def test_copy_permissions_to_batches_unhydrated_project(self):
# Verify that Project.copy_permissions_to_batches() works with
# a Project model instance that is only "hydrated" with the
# 'id' field. Behavior related to this Issue:
#
# https://github.com/hltcoe/turkle/issues/136
project = Project.objects.create(
custom_permissions=True,
login_required=True,
)
group = Group.objects.create(name='testgroup')
assign_perm('can_work_on', group, project)
batch = Batch.objects.create(
custom_permissions=False,
login_required=False,
project=project,
)
self.assertFalse('can_work_on_batch' in get_group_perms(group, batch))
unhydrated_project = Project.objects.only('id', 'custom_permissions', 'login_required')\
.get(id=project.id)
unhydrated_project.copy_permissions_to_batches()
batch.refresh_from_db()
self.assertTrue(batch.custom_permissions)
self.assertTrue(batch.login_required)
self.assertTrue('can_work_on_batch' in get_group_perms(group, batch))
def test_direct_perms_only(self):
admin = User.objects.create(username='******', is_superuser=True)
self.user1.groups.add(self.group1)
self.user2.groups.add(self.group1)
assign_perm("change_contenttype", self.user1, self.obj1)
assign_perm("delete_contenttype", admin, self.obj1)
assign_perm("delete_contenttype", self.group1, self.obj1)
expected = set([self.user1, self.user2, admin])
result = get_users_with_perms(self.obj1, with_superusers=False, with_group_users=True)
self.assertEqual(set(result), expected)
self.assertEqual(set(get_user_perms(self.user1, self.obj1)), set(['change_contenttype']))
self.assertEqual(set(get_user_perms(self.user2, self.obj1)), set([]))
self.assertEqual(set(get_user_perms(admin, self.obj1)), set(['delete_contenttype']))
result = get_users_with_perms(self.obj1, with_superusers=False, with_group_users=False)
expected = set([self.user1, admin])
self.assertEqual(set(result), expected)
self.assertEqual(set(get_group_perms(self.user1, self.obj1)), set(['delete_contenttype']))
self.assertEqual(set(get_group_perms(self.user2, self.obj1)), set(['delete_contenttype']))
self.assertEqual(set(get_group_perms(self.group1, self.obj1)), set(['delete_contenttype']))
self.assertEqual(set(get_group_perms(self.group2, self.obj1)), set([]))
self.assertEqual(set(get_group_perms(admin, self.obj1)), set([]))
self.assertEqual(set(get_perms(admin, self.obj1)), set(['add_contenttype', 'change_contenttype', 'delete_contenttype']))
self.assertEqual(set(get_perms(self.user1, self.obj1)), set(['change_contenttype', 'delete_contenttype']))
self.assertEqual(set(get_perms(self.user2, self.obj1)), set(['delete_contenttype']))
self.assertEqual(set(get_perms(self.group1, self.obj1)), set(['delete_contenttype']))
self.assertEqual(set(get_perms(self.group2, self.obj1)), set([]))
def test_direct_perms_only(self):
admin = User.objects.create(username='******', is_superuser=True)
self.user1.groups.add(self.group1)
self.user2.groups.add(self.group1)
assign_perm("change_contenttype", self.user1, self.obj1)
assign_perm("delete_contenttype", admin, self.obj1)
assign_perm("delete_contenttype", self.group1, self.obj1)
expected = set([self.user1, self.user2, admin])
result = get_users_with_perms(self.obj1, with_superusers=False, with_group_users=True)
self.assertEqual(set(result), expected)
self.assertEqual(set(get_user_perms(self.user1, self.obj1)), set(['change_contenttype']))
self.assertEqual(set(get_user_perms(self.user2, self.obj1)), set([]))
self.assertEqual(set(get_user_perms(admin, self.obj1)), set(['delete_contenttype']))
result = get_users_with_perms(self.obj1, with_superusers=False, with_group_users=False)
expected = set([self.user1, admin])
self.assertEqual(set(result), expected)
self.assertEqual(set(get_group_perms(self.user1, self.obj1)), set(['delete_contenttype']))
self.assertEqual(set(get_group_perms(self.user2, self.obj1)), set(['delete_contenttype']))
self.assertEqual(set(get_group_perms(self.group1, self.obj1)), set(['delete_contenttype']))
self.assertEqual(set(get_group_perms(self.group2, self.obj1)), set([]))
self.assertEqual(set(get_group_perms(admin, self.obj1)), set([]))
self.assertEqual(set(get_perms(admin, self.obj1)), set(['add_contenttype', 'change_contenttype', 'delete_contenttype']))
self.assertEqual(set(get_perms(self.user1, self.obj1)), set(['change_contenttype', 'delete_contenttype']))
self.assertEqual(set(get_perms(self.user2, self.obj1)), set(['delete_contenttype']))
self.assertEqual(set(get_perms(self.group1, self.obj1)), set(['delete_contenttype']))
