def filter_queryset(self, request, queryset, view):
"""
Anonymous user has no object permissions, return queryset as it is.
"""
user = request.user
project_id = view.kwargs.get(view.lookup_field)
if user.is_anonymous:
return queryset.filter(Q(shared=True))
if project_id:
int_or_parse_error(project_id,
u"Invalid value for project_id '%s' must be a"
" positive integer.")
# check if project is public and return it
try:
project = queryset.get(id=project_id)
except ObjectDoesNotExist:
raise Http404
if project.shared:
return queryset.filter(Q(id=project_id))
return super(AnonUserProjectFilter, self)\
.filter_queryset(request, queryset, view)
def filter_queryset(self, request, queryset, view):
"""
Anonymous user has no object permissions, return queryset as it is.
"""
user = request.user
project_id = view.kwargs.get(view.lookup_field)
if user.is_anonymous:
return queryset.filter(Q(shared=True))
if project_id:
int_or_parse_error(project_id,
u"Invalid value for project_id '%s' must be a"
" positive integer.")
# check if project is public and return it
try:
project = queryset.get(id=project_id)
except ObjectDoesNotExist:
raise Http404
if project.shared:
return queryset.filter(Q(id=project_id))
return super(AnonUserProjectFilter, self)\
.filter_queryset(request, queryset, view)
def filter_queryset(self, request, queryset, view):
"""
Anonymous user has no object permissions, return queryset as it is.
"""
form_id = view.kwargs.get(view.lookup_field,
view.kwargs.get('xform_pk'))
queryset = queryset.filter(deleted_at=None)
if request.user.is_anonymous:
return queryset
if form_id and view.lookup_field == 'pk':
int_or_parse_error(form_id, u'Invalid form ID: %s')
if form_id:
xform_kwargs = {view.lookup_field: form_id}
# check if form is public and return it
try:
form = queryset.get(**xform_kwargs)
except ObjectDoesNotExist:
raise Http404
if form.shared:
return queryset.filter(Q(**xform_kwargs))
return super(AnonDjangoObjectPermissionFilter, self)\
.filter_queryset(request, queryset, view)
def filter_queryset(self, request, queryset, view):
instance_id = request.query_params.get('instance')
if instance_id:
int_or_parse_error(instance_id, u"Invalid value for instance %s.")
instance = get_object_or_404(Instance, pk=instance_id)
queryset = queryset.filter(instance=instance)
return queryset
def filter_queryset(self, request, queryset, view):
instance_id = request.query_params.get('instance')
if instance_id:
int_or_parse_error(instance_id,
u"Invalid value for instance %s.")
instance = get_object_or_404(Instance, pk=instance_id)
queryset = queryset.filter(instance=instance)
return queryset
def filter_queryset(self, request, queryset, view):
queryset = self._xform_filter_queryset(request, queryset, view,
'instance__xform')
instance_id = request.query_params.get('instance')
if instance_id:
int_or_parse_error(
instance_id, u"Invalid value for instance_id. It must be"
" a positive integer.")
instance = get_object_or_404(Instance, pk=instance_id)
queryset = queryset.filter(instance=instance)
return queryset
def _project_filter(self, request, view, keyword):
project_id = request.query_params.get("project")
if project_id:
int_or_parse_error(project_id, u"Invalid value for projectid %s.")
project = get_object_or_404(Project, pk=project_id)
project_qs = Project.objects.filter(pk=project.id)
else:
project_qs = Project.objects.all()
projects = super(ProjectPermissionFilterMixin, self).filter_queryset(
request, project_qs, view)
return {"%s__in" % keyword: projects}
def _project_filter(self, request, view, keyword):
project_id = request.query_params.get("project")
if project_id:
int_or_parse_error(project_id, u"Invalid value for projectid %s.")
project = get_object_or_404(Project, pk=project_id)
project_qs = Project.objects.filter(pk=project.id)
else:
project_qs = Project.objects.all()
projects = super(ProjectPermissionFilterMixin, self).filter_queryset(
request, project_qs, view)
return {"%s__in" % keyword: projects}
def _xform_filter(self, request, view, keyword):
"""Use XForm permissions"""
xform = request.query_params.get('xform')
if xform:
int_or_parse_error(xform, u"Invalid value for formid %s.")
xform = get_object_or_404(XForm, pk=xform)
xform_qs = XForm.objects.filter(pk=xform.pk)
else:
xform_qs = XForm.objects.all()
xform_qs = xform_qs.filter(deleted_at=None)
if request.user.is_anonymous():
xforms = xform_qs.filter(shared_data=True)
else:
xforms = super(XFormPermissionFilterMixin,
self).filter_queryset(request, xform_qs, view)
return {"%s__in" % keyword: xforms}
def _instance_filter(self, request, view, keyword):
instance_kwarg = {}
instance_content_type = ContentType.objects.get_for_model(Instance)
instance_kwarg["content_type"] = instance_content_type
instance_id = request.query_params.get("instance")
project_id = request.query_params.get("project")
xform_id = request.query_params.get('xform')
if instance_id and project_id and xform_id:
for object_id in [instance_id, project_id]:
int_or_parse_error(
object_id, u"Invalid value for instanceid. It must be"
" a positive integer.")
