def test_RemoveUserFromWorkgroup(self):
    """Removing a user from a workgroup must revoke their manager rights."""
    user_model = get_user_model()
    workgroup = models.Workgroup.objects.create(name="Test WG 1")
    created = user_model.objects.create_user('*****@*****.**', 'editor1')
    workgroup.managers.add(created)

    # Re-fetch the user so the permission helpers see the new membership.
    before_removal = user_model.objects.get(pk=created.pk)
    self.assertTrue(perms.user_in_workgroup(before_removal, workgroup))
    self.assertTrue(perms.user_is_workgroup_manager(before_removal, workgroup))

    workgroup.removeUser(before_removal)

    # Re-fetch again for the same reason before checking the revocation.
    # NOTE(review): only the manager check is repeated after removal;
    # user_in_workgroup is not asserted to be False here.
    after_removal = user_model.objects.get(pk=before_removal.pk)
    self.assertFalse(perms.user_is_workgroup_manager(after_removal, workgroup))
def test_RemoveUserFromWorkgroup(self):
    """Check that ``removeUser`` takes manager rights away from the user."""
    workgroup = models.Workgroup.objects.create(name="Test WG 1")
    editor = User.objects.create_user('editor1', '', 'editor1')
    workgroup.managers.add(editor)

    # Reload from the database so stale cached permissions are not used.
    editor = User.objects.get(pk=editor.pk)
    for membership_check in (perms.user_in_workgroup, perms.user_is_workgroup_manager):
        self.assertTrue(membership_check(editor, workgroup))

    workgroup.removeUser(editor)

    # Reload once more before asserting that the manager right is gone.
    # NOTE(review): user_in_workgroup is not re-checked after the removal.
    editor = User.objects.get(pk=editor.pk)
    self.assertFalse(perms.user_is_workgroup_manager(editor, workgroup))
def add_members(request, iid):
    """Let a workgroup manager give roles to users of workgroup ``iid``.

    Raises ``PermissionDenied`` unless ``request.user`` manages the
    workgroup. A valid POST grants every selected role to every selected
    user and redirects to the members page; any other request (or an
    invalid POST) renders the form.
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    if not workgroup or not user_is_workgroup_manager(request.user, workgroup):
        raise PermissionDenied

    if request.method != 'POST':
        # Unsubmitted form: pre-select any roles named in the query string.
        form = MDRForms.workgroups.AddMembers(
            initial={'roles': request.GET.getlist('role')})
    else:
        form = MDRForms.workgroups.AddMembers(request.POST)
        if form.is_valid():
            chosen_users = form.cleaned_data['users']
            chosen_roles = form.cleaned_data['roles']
            for member in chosen_users:
                for granted_role in chosen_roles:
                    workgroup.giveRoleToUser(granted_role, member)
            members_url = reverse("aristotle:workgroupMembers", args=[workgroup.pk])
            return HttpResponseRedirect(members_url)

    template_context = {
        "item": workgroup,
        "form": form,
        "role": request.GET.get('role'),
    }
    return render(request, "aristotle_mdr/actions/addWorkgroupMember.html", template_context)
def add_members(request, iid):
    """Grant workgroup roles to users on behalf of a workgroup manager.

    Only managers of the workgroup may use this view; everyone else gets
    ``PermissionDenied``. On a valid POST each chosen user receives each
    chosen role and the response redirects to the members list. Otherwise
    the add-member form is rendered.
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    is_manager = workgroup and user_is_workgroup_manager(request.user, workgroup)
    if not is_manager:
        raise PermissionDenied

    submitted = request.method == 'POST'
    if submitted:
        form = MDRForms.workgroups.AddMembers(request.POST)
        if form.is_valid():
            users = form.cleaned_data['users']
            roles = form.cleaned_data['roles']
            for target_user in users:
                for target_role in roles:
                    workgroup.giveRoleToUser(target_role, target_user)
            return HttpResponseRedirect(
                reverse("aristotle:workgroupMembers", args=[workgroup.pk])
            )
    else:
        # Roles passed as ?role=... are offered as the initial selection.
        preselected = request.GET.getlist('role')
        form = MDRForms.workgroups.AddMembers(initial={'roles': preselected})

    return render(
        request,
        "aristotle_mdr/actions/addWorkgroupMember.html",
        {"item": workgroup, "form": form, "role": request.GET.get('role')},
    )
def items(request, iid):
    """Show a paginated list of the concepts owned by workgroup ``iid``.

    Raises ``PermissionDenied`` when ``request.user`` is not in the
    workgroup.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)
    member = user_in_workgroup(request.user, wg)
    if not member:
        raise PermissionDenied

    concepts = MDR._concept.objects.filter(workgroup=iid).select_subclasses()
    page_context = {
        "item": wg,
        "workgroup": wg,
        "user_is_admin": user_is_workgroup_manager(request.user, wg),
    }
    return paginated_list(request, concepts, "aristotle_mdr/workgroupItems.html", page_context)
def workgroupItems(request, iid):
    """Render every concept that belongs to workgroup ``iid``.

    Raises ``PermissionDenied`` when ``request.user`` is not in the
    workgroup.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)
    if not user_in_workgroup(request.user, wg):
        raise PermissionDenied

    is_admin = user_is_workgroup_manager(request.user, wg)
    concepts = MDR._concept.objects.filter(workgroup=iid).select_subclasses()
    template_context = {
        "item": wg,
        "workgroup": wg,
        "user_is_admin": is_admin,
        "items": concepts,
    }
    return render(request, "aristotle_mdr/workgroupItems.html", template_context)
def workgroup(request, iid):
    """Render the home page of workgroup ``iid`` with its recent concepts.

    Raises ``PermissionDenied`` when ``request.user`` is not in the
    workgroup. The ten most recently modified concepts are passed to the
    workgroup's own template as ``recent``.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)
    if not user_in_workgroup(request.user, wg):
        raise PermissionDenied

    is_admin = user_is_workgroup_manager(request.user, wg)
    owned = MDR._concept.objects.filter(workgroup=iid).select_subclasses()
    template_context = {
        "item": wg,
        "workgroup": wg,
        "user_is_admin": is_admin,
        "recent": owned.order_by('-modified')[:10],
    }
    return render(request, wg.template, template_context)
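def get_context_data(self, **kwargs):
    """Add the workgroup and the viewer's manager flag to the context.

    Starts from the super-class context, because it may already set a
    value for ``workgroup``, then sets ``item``, ``workgroup`` and
    ``user_is_admin``.
    """
    context = super().get_context_data(**kwargs)
    # Resolve the object once: repeating get_object() for every key repeats
    # the lookup and could hand the template different instances.
    workgroup = self.get_object()
    context.update({
        'item': workgroup,
        'workgroup': workgroup,
        'user_is_admin': user_is_workgroup_manager(self.request.user, workgroup),
    })
    return context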
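def get_context_data(self, **kwargs):
    """Extend the inherited context with workgroup details.

    The super-class context is fetched first because it may set a value
    for ``workgroup``; ``item``, ``workgroup`` and ``user_is_admin`` are
    then written on top of it.
    """
    context = super().get_context_data(**kwargs)
    # A single get_object() call keeps all three entries on the same
    # instance and avoids repeating the lookup.
    current = self.get_object()
    context.update({
        'item': current,
        'workgroup': current,
        'user_is_admin': user_is_workgroup_manager(self.request.user, current),
    })
    return context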
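def remove_role(request, iid, role, userid):
    """Remove ``role`` from user ``userid`` in workgroup ``iid``.

    Raises ``PermissionDenied`` unless ``request.user`` manages the
    workgroup. Failures while looking up the user or removing the role are
    ignored, and the response always redirects to the members page.
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    if not (workgroup and user_is_workgroup_manager(request.user, workgroup)):
        raise PermissionDenied

    # NOTE(review): membership is changed without checking request.method,
    # so a plain GET triggers it. Nothing visible here restricts the method;
    # confirm the URLconf or decorators require POST so CSRF protection
    # applies.
    try:
        user = User.objects.get(id=userid)
        workgroup.removeRoleFromUser(role, user)
    except Exception:
        # Deliberately best effort (unknown user or role), but no longer a
        # bare ``except`` that would also swallow KeyboardInterrupt and
        # SystemExit.
        pass
    return HttpResponseRedirect(reverse("aristotle:workgroupMembers", args=[workgroup.pk]))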
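def workgroup(request, iid, name_slug):
    """Render the home page of workgroup ``iid`` for one of its members.

    Raises ``PermissionDenied`` when ``request.user`` is not in the
    workgroup. Members who arrive with a ``name_slug`` that is not a prefix
    of the slugified workgroup name are redirected to the canonical URL.
    The five most recently modified concepts are passed as ``recent``.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)

    # Authorise before the slug redirect: redirecting first would hand the
    # canonical URL to users outside the workgroup.
    # NOTE(review): presumably get_absolute_url() embeds the slugified
    # name, which is what would be disclosed - confirm.
    if not user_in_workgroup(request.user, wg):
        raise PermissionDenied

    if not slugify(wg.name).startswith(str(name_slug)):
        return redirect(wg.get_absolute_url())

    renderDict = {
        "item": wg,
        "workgroup": wg,
        "user_is_admin": user_is_workgroup_manager(request.user, wg),
    }
    renderDict['recent'] = (
        MDR._concept.objects.filter(workgroup=iid)
        .select_subclasses()
        .order_by('-modified')[:5]
    )
    return render(request, wg.template, renderDict)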
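def members(request, iid):
    """Render the member list of workgroup ``iid``.

    Raises ``PermissionDenied`` when ``request.user`` is not in the
    workgroup.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)

    # Check membership before building the context, as the other workgroup
    # views do, so no per-user permission work runs for a denied caller.
    if not user_in_workgroup(request.user, wg):
        raise PermissionDenied

    renderDict = {
        "item": wg,
        "workgroup": wg,
        "user_is_admin": user_is_workgroup_manager(request.user, wg),
    }
    return render(request, "aristotle_mdr/workgroupMembers.html", renderDict)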
def archive(request, iid):
    """Toggle the ``archived`` flag of workgroup ``iid``.

    Raises ``PermissionDenied`` unless ``request.user`` manages the
    workgroup. Only a POST flips and saves the flag, then redirects to the
    workgroup page; any other method renders the confirmation template.
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    if not workgroup or not user_is_workgroup_manager(request.user, workgroup):
        raise PermissionDenied

    if request.method != 'POST':
        return render(request, "aristotle_mdr/actions/archive_workgroup.html", {"item": workgroup})

    # Confirmed by form submission: invert the current state and persist it.
    workgroup.archived = not workgroup.archived
    workgroup.save()
    return HttpResponseRedirect(workgroup.get_absolute_url())
def archive(request, iid):
    """Archive or un-archive workgroup ``iid`` for one of its managers.

    Non-managers get ``PermissionDenied``. The state only changes on POST,
    after which the caller is redirected to the workgroup; other methods
    show the confirmation page.
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    may_manage = workgroup and user_is_workgroup_manager(request.user, workgroup)
    if not may_manage:
        raise PermissionDenied

    confirmed = request.method == 'POST'
    if confirmed:
        workgroup.archived = not workgroup.archived
        workgroup.save()
        return HttpResponseRedirect(workgroup.get_absolute_url())

    confirmation_context = {"item": workgroup}
    return render(request, "aristotle_mdr/actions/archive_workgroup.html", confirmation_context)
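def remove_role(request, iid, role, userid):
    """Strip ``role`` from user ``userid`` within workgroup ``iid``.

    Only managers of the workgroup may call this; others get
    ``PermissionDenied``. Errors during the user lookup or the role removal
    are ignored and the caller is always redirected to the members page.
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    if not (workgroup and user_is_workgroup_manager(request.user, workgroup)):
        raise PermissionDenied

    # NOTE(review): the removal runs for any HTTP method. Confirm that the
    # route is limited to POST elsewhere, otherwise a GET changes state
    # with no CSRF check.
    try:
        user = User.objects.get(id=userid)
        workgroup.removeRoleFromUser(role, user)
    except Exception:
        # Best effort by design; ``Exception`` rather than a bare
        # ``except`` so interpreter-exit signals still propagate.
        pass
    return HttpResponseRedirect(
        reverse("aristotle:workgroupMembers", args=[workgroup.pk]))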
def items(request, iid):
    """List, with pagination, the concepts assigned to workgroup ``iid``.

    Users outside the workgroup get ``PermissionDenied``.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)
    if not user_in_workgroup(request.user, wg):
        raise PermissionDenied

    workgroup_concepts = MDR._concept.objects.filter(workgroup=iid).select_subclasses()
    context = dict(
        item=wg,
        workgroup=wg,
        user_is_admin=user_is_workgroup_manager(request.user, wg),
    )
    return paginated_list(
        request,
        workgroup_concepts,
        "aristotle_mdr/workgroupItems.html",
        context,
    )
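def removeWorkgroupRole(request, iid, rolename, userid):
    """Remove ``rolename`` from user ``userid`` in workgroup ``iid``.

    Anonymous callers are redirected to the login page; other users who do
    not manage the workgroup get ``PermissionDenied``. Failures during the
    user lookup or role removal are ignored, and the response redirects to
    the workgroup's members page.
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    if not (workgroup and user_is_workgroup_manager(request.user, workgroup)):
        if request.user.is_anonymous():
            # NOTE(review): request.path is interpolated into the query
            # string without URL-encoding, so a path containing '&' or '#'
            # would corrupt the ``next`` value - consider quoting it.
            return redirect('/accounts/login?next=%s' % request.path)
        else:
            raise PermissionDenied

    # NOTE(review): the role is removed whatever the HTTP method is.
    # Confirm the route is POST-only so CSRF protection covers it.
    try:
        user = User.objects.get(id=userid)
        workgroup.removeRoleFromUser(rolename, user)
    except Exception:
        # Best effort by design, but ``Exception`` instead of a bare
        # ``except`` so KeyboardInterrupt and SystemExit are not swallowed.
        pass
    return HttpResponseRedirect('/workgroup/%s/members' % (workgroup.id))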
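def workgroup(request, iid, name_slug):
    """Show the home page of workgroup ``iid`` to a member of it.

    Users outside the workgroup get ``PermissionDenied``. A member whose
    ``name_slug`` is not a prefix of the slugified workgroup name is
    redirected to the canonical URL. The template receives the five most
    recently modified concepts as ``recent``.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)

    # The membership check comes first so that a caller outside the
    # workgroup never receives the redirect target.
    # NOTE(review): presumably that URL contains the slugified workgroup
    # name - confirm against get_absolute_url().
    if not user_in_workgroup(request.user, wg):
        raise PermissionDenied

    if not slugify(wg.name).startswith(str(name_slug)):
        return redirect(wg.get_absolute_url())

    renderDict = {
        "item": wg,
        "workgroup": wg,
        "user_is_admin": user_is_workgroup_manager(request.user, wg)
    }
    renderDict['recent'] = MDR._concept.objects.filter(
        workgroup=iid).select_subclasses().order_by('-modified')[:5]
    return render(request, wg.template, renderDict)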
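def is_workgroup_manager(user, workgroup):
    """
    A filter that acts as a wrapper around ``aristotle_mdr.perms.user_is_workgroup_manager``.
    Returns true if the user has permission to administer the workgroup, otherwise it returns False.
    If calling ``user_is_workgroup_manager`` throws an exception it safely returns False.

    For example::

        {% if request.user|is_workgroup_manager:workgroup %}
            {{ something }}
        {% endif %}
    """
    try:
        return perms.user_is_workgroup_manager(user, workgroup)
    except Exception:
        # Fail closed: any error during the check counts as "not a manager".
        # ``Exception`` rather than a bare ``except`` so KeyboardInterrupt
        # and SystemExit are not turned into a silent denial.
        return False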
def test_is_workgroup_manager(self):
    """``self.su`` counts as manager both without and with a workgroup."""
    is_manager = perms.user_is_workgroup_manager
    self.assertTrue(is_manager(self.su, None))

    # A workgroup the user was never added to must give the same answer.
    fresh_wg = models.Workgroup.objects.create(name="Test WG")
    self.assertTrue(is_manager(self.su, fresh_wg))
def has_perm(self, user_obj, perm, obj=None):
    """Decide whether ``user_obj`` holds ``perm``, optionally for ``obj``.

    Inactive users are always refused and superusers always allowed.
    Otherwise ``perm`` (``"app_label.perm_name"``) is resolved in order by:
    a same-named callable on ``perms`` for the ``aristotle_mdr`` app, the
    generic delete/create/add rule for ``_concept`` subclasses, the
    explicit per-permission checks below, and finally the parent backend.
    """
    # Hard gates that apply before any permission-specific logic.
    if not user_obj.is_active:
        return False
    if user_obj.is_superuser:
        return True

    app_label, perm_name = perm.split('.', 1)
    extensions = fetch_aristotle_settings().get('CONTENT_EXTENSIONS', [])

    # Dynamic dispatch: ANY attribute of ``perms`` named ``perm_name`` is
    # called with (user_obj, obj), not only dedicated permission checks.
    # NOTE(review): presumably ``perm`` always comes from code, never from
    # request data - confirm, since the name selects the callable.
    if app_label == "aristotle_mdr" and hasattr(perms, perm_name):
        return getattr(perms, perm_name)(user_obj, obj)

    from django.apps import apps
    from aristotle_mdr.models import _concept

    # Work out which model the permission refers to: "<action>_<model>"
    # names are looked up in the app registry, otherwise the type of
    # ``obj`` is used.
    perm_parts = perm_name.split("_")
    if len(perm_parts) == 2:
        model = apps.get_model(app_label, perm_parts[1])
    elif obj is not None:
        model = type(obj)
    else:
        # Placeholder class so the issubclass() test below is simply False.
        model = int

    if app_label in extensions + ["aristotle_mdr"] and issubclass(model, _concept):
        # This is required so that a user can correctly delete the 'concept' parent class in the admin site.
        # This is a rough catch all, and is designed to indicate a user could
        # delete an item type, but not a specific item.
        if (
            perm_name.startswith('delete_') or
            perm_name.startswith('create_') or
            perm_name.startswith('add_')
        ):
            if obj is None:
                return perms.user_is_editor(user_obj)
            else:
                return perms.user_can_edit(user_obj, obj)

    if app_label in extensions + ["aristotle_mdr"]:
        if perm_name == "delete_concept_from_admin":
            return obj is None or perms.user_can_edit(user_obj, obj)

    if perm == "aristotle_mdr.can_create_metadata":
        return perms.user_is_editor(user_obj)

    # Workgroup permissions: membership grants view/leave/discussion
    # rights, manager status grants the change/archive rights.
    if perm == "aristotle_mdr.view_workgroup":
        return perms.user_in_workgroup(user_obj, obj)
    if perm == "aristotle_mdr.can_leave_workgroup":
        return perms.user_in_workgroup(user_obj, obj)
    if perm == "aristotle_mdr.change_workgroup_memberships":
        return perms.user_is_workgroup_manager(user_obj, obj)
    if perm == "aristotle_mdr.change_workgroup":
        return perms.user_is_workgroup_manager(user_obj, obj)
    if perm == "aristotle_mdr.can_archive_workgroup":
        return perms.user_is_workgroup_manager(user_obj, obj)
    if perm == "aristotle_mdr.can_view_discussions_in_workgroup":
        return perms.user_in_workgroup(user_obj, obj)
    if perm == "aristotle_mdr.can_post_discussion_in_workgroup":
        return perms.user_in_workgroup(user_obj, obj)
    if perm == "aristotle_mdr.can_view_discussion_post":
        # NOTE(review): dereferences obj.workgroup, so this branch raises
        # AttributeError when called with obj=None.
        return perms.user_in_workgroup(user_obj, obj.workgroup)

    # Registration authority permissions.
    if perm == "aristotle_mdr.view_registrationauthority_details":
        return (
            perms.user_is_registation_authority_manager(user_obj, obj) or
            perms.user_is_registrar(user_obj, obj)
        )
    if perm == "aristotle_mdr.change_registrationauthority":
        return perms.user_is_registation_authority_manager(user_obj, obj)
    if perm == "aristotle_mdr.change_registrationauthority_memberships":
        return perms.user_is_registation_authority_manager(user_obj, obj)

    from aristotle_mdr.contrib.links import perms as link_perms
    if perm == "aristotle_mdr_links.add_link":
        return link_perms.user_can_make_link(user_obj)

    # Nothing above matched: defer to the parent backend.
    return super().has_perm(user_obj, perm, obj)
def test_is_workgroup_manager(self):
    """``self.su`` is reported as a manager even when no workgroup is given."""
    result = perms.user_is_workgroup_manager(self.su, None)
    self.assertTrue(result)
def has_perm(self, user_obj, perm, obj=None):
    """Decide whether ``user_obj`` holds ``perm``, optionally for ``obj``.

    Inactive users are always refused and superusers always allowed.
    Otherwise ``perm`` (``"app_label.perm_name"``) is resolved in order by:
    a same-named callable on ``perms`` for the ``aristotle_mdr`` app, the
    generic delete/create/add rule for ``_concept`` subclasses, the
    explicit per-permission checks below, and finally the parent backend.
    """
    # Hard gates that apply before any permission-specific logic.
    if not user_obj.is_active:
        return False
    if user_obj.is_superuser:
        return True

    app_label, perm_name = perm.split('.', 1)
    extensions = fetch_aristotle_settings().get('CONTENT_EXTENSIONS', [])

    # Dynamic dispatch: ANY attribute of ``perms`` named ``perm_name`` is
    # called with (user_obj, obj), not only dedicated permission checks.
    # NOTE(review): presumably ``perm`` always comes from code, never from
    # request data - confirm, since the name selects the callable.
    if app_label == "aristotle_mdr" and hasattr(perms, perm_name):
        return getattr(perms, perm_name)(user_obj, obj)

    from django.apps import apps
    from aristotle_mdr.models import _concept

    # Only "<action>_<model>" names are mapped to a model; ``obj`` is not
    # consulted here.
    perm_parts = perm_name.split("_")
    if len(perm_parts) == 2:
        model = apps.get_model(app_label, perm_parts[1])
    else:
        # Placeholder class so the issubclass() test below is simply False.
        model = int

    if app_label in extensions + ["aristotle_mdr"] and issubclass(
            model, _concept):
        # This is required so that a user can correctly delete the 'concept' parent class in the admin site.
        # This is a rough catch all, and is designed to indicate a user could
        # delete an item type, but not a specific item.
        if (perm_name.startswith('delete_')
                or perm_name.startswith('create_')
                or perm_name.startswith('add_')):
            if obj is None:
                return perms.user_is_editor(user_obj)
            else:
                return perms.user_can_edit(user_obj, obj)

    if app_label in extensions + ["aristotle_mdr"]:
        if perm_name == "delete_concept_from_admin":
            return obj is None or perms.user_can_edit(user_obj, obj)

    if perm == "aristotle_mdr.can_create_metadata":
        return perms.user_is_editor(user_obj)

    # Workgroup permissions: membership grants view/leave/discussion
    # rights, manager status grants the change/archive rights.
    if perm == "aristotle_mdr.view_workgroup":
        return perms.user_in_workgroup(user_obj, obj)
    if perm == "aristotle_mdr.can_leave_workgroup":
        return perms.user_in_workgroup(user_obj, obj)
    if perm == "aristotle_mdr.change_workgroup_memberships":
        return perms.user_is_workgroup_manager(user_obj, obj)
    if perm == "aristotle_mdr.change_workgroup":
        return perms.user_is_workgroup_manager(user_obj, obj)
    if perm == "aristotle_mdr.can_archive_workgroup":
        return perms.user_is_workgroup_manager(user_obj, obj)
    if perm == "aristotle_mdr.can_view_discussions_in_workgroup":
        return perms.user_in_workgroup(user_obj, obj)
    if perm == "aristotle_mdr.can_post_discussion_in_workgroup":
        return perms.user_in_workgroup(user_obj, obj)
    if perm == "aristotle_mdr.can_view_discussion_post":
        # NOTE(review): dereferences obj.workgroup, so this branch raises
        # AttributeError when called with obj=None.
        return perms.user_in_workgroup(user_obj, obj.workgroup)

    # Registration authority permissions.
    if perm == "aristotle_mdr.view_registrationauthority_details":
        return (perms.user_is_registation_authority_manager(user_obj, obj)
                or perms.user_is_registrar(user_obj, obj))
    if perm == "aristotle_mdr.change_registrationauthority":
        return perms.user_is_registation_authority_manager(user_obj, obj)
    if perm == "aristotle_mdr.change_registrationauthority_memberships":
        return perms.user_is_registation_authority_manager(user_obj, obj)

    from aristotle_mdr.contrib.links import perms as link_perms
    if perm == "aristotle_mdr_links.add_link":
        return link_perms.user_can_make_link(user_obj)

    # Nothing above matched: defer to the parent backend.
    return super(AristotleBackend, self).has_perm(user_obj, perm, obj)
def is_workgroup_manager(self, wg=None):
    """Return whether ``self.user`` manages ``wg``.

    Delegates to ``perms.user_is_workgroup_manager``; ``wg`` defaults to
    ``None``.
    """
    current_user = self.user
    return perms.user_is_workgroup_manager(current_user, wg)
def is_workgroup_manager(self, wg):
    """Return whether ``self.user`` manages the workgroup ``wg``."""
    manages = perms.user_is_workgroup_manager(self.user, wg)
    return manages
def test_is_workgroup_manager(self):
    """``self.su`` is a manager of a workgroup they were never added to."""
    workgroup_fields = {
        "name": "Test WG",
        "stewardship_organisation": self.steward_org_1,
    }
    new_wg = models.Workgroup.objects.create(**workgroup_fields)
    self.assertTrue(perms.user_is_workgroup_manager(self.su, new_wg))
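def members(request, iid):
    """Show the member list of workgroup ``iid`` to one of its members.

    Users outside the workgroup get ``PermissionDenied``.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)

    # Authorise first: the manager lookup for the context should not run
    # for a caller who is about to be refused.
    if not user_in_workgroup(request.user, wg):
        raise PermissionDenied

    renderDict = {"item": wg, "workgroup": wg, "user_is_admin": user_is_workgroup_manager(request.user, wg)}
    return render(request, "aristotle_mdr/workgroupMembers.html", renderDict)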