def _check_can_read(document, user):
""" Check that the user can read.
Args:
document:
user:
Returns:
"""
# workspace case
if document.user_id != str(user.id):
# workspace is set
if hasattr(document, 'workspace') and document.workspace is not None:
# get list of accessible workspaces
accessible_workspaces = workspace_api.get_all_workspaces_with_read_access_by_user(
user)
# check that accessed document belongs to an accessible workspace
if document.workspace not in accessible_workspaces:
raise AccessControlError(
"The user doesn't have enough rights to access this.")
# workspace is not set
else:
raise AccessControlError(
"The user doesn't have enough rights to access this.")
def _check_data_structure_elements_access(data_structure_element_list, user):
"""Check that the user is authorized to query or retrieve all
DataStructureElement from the input list.
Args:
data_structure_element_list:
user:
Returns:
"""
for data_structure_element in data_structure_element_list:
permission = (
data_structure_element.data_structure.document_type.get_permission()
)
codename = permission.split(".")[1]
# check if user can access this type of data structure element
if user.is_anonymous:
# Check in the anonymous_group
if not Group.objects.filter(
Q(name=rights.anonymous_group) & Q(permissions__codename=codename)
):
raise AccessControlError(
"User does not have the permission to access this data structure."
)
elif not user.has_perm(permission):
raise AccessControlError(
"User does not have the permission to access this data structure."
)
# check if user is the owner
_check_data_structure_element_ownership(data_structure_element, user)
def can_write(func, *args, **kwargs):
"""Can write template.
Args:
func:
args:
kwargs:
Returns:
"""
request = get_request_from_args(*args, **kwargs)
# super user
if request.user.is_superuser:
return func(*args, **kwargs)
# anonymous cannot write
if request.user.is_anonymous:
raise AccessControlError("Template VM: The user doesn't have enough rights.")
template_version_manager = next(
(arg for arg in args if isinstance(arg, TemplateVersionManager)), None
)
# user is set
if template_version_manager.user:
if template_version_manager.user == str(request.user.id):
return func(*args, **kwargs)
# user is not set
else:
if request.user.is_staff:
return func(*args, **kwargs)
raise AccessControlError("Template VM: The user doesn't have enough rights.")
def can_read_list(func, list_id, request):
"""Can read list of version managers.
Args:
func:
list_id:
request:
Returns:
"""
# super user
if request.user.is_superuser:
return func(list_id, request=request)
document_list = func(list_id, request)
for version_manager in document_list:
# anonymous user
if request.user.is_anonymous:
if version_manager.user:
raise AccessControlError(
"Version Manager: The user doesn't have enough rights.")
else:
if not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT:
raise AccessControlError(
"Version Manager: The user doesn't have enough rights."
)
# user is set
if version_manager.user and version_manager.user != str(
request.user.id):
raise AccessControlError(
"Version Manager: The user doesn't have enough rights.")
return document_list
def can_write(func, *args, **kwargs):
"""Can user write
Args:
func:
*args:
**kwargs:
Returns:
"""
user = next(
(arg for arg in args
if isinstance(arg, User) or isinstance(arg, AnonymousUser)),
None,
)
if user.is_anonymous or user is None:
raise AccessControlError(
"The user doesn't have enough rights to access this document.")
if user.is_superuser:
return func(*args, **kwargs)
document = next(
(arg for arg in args if isinstance(arg, CurateDataStructure)), None)
if document.user != str(user.id):
raise AccessControlError(
"The user doesn't have enough rights to access this document.")
return func(*args, **kwargs)
def can_read_persistent_query(func, *args, **kwargs):
"""Can user read
Args:
func:
*args:
**kwargs:
Returns:
"""
user = next(
(arg for arg in args
if isinstance(arg, User) or isinstance(arg, AnonymousUser)),
None,
)
if user is None:
raise AccessControlError(
"The user doesn't have enough rights to read this query.")
query = func(*args, **kwargs)
# Anonymous can read when CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT
if user.is_anonymous:
# Allow read only for one query
if CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT and isinstance(
query, AbstractPersistentQuery):
return query
else:
raise AccessControlError(
"The user doesn't have enough rights to read this query.")
