def __user_and_group_permissions__(): #Querysets, se utiliza para hacer busquedas en cache perms_user_list = [(perm.codename, perm.name) for perm in get_perms_for_model((User))] perms_group_list = [(perm.codename, perm.name) for perm in get_perms_for_model(Group)] perms = [] #se agrega a perms los permisos asociados a el usuario y al rol perms.extend(perms_user_list) perms.extend(perms_group_list) return perms
def set_guardian_permissions(user=None, profile=None, *args, **kwargs): if not user or not user.is_authenticated(): return if profile: for perm in get_perms_for_model(Profile): assign_perm(perm.codename, user, profile) for perm in get_perms_for_model(User)[1:]: assign_perm(perm.codename, user, user)
def __user_and_group_permissions__(): """ perimisos de grupos de usuarios. :return: lista con los permisos que pueden asignarse a usuarios. """ perms_user_list = [(perm.codename, perm.name) for perm in get_perms_for_model(User)] perms_group_list = [(perm.codename, perm.name) for perm in get_perms_for_model(Group)] perms = [] perms.extend(perms_user_list) perms.extend(perms_group_list) return perms
def wrapper(request, *args, **kwargs): success = False user = request.user # check if user has perm for Organization # if 'organization_id' in kwargs.keys(): if perm in [p.codename for p in get_perms_for_model(Organization)]: organization = Organization.objects.get(id=kwargs["organization_id"]) if user.has_perm(perm, organization): success = True else: code = 1 # or, check if user has perm for Job # elif 'job_id' in kwargs.keys(): if perm in [p.codename for p in get_perms_for_model(Job)]: job = Job.objects.get(id=kwargs["job_id"]) if user.has_perm(perm, job): success = True else: code = 2 # or, check if user has perm for JobRequest # elif 'job_id' in kwargs.keys(): if perm in [p.codename for p in get_perms_for_model(JobRequest)]: job = Job.objects.get(id=kwargs["job_id"]) jobrequest = JobRequest.objects.get(job_id=kwargs["job_id"], organization_id=kwargs["organization_id"]) if user.has_perm(perm, jobrequest): success = True else: code = 3 # or, check if user has perm for User # just check if user id is equal elif "user_id" in kwargs.keys(): if request.user == User.objects.get(id=kwargs["user_id"]): success = True else: code = 4 if success == True: return func(request, *args, **kwargs) else: message = "You do not have access to this resource. Error {0}" messages.add_message(request, messages.ERROR, message.format(code)) return render(request, "dbtest/confirm.html")
def set_object_permissions(sender, instance=None, created=False, **kwargs): if created: for perm in get_perms_for_model(UserProfile): assign_perm(perm.codename, instance.user, instance) if instance.created_by: assign_perm(perm.codename, instance.created_by, instance)
def _update_perms(target, role, container): ''' Function to update the permissions of the 'target'(User or Group) for a given container in correspondence to a given role. role can take several values corresponding to the following permissions: none - no permissions Reader - 'view' Contributor - 'view' + 'change' Editor - 'view' + 'change' + 'delete' Administrator - 'view' + 'change' + 'delete' + 'admin' ''' perms = get_perms_for_model(Container) l_perm = [] for i in range(len(perms)): l_perm.append(perms[i].codename) for permission in l_perm: remove_perm(permission, target, container) if role == 'none': if target == Group.objects.get(name='public'): container.public = False container.save() return assign('view_container', target, container) if role == 'Reader': if target == Group.objects.get(name='public'): container.public = True container.save() return assign('change_container', target, container) if role == 'Contributor': return assign('delete_container', target, container) if role == 'Editor': return assign('admin_container', target, container)
def test_view_manage_group(self): self._login_superuser() url = reverse("admin:%s_%s_permissions_manage_group" % self.obj_info, args=[self.obj.pk, self.group.id]) response = self.client.get(url) self.assertEqual(response.status_code, 200) choices = set([c[0] for c in response.context["form"].fields["permissions"].choices]) self.assertEqual(set([p.codename for p in get_perms_for_model(self.obj)]), choices) # Add some perms and check if changes were persisted perms = ["change_%s" % self.obj_info[1], "delete_%s" % self.obj_info[1]] data = {"permissions": perms} response = self.client.post(url, data, follow=True) self.assertEqual(len(response.redirect_chain), 1) self.assertEqual(response.redirect_chain[0][1], 302) self.assertEqual(set(get_perms(self.group, self.obj)), set(perms)) # Remove perm and check if change was persisted perms = ["delete_%s" % self.obj_info[1]] data = {"permissions": perms} response = self.client.post(url, data, follow=True) self.assertEqual(len(response.redirect_chain), 1) self.assertEqual(response.redirect_chain[0][1], 302) self.assertEqual(set(get_perms(self.group, self.obj)), set(perms))