self.assertEqual(set(get_perms(self.group2, self.obj1)), set([]))
def get(self, request):
nodegroup_ids = JSONDeserializer().deserialize(
request.GET.get('nodegroupIds'))
identityId = request.GET.get('identityId')
identityType = request.GET.get('identityType')
ret = []
if identityType == 'group':
identity = Group.objects.get(pk=identityId)
for nodegroup_id in nodegroup_ids:
nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id)
perms = [{
'codename': codename,
'name': self.get_perm_name(codename).name
} for codename in get_group_perms(identity, nodegroup)]
ret.append({'perms': perms, 'nodegroup_id': nodegroup_id})
else:
identity = User.objects.get(pk=identityId)
for nodegroup_id in nodegroup_ids:
nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id)
perms = [{
'codename': codename,
'name': self.get_perm_name(codename).name
} for codename in get_user_perms(identity, nodegroup)]
# only get the group perms ("defaults") if no user defined object settings have been saved
if len(perms) == 0:
perms = [{
'codename': codename,
'name': self.get_perm_name(codename).name
} for codename in set(get_group_perms(identity, nodegroup))
]
ret.append({'perms': perms, 'nodegroup_id': nodegroup_id})
return JSONResponse(ret)
def update__permissions_read(sender, instance, action, **kwargs):
if instance.read_groups.all():
if action == 'pre_remove':
for group in instance.read_groups.all():
if 'view_expressionstudy' in get_group_perms(group, instance):
remove_perm('view_expressionstudy', group, instance)
if action == 'post_add':
for group in instance.read_groups.all():
if 'view_project' not in get_group_perms(group, instance):
assign_perm('view_expressionstudy', group, instance)
def update__permissions_write(sender, instance, action, **kwargs):
if instance.edit_groups.all():
if action == 'pre_remove':
for group in instance.edit_groups.all():
if 'change_project' in get_group_perms(group, instance):
remove_perm('change_expressionstudy', group, instance)
if action == 'post_add':
for group in instance.edit_groups.all():
if 'change_expressionstudy' not in get_group_perms(group, instance):
assign_perm('change_expressionstudy', group, instance)
def perform_create(self, serializer):
task_template = serializer.validated_data['template']
if ('view_tasktemplate' in get_group_perms(self.request.user, task_template)
or self.request.user.groups.filter(name='admin').exists()):
if ('change_tasktemplate' in get_group_perms(self.request.user, task_template)
or self.request.user.groups.filter(name='admin').exists()):
instance = serializer.save()
self.clone_group_permissions(instance.template, instance)
else:
raise PermissionDenied('You do not have permission to create this')
else:
raise NotFound()
def perform_create(self, serializer):
task_template = serializer.validated_data['template']
if ('view_tasktemplate' in get_group_perms(self.request.user, task_template)
or self.request.user.groups.filter(name='admin').exists()):
if ('change_tasktemplate' in get_group_perms(self.request.user, task_template)
or self.request.user.groups.filter(name='admin').exists()):
instance = serializer.save()
self.clone_group_permissions(instance.template, instance)
else:
raise PermissionDenied('You do not have permission to create this')
else:
raise NotFound()
def test_algorithm_groups_permissions_are_assigned():
alg = AlgorithmFactory()
editors_perms = get_group_perms(alg.editors_group, alg)
assert "view_algorithm" in editors_perms
assert "change_algorithm" in editors_perms
assert "execute_algorithm" in editors_perms
users_perms = get_group_perms(alg.users_group, alg)
assert "view_algorithm" in users_perms
assert "change_algorithm" not in users_perms
assert "execute_algorithm" in users_perms
def get(self, request):
if self.action == 'get_permission_manager_data':
identities = []
for group in Group.objects.all():
identities.append({
'name': group.name,
'type': 'group',
'id': group.pk,
'default_permissions': group.permissions.all()
})
for user in User.objects.filter(is_superuser=False):
groups = []
default_perms = []
for group in user.groups.all():
groups.append(group.name)
default_perms = default_perms + list(group.permissions.all())
identities.append({'name': user.email or user.username, 'groups': ', '.join(groups),
'type': 'user', 'id': user.pk, 'default_permissions': set(default_perms)})
content_type = ContentType.objects.get_for_model(models.NodeGroup)
nodegroup_permissions = Permission.objects.filter(content_type=content_type)
