def test_user_permissions(self):
    """Check the user-scoped permission listing of a collection.

    Grants are made to two users and two groups, but the listing is always
    requested for ``user1``. The expected result holds only ``user1``'s own
    entry plus entries for groups ``user1`` belongs to; the grant made to
    ``user2`` is never expected, and ``group2`` is expected only after
    ``user1`` joins it. A grant to ``self.anonymous`` is expected to show
    up as an entry of type ``public``.
    """
    collection = self.collection
    user = self.user1
    self.group1.user_set.add(user)

    # Same grants, same order as individual assign_perm calls.
    grants = (
        ("view_collection", self.user1),
        ("edit_collection", self.user1),
        ("view_collection", self.user2),
        ("view_collection", self.group1),
        ("edit_collection", self.group1),
        ("view_collection", self.group2),
    )
    for codename, principal in grants:
        assign_perm(codename, principal, collection)

    # user2 and group2 hold grants too, yet neither is expected here:
    # user1 is not (yet) a member of group2.
    expected = [
        {'permissions': ['edit', 'view'], 'type': 'user', 'id': user.pk, 'name': 'test_user1'},
        {'permissions': ['edit', 'view'], 'type': 'group', 'id': self.group1.pk, 'name': 'Test group 1'},
    ]
    six.assertCountEqual(self, expected, get_object_perms(collection, user))

    # Joining group2 makes its grant visible in user1's listing.
    self.group2.user_set.add(user)
    expected.append(
        {'permissions': ['view'], 'type': 'group', 'id': self.group2.pk, 'name': 'Test group 2'},
    )
    six.assertCountEqual(self, expected, get_object_perms(collection, user))

    # A grant to the anonymous user is reported as a 'public' entry.
    assign_perm("view_collection", self.anonymous, collection)
    expected.append(
        {'permissions': ['view'], 'type': 'public'},
    )
    six.assertCountEqual(self, expected, get_object_perms(collection, user))
def test_user_permissions(self):
    """Check the user-scoped permission listing of a collection.

    The listing is always requested for ``user1``. Only ``user1``'s own
    entry and the entries of groups ``user1`` is a member of are expected;
    the grant to ``user2`` is never expected and ``group2`` appears only
    once ``user1`` has joined it. A grant to ``self.anonymous`` is expected
    as an entry of type ``public``.
    """
    target = self.collection
    viewer = self.user1
    self.group1.user_set.add(viewer)

    # Grants are applied in this exact order.
    for perm_name, holder in (
        ("view_collection", self.user1),
        ("edit_collection", self.user1),
        ("view_collection", self.user2),
        ("view_collection", self.group1),
        ("edit_collection", self.group1),
        ("view_collection", self.group2),
    ):
        assign_perm(perm_name, holder, target)

    def assert_listing(expected_entries):
        # Order-insensitive comparison against the listing scoped to user1.
        listing = get_object_perms(target, viewer)
        six.assertCountEqual(self, expected_entries, listing)

    # Grants held by user2 and by group2 (no membership yet) must not appear.
    wanted = [
        {"permissions": ["edit", "view"], "type": "user", "id": viewer.pk, "name": "test_user1"},
        {"permissions": ["edit", "view"], "type": "group", "id": self.group1.pk, "name": "Test group 1"},
    ]
    assert_listing(wanted)

    # Membership in group2 exposes that group's grant.
    self.group2.user_set.add(viewer)
    wanted.append({"permissions": ["view"], "type": "group", "id": self.group2.pk, "name": "Test group 2"})
    assert_listing(wanted)

    # The anonymous user's grant is listed as 'public'.
    assign_perm("view_collection", self.anonymous, target)
    wanted.append({"permissions": ["view"], "type": "public"})
    assert_listing(wanted)
def test_all_permissions(self):
    """Check the unscoped permission listing of a collection.

    ``get_object_perms`` is called without a user, and the expected result
    grows with every grant: first nothing, then both users, then both
    groups, and finally a ``public`` entry for the grant made to
    ``self.anonymous``.
    """
    collection = self.collection
    self.group1.user_set.add(self.user1)

