예제 #1
    def viewable(self):
        """
        Returns the elements of the model that the current user is allowed to view.

        Anonymous users get an empty QuerySet. Superusers, and users for whom the project permission lookup
        yields "all", get every element; the deny list below is not consulted on those two paths.

        For every other user an element is included when at least one of the following holds:
        - the element has general_usage_setting set to global
        - at least one group of the current user is in usage_setting_selected_user_groups
        - the element is associated to a project on which the user has the view permission (project pks)
        - the element has the model privilege 'view' or 'full_access' set to allow for the current user
        - the element matches the filters returned by _get_extended_viewable_filters()

        Elements whose view_privilege is set to deny for the current user are excluded afterwards, so an explicit
        deny overrides every allow rule above, including the global usage setting.
        """
        from eric.projects.models.models import Resource
        current_user = get_current_user()

        # cheap identity checks first: no permission lookup is needed for these two cases
        if current_user.is_anonymous:
            return self.none()
        if current_user.is_superuser:
            return self.all()

        # projects on which the current user holds the view permission for this model
        view_permission = get_permission_name_without_app_label(self.model, 'view')
        permitted_project_pks = BaseProjectPermissionQuerySet.get_all_project_ids_with_permission(
            self.model, view_permission)

        # the "all" marker means the user is not restricted to individual projects
        if "all" in permitted_project_pks:
            return self.all()

        from eric.model_privileges.models import ModelPrivilege

        # ids of objects on which the current user has view_privilege explicitly set to deny
        denied_ids = ModelPrivilege.objects.for_model(self.model).filter(
            user=current_user,
            view_privilege=ModelPrivilege.DENY,
        ).values_list('object_id', flat=True)

        # usable by everybody
        is_global = Q(general_usage_setting=Resource.GLOBAL)
        # usable by one of the current user's groups
        in_selected_group = Q(
            usage_setting_selected_user_groups__pk__in=current_user.groups.values_list('pk'))
        # reachable through a project permission
        in_permitted_project = Q(projects__pk__in=permitted_project_pks)
        # Each privilege check keeps the privilege value and the user in ONE Q object, and all of them are
        # passed to ONE filter() call. Django then applies both conditions to the same related row;
        # model_privileges is presumably a multi-valued relation, so splitting the pair across chained
        # filter() calls could match another user's ALLOW row - keep them together.
        has_full_access = Q(
            model_privileges__full_access_privilege=ModelPrivilege.ALLOW,
            model_privileges__user=current_user)
        has_view_access = Q(
            model_privileges__view_privilege=ModelPrivilege.ALLOW,
            model_privileges__user=current_user)

        allow_rules = (
            is_global
            | in_selected_group
            | in_permitted_project
            | has_full_access
            | has_view_access
            | self._get_extended_viewable_filters()
        )

        # exclude() runs after the allow rules, which is what makes deny win over allow;
        # distinct() removes the duplicates produced by the joins
        return self.filter(allow_rules).exclude(id__in=denied_ids).distinct()
예제 #2
    def deletable(self, *args, **kwargs):
        """
        Returns the elements the current user may delete, decided by the delete permission of the current model
        on the project the element is associated to.

        - if the permission lookup yields "all", every element with deleted=True is returned
        - otherwise the elements whose project is in the permitted project pks are returned

        NOTE(review): the "all" branch narrows to deleted=True, the per-project branch does not filter on
        `deleted` at all - confirm that project-scoped users are meant to delete elements that are not trashed.
        NOTE(review): there is no explicit anonymous-user guard in this method; presumably the permission
        lookup resolves the current user itself - verify.
        """
        delete_permission = get_permission_name_without_app_label(self.model, 'delete')
        permitted_project_pks = BaseProjectPermissionQuerySet.get_all_project_ids_with_permission(
            self.model, delete_permission)

        if "all" in permitted_project_pks:
            # unrestricted users: only elements that are already flagged as deleted
            candidates = self.filter(deleted=True)
        else:
            # project-scoped users: elements of the projects they hold the permission on
            candidates = self.filter(project__pk__in=permitted_project_pks)

        return candidates.distinct()
예제 #3
    def related_project_attribute_editable(self, *args, **kwargs):
        """
        Returns the elements whose project attribute the current user may change, decided by the
        'APP.MODEL_change_project' permission (whereas "APP" corresponds to the managed models app label and
        "MODEL" corresponds to the managed models name).

        - if the permission lookup yields "all", every element is returned
        - otherwise only the elements whose project is in the permitted project pks are returned; the result
          is empty only when no element matches those pks

        NOTE(review): there is no explicit anonymous-user guard in this method; presumably the permission
        lookup resolves the current user itself - verify.
        """
        change_project_permission = get_permission_name_without_app_label(
            self.model, 'change_project')
        permitted_project_pks = BaseProjectPermissionQuerySet.get_all_project_ids_with_permission(
            self.model, change_project_permission)

        if "all" in permitted_project_pks:
            candidates = self.all()
        else:
            # restrict to the projects the permission was granted on
            candidates = self.filter(project__pk__in=permitted_project_pks)

        return candidates.distinct()
예제 #4
    def viewable(self, *args, **kwargs):
        """
        Returns the elements the current user may view, decided by the view permission of the current model
        on the project the element is associated to.

