def delete(self, request, cell_id, username=None):
    """Remove shares from the share tree that contains *cell_id*.

    The share tree is located through the first ``Share`` attached to the
    cell itself or to one of its ancestors; that share's cell is the
    ``share_root``.

    * With *username*: remove that single user's share. Allowed for the
      share-root owner (for any user) and for a user removing themselves.
    * Without *username*: remove every share of the tree. Owner only.

    Raises APIBadRequest when neither the cell nor an ancestor is shared
    and APIForbidden when the caller lacks the rights above. A missing
    cell or username surfaces as the ORM's ``DoesNotExist``; nothing here
    converts it. Returns ``rc.DELETED`` on success.
    """
    target = Cell.objects.get(pk=cell_id)
    tree_filter = Q(cell__in=target.get_ancestors()) | Q(cell=target)
    try:
        share_root = Share.objects.filter(tree_filter)[0].cell
    except IndexError:
        # Neither the cell nor any ancestor carries a share.
        raise APIBadRequest("Cell or Tree not shared")

    if username:
        member = User.objects.get(username=username)
        # Only the owner may remove someone else; anyone may remove themselves.
        if request.user != share_root.owner and member != request.user:
            raise APIForbidden("You don't have permission to delete "
                               "user '%s'" % member)
        share_root.share_set.filter(user=member).delete()
        return rc.DELETED

    # Whole-tree removal is reserved for the share-root owner.
    if request.user != share_root.owner:
        raise APIForbidden("You don't have permission to delete "
                           "shares of cell %s" % share_root)
    share_root.share_set.all().delete()
    return rc.DELETED
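def check_read_permission(function, self, request, *args, **kwargs):
    """Decorator body: call *function* only if ``request.user`` may read.

    The cell that governs access is derived from the handler type:
    droplet handlers resolve a ``Droplet`` (pk in ``args[0]``, or
    ``args[1]`` for DropletRevisionDataHandler) and use its cell; cell
    handlers resolve the ``Cell`` directly from ``args[0]``. Read access
    is granted to the cell owner and to any user holding a ``Share`` on
    the cell or one of its ancestors. Any other case, including a handler
    type not listed here, raises APIForbidden.

    NOTE(review): ids are taken from positional ``args`` here while
    check_write_permission reads them from ``kwargs`` -- confirm both
    agree with the URL conf's capture style.
    """
    cell = None
    if isinstance(self, (DropletHandler, DropletRevisionHandler)):
        cell = Droplet.objects.get(pk=args[0]).cell
    elif isinstance(self, DropletRevisionDataHandler):
        cell = Droplet.objects.get(pk=args[1]).cell
    elif isinstance(self, (CellHandler, CellShareHandler)):
        cell = Cell.objects.get(pk=args[0])

    if cell is None:
        raise APIForbidden("Permission denied")

    if cell.owner == request.user:
        return function(self, request, *args, **kwargs)

    # .exists() issues a single EXISTS query instead of loading every
    # matching share just to test the queryset for truthiness.
    shared_with_caller = Share.objects.filter(
        Q(cell__in=cell.get_ancestors()) | Q(cell=cell)
    ).filter(user=request.user).exists()
    if not shared_with_caller:
        raise APIForbidden("Permission denied")
    return function(self, request, *args, **kwargs)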
def delete(self, request, user_id):
    """Delete the user identified by *user_id*.

    Permitted for staff, superusers and for a user deleting their own
    account; everyone else gets APIForbidden. Returns ``rc.DELETED``.

    NOTE(review): ``is_staff`` is given the same rights as
    ``is_superuser`` here, so a staff account can delete any user,
    superusers included -- confirm that is intended.
    """
    target = User.objects.get(pk=user_id)
    actor = request.user
    may_delete = actor.is_staff or actor.is_superuser or actor == target
    if not may_delete:
        raise APIForbidden({'user': "******" "user %s" % target.username})
    target.delete()
    return rc.DELETED
def read(self, request, user_id):
    """Return a user record.

    A falsy *user_id* means "the calling user". Other users are visible
    only to staff and superusers; any other request raises APIForbidden.
    """
    actor = request.user
    target = actor if not user_id else User.objects.get(pk=user_id)
    if actor.is_staff or actor.is_superuser or actor == target:
        return target
    raise APIForbidden({'user': "******"})
def update(self, request, user_id):
    """Update a user; currently this only changes the password.

    Allowed for staff, superusers and the user themselves. The new
    password is read from ``UserUpdateForm(request.POST)``; invalid form
    data raises APIBadRequest with the form errors, missing rights raise
    APIForbidden. Returns the updated user.

    NOTE(review): nothing in this handler verifies the current password
    for a self-service change (whether UserUpdateForm does is not
    visible here), and a staff account can reset any user's password,
    superusers included -- confirm both are intended.
    """
    target = User.objects.get(pk=user_id)
    actor = request.user
    if not (actor.is_staff or actor.is_superuser or target == actor):
        raise APIForbidden({'user': "******"})

    form = UserUpdateForm(request.POST)
    if not form.is_valid():
        raise APIBadRequest(form.errors)

    target.set_password(form.cleaned_data['password'])
    target.save()
    return target
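def create(self, request):
    """Self-service registration.

    Refused with APIForbidden unless ``settings.MELISSI_REGISTRATIONS_OPEN``
    is true. Validates ``UserCreateForm(request.POST)`` (APIBadRequest
    with the form errors on failure), rejects a username or email that is
    already taken, then creates the user and stores first/last name.
    Returns the new user.
    """
    if not getattr(settings, 'MELISSI_REGISTRATIONS_OPEN', False):
        raise APIForbidden({'register': 'Registrations are closed'})

    form = UserCreateForm(request.POST)
    if not form.is_valid():
        raise APIBadRequest(form.errors)
    data = form.cleaned_data

    # .exists() instead of .count(): a single EXISTS query, no row count.
    # NOTE(review): this check and create_user are not atomic; a
    # concurrent registration with the same username can still reach
    # create_user and fail there (presumably on the unique username
    # constraint -- email has no such constraint by default).
    already_taken = User.objects.filter(
        Q(username=data['username']) | Q(email=data['email'])
    ).exists()
    if already_taken:
        raise APIBadRequest({'error': 'email and / or username already exists'})

    user = User.objects.create_user(data['username'], data['email'],
                                    data['password'])
    user.first_name = data['first_name']
    user.last_name = data['last_name']
    user.save()
    return user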
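def create(self, request):
    """Create a user on behalf of an administrator.

    Only staff and superusers may call this; others get APIForbidden.
    Validates ``UserCreateForm(request.POST)`` (APIBadRequest with the
    form errors on failure), rejects a username or email that is already
    taken, then creates the user and stores first/last name. Returns the
    new user.
    """
    actor = request.user
    if not (actor.is_staff or actor.is_superuser):
        raise APIForbidden({'user': "******"})

    form = UserCreateForm(request.POST)
    if not form.is_valid():
        raise APIBadRequest(form.errors)
    data = form.cleaned_data

    # .exists() instead of .count(): a single EXISTS query, no row count.
    # NOTE(review): the uniqueness check and create_user are not atomic;
    # a concurrent create with the same username can still reach
    # create_user and fail there.
    already_taken = User.objects.filter(
        Q(username=data['username']) | Q(email=data['email'])
    ).exists()
    if already_taken:
        raise APIBadRequest({'error': 'email and / or username already exists'})

    user = User.objects.create_user(data['username'], data['email'],
                                    data['password'])
    user.first_name = data['first_name']
    user.last_name = data['last_name']
    user.save()
    return user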
def _write_targets(handler, request, kwargs):
    """Collect the cells a write request through *handler* touches.

    Returns ``(cells, new_root_cell)``. ``new_root_cell`` is True only for
    a CellHandler POST without a ``parent`` (a new root cell), which has
    no existing cell to check against. For a CellShareHandler addressing
    a specific ``user_id`` the list is emptied unless the caller is that
    user or the cell owner, so the permission check fails. A handler type
    not listed here yields an empty list.

    Cell/droplet ids come from ``kwargs`` and from the POST body; a
    missing or unknown id surfaces as the ORM's ``DoesNotExist`` and a
    non-numeric ``user_id`` as ValueError from ``int()`` (presumably the
    URL pattern already restricts it).
    """
    targets = []

    if isinstance(handler, DropletHandler):
        if request.META['REQUEST_METHOD'] == 'POST':
            # CREATE: the destination cell travels in the POST body.
            targets.append(Cell.objects.get(pk=request.POST.get('cell', None)))
        else:
            droplet = Droplet.objects.get(pk=kwargs.get('droplet_id', None))
            targets.append(droplet.cell)
        return targets, False

    if isinstance(handler, DropletRevisionHandler):
        droplet = Droplet.objects.get(pk=kwargs.get('droplet_id', None))
        targets.append(droplet.cell)
        # A "move" also names the destination cell.
        if 'cell' in request.POST:
            targets.append(Cell.objects.get(pk=request.POST.get('cell', None)))
        return targets, False

    if isinstance(handler, CellHandler):
        if request.META['REQUEST_METHOD'] == 'POST':
            parent_pk = request.POST.get('parent', None)
            if not parent_pk:
                # Creating a root cell: nothing existing to check against.
                return targets, True
            targets.append(Cell.objects.get(pk=parent_pk))
        else:
            targets.append(Cell.objects.get(pk=kwargs.get('cell_id', None)))
            # A "move" also names the destination parent.
            if 'parent' in request.POST:
                targets.append(
                    Cell.objects.get(pk=request.POST.get('parent', None)))
        return targets, False

    if isinstance(handler, CellShareHandler):
        cell = Cell.objects.get(pk=kwargs.get('cell_id', None))
        targets.append(cell)
        if kwargs.get('user_id', None):
            # A specific user's share: only that user or the owner may
            # view / edit it.
            share_user_id = int(kwargs.get('user_id'))
            caller_id = request.user.id
            if share_user_id != caller_id and caller_id != cell.owner.id:
                targets = []
        return targets, False

    return targets, False


def check_write_permission(function, self, request, *args, **kwargs):
    """Decorator body: call *function* only if ``request.user`` may write.

    The cells affected by the request are gathered per handler type (see
    ``_write_targets``) and each must pass ``_check_write_permission`` for
    the caller, otherwise APIForbidden is raised. Creating a new root cell
    is always allowed. A request that resolves to no cells -- including a
    handler type not handled in ``_write_targets`` (DropletRevisionDataHandler
    is checked by check_read_permission but not here) -- is denied.
    """
    cells, new_root_cell = _write_targets(self, request, kwargs)
    if new_root_cell:
        return function(self, request, *args, **kwargs)
    if not cells:
        raise APIForbidden("Permission denied")

    # any() stops at the first denied cell, like the original loop did.
    denied = any(not _check_write_permission(request.user, cell)
                 for cell in cells)
    if denied:
        raise APIForbidden("Permission denied")
    return function(self, request, *args, **kwargs)