    # Group membership alone, without any grant, yields an empty listing.
    self.assertEqual(len(get_object_perms(collection)), 0)

    def assert_listing(expected):
        # Fetch first, then sort both sides with the test case's own helper.
        actual = get_object_perms(collection)
        self.assertCountEqual(self._sort_perms(expected), self._sort_perms(actual))

    for codename, principal in (
        ("view_collection", self.user1),
        ("edit_collection", self.user1),
        ("view_collection", self.user2),
    ):
        assign_perm(codename, principal, collection)
    expected = [
        {'permissions': ['edit', 'view'], 'type': 'user', 'id': self.user1.pk, 'name': 'test_user1'},
        {'permissions': ['view'], 'type': 'user', 'id': self.user2.pk, 'name': 'test_user2'},
    ]
    assert_listing(expected)

    for codename, principal in (
        ("view_collection", self.group1),
        ("edit_collection", self.group1),
        ("view_collection", self.group2),
    ):
        assign_perm(codename, principal, collection)
    expected += [
        {'permissions': ['edit', 'view'], 'type': 'group', 'id': self.group1.pk, 'name': 'Test group 1'},
        {'permissions': ['view'], 'type': 'group', 'id': self.group2.pk, 'name': 'Test group 2'},
    ]
    assert_listing(expected)

    # The anonymous user's grant is reported as a 'public' entry.
    assign_perm("view_collection", self.anonymous, collection)
    expected.append(
        {'permissions': ['view'], 'type': 'public'},
    )
    assert_listing(expected)
def test_all_permissions(self):
    """Check the unscoped permission listing of a collection.

    ``get_object_perms`` is called without a user. The expected listing
    starts empty and then gains the two user entries (each carrying a
    ``username`` key), the two group entries, and finally a ``public``
    entry for the grant made to ``self.anonymous``.
    """
    target = self.collection
    self.group1.user_set.add(self.user1)

    # No grants yet: membership in group1 by itself lists nothing.
    self.assertEqual(len(get_object_perms(target)), 0)

    def assert_listing(wanted):
        # Fetch first, then sort both sides with the test case's own helper.
        listing = get_object_perms(target)
        self.assertCountEqual(self._sort_perms(wanted), self._sort_perms(listing))

    for perm_name, holder in (
        ("view_collection", self.user1),
        ("edit_collection", self.user1),
        ("view_collection", self.user2),
    ):
        assign_perm(perm_name, holder, target)
    user1_entry = {
        "permissions": ["edit", "view"],
        "type": "user",
        "id": self.user1.pk,
        "name": "test_user1",
        "username": "******",
    }
    user2_entry = {
        "permissions": ["view"],
        "type": "user",
        "id": self.user2.pk,
        "name": "test_user2",
        "username": "******",
    }
    wanted = [user1_entry, user2_entry]
    assert_listing(wanted)

    for perm_name, holder in (
        ("view_collection", self.group1),
        ("edit_collection", self.group1),
        ("view_collection", self.group2),
    ):
        assign_perm(perm_name, holder, target)
    wanted += [
        {
            "permissions": ["edit", "view"],
            "type": "group",
            "id": self.group1.pk,
            "name": "Test group 1",
        },
        {
            "permissions": ["view"],
            "type": "group",
            "id": self.group2.pk,
            "name": "Test group 2",
        },
    ]
    assert_listing(wanted)

    # The anonymous user's grant is reported as a 'public' entry.
    assign_perm("view_collection", self.anonymous, target)
    wanted.append({"permissions": ["view"], "type": "public"})
    assert_listing(wanted)
def detail_permissions(self, request, pk=None):
    """Get or set permissions API endpoint.

    Any request ends by returning the object's permission listing. A POST
    first validates the submitted payload, applies it, and verifies that at
    least one user-level owner permission remains.

    NOTE(review): this listing lost its indentation; the nesting below is
    reconstructed and should be confirmed against the original file, in
    particular which statements sit inside the atomic block.
    NOTE(review): no check that the requester may share this object is
    visible in this method; presumably the view's permission classes or the
    check_* helpers enforce it. Confirm.
    """
    obj = self.get_object()
    if request.method == 'POST':
        content_type = ContentType.objects.get_for_model(obj)
        payload = request.data
        # 'share_content' is removed from the payload before the payload is
        # validated and applied.
        # NOTE(review): strtobool receives the raw client value; confirm it
        # tolerates non-string input such as a JSON boolean.
        share_content = strtobool(payload.pop('share_content', 'false'))
        user = request.user
        is_owner = user.has_perm('owner_{}'.format(content_type), obj=obj)
        # Only owners and superusers are flagged as allowed to change owner
        # permissions; the flag is handed to check_owner_permission.
        allow_owner = is_owner or user.is_superuser
        # All three checks run before anything is written.
        # NOTE(review): presumably they raise on a disallowed change; their
        # bodies are not shown here.
        check_owner_permission(payload, allow_owner)
        check_public_permissions(payload)
        check_user_permissions(payload, request.user.pk)
        with transaction.atomic():
            update_permission(obj, payload)
            # Counts user-level permissions whose codename starts with
            # 'owner_'; group-level rows are not part of this query.
            owner_count = UserObjectPermission.objects.filter(
                object_pk=obj.id,
                content_type=content_type,
                permission__codename__startswith='owner_'
            ).count()
            # Raised while the atomic block is still open, so (with Django's
            # transaction.atomic) the update above is rolled back rather than
            # leaving the object without an owner.
            if not owner_count:
                raise exceptions.ParseError('Object must have at least one owner.')
        if share_content:
            self.set_content_permissions(user, obj, payload)
    return Response(get_object_perms(obj))
def detail_permissions(self, request, pk=None):
    """Get or set permissions API endpoint.