instance = get_object_or_404(Instance, pk=instance_id)
# test if user has permissions on the project
if xform_id:
xform = get_object_or_404(XForm, pk=xform_id)
parent = xform.instances.filter(id=instance.id) and xform
else:
return {}
project = get_object_or_404(Project, pk=project_id)
project_qs = Project.objects.filter(pk=project.id)
if parent and parent.project == project:
projects = super(InstancePermissionFilterMixin,
self).filter_queryset(request, project_qs,
view)
instances = [instance.id] if projects else []
instance_kwarg["%s__in" % keyword] = instances
return instance_kwarg
else:
return {}
else:
return instance_kwarg
def _instance_filter(self, request, view, keyword):
instance_kwarg = {}
instance_content_type = ContentType.objects.get_for_model(Instance)
instance_kwarg["content_type"] = instance_content_type
instance_id = request.query_params.get("instance")
project_id = request.query_params.get("project")
xform_id = request.query_params.get('xform')
if instance_id and project_id and xform_id:
for object_id in [instance_id, project_id]:
int_or_parse_error(object_id,
u"Invalid value for instanceid %s.")
instance = get_object_or_404(Instance, pk=instance_id)
# test if user has permissions on the project
if xform_id:
xform = get_object_or_404(XForm, pk=xform_id)
parent = xform.instances.filter(id=instance.id) and xform
else:
return {}
project = get_object_or_404(Project, pk=project_id)
project_qs = Project.objects.filter(pk=project.id)
if parent and parent.project == project:
projects = super(
InstancePermissionFilterMixin, self).filter_queryset(
request, project_qs, view)
instances = [instance.id] if projects else []
instance_kwarg["%s__in" % keyword] = instances
return instance_kwarg
else:
return {}
else:
return instance_kwarg
def _xform_filter(self, request, view, keyword):
"""Use XForm permissions"""
xform = request.query_params.get('xform')
public_forms = XForm.objects.none()
if xform:
int_or_parse_error(xform, u"Invalid value for formid %s.")
self.xform = get_object_or_404(XForm, pk=xform)
xform_qs = XForm.objects.filter(pk=self.xform.pk)
public_forms = XForm.objects.filter(pk=self.xform.pk,
shared_data=True)
else:
xform_qs = XForm.objects.all()
xform_qs = xform_qs.filter(deleted_at=None)
if request.user.is_anonymous:
xforms = xform_qs.filter(shared_data=True)
else:
xforms = super(XFormPermissionFilterMixin, self).filter_queryset(
request, xform_qs, view) | public_forms
return {"%s__in" % keyword: xforms}
def filter_queryset(self, request, queryset, view):
"""
Anonymous user has no object permissions, return queryset as it is.
"""
form_id = view.kwargs.get(view.lookup_field,
view.kwargs.get('xform_pk'))
lookup_field = view.lookup_field
queryset = queryset.filter(deleted_at=None)
if request.user.is_anonymous:
return queryset
if form_id:
if lookup_field == 'pk':
int_or_parse_error(
form_id, u'Invalid form ID. It must be a positive'
' integer')
try:
if lookup_field == 'uuid':
form_id = UUID(form_id)
form = queryset.get(
Q(uuid=form_id.hex) | Q(uuid=str(form_id)))
else:
xform_kwargs = {lookup_field: form_id}
form = queryset.get(**xform_kwargs)
except ObjectDoesNotExist:
raise Http404
# Check if form is public and return it
if form.shared:
if lookup_field == 'uuid':
return queryset.filter(
Q(uuid=form_id.hex) | Q(uuid=str(form_id)))
else:
return queryset.filter(Q(**xform_kwargs))
return super(AnonDjangoObjectPermissionFilter, self)\
.filter_queryset(request, queryset, view)
def filter_queryset(self, request, queryset, view):
"""
Anonymous user has no object permissions, return queryset as it is.
"""
form_id = view.kwargs.get(view.lookup_field)
queryset = queryset.filter(deleted_at=None)
if request.user.is_anonymous:
return queryset
if form_id and view.lookup_field == 'pk':
int_or_parse_error(form_id, u'Invalid form ID: %s')
if form_id:
xform_kwargs = {view.lookup_field: form_id}
# check if form is public and return it
try:
form = queryset.get(**xform_kwargs)
except ObjectDoesNotExist:
raise Http404
if form.shared:
return queryset.filter(Q(**xform_kwargs))
return super(AnonDjangoObjectPermissionFilter, self)\
.filter_queryset(request, queryset, view)
def test_int_or_parse_error_with_valid_value(self):
valid_val = "100"
returned_val = int_or_parse_error(valid_val,
u"Invalid value for formid")
self.assertIsNone(returned_val)
def test_int_or_parse_error_with_html_str(self):
html_str = "<p>thisishtml<p>"
with self.assertRaises(ParseError) as err:
int_or_parse_error(html_str, u"Invalid value for formid")
self.assertEqual(err.exception.args[0], 'Invalid value for formid')
def test_int_or_parse_error_with_url(self):
url = "http://api.ona.iovrocndwm.detectify.io"
with self.assertRaises(ParseError) as err:
int_or_parse_error(url, u"Invalid value for formid")
self.assertEqual(err.exception.args[0], 'Invalid value for formid')
