.is_staff or is_publisher_user( user): return True return super().allow_request(request, view)
def has_object_permission(self, request, view, obj): return is_publisher_user(request.user)
def has_permission(self, request, view): return request.user.is_staff or is_publisher_user(request.user)
def wrapped(request, *args, **kwargs): if is_publisher_user(request.user): return func(request, *args, **kwargs) else: return HttpResponseForbidden(u"Must be Publisher user to perform this action.")
def wrapped(request, *args, **kwargs): # pylint: disable=missing-docstring if is_publisher_user(request.user): return func(request, *args, **kwargs) else: return HttpResponseForbidden(u"Must be Publisher user to perform this action.")