    Any request ends by returning the object's permission listing. A POST
    first validates the submitted payload, applies it, and verifies that at
    least one user-level owner permission remains.

    NOTE(review): this listing lost its indentation; the nesting below is
    reconstructed and should be confirmed against the original file, in
    particular which statements sit inside the atomic block.
    NOTE(review): no check that the requester may share this object is
    visible in this method; presumably the view's permission classes or the
    check_* helpers enforce it. Confirm.
    """
    obj = self.get_object()
    if request.method == 'POST':
        content_type = ContentType.objects.get_for_model(obj)
        payload = request.data
        # 'share_content' is taken out of the payload before validation.
        # NOTE(review): strtobool receives the raw client value; confirm it
        # tolerates non-string input such as a JSON boolean.
        share_content = strtobool(payload.pop('share_content', 'false'))
        user = request.user
        is_owner = user.has_perm('owner_{}'.format(content_type), obj=obj)
        # Owner-level changes are allowed only for owners and superusers.
        allow_owner = is_owner or user.is_superuser
        # Validation happens before the write.
        # NOTE(review): presumably these raise on a disallowed change; their
        # bodies are not shown here.
        check_owner_permission(payload, allow_owner)
        check_public_permissions(payload)
        check_user_permissions(payload, request.user.pk)
        with transaction.atomic():
            update_permission(obj, payload)
            # Only user-level permissions with an 'owner_' codename prefix
            # are counted.
            owner_count = UserObjectPermission.objects.filter(
                object_pk=obj.id,
                content_type=content_type,
                permission__codename__startswith='owner_').count()
            # Raising with the atomic block still open rolls the update back
            # (Django's transaction.atomic), so the last owner cannot be
            # removed.
            if not owner_count:
                raise exceptions.ParseError(
                    'Object must have at least one owner.')
        if share_content:
            self.set_content_permissions(user, obj, payload)
    return Response(get_object_perms(obj))
def to_representation(serializer_self, instance):  # pylint: disable=no-self-argument
    """Serialize ``instance`` and attach the requesting user's permissions on it.

    ``serializer_self`` is the serializer. ``self`` is not a parameter of
    this function; it is a free variable that supplies ``request``.
    """
    # TODO: These permissions queries may be expensive. Should we limit or optimize this?
    parent = super(SerializerWithPermissions, serializer_self)
    representation = parent.to_representation(instance)
    requesting_user = self.request.user
    representation['current_user_permissions'] = get_object_perms(instance, requesting_user)
    return representation
def to_representation(serializer_self, instance):  # pylint: disable=no-self-argument
    """Serialize ``instance``, adding the requesting user's permissions on request.

    The ``current_user_permissions`` key is added when the query string has
    no ``fields`` parameter, or when that parameter contains the key name.
    ``self`` is a free variable here (not a parameter) and supplies
    ``request``.
    """
    representation = super().to_representation(instance)
    params = self.request.query_params
    # NOTE(review): if params['fields'] is a plain string, ``in`` below is a
    # substring test rather than a match on a parsed field list. Confirm.
    if 'fields' in params and 'current_user_permissions' not in params['fields']:
        # An explicit field selection without the key skips the lookup.
        return representation
    representation['current_user_permissions'] = get_object_perms(instance, self.request.user)
    return representation
def to_representation(serializer_self, instance: models.Model):
    """Serialize ``instance``, adding the requesting user's permissions on request.

    The ``current_user_permissions`` key is added when the query string has
    no ``fields`` parameter, or when that parameter contains the key name.
    ``self`` is a free variable here (not a parameter) and supplies
    ``request``.
    """
    representation = super().to_representation(instance)
    params = self.request.query_params
    # NOTE(review): if params["fields"] is a plain string, ``in`` below is a
    # substring test rather than a match on a parsed field list. Confirm.
    if "fields" in params and "current_user_permissions" not in params["fields"]:
        # An explicit field selection without the key skips the lookup.
        return representation
    # NOTE(review): the meaning of the third positional argument (True) is
    # defined by get_object_perms, which is not shown here.
    representation["current_user_permissions"] = get_object_perms(instance, self.request.user, True)
    return representation
def to_representation(serializer_self, instance):  # pylint: disable=no-self-argument
    """Serialize ``instance``, optionally with the requesting user's permissions.

