def get_all_listings_for_profile_by_id(current_request_username, profile_id, listing_id=None):
access_control_instance = plugin_manager.get_system_access_control_plugin()
try:
if profile_id == 'self':
profile_instance = models.Profile.objects.get(user__username=current_request_username).user
else:
profile_instance = models.Profile.objects.get(id=profile_id).user
except models.Profile.DoesNotExist:
return None
try:
listings = models.Listing.objects.filter(owners__id=profile_instance.id)
listings = listings.exclude(is_private=True)
current_profile_instance = models.Profile.objects.get(user__username=current_request_username)
# filter out listings by user's access level
titles_to_exclude = []
for i in listings:
if not i.security_marking:
logger.debug('Listing {0!s} has no security_marking'.format(i.title))
if not access_control_instance.has_access(current_profile_instance.access_control, i.security_marking):
titles_to_exclude.append(i.title)
listings = listings.exclude(title__in=titles_to_exclude) # TODO: Base it on ids
if listing_id:
filtered_listing = listings.get(id=listing_id)
else:
filtered_listing = listings.all()
return filtered_listing
except models.Listing.DoesNotExist:
return None
def to_representation(self, data):
access_control_instance = plugin_manager.get_system_access_control_plugin(
)
ret = super(ProfileSerializer, self).to_representation(data)
# Used to anonymize usernames
anonymize_identifiable_data = system_anonymize_identifiable_data(
self.context['request'].user.username)
from_current_view = self.context.get('self')
if from_current_view:
if anonymize_identifiable_data:
ret['second_party_user'] = True
else:
ret['second_party_user'] = False
check_request_self = False
if self.context['request'].user.id == ret['id']:
check_request_self = True
if anonymize_identifiable_data and not check_request_self:
ret['display_name'] = access_control_instance.anonymize_value(
'display_name')
ret['bio'] = access_control_instance.anonymize_value('bio')
ret['dn'] = access_control_instance.anonymize_value('dn')
return ret
def for_user(self, username):
# get all listings
objects = super(AccessControlListingManager, self).get_queryset()
# filter out private listings
user = Profile.objects.get(user__username=username)
if user.highest_role() == 'APPS_MALL_STEWARD':
exclude_orgs = []
elif user.highest_role() == 'ORG_STEWARD':
user_orgs = user.stewarded_organizations.all()
user_orgs = [i.title for i in user_orgs]
exclude_orgs = Agency.objects.exclude(title__in=user_orgs)
else:
user_orgs = user.organizations.all()
user_orgs = [i.title for i in user_orgs]
exclude_orgs = Agency.objects.exclude(title__in=user_orgs)
objects = objects.exclude(is_private=True,
agency__in=exclude_orgs)
access_control_instance = plugin_manager.get_system_access_control_plugin()
# filter out listings by user's access level
titles_to_exclude = []
for i in objects:
if not i.security_marking:
logger.debug('Listing {0!s} has no security_marking'.format(i.title))
if not access_control_instance.has_access(user.access_control, i.security_marking):
titles_to_exclude.append(i.title)
objects = objects.exclude(title__in=titles_to_exclude)
return objects
def validate_security_marking(self, value):
access_control_instance = plugin_manager.get_system_access_control_plugin()
# don't allow user to select a security marking that is above
# their own access level
user = generic_model_access.get_profile(
self.context['request'].user.username)
access_control_instance = plugin_manager.get_system_access_control_plugin()
if value:
if not access_control_instance.has_access(user.access_control, value):
raise serializers.ValidationError(
'Security marking too high for current user')
else:
raise serializers.ValidationError(
'Security marking is required')
return value
def for_user(self, username):
access_control_instance = plugin_manager.get_system_access_control_plugin()
# get all images
objects = super(AccessControlImageManager, self).get_queryset()
user = Profile.objects.get(user__username=username)
# filter out listings by user's access level
images_to_exclude = []
for i in objects:
if not access_control_instance.has_access(user.access_control, i.security_marking):
images_to_exclude.append(i.id)
