def test_groups_perms(self):
group1 = Group.objects.create(name="group1")
group2 = Group.objects.create(name="group2")
group3 = Group.objects.create(name="group3")
groups = [group1, group2, group3]
for group in groups:
self.user.groups.add(group)
# Objects to operate on
ctypes = list(ContentType.objects.all().order_by("id"))
assign_perm("auth.change_group", self.user)
assign_perm("change_contenttype", self.user, ctypes[0])
assign_perm("change_contenttype", self.user, ctypes[1])
assign_perm("delete_contenttype", self.user, ctypes[1])
assign_perm("delete_contenttype", self.user, ctypes[2])
assign_perm("change_contenttype", groups[0], ctypes[3])
assign_perm("change_contenttype", groups[1], ctypes[3])
assign_perm("change_contenttype", groups[2], ctypes[4])
assign_perm("delete_contenttype", groups[0], ctypes[0])
objects = get_objects_for_user(self.user, ["contenttypes.change_contenttype"])
self.assertEqual(set(objects.values_list("id", flat=True)), set(ctypes[i].id for i in [0, 1, 3, 4]))
objects = get_objects_for_user(
self.user, ["contenttypes.change_contenttype", "contenttypes.delete_contenttype"]
)
self.assertEqual(set(objects.values_list("id", flat=True)), set(ctypes[i].id for i in [0, 1]))
objects = get_objects_for_user(self.user, ["contenttypes.change_contenttype"])
self.assertEqual(set(objects.values_list("id", flat=True)), set(ctypes[i].id for i in [0, 1, 3, 4]))
def test_anonymous(self):
self.user = AnonymousUser()
ctypes = ContentType.objects.all()
objects = get_objects_for_user(self.user, ["contenttypes.change_contenttype"], ctypes)
obj1 = ContentType.objects.create(model="foo", app_label="guardian-tests")
assign_perm("change_contenttype", self.user, obj1)
objects = get_objects_for_user(self.user, ["contenttypes.change_contenttype"], ctypes)
self.assertEqual(set([obj1]), set(objects))
def test_anonymous(self):
ctypes = ContentType.objects.all()
objects = get_objects_for_user(self.contributor,
['contenttypes.change_contenttype'], ctypes)
obj1 = ContentType.objects.create(
model='foo', app_label='guardian-tests')
assign_perm('change_contenttype', self.contributor, obj1)
objects = get_objects_for_user(self.contributor,
['contenttypes.change_contenttype'], ctypes)
self.assertEqual(set([obj1]), set(objects))
def test_object_based_permission_with_groups_3perms(self):
group_names = ['group1', 'group2', 'group3']
groups = [Group.objects.create(name=name) for name in group_names]
for group in groups:
self.contributor.groups.add(group)
# Objects to operate on
ctypes = list(ContentType.objects.all().order_by('id'))
assign_perm('contenttypes.change_contenttype', self.contributor)
assign_perm('change_contenttype', self.contributor, ctypes[0])
assign_perm('change_contenttype', self.contributor, ctypes[1])
assign_perm('delete_contenttype', self.contributor, ctypes[1])
assign_perm('delete_contenttype', self.contributor, ctypes[2])
# add_contenttype does not make sense, here just for testing purposes,
# to also cover one if branch in function.
assign_perm('add_contenttype', self.contributor, ctypes[1])
assign_perm('change_contenttype', groups[0], ctypes[3])
assign_perm('change_contenttype', groups[1], ctypes[3])
assign_perm('change_contenttype', groups[2], ctypes[4])
assign_perm('delete_contenttype', groups[0], ctypes[0])
assign_perm('add_contenttype', groups[0], ctypes[0])
objects = get_objects_for_user(
self.contributor, ['contenttypes.change_contenttype', 'contenttypes.delete_contenttype',
'contenttypes.add_contenttype'],
accept_global_perms=True)
self.assertEqual(
set(objects.values_list('id', flat=True)),
set([ctypes[0].id, ctypes[1].id]))
def test_object_based_permission_with_groups_3perms(self):
group_names = ["group1", "group2", "group3"]
groups = [Group.objects.create(name=name) for name in group_names]
for group in groups:
self.user.groups.add(group)
# Objects to operate on
ctypes = list(ContentType.objects.all().order_by("id"))
assign_perm("contenttypes.change_contenttype", self.user)
assign_perm("change_contenttype", self.user, ctypes[0])
assign_perm("change_contenttype", self.user, ctypes[1])
assign_perm("delete_contenttype", self.user, ctypes[1])
assign_perm("delete_contenttype", self.user, ctypes[2])