def rm_org_perms(sender, instance=None, **kwargs): perms = get_perms_for_model(apps.get_model('app_mgr', 'Organization')) instance.org.admin_group.user_set.remove(instance.user) instance.org.member_group.user_set.remove(instance.user) for perm in perms: remove_perm(perm.codename, instance.user, instance.org)
def create_owner_team_and_permissions(sender, instance, created, **kwargs): """ Signal handler that creates the Owner team and assigns group and user permissions. """ if created: team = Team.objects.create( name=Team.OWNER_TEAM_NAME, organization=instance.user, created_by=instance.created_by) content_type = ContentType.objects.get( app_label='api', model='organizationprofile') permission, created = Permission.objects.get_or_create( codename="is_org_owner", name="Organization Owner", content_type=content_type) team.permissions.add(permission) instance.creator.groups.add(team) for perm in get_perms_for_model(instance.__class__): assign_perm(perm.codename, instance.user, instance) if instance.creator: assign_perm(perm.codename, instance.creator, instance) if instance.created_by and instance.created_by != instance.creator: assign_perm(perm.codename, instance.created_by, instance)
def assign_forum_permissions(request, id, gid): if not request.user.is_superuser: return HttpResponseForbidden() obj = get_object_or_404(Forum, id=id) group = get_object_or_404(Group, id=gid) obj_permissions = get_perms_for_model(Forum).exclude(codename__in=["add_forum", "can_views_forums"]) ctype = ContentType.objects.get_for_model(obj) perms = [] for group_perm in GroupObjectPermission.objects.filter(group=group, content_type=ctype, object_pk=obj.id): perms.append(group_perm.permission) # print perms PermissionsForm = get_permissions_form(obj_permissions.select_related(), initial=perms) if request.method == "POST": form = PermissionsForm(request.POST) if form.is_valid(): for perm in obj_permissions: remove_perm(perm.codename, group, obj) for perm in form.cleaned_data["perms"]: assign(perm.codename, group, obj) else: form = PermissionsForm() return render(request, "forum/frontend/edit_permissions.html", {"forum": obj, "group": group, "form": form})
def save(self, *args, **kwargs): self._set_title() old_id_string = self.id_string self._set_id_string() self._set_encrypted_field() # check if we have an existing id_string, # if so, the one must match but only if xform is NOT new if self.pk and old_id_string and old_id_string != self.id_string: raise XLSFormError( _(u"Your updated form's id_string '%(new_id)s' must match " "the existing forms' id_string '%(old_id)s'." % {'new_id': self.id_string, 'old_id': old_id_string})) if getattr(settings, 'STRICT', True) and \ not re.search(r"^[\w-]+$", self.id_string): raise XLSFormError(_(u'In strict mode, the XForm ID must be a ' 'valid slug and contain no spaces.')) if not self.sms_id_string: try: # try to guess the form's wanted sms_id_string # from it's json rep (from XLSForm) # otherwise, use id_string to ensure uniqueness self.sms_id_string = json.loads(self.json).get('sms_keyword', self.id_string) except: self.sms_id_string = self.id_string super(XForm, self).save(*args, **kwargs) for perm in get_perms_for_model(XForm): assign_perm(perm.codename, self.user, self)
def set_object_permissions(sender, instance=None, created=False, **kwargs): if created: for perm in get_perms_for_model(Team): assign_perm(perm.codename, instance.organization, instance) if instance.created_by: assign_perm(perm.codename, instance.created_by, instance)
def user_project_permissions(request): """ If a user is authenticated, this method returns a dictionary that stores whether the user has a specific permission on a project. If a user is not authenticated and the request is done by the anonymous user, the permissions for the anonymous user are returned. Otherwise, this dictionary will be empty. """ result = {} if request.user.is_authenticated() or request.user.is_anonymous: projectPerms = get_perms_for_model(Project) permNames = [perm.codename for perm in projectPerms] # Find out what permissions a user actually has for any of those projects. projects = get_objects_and_perms_for_user(request.user, permNames, Project, any_perm = True) # Build the result data structure for project_id in projects: userPerms = projects[project_id] # Iterate the codenames of available permissions and store # whether the user has them for a specific project for permName in permNames: if permName not in result: result[permName] = {} result[permName][project_id] = permName in userPerms # Obtain the list of groups of the user groups = list(Group.objects.filter(user=request.user).values_list('name', flat=True)) else: groups = [] return HttpResponse(json.dumps((result, groups)))