# Superuser and user can always read queries
return query
def can_read_version_manager(func, version_manager, version, request):
"""Can read global version managers.
Args:
func:
version_manager:
version:
request:
Returns:
"""
request = get_request_from_args(version_manager, version, request=request)
if request.user.is_superuser:
return func(version_manager, version, request=request)
# anonymous user
if request.user.is_anonymous:
if version_manager.user:
raise AccessControlError(
"Version Manager: The user doesn't have enough rights.")
else:
if not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT:
raise AccessControlError(
"Version Manager: The user doesn't have enough rights.")
# user is set
if version_manager.user and version_manager.user != str(request.user.id):
raise AccessControlError(
"Version Manager: The user doesn't have enough rights.")
return func(version_manager, version, request=request)
def check_can_write(document, user):
"""Check that the user can write.
Args:
document:
user:
Returns:
"""
# Raise error if anonymous user
if user.is_anonymous:
raise AccessControlError("Unable to write if not authenticated.")
# TODO: data will inherit of workspace rights, which means a owner can't edit
# or delete a data if data in wkp that doesn't give hin write rights
if hasattr(document, "workspace") and document.workspace is not None:
if workspace_api.is_workspace_public(document.workspace):
has_perm_publish(user, rights.publish_data)
else:
_check_can_write_in_workspace(document.workspace, user)
# not the owner and workspace is not set or None
if document.user_id != str(user.id) and (
not hasattr(document, "workspace") or document.workspace is None
):
raise AccessControlError("The user doesn't have enough rights.")
def can_read_list(func, *args, **kwargs):
"""Can read list of version managers.
Args:
func:
Returns:
"""
request = get_request_from_args(*args, **kwargs)
# super user
if request and request.user.is_superuser:
return func(*args, **kwargs)
document_list = func(*args, **kwargs)
for template in document_list:
# anonymous user
if not request or request.user.is_anonymous:
if template.user:
raise AccessControlError(
"Template: The user doesn't have enough rights.")
else:
if not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT:
raise AccessControlError(
"Template: The user doesn't have enough rights.")
# user is set
if template.user and template.user != str(request.user.id):
raise AccessControlError(
"Template: The user doesn't have enough rights.")
return document_list
def check_can_read_list(document_list, user):
"""Check that the user can read each document of the list.
Args:
document_list:
user:
Returns:
"""
if len(document_list) > 0:
# get list of accessible workspaces
accessible_workspaces = (
workspace_api.get_all_workspaces_with_read_access_by_user(user)
)
# check access is correct
for document in document_list:
# user is document owner
if document.user_id == str(user.id):
continue
# user is not owner or document not in accessible workspace
if (
document.workspace is None
or document.workspace not in accessible_workspaces
):
raise AccessControlError("The user doesn't have enough rights.")
def can_user_set_workspace_public(func, workspace, user):
"""Check if the user is the owner of the workspace.
Args:
func:
workspace:
user:
Returns:
"""
if user.is_superuser:
return func(workspace, user)
_check_is_owner_workspace(workspace, user)
publish_perm = permissions_api.get_by_codename(rights.publish_data)
if not user.has_perm(
publish_perm.content_type.app_label + "." + publish_perm.codename
):
raise AccessControlError(
"You don't have enough rights to set public this workspace."
)
return func(workspace, user)
def can_write_in_workspace(func, document, workspace, user, codename):
""" Can user write in workspace.