# add_contenttype does not make sense, here just for testing purposes,
# to also cover one if branch in function.
assign_perm("add_contenttype", self.user, ctypes[1])
assign_perm("change_contenttype", groups[0], ctypes[3])
assign_perm("change_contenttype", groups[1], ctypes[3])
assign_perm("change_contenttype", groups[2], ctypes[4])
assign_perm("delete_contenttype", groups[0], ctypes[0])
assign_perm("add_contenttype", groups[0], ctypes[0])
objects = get_objects_for_user(
self.user,
["contenttypes.change_contenttype", "contenttypes.delete_contenttype", "contenttypes.add_contenttype"],
accept_global_perms=True,
)
self.assertEqual(set(objects.values_list("id", flat=True)), set([ctypes[0].id, ctypes[1].id]))
def duplicate(self, contributor=None):
"""Duplicate (make a copy)."""
duplicate = Collection.objects.get(id=self.id)
duplicate.pk = None
duplicate.slug = None
duplicate.name = 'Copy of {}'.format(self.name)
duplicate.duplicated = now()
if contributor:
duplicate.contributor = contributor
duplicate.save(force_insert=True)
assign_contributor_permissions(duplicate)
# Fields to inherit from original data object.
duplicate.created = self.created
duplicate.save()
# Duplicate collection's entities.
entities = get_objects_for_user(contributor, 'view_entity', self.entity_set.all()) # pylint: disable=no-member
duplicated_entities = entities.duplicate(contributor=contributor)
duplicate.entity_set.add(*duplicated_entities)
# Add duplicated data objects to collection.
for duplicated_entity in duplicate.entity_set.all():
duplicate.data.add(*duplicated_entity.data.all())
return duplicate
def test_with_superuser_false(self):
self.user.is_superuser = True
ctypes = ContentType.objects.all()
obj1 = ContentType.objects.create(model="foo", app_label="guardian-tests")
assign_perm("change_contenttype", self.user, obj1)
objects = get_objects_for_user(self.user, ["contenttypes.change_contenttype"], ctypes, with_superuser=False)
self.assertEqual(set([obj1]), set(objects))
def test_with_superuser_false(self):
ctypes = ContentType.objects.all()
obj1 = ContentType.objects.create(
model='foo', app_label='guardian-tests')
assign_perm('change_contenttype', self.admin, obj1)
objects = get_objects_for_user(self.admin,
['contenttypes.change_contenttype'], ctypes, with_superuser=False)
self.assertEqual(set([obj1]), set(objects))
def test_simple(self):
group_names = ["group1", "group2", "group3"]
groups = [Group.objects.create(name=name) for name in group_names]
for group in groups:
assign_perm("change_group", self.user, group)
objects = get_objects_for_user(self.user, ["auth.change_group"])
self.assertEqual(len(objects), len(groups))
self.assertTrue(isinstance(objects, QuerySet))
self.assertEqual(set(objects), set(groups))
def test_any_of_multi_perms(self):
group_names = ["group1", "group2", "group3"]
groups = [Group.objects.create(name=name) for name in group_names]
assign_perm("auth.change_group", self.user, groups[0])
assign_perm("auth.delete_group", self.user, groups[2])
objects = get_objects_for_user(self.user, ["auth.change_group", "auth.delete_group"], any_perm=True)
self.assertEqual(len(objects), 2)
self.assertTrue(isinstance(objects, QuerySet))
self.assertEqual(set(objects.values_list("name", flat=True)), set([groups[0].name, groups[2].name]))
def test_has_any_permissions(self):
