def location_restricted_response(request):
    """Deny a request that hit a location-restricted page.

    Records the denial via ``notify_exception`` so that frequent hits can be
    spotted, then renders the standard "no permissions" page with the
    ``LOCATION_ACCESS_DENIED`` message.
    """
    from corehq.apps.hqwebapp.views import no_permissions

    reason = (
        "Someone was just denied access to a page due to location-based "
        "access restrictions. If this happens a lot, we should investigate."
    )
    notify_exception(request, reason)
    denial = no_permissions(request, message=LOCATION_ACCESS_DENIED)
    return denial
def default(request, domain):
    """Send the locations landing URL to the first page this user may edit.

    Users who can edit locations land on the locations list; users who can
    only edit location types land on the location types page; everyone else
    gets the "no permissions" page.
    """
    couch_user = request.couch_user
    if couch_user.can_edit_locations():
        target = reverse(LocationsListView.urlname, args=[domain])
    elif user_can_edit_location_types(couch_user, domain):
        target = reverse(LocationTypesView.urlname, args=[domain])
    else:
        return no_permissions(request)
    return HttpResponseRedirect(target)
def process_view(self, request, view_fn, view_args, view_kwargs):
    """Enforce location-based access for the view about to run.

    ``apply_location_access`` is expected to set
    ``request.can_access_all_locations``; when it is False the request is
    only allowed through if the view is marked location-safe and the user
    is assigned to a location. Returns ``None`` to let the request proceed,
    otherwise a denial response.
    """
    couch_user = getattr(request, 'couch_user', None)
    domain_name = getattr(request, 'domain', None)
    self.apply_location_access(request)

    if request.can_access_all_locations:
        return None
    if not is_location_safe(view_fn, request, view_args, view_kwargs):
        return location_restricted_response(request)
    # A restricted user with no assigned location has nothing they may see.
    if not couch_user.get_sql_location(domain_name):
        return no_permissions(request, message=RESTRICTED_USER_UNASSIGNED_MSG)
    return None
def process_view(self, request, view_fn, view_args, view_kwargs):
    """Enforce location-based access for the view about to run.

    ``apply_location_access`` is expected to set
    ``request.can_access_all_locations``; when it is False the request is
    only allowed through if the view is marked location-safe and the user
    is assigned to a location. Returns ``None`` to let the request proceed,
    otherwise a denial response.
    """
    couch_user = getattr(request, 'couch_user', None)
    domain_name = getattr(request, 'domain', None)
    self.apply_location_access(request)

    if request.can_access_all_locations:
        return None
    if not is_location_safe(view_fn, request, view_args, view_kwargs):
        return location_restricted_response(request)
    # A restricted user with no assigned location has nothing they may see.
    if not couch_user.get_sql_location(domain_name):
        return no_permissions(request, message=RESTRICTED_USER_UNASSIGNED_MSG)
    return None
def _inner(req, domain, *args, **kwargs):
    """Gate ``view_func`` (from the enclosing decorator) on domain access.

    Resolves the domain, then walks the access checks in a fixed order:
    unknown domain -> 404; anonymous/inactive user -> login redirect (unless
    the path is a public custom report); inactive domain -> inactive
    response; snapshot domain -> previewers only; then member / superuser /
    domain-request handling. The order of checks is load-bearing: later
    branches assume the earlier ones have already passed.
    """
    user = req.user
    domain_name, domain_obj = load_domain(req, domain)

    def call_view():
        return view_func(req, domain_name, *args, **kwargs)

    if not domain_obj:
        msg = _('The domain "{domain}" was not found.').format(domain=domain_name)
        raise Http404(msg)

    if not (user.is_authenticated and user.is_active):
        # Public custom reports are served without login; everything else
        # bounces to this domain's login page.
        if _is_public_custom_report(req.path, domain_name):
            return call_view()
        else:
            login_url = reverse('domain_login', kwargs={'domain': domain_name})
            return redirect_for_login_or_domain(req, login_url=login_url)

    couch_user = _ensure_request_couch_user(req)
    if not domain_obj.is_active:
        return _inactive_domain_response(req, domain_name)
    if domain_obj.is_snapshot:
        # Snapshots are visible to previewers only; others get a plain 404.
        if not hasattr(req, 'couch_user') or not req.couch_user.is_previewer():
            raise Http404()
        return call_view()