def user_project_permissions(request): """ If a user is authenticated, this method returns a dictionary that stores whether the user has a specific permission on a project. If a user is not authenticated, the request is done by Django's anonymous user, which is different from Guardian's anonymous user. In this case, no permissions are returned, because Django's anonymous user does not have a user profile. A middleware should make sure Guardian's anonymous user is used for anonymous requests, because it reports as authenticated and a profile will be returned. """ permissions = {} if request.user.is_authenticated: projectPerms = get_perms_for_model(Project) permNames = [perm.codename for perm in projectPerms] # Find out what permissions a user actually has for any of those projects. projects = get_objects_and_perms_for_user(request.user, permNames, Project, any_perm = True) # Build the result data structure for project_id in projects: userPerms = projects[project_id] # Iterate the codenames of available permissions and store # whether the user has them for a specific project for permName in permNames: perm_projects = permissions.get(permName) if not perm_projects: perm_projects = [] permissions[permName] = perm_projects if permName in userPerms: perm_projects.append(project_id) # Obtain the list of groups of the user groups = list(Group.objects.filter(user=request.user).values_list('name', flat=True)) else: groups = [] return JsonResponse((permissions, groups), safe=False)
def formfield_for_dbfield(self, db_field, **kwargs): if db_field.name == 'permission': perm_choices = get_perms_for_model(self.parent_model) kwargs['queryset'] = perm_choices kwargs.pop('request', None) return db_field.formfield(**kwargs) return super(BasePermissionInline, self).formfield_for_dbfield(db_field, **kwargs)
def project_post_save(sender, instance, created, **kwargs): """ Automatically assigns all permissions to the owner. If the owner changes it's up to the user/developer to remove the previous owner's permissions. """ for perm in get_perms_for_model(sender).all(): assign_perm(perm.codename, instance.owner, instance)
def assign_topic_permissions(request, id, gid): if not request.user.is_superuser: return HttpResponseForbidden() obj = get_object_or_404(Topic, id=id) group = get_object_or_404(Group, id=gid) obj_permissions = get_perms_for_model(Topic).exclude(codename__in=['add_topic', ]) ctype = ContentType.objects.get_for_model(obj) perms = [] for group_perm in GroupObjectPermission.objects.filter(group=group,content_type=ctype, object_pk=obj.id): perms.append(group_perm.permission) PermissionsForm = get_permissions_form(obj_permissions.select_related(), initial=perms) if request.method == 'POST': form = PermissionsForm(request.POST) if form.is_valid(): for perm in obj_permissions: remove_perm(perm.codename, group, obj) for perm in form.cleaned_data['perms']: assign(perm.codename, group, obj ) else: form = PermissionsForm() return render(request, 'forum/frontend/edit_topic_permissions.html', { 'topic': obj, 'group': group, 'form':form, })
def get_model_perm(user, model, perm_prefix='access_'): group_permissions = user.groups.first().permissions.all() package, __ = model.__module__.split('.') for perm in get_perms_for_model(model): if perm_prefix in perm.codename and perm in group_permissions: return package + '.' + perm.codename return None
def get_obj_perms_field_choices(self): """ Returns choices for object permissions management field. Default: list of tuples ``(codename, name)`` for each ``Permission`` instance for the managed object. """ choices = [(p.codename, p.name) for p in get_perms_for_model(self.obj)] return choices
def setUpTestData(cls): cls.user = mommy.make(UserProfile) cls.group = mommy.make(Group, make_m2m=True) for permission in get_perms_for_model(InformationDocument): permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename) assign_perm(permission_name, cls.group) cls.group.save() mommy.make(InformationDocument)
def set_api_permissions_for_user(user): models = [ UserProfile, XForm, MergedXForm, Project, Team, OrganizationProfile, Note ] for model in models: for perm in get_perms_for_model(model): assign_perm('%s.%s' % (perm.content_type.app_label, perm.codename), user)
def get_obj_perms_field_choices(self): """ Returns choices for object permissions management field. Default: list of tuples ``(codename, name)`` for each ``Permission`` instance for the managed object. """ choices = [] for p in shortcuts.get_perms_for_model(self.model): if not p.codename.startswith("add_") and not p.codename.startswith("delete_"): choices.append((p.codename, p.codename)) return choices
