def _authorized_to_read(effective_principals, permissions):
    """Return True if any effective principal may read the annotation.

    ``permissions`` is the annotation's permissions mapping. Its ``'read'``
    entry is passed through ``translate_annotation_principals`` and the result
    is compared with ``effective_principals``; one shared principal is enough
    to grant read access.

    If the annotation belongs to a private group, this will return False if
    the user the principals were computed for isn't a member of that group.
    """
    # A missing 'read' entry falls back to an empty list, so the check denies
    # access rather than granting it (assuming the translation of an empty
    # list is itself empty -- confirm against translate_annotation_principals).
    allowed = translate_annotation_principals(permissions.get('read', []))
    overlap = set(allowed).intersection(effective_principals)
    return bool(overlap)
def _authorized_to_read(request, permissions):
    """Return True if the passed request is authorized to read the annotation.

    ``permissions`` is the annotation's permissions mapping. Its ``'read'``
    entry is passed through ``translate_annotation_principals`` and compared
    with ``request.effective_principals``; one shared principal is enough to
    grant read access.

    If the annotation belongs to a private group, this will return False if
    the authenticated user isn't a member of that group.
    """
    # A missing 'read' entry falls back to an empty list, so the check denies
    # access rather than granting it (assuming the translation of an empty
    # list is itself empty -- confirm against translate_annotation_principals).
    allowed = translate_annotation_principals(permissions.get('read', []))
    overlap = set(allowed).intersection(request.effective_principals)
    return bool(overlap)
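def generate_notifications(request, annotation, action):
    """Yield reply-notification emails for a newly created annotation.

    This is a generator. For each active reply subscription whose conditions
    accept the annotation (``check_conditions``), it yields the
    ``(subject, text, html, recipients)`` tuple produced by
    ``render_reply_notification``.

    Nothing is yielded when ``action`` is not ``'create'``, when the
    annotation has no parent, when the parent cannot be fetched or has no
    ``'user'``, or when the parent's author would not be able to read the
    reply.

    ``request`` is passed on to the storage, auth, subscription and rendering
    helpers. ``annotation`` is the reply being announced; it is read both
    through its ``parent_id`` attribute and through ``.get('permissions')``.

    A subscription whose template fails to render is logged and skipped; the
    remaining subscriptions are still processed.
    """
    # Only send notifications when new annotations are created
    if action != 'create':
        return

    # If the annotation doesn't have a parent, we can't find its parent, or we
    # have no idea who the author of the parent is, then we can't send a
    # notification email.
    parent_id = annotation.parent_id
    if parent_id is None:
        return

    parent = storage.fetch_annotation(request, parent_id)
    if parent is None or 'user' not in parent:
        return

    # We don't send replies to the author of the parent unless they're going to
    # be able to read it. That means there must be some overlap between the set
    # of effective principals of the parent's author, and the read permissions
    # of the reply. Without this check the email would disclose the content of
    # a reply its recipient is not permitted to see.
    child_read_permissions = annotation.get('permissions', {}).get('read', [])
    parent_principals = auth.effective_principals(parent['user'], request)
    read_principals = translate_annotation_principals(child_read_permissions)
    if not set(parent_principals).intersection(read_principals):
        return

    # Store the parent values as additional data
    data = {
        'parent': parent
    }

    subscriptions = Subscriptions.get_active_subscriptions_for_a_type(
        types.REPLY_TYPE)
    for subscription in subscriptions:
        data['subscription'] = subscription.__json__(request)

        # Validate annotation
        if not check_conditions(annotation, data):
            continue

        # Only the rendering is guarded. The yield sits in the ``else`` branch
        # and the catch-all is ``Exception`` rather than a bare ``except``: a
        # bare ``except`` around a ``yield`` also swallows GeneratorExit, so
        # closing the generator early was logged as a render failure and then
        # raised RuntimeError when the loop went on to yield again.
        try:
            subject, text, html, recipients = render_reply_notification(
                request, annotation, parent)
        except TemplateRenderException:
            log.exception('Failed to render subscription'
                          ' template %s', subscription)
        except Exception:
            # Best effort: one broken subscription must not stop the others.
            log.exception('Unknown error when trying to render'
                          ' subscription template %s', subscription)
        else:
            yield subject, text, html, recipients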
def _authorized_to_read(request, annotation):
    """Return True if the passed request is authorized to read the annotation.

    The annotation's ``permissions['read']`` entry is passed through
    ``translate_annotation_principals`` and compared with
    ``request.effective_principals``; one shared principal is enough to grant
    read access.

    If the annotation belongs to a private group, this will return False if
    the authenticated user isn't a member of that group.

    An annotation without a ``permissions['read']`` entry is reported through
    ``request.sentry`` and then evaluated with an empty read list.
    """
    # TODO: remove this when we've diagnosed this issue
    has_read_entry = ('permissions' in annotation and
                      'read' in annotation['permissions'])
    if not has_read_entry:
        # NOTE(review): the annotation's permissions are forwarded to the
        # error tracker here -- confirm that is acceptable for this data.
        # 'id' is indexed directly, so an annotation without one would raise
        # KeyError from this diagnostic path.
        diagnostics = {
            'id': annotation['id'],
            'permissions': json.dumps(annotation.get('permissions')),
        }
        request.sentry.captureMessage(
            'streamer received annotation lacking valid permissions',
            level='warn',
            extra=diagnostics)

    # Missing permissions fall back to an empty read list, so the check denies
    # access rather than granting it (assuming the translation of an empty
    # list is itself empty -- confirm against translate_annotation_principals).
    read_permissions = annotation.get('permissions', {}).get('read', [])
    allowed = translate_annotation_principals(read_permissions)
    overlap = set(allowed).intersection(request.effective_principals)
    return bool(overlap)
def test_translate_annotation_principals(p_in, p_out):
    """Check that translating ``p_in`` yields the principals in ``p_out``.

    Both sides are compared as sets, so ordering and duplicates in the
    translated result do not matter.
    """
    translated = set(util.translate_annotation_principals(p_in))
    expected = set(p_out)
    assert translated == expected