# We use groups as objects.
group_names = ["group1", "group2", "group3"]
groups = [Group.objects.create(name=name) for name in group_names]
for group in groups:
assign_perm("change_group", self.user, group)
objects = get_objects_for_user(self.user, [], Group)
self.assertEqual(len(objects), len(groups))
self.assertTrue(isinstance(objects, QuerySet))
self.assertEqual(set(objects), set(groups))
def test_object_based_permission_without_global_permission(self):
group_names = ["group1", "group2", "group3"]
groups = [Group.objects.create(name=name) for name in group_names]
# global permission to delete any group
perm_global = "auth.delete_group"
perm_obj = "auth.delete_group"
assign_perm(perm_global, self.user)
assign_perm(perm_obj, self.user, groups[0])
objects = get_objects_for_user(self.user, [perm_obj], accept_global_perms=False)
remove_perm(perm_global, self.user)
self.assertEqual(set(objects.values_list("name", flat=True)), set([groups[0].name]))
def test_multi_perms_no_groups(self):
group_names = ["group1", "group2", "group3"]
groups = [Group.objects.create(name=name) for name in group_names]
for group in groups:
assign_perm("auth.change_group", self.user, group)
assign_perm("auth.delete_group", self.user, groups[1])
objects = get_objects_for_user(self.user, ["auth.change_group", "auth.delete_group"], use_groups=False)
self.assertEqual(len(objects), 1)
self.assertTrue(isinstance(objects, QuerySet))
self.assertEqual(set(objects.values_list("name", flat=True)), set([groups[1].name]))
def _get_entities(self, user, ids):
"""Return entities queryset based on provided entity ids."""
queryset = get_objects_for_user(user, 'view_entity', Entity.objects.filter(id__in=ids))
actual_ids = queryset.values_list('id', flat=True)
missing_ids = list(set(ids) - set(actual_ids))
if missing_ids:
raise exceptions.ParseError(
"Entities with the following ids not found: {}" .format(', '.join(map(str, missing_ids)))
)
return queryset
def test_has_global_permission_and_object_based_permission(self):
group_names = ['group1', 'group2', 'group3']
groups = [Group.objects.create(name=name) for name in group_names]
# global permission to change any group
perm_global = 'auth.change_group'
perm_obj = 'delete_group'
assign_perm(perm_global, self.contributor)
assign_perm(perm_obj, self.contributor, groups[0])
objects = get_objects_for_user(self.contributor, [perm_global, perm_obj])
remove_perm(perm_global, self.contributor)
self.assertEqual(set(objects.values_list('name', flat=True)),
set([groups[0].name]))
def test_simple(self):
group_names = ['group1', 'group2', 'group3']
groups = [Group.objects.create(name=name) for name in group_names]
for group in groups:
assign_perm('change_group', self.contributor, group)
objects = get_objects_for_user(self.contributor, ['auth.change_group'])
self.assertEqual(len(objects), len(groups))
self.assertTrue(isinstance(objects, QuerySet))
self.assertEqual(
set(objects),
set(groups))
def test_has_global_permission_and_object_based_permission_any_perm(self):
group_names = ["group1", "group2", "group3"]
groups = [Group.objects.create(name=name) for name in group_names]
# global permission to change any group
perm_global = "auth.change_group"
# object based permission to change only a specific group
perm_obj = "auth.delete_group"
assign_perm(perm_global, self.user)
assign_perm(perm_obj, self.user, groups[0])
objects = get_objects_for_user(self.user, [perm_global, perm_obj], any_perm=True, accept_global_perms=True)
remove_perm(perm_global, self.user)
self.assertEqual(set(objects), set(Group.objects.all()))
def test_has_global_permission_only(self):
group_names = ["group1", "group2", "group3"]
for name in group_names:
Group.objects.create(name=name)
# global permission to change any group
perm = "auth.change_group"
assign_perm(perm, self.user)
objects = get_objects_for_user(self.user, perm)
remove_perm(perm, self.user)
self.assertEqual(set(objects), set(Group.objects.all()))
def test_any_of_multi_perms(self):
group_names = ['group1', 'group2', 'group3']
groups = [Group.objects.create(name=name) for name in group_names]
assign_perm('auth.change_group', self.contributor, groups[0])
assign_perm('auth.delete_group', self.contributor, groups[2])
objects = get_objects_for_user(self.contributor, ['auth.change_group',
'auth.delete_group'], any_perm=True)
self.assertEqual(len(objects), 2)
self.assertTrue(isinstance(objects, QuerySet))
self.assertEqual(
set(objects.values_list('name', flat=True)),
set([groups[0].name, groups[2].name]))
def test_groups_perms(self):
group1 = Group.objects.create(name='group1')
group2 = Group.objects.create(name='group2')
group3 = Group.objects.create(name='group3')
