def _check_permission_association_doc(request, doc_type, document_id):
    """Return whether the requesting user passes the per-type check for
    ``document_id`` (used when documents are associated with each other).

    The rule depends on ``doc_type``:

    * ``OUTING_TYPE``  -- delegated to ``has_permission_for_outing``;
    * ``IMAGE_TYPE``   -- a personal image only by the user who created it;
    * ``ARTICLE_TYPE`` -- a personal article only by the user who created it;
    * ``XREPORT_TYPE`` -- only by the user who created it.

    Any other type, and any failed check, yields ``False`` (deny by default).
    """
    if doc_type == OUTING_TYPE:
        return bool(has_permission_for_outing(request, document_id))

    if doc_type == IMAGE_TYPE:
        # ``is_personal`` is evaluated first so collaborative images never
        # reach the creator lookup.
        return bool(
            image.is_personal(document_id)
            and has_been_created_by(document_id, request.authenticated_userid)
        )

    if doc_type == ARTICLE_TYPE:
        return bool(
            article.is_personal(document_id)
            and has_been_created_by(document_id, request.authenticated_userid)
        )

    if doc_type == XREPORT_TYPE:
        return bool(
            has_been_created_by(document_id, request.authenticated_userid)
        )

    # Unknown document type: nobody is granted access.
    return False
def _check_permission_association_doc(request, doc_type, document_id):
    """Return whether the requesting user passes the per-type check for
    ``document_id`` (used when documents are associated with each other).

    The rule depends on ``doc_type``:

    * ``OUTING_TYPE``  -- delegated to ``has_permission_for_outing``;
    * ``IMAGE_TYPE``   -- a personal image only by the user who created it;
    * ``ARTICLE_TYPE`` -- a personal article only by the user who created it;
    * ``XREPORT_TYPE`` -- by the creator or by a user associated with it
      (``is_associated_user``).

    Any other type, and any failed check, yields ``False`` (deny by default).
    """
    if doc_type == OUTING_TYPE:
        return bool(has_permission_for_outing(request, document_id))

    if doc_type == IMAGE_TYPE:
        # ``is_personal`` is evaluated first so collaborative images never
        # reach the creator lookup.
        return bool(
            image.is_personal(document_id)
            and has_been_created_by(document_id, request.authenticated_userid)
        )

    if doc_type == ARTICLE_TYPE:
        return bool(
            article.is_personal(document_id)
            and has_been_created_by(document_id, request.authenticated_userid)
        )

    if doc_type == XREPORT_TYPE:
        created = has_been_created_by(document_id, request.authenticated_userid)
        return bool(
            created
            or is_associated_user(document_id, request.authenticated_userid)
        )

    # Unknown document type: nobody is granted access.
    return False
def _has_permission(request, xreport_id):
    """Return whether the authenticated user may read the non-public parts
    of the xreport ``xreport_id`` or change it.

    Requests without an ``Authorization`` header are refused outright.
    Moderators are always allowed; every other user is allowed only if
    they created the xreport (``has_been_created_by``).
    """
    if request.authorization is None:
        return False

    is_moderator = request.has_permission('moderator')
    if is_moderator:
        return True

    return has_been_created_by(xreport_id, request.authenticated_userid)
def validate_requestor(request, **kwargs):
    """Validator for document deletion.

    Adds an entry to ``request.errors`` (location ``querystring``) when
    the requesting user may not delete the document identified by
    ``request.validated['id']`` / ``['document_type']``:

    * moderators may delete anything;
    * waypoints, routes and books can never be deleted this way;
    * documents older than 24h (``is_less_than_24h_old``) are refused;
    * outings and xreports only by their initial author;
    * images and articles only when personal and created by the user.

    Returns without recording anything when ``id`` or ``document_type``
    is missing from ``request.validated``.  ``kwargs`` is accepted for
    validator-signature compatibility and not used.
    """
    if request.has_permission('moderator'):
        return

    validated = request.validated
    if 'id' not in validated or 'document_type' not in validated:
        return

    document_id = validated['id']
    document_type = validated['document_type']

    def reject(field, message):
        request.errors.add('querystring', field, message)