objects = objects.exclude(id__in=images_to_exclude)
return objects
def to_representation(self, data):
access_control_instance = plugin_manager.get_system_access_control_plugin(
)
ret = super(ContactTypeSerializer, self).to_representation(data)
# Used to anonymize usernames
anonymize_identifiable_data = system_anonymize_identifiable_data(
self.context['request'].user.username)
if anonymize_identifiable_data:
ret['name'] = access_control_instance.anonymize_value(
'contact_type_name')
return ret
def to_representation(self, data):
access_control_instance = plugin_manager.get_system_access_control_plugin()
ret = super(NotificationSerializer, self).to_representation(data)
peer = ret['peer']
if peer and peer.get('_bookmark_listing_ids'):
del peer['_bookmark_listing_ids']
# Used to anonymize usernames
anonymize_identifiable_data = system_anonymize_identifiable_data(self.context['request'].user.username)
if anonymize_identifiable_data:
if peer:
peer['user']['username'] = access_control_instance.anonymize_value('username')
# TODO: Hide Peer data (erivera 2016-07-29)
return ret
def to_representation(self, data):
access_control_instance = plugin_manager.get_system_access_control_plugin(
)
ret = super(ShortProfileSerializer, self).to_representation(data)
# Used to anonymize usernames
anonymize_identifiable_data = system_anonymize_identifiable_data(
self.context['request'].user.username)
check_request_self = False
if self.context['request'].user.id == ret['id']:
check_request_self = True
if anonymize_identifiable_data and not check_request_self:
ret['display_name'] = access_control_instance.anonymize_value(
'display_name')
ret['dn'] = access_control_instance.anonymize_value('dn')
return ret
def to_representation(self, data):
access_control_instance = plugin_manager.get_system_access_control_plugin(
)
ret = super(ContactSerializer, self).to_representation(data)
# Used to anonymize usernames
anonymize_identifiable_data = system_anonymize_identifiable_data(
self.context['request'].user.username)
if anonymize_identifiable_data:
ret['secure_phone'] = access_control_instance.anonymize_value(
'secure_phone')
ret['unsecure_phone'] = access_control_instance.anonymize_value(
'unsecure_phone')
ret['secure_phone'] = access_control_instance.anonymize_value(
'secure_phone')
ret['name'] = access_control_instance.anonymize_value('name')
ret['organization'] = access_control_instance.anonymize_value(
'organization')
ret['email'] = access_control_instance.anonymize_value('email')
return ret
def retrieve(self, request, pk=None):
"""
Return an image, enforcing access control
"""
queryset = self.get_queryset()
image = get_object_or_404(queryset, pk=pk)
image_path = model_access.get_image_path(pk)
# enforce access control
user = generic_model_access.get_profile(self.request.user.username)
access_control_instance = plugin_manager.get_system_access_control_plugin()
if not access_control_instance.has_access(user.access_control,
image.security_marking):
return Response(status=status.HTTP_403_FORBIDDEN)
content_type = 'image/' + image.file_extension
try:
with open(image_path, 'rb') as f:
return HttpResponse(f.read(), content_type=content_type)
except IOError:
logger.error('No image found for pk {0:d}'.format(pk))
return Response(status=status.HTTP_404_NOT_FOUND)
def validate(self, data):
access_control_instance = plugin_manager.get_system_access_control_plugin()
# logger.debug('inside ListingSerializer.validate', extra={'request':self.context.get('request')})
user = generic_model_access.get_profile(
self.context['request'].user.username)
if not data.get('title'):
raise serializers.ValidationError('Title is required')
data['description'] = data.get('description')
data['launch_url'] = data.get('launch_url')
data['version_name'] = data.get('version_name')
data['unique_name'] = data.get('unique_name')
data['what_is_new'] = data.get('what_is_new')
data['description_short'] = data.get('description_short')
data['requirements'] = data.get('requirements')
data['is_private'] = data.get('is_private', False)
if 'security_marking' not in data:
raise serializers.ValidationError('security_marking is required')
data['security_marking'] = data.get('security_marking')