groups = [group1, group2, group3]
for group in groups:
self.contributor.groups.add(group)
# Objects to operate on
ctypes = list(ContentType.objects.all().order_by('id'))
assign_perm('auth.change_group', self.contributor)
assign_perm('change_contenttype', self.contributor, ctypes[0])
assign_perm('change_contenttype', self.contributor, ctypes[1])
assign_perm('delete_contenttype', self.contributor, ctypes[1])
assign_perm('delete_contenttype', self.contributor, ctypes[2])
assign_perm('change_contenttype', groups[0], ctypes[3])
assign_perm('change_contenttype', groups[1], ctypes[3])
assign_perm('change_contenttype', groups[2], ctypes[4])
assign_perm('delete_contenttype', groups[0], ctypes[0])
objects = get_objects_for_user(self.contributor,
['contenttypes.change_contenttype'])
self.assertEqual(
set(objects.values_list('id', flat=True)),
set(ctypes[i].id for i in [0, 1, 3, 4]))
objects = get_objects_for_user(self.contributor,
['contenttypes.change_contenttype',
'contenttypes.delete_contenttype'])
self.assertEqual(
set(objects.values_list('id', flat=True)),
set(ctypes[i].id for i in [0, 1]))
objects = get_objects_for_user(self.contributor,
['contenttypes.change_contenttype'])
self.assertEqual(
set(objects.values_list('id', flat=True)),
set(ctypes[i].id for i in [0, 1, 3, 4]))
def test_has_global_permission_only(self):
group_names = ['group1', 'group2', 'group3']
for name in group_names:
Group.objects.create(name=name)
# global permission to change any group
perm = 'auth.change_group'
assign_perm(perm, self.contributor)
objects = get_objects_for_user(self.contributor, perm)
remove_perm(perm, self.contributor)
self.assertEqual(set(objects),
set(Group.objects.all()))
def test_multi_perms_no_groups(self):
group_names = ['group1', 'group2', 'group3']
groups = [Group.objects.create(name=name) for name in group_names]
for group in groups:
assign_perm('auth.change_group', self.contributor, group)
assign_perm('auth.delete_group', self.contributor, groups[1])
objects = get_objects_for_user(self.contributor, ['auth.change_group',
'auth.delete_group'], use_groups=False)
self.assertEqual(len(objects), 1)
self.assertTrue(isinstance(objects, QuerySet))
self.assertEqual(
set(objects.values_list('name', flat=True)),
set([groups[1].name]))
def duplicate(self, contributor=None, inherit_collections=False):
"""Duplicate (make a copy)."""
duplicate = Entity.objects.get(id=self.id)
duplicate.pk = None
duplicate.slug = None
duplicate.name = 'Copy of {}'.format(self.name)
duplicate.duplicated = now()
if contributor:
duplicate.contributor = contributor
duplicate.save(force_insert=True)
assign_contributor_permissions(duplicate)
# Override fields that are automatically set on create.
duplicate.created = self.created
duplicate.save()
# Duplicate entity's data objects.
data = get_objects_for_user(contributor, 'view_data', self.data.all()) # pylint: disable=no-member
duplicated_data = data.duplicate(contributor)
duplicate.data.add(*duplicated_data)
if inherit_collections:
collections = get_objects_for_user(
contributor,
'add_collection',
self.collections.all() # pylint: disable=no-member
)
for collection in collections:
collection.entity_set.add(duplicate)
copy_permissions(collection, duplicate)
collection.data.add(*duplicated_data)
for datum in duplicated_data:
copy_permissions(collection, datum)
return duplicate
def filter_queryset(self, request, queryset, view):
"""Filter permissions queryset."""
user = request.user
app_label = queryset.model._meta.app_label # pylint: disable=protected-access
model_name = queryset.model._meta.model_name # pylint: disable=protected-access
kwargs = {}
if model_name == 'storage':
model_name = 'data'
kwargs['perms_filter'] = 'data__pk__in'
permission = '{}.view_{}'.format(app_label, model_name)
return get_objects_for_user(user, permission, queryset, **kwargs)
def duplicate(self, request, *args, **kwargs):
"""Duplicate (make copy of) ``Collection`` models."""
if not request.user.is_authenticated:
raise exceptions.NotFound
ids = self.get_ids(request.data)
queryset = get_objects_for_user(request.user, 'view_collection', Collection.objects.filter(id__in=ids))
actual_ids = queryset.values_list('id', flat=True)
missing_ids = list(set(ids) - set(actual_ids))
if missing_ids:
raise exceptions.ParseError(
"Collections with the following ids not found: {}".format(', '.join(map(str, missing_ids)))
)
duplicated = queryset.duplicate(contributor=request.user)
serializer = self.get_serializer(duplicated, many=True)
return Response(serializer.data)
def perform_get_or_create(self, request, *args, **kwargs):
"""Perform "get_or_create" - return existing object if found."""