Args:
func:
document:
workspace:
user:
codename:
Returns:
"""
if user.is_superuser:
return func(document, workspace, user)
if workspace is not None:
if workspace_api.is_workspace_public(workspace):
has_perm_publish(user, codename)
else:
_check_can_write_in_workspace(workspace, user)
check_can_write(document, user)
# if we can not unpublish
if CAN_SET_PUBLIC_DATA_TO_PRIVATE is False:
# if document is in public workspace
if document.workspace is not None and workspace_api.is_workspace_public(
document.workspace):
# if target workspace is private
if workspace is None or workspace_api.is_workspace_public(
workspace) is False:
raise AccessControlError(
"The document can not be unpublished.")
return func(document, workspace, user)
def can_write_persistent_query(func, *args, **kwargs):
"""Can user read
Args:
func:
*args:
**kwargs:
Returns:
"""
user = next(
(arg for arg in args
if isinstance(arg, User) or isinstance(arg, AnonymousUser)),
None,
)
if user is None:
raise AccessControlError(
"The user doesn't have enough rights to access this query.")
# Superuser can create and update any query
if user.is_superuser:
return func(*args, **kwargs)
query = next(
(arg for arg in args if isinstance(arg, AbstractPersistentQuery)),
None,
)
# Anonymous can only create new query
if user.is_anonymous:
if query.id is None and CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT:
return func(*args, **kwargs)
else:
raise AccessControlError(
"The user doesn't have enough rights to access this query.")
# Owner can create and update own queries
if query.user_id == str(user.id):
return func(*args, **kwargs)
# Non-Owner
raise AccessControlError(
"The user doesn't have enough rights to access this query.")
def _check_anonymous_access(user):
"""Check anonymous access
Args:
user:
Returns:
"""
if (user is None or user.is_anonymous) and not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT:
raise AccessControlError(
"The user doesn't have enough rights to access this document."
)
def _check_data_structure_element_ownership(data_structure_element, user):
"""Check if the user is the owner
Args:
data_structure_element:
user:
Returns:
"""
if data_structure_element.user and data_structure_element.user != str(user.id):
raise AccessControlError("User is not the owner of the object.")
def can_access(func, *args, **kwargs):
"""Can user access the query, only owner and superuser can update the query given as parameter
Args:
func:
*args:
**kwargs:
Returns:
"""
# Get user from parameters
user = next(
(arg for arg in args
if isinstance(arg, User) or isinstance(arg, AnonymousUser)),
None,
)
# No user, raise ACL error
if user is None:
raise AccessControlError(
"The user doesn't have enough rights to access this query")
# Superuser can access the query
if user.is_superuser:
return func(*args, **kwargs)
# Get the query from parameters
query = next((arg for arg in args if isinstance(arg, Query)), None)
# Check owner of the query
if query.user_id != str(user.id):
raise AccessControlError(
"The user doesn't have enough rights to access this query")
# Anonymous user cannot create a query if cannot access data
if (isinstance(user, AnonymousUser) and not query.id
and not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT):
raise AccessControlError(
"The user doesn't have enough rights to create a query.")
return func(*args, **kwargs)
def can_change_owner(func, document, new_user, user):
"""Can user change document's owner.
Args:
func:
document:
new_user:
user:
Returns:
"""
if user.is_anonymous:
raise AccessControlError(
"The user doesn't have enough rights to access this document.")
if user.is_superuser:
return func(document, new_user, user)
if document.user == str(user.id):
return func(document, new_user, user)
raise AccessControlError(
"The user doesn't have enough rights to access this document.")
def can_user_modify_template_version_manager(template_version_manager, user):
""" Check that user can modify the template version manager.
Args:
template_version_manager:
user:
Returns:
"""
if user.is_superuser is False and user.is_staff is False:
if template_version_manager.user != user.id:
raise AccessControlError(
"You don't have the permission to update this object.")
def _check_is_owner_workspace(workspace, user):
"""Check that user is the owner of the workspace.
Args:
workspace:
user:
Returns:
"""
if workspace.owner != str(user.id):
raise AccessControlError(
"The user does not have the permission. The user is not the owner of this workspace."
)
def has_perm_publish(user, codename):
""" Does the user have the permission to publish.
