Exemplo n.º 1
0
 def and_permission(self, account, membership):
     folder = self.get_permission_object()
     self.object = folder
     target = get_object_or_404(self.get_queryset(),
                                slug=self.request.POST.get('target_slug'))
     return not folder.protected and target.can_add_folders and has_object_permission(
         membership, target, PERMISSIONS.add)
Exemplo n.º 2
0
    def build_children(self, node, activate_slug):
        children = node.children.filter(protected=False)
        membership = self.request.user.get_membership(
            get_current_account(self.request))
        # QUESTION: What is common import name for ugettext (__ here)? BTW, should I use u')' to keep it Unicode?
        result = []
        for child in children:
            is_requested_node = child.slug == activate_slug
            is_selectable = has_object_permission(membership, child,
                                                  PERMISSIONS.add)
            if is_selectable:
                result.append({
                    'id':
                    child.slug,
                    'text':
                    text_type(child.name) +
                    (' ' + _('(current)') if is_requested_node else ''),
                    'icon':
                    'fa fa-folder-o folder-icon'
                    if is_requested_node else 'fa fa-folder folder-icon',
                    'children':
                    not child.is_leaf_node(),
                })

        return result
def has_permission(context, model, permission, obj=None):
    """
    :param model: 'app_label.model'
    """
    membership = context['current_membership']
    return (shortcuts.has_role_permission(membership, model, permission)
            or shortcuts.has_object_permission(membership, obj, permission))
Exemplo n.º 4
0
 def _find_document_and_check_can_view(self, pk):
     # No filtering by folder here as any document id, for current account is alright
     document = self.get_queryset().get(pk=int(pk))
     if not has_object_permission(self.get_current_membership(), document,
                                  PERMISSIONS.view):
         raise PermissionDenied()
     return document
Exemplo n.º 5
0
 def and_permission(self, account, membership):
     target = get_object_or_404(Folder,
                                account=account,
                                slug=self.request.POST.get('target_slug'))
     self.target = target
     return target.can_add_files and has_object_permission(
         membership, target, PERMISSIONS.add)
Exemplo n.º 6
0
    def check_permissions(self, request):
        super(RestPermissionMixin, self).check_permissions(request)

        # Manual handling of @login_required to return proper response for API usage (not a redirect)
        if not request.user.is_authenticated:
            self.permission_denied(request)

        account = get_current_account_for_url(request, self.kwargs['url'])
        membership = request.user.get_membership(account)

        if hasattr(self,
                   'get_model_permission'):  # Support dynamic permissions
            model, permission = self.get_model_permission(request)
        else:
            model, permission = self.permission

        obj = self.get_permission_object()
        if (self.and_permission(account, membership)
                and ((has_role_permission(membership, model, permission)
                      or has_object_permission(membership, obj, permission))
                     or self.or_permission(account, membership))):
            return

        # Soft land folder urls to root folder instead of 403
        if 'folders/' in request.path:
            self.permission_denied(request, "No access to this folder")
Exemplo n.º 7
0
 def and_permission(self, account, membership):
     document = get_object_or_404(self.get_queryset(),
                                  id=self.kwargs['document_id'])
     self.document = document
     if document.folder and document.folder.special_field and document.account == get_current_account(
             self.request):
         return True
     if not document.downloadable:
         return False
     return has_object_permission(membership, document, PERMISSIONS.view)
Exemplo n.º 8
0
 def and_permission(self, account, membership):
     # View only explicitly allowed folders (usually RolePermission view means can view all)
     try:
         return self.action in ['list', 'create', 'lookup'
                                ] or has_object_permission(
                                    membership, self.get_object(),
                                    PERMISSIONS.view)
     except Http404:
         return True  # Ok.. you've got access to nothing.
     except:
         return False
Exemplo n.º 9
0
 def dispatch(self, request, *args, **kwargs):
     account = get_current_account(request)
     membership = request.user.get_membership(account)
     model, permission = self.permission
     obj = self.get_permission_object()
     if (self.and_permission(account, membership)
             and ((has_role_permission(membership, model, permission)
                   or has_object_permission(membership, obj, permission))
                  or self.or_permission(account, membership))):
         return super(PermissionMixin,
                      self).dispatch(request, *args, **kwargs)
     # Soft land folder urls to root folder instead of 403
     if 'folders/' in request.path:
         return redirect('folders:rootfolder_detail', url=account.url)
     raise PermissionDenied()
Exemplo n.º 10
0
 def and_permission(self, account, membership):
     # View only explicitly allowed folders (usually RolePermission view means can view all)
     return has_object_permission(membership, self.get_object(),
                                  PERMISSIONS.view)
Exemplo n.º 11
0
 def and_permission(self, account, membership):
     document = get_object_or_404(self.get_queryset(), id=self.kwargs['document_id'])
     self.document = document
     return has_object_permission(membership, document, PERMISSIONS.view)