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
process = serializer.validated_data.get('process')
process_input = request.data.get('input', {})
fill_with_defaults(process_input, process.input_schema)
checksum = get_data_checksum(process_input, process.slug, process.version)
data_qs = Data.objects.filter(
checksum=checksum,
process__persistence__in=[Process.PERSISTENCE_CACHED, Process.PERSISTENCE_TEMP],
)
data_qs = get_objects_for_user(request.user, 'view_data', data_qs)
if data_qs.exists():
data = data_qs.order_by('created').last()
serializer = self.get_serializer(data)
return Response(serializer.data)
def test_object_based_permission_with_groups_2perms(self):
group_names = ["group1", "group2", "group3"]
groups = [Group.objects.create(name=name) for name in group_names]
for group in groups:
self.user.groups.add(group)
# Objects to operate on
ctypes = list(ContentType.objects.all().order_by("id"))
assign_perm("contenttypes.change_contenttype", self.user)
assign_perm("change_contenttype", self.user, ctypes[0])
assign_perm("change_contenttype", self.user, ctypes[1])
assign_perm("delete_contenttype", self.user, ctypes[1])
assign_perm("delete_contenttype", self.user, ctypes[2])
assign_perm("change_contenttype", groups[0], ctypes[3])
assign_perm("change_contenttype", groups[1], ctypes[3])
assign_perm("change_contenttype", groups[2], ctypes[4])
assign_perm("delete_contenttype", groups[0], ctypes[0])
objects = get_objects_for_user(
self.user, ["contenttypes.change_contenttype", "contenttypes.delete_contenttype"], accept_global_perms=True
)
self.assertEqual(set(objects.values_list("id", flat=True)), set([ctypes[0].id, ctypes[1].id, ctypes[2].id]))
def handle_get_process_requirements(
self, message: Message[int],
manager: "Processor") -> Response[dict]:
"""Return the requirements for the process with the given id."""
process_id = message.message_data
filtered_process = get_objects_for_user(
manager.contributor,
get_full_perm("view", Process),
Process.objects.filter(pk=process_id),
)
process_requirements, process_slug = filtered_process.values_list(
"requirements", "slug").get()
resources = process_requirements.get("resources", {})
# Get limit defaults and overrides.
limit_defaults = getattr(settings, "FLOW_PROCESS_RESOURCE_DEFAULTS",
{})
limit_overrides = getattr(settings, "FLOW_PROCESS_RESOURCE_OVERRIDES",
{})
limits = {}
limits["cores"] = int(resources.get("cores", 1))
max_cores = getattr(settings, "FLOW_PROCESS_MAX_CORES", None)
if max_cores:
limits["cores"] = min(limits["cores"], max_cores)
memory = limit_overrides.get("memory", {}).get(process_slug, None)
if memory is None:
memory = int(
resources.get(
"memory",
# If no memory resource is configured, check settings.
limit_defaults.get("memory", 4096),
))
limits["memory"] = memory
process_requirements["resources"] = limits
return message.respond_ok(process_requirements)
def duplicate(self, contributor=None, inherit_collection=False):
"""Duplicate (make a copy)."""
duplicate = Entity.objects.get(id=self.id)
duplicate.pk = None
duplicate.slug = None
duplicate.name = 'Copy of {}'.format(self.name)
duplicate.duplicated = now()
if contributor:
duplicate.contributor = contributor
duplicate.collection = None
if inherit_collection:
if not contributor.has_perm('add_collection', self.collection):
raise ValidationError(
"You do not have add permission on collection {}.".format(
self.collection))
duplicate.collection = self.collection
duplicate.save(force_insert=True)
assign_contributor_permissions(duplicate)
# Override fields that are automatically set on create.
duplicate.created = self.created
duplicate.save()
# Duplicate entity's data objects.
data = get_objects_for_user(contributor, 'view_data', self.data.all()) # pylint: disable=no-member
duplicated_data = data.duplicate(contributor,
inherit_collection=inherit_collection)
duplicate.data.add(*duplicated_data)
# Permissions
assign_contributor_permissions(duplicate)
copy_permissions(duplicate.collection, duplicate)
return duplicate
def perform_get_or_create(self, request, *args, **kwargs):
"""Perform "get_or_create" - return existing object if found."""