if not access_control_instance.validate_marking(data['security_marking']):
raise errors.InvalidInput('security_marking is invalid')
# only checked on update, not create
data['is_enabled'] = data.get('is_enabled', False)
data['is_featured'] = data.get('is_featured', False)
data['approval_status'] = data.get('approval_status')
# agency
agency_title = data.get('agency')
if agency_title:
data['agency'] = agency_model_access.get_agency_by_title(agency_title['title'])
if data['agency'] is None:
raise serializers.ValidationError('Invalid Agency')
else:
data['agency'] = user.organizations.all()[0]
# listing_type
type_title = data.get('listing_type')
if type_title:
data['listing_type'] = model_access.get_listing_type_by_title(
data['listing_type']['title'])
else:
data['listing_type'] = None
# small_icon
small_icon = data.get('small_icon')
if small_icon:
if 'id' not in small_icon:
raise serializers.ValidationError('Image(small_icon) requires a {0!s}'.format('id'))
if small_icon.get('security_marking') is None:
small_icon['security_marking'] = constants.DEFAULT_SECURITY_MARKING
if not access_control_instance.validate_marking(small_icon['security_marking']):
raise errors.InvalidInput('security_marking is invalid')
else:
data['small_icon'] = None
# large_icon
large_icon = data.get('large_icon')
if large_icon:
if 'id' not in large_icon:
raise serializers.ValidationError('Image(large_icon) requires a {0!s}'.format('id'))
if large_icon.get('security_marking') is None:
large_icon['security_marking'] = constants.DEFAULT_SECURITY_MARKING
if not access_control_instance.validate_marking(large_icon['security_marking']):
raise errors.InvalidInput('security_marking is invalid')
else:
data['large_icon'] = None
# banner_icon
banner_icon = data.get('banner_icon')
if banner_icon:
if 'id' not in banner_icon:
raise serializers.ValidationError('Image(banner_icon) requires a {0!s}'.format('id'))
if banner_icon.get('security_marking') is None:
banner_icon['security_marking'] = constants.DEFAULT_SECURITY_MARKING
if not access_control_instance.validate_marking(banner_icon['security_marking']):
raise errors.InvalidInput('security_marking is invalid')
else:
data['banner_icon'] = None
# large_banner_icon
large_banner_icon = data.get('large_banner_icon')
if large_banner_icon:
if 'id' not in large_banner_icon:
raise serializers.ValidationError('Image(large_banner_icon) requires a {0!s}'.format('id'))
if large_banner_icon.get('security_marking') is None:
large_banner_icon['security_marking'] = constants.DEFAULT_SECURITY_MARKING
if not access_control_instance.validate_marking(large_banner_icon['security_marking']):
raise errors.InvalidInput('security_marking is invalid')
else:
data['large_banner_icon'] = None
# Screenshot
screenshots = data.get('screenshots')
if screenshots is not None:
screenshots_out = []
image_require_fields = ['id']
for screenshot_set in screenshots:
if ('small_image' not in screenshot_set or
'large_image' not in screenshot_set):
raise serializers.ValidationError(
'Screenshot Set requires {0!s} fields'.format('small_image, large_icon'))
screenshot_small_image = screenshot_set.get('small_image')
screenshot_large_image = screenshot_set.get('large_image')
for field in image_require_fields:
if field not in screenshot_small_image:
raise serializers.ValidationError('Screenshot Small Image requires a {0!s}'.format(field))
for field in image_require_fields:
if field not in screenshot_large_image:
raise serializers.ValidationError('Screenshot Large Image requires a {0!s}'.format(field))
if not screenshot_small_image.get('security_marking'):
screenshot_small_image['security_marking'] = constants.DEFAULT_SECURITY_MARKING
if not access_control_instance.validate_marking(screenshot_small_image['security_marking']):
raise errors.InvalidInput('security_marking is invalid')
if not screenshot_large_image.get('security_marking'):
screenshot_large_image['security_marking'] = constants.DEFAULT_SECURITY_MARKING
if not access_control_instance.validate_marking(screenshot_large_image['security_marking']):
raise errors.InvalidInput('security_marking is invalid')
screenshots_out.append(screenshot_set)
data['screenshots'] = screenshots_out
else:
data['screenshots'] = None
if 'contacts' in data:
required_fields = ['email', 'name', 'contact_type']
for contact in data['contacts']:
if 'secure_phone' not in contact:
contact['secure_phone'] = None
if 'unsecure_phone' not in contact:
contact['unsecure_phone'] = None
for field in required_fields:
if field not in contact:
raise serializers.ValidationError(
'Contact requires a {0!s}'.format(field))
owners = []
if 'owners' in data:
for owner in data['owners']:
owners.append(generic_model_access.get_profile(
owner['user']['username']))
data['owners'] = owners
categories = []
if 'categories' in data:
for category in data['categories']:
categories.append(category_model_access.get_category_by_title(
category['title']))
data['categories'] = categories
# tags will be created (if necessary) in create()
if 'tags' in data:
pass
intents = []
if 'intents' in data:
for intent in data['intents']:
intents.append(intent_model_access.get_intent_by_action(
intent['action']))
data['intents'] = intents
# doc urls will be created in create()
if 'doc_urls' in data:
pass
# logger.debug('leaving ListingSerializer.validate', extra={'request':self.context.get('request')})
return data
def validate(self, data):
access_control_instance = plugin_manager.get_system_access_control_plugin(
)
# logger.debug('inside ListingSerializer.validate', extra={'request':self.context.get('request')})
profile = generic_model_access.get_profile(
self.context['request'].user.username)
# This checks to see if value exist as a key and value is not None
if not data.get('title'):
raise serializers.ValidationError('Title is required')
if 'security_marking' not in data:
raise serializers.ValidationError('Security Marking is Required')
# Assign a default security_marking level if none is provided
if not data.get('security_marking'):
data['security_marking'] = constants.DEFAULT_SECURITY_MARKING
if not access_control_instance.validate_marking(
data['security_marking']):
raise serializers.ValidationError(
'Security Marking Format is Invalid')
# Don't allow user to select a security marking that is above
# their own access level
if not system_has_access_control(profile.user.username,
data.get('security_marking')):
raise serializers.ValidationError(
'Security marking too high for current user')
data['description'] = data.get('description')
data['launch_url'] = data.get('launch_url')
data['version_name'] = data.get('version_name')
data['unique_name'] = data.get('unique_name')
data['what_is_new'] = data.get('what_is_new')
data['description_short'] = data.get('description_short')
data['requirements'] = data.get('requirements')
data['is_private'] = data.get('is_private', False)
data['security_marking'] = data.get('security_marking')
# only checked on update, not create
data['is_enabled'] = data.get('is_enabled', False)
data['is_featured'] = data.get('is_featured', False)
data['approval_status'] = data.get('approval_status')
# Agency
agency_title = None if data.get('agency') is None else data.get(
'agency', {}).get('title')
if agency_title:
data['agency'] = agency_model_access.get_agency_by_title(
agency_title)
if data['agency'] is None:
raise serializers.ValidationError('Invalid Agency')
else:
data['agency'] = profile.organizations.all()[0]
# Listing Type
type_title = None if data.get('listing_type') is None else data.get(
'listing_type', {}).get('title')
if type_title:
data['listing_type'] = model_access.get_listing_type_by_title(
type_title)
else:
data['listing_type'] = None
# Images
image_keys = [
'small_icon', 'large_icon', 'banner_icon', 'large_banner_icon'
]
for image_key in image_keys:
current_image_value = data.get(image_key)
if current_image_value:
if 'id' not in current_image_value:
raise serializers.ValidationError(
'Image({!s}) requires a {!s}'.format(image_key, 'id'))
if current_image_value.get('security_marking') is None:
current_image_value[
'security_marking'] = constants.DEFAULT_SECURITY_MARKING
if not access_control_instance.validate_marking(
current_image_value['security_marking']):
raise errors.InvalidInput(
'{!s} Security Marking is invalid'.format(image_key))
else:
data[image_key] = None
# Screenshot
screenshots = data.get('screenshots')
if screenshots is not None:
screenshots_out = []
image_require_fields = ['id']
for screenshot_set in screenshots:
if ('small_image' not in screenshot_set
or 'large_image' not in screenshot_set):
raise serializers.ValidationError(
'Screenshot Set requires {0!s} fields'.format(
'small_image, large_icon'))
screenshot_small_image = screenshot_set.get('small_image')
screenshot_large_image = screenshot_set.get('large_image')
for field in image_require_fields:
if field not in screenshot_small_image:
raise serializers.ValidationError(
'Screenshot Small Image requires a {0!s}'.format(
field))
for field in image_require_fields:
if field not in screenshot_large_image:
raise serializers.ValidationError(
'Screenshot Large Image requires a {0!s}'.format(
field))
if not screenshot_small_image.get('security_marking'):
screenshot_small_image[
'security_marking'] = constants.DEFAULT_SECURITY_MARKING
if not access_control_instance.validate_marking(
screenshot_small_image['security_marking']):
raise errors.InvalidInput('Security Marking is invalid')
if not screenshot_large_image.get('security_marking'):
screenshot_large_image[
'security_marking'] = constants.DEFAULT_SECURITY_MARKING
if not access_control_instance.validate_marking(
screenshot_large_image['security_marking']):
raise errors.InvalidInput('Security Marking is invalid')
screenshots_out.append(screenshot_set)
data['screenshots'] = screenshots_out
else:
data['screenshots'] = None
# Contacts
if 'contacts' in data:
for contact in data['contacts']:
if 'name' not in contact:
raise serializers.ValidationError(
'Contact requires [name] field')
if 'email' not in contact:
raise serializers.ValidationError(
'Contact requires [email] field')
if 'secure_phone' not in contact:
contact['secure_phone'] = None
if 'unsecure_phone' not in contact:
contact['unsecure_phone'] = None
if 'contact_type' not in contact:
raise serializers.ValidationError(
'Contact requires [contact_type] field')
contact_type = contact.get('contact_type')
contact_type_name = None if contact_type is None else contact_type.get(
'name')
if not contact_type_name:
raise serializers.ValidationError(
'Contact field requires correct format')
contact_type_instance = contact_type_model_access.get_contact_type_by_name(
contact_type_name)
if not contact_type_instance:
raise serializers.ValidationError(
'Contact Type [{}] not found'.format(
contact_type_name))
# owners
owners = []
if 'owners' in data:
for owner in data['owners']:
user_dict = owner.get('user')
user_username = None if user_dict is None else user_dict.get(
'username')
if not user_username:
raise serializers.ValidationError(
'Owner field requires correct format')
owner_profile = generic_model_access.get_profile(user_username)
if not owner_profile:
raise serializers.ValidationError(
'Owner Profile not found')
# Don't allow user to select a security marking that is above
# their own access level
if not system_has_access_control(owner_profile.user.username,
data.get('security_marking')):
raise serializers.ValidationError(
'Security marking too high for current owner profile')
owners.append(owner_profile)
data['owners'] = owners
# Categories
categories = []
if 'categories' in data:
for category in data['categories']:
category_title = category.get('title')
if not category_title:
raise serializers.ValidationError(
'Categories field requires correct format')
category_instance = category_model_access.get_category_by_title(
category_title)
if not category_instance:
raise serializers.ValidationError(
'Category [{}] not found'.format(category_title))
categories.append(category_instance)
data['categories'] = categories
# Intents
intents = []
if 'intents' in data:
for intent in data['intents']:
intent_action = intent.get('action')
if not intent_action:
raise serializers.ValidationError(
'Intent field requires correct format')
intent_instance = intent_model_access.get_intent_by_action(
intent_action)
if not intent_instance:
raise serializers.ValidationError(
'Intent Action [{}] not found'.format(intent_action))
intents.append(intent_instance)
data['intents'] = intents
# doc urls will be created in create()
if 'doc_urls' in data:
pass
# tags will be created (if necessary) in create()
if 'tags' in data:
pass
# logger.debug('leaving ListingSerializer.validate', extra={'request':self.context.get('request')})
return data