def test_get_perms_for_model(self): self.assertEqual(get_perms_for_model(self.user).count(), 3) self.assertTrue(list(get_perms_for_model(self.user)) == list(get_perms_for_model(User))) self.assertEqual(get_perms_for_model(Permission).count(), 3) model_str = "contenttypes.ContentType" self.assertEqual( sorted(get_perms_for_model(model_str).values_list()), sorted(get_perms_for_model(ContentType).values_list()) ) obj = ContentType() self.assertEqual( sorted(get_perms_for_model(model_str).values_list()), sorted(get_perms_for_model(obj).values_list()) )
def get_objects_and_perms_for_user(user, codenames, klass, use_groups=True, any_perm=False): """ Similar to what guardian's get_objects_for_user method does, this method return a dictionary of object IDs (!) of model klass objects with the permissions the user has on them associated. These permissions may result from explicit user permissions or implicit group ones. Parts of the source code are takes from django-guardian. Note, that there an object list is returned. In contrast this method returns object IDs and the permissions on the actual objects. """ # Get QuerySet on and ContentType of the model queryset = _get_queryset(klass) ctype = ContentType.objects.get_for_model(queryset.model) # A super user has all permissions available on all the objects # of a model. if user.is_superuser: # Get all permissions for the model perms = get_perms_for_model(klass) permNames = set(perm.codename for perm in perms) pk_dict = {} for p in queryset: pk_dict[p.id] = permNames return pk_dict # Extract a list of tuples that contain an object's primary # key and a permission codename that the user has on them. user_obj_perms = UserObjectPermission.objects\ .filter(user=user)\ .filter(permission__content_type=ctype)\ .filter(permission__codename__in=codenames)\ .values_list('object_pk', 'permission__codename') data = list(user_obj_perms) if use_groups: groups_obj_perms = GroupObjectPermission.objects\ .filter(group__user=user)\ .filter(permission__content_type=ctype)\ .filter(permission__codename__in=codenames)\ .values_list('object_pk', 'permission__codename') data += list(groups_obj_perms) # sorting/grouping by pk (first in result tuple) keyfunc = lambda t: int(t[0]) data = sorted(data, key=keyfunc) # Create the result dictionary, associating one object id # with a set of permissions the user has for it. pk_dict = {} for pk, group in groupby(data, keyfunc): obj_codenames = set((e[1] for e in group)) if any_perm or codenames.issubset(obj_codenames): pk_dict[pk] = obj_codenames return pk_dict
def setUp(self): self.user = UserProfile.objects.create_user("testuser") self.user.save() self.group = Group.objects.create(name="test_group") for permission in get_perms_for_model(InformationDocument): permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename) assign_perm(permission_name, self.group) self.group.save() document = InformationDocument(title="title", text="text", author=self.user) document.save()
def test_get_perms_for_model(self): self.assertEqual(get_perms_for_model(self.user).count(), 3) self.assertTrue(list(get_perms_for_model(self.user)) == list(get_perms_for_model(User))) self.assertEqual(get_perms_for_model(Permission).count(), 3) model_str = 'guardian.Keycard' self.assertEqual( sorted(get_perms_for_model(model_str).values_list()), sorted(get_perms_for_model(Keycard).values_list())) key = Keycard() self.assertEqual( sorted(get_perms_for_model(model_str).values_list()), sorted(get_perms_for_model(key).values_list()))
def set_object_permissions(sender, instance=None, created=False, **kwargs): if created: for perm in get_perms_for_model(Team): assign_perm(perm.codename, instance.organization, instance) organization = instance.organization.profile if instance.created_by: assign_perm(perm.codename, instance.created_by, instance) if hasattr(organization, 'creator') and \ organization.creator != instance.created_by: assign_perm(perm.codename, organization.creator, instance) if organization.created_by != instance.created_by: assign_perm(perm.codename, organization.created_by, instance)
def get_elements_with_perms_cls(element, cls, attach_perms=False): """ This is a slightly adapted version of guardians group retrieval. It doesn't need an object instance. """ ctype = ContentType.objects.get_for_model(cls) if not attach_perms: return element.objects.all() else: elements = {} for elem in get_elements_with_perms_cls(element, cls): if not elem in elements: elements[elem] = get_perms_for_model(cls) return elements
