Пример #1
 def has_object_permission(self, request, view, obj):
     """Allow reads of public or viewable objects; require ADMIN for writes.

     Methods in ``permissions.SAFE_METHODS`` pass when ``obj.is_public`` is
     truthy or ``obj.can_view(auth)`` grants access. Every other method
     requires the requesting user to hold ADMIN permission on ``obj``.
     """
     assert_resource_type(obj, self.acceptable_models)
     auth = get_user_auth(request)
     if request.method not in permissions.SAFE_METHODS:
         # Any state-changing verb is admin-only.
         return obj.has_permission(auth.user, osf_permissions.ADMIN)
     return obj.is_public or obj.can_view(auth)
Пример #2
    def has_object_permission(self, request, view, obj):
        """Check an identifier's Preprint referent with the parent class's rules.

        Identifiers whose referent is not a Preprint are allowed without any
        further check in this method.
        """
        assert_resource_type(obj, self.acceptable_models)
        target = obj.referent

        if isinstance(target, Preprint):
            parent = super(PreprintIdentifierDetailPermissions, self)
            return parent.has_object_permission(request, view, target)

        # Non-preprint referents are not gated by this class.
        return True
Пример #3
 def has_object_permission(self, request, view, obj):
     """Grant access only to users holding ``view_institutional_metrics`` on ``obj``."""
     requester = request.user
     assert_resource_type(obj, self.acceptable_models)
     # Deny outright when the request carries no user object.
     if not requester:
         return False
     return True if requester.has_perm('view_institutional_metrics', obj) else False
Пример #4
 def has_object_permission(self, request, view, obj):
     """Allow prereg admins on non-DELETE requests; otherwise require ADMIN.

     A DraftRegistration is checked against the object it was branched from.
     """
     assert_resource_type(obj, self.acceptable_models)
     auth = get_user_auth(request)
     # The prereg-admin shortcut covers every verb except DELETE.
     if request.method != 'DELETE' and is_prereg_admin(auth.user):
         return True
     target = obj.branched_from if isinstance(obj, DraftRegistration) else obj
     return target.has_permission(auth.user, osf_permissions.ADMIN)
Пример #5
 def has_object_permission(self, request, view, obj):
     """Require ADMIN on the (branched-from) object, except for prereg admins.

     Prereg admins are allowed for every method other than DELETE. For
     everyone else, a DraftRegistration is swapped for ``obj.branched_from``
     and ADMIN permission on that object decides the outcome.
     """
     assert_resource_type(obj, self.acceptable_models)
     requester = get_user_auth(request).user
     deleting = request.method == 'DELETE'
     if not deleting and is_prereg_admin(requester):
         return True
     if isinstance(obj, DraftRegistration):
         # Permissions live on the object the draft was branched from.
         obj = obj.branched_from
     return obj.has_permission(requester, osf_permissions.ADMIN)
Пример #6
    def has_object_permission(self, request, view, obj):
        """Allow any read; writes need a user with MANAGE permission on ``obj``.

        For unsafe methods the return value is ``auth.user`` itself when it is
        falsy, otherwise whatever ``obj.has_permission`` returns.
        """
        assert_resource_type(obj, self.acceptable_models)
        auth = get_user_auth(request)

        if request.method not in permissions.SAFE_METHODS:
            # Short-circuits on a missing user before calling has_permission.
            return auth.user and obj.has_permission(auth.user, MANAGE)
        return True
Пример #7
    def has_object_permission(self, request, view, obj):
        """Gate file access on the preprint resolved from the URL kwargs.

        ``obj`` is not consulted; the preprint comes from ``self.load_resource``.
        Reads of a retracted preprint are decided by ``can_view_files``; every
        other case is passed to the parent class's check.
        """
        url_kwargs = request.parser_context['kwargs']
        preprint = self.load_resource(url_kwargs, view)
        assert_resource_type(preprint, self.acceptable_models)

        if preprint.is_retracted:
            if request.method in permissions.SAFE_METHODS:
                return preprint.can_view_files(get_user_auth(request))

        parent = super(PreprintFilesPermissions, self)
        return parent.has_object_permission(request, view, preprint)
Пример #8
 def has_object_permission(self, request, view, obj):
     """Require ADMIN permission for reads and admin-contributor status for writes.

     After the type check, a DraftRegistration is replaced by the object it
     was branched from, and that object is the one checked.
     """
     assert_resource_type(obj, self.acceptable_models)
     target = obj.branched_from if isinstance(obj, DraftRegistration) else obj
     auth = get_user_auth(request)
     if request.method not in permissions.SAFE_METHODS:
         return target.is_admin_contributor(auth.user)
     return target.has_permission(auth.user, osf_permissions.ADMIN)
Пример #9
 def has_object_permission(self, request, view, obj):
     """
     Require ADMIN permission on the object for DELETE; allow every other method.
     """
     assert_resource_type(obj, self.acceptable_models)
     auth = get_user_auth(request)
     if request.method != 'DELETE':
         # Non-DELETE verbs are not restricted by this class.
         return True
     return obj.has_permission(auth.user, osf_permissions.ADMIN)
Пример #10
 def has_object_permission(self, request, view, obj):
     """
     Only DELETE is restricted here: it needs ADMIN permission on the object.
     All other methods return True from this check.
     """
     assert_resource_type(obj, self.acceptable_models)
     requester = get_user_auth(request).user
     deleting = request.method == 'DELETE'
     if deleting:
         return obj.has_permission(requester, osf_permissions.ADMIN)
     return True
Пример #11
 def has_object_permission(self, request, view, obj):
     """
     Reads pass for public or viewable objects. To make changes, the user must
     be an admin contributor; admin group membership is not sufficient.
     """
     assert_resource_type(obj, self.acceptable_models)
     auth = get_user_auth(request)
     if request.method not in permissions.SAFE_METHODS:
         return obj.is_admin_contributor(auth.user)
     return obj.is_public or obj.can_view(auth)
Пример #12
    def has_object_permission(self, request, view, obj):
        """Make registrations read-only; allow every method on anything else.

        When ``obj`` is not an AbstractNode, the node is loaded from the URL
        kwarg named by ``view.node_lookup_url_kwarg`` and checked instead.
        """
        # Preprints cannot be registrations
        if isinstance(obj, Preprint):
            return True

        node