self.define_contributor(request)
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
process = serializer.validated_data.get("process")
process_input = request.data.get("input", {})
fill_with_defaults(process_input, process.input_schema)
checksum = get_data_checksum(process_input, process.slug,
process.version)
data_qs = Data.objects.filter(
checksum=checksum,
process__persistence__in=[
Process.PERSISTENCE_CACHED,
Process.PERSISTENCE_TEMP,
],
)
data_qs = get_objects_for_user(request.user, "view_data", data_qs)
if data_qs.exists():
data = data_qs.order_by("created").last()
serializer = self.get_serializer(data)
return Response(serializer.data)
def test_object_based_permission_with_groups_2perms(self):
group_names = ['group1', 'group2', 'group3']
groups = [Group.objects.create(name=name) for name in group_names]
for group in groups:
self.contributor.groups.add(group)
# Objects to operate on
ctypes = list(ContentType.objects.all().order_by('id'))
assign_perm('contenttypes.change_contenttype', self.contributor)
assign_perm('change_contenttype', self.contributor, ctypes[0])
assign_perm('change_contenttype', self.contributor, ctypes[1])
assign_perm('delete_contenttype', self.contributor, ctypes[1])
assign_perm('delete_contenttype', self.contributor, ctypes[2])
assign_perm('change_contenttype', groups[0], ctypes[3])
assign_perm('change_contenttype', groups[1], ctypes[3])
assign_perm('change_contenttype', groups[2], ctypes[4])
assign_perm('delete_contenttype', groups[0], ctypes[0])
objects = get_objects_for_user(self.contributor,
['contenttypes.change_contenttype',
'contenttypes.delete_contenttype'], accept_global_perms=True)
self.assertEqual(
set(objects.values_list('id', flat=True)),
set([ctypes[0].id, ctypes[1].id, ctypes[2].id]))
def _filter_queryset(self, perms, queryset):
"""Filter object objects by permissions of user in request."""
user = self.request.user if self.request else AnonymousUser()
return get_objects_for_user(user, perms, queryset)
def test_klass_as_manager(self):
assign_perm("auth.change_group", self.contributor, self.group)
objects = get_objects_for_user(self.contributor, ["auth.change_group"],
Group.objects)
self.assertEqual([obj.name for obj in objects], [self.group.name])
def test_short_codenames_with_klass(self):
assign_perm('contenttypes.change_contenttype', self.contributor, self.ctype)
objects = get_objects_for_user(self.contributor,
['change_contenttype'], ContentType)
self.assertEqual([obj.name for obj in objects], [self.ctype.name])
def create(self, request, *args, **kwargs):
"""Create a resource."""
collections = request.data.get('collections', [])
# check that user has permissions on all collections that Data
# object will be added to
for collection_id in collections:
try:
collection = Collection.objects.get(pk=collection_id)
except Collection.DoesNotExist:
return Response({'collections': ['Invalid pk "{}" - object does not exist.'.format(collection_id)]},
status=status.HTTP_400_BAD_REQUEST)
if not request.user.has_perm('add_collection', obj=collection):
if request.user.is_authenticated():
raise exceptions.PermissionDenied
else:
raise exceptions.NotFound
# translate processe's slug to id
process_slug = request.data.get('process', None)
process_query = Process.objects.filter(slug=process_slug).order_by('version')
if not process_query.exists():
# XXX: security - is it ok to reveal which processes (don't) exist?
return Response({'process': ['Invalid process slug "{}" - object does not exist.'.format(process_slug)]},
status=status.HTTP_400_BAD_REQUEST)
process = process_query.last()
request.data['process'] = process.pk
# check that user has permission on the process
if not request.user.has_perm('view_process', obj=process):
if request.user.is_authenticated():
raise exceptions.PermissionDenied
else:
raise exceptions.NotFound
# perform "get_or_create" if requested - return existing object
# if found
if kwargs.pop('get_or_create', False):
process_input = request.data.get('input', {})
# use default values if they are not given
for field_schema, fields, path in iterate_schema(process_input, process.input_schema):
if 'default' in field_schema and field_schema['name'] not in fields:
dict_dot(process_input, path, field_schema['default'])
checksum = get_data_checksum(process_input, process.slug, process.version)
data_qs = Data.objects.filter(
checksum=checksum,
process__persistence__in=[Process.PERSISTENCE_CACHED, Process.PERSISTENCE_TEMP],
)
data_qs = get_objects_for_user(request.user, 'view_data', data_qs)
if data_qs.exists():
data = data_qs.order_by('created').last()
serializer = self.get_serializer(data)
return Response(serializer.data)
# create the objects
resp = super(ResolweCreateDataModelMixin, self).create(request, *args, **kwargs)
# run manager
manager.communicate()
return resp
def filter_objects(self, user: UserClass, queryset: QuerySet,
data: Data) -> QuerySet:
"""Filter the objects for the given user."""
