コード例 #1
    def post(self, request):
        """Create a feed in the catalog named by the submitted form.

        Checks run in this order: form validation, the
        ``check_catalog_manage`` permission on the submitted ``catalog_id``,
        then a duplicate ``url_name`` lookup inside that catalog.

        Raises:
            ValidationException: the submitted form is invalid.
            ProblemDetailException: 403 when the permission check fails,
                409 when the catalog already has a feed with this
                ``url_name``.
        """
        form = FeedForm.create_from_request(request)
        if not form.is_valid():
            raise ValidationException(request, form)

        data = form.cleaned_data

        # The catalog being authorised is the one the client named in the
        # request body, so this check must stay ahead of every write below.
        may_manage = has_object_permission(
            'check_catalog_manage', request.user, data['catalog_id'])
        if not may_manage:
            raise ProblemDetailException(
                request,
                _("Insufficient permissions"),
                status=HTTPStatus.FORBIDDEN)

        # NOTE(review): exists() followed by save() is check-then-act; two
        # concurrent requests can both pass it. Confirm the model carries a
        # unique constraint on (catalog, url_name).
        duplicate = Feed.objects.filter(
            catalog=data['catalog_id'],
            url_name=data['url_name'],
        ).exists()
        if duplicate:
            raise ProblemDetailException(
                request,
                _("Feed with same url_name already exists in same catalog"),
                status=HTTPStatus.CONFLICT)

        feed = Feed(creator=request.user)
        form.populate(feed)
        feed.save()

        # NOTE(review): nothing visible here ties the submitted entries or
        # parents to the catalog authorised above; confirm FeedForm limits
        # those choices to the same catalog.
        for relation in ('entries', 'parents'):
            if relation in data:
                getattr(feed, relation).add(*data[relation])

        return SingleResponse(
            request,
            feed,
            serializer=FeedSerializer.Base,
            status=HTTPStatus.CREATED)
コード例 #2
    def post(self, request):
        """Create an author in the catalog named by the submitted form.

        Checks run in this order: form validation, the
        ``check_catalog_write`` permission on the submitted ``catalog_id``,
        then a duplicate lookup on (catalog, name, surname).

        Raises:
            ValidationException: the submitted form is invalid.
            ProblemDetailException: 403 when the permission check fails,
                409 when the same author already exists in the catalog.
        """
        form = CreateAuthorForm.create_from_request(request)
        if not form.is_valid():
            raise ValidationException(request, form)

        data = form.cleaned_data

        # Authorisation is decided on the client-supplied catalog before
        # anything is written.
        may_write = has_object_permission(
            'check_catalog_write', request.user, data['catalog_id'])
        if not may_write:
            raise ProblemDetailException(
                request,
                _("Insufficient permissions"),
                status=HTTPStatus.FORBIDDEN)

        # NOTE(review): this lookup and the save() below are not atomic;
        # confirm a database-level unique constraint backs the 409 path.
        already_there = Author.objects.filter(
            catalog=data['catalog_id'],
            name=data['name'],
            surname=data['surname'],
        ).exists()
        if already_there:
            raise ProblemDetailException(
                request,
                _("Author already exists in the catalog"),
                status=HTTPStatus.CONFLICT)

        author = Author()
        form.populate(author)
        author.save()

        return SingleResponse(
            request,
            author,
            serializer=AuthorSerializer.Detailed,
            status=HTTPStatus.CREATED)
コード例 #3
    def get(self, request, remote_id):
        """Return the serialized Remote identified by ``remote_id``.

        Raises:
            ApiException: 404 when no Remote has that primary key, 403 when
                the ``check_remote`` permission is denied for the caller.
        """
        try:
            found = Remote.objects.get(pk=remote_id)
        except Remote.DoesNotExist:
            raise ApiException(
                request,
                _('Remote does not exist.'),
                status_code=HTTPStatus.NOT_FOUND,
            )

        # NOTE(review): 404 is returned before the permission check, so a
        # caller without access can tell existing ids from missing ones by
        # status code. Answer 404 in both cases if ids must stay private.
        permitted = has_object_permission('check_remote', request.user, found)
        if not permitted:
            raise ApiException(
                request,
                _('User is unauthorized.'),
                status_code=HTTPStatus.FORBIDDEN,
            )

        return SingleResponse(request, found, serializer=RemoteSerializer.Base)
コード例 #4
ファイル: entries.py プロジェクト: Sibyx/EvilFlowersCatalog
    def _get_entry(request, catalog_id: uuid.UUID, entry_id: uuid.UUID, checker: str = 'check_entry_manage') -> Entry:
        """Load an entry from a given catalog and authorise the caller on it.

        Args:
            request: current request; ``request.user`` is the subject of the
                permission check.
            catalog_id: catalog the entry must belong to.
            entry_id: primary key of the entry.
            checker: name of the permission rule handed to
                ``has_object_permission``.

        Returns:
            The matching ``Entry``.

