def __acl__(self): acl = [] # Convert annotator-store roles to pyramid principals for action, roles in self.model.get('permissions', {}).items(): principals = auth.translate_annotation_principals(roles) for principal in principals: # Append the converted rule tuple to the ACL rule = (Allow, principal, action) acl.append(rule) return acl
def __acl__(self): acl = [] model = self.model # Convert annotator-store roles to pyramid principals for action, roles in model.get('permissions', {}).items(): principals = auth.translate_annotation_principals(roles) for principal in principals: # Append the converted rule tuple to the ACL rule = (Allow, principal, action) acl.append(rule) return acl
def generate_notifications(request, annotation, action): # Only send notifications when new annotations are created if action != 'create': return # If the annotation doesn't have a parent, we can't find its parent, or we # have no idea who the author of the parent is, then we can't send a # notification email. parent = annotation.parent if parent is None or 'user' not in parent: return # We don't send replies to the author of the parent unless they're going to # be able to read it. That means there must be some overlap between the set # of effective principals of the parent's author, and the read permissions # of the reply. child_read_permissions = annotation.get('permissions', {}).get('read', []) parent_principals = auth.effective_principals(parent['user'], request) read_principals = translate_annotation_principals(child_read_permissions) if not set(parent_principals).intersection(read_principals): return # Store the parent values as additional data data = { 'parent': parent } subscriptions = Subscriptions.get_active_subscriptions_for_a_type( types.REPLY_TYPE) for subscription in subscriptions: data['subscription'] = subscription.__json__(request) # Validate annotation if check_conditions(annotation, data): try: subject, text, html, recipients = render_reply_notification( request, annotation, parent) yield subject, text, html, recipients # ToDo: proper exception handling here except TemplateRenderException: log.exception('Failed to render subscription' ' template %s', subscription) except: log.exception('Unknown error when trying to render' ' subscription template %s', subscription)
def _authorized_to_read(request, annotation): """Return True if the passed request is authorized to read the annotation. If the annotation belongs to a private group, this will return False if the authenticated user isn't a member of that group. """ # TODO: remove this when we've diagnosed this issue if ('permissions' not in annotation or 'read' not in annotation['permissions']): request.sentry.captureMessage( 'streamer received annotation lacking valid permissions', level='warn', extra={ 'id': annotation['id'], 'permissions': json.dumps(annotation.get('permissions')), }) read_permissions = annotation.get('permissions', {}).get('read', []) read_principals = auth.translate_annotation_principals(read_permissions) if set(read_principals).intersection(request.effective_principals): return True return False
def test_translate_annotation_principals(p_in, p_out): result = auth.translate_annotation_principals(p_in) assert set(result) == set(p_out)