    if couch_user.is_member_of(domain_obj, allow_mirroring=True):
        if _is_missing_two_factor(view_func, req):
            return TemplateResponse(request=req, template='two_factor/core/otp_required.html', status=403)
        elif not _can_access_project_page(req):
            return _redirect_to_project_access_upgrade(req)
        elif (ENTERPRISE_SSO.enabled_for_request(req)
              # safety check. next line was not formally QA'd yet
              and is_request_blocked_from_viewing_domain_due_to_sso(req, domain_obj)):
            # Important! Make sure this is always the final check prior
            # to returning call_view() below
            return render_untrusted_identity_provider_for_domain_view(req, domain_obj)
        else:
            return call_view()
    elif user.is_superuser:
        # Reached only for superusers who are NOT members of the domain.
        # NOTE(review): this branch does not run _is_missing_two_factor,
        # unlike the member branch above -- confirm superusers are held to
        # a 2FA requirement elsewhere.
        if domain_obj.restrict_superusers and not _page_is_whitelisted(req.path, domain_obj.name):
            from corehq.apps.hqwebapp.views import no_permissions
            msg = "This project space restricts superuser access. You must request an invite to access it."
            return no_permissions(req, message=msg)
        if not _can_access_project_page(req):
            return _redirect_to_project_access_upgrade(req)
        if (ENTERPRISE_SSO.enabled_for_request(req)
                # safety check. next line was not formally QA'd yet
                and is_request_using_sso(req)):
            # We will not support SSO for superusers at this time
            return HttpResponseForbidden(
                "SSO support is not currently available for superusers."
            )
        return call_view()
    elif couch_user.is_web_user() and domain_obj.allow_domain_requests:
        # Non-members may ask to join when the domain permits requests.
        from corehq.apps.users.views.web import DomainRequestView
        return DomainRequestView.as_view()(req, *args, **kwargs)
    else:
        raise Http404
def _inner(req, domain, *args, **kwargs):
    """Gate ``view_func`` (from the enclosing decorator) on domain access.

    Resolves the domain, then walks the access checks in a fixed order:
    unknown domain -> 404; anonymous/inactive user -> login redirect (unless
    the path is a public custom report); inactive domain -> inactive
    response; snapshot domain -> previewers only; then member / superuser /
    domain-request handling. The order of checks is load-bearing: later
    branches assume the earlier ones have already passed.
    """
    user = req.user
    domain_name, domain_obj = load_domain(req, domain)

    def call_view():
        return view_func(req, domain_name, *args, **kwargs)

    if not domain_obj:
        msg = _('The domain "{domain}" was not found.').format(
            domain=domain_name)
        raise Http404(msg)

    if not (user.is_authenticated and user.is_active):
        # Public custom reports are served without login; everything else
        # bounces to this domain's login page.
        if _is_public_custom_report(req.path, domain_name):
            return call_view()
        else:
            login_url = reverse('domain_login', kwargs={'domain': domain_name})
            return redirect_for_login_or_domain(req, login_url=login_url)

    couch_user = _ensure_request_couch_user(req)
    if not domain_obj.is_active:
        return _inactive_domain_response(req, domain_name)
    if domain_obj.is_snapshot:
        # Snapshots are visible to previewers only; others get a plain 404.
        if not hasattr(req, 'couch_user') or not req.couch_user.is_previewer():
            raise Http404()
        return call_view()

    if couch_user.is_member_of(domain_obj, allow_mirroring=True):
        if _is_missing_two_factor(view_func, req):
            return TemplateResponse(
                request=req,
                template='two_factor/core/otp_required.html',
                status=403)
        elif not _can_access_project_page(req):
            return _redirect_to_project_access_upgrade(req)
        else:
            return call_view()
    elif user.is_superuser:
        # Reached only for superusers who are NOT members of the domain.
        # NOTE(review): this branch does not run _is_missing_two_factor,
        # unlike the member branch above -- confirm superusers are held to
        # a 2FA requirement elsewhere.
        if domain_obj.restrict_superusers and not _page_is_whitelisted(
                req.path, domain_obj.name):
            from corehq.apps.hqwebapp.views import no_permissions
            msg = "This project space restricts superuser access. You must request an invite to access it."
            return no_permissions(req, message=msg)
        if not _can_access_project_page(req):
            return _redirect_to_project_access_upgrade(req)
        return call_view()
    elif couch_user.is_web_user() and domain_obj.allow_domain_requests:
        # Non-members may ask to join when the domain permits requests.
        from corehq.apps.users.views import DomainRequestView
        return DomainRequestView.as_view()(req, *args, **kwargs)
    else:
        raise Http404
def location_export(request, domain):
    """Queue an asynchronous export of the domain's locations.

    ``download_type=empty`` asks for a headers-only template, which carries no
    location data and is therefore open to any user; a full export is limited
    to users who can access all locations. Requires at least one location
    type to exist, then redirects to the download status page.
    """
    wants_headers_only = request.GET.get('download_type', 'full') == 'empty'
    if not (wants_headers_only or request.can_access_all_locations):
        return no_permissions(request)

    if not LocationType.objects.filter(domain=domain).exists():
        messages.error(request, _("You need to define organization levels before "
                                  "you can do a bulk import or export."))
        return HttpResponseRedirect(reverse(LocationsListView.urlname, args=[domain]))

    with_consumption = request.GET.get('include_consumption') == 'true'
    download = DownloadBase()
    task = download_locations_async.delay(
        domain, download.download_id, with_consumption, wants_headers_only)
    download.set_task(task)
    return redirect(DownloadLocationStatusView.urlname, domain, download.download_id)
def process_view(self, request, view_fn, view_args, view_kwargs):
    """Decide whether this request is restricted to a subset of locations.