def assign_perm(self, team, org): for perm in get_perms_for_model(Team): org = org.user \ if isinstance(org, OrganizationProfile) else org assign_perm(perm.codename, org, team) if team.created_by: assign_perm(perm.codename, team.created_by, team) if hasattr(org.profile, 'creator') and \ org.profile.creator != team.created_by: assign_perm(perm.codename, org.profile.creator, team) if org.profile.created_by != team.created_by: assign_perm(perm.codename, org.profile.created_by, team)
def permission_callback(sender, instance, created, *args, **kwargs): """ callback that assigns default permissions to the saved object """ if sender not in Document.__subclasses__() or not created: return permissions = get_perms_for_model(instance) groups = Group.objects.all() for group in groups: for permission in group.permissions.all(): if permission in permissions: assign_perm(permission.codename, group, instance)
class ItemPermissionSerializer(serializers.Serializer): permission = serializers.ChoiceField(choices=[(perm.codename, perm.name) for perm in get_perms_for_model(TaskItem)]) list_member = serializers.IntegerField(required=True) def validate_list_member(self, value): task_list = self.context['task_list'] try: return task_list.members.get(pk=value) except ObjectDoesNotExist: raise serializers.ValidationError("User not a member of list") def create(self, validated_data): item = validated_data.get('item') list_member = validated_data.get('list_member') added_permission = validated_data.get('permission') assigned_perm = assign_perm(perm=added_permission, user_or_group=list_member, obj=item) return assigned_perm
def get(self, request): """Return a list of permissions Get the list of the permissions for a group on a resource. These determine the access for the users in the group on the resource Args: request: Django Rest framework request Returns: List of permissions """ try: obj_list = [] group = request.query_params.get('group', None) collection = request.query_params.get('collection', None) experiment = request.query_params.get('experiment', None) channel = request.query_params.get('channel', None) # get permission sets for models col_perms = [ perm.codename for perm in get_perms_for_model(Collection) ] exp_perms = [ perm.codename for perm in get_perms_for_model(Experiment) ] channel_perms = [ perm.codename for perm in get_perms_for_model(Channel) ] resource_object = self.get_object(collection, experiment, channel) if group and resource_object: group = Group.objects.get(name=group) resource_type = resource_object[1] # filtering on both group and resource resource = resource_object[0] perms = get_perms(group, resource) if len(perms) == 0: # Nothing to return data = {'permission-sets': []} return Response(data, status=status.HTTP_200_OK) if resource_type == 'collection': obj = { 'group': group.name, 'collection': resource.name, 'permissions': perms } obj_list.append(obj) data = {'permission-sets': obj_list} elif resource_type == 'experiment': obj = { 'group': group.name, 'collection': resource.collection.name, 'experiment': resource.name, 'permissions': perms } obj_list.append(obj) data = {'permission-sets': obj_list} else: obj = { 'group': group.name, 'collection': resource.experiment.collection.name, 'experiment': resource.experiment.name, 'channel': resource.name, 'permissions': perms } obj_list.append(obj) data = {'permission-sets': obj_list} elif resource_object and not group: # filtering on resource resource = resource_object[0] resource_type = resource_object[1] list_member_groups = request.user.groups.all() for group in list_member_groups: perms = get_perms(group, resource) if resource_type == 'collection' and len(perms) > 0: obj = { 'group': group.name, 'collection': resource.name, 'permissions': perms } obj_list.append(obj) elif resource_type == 'experiment' and len(perms) > 0: obj = { 'group': group.name, 'collection': resource.collection.name, 'experiment': resource.name, 'permissions': perms } obj_list.append(obj) elif resource_type == 'channel' and len(perms) > 0: obj = { 'group': group.name, 'collection': resource.experiment.collection.name, 'experiment': resource.experiment.name, 'channel': resource.name, 'permissions': perms } obj_list.append(obj) data = {'permission-sets': obj_list} elif group and not resource_object: # filtering on group group = Group.objects.get(name=group) col_list = get_objects_for_group(group, perms=col_perms, klass=Collection, any_perm=True) for col in col_list: col_perms = get_perms(group, col) obj = { 'group': group.name, 'collection': col.name, 'permissions': col_perms } obj_list.append(obj) exp_list = get_objects_for_group(group, perms=exp_perms, klass=Experiment, any_perm=True) for exp in exp_list: exp_perms = get_perms(group, exp) obj_list.append({ 