ret = {'identities': identities, 'permissions': nodegroup_permissions}
return JSONResponse(ret)
nodegroup_ids = JSONDeserializer().deserialize(request.GET.get('nodegroupIds'))
identityId = request.GET.get('identityId')
identityType = request.GET.get('identityType')
ret = []
if identityType == 'group':
identity = Group.objects.get(pk=identityId)
for nodegroup_id in nodegroup_ids:
nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id)
perms = [{'codename': codename, 'name': self.get_perm_name(
codename).name} for codename in get_group_perms(identity, nodegroup)]
ret.append({'perms': perms, 'nodegroup_id': nodegroup_id})
else:
identity = User.objects.get(pk=identityId)
for nodegroup_id in nodegroup_ids:
nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id)
perms = [{'codename': codename, 'name': self.get_perm_name(
codename).name} for codename in get_user_perms(identity, nodegroup)]
# only get the group perms ("defaults") if no user defined object settings have been saved
if len(perms) == 0:
perms = [{'codename': codename, 'name': self.get_perm_name(
codename).name} for codename in set(get_group_perms(identity, nodegroup))]
ret.append({'perms': perms, 'nodegroup_id': nodegroup_id})
return JSONResponse(ret)
def test_assign_permissions(times, user, service):
available_permissions = [item[0] for item in Service._meta.permissions]
# assign_permissions expects a Group and a Service exist with the same name.
group = GroupFactory(name=service.name)
user.groups.add(group)
for permission in available_permissions:
assert not user.has_perm(permission, service)
assert permission not in get_group_perms(group, service)
for i in range(times):
assign_permissions([group])
for permission in available_permissions:
assert user.has_perm(permission, service)
assert permission in get_group_perms(group, service)
def test_group_create_with_permissions(self, django_app, groups, manager):
response = django_app.get(reverse("core:group_add"), user=manager)
form = response.form
group_name = "Testgroup"
form["name"] = group_name
form["users"].force_value([manager.id])
form["can_view_past_event"] = True
form["is_planning_group"] = True
form["publish_event_for_group"].select_multiple(texts=["Volunteers"])
form["is_hr_group"] = True
form["is_management_group"] = True
response = form.submit()
assert response.status_code == 302
group = Group.objects.get(name=group_name)
assert set(group.user_set.all()) == {manager}
assert group.permissions.filter(codename="view_past_event").exists()
assert group.permissions.filter(codename="add_event").exists()
assert "publish_event_for_group" in get_group_perms(
group, Group.objects.get(name="Volunteers"))
assert group.permissions.filter(codename="add_userprofile").exists()
assert group.permissions.filter(codename="change_userprofile").exists()
assert group.permissions.filter(codename="delete_userprofile").exists()
assert group.permissions.filter(codename="view_userprofile").exists()
assert group.permissions.filter(codename="add_group").exists()
assert group.permissions.filter(codename="change_group").exists()
assert group.permissions.filter(codename="delete_group").exists()
assert group.permissions.filter(codename="view_group").exists()
def get_user_permissions(self, nodegroup=None):
"""
get's a list of object level permissions allowed for a all users
returns an object of the form:
.. code-block:: python
{
'local': {'codename': permssion codename, 'name': permission name} # A list of object level permissions
'default': {'codename': permssion codename, 'name': permission name} # A list of group based object level permissions or model level permissions
}
Keyword Arguments:
nodegroup -- the NodeGroup object instance to use to check for permissions on that particular object
"""
ret = []
for user in User.objects.all():
perms = {
'local': [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in get_user_perms(user, nodegroup)],
'default': set()
}
for group in user.groups.all():
codenames = set(get_group_perms(group, nodegroup))
if len(codenames) == 0:
codenames = set([item.codename for item in group.permissions.all()])
perms['default'].update(codenames)
perms['default'] = [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in perms['default']]
if len(perms['default']) > 0:
ret.append({'username': user.email or user.username, 'email': user.email, 'perms': perms, 'type': 'user', 'id': user.pk})
return ret
def obj_perms_manage_group_view(self, request, object_pk, group_id):
"""
Manages selected groups' permissions for current object.