        Raises:
            ProblemDetailException: 404 when no entry matches both ids,
                403 when the permission rule denies access.
        """
        # Both ids go into the lookup, so an entry id that belongs to a
        # different catalog is reported as "not found".
        try:
            wanted = Entry.objects.get(pk=entry_id, catalog_id=catalog_id)
        except Entry.DoesNotExist:
            raise ProblemDetailException(
                request,
                _("Entry not found"),
                status=HTTPStatus.NOT_FOUND,
            )

        # NOTE(review): `checker` chooses which rule runs; call sites should
        # pass a fixed rule name, never a value taken from the request.
        allowed = has_object_permission(checker, request.user, wanted)
        if not allowed:
            raise ProblemDetailException(
                request,
                _("Insufficient permissions"),
                status=HTTPStatus.FORBIDDEN,
            )

        return wanted
コード例 #5
    def _get_feed(request, feed_id: UUID) -> Feed:
        """Load a feed by primary key and authorise the caller on its catalog.

        Returns:
            The ``Feed`` with its ``catalog`` relation loaded in the same
            query.

        Raises:
            ProblemDetailException: 404 when the feed does not exist (the
                ``DoesNotExist`` error is passed along as ``previous``),
                403 when ``check_catalog_manage`` is denied.
        """
        feeds_with_catalog = Feed.objects.select_related('catalog')
        try:
            feed = feeds_with_catalog.get(pk=feed_id)
        except Feed.DoesNotExist as missing:
            raise ProblemDetailException(
                request,
                _("Feed not found"),
                status=HTTPStatus.NOT_FOUND,
                previous=missing)

        # The rule is evaluated against the owning catalog, not the feed.
        can_manage = has_object_permission(
            'check_catalog_manage', request.user, feed.catalog)
        if not can_manage:
            raise ProblemDetailException(
                request,
                _("Insufficient permissions"),
                status=HTTPStatus.FORBIDDEN)

        return feed
コード例 #6
    def get(self, request, project_id):
        """Return the serialized Project identified by ``project_id``.

        Raises:
            ApiException: 404 when no Project has that primary key, 403 when
                the ``check_project`` permission is denied for the caller.
        """
        try:
            found = Project.objects.get(pk=project_id)
        except Project.DoesNotExist:
            raise ApiException(
                request,
                _('Project does not exist.'),
                status_code=HTTPStatus.NOT_FOUND,
            )

        # NOTE(review): existence is reported (404) before authorisation
        # (403), which lets callers without access learn which project ids
        # exist. Collapse both to 404 if that disclosure matters.
        permitted = has_object_permission(
            'check_project', request.user, found)
        if not permitted:
            raise ApiException(
                request,
                _('User is unauthorized.'),
                status_code=HTTPStatus.FORBIDDEN,
            )

        return SingleResponse(
            request, found, serializer=ProjectSerializer.Detail)
コード例 #7
    def _get_author(request,
                    author_id: UUID,
                    checker: str = 'check_catalog_manage') -> Author:
        """Load an author by primary key and authorise on the author's catalog.

        Args:
            request: current request; ``request.user`` is the subject of the
                permission check.
            author_id: primary key of the author.
            checker: name of the permission rule handed to
                ``has_object_permission``.

        Raises:
            ProblemDetailException: 404 when the author does not exist (the
                ``DoesNotExist`` error is passed along as ``previous``),
                403 when the rule denies access.
        """
        authors_with_catalog = Author.objects.select_related('catalog')
        try:
            author = authors_with_catalog.get(pk=author_id)
        except Author.DoesNotExist as missing:
            raise ProblemDetailException(
                request,
                _("Author not found"),
                status=HTTPStatus.NOT_FOUND,
                previous=missing)

        # The rule is evaluated against the owning catalog.
        # NOTE(review): `checker` should only ever be a fixed rule name
        # chosen by the calling view, not request-derived input.
        granted = has_object_permission(checker, request.user, author.catalog)
        if not granted:
            raise ProblemDetailException(
                request,
                _("Insufficient permissions"),
                status=HTTPStatus.FORBIDDEN)

        return author
コード例 #8
ファイル: catalogs.py プロジェクト: Sibyx/EvilFlowersCatalog
    def _get_catalog(request,
                     catalog_id: UUID,
                     checker: str = 'check_catalog_manage') -> Catalog:
        """Load a catalog by primary key and authorise the caller on it.

        Args:
            request: current request; ``request.user`` is the subject of the
                permission check.
            catalog_id: primary key of the catalog.
            checker: name of the permission rule handed to
                ``has_object_permission``.