'group': group.name, 'collection': exp.collection.name, 'experiment': exp.name, 'permissions': exp_perms }) ch_list = get_objects_for_group(group, perms=channel_perms, klass=Channel, any_perm=True) for channel in ch_list: channel_perms = get_perms(group, channel) obj_list.append({ 'group': group.name, 'collection': channel.experiment.collection.name, 'experiment': channel.experiment.name, 'channel': channel.name, 'permissions': channel_perms }) data = {'permission-sets': obj_list} else: # no filtering list_member_groups = request.user.groups.all() for group in list_member_groups: col_list = get_objects_for_group(group, perms=col_perms, klass=Collection, any_perm=True) for col in col_list: col_perms = get_perms(group, col) obj = { 'group': group.name, 'collection': col.name, 'permissions': col_perms } obj_list.append(obj) exp_list = get_objects_for_group(group, perms=exp_perms, klass=Experiment, any_perm=True) for exp in exp_list: exp_perms = get_perms(group, exp) obj_list.append({ 'group': group.name, 'collection': exp.collection.name, 'experiment': exp.name, 'permissions': col_perms }) ch_list = get_objects_for_group(group, perms=channel_perms, klass=Channel, any_perm=True) for channel in ch_list: channel_perms = get_perms(group, channel) obj_list.append({ 'group': group.name, 'collection': channel.experiment.collection.name, 'experiment': channel.experiment.name, 'channel': channel.name, 'permissions': col_perms }) data = {'permission-sets': obj_list} return Response(data, status=status.HTTP_200_OK) except Group.DoesNotExist: return BossGroupNotFoundError(group) except Permission.DoesNotExist: return BossHTTPError( "Invalid permissions in post".format( request.data['permissions']), ErrorCodes.UNRECOGNIZED_PERMISSION) except BossError as err: return err.to_http()
def user_permitted_tree(user): """Generate a dictionary of the representing a folder tree composed of the elements the user is allowed to acccess. """ # Init user_tree = {} # Dynamically collect permission to avoid hardcoding # Note: Any permission to an element is the same as read permission so # they are all included. file_perm_list = [ f'data_driven_acquisition.{perm}' for perm in get_perms_for_model( 'data_driven_acquisition.File').values_list('codename', flat=True) ] folder_perm_list = [ f'data_driven_acquisition.{perm}' for perm in get_perms_for_model('data_driven_acquisition.Folder'). values_list('codename', flat=True) ] # Collect all permistted elements permitted_folders = get_objects_for_user(user, folder_perm_list, any_perm=True).all() permitted_files = get_objects_for_user(user, file_perm_list, any_perm=True).all() # Add all permitted folders to the user tree with their content and parents. for folder_obj in permitted_folders: # Get the folder content as tree tree = get_folder_tree(folder_obj) # Try to place the tree in the user tree if not place_folder_in_tree(user_tree, folder_obj, tree): # The parent is not in the user tree. # Cresting the parent folder at root level and then completing the # climb to the package level, mergin as needed. user_tree[folder_obj] = tree user_tree = climb_to_package(user_tree, folder_obj) # Add all permitted files to the user tree with theirs parents. for file_obj in permitted_files: # Add to user tree iof the parent folder is already there. if not place_file_in_tree(user_tree, file_obj): # Cold not find the parent folder in the tree. # Creating a base tree with the parent folder # the file at root level and the climbing up to the Package # Merging when required tree = { "files": [ file_obj, ] } user_tree[file_obj.parent] = tree user_tree = climb_to_package(user_tree, file_obj.parent) return user_tree
def get_editable_perms(): editable_perms = get_config_value('EDITABLE_PERMISSIONS') perms = [(p.codename, p.name) for p in get_perms_for_model(Project) if p.codename in editable_perms] perms.sort(key=lambda pair: pair[0]) return perms
def get_permissions(self): """ Return a list of permissions related with this object """ return get_perms_for_model(self)
def set_api_permissions_for_user(user): models = [UserProfile, XForm, Project, Team, OrganizationProfile, Note] for model in models: for perm in get_perms_for_model(model): assign_perm('%s.%s' % (perm.content_type.app_label, perm.codename), user)