"""
if not self.has_change_permission(request, None):
post_url = reverse('admin:index', current_app=self.admin_site.name)
return redirect(post_url)
group = get_object_or_404(Group, id=group_id)
obj = get_object_or_404(self.get_queryset(request), pk=object_pk)
form_class = self.get_obj_perms_manage_group_form(request)
form = form_class(group, obj, request.POST or None)
if request.method == 'POST' and form.is_valid():
form.save_obj_perms()
msg = gettext("Permissions saved.")
messages.success(request, msg)
info = (
self.admin_site.name,
self.model._meta.app_label,
self.model._meta.model_name,
)
url = reverse('%s:%s_%s_permissions_manage_group' % info,
args=[obj.pk, group.id])
return redirect(url)
context = self.get_obj_perms_base_context(request, obj)
context['group_obj'] = group
context['group_perms'] = get_group_perms(group, obj)
context['form'] = form
request.current_app = self.admin_site.name
return render(request, self.get_obj_perms_manage_group_template(),
context)
def get_permissions(self, user):
# Overrides guardian mixin - doesn't return view_preprint perms, and
# returns readable perms instead of literal perms
if isinstance(user, AnonymousUser):
return []
perms = ['read_preprint', 'write_preprint', 'admin_preprint']
user_perms = sorted(set(get_group_perms(user, self)).intersection(perms), key=perms.index)
return [perm.split('_')[0] for perm in user_perms]
def get_permission_to_node(self, node):
"""
Returns the permission this OSF group has to the given node
:param node: Node object
"""
perms = get_group_perms(self.member_group, node)
return reduce_permissions(perms) if perms else None
def test_copy_project_permissions_no_custom_permissions(self):
project = Project.objects.create(
custom_permissions=False,
login_required=False,
)
group = Group.objects.create(name='testgroup')
assign_perm('can_work_on', group, project)
batch = Batch.objects.create(
custom_permissions=True,
login_required=True,
project=project,
)
self.assertFalse('can_work_on_batch' in get_group_perms(group, batch))
batch.copy_project_permissions()
self.assertFalse(batch.custom_permissions)
self.assertFalse(batch.login_required)
self.assertFalse('can_work_on_batch' in get_group_perms(group, batch))
def get_perms(self, identity, type, obj, perms):
if type == "user":
identity_perms = get_user_perms(identity, obj)
else:
identity_perms = get_group_perms(identity, obj)
res = []
for perm in identity_perms:
res += list(filter(lambda x: (x["codename"] == perm), perms))
return res
def perform_create(self, serializer):