permission_name = get_full_perm("view", queryset.model)
return get_objects_for_user(user, permission_name, queryset)
def _filter_queryset(self, perms, queryset):
"""Filter object objects by permissions of user in request."""
user = self.request.user if self.request else AnonymousUser()
return get_objects_for_user(user, perms, queryset)
def test_ensure_returns_queryset(self):
objects = get_objects_for_user(self.contributor, ['auth.change_group'])
self.assertTrue(isinstance(objects, QuerySet))
def test_klass_as_queryset(self):
assign_perm('auth.change_group', self.contributor, self.group)
objects = get_objects_for_user(self.contributor, ['auth.change_group'],
Group.objects.all())
self.assertEqual([obj.name for obj in objects], [self.group.name])
def test_perms_single(self):
perm = 'auth.change_group'
assign_perm(perm, self.contributor, self.group)
self.assertEqual(set(get_objects_for_user(self.contributor, perm)),
set(get_objects_for_user(self.contributor, [perm])))
def test_empty_perms_sequence(self):
objects = get_objects_for_user(self.contributor, [],
Group.objects.all())
self.assertEqual(set(objects), set())
def test_superuser(self):
ctypes = ContentType.objects.all()
objects = get_objects_for_user(self.admin,
['contenttypes.change_contenttype'],
ctypes)
self.assertEqual(set(ctypes), set(objects))
def create(self, request, *args, **kwargs):
"""Create a resource."""
collections = request.data.get('collections', [])
# check that user has permissions on all collections that Data
# object will be added to
for collection_id in collections:
try:
collection = Collection.objects.get(pk=collection_id)
except Collection.DoesNotExist:
return Response(
{
'collections': [
'Invalid pk "{}" - object does not exist.'.format(
collection_id)
]
},
status=status.HTTP_400_BAD_REQUEST)
if not request.user.has_perm('add_collection', obj=collection):
if request.user.has_perm('view_collection', obj=collection):
raise exceptions.PermissionDenied(
"You don't have `ADD` permission on collection (id: {})."
.format(collection_id))
else:
raise exceptions.NotFound(
"Collection not found (id: {}).".format(collection_id))
# translate processe's slug to id
process_slug = request.data.get('process', None)
process_query = Process.objects.filter(slug=process_slug)
process_query = get_objects_for_user(request.user, 'view_process',
process_query)
try:
process = process_query.latest()
except Process.DoesNotExist:
return Response(
{
'process': [
'Invalid process slug "{}" - object does not exist.'.
format(process_slug)
]
},
status=status.HTTP_400_BAD_REQUEST)
request.data['process'] = process.pk
# perform "get_or_create" if requested - return existing object
# if found
if kwargs.pop('get_or_create', False):
process_input = request.data.get('input', {})
# use default values if they are not given
for field_schema, fields, path in iterate_schema(
process_input, process.input_schema):
if 'default' in field_schema and field_schema[
'name'] not in fields:
dict_dot(process_input, path, field_schema['default'])
checksum = get_data_checksum(process_input, process.slug,
process.version)
data_qs = Data.objects.filter(
checksum=checksum,
process__persistence__in=[
Process.PERSISTENCE_CACHED, Process.PERSISTENCE_TEMP
],
)
data_qs = get_objects_for_user(request.user, 'view_data', data_qs)
if data_qs.exists():
data = data_qs.order_by('created').last()
serializer = self.get_serializer(data)
return Response(serializer.data)
# create the objects
resp = super(DataViewSet, self).create(request, *args, **kwargs)
# run manager
manager.communicate()
return resp
def test_short_codenames_with_klass(self):
assign_perm("contenttypes.change_contenttype", self.user, self.ctype)
objects = get_objects_for_user(self.user, ["change_contenttype"], ContentType)
self.assertEqual([obj.name for obj in objects], [self.ctype.name])
