コード例 #1
def user_is_owner_or_service_manager(request, view, obj=None):
    """Object-level permission check for offerings and resources.

    Returns without raising when any of the following holds:

    * ``obj`` is falsy (no object-level check is performed);
    * ``obj`` is a ``models.Resource`` and the user passes
      ``_has_owner_access`` for the customer resolved by ``_get_customer``;
    * the user is attached to the offering (``offering.has_user``);
    * the user passes ``_has_owner_access`` for the offering's customer;
    * the user holds the ``SERVICE_MANAGER`` role on the offering's customer.

    Raises:
        exceptions.PermissionDenied: when none of the above applies.
    """
    if not obj:
        return

    if isinstance(obj, models.Offering):
        offering = obj
    elif isinstance(obj, models.Resource):
        resource_customer = structure_permissions._get_customer(obj)
        if structure_permissions._has_owner_access(request.user, resource_customer):
            return
        offering = obj.offering
    else:
        # NOTE(review): any other object type passes without a check (fail-open).
        # Confirm every view wiring this callable only hands it Offering or
        # Resource instances; otherwise denying here would be the safer default.
        return

    user = request.user
    if offering.has_user(user):
        return

    provider = offering.customer
    permitted = (
        structure_permissions._has_owner_access(user, provider)
        or provider.has_user(
            user, role=structure_models.CustomerRole.SERVICE_MANAGER)
    )
    if not permitted:
        raise exceptions.PermissionDenied()
コード例 #2
def user_can_update_thumbnail(request, view, obj=None):
    """Object-level permission check for updating an offering's logo.

    A falsy ``obj`` and staff users pass immediately; for staff the offering
    state is not consulted. Everyone else may proceed only while the offering
    is ACTIVE, DRAFT or PAUSED, and only if they pass ``_has_owner_access`` for
    the offering's customer or hold the ``SERVICE_MANAGER`` role on it.

    Raises:
        exceptions.PermissionDenied: for a non-staff user when the offering is
            in any other state (with an explanatory message), or when the user
            has neither of the two roles (without a message).
    """
    if not obj:
        return

    user = request.user
    if user.is_staff:
        return

    current_state = obj.state
    editable_states = (
        models.Offering.States.ACTIVE,
        models.Offering.States.DRAFT,
        models.Offering.States.PAUSED,
    )
    if current_state not in editable_states:
        raise exceptions.PermissionDenied(
            _('You are not allowed to update a logo.'))

    provider = obj.customer
    if structure_permissions._has_owner_access(user, provider):
        return
    if provider.has_user(
            user, role=structure_models.CustomerRole.SERVICE_MANAGER):
        return

    raise exceptions.PermissionDenied()
コード例 #3
ファイル: permissions.py プロジェクト: yyri/waldur-mastermind
def check_availability_of_auto_approving(items, user, project):
    """Decide whether an order made of *items* may skip manual approval.

    The rules are evaluated in order and the first match wins:

    1. Staff users: always ``True``.
    2. Every item targets a private offering: the result of
       ``_has_admin_access(user, project)``.
    3. Every item targets a shared offering owned by the project's own
       customer whose ``plugin_options`` has
       ``auto_approve_in_service_provider_projects`` set to exactly ``True``.
    4. A single TERMINATE item whose offering customer the user passes
       ``_has_owner_access`` for.
    5. Otherwise whatever ``user_can_approve_order(user, project)`` returns.

    NOTE(review): ``all()`` over an empty *items* is ``True``, so an empty
    order is decided by rule 2. Confirm callers never pass an empty list, or
    that this outcome is intended.
    """
    if user.is_staff:
        return True

    # Private offerings need no provider approval, only project-level access.
    if all(item.offering.is_private for item in items):
        return structure_permissions._has_admin_access(user, project)

    def _provider_auto_approves(item):
        # Shared offering of the same organization that opted in explicitly;
        # `is True` rejects truthy-but-not-boolean option values.
        offering = item.offering
        return (
            offering.shared
            and offering.customer == project.customer
            and offering.plugin_options.get(
                'auto_approve_in_service_provider_projects'
            )
            is True
        )

    if all(map(_provider_auto_approves, items)):
        return True

    # A service provider owner does not have to approve a termination order.
    if len(items) == 1:
        only_item = items[0]
        if (
            only_item.type == models.OrderItem.Types.TERMINATE
            and structure_permissions._has_owner_access(
                user, only_item.offering.customer
            )
        ):
            return True

    return user_can_approve_order(user, project)
コード例 #4
ファイル: views.py プロジェクト: yashodhank/ve-waldur-v2
 def can_delete_bid(request, view, obj=None):
     """Object-level permission check for deleting a bid.

     Passes for a falsy ``obj``, for staff users, and for users who pass
     ``_has_owner_access`` for the customer of the bid's team.

     Raises:
         exceptions.PermissionDenied: for every other user.
     """
     if not obj:
         return

     user = request.user
     if user.is_staff:
         return

     if structure_permissions._has_owner_access(user, obj.team.customer):
         return
     raise exceptions.PermissionDenied()
コード例 #5
ファイル: views.py プロジェクト: virtengine/ve-waldur-v2
    def create(self, request):
        """Create an object after checking access to the customer named in the payload.

        The payload is validated here only to read the target ``customer``;
        creation itself is delegated to the parent ``create``, which receives
        the original request.

        Raises:
            exceptions.PermissionDenied: when the requesting user does not pass
                ``_has_owner_access`` for that customer.
        """
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)

        # The customer comes from the client, so it is authorized before any
        # object is created on its behalf.
        target_customer = serializer.validated_data['customer']
        owner_ok = structure_permissions._has_owner_access(
            request.user, target_customer)
        if not owner_ok:
            raise exceptions.PermissionDenied()

        return super(CreateByStaffOrOwnerMixin, self).create(request)
コード例 #6
ファイル: views.py プロジェクト: yashodhank/ve-waldur-v2
    def is_owner(request, view, obj=None):
        """Object-level permission check for an expert request.

        Passes for a falsy ``obj`` and for users who pass ``_has_owner_access``
        for the customer of the request's project.

        Raises:
            exceptions.PermissionDenied: for every other user.
        """
        if not obj:
            return

        user = request.user
        project_customer = obj.project.customer
        if structure_permissions._has_owner_access(user, project_customer):
            return
        raise exceptions.PermissionDenied()
コード例 #7
 def set_usage(self, request, *args, **kwargs):
     """Store usage data submitted for a marketplace resource.

     The resource is resolved from the validated ``plan_period``; the caller
     must pass ``_has_owner_access`` for the customer of the resource's
     offering before anything is saved.

     Returns:
         An empty ``Response`` with status 201.

     Raises:
         PermissionDenied: when the access check fails.
     """
     serializer = self.get_serializer(data=request.data)
     serializer.is_valid(raise_exception=True)

     resource = serializer.validated_data['plan_period'].resource
     user = request.user
     provider = resource.offering.customer
     # NOTE(review): the message below says staff are accepted as well;
     # presumably `_has_owner_access` lets staff through -- confirm in that helper.
     if not _has_owner_access(user, provider):
         raise PermissionDenied(
             _('Only staff and service provider owner is allowed '
               'to submit usage data for marketplace resource.'))

     serializer.save()
     return Response(status=status.HTTP_201_CREATED)
コード例 #8
    def validate(self, attrs):
        """Validate allocation input and, on create, authorize the requesting user.

        When ``self.instance`` is set (an update) the parent-validated
        attributes are returned without further checks.

        Raises:
            rf_exceptions.PermissionDenied: on create, when the requesting user
                does not pass ``_has_owner_access`` for the customer of the
                linked project.
        """
        validated = super(AllocationSerializer, self).validate(attrs)

        # NOTE(review): updates skip the ownership check below; presumably the
        # view enforces object permissions for updates -- confirm.
        if self.instance:
            return validated

        link = validated['service_project_link']
        requester = self.context['request'].user
        if _has_owner_access(requester, link.project.customer):
            return validated

        raise rf_exceptions.PermissionDenied(
            _('You do not have permissions to create allocation for given project.'
              ))
コード例 #9
def user_can_terminate_resource(request, view, resource=None):
    """Object-level permission check for terminating a resource.

    Passes for a falsy ``resource``, for users who pass ``_has_admin_access``
    on the resource's project, and for users who pass ``_has_owner_access``
    for the customer of the resource's offering (the service provider).

    Raises:
        exceptions.PermissionDenied: for every other user.
    """
    if not resource:
        return

    user = request.user
    may_terminate = (
        # Consumer side: project manager/admin and customer owner.
        structure_permissions._has_admin_access(user, resource.project)
        # Provider side: owner of the offering's customer.
        or structure_permissions._has_owner_access(
            user, resource.offering.customer)
    )
    if not may_terminate:
        raise exceptions.PermissionDenied()
コード例 #10
def user_is_service_provider_owner_or_service_provider_manager(
        request, view, obj=None):
    """Object-level permission check against the provider of ``obj.offering``.

    Passes for a falsy ``obj``, for users who pass ``_has_owner_access`` for
    the offering's customer, and for users holding the ``SERVICE_MANAGER``
    role on that customer.

    Raises:
        exceptions.PermissionDenied: for every other user.
    """
    if not obj:
        return

    user = request.user
    provider = obj.offering.customer

    is_provider_owner = structure_permissions._has_owner_access(user, provider)
    if is_provider_owner:
        return

    is_provider_manager = provider.has_user(
        user, role=structure_models.CustomerRole.SERVICE_MANAGER)
    if not is_provider_manager:
        raise exceptions.PermissionDenied()
コード例 #11
def check_availability_of_auto_approving(items, user, project):
    """Decide whether an order made of *items* may skip manual approval.

    Rules, first match wins:

    1. Staff users: always ``True``.
    2. Every item targets a private offering: the result of
       ``_has_admin_access(user, project)``.
    3. A single TERMINATE item whose offering customer the user passes
       ``_has_owner_access`` for.
    4. Otherwise whatever ``user_can_approve_order(user, project)`` returns.

    NOTE(review): ``all()`` over an empty *items* is ``True``, so an empty
    order is decided by rule 2. Confirm callers never pass an empty list, or
    that this outcome is intended.
    """
    if user.is_staff:
        return True

    # Private offerings need no provider approval, only project-level access.
    only_private = all(item.offering.is_private for item in items)
    if only_private:
        return structure_permissions._has_admin_access(user, project)

    # A service provider owner does not have to approve a termination order.
    if len(items) == 1:
        sole_item = items[0]
        is_termination = sole_item.type == models.OrderItem.Types.TERMINATE
        if is_termination and structure_permissions._has_owner_access(
                user, sole_item.offering.customer):
            return True

    return user_can_approve_order(user, project)
コード例 #12
ファイル: serializers.py プロジェクト: yyri/waldur-mastermind
def get_payment_profiles(serializer, customer):
    """Serialize the payment profiles of *customer* that the requester may see.

    Staff and support users receive every profile. Users who pass
    ``_has_owner_access`` for the customer receive only profiles with
    ``is_active=True``. Anyone else gets ``None``, so no profile data is
    returned to them.

    The request is read from ``serializer.context`` and forwarded to the
    nested ``PaymentProfileSerializer``.
    """
    request = serializer.context['request']
    user = request.user

    if user.is_staff or user.is_support:
        visible_profiles = customer.paymentprofile_set.all()
    elif structure_permissions._has_owner_access(user, customer):
        # Owners are limited to active profiles.
        visible_profiles = customer.paymentprofile_set.filter(is_active=True)
    else:
        return None

    return PaymentProfileSerializer(
        visible_profiles,
        many=True,
        context={'request': request},
    ).data
コード例 #13
def user_can_approve_order(user, project):
    """Return ``True`` when *user* may approve orders in *project*.

    Staff can always approve. For everyone else each role counts only while
    its ``WALDUR_MARKETPLACE`` switch is enabled:

    * ``OWNER_CAN_APPROVE_ORDER`` with ``_has_owner_access`` on the project's
      customer;
    * ``MANAGER_CAN_APPROVE_ORDER`` with ``_has_manager_access`` on the project;
    * ``ADMIN_CAN_APPROVE_ORDER`` with ``_has_admin_access`` on the project.

    With every switch disabled only staff can approve.
    """
    if user.is_staff:
        return True

    switches = django_settings.WALDUR_MARKETPLACE

    # `and` keeps each access helper from running unless its switch is on;
    # `or` stops at the first role that grants approval.
    return bool(
        (switches['OWNER_CAN_APPROVE_ORDER']
         and structure_permissions._has_owner_access(user, project.customer))
        or (switches['MANAGER_CAN_APPROVE_ORDER']
            and structure_permissions._has_manager_access(user, project))
        or (switches['ADMIN_CAN_APPROVE_ORDER']
            and structure_permissions._has_admin_access(user, project))
    )
コード例 #14
def user_can_terminate_resource(request, view, resource=None):
    """Object-level permission check for terminating a resource.

    Passes for a falsy ``resource``, for users who pass ``_has_admin_access``
    on the resource's project, and for users who pass ``_has_owner_access``
    for the customer of the resource's offering (the service provider).

    Raises:
        exceptions.PermissionDenied: for every other user.
    """
    if not resource:
        return

    # The project is loaded through the `all_objects` manager by id so that a
    # resource in a soft-deleted project can still be terminated.
    owning_project = structure_models.Project.all_objects.get(
        id=resource.project_id)

    user = request.user

    # Consumer side: project manager/admin and customer owner.
    if structure_permissions._has_admin_access(user, owning_project):
        return

    # Provider side: owner of the offering's customer.
    if structure_permissions._has_owner_access(user, resource.offering.customer):
        return

    raise exceptions.PermissionDenied()
コード例 #15
ファイル: views.py プロジェクト: virtengine/ve-waldur-v2
    def get_payment(self, token):
        """
        Look up a Paypal payment by its token and authorize the current user.

        A payment that does not exist and a payment the user may not access
        both raise the same ``NotFound`` with the same message, so the
        response does not reveal whether a given token is valid.

        :param token: string
        :return: Payment object
        :raises exceptions.NotFound: unknown token, or the user does not pass
            ``_has_owner_access`` for the payment's customer
        """
        # NOTE(review): the caller-supplied token is echoed in the error
        # message; confirm the response renderer escapes or encodes it.
        error_message = "Payment with token %s does not exist" % token

        try:
            payment = models.Payment.objects.get(token=token)
        except models.Payment.DoesNotExist:
            raise exceptions.NotFound(error_message)

        requester = self.request.user
        if structure_permissions._has_owner_access(requester, payment.customer):
            return payment

        # Deliberately the same error as for a missing payment.
        raise exceptions.NotFound(error_message)
コード例 #16
ファイル: views.py プロジェクト: andromedia/waldur-mastermind
    def set_usage(self, request, *args, **kwargs):
        """Create or update usage data submitted for a marketplace resource.

        The resource is resolved from the validated ``plan_period``; the caller
        must pass ``_has_owner_access`` for the customer of the resource's
        offering before anything is saved. The outcome is written both to the
        module logger and to the matching ``log`` event helper.

        Returns:
            An empty ``Response`` with status 201, for a created record and
            for an updated one alike.

        Raises:
            PermissionDenied: when the access check fails.
        """
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)

        resource = serializer.validated_data['plan_period'].resource
        user = request.user
        provider = resource.offering.customer
        if not _has_owner_access(user, provider):
            raise PermissionDenied(
                _('Only staff and service provider owner is allowed '
                  'to submit usage data for marketplace resource.'))

        usage, created = serializer.save()

        # NOTE(review): `initial_data` is the raw request payload, not the
        # validated data. Confirm it cannot carry sensitive fields and that the
        # log pipeline tolerates client-controlled text such as embedded newlines.
        if created:
            message = 'Usage has been created. Data: %s.' % serializer.initial_data
            record_event = log.log_component_usage_creation_succeeded
        else:
            message = 'Usage has been updated. Data: %s.' % serializer.initial_data
            record_event = log.log_component_usage_updation_succeeded

        logger.info(message)
        record_event(usage)

        return Response(status=status.HTTP_201_CREATED)
コード例 #17
ファイル: views.py プロジェクト: yashodhank/ve-waldur-v2
    def check_permissions_for_state_change(request, view, order=None):
        """Object-level permission check for changing the state of an order.

        Passes for a falsy ``order`` and for staff. Any other user passes only
        through a role whose ``WALDUR_MARKETPLACE`` switch is enabled:

        * ``OWNER_CAN_APPROVE_ORDER`` with ``_has_owner_access`` on the customer
          of the order's project;
        * ``MANAGER_CAN_APPROVE_ORDER`` with ``_has_manager_access`` on the
          order's project;
        * ``ADMIN_CAN_APPROVE_ORDER`` with ``_has_admin_access`` on the order's
          project.

        Raises:
            rf_exceptions.PermissionDenied: when no rule grants access.
        """
        if not order:
            return

        user = request.user
        if user.is_staff:
            return

        switches = settings.WALDUR_MARKETPLACE

        # `and` keeps each access helper from running unless its switch is on;
        # `or` stops at the first role that grants access.
        granted = (
            (switches['OWNER_CAN_APPROVE_ORDER']
             and structure_permissions._has_owner_access(
                 user, order.project.customer))
            or (switches['MANAGER_CAN_APPROVE_ORDER']
                and structure_permissions._has_manager_access(
                    user, order.project))
            or (switches['ADMIN_CAN_APPROVE_ORDER']
                and structure_permissions._has_admin_access(
                    user, order.project))
        )
        if not granted:
            raise rf_exceptions.PermissionDenied()
コード例 #18
ファイル: serializers.py プロジェクト: yyri/waldur-mastermind
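    def validate(self, attrs):
        """Validate a new allocation's name and authorize the requesting user.

        When ``self.instance`` is set (an update) the parent-validated
        attributes are returned without further checks. On create the name
        must consist of 1 to 63 characters drawn from
        ``models.SLURM_ALLOCATION_REGEX``, and the requester must pass
        ``_has_owner_access`` for the customer of the linked project.

        Raises:
            core_serializers.ValidationError: the name is missing or does not
                match the allowed pattern.
            rf_exceptions.PermissionDenied: the requester lacks access to the
                project's customer.
        """
        attrs = super(AllocationSerializer, self).validate(attrs)
        # Skip validation on update
        # NOTE(review): updates also skip the ownership check below; presumably
        # the view enforces object permissions for updates -- confirm.
        if self.instance:
            return attrs

        # Anchor the end with \Z rather than $: `$` also matches just before a
        # trailing newline, which would let a name such as "abc\n" through.
        correct_name_regex = r'^([%s]{1,63})\Z' % models.SLURM_ALLOCATION_REGEX
        name = attrs.get('name')
        # A missing name is rejected as invalid input instead of reaching
        # re.match(), which raises TypeError on None.
        if name is None or not re.match(correct_name_regex, name):
            raise core_serializers.ValidationError(
                _(
                    "Name '%s' must be 1-63 characters long, each of "
                    "which can only be alphanumeric or a hyphen"
                )
                % name
            )

        spl = attrs['service_project_link']
        user = self.context['request'].user
        if not _has_owner_access(user, spl.project.customer):
            raise rf_exceptions.PermissionDenied(
                _('You do not have permissions to create allocation for given project.')
            )
        return attrs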