# Ensure the user has the correct permissions on the Project
# to add a product to it.
project = serializer.validated_data['project']
if 'view_project' in get_group_perms(self.request.user, project):
instance = serializer.save(created_by=self.request.user)
self.clone_group_permissions(instance.project, instance)
else:
raise ValidationError('You do not have permission to create this')
def get(self, request):
if self.action == "get_permission_manager_data":
identities = []
for group in Group.objects.all():
identities.append({"name": group.name, "type": "group", "id": group.pk, "default_permissions": group.permissions.all()})
for user in User.objects.filter(is_superuser=False):
groups = []
default_perms = []
for group in user.groups.all():
groups.append(group.name)
default_perms = default_perms + list(group.permissions.all())
identities.append(
{
"name": user.email or user.username,
"groups": ", ".join(groups),
"type": "user",
"id": user.pk,
"default_permissions": set(default_perms),
}
)
content_type = ContentType.objects.get_for_model(models.NodeGroup)
nodegroup_permissions = Permission.objects.filter(content_type=content_type)
ret = {"identities": identities, "permissions": nodegroup_permissions}
return JSONResponse(ret)
nodegroup_ids = JSONDeserializer().deserialize(request.GET.get("nodegroupIds"))
identityId = request.GET.get("identityId")
identityType = request.GET.get("identityType")
ret = []
if identityType == "group":
identity = Group.objects.get(pk=identityId)
for nodegroup_id in nodegroup_ids:
nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id)
perms = [
{"codename": codename, "name": self.get_perm_name(codename).name} for codename in get_group_perms(identity, nodegroup)
]
ret.append({"perms": perms, "nodegroup_id": nodegroup_id})
else:
identity = User.objects.get(pk=identityId)
for nodegroup_id in nodegroup_ids:
nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id)
perms = [
{"codename": codename, "name": self.get_perm_name(codename).name} for codename in get_user_perms(identity, nodegroup)
]
# only get the group perms ("defaults") if no user defined object settings have been saved
if len(perms) == 0:
perms = [
{"codename": codename, "name": self.get_perm_name(codename).name}
for codename in set(get_group_perms(identity, nodegroup))
]
ret.append({"perms": perms, "nodegroup_id": nodegroup_id})
return JSONResponse(ret)
def perform_create(self, serializer):
# Ensure that only workflows that the user has permissions
# for are able to be used.
# TODO: Check for permissions on product statuses?
workflow = serializer.validated_data['workflow']
if 'view_workflow' in get_group_perms(self.request.user, workflow):
instance = serializer.save(started_by=self.request.user)
# Inherit workflow group permissions
self.clone_group_permissions(instance.workflow, instance)
else:
raise ValidationError('You do not have permission to create this')
def perform_create(self, serializer):
# Ensure the user has the correct permissions on the Project
# to add a product to it.
project = serializer.validated_data['project']
if ('change_project' in get_group_perms(self.request.user, project)
or self.request.user.groups.filter(name='admin').exists()):
instance = serializer.save(created_by=self.request.user)
self.clone_group_permissions(instance.project, instance)
else:
raise ValidationError('You do not have permission to create this')
plugins = [p(instance) for p in ProductPluginProvider.plugins]
for p in plugins:
p.create()
def perform_create(self, serializer):
# Ensure the user has the correct permissions on the Project
# to add a product to it.
project = serializer.validated_data['project']
if ('change_project' in get_group_perms(self.request.user, project)
or self.request.user.groups.filter(name='admin').exists()):
instance = serializer.save(created_by=self.request.user)
self.clone_group_permissions(instance.project, instance)
else:
raise ValidationError('You do not have permission to create this')
plugins = [p(instance) for p in ProductPluginProvider.plugins]
for p in plugins:
p.create()
def test_copy_permissions_to_batches_no_custom_permissions(self):
project = Project.objects.create(
custom_permissions=False,
login_required=False,
)
group = Group.objects.create(name='testgroup')
assign_perm('can_work_on', group, project)
batch = Batch.objects.create(
custom_permissions=True,
login_required=True,
project=project,
)
self.assertFalse('can_work_on_batch' in get_group_perms(group, batch))
project.copy_permissions_to_batches()
batch.refresh_from_db()
self.assertFalse(batch.custom_permissions)
self.assertFalse(batch.login_required)
# Custom permissions are not copied from Project to Batch if
# project.custom_permissions is False
self.assertFalse('can_work_on_batch' in get_group_perms(group, batch))
def has_permission(self, user, permission):
"""Returns whether the user has the given permission to the OSFGroup
:param user: Auth object
:param role: member/manange permission
:return Boolean
"""
if not user or user.is_anonymous:
return False
# Using get_group_perms to get permissions that are inferred through
# group membership - not inherited from superuser status
return '{}_{}'.format(permission,