def get(self, request, group_name=None): """ Get all groups Args: request: Django rest framework request group_name: Group name from the request Returns: Group if the group exists """ if group_name is not None: try: group = Group.objects.get(name=group_name) bgroup = BossGroup.objects.get(group=group) data = {"name": group.name, "owner": bgroup.creator.username} resources = [] # get permission sets for models col_perms = [ perm.codename for perm in get_perms_for_model(Collection) ] exp_perms = [ perm.codename for perm in get_perms_for_model(Experiment) ] channel_perms = [ perm.codename for perm in get_perms_for_model(Channel) ] # get objects for the group col_list = get_objects_for_group(group, perms=col_perms, klass=Collection, any_perm=True) exp_list = get_objects_for_group(group, perms=exp_perms, klass=Experiment, any_perm=True) ch_list = get_objects_for_group(group, perms=channel_perms, klass=Channel, any_perm=True) for col in col_list: obj = {'collection': col.name} resources.append(obj) for exp in exp_list: obj = { 'collection': exp.collection.name, 'experiment': exp.name } resources.append(obj) for ch in ch_list: obj = { 'collection': ch.experiment.collection.name, 'experiment': ch.experiment.name, 'channel': ch.name } resources.append(obj) data['resources'] = resources return Response(data, status=200) except Group.DoesNotExist: return BossGroupNotFoundError(group_name) else: # Get all the groups that the logged in user is a member of list_member_groups = request.user.groups.values_list('name', flat=True) member_groups = [name for name in list_member_groups] # Get all groups that the user has maintainer permissions on group_perms = [ perm.codename for perm in get_perms_for_model(BossGroup) ] list_maintainer_groups = get_objects_for_user(request.user, group_perms, klass=BossGroup, any_perm=True) maintainer_groups = [ bgroup.group.name for bgroup in list_maintainer_groups ] if 'filter' in request.query_params and request.query_params[ 'filter'] == 'member': data = {'groups': member_groups} return Response(data, status=200) elif 'filter' in request.query_params and request.query_params[ 'filter'] == 'maintainer': data = {'groups': maintainer_groups} return Response(data, status=200) elif 'filter' not in request.query_params: all_groups = list(set(member_groups).union(maintainer_groups)) data = {'groups': all_groups} else: return BossHTTPError( 'Unrecogizes value {} in filter. Valid parameters are member or maintainer.', ErrorCodes.UNABLE_TO_VALIDATE) return Response(data, status=200)
def add_event_permissions(group): perms = get_perms_for_model(Event) for perm in perms: assign_perm(perm, group)
def _assign_organization_team_perms(organization, user): owners_team = get_organization_owners_team(organization.profile) members_team = get_organization_members_team(organization.profile) for perm in get_perms_for_model(Team): assign_perm(perm.codename, user, owners_team) assign_perm(perm.codename, user, members_team)
def __init__(self, request_user, editing_user, organization=None, league=None, *args, **kwargs): self.organization = organization # current organization we are editing self.league = league # league we are editing if on non-org-admin page self.request_user = request_user # user requesting this page self.editing_user = editing_user # user we are editing self.regex = re.compile('^(org|league)(\d+)\_([A-Za-z0-9_]+)$') self.helper = FormHelper() super(PermissionsForm, self).__init__(*args, **kwargs) if not self.organization and not self.league: raise ValidationError("Both organization and league cannot be empty.") if not self.organization: self.organization = self.league.organization # If leagues is left blank, we assume we are probably wanting to grab # from all the leagues under the specified organization. The way this is # setup could be confusing, I guess if you want to REALLY use it wrong. # if not self.league: # pass leagues = None # First, check if the current editing user has priviliges to edit # users is this organization. if self.request_user.has_perm("league:org_admin", self.organization): user_organization_perms = get_user_perms(self.editing_user, organization) self.organization_permissions = [] # Get available permissions for both organizaiton and league models for permission in get_perms_for_model(Organization): if permission.codename not in settings.RINK_PERMISSIONS_IGNORE: self.organization_permissions.append(permission) # Dynamically create inputs for each organization and league permissions for permission in self.organization_permissions: initial = False if permission.codename in user_organization_perms: initial = True self.fields["{}{}_{}".format("org", organization.pk, permission.codename)] = forms.BooleanField( label="{} - {}".format(organization, permission.name), required=False, initial=initial, ) # Since we are a super admin, use all the leagues in our current org leagues = League.objects.filter(organization=organization) # Next, if we are a user who only has access to a league (not an organization) # only allow them to change permissions for that league. elif self.league and self.request_user.has_perm("league:league_admin", self.league): leagues = League.objects.filter(pk=self.league.pk) # Apparently you are not any kind of admin. Bye! else: raise PermissionDenied("You don't seem to be an admin of an organization or league. #88") self.league_permissions = [] for permission in get_perms_for_model(League): if permission.codename not in settings.RINK_PERMISSIONS_IGNORE: self.league_permissions.append(permission) for league in leagues: user_league_permissions = get_user_perms(self.editing_user, league) for permission in self.league_permissions: initial = False if permission.codename in user_league_permissions: initial = True self.fields["{}{}_{}".format("league", league.pk, permission.codename)] = forms.BooleanField( label="{} - {}".format(league, permission.name), required=False, initial=initial, ) self.helper.add_input(Submit('submit', 'Submit'))
def set_object_permissions(sender, instance=None, created=False, **kwargs): if created: for perm in get_perms_for_model(XForm): assign_perm(perm.codename, instance.user, instance)
def fork(request: HttpRequest, project_id) -> JsonResponse: """Attempt to create a new project based on the passed in project ID. --- parameters: - name: name description: Name of new project required: true type: string - name: description description: Description of new project required: false type: string - name: copy_volumes description: Whether volumes will be copied to the new project required: false type: boolean defaultValue: false - name: project_token description: Whether or not a new project token should be generated required: false type: boolean defaultValue: false - name: add_to_favorites description: Whether or not the new project is marked as a favorite required: false type: boolean defaultValue: true """ name = request.POST.get('name') if not name: raise ValueError('Need new project name') description = request.POST.get('description') copy_volumes = get_request_bool(request.POST, 'copy_volumes', False) create_project_token = get_request_bool(request.POST, 'project_token', False) project_token_approval_needed = get_request_bool( request.POST, 'project_token_approval_needed', False) project_token_default_perms = get_request_list( request.POST, 'project_token_default_permissions', []) add_to_favorites = get_request_bool(request.POST, 'add_to_favorites', True) current_p = get_object_or_404(Project, pk=project_id) new_p = get_object_or_404(Project, pk=project_id) new_p.id = None new_p.title = name new_p.comment = description new_p.save() # Copy all project-stack links ps_links = ProjectStack.objects.filter(project=current_p) for ps in ps_links: ps.id = None ps.project = new_p ps.save() # Assign read/write/import permissions for new fork assign_perm('can_browse', request.user, new_p) assign_perm('can_annotate', request.user, new_p) assign_perm('can_import', request.user, new_p) assign_perm('can_fork', request.user, new_p) assign_perm('can_administer', request.user, new_p) assign_perm('delete_project', request.user, new_p) # Creat basic classes and relations validate_project_setup(new_p.id, request.user.id, fix=True) # If the source project is a tracing project, make the clone as well one. # A local import is used here to avoid a high potential for circular imports. from catmaid.control.tracing import check_tracing_setup, setup_tracing if check_tracing_setup(project_id): setup_tracing(new_p.id) if copy_volumes: cursor = connection.cursor() cursor.execute( """ INSERT INTO catmaid_volume (user_id, project_id, creation_time, edition_time, editor_id, name, comment, geometry, area, volume, watertight, meta_computed) SELECT user_id, %(new_project_id)s, creation_time, edition_time, editor_id, name, comment, geometry, area, volume, watertight, meta_computed FROM catmaid_volume WHERE project_id = %(project_id)s; """, { 'project_id': project_id, 'new_project_id': new_p.id }) project_token_str = None if create_project_token: allowed_permissions = set( get_perms_for_model(Project).values_list('codename', flat=True)) unknown_permissions = set( project_token_default_perms) - allowed_permissions if unknown_permissions: raise ValueError( f'Unknown permissions: {", ".join(unknown_permissions)}') project_token = ProjectToken.objects.create( **{ 'user_id': request.user.id, 'project_id': new_p.id, 'name': "", 'needs_approval': project_token_approval_needed, 'default_permissions': project_token_default_perms, }) project_token.name = f'Project token #{project_token.id}' project_token.save() project_token_str = project_token.token if add_to_favorites: FavoriteProject.objects.create(**{ 'project_id': new_p.id, 'user_id': request.user.id, }) return JsonResponse({ 'new_project_id': new_p.id, 'n_copied_stack_links': len(ps_links), 'project_token': project_token_str, })