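def post(self, request):
    """Create a Feed from the request payload.

    Validates the submitted ``FeedForm``, requires ``check_catalog_manage``
    on the target catalog, rejects a duplicate ``url_name`` inside that
    catalog, then persists the feed and attaches the optional ``entries``
    and ``parents`` relations.

    Args:
        request: the current request; ``request.user`` becomes the feed's
            creator and is the subject of the permission check.

    Raises:
        ValidationException: the form did not validate.
        ProblemDetailException: 403 when the caller lacks
            ``check_catalog_manage`` on the catalog; 409 when a feed with the
            same ``url_name`` already exists in that catalog.

    Returns:
        SingleResponse carrying the created feed with status 201.
    """
    form = FeedForm.create_from_request(request)
    if not form.is_valid():
        raise ValidationException(request, form)

    cleaned = form.cleaned_data
    catalog = cleaned['catalog_id']

    # The permission check runs before the existence query, so the 409
    # below cannot be used to learn which url_names exist in a catalog
    # the caller is not allowed to manage.
    if not has_object_permission('check_catalog_manage', request.user, catalog):
        raise ProblemDetailException(request, _("Insufficient permissions"), status=HTTPStatus.FORBIDDEN)

    if Feed.objects.filter(catalog=catalog, url_name=cleaned['url_name']).exists():
        raise ProblemDetailException(
            request,
            _("Feed with same url_name already exists in same catalog"),
            status=HTTPStatus.CONFLICT,
        )

    feed = Feed(creator=request.user)
    form.populate(feed)
    feed.save()

    # Optional many-to-many relations, attached once the feed is saved.
    # NOTE(review): nothing visible here restricts 'entries'/'parents' to
    # the target catalog — confirm FeedForm scopes those querysets.
    if 'entries' in cleaned:
        feed.entries.add(*cleaned['entries'])
    if 'parents' in cleaned:
        feed.parents.add(*cleaned['parents'])

    return SingleResponse(request, feed, serializer=FeedSerializer.Base, status=HTTPStatus.CREATED)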
def post(self, request):
    """Create an Author in a catalog from the request payload.

    Args:
        request: the current request; ``request.user`` is the subject of
            the ``check_catalog_write`` permission check.

    Raises:
        ValidationException: the ``CreateAuthorForm`` did not validate.
        ProblemDetailException: 403 when the caller lacks
            ``check_catalog_write`` on the catalog; 409 when an author with
            the same name and surname already exists in that catalog.

    Returns:
        SingleResponse carrying the created author with status 201.
    """
    form = CreateAuthorForm.create_from_request(request)
    if not form.is_valid():
        raise ValidationException(request, form)

    data = form.cleaned_data
    catalog = data['catalog_id']

    # Permission is evaluated before the duplicate lookup, so the 409 does
    # not disclose author names of a catalog the caller cannot write to.
    if not has_object_permission('check_catalog_write', request.user, catalog):
        raise ProblemDetailException(request, _("Insufficient permissions"), status=HTTPStatus.FORBIDDEN)

    duplicates = Author.objects.filter(
        catalog=catalog,
        name=data['name'],
        surname=data['surname'],
    )
    if duplicates.exists():
        raise ProblemDetailException(
            request,
            _("Author already exists in the catalog"),
            status=HTTPStatus.CONFLICT,
        )

    author = Author()
    form.populate(author)
    author.save()
    return SingleResponse(request, author, serializer=AuthorSerializer.Detailed, status=HTTPStatus.CREATED)
def get(self, request, remote_id):
    """Return a single Remote by primary key.

    Args:
        request: the current request; ``request.user`` is checked for
            ``check_remote`` on the loaded object.
        remote_id: primary key of the Remote.

    Raises:
        ApiException: 404 when no Remote has ``remote_id``; 403 when the
            permission check fails.

    Returns:
        SingleResponse serialising the Remote with ``RemoteSerializer.Base``.
    """
    try:
        remote = Remote.objects.get(pk=remote_id)
    except Remote.DoesNotExist:
        raise ApiException(request, _('Remote does not exist.'), status_code=HTTPStatus.NOT_FOUND)

    # NOTE(review): the lookup precedes the permission check, so a caller
    # without access can still tell a 404 from a 403 for a given id.
    allowed = has_object_permission('check_remote', request.user, remote)
    if not allowed:
        raise ApiException(request, _('User is unauthorized.'), status_code=HTTPStatus.FORBIDDEN)

    return SingleResponse(request, remote, serializer=RemoteSerializer.Base)
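def _get_entry(request, catalog_id: uuid.UUID, entry_id: uuid.UUID, checker: str = 'check_entry_manage') -> Entry:
    """Load an Entry scoped to its catalog and enforce ``checker`` on it.

    Args:
        request: the current request; ``request.user`` is the subject of
            the permission check.
        catalog_id: catalog the entry must belong to. It is part of the
            lookup, so an entry id from a different catalog yields a 404.
        entry_id: primary key of the entry.
        checker: name of the object-permission rule to evaluate.

    Raises:
        ProblemDetailException: 404 when no matching entry exists (the
            ``DoesNotExist`` is attached as ``previous``); 403 when the
            permission check fails.

    Returns:
        The matching Entry.
    """
    try:
        entry = Entry.objects.get(pk=entry_id, catalog_id=catalog_id)
    except Entry.DoesNotExist as e:
        # Attach the cause, as the other _get_* helpers do, so the 404 keeps
        # its diagnostic context.
        raise ProblemDetailException(request, _("Entry not found"), status=HTTPStatus.NOT_FOUND, previous=e)
    if not has_object_permission(checker, request.user, entry):
        raise ProblemDetailException(request, _("Insufficient permissions"), status=HTTPStatus.FORBIDDEN)
    return entry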
def _get_feed(request, feed_id: UUID) -> Feed:
    """Fetch a Feed and require ``check_catalog_manage`` on its catalog.

    Args:
        request: the current request; ``request.user`` is the subject of
            the permission check.
        feed_id: primary key of the feed.

    Raises:
        ProblemDetailException: 404 when the feed does not exist (cause
            attached as ``previous``); 403 when the caller may not manage
            the feed's catalog.

    Returns:
        The Feed, with ``catalog`` already joined.
    """
    try:
        feed = Feed.objects.select_related('catalog').get(pk=feed_id)
    except Feed.DoesNotExist as err:
        raise ProblemDetailException(request, _("Feed not found"), status=HTTPStatus.NOT_FOUND, previous=err)

    # Authorization is decided on the owning catalog, not the feed itself.
    may_manage = has_object_permission('check_catalog_manage', request.user, feed.catalog)
    if not may_manage:
        raise ProblemDetailException(request, _("Insufficient permissions"), status=HTTPStatus.FORBIDDEN)

    return feed
def get(self, request, project_id):
    """Return a single Project by primary key.

    Args:
        request: the current request; ``request.user`` is checked for
            ``check_project`` on the loaded object.
        project_id: primary key of the Project.

    Raises:
        ApiException: 404 when no Project has ``project_id``; 403 when the
            permission check fails.

    Returns:
        SingleResponse serialising the Project with ``ProjectSerializer.Detail``.
    """
    try:
        project = Project.objects.get(pk=project_id)
    except Project.DoesNotExist:
        raise ApiException(request, _('Project does not exist.'), status_code=HTTPStatus.NOT_FOUND)

    # NOTE(review): existence is reported (404) before authorization (403).
    permitted = has_object_permission('check_project', request.user, project)
    if not permitted:
        raise ApiException(request, _('User is unauthorized.'), status_code=HTTPStatus.FORBIDDEN)

    return SingleResponse(request, project, serializer=ProjectSerializer.Detail)
def _get_author(request, author_id: UUID, checker: str = 'check_catalog_manage') -> Author:
    """Fetch an Author and enforce ``checker`` on the author's catalog.

    Args:
        request: the current request; ``request.user`` is the subject of
            the permission check.
        author_id: primary key of the author.
        checker: name of the object-permission rule to evaluate against
            the author's catalog.

    Raises:
        ProblemDetailException: 404 when the author does not exist (cause
            attached as ``previous``); 403 when the permission check fails.

    Returns:
        The Author, with ``catalog`` already joined.
    """
    queryset = Author.objects.select_related('catalog')
    try:
        author = queryset.get(pk=author_id)
    except Author.DoesNotExist as err:
        raise ProblemDetailException(request, _("Author not found"), status=HTTPStatus.NOT_FOUND, previous=err)

    # The rule is applied to the catalog, which is what the author belongs to.
    if not has_object_permission(checker, request.user, author.catalog):
        raise ProblemDetailException(request, _("Insufficient permissions"), status=HTTPStatus.FORBIDDEN)

    return author
def _get_catalog(request, catalog_id: UUID, checker: str = 'check_catalog_manage') -> Catalog:
    """Fetch a Catalog and enforce ``checker`` on it.

    Args:
        request: the current request; ``request.user`` is the subject of
            the permission check.
        catalog_id: primary key of the catalog.
        checker: name of the object-permission rule to evaluate.

    Raises:
        ProblemDetailException: 404 when the catalog does not exist (cause
            attached as ``previous``); 403 when the permission check fails.

    Returns:
        The Catalog.
    """
    try:
        catalog = Catalog.objects.get(pk=catalog_id)
    except Catalog.DoesNotExist as err:
        raise ProblemDetailException(request, _("Catalog not found"), status=HTTPStatus.NOT_FOUND, previous=err)

    permitted = has_object_permission(checker, request.user, catalog)
    if not permitted:
        raise ProblemDetailException(request, _("Insufficient permissions"), status=HTTPStatus.FORBIDDEN)

    return catalog
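def _get_acquisition(request, acquisition_id: UUID, checker: str = 'check_catalog_manage') -> Acquisition:
    """Fetch an Acquisition and enforce ``checker`` on its entry's catalog.

    Args:
        request: the current request; ``request.user`` is the subject of
            the permission check.
        acquisition_id: primary key of the acquisition.
        checker: name of the object-permission rule to evaluate against
            the catalog reached through ``acquisition.entry``.

    Raises:
        ProblemDetailException: 404 when the acquisition does not exist
            (cause attached as ``previous``); 403 when the permission check
            fails.

    Returns:
        The Acquisition, with ``entry`` and ``entry.catalog`` already joined.
    """
    try:
        acquisition = Acquisition.objects.select_related('entry__catalog').get(pk=acquisition_id)
    except Acquisition.DoesNotExist as e:
        # Pass the cause along, consistent with the other _get_* helpers.
        raise ProblemDetailException(request, _("Acquisition not found"), status=HTTPStatus.NOT_FOUND, previous=e)
    # Authorization is decided on the catalog that owns the entry.
    if not has_object_permission(checker, request.user, acquisition.entry.catalog):
        raise ProblemDetailException(request, _("Insufficient permissions"), status=HTTPStatus.FORBIDDEN)
    return acquisition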
def post(self, request, catalog_id: uuid.UUID):
    """Create an Entry in the catalog identified by ``catalog_id``.

    Args:
        request: the current request; ``request.user`` becomes the entry's
            creator and is checked for ``check_catalog_write``.
        catalog_id: primary key of the target catalog.

    Raises:
        ProblemDetailException: 404 when the catalog does not exist (cause
            attached as ``previous``); 403 when the caller may not write to it.
        ValidationException: the ``EntryForm`` did not validate.

    Returns:
        SingleResponse carrying the created entry with status 201.
    """
    try:
        catalog = Catalog.objects.get(pk=catalog_id)
    except Catalog.DoesNotExist as err:
        raise ProblemDetailException(request, _("Catalog not found"), status=HTTPStatus.NOT_FOUND, previous=err)

    if not has_object_permission('check_catalog_write', request.user, catalog):
        raise ProblemDetailException(request, _("Insufficient permissions"), status=HTTPStatus.FORBIDDEN)

    form = EntryForm.create_from_request(request)
    # Narrow the selectable categories and author to this catalog before
    # validation, so the payload cannot reference objects of another catalog.
    for field_name in ('category_ids', 'author_id'):
        field = form.fields[field_name]
        field.queryset = field.queryset.filter(catalog=catalog)
    if not form.is_valid():
        raise ValidationException(request, form)

    entry = Entry(creator=request.user, catalog=catalog)
    EntryService(catalog, request.user).populate(entry, form)
    return SingleResponse(request, entry, serializer=EntrySerializer.Detailed, status=HTTPStatus.CREATED)
def test_abac_authorization_no_role(self, abstract_objects, manager_user=None, no_role_user=None):
    """A user without any role must be denied by the 'check_abac' rule."""
    granted = has_object_permission('check_abac', no_role_user, abstract_objects)
    assert not granted
def test_abac_authorization_manager(self, abstract_objects, manager_user):
    """A manager must be granted by the 'check_abac' rule."""
    granted = has_object_permission('check_abac', manager_user, abstract_objects)
    assert granted
def test_abac_authorization_admin(self, abstract_objects, super_user):
    """A superuser must be granted by the 'check_abac' rule."""
    granted = has_object_permission('check_abac', super_user, abstract_objects)
    assert granted
def test_duplicate_name(self, abstract_objects, manager_user):
    """The 'check_exception' rule is expected to raise rather than return.

    NOTE(review): the test name does not describe what is exercised here
    (a raising checker, not a duplicate name); the catch is also as broad
    as ``Exception``, so any failure inside the rule satisfies it.
    """
    pytest.raises(Exception, has_object_permission, 'check_exception', manager_user, abstract_objects)