'group') in get_group_perms(user, self)
def copy_project_permissions(self):
"""Copy 'permission' settings from associated Project to this Batch
Copies:
- `custom_permissions` flag
- `login_required` flag
- group-level access permissions
"""
self.custom_permissions = self.project.custom_permissions
self.login_required = self.project.login_required
if self.custom_permissions:
for group in get_groups_with_perms(self.project):
if 'can_work_on' in get_group_perms(group, self.project):
assign_perm('can_work_on_batch', group, self)
def assign_tmpl_perms(request, perms, groups, tmpl_inst):
user = request.user
biz = tmpl_inst.business
if user.has_perm('manage_business', biz):
# 先删除所有有当前要授权权限的分组的权限
perm_groups = get_groups_with_perms(tmpl_inst)
for group in perm_groups:
perm_list = get_group_perms(group, tmpl_inst)
for perm in perm_list:
if perm in perms:
remove_perm(perm, group, tmpl_inst)
# 给当前有权限的分组授权
for perm, group in itertools.product(perms, groups):
assign_perm(perm, group, tmpl_inst)
else:
return HttpResponseForbidden()
def get_user_permissions(self, nodegroup=None):
"""
get's a list of object level permissions allowed for a all users
returns an object of the form:
.. code-block:: python
{
'local': {'codename': permssion codename, 'name': permission name} # A list of object level permissions
'default': {'codename': permssion codename, 'name': permission name} # A list of group based object level permissions or model level permissions
}
Keyword Arguments:
nodegroup -- the NodeGroup object instance to use to check for permissions on that particular object
"""
ret = []
for user in User.objects.all():
perms = {
'local': [{
'codename': codename,
'name': self.get_perm_name(codename).name
} for codename in get_user_perms(user, nodegroup)],
'default':
set()
}
for group in user.groups.all():
codenames = set(get_group_perms(group, nodegroup))
if len(codenames) == 0:
codenames = set(
[item.codename for item in group.permissions.all()])
perms['default'].update(codenames)
perms['default'] = [{
'codename': codename,
'name': self.get_perm_name(codename).name
} for codename in perms['default']]
if len(perms['default']) > 0:
ret.append({
'username': user.email or user.username,
'email': user.email,
'perms': perms,
'type': 'user',
'id': user.pk
})
return ret
def copy_permissions_to_batches(self):
"""Copy permissions from this Project to all associated Batches
Copies:
- `custom_permissions` flag
- `login_required` flag
- group-level access permissions
"""
self.batch_set.update(
custom_permissions=self.custom_permissions,
login_required=self.login_required,
)
if self.custom_permissions:
for group in get_groups_with_perms(self):
if 'can_work_on' in get_group_perms(group, self):
batches = self.batch_set.all()
GroupObjectPermission.objects.bulk_assign_perm(
'can_work_on_batch', group, batches)
def no_save_subscription_if_dont_have_permissions(sender, instance, **kwargs):
"""
Stop saving individual or group subscription if user or group don't have
permissions to subscribe to the alarm
:param sender: Subscription
"""
user = instance.user if instance.user else None
group = instance.group if instance.group else None
if user:
if 'can_subscribe' not in get_user_perms(user, instance.alarm):
raise ValidationError(
"User don't have permissions to subscribe to this alarm")
elif group:
if 'can_subscribe' not in get_group_perms(group, instance.alarm):
raise ValidationError(
"Group don't have permissions to subscribe to this alarm")
else:
raise ValidationError("BAD REQUEST. Check your selections.")
def check_resource_instance_permissions(user, resourceid, permission):
"""
Checks if a user has permission to access a resource instance
Arguments:
user -- the user to check
resourceid -- the id of the resource
permission -- the permission codename (e.g. 'view_resourceinstance') for which to check
"""
result = {}
try:
resource = ResourceInstance.objects.get(resourceinstanceid=resourceid)
result["resource"] = resource
all_perms = get_perms(user, resource)
if len(all_perms) == 0: # no permissions assigned. permission implied
result["permitted"] = "unknown"
return result
else:
user_permissions = get_user_perms(user, resource)
if "no_access_to_resourceinstance" in user_permissions: # user is restricted
result["permitted"] = False
return result
elif permission in user_permissions: # user is permitted
result["permitted"] = True
return result
group_permissions = get_group_perms(user, resource)
if "no_access_to_resourceinstance" in group_permissions: # group is restricted - no user override
result["permitted"] = False
return result
elif permission in group_permissions: # group is permitted - no user override
result["permitted"] = True
return result
if permission not in all_perms: # neither user nor group explicitly permits or restricts.
result["permitted"] = False # restriction implied
return result
except ObjectDoesNotExist:
return None
return result
def obj_perms_manage_group_view(self, request, object_pk, group_id):
"""
Manages selected groups' permissions for current object.