    ``current_user_permissions`` is included unless the request carries a
    ``fields`` query parameter that does not contain that key name.
    ``self`` is a free variable here (not a parameter) and supplies
    ``request``.
    """
    serialized = super().to_representation(instance)
    query = self.request.query_params
    # NOTE(review): on a plain string value, ``in`` is a substring test, not
    # a match against a parsed list of field names. Confirm.
    include_permissions = (
        'fields' not in query
        or 'current_user_permissions' in query['fields']
    )
    if include_permissions:
        current_user = self.request.user
        serialized['current_user_permissions'] = get_object_perms(instance, current_user)
    return serialized
def detail_permissions(self, request, pk=None):
    """API endpoint to get/set permissions.

    Any request ends by returning the object's permission listing. A POST
    first passes ``request.data`` through the filter helpers and then
    applies it to the object.

    NOTE(review): this listing lost its indentation; the nesting below is
    reconstructed. Confirm that only the owner filter is conditional.
    NOTE(review): no transaction and no remaining-owner check are visible
    around the write in this method.
    """
    obj = self.get_object()
    if request.method == 'POST':
        content_type = ContentType.objects.get_for_model(obj)
        owner_perm = 'owner_{}'.format(content_type)
        # Requesters who are neither owner of the object nor superuser get
        # the payload passed through the owner filter.
        if not (request.user.has_perm(owner_perm, obj=obj) or request.user.is_superuser):
            self._filter_owner_permission(request.data)
        # The helpers' return values are ignored, so any effect they have
        # must come from changing request.data in place or from raising.
        self._filter_public_permissions(request.data)
        self._filter_user_permissions(request.data, request.user.pk)
        self._update_permission(obj, request.data)
    return Response(get_object_perms(obj))
def detail_permissions(self, request, pk=None):
    """Get or set permissions API endpoint.

    Any request ends by returning the object's permission listing. A POST
    first passes ``request.data`` through the filter helpers and then
    applies it to the object.

    NOTE(review): this listing lost its indentation; the nesting below is
    reconstructed. Confirm that only the owner filter is conditional.
    NOTE(review): no transaction and no remaining-owner check are visible
    around the write in this method.
    """
    obj = self.get_object()
    if request.method == 'POST':
        content_type = ContentType.objects.get_for_model(obj)
        owner_perm = 'owner_{}'.format(content_type)
        # The owner filter applies only to requesters who are neither owner
        # of the object nor superuser.
        if not (request.user.has_perm(owner_perm, obj=obj) or request.user.is_superuser):
            self._filter_owner_permission(request.data)
        # Return values are discarded: the helpers can only act by mutating
        # request.data in place or by raising.
        self._filter_public_permissions(request.data)
        self._filter_user_permissions(request.data, request.user.pk)
        self._update_permission(obj, request.data)
    return Response(get_object_perms(obj))
def detail_permissions(self, request: Request, pk=None) -> Response: """Get or set permissions API endpoint.""" # The object is taken from the queryset on the view for which # permissions are prefetched for the current user only. # This implies that obj.permission_group.permissions returns # permissions for the current user. # To get all the permissions we have to perform a refresh from the # database. This must only be done if user has share permission on the # given object otherwise only his permissions must be returned. obj = self.get_object() if obj.has_permission(Permission.SHARE, request.user): obj.refresh_from_db() audit_manager = AuditManager.global_instance() if request.method == "POST": audit_manager.log_message("Permissions updated: %s", request.data) allow_owner = obj.is_owner( request.user) or request.user.is_superuser check_owner_permission(request.data, allow_owner, obj) check_public_permissions(request.data) check_user_permissions(request.data, request.user.pk) with transaction.atomic(): update_permission(obj, request.data) owner_count = obj.permission_group.permissions.filter( value=Permission.OWNER.value, user__isnull=False).count() if not owner_count: raise exceptions.ParseError( "Object must have at least one owner.") else: audit_manager.log_message("Permissions read: %s", request.data) return Response(get_object_perms(obj))
def to_representation(serializer_self, instance):  # pylint: disable=no-self-argument
    """Serialize ``instance`` and attach the requesting user's permissions on it.

    The permissions are stored under the ``permissions`` key.
    ``serializer_self`` is the serializer; ``self`` is not a parameter of
    this function but a free variable that supplies ``request``.
    """
    # TODO: These permissions queries may be expensive. Should we limit or optimize this?
    parent = super(SerializerWithPermissions, serializer_self)
    serialized = parent.to_representation(instance)
    requesting_user = self.request.user
    serialized['permissions'] = get_object_perms(instance, requesting_user)
    return serialized