    Sets ``request.can_access_all_locations``. Requests with no domain, no
    couch user, or a user who is not a member of the domain are treated as
    unrestricted and left to the normal auth layer. Users holding the
    ``access_all_locations`` permission are unrestricted too. Anyone else is
    restricted: the view must be location-safe and the user must have an
    assigned location, otherwise a denial response is returned. Returns
    ``None`` to let the request continue.
    """
    couch_user = getattr(request, 'couch_user', None)
    domain_name = getattr(request, 'domain', None)

    outside_domain = not domain_name or not couch_user or not couch_user.is_member_of(domain_name)
    if outside_domain:
        # Probably a non-domain page or a test; normal auth handles it.
        request.can_access_all_locations = True
        return None
    if couch_user.has_permission(domain_name, 'access_all_locations'):
        request.can_access_all_locations = True
        return None

    request.can_access_all_locations = False
    if not is_location_safe(view_fn, view_args, view_kwargs):
        return location_restricted_response(request)
    # A restricted user with no assigned location has nothing they may see.
    if not couch_user.get_sql_location(domain_name):
        return no_permissions(request, message=RESTRICTED_USER_UNASSIGNED_MSG)
    return None
def location_restricted_response(request):
    """Deny a request that hit a location-restricted page.

    Records the denial via ``notify_exception`` with ``NOTIFY_EXCEPTION_MSG``
    and renders the "no permissions" page with ``LOCATION_ACCESS_DENIED``.
    """
    from corehq.apps.hqwebapp.views import no_permissions

    notify_exception(request, NOTIFY_EXCEPTION_MSG)
    denial = no_permissions(request, message=LOCATION_ACCESS_DENIED)
    return denial
def dispatch(self, *args, **kwargs):
    """Refuse non-web users who have no ministry set; otherwise dispatch normally.

    Web users are never blocked here; other users must have a non-empty
    ``user_ministry`` to reach the dashboard.
    """
    if not self.couch_user.is_web_user():
        ministry = self.user_ministry
        if ministry is None or ministry == '':
            return no_permissions(self.request)
    return super(ReachDashboardView, self).dispatch(*args, **kwargs)
def default(request, domain):
    """Send the locations landing URL to the first page this user may edit.

    Users who can edit locations land on the locations list; users who can
    only edit location types land on the location types page; everyone else
    gets the "no permissions" page.
    """
    couch_user = request.couch_user
    if couch_user.can_edit_locations():
        target = reverse(LocationsListView.urlname, args=[domain])
    elif user_can_edit_location_types(couch_user, domain):
        target = reverse(LocationTypesView.urlname, args=[domain])
    else:
        return no_permissions(request)
    return HttpResponseRedirect(target)
def location_restricted_response(request):
    """Render the "no permissions" page for a location-restricted denial.

    The page carries the ``LOCATION_ACCESS_DENIED`` message; nothing is logged.
    """
    from corehq.apps.hqwebapp.views import no_permissions

    denial = no_permissions(request, message=LOCATION_ACCESS_DENIED)
    return denial
def _inner(request, domain, *args, **kwargs):
    """Run ``view_func`` (from the enclosing decorator) unless the domain is ICDS-CAS.

    ICDS-CAS projects get the "no permissions" page with
    ``DATA_INTERFACE_ACCESS_DENIED`` instead of the wrapped view.
    """
    if not is_icds_cas_project(domain):
        return view_func(request, domain, *args, **kwargs)
    return no_permissions(request, message=DATA_INTERFACE_ACCESS_DENIED)
def dispatch(self, *args, **kwargs):
    """Refuse non-web users who have no ministry set; otherwise dispatch normally.

    Web users are never blocked here; other users must have a non-empty
    ``user_ministry`` to reach the dashboard.
    """
    if not self.couch_user.is_web_user():
        ministry = self.user_ministry
        if ministry is None or ministry == '':
            return no_permissions(self.request)
    return super(ReachDashboardView, self).dispatch(*args, **kwargs)
def location_restricted_response(request):
    """Deny a request that hit a location-restricted page.

    Records the denial via ``notify_exception`` with ``NOTIFY_EXCEPTION_MSG``
    and renders the "no permissions" page with ``LOCATION_ACCESS_DENIED``.
    """
    from corehq.apps.hqwebapp.views import no_permissions

    notify_exception(request, NOTIFY_EXCEPTION_MSG)
    denial = no_permissions(request, message=LOCATION_ACCESS_DENIED)
    return denial
def location_restricted_response(request):
    """Deny a request that hit a location-restricted page.

    Records the denial via ``notify_exception`` so that frequent hits can be
    spotted, then renders the standard "no permissions" page with the
    ``LOCATION_ACCESS_DENIED`` message.
    """
    from corehq.apps.hqwebapp.views import no_permissions

    reason = (
        "Someone was just denied access to a page due to location-based "
        "access restrictions. If this happens a lot, we should investigate."
    )
    notify_exception(request, reason)
    denial = no_permissions(request, message=LOCATION_ACCESS_DENIED)
    return denial