"""
if not self.has_change_permission(request, None):
post_url = reverse('admin:index', current_app=self.admin_site.name)
return redirect(post_url)
group = get_object_or_404(Group, id=group_id)
obj = get_object_or_404(self.get_queryset(request), pk=object_pk)
form_class = self.get_obj_perms_manage_group_form(request)
form = form_class(group, obj, request.POST or None)
if request.method == 'POST' and form.is_valid():
form.save_obj_perms()
msg = ugettext("Permissions saved.")
messages.success(request, msg)
info = (
self.admin_site.name,
self.model._meta.app_label,
get_model_name(self.model)
)
url = reverse(
'%s:%s_%s_permissions_manage_group' % info,
args=[obj.pk, group.id]
)
return redirect(url)
context = self.get_obj_perms_base_context(request, obj)
context['group_obj'] = group
context['group_perms'] = get_group_perms(group, obj)
context['form'] = form
request.current_app = self.admin_site.name
if django.VERSION >= (1, 10):
return render(request, self.get_obj_perms_manage_group_template(), context)
return render_to_response(self.get_obj_perms_manage_group_template(), context, RequestContext(request))
def test_group_edit(self, django_app, groups, manager):
group = manager.groups.first()
response = django_app.get(reverse("core:group_edit",
kwargs={"pk": group.id}),
user=manager)
form = response.form
group_name = "New name"
form["name"] = group_name
form["users"].force_value([manager.id])
form["can_view_past_event"] = False
form["is_planning_group"] = False
form["publish_event_for_group"].select_multiple(texts=["Volunteers"])
response = form.submit()
assert response.status_code == 302
group.refresh_from_db()
assert group.name == group_name
assert set(group.user_set.all()) == {manager}
assert not group.permissions.filter(
codename="view_past_event").exists()
assert not group.permissions.filter(codename="add_event").exists()
assert "publish_event_for_group" not in get_group_perms(
group, Group.objects.get(name="Volunteers"))
def inner_decorator(request, roles=roles, *args, **kwargs):
p = Project.objects.get(pk=kwargs['project_id'])
u = request.user
has_role = check_user_role(u, p, roles)
is_token_authenticated = getattr(request, '_is_token_authenticated', False)
# If a request is authenticated through an API token permissions are
# required, endpoints that require write/annotate permissions also
# need to have the TokenAnnotate permission. This is enforced also
# for admin accounts.
if is_token_authenticated and not contains_read_roles(roles) and \
settings.REQUIRE_EXTRA_TOKEN_PERMISSIONS:
has_role = 'can_annotate_with_token' in get_user_perms(u, p) or \
'can_annotate_with_token' in get_group_perms(u, p)
if has_role:
