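    def update(self, request, pk):
        """Update Location.

        Institute-level ``'Location'`` privilege may change anything. Otherwise
        the location must not be reusable, the request must not change the
        ``reusable`` flag, and the caller needs ``UpdE`` on at least one body of
        every event that uses this location.

        Returns the parent ``update`` response on success, otherwise the
        ``forbidden_no_privileges()`` response.
        """
        profile = request.user.profile

        # Institute privilege short-circuits every other check.
        if user_has_insti_privilege(profile, 'Location'):
            return super().update(request, pk)

        # NOTE(review): raises Location.DoesNotExist (HTTP 500) for an unknown
        # pk; get_object_or_404 would yield a 404 instead — confirm preference.
        location = Location.objects.get(id=pk)

        # Reusable locations are reserved for institute privilege. Previously
        # this was only enforced when 'reusable' was present in the payload,
        # so omitting the field bypassed it.
        if location.reusable:
            return forbidden_no_privileges()

        # Nobody without institute privilege may flip the reusable flag.
        # NOTE(review): the comparison is against the raw payload value; a
        # form-encoded "false" would not equal False — confirm the parser in use.
        if 'reusable' in request.data and request.data['reusable'] != location.reusable:
            return forbidden_no_privileges()

        # Every event using the location must grant UpdE via one of its bodies.
        # NOTE(review): a location with no events passes this loop without any
        # privilege check — confirm that is intended.
        for event in location.events.all():
            body_ids = (str(body.id) for body in event.bodies.all())
            if not any(user_has_privilege(profile, body_id, 'UpdE') for body_id in body_ids):
                return forbidden_no_privileges()

        return super().update(request, pk)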
ファイル: views.py プロジェクト: MayuBhattu/IITBapp
    def update(self, request, pk):
        """Update Event.

        Needs BodyRole with `UpdE` for at least one associated body.
        Disassociating bodies from the event requires the `DelE`
        permission and associating needs `AddE`.

        On success ``request.data['venue_ids']`` is rewritten to the ids of
        newly created unreusable venues followed by the ids of venues kept
        from the current event, then the parent ``update`` is called. Every
        failed check returns ``forbidden_no_privileges()``.
        """
        profile = request.user.profile

        # An event must keep at least one body.
        new_bodies_id = request.data.get('bodies_id')
        if not new_bodies_id:
            return forbidden_no_privileges()

        # Work out which bodies are being attached and detached.
        event = self.get_event(pk)
        old_bodies_id = [str(body.id) for body in event.bodies.all()]
        added_bodies = diff_set(new_bodies_id, old_bodies_id)
        removed_bodies = diff_set(old_bodies_id, new_bodies_id)

        def holds_on_all(body_ids, permission):
            # True when the caller has `permission` on every listed body
            # (vacuously True for an empty list).
            return all(user_has_privilege(profile, body_id, permission)
                       for body_id in body_ids)

        allowed = (
            holds_on_all(added_bodies, 'AddE')
            and holds_on_all(removed_bodies, 'DelE')
            and any(user_has_privilege(profile, body_id, 'UpdE')
                    for body_id in old_bodies_id)
        )
        if not allowed:
            return forbidden_no_privileges()

        # Venues: keep the ones whose names are still listed, create the rest
        # as unreusable locations; venues no longer listed are simply dropped.
        # NOTE(review): 'venue_names' is read unguarded — a payload without it
        # raises KeyError (HTTP 500); confirm the serializer requires it.
        old_venue_names = [venue.name for venue in event.venues.all()]
        new_venue_names = request.data['venue_names']
        added_venues = diff_set(new_venue_names, old_venue_names)
        common_venues = list(set(old_venue_names).intersection(new_venue_names))
        common_venue_ids = [
            str(venue.id) for venue in event.venues.filter(name__in=common_venues)
        ]
        request.data['venue_ids'] = (
            create_unreusable_locations(added_venues) + common_venue_ids)

        return super().update(request, pk)
ファイル: views.py プロジェクト: vinitdoke/IITBapp
    def destroy(self, request, pk):
        """Delete a BodyRole.

        Institute-level ``RoleB`` privilege may delete any role. Otherwise the
        caller needs the ``Role`` privilege on the role's body, and a role that
        still has former users attached is never deleted this way (both cases
        answer with ``forbidden_no_privileges()``).
        """
        profile = request.user.profile
        if user_has_insti_privilege(profile, 'RoleB'):
            return super().destroy(request, pk)

        # NOTE(review): BodyRole.DoesNotExist surfaces as HTTP 500 for an
        # unknown pk — confirm whether a 404 is preferred.
        body_role = BodyRole.objects.get(id=pk)
        allowed = user_has_privilege(profile, str(body_role.body.id), 'Role')

        # Former users keep a history on this role, so it is not deletable here.
        if not allowed or body_role.former_users.exists():
            return forbidden_no_privileges()

        return super().destroy(request, pk)
ファイル: views.py プロジェクト: vinitdoke/IITBapp
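    def update(self, request, pk):
        """Update/Verify an achievement.

        Needs BodyRole with `VerA` or can patch own achievement.

        An owner sending ``PATCH`` may only toggle ``hidden`` on their own
        achievement; nothing else in the payload is applied. Any other update
        needs ``VerA`` on the achievement's body and must keep ``body``
        unchanged.

        Returns 204 for the owner toggle, 400 when ``hidden`` is missing on
        that path or when ``body`` is missing/changed, the
        ``forbidden_no_privileges()`` response without ``VerA``, and otherwise
        the parent ``update`` response. Raises Http404 for an unknown pk.
        """
        achievement = get_object_or_404(self.queryset, id=pk)
        profile = request.user.profile

        # Owner PATCH path: only the 'hidden' flag is touched.
        if request.method == 'PATCH' and profile == achievement.user:
            if 'hidden' not in request.data:
                # Previously a KeyError (HTTP 500); reject explicitly instead.
                return Response(
                    {
                        "message": "missing field",
                        "detail": "'hidden' is required."
                    },
                    status=400)
            # NOTE(review): bool() of a form-encoded string such as "false" is
            # True; JSON payloads carry a real bool — confirm the parser in use.
            achievement.hidden = bool(request.data['hidden'])
            achievement.save(update_fields=['hidden'])
            return Response(status=204)

        # NOTE(review): other views pass str(body.id); confirm
        # user_has_privilege accepts the raw id as well.
        if not user_has_privilege(profile, achievement.body.id, "VerA"):
            return forbidden_no_privileges()

        # The body an achievement belongs to is immutable through this endpoint.
        body = request.data.get('body')
        if not body or body != str(achievement.body.id):
            return Response(
                {
                    "message":
                    "invalid body",
                    "detail":
                    "The body for this achievement is changed or invalid."
                },
                status=400)

        return super().update(request, pk)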
ファイル: views.py プロジェクト: vinitdoke/IITBapp
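    def claim_secret(self, request, pk):
        """Claim and try to get an achievement with its secret.

        The offer is unlocked when the submitted ``secret`` equals the offer's
        stored secret or the current TOTP code derived from it. Returns 201 on
        a new unlock, 200 with a message when the caller already holds the
        achievement, and ``forbidden_no_privileges()`` for a missing,
        non-string or wrong secret, or an offer that has no secret.
        Raises Http404 for an unknown pk.
        """
        import hmac  # stdlib; local import keeps the change self-contained

        offer = get_object_or_404(self.queryset, id=pk)

        # A missing or non-string secret can never match; treat it as a wrong
        # guess rather than letting KeyError/TypeError surface as HTTP 500.
        secret = request.data.get('secret')
        if not offer.secret or not isinstance(secret, str):
            return forbidden_no_privileges()

        def matches(expected):
            # Constant-time comparison so response timing does not leak how
            # much of the secret matched; utf-8 bytes are accepted for any
            # content, unlike str operands which must be ASCII.
            return hmac.compare_digest(
                secret.encode('utf-8'), expected.encode('utf-8'))

        # The TOTP code is only derived when the static secret does not match.
        if not (matches(offer.secret) or matches(pyotp.TOTP(offer.secret).now())):
            return forbidden_no_privileges()

        profile = request.user.profile
        # NOTE(review): this check-then-create is not atomic; two concurrent
        # claims could both pass — a DB unique constraint on (user, offer)
        # would close that window. Behaviour kept as is.
        if profile.achievements.filter(offer=offer).exists():
            return Response(
                {'message': 'You already have this achievement!'})

        # Secret-claimed achievements are recorded as verified and dismissed.
        Achievement.objects.create(title=offer.title,
                                   description=offer.description,
                                   admin_note='SECRET',
                                   body=offer.body,
                                   event=offer.event,
                                   verified=True,
                                   dismissed=True,
                                   user=profile,
                                   offer=offer)

        return Response({'message': 'Achievement unlocked successfully!'},
                        201)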
ファイル: views.py プロジェクト: thenotsodarkknight/IITBapp
    def update(self, request, pk):
        """Update Body.

        Needs the `UpdB` permission on the body ``pk``; otherwise the
        ``forbidden_no_privileges()`` response is returned.
        """
        allowed = user_has_privilege(request.user.profile, pk, 'UpdB')
        if allowed:
            return super().update(request, pk)
        return forbidden_no_privileges()
    def destroy(self, request, pk):
        """Delete a BodyRole.

        Institute-level ``RoleB`` privilege may delete any role; otherwise the
        caller needs the ``Role`` privilege on the role's body, else
        ``forbidden_no_privileges()`` is returned.
        """
        profile = request.user.profile
        if user_has_insti_privilege(profile, 'RoleB'):
            return super().destroy(request, pk)

        # NOTE(review): BodyRole.DoesNotExist surfaces as HTTP 500 for an
        # unknown pk — confirm whether a 404 is preferred.
        role = BodyRole.objects.get(id=pk)
        if user_has_privilege(profile, str(role.body.id), 'Role'):
            return super().destroy(request, pk)
        return forbidden_no_privileges()
ファイル: views.py プロジェクト: vinitdoke/IITBapp
    def create(self, request):
        """Make a request to a body for a new achievement.

        A non-empty ``body`` is mandatory; without one the request is answered
        with ``forbidden_no_privileges()`` instead of being created.
        """
        if request.data.get('body'):
            return super().create(request)
        return forbidden_no_privileges()
ファイル: views.py プロジェクト: thenotsodarkknight/IITBapp
    def create(self, request):
        """Create Event.

        Needs `AddE` permission for each body to be associated. A request
        without a non-empty ``bodies_id`` is refused with
        ``forbidden_no_privileges()``; on success the venue names are turned
        into freshly created unreusable locations whose ids are written to
        ``request.data['venue_ids']`` before delegating to the parent.
        """
        bodies_id = request.data.get('bodies_id')
        if not bodies_id:
            return forbidden_no_privileges()

        # Every body to be attached must grant AddE to the caller.
        profile = request.user.profile
        for body_id in bodies_id:
            if not user_has_privilege(profile, body_id, 'AddE'):
                return forbidden_no_privileges()

        # NOTE(review): 'venue_names' is read unguarded; a missing key raises
        # KeyError (HTTP 500) — confirm the serializer requires it.
        venue_names = request.data['venue_names']
        request.data['venue_ids'] = create_unreusable_locations(venue_names)
        return super().create(request)
    def create(self, request):
        """Create a BodyRole.

        Institute-level ``RoleB`` privilege may create roles anywhere.
        Otherwise ``body`` is required (400 when missing or empty) and the
        caller needs the ``Role`` privilege on that body, else
        ``forbidden_no_privileges()`` is returned.
        """
        profile = request.user.profile
        if user_has_insti_privilege(profile, 'RoleB'):
            return super().create(request)

        body_id = request.data.get('body')
        if not body_id:
            return Response({"body": "body is required"}, status=400)
        if user_has_privilege(profile, body_id, 'Role'):
            return super().create(request)
        return forbidden_no_privileges()
ファイル: views.py プロジェクト: vinitdoke/IITBapp
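    def create(self, request):
        """Offer a new achievement for an event.

        Needs `AddE` on the body given in ``request.data['body']``. A request
        without a non-empty ``body`` is refused with
        ``forbidden_no_privileges()`` (previously it raised KeyError, i.e.
        HTTP 500), matching how achievement requests without a body are
        handled.
        """
        body_id = request.data.get('body')
        if not body_id:
            return forbidden_no_privileges()

        # Offering is gated on the same privilege as adding events for the body.
        if not user_has_privilege(request.user.profile, body_id, "AddE"):
            return forbidden_no_privileges()

        return super().create(request)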
ファイル: views.py プロジェクト: thenotsodarkknight/IITBapp
    def destroy(self, request, pk):
        """Delete Event.

        Needs `DelE` permission for all associated bodies; otherwise
        ``forbidden_no_privileges()`` is returned.
        """
        profile = request.user.profile
        event = self.get_event(pk)

        # NOTE(review): an event with no bodies passes this check vacuously;
        # create/update refuse body-less events, so it should not occur — confirm.
        for body in event.bodies.all():
            if not user_has_privilege(profile, str(body.id), 'DelE'):
                return forbidden_no_privileges()

        return super().destroy(request, pk)
ファイル: views.py プロジェクト: vinitdoke/IITBapp
    def destroy(self, request, pk):
        """Delete an offered achievement.

        Needs `AddE` on the offer's body (the same privilege that created the
        offer); otherwise ``forbidden_no_privileges()`` is returned.
        Raises Http404 for an unknown pk.
        """
        offer = get_object_or_404(self.queryset, id=pk)

        allowed = user_has_privilege(request.user.profile, offer.body.id, "AddE")
        if allowed:
            return super().destroy(request, pk)
        return forbidden_no_privileges()
ファイル: views.py プロジェクト: vinitdoke/IITBapp
    def update(self, request, pk):
        """Update Event.

        Needs BodyRole with `UpdE` for at least one associated body.
        Disassociating bodies from the event requires the `DelE`
        permission and associating needs `AddE` (both enforced by
        ``can_update_bodies``). On success ``request.data['venue_ids']`` is
        filled from the venue names before delegating to the parent; every
        failed check returns ``forbidden_no_privileges()``.
        """
        bodies_id = request.data.get('bodies_id')
        if not bodies_id:
            return forbidden_no_privileges()

        event = self.get_event(pk)
        if not can_update_bodies(bodies_id, event, request.user.profile):
            return forbidden_no_privileges()

        # NOTE(review): 'venue_names' is read unguarded; a missing key raises
        # KeyError (HTTP 500) — confirm the serializer requires it.
        venue_names = request.data['venue_names']
        request.data['venue_ids'] = get_update_venue_ids(venue_names, event)

        return super().update(request, pk)
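    def update(self, request, pk):
        """Update a BodyRole.

        Institute-level ``RoleB`` privilege may update any role. Otherwise
        ``body`` must be present (400 when missing) and equal to the role's
        current body — a role's body is immutable, 400 otherwise — and the
        caller needs the ``Role`` privilege on that body, else
        ``forbidden_no_privileges()`` is returned.
        """
        profile = request.user.profile
        if user_has_insti_privilege(profile, 'RoleB'):
            return super().update(request, pk)

        # NOTE(review): BodyRole.DoesNotExist surfaces as HTTP 500 for an
        # unknown pk — confirm whether a 404 is preferred.
        body_id = str(BodyRole.objects.get(id=pk).body.id)

        # A missing 'body' used to raise KeyError (HTTP 500); report it as a
        # 400 in the same shape the create view uses.
        if 'body' not in request.data:
            return Response({"body": "body is required"}, status=400)
        if request.data['body'] != body_id:
            return Response({
                'message': 'body is immutable',
                'detail': 'Body cannot be changed. Create a new role.'
            }, status=400)

        if not user_has_privilege(profile, body_id, 'Role'):
            return forbidden_no_privileges()
        return super().update(request, pk)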
ファイル: views.py プロジェクト: vinitdoke/IITBapp
    def destroy(self, request, pk):
        """Delete an achievement or request.

        Needs BodyRole with `VerA` on the achievement's body; otherwise
        ``forbidden_no_privileges()`` is returned. Raises Http404 for an
        unknown pk.
        """
        achievement = get_object_or_404(self.queryset, id=pk)

        profile = request.user.profile
        if user_has_privilege(profile, achievement.body.id, "VerA"):
            return super().destroy(request, pk)
        return forbidden_no_privileges()
ファイル: views.py プロジェクト: vinitdoke/IITBapp
    def list_body(self, request, pk):
        """List a body's achievements and requests.

        Needs ``VerA`` on the body ``pk``, else ``forbidden_no_privileges()``;
        dismissed entries are excluded from the listing.
        """
        if not user_has_privilege(request.user.profile, pk, "VerA"):
            return forbidden_no_privileges()

        # NOTE(review): reassigning self.queryset mutates the view instance;
        # fine if the framework instantiates one view per request — confirm.
        queryset = AchievementUserSerializer.setup_eager_loading(self.queryset)
        self.queryset = queryset.filter(body__id=pk, dismissed=False)

        serializer = AchievementUserSerializer(
            self.queryset, many=True, context={'request': request})
        return Response(serializer.data)
ファイル: views.py プロジェクト: vinitdoke/IITBapp
    def update_me(self, request):
        """Update current user.

        An ``fcm_id`` in the payload is removed and handed to
        ``update_fcm_device`` instead of being stored on the profile. Every
        remaining field must be listed in ``UserProfile.ExMeta.user_editable``,
        else ``forbidden_no_privileges()`` is returned. The call also counts
        as a ping (``last_ping``/``active``). Returns the serialized profile,
        or the serializer errors with status 400.
        """
        data = request.data

        # NOTE(review): pop() assumes a mutable mapping; an immutable
        # QueryDict (form-encoded request) would raise here — confirm parsers.
        if 'fcm_id' in data:
            update_fcm_device(request, data.pop('fcm_id', None))

        # Only explicitly exposed fields may be written through this endpoint.
        editable = UserProfile.ExMeta.user_editable
        if not all(field in editable for field in data):
            return forbidden_no_privileges()

        profile = request.user.profile
        profile.last_ping = timezone.now()
        profile.active = True

        serializer = UserProfileFullSerializer(
            profile, data=data, context=self.get_serializer_context())
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data)
        return Response(serializer.errors, status=400)