        - if the permission lookup yields "all", every element is returned
        - otherwise only the elements whose project is in the permitted project pks are returned

        NOTE(review): visibility depends on the permission lookup alone; there is no explicit anonymous-user
        guard in this method - verify that the lookup returns nothing for anonymous users.
        """
        view_permission = get_permission_name_without_app_label(self.model, 'view')
        permitted_project_pks = BaseProjectPermissionQuerySet.get_all_project_ids_with_permission(
            self.model, view_permission)

        if "all" in permitted_project_pks:
            return self.all().distinct()

        # all entities of the projects on which the current user holds the view permission
        in_permitted_project = Q(project__pk__in=permitted_project_pks)
        return self.filter(in_permitted_project).distinct()
예제 #5
    def trashable(self, *args, **kwargs):
        """
        Returns the elements of the model that the current user is allowed to trash.

        Anonymous users get an empty QuerySet. Superusers get every element. Users for whom the project
        permission lookup yields "all" get every element with deleted=False.

        For every other user an element is included when at least one of the following holds:
        - the element is associated to a project on which the user has the trash permission (project pks)
        - the element has the model privilege 'trash' or 'full_access' set to allow for the current user
        - the element matches the filters returned by _get_extended_trashable_filters()

        Elements whose trash_privilege is set to deny for the current user are excluded afterwards, and the
        result is limited to elements with deleted=False, i.e. elements that are not flagged as deleted yet.

        NOTE(review): the superuser path returns self.all() without the deleted=False restriction that the
        other paths apply - confirm that this is intended.
        """
        current_user = get_current_user()

        if current_user.is_anonymous:
            return self.none()
        if current_user.is_superuser:
            return self.all()

        # projects on which the current user holds the trash permission for this model
        trash_permission = get_permission_name_without_app_label(self.model, 'trash')
        permitted_project_pks = BaseProjectPermissionQuerySet.get_all_project_ids_with_permission(
            self.model, trash_permission)

        # the "all" marker means the user is not restricted to individual projects
        if "all" in permitted_project_pks:
            return self.filter(deleted=False)

        from eric.model_privileges.models import ModelPrivilege

        # ids of objects on which the current user has trash_privilege explicitly set to deny
        denied_ids = ModelPrivilege.objects.for_model(self.model).filter(
            user=current_user,
            trash_privilege=ModelPrivilege.DENY,
        ).values_list('object_id', flat=True)

        # reachable through a project permission
        in_permitted_project = Q(projects__pk__in=permitted_project_pks)
        # Privilege value and user stay together in one Q object and in one filter() call, so that Django
        # applies both conditions to the same related row (model_privileges is presumably multi-valued).
        has_full_access = Q(
            model_privileges__full_access_privilege=ModelPrivilege.ALLOW,
            model_privileges__user=current_user)
        has_trash_access = Q(
            model_privileges__trash_privilege=ModelPrivilege.ALLOW,
            model_privileges__user=current_user)

        allow_rules = (
            in_permitted_project
            | has_full_access
            | has_trash_access
            | self._get_extended_trashable_filters()
        )

        allowed = self.filter(allow_rules)
        # an explicit deny overrides every allow rule above
        not_denied = allowed.exclude(id__in=denied_ids)
        # only elements that are not flagged as deleted can still be trashed
        return not_denied.filter(deleted=False).distinct()
예제 #6
    def related_project_attribute_editable(self, *args, **kwargs):
        """
        Returns the elements whose project attribute the current user may change.

        Anonymous users get an empty QuerySet. Superusers, and users for whom the lookup of the
        'APP.MODEL_change_project' permission yields "all" (whereas "APP" corresponds to the managed models app
        label and "MODEL" corresponds to the managed models name), get every element; the deny list below is
        not consulted on those two paths.

        For every other user an element is included when at least one of the following holds:
        - the element is associated to a project on which the user has the change_project permission
        - the element has the model privilege 'edit' or 'full_access' set to allow for the current user

        Elements whose edit_privilege is set to deny for the current user are excluded afterwards, so an
        explicit deny overrides the allow rules above.
        """
        current_user = get_current_user()

        if current_user.is_anonymous:
            return self.none()
        if current_user.is_superuser:
            return self.all()

        # projects on which the current user holds the change_project permission for this model
        change_project_permission = get_permission_name_without_app_label(
            self.model, 'change_project')
        permitted_project_pks = BaseProjectPermissionQuerySet.get_all_project_ids_with_permission(
            self.model, change_project_permission)

        # the "all" marker means the user is not restricted to individual projects
        if "all" in permitted_project_pks:
            return self.all()

        from eric.model_privileges.models import ModelPrivilege

        # ids of objects on which the current user has edit_privilege explicitly set to deny
        denied_ids = ModelPrivilege.objects.for_model(self.model).filter(
            user=current_user,
            edit_privilege=ModelPrivilege.DENY,
        ).values_list('object_id', flat=True)

        # reachable through a project permission
        in_permitted_project = Q(projects__pk__in=permitted_project_pks)
        # Privilege value and user stay together in one Q object and in one filter() call, so that Django
        # applies both conditions to the same related row (model_privileges is presumably multi-valued).
        has_full_access = Q(
            model_privileges__full_access_privilege=ModelPrivilege.ALLOW,
            model_privileges__user=current_user)
        has_edit_access = Q(
            model_privileges__edit_privilege=ModelPrivilege.ALLOW,
            model_privileges__user=current_user)

        allow_rules = in_permitted_project | has_full_access | has_edit_access

        # exclude() runs after the allow rules, which is what makes deny win over allow;
        # distinct() removes the duplicates produced by the joins
        return self.filter(allow_rules).exclude(id__in=denied_ids).distinct()