# The user can execute the function.
return f(request, *args, **kwargs)
else:
msg = "User '{}' with ID {} does not have the required permissions in " \
"project {}".format(u.username, u.id, int(kwargs['project_id']))
raise PermissionError(msg)
def handle(self, *args, **options):
analysis_read_perm = Analysis.get_read_perm()
analysis_write_perm = Analysis.get_write_perm()
variant_tag_read_perm = VariantTag.get_read_perm()
variant_tag_write_perm = VariantTag.get_write_perm()
PERM_CONVERTER = {
analysis_read_perm: variant_tag_read_perm,
analysis_write_perm: variant_tag_write_perm,
}
num_tags = 0
for variant_tag in VariantTag.objects.filter(analysis__isnull=False):
# Convert existing analysis permissions
for group in get_groups_with_perms(variant_tag.analysis):
for old_perm in get_group_perms(group, variant_tag.analysis):
perm = PERM_CONVERTER[old_perm]
assign_perm(perm, group, variant_tag)
# Default permissions for user
assign_permission_to_user_and_groups(variant_tag.user, variant_tag)
num_tags += 1
print(f"Set permission on {num_tags} tags")
def get_perms(request, biz_cc_id):
template_id = request.GET.get('template_id')
try:
template = TaskTemplate.objects.get(pk=template_id,
business__cc_id=biz_cc_id)
except TaskTemplate.DoesNotExist:
return HttpResponseForbidden()
fill_params_groups = []
execute_task_groups = []
groups = get_groups_with_perms(template)
# 获取有权限的分组列表
for group in groups:
perm_list = get_group_perms(group, template)
for perm in perm_list:
if perm == FILL_PARAMS_PERM_NAME:
fill_params_groups.append(
{"show_name": group.name.split("\x00")[-1]})
elif perm == EXECUTE_TASK_PERM_NAME:
execute_task_groups.append(
{"show_name": group.name.split("\x00")[-1]})
# 获取有权限的人员列表
users = get_users_with_perms(template)
for user in users:
perm_list = get_user_perms(user, template)
for perm in perm_list:
if perm == FILL_PARAMS_PERM_NAME:
fill_params_groups.append({"show_name": user.username})
elif perm == EXECUTE_TASK_PERM_NAME:
execute_task_groups.append({"show_name": user.username})
ctx = {
'result': True,
'data': {
'fill_params_groups': fill_params_groups,
'execute_task_groups': execute_task_groups,
}
}
return JsonResponse(ctx)
def get_group_permissions(self, nodegroup=None):
"""
get's a list of object level permissions allowed for a all groups
returns an object of the form:
.. code-block:: python
{
'local': {'codename': permssion codename, 'name': permission name} # A list of object level permissions
'default': {'codename': permssion codename, 'name': permission name} # A list of model level permissions
}
Keyword Arguments:
nodegroup -- the NodeGroup object instance to use to check for permissions on that particular object
"""
ret = []
for group in Group.objects.all():
perms = {
'local': [{
'codename': codename,
'name': self.get_perm_name(codename).name
} for codename in get_group_perms(group, nodegroup)],
'default': [{
'codename': item.codename,
'name': item.name
} for item in group.permissions.all()]
}
if len(perms['default']) > 0:
ret.append({
'name': group.name,
'perms': perms,
'type': 'group',
'id': group.pk
})
return ret
def get_obj_perms_field_initial(self):
perms = get_group_perms(self.group, self.obj)
return perms
def get_group_permissions(self, nodegroup=None):
"""
get's a list of object level permissions allowed for a all groups
returns an object of the form:
.. code-block:: python
{
'local': {'codename': permssion codename, 'name': permission name} # A list of object level permissions
'default': {'codename': permssion codename, 'name': permission name} # A list of model level permissions
}
Keyword Arguments:
nodegroup -- the NodeGroup object instance to use to check for permissions on that particular object
"""
ret = []
for group in Group.objects.all():
perms = {
'local': [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in get_group_perms(group, nodegroup)],
'default': [{'codename': item.codename, 'name': item.name} for item in group.permissions.all()]
}
if len(perms['default']) > 0:
ret.append({'name': group.name, 'perms': perms, 'type': 'group', 'id': group.pk})
return ret
def get(self, request):
nodegroup_ids = JSONDeserializer().deserialize(request.GET.get('nodegroupIds'))
identityId = request.GET.get('identityId')
identityType = request.GET.get('identityType')
ret = []
if identityType == 'group':
identity = Group.objects.get(pk=identityId)
for nodegroup_id in nodegroup_ids:
nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id)
perms = [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in get_group_perms(identity, nodegroup)]
ret.append({'perms': perms, 'nodegroup_id': nodegroup_id})
else:
identity = User.objects.get(pk=identityId)
for nodegroup_id in nodegroup_ids:
nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id)
perms = [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in get_user_perms(identity, nodegroup)]
# only get the group perms ("defaults") if no user defined object settings have been saved
if len(perms) == 0:
perms = [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in set(get_group_perms(identity, nodegroup))]
ret.append({'perms': perms, 'nodegroup_id': nodegroup_id})
return JSONResponse(ret)