    # Collaborative document types are never deletable by a plain user.
    if document_type in (WAYPOINT_TYPE, ROUTE_TYPE, BOOK_TYPE):
        reject('document_type', 'No permission to delete this document')
        return

    if not is_less_than_24h_old(document_id):
        reject('document_id',
               'Only document less than 24h old can be deleted')
        return

    user_id = request.authenticated_userid

    if document_type in (OUTING_TYPE, XREPORT_TYPE):
        if not has_been_created_by(document_id, user_id):
            reject('document_id',
                   'Only the initial author can delete this document')
        return

    if document_type == IMAGE_TYPE:
        personal = image.is_personal(document_id)
    elif document_type == ARTICLE_TYPE:
        personal = article.is_personal(document_id)
    else:
        personal = False

    if personal and has_been_created_by(document_id, user_id):
        # Deletion is legal: nothing to report.
        return

    reject('document_id', 'No permission to delete this document')
def put(self):
    """Update an image (``PUT``).

    Moderators may change anything.  For other users two rules are
    enforced before ``_put`` is called:

    * the ``image_type`` of a ``'collaborative'`` image cannot be changed
      (``HTTPBadRequest``);
    * any other image can only be changed by the user who created it
      (``HTTPForbidden``).

    Raises ``HTTPNotFound`` when ``request.validated['id']`` matches no
    image.
    """
    request = self.request
    if request.has_permission('moderator'):
        return self._put(Image, schema_image)

    image_id = request.validated['id']
    # Named ``stored`` rather than ``image`` to avoid shadowing the
    # ``image`` module used elsewhere in this file.
    stored = DBSession.query(Image).get(image_id)
    if stored is None:
        raise HTTPNotFound('No image found for id {}'.format(image_id))

    if stored.image_type == 'collaborative':
        requested_type = request.validated['document']['image_type']
        if requested_type != stored.image_type:
            raise HTTPBadRequest(
                'Image type cannot be changed for collaborative images'
            )
    elif not has_been_created_by(image_id, request.authenticated_userid):
        # Personal images: only the creator (or a moderator) may edit.
        raise HTTPForbidden('No permission to change this image')

    return self._put(Image, schema_image)
def put(self):
    """Update an image (``PUT``).

    Moderators may change anything.  For other users two rules are
    enforced before ``_put`` is called:

    * the ``image_type`` of a ``'collaborative'`` image cannot be changed
      (``HTTPBadRequest``);
    * any other image can only be changed by the user who created it
      (``HTTPForbidden``).

    Raises ``HTTPNotFound`` when ``request.validated['id']`` matches no
    image.
    """
    request = self.request
    if request.has_permission('moderator'):
        return self._put(Image, schema_image)

    image_id = request.validated['id']
    # Named ``stored`` rather than ``image`` to avoid shadowing the
    # ``image`` module used elsewhere in this file.
    stored = DBSession.query(Image).get(image_id)
    if stored is None:
        raise HTTPNotFound('No image found for id %d' % image_id)

    if stored.image_type == 'collaborative':
        requested_type = request.validated['document']['image_type']
        if requested_type != stored.image_type:
            raise HTTPBadRequest(
                'Image type cannot be changed for collaborative images'
            )
    elif not has_been_created_by(image_id, request.authenticated_userid):
        # Personal images: only the creator (or a moderator) may edit.
        raise HTTPForbidden('No permission to change this image')

    return self._put(Image, schema_image)
def _has_permission(request, xreport_id):
    """Return whether the authenticated user may read the non-public parts
    of the xreport ``xreport_id`` or change it.

    Requests without an ``Authorization`` header are refused outright.
    Moderators are always allowed; every other user is allowed only if
    they created the xreport (``has_been_created_by``) or are associated
    with it (``is_associated_user``).
    """
    if request.authorization is None:
        return False

    if request.has_permission('moderator'):
        return True

    user_id = request.authenticated_userid
    return bool(
        has_been_created_by(xreport_id, user_id)
        or is_associated_user(xreport_id, user_id)
    )
def put(self):
    """Update an article (``PUT``).

    Moderators may change anything.  For other users two rules are
    enforced before ``_put`` is called:

    * the ``article_type`` of a ``'collab'`` article cannot be changed
      (``HTTPBadRequest``);
    * any other article can only be changed by the user who created it
      (``HTTPForbidden``).

    Raises ``HTTPNotFound`` when ``request.validated['id']`` matches no
    article.
    """
    request = self.request
    if request.has_permission('moderator'):
        return self._put(Article, schema_article)

    article_id = request.validated['id']
    # Named ``stored`` rather than ``article`` to avoid shadowing the
    # ``article`` module used elsewhere in this file.
    stored = DBSession.query(Article).get(article_id)
    if stored is None:
        raise HTTPNotFound(
            'No article found for id {}'.format(article_id))

    if stored.article_type == 'collab':
        requested_type = request.validated['document']['article_type']
        if requested_type != stored.article_type:
            raise HTTPBadRequest(
                'Article type cannot be changed for collaborative articles')
    elif not has_been_created_by(article_id, request.authenticated_userid):
        # Personal articles: only the creator (or a moderator) may edit.
        raise HTTPForbidden('No permission to change this article')

    return self._put(Article, schema_article)
def validate_personal_association(
        request, parent_document_id, parent_document_type,
        child_document_id, child_document_type, raise_exc,
        doc_type, is_personal, label):
    """Refuse association changes on personal documents the user did not
    create.

    Of the parent and child documents, those whose type equals
    ``doc_type`` are checked: when ``is_personal(document_id)`` holds and
    ``has_been_created_by`` does not, the error
    ``'no rights to modify associations with <label> <id>'`` is either
    raised as ``HTTPBadRequest`` (``raise_exc`` true) or recorded in
    ``request.errors`` under ``associations.<label>s``.
    """
    candidates = set()
    for document_id, document_type in (
            (parent_document_id, parent_document_type),
            (child_document_id, child_document_type)):
        if document_type == doc_type:
            candidates.add(document_id)

    for document_id in candidates:
        if not is_personal(document_id):
            continue
        if has_been_created_by(document_id, request.authenticated_userid):
            continue

        msg = 'no rights to modify associations with {} {}'.format(
            label, document_id)
        if raise_exc:
            raise HTTPBadRequest(msg)
        request.errors.add(
            'body', 'associations.{}s'.format(label), msg)
def put(self):
    """Update an article (``PUT``).

    Moderators may change anything.  For other users two rules are
    enforced before ``_put`` is called:

    * the ``article_type`` of a ``'collab'`` article cannot be changed
      (``HTTPBadRequest``);
    * any other article can only be changed by the user who created it
      (``HTTPForbidden``).

    Raises ``HTTPNotFound`` when ``request.validated['id']`` matches no
    article.
    """
    request = self.request
    if request.has_permission('moderator'):
        return self._put(Article, schema_article)

    article_id = request.validated['id']
    # Named ``stored`` rather than ``article`` to avoid shadowing the
    # ``article`` module used elsewhere in this file.
    stored = DBSession.query(Article).get(article_id)
    if stored is None:
        raise HTTPNotFound(
            'No article found for id {}'.format(article_id))

    if stored.article_type == 'collab':
        requested_type = request.validated['document']['article_type']
        if requested_type != stored.article_type:
            raise HTTPBadRequest(
                'Article type cannot be changed for collaborative articles')
    elif not has_been_created_by(article_id, request.authenticated_userid):
        # Personal articles: only the creator (or a moderator) may edit.
        raise HTTPForbidden('No permission to change this article')

    return self._put(Article, schema_article)
def validate_personal_association(request, parent_document_id,
                                  parent_document_type, child_document_id,
                                  child_document_type, raise_exc, doc_type,
                                  is_personal, label):
    """Refuse association changes on personal documents the user neither
    created nor is associated with.

    Of the parent and child documents, those whose type equals
    ``doc_type`` are checked: when ``is_personal(document_id)`` holds and
    neither ``has_been_created_by`` nor ``is_associated_user`` does, the
    error ``'no rights to modify associations with <label> <id>'`` is
    either raised as ``HTTPBadRequest`` (``raise_exc`` true) or recorded
    in ``request.errors`` under ``associations.<label>s``.
    """
    candidates = set()
    for document_id, document_type in (
            (parent_document_id, parent_document_type),
            (child_document_id, child_document_type)):
        if document_type == doc_type:
            candidates.add(document_id)

    for document_id in candidates:
        if not is_personal(document_id):
            continue
        if has_been_created_by(document_id, request.authenticated_userid):
            continue
        if is_associated_user(document_id, request.authenticated_userid):
            continue

        msg = 'no rights to modify associations with {} {}'.format(
            label, document_id)
        if raise_exc:
            raise HTTPBadRequest(msg)
        request.errors.add('body', 'associations.{}s'.format(label), msg)