        Raises:
            ProblemDetailException: 404 when the catalog does not exist (the
                ``DoesNotExist`` error is passed along as ``previous``),
                403 when the rule denies access.
        """
        try:
            found = Catalog.objects.get(pk=catalog_id)
        except Catalog.DoesNotExist as missing:
            raise ProblemDetailException(
                request,
                _("Catalog not found"),
                status=HTTPStatus.NOT_FOUND,
                previous=missing)

        # NOTE(review): the default rule is the "manage" one; a call site
        # that overrides `checker` should pass a fixed rule name only.
        granted = has_object_permission(checker, request.user, found)
        if not granted:
            raise ProblemDetailException(
                request,
                _("Insufficient permissions"),
                status=HTTPStatus.FORBIDDEN)

        return found
コード例 #9
    def _get_acquisition(request,
                         acquisition_id: UUID,
                         checker: str = 'check_catalog_manage') -> Acquisition:
        """Load an acquisition and authorise on the catalog of its entry.

        Args:
            request: current request; ``request.user`` is the subject of the
                permission check.
            acquisition_id: primary key of the acquisition.
            checker: name of the permission rule handed to
                ``has_object_permission``.

        Raises:
            ProblemDetailException: 404 when the acquisition does not exist,
                403 when the rule denies access.
        """
        # entry and entry.catalog are joined in, because the permission
        # check below walks acquisition -> entry -> catalog.
        joined = Acquisition.objects.select_related('entry__catalog')
        try:
            acquisition = joined.get(pk=acquisition_id)
        except Acquisition.DoesNotExist:
            raise ProblemDetailException(
                request,
                _("Acquisition not found"),
                status=HTTPStatus.NOT_FOUND)

        owning_catalog = acquisition.entry.catalog
        # NOTE(review): `checker` should be a fixed rule name supplied by
        # the calling view, never request-derived input.
        if not has_object_permission(checker, request.user, owning_catalog):
            raise ProblemDetailException(
                request,
                _("Insufficient permissions"),
                status=HTTPStatus.FORBIDDEN)

        return acquisition
コード例 #10
ファイル: entries.py プロジェクト: Sibyx/EvilFlowersCatalog
    def post(self, request, catalog_id: uuid.UUID):
        """Create an entry inside the catalog given in the URL.

        The catalog is loaded and the ``check_catalog_write`` permission is
        checked before the request body is parsed.

        Raises:
            ProblemDetailException: 404 when the catalog does not exist,
                403 when the permission check fails.
            ValidationException: the submitted form is invalid.
        """
        try:
            catalog = Catalog.objects.get(pk=catalog_id)
        except Catalog.DoesNotExist as missing:
            raise ProblemDetailException(
                request,
                _("Catalog not found"),
                status=HTTPStatus.NOT_FOUND,
                previous=missing,
            )

        may_write = has_object_permission(
            'check_catalog_write', request.user, catalog)
        if not may_write:
            raise ProblemDetailException(
                request,
                _("Insufficient permissions"),
                status=HTTPStatus.FORBIDDEN,
            )

        form = EntryForm.create_from_request(request)

        # Restrict the selectable categories and authors to this catalog.
        # This has to happen before is_valid() so that, presumably, ids
        # pointing into other catalogs are rejected by validation; confirm
        # against the field implementation.
        for field_name in ('category_ids', 'author_id'):
            field = form.fields[field_name]
            field.queryset = field.queryset.filter(catalog=catalog)

        if not form.is_valid():
            raise ValidationException(request, form)

        # creator and catalog are set server-side, not taken from the form.
        entry = Entry(creator=request.user, catalog=catalog)
        EntryService(catalog, request.user).populate(entry, form)

        return SingleResponse(
            request,
            entry,
            serializer=EntrySerializer.Detailed,
            status=HTTPStatus.CREATED,
        )
コード例 #11
 def test_abac_authorization_no_role(self, abstract_objects, no_role_user):
     """The ``check_abac`` rule must deny the ``no_role_user`` fixture."""
     # Deny-path test: this is the case that guards against a rule that
     # accidentally allows everyone.
     decision = has_object_permission(
         'check_abac', no_role_user, abstract_objects)
     assert not decision
コード例 #12
 def test_abac_authorization_manager(self, abstract_objects, manager_user):
     """The ``check_abac`` rule must allow the ``manager_user`` fixture."""
     decision = has_object_permission(
         'check_abac', manager_user, abstract_objects)
     assert decision
コード例 #13
 def test_abac_authorization_admin(self, abstract_objects, super_user):
     """The ``check_abac`` rule must allow the ``super_user`` fixture."""
     decision = has_object_permission(
         'check_abac', super_user, abstract_objects)
     assert decision
コード例 #14
 def test_duplicate_name(self, abstract_objects, manager_user):
     """Calling the ``check_exception`` rule must raise.

     Presumably the rule name is registered more than once (going by the
     test name); the registration is not visible here.
     """
     # NOTE(review): pytest.raises(Exception) also passes on unrelated
     # failures (e.g. a NameError or a broken fixture value). Narrow it to
     # the specific exception type the permission library raises.
     expected_failure = pytest.raises(Exception)
     with expected_failure:
         has_object_permission(
             'check_exception', manager_user, abstract_objects)