Args:
user
codename
Returns
"""
publish_perm = permissions_api.get_by_codename(codename)
if not user.has_perm(publish_perm.content_type.app_label + '.' +
publish_perm.codename):
raise AccessControlError(
"The user doesn't have enough rights to publish.")
def can_write_blob(func, blob, user):
"""Does the user has permission to write blob.
Args:
func:
blob:
user:
Returns:
"""
if user.is_anonymous:
raise AccessControlError("Unable to insert blob if not authenticated.")
return func(blob, user)
def can_read(func, document_id, request):
"""Can read document.
Args:
func:
document_id:
request:
Returns:
"""
request = get_request_from_args(document_id, request=request)
# super user
if request.user.is_superuser:
return func(document_id, request=request)
# get the document
document = func(document_id, request=request)
# anonymous user
if request.user.is_anonymous:
if document.user:
raise AccessControlError(
"Version Manager: The user doesn't have enough rights.")
else:
if not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT:
raise AccessControlError(
"Version Manager: The user doesn't have enough rights.")
# user is set
if document.user and document.user != str(request.user.id):
raise AccessControlError(
"Version Manager: The user doesn't have enough rights.")
return document
def _check_can_write_data(request, accessed_object):
"""Check if the object can be accessed by the user in write mode.
Args:
request:
accessed_object:
Returns:
"""
try:
# Super user can access everything
if not request.user.is_superuser:
check_can_write(accessed_object.data, request.user)
except Exception as e:
raise AccessControlError(str(e))
def _check_can_write_in_workspace(workspace, user):
""" Check that user can write in the workspace.
Args:
workspace:
user:
Returns:
"""
accessible_workspaces = workspace_api.get_all_workspaces_with_write_access_by_user(
user)
if workspace not in accessible_workspaces:
raise AccessControlError(
"The user does not have the permission to write into this workspace."
)
def can_read_global(func, *args, **kwargs):
"""Can read global version managers.
Args:
func:
*args:
**kwargs:
Returns:
"""
request = get_request_from_args(*args, **kwargs)
if request.user.is_anonymous:
if not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT:
raise AccessControlError(
"Version Manager: The user doesn't have enough rights.")
return func(*args, **kwargs)
def _check_can_read(document_list, user):
"""Can read from list id.
Args:
document_list:
user:
Returns:
"""
# check access is correct
for document in document_list:
# user is document owner
if document.user == str(user.id):
continue
# user is not owner or document
raise AccessControlError("The user doesn't have enough rights.")
def _check_owner(request, accessed_object):
"""Check if the object can be accessed by the user.
Args:
request:
accessed_object:
Returns:
"""
# Super user can access everything
if not request.user.is_superuser:
# If not the owner of the accessed object
if str(request.user.id) != accessed_object.user:
raise AccessControlError("You are not the owner of the " +
get_form_label() +
" that you are trying to access")
def can_change_owner(func, data, new_user, user):
""" Can user change data's owner.
Args:
func:
data:
new_user:
user:
Returns:
"""
if user.is_superuser:
return func(data, new_user, user)
if data.user_id != str(user.id):
raise AccessControlError("The user doesn't have enough rights to access this " + get_data_label() + ".")
return func(data, new_user, user)
def has_perm_administration(func, *args, **kwargs):
""" Is the given user has administration rights.
Args:
func:
*args:
**kwargs:
Returns:
"""
try:
if args[0].is_superuser:
return func(*args, **kwargs)
except Exception as e:
logger.warning("has_perm_administration threw an exception: ".format(
str(e)))
raise AccessControlError("The user doesn't have enough rights.")
def is_superuser(func, *args, **kwargs):
"""Is the user a superuser.
Args:
func:
*args:
**kwargs:
Returns:
"""
try:
request = kwargs["request"]
if request and request.user.is_superuser:
return func(*args, **kwargs)
except Exception as e:
logger.warning("has_perm_administration threw an exception: ".format(str(e)))
raise AccessControlError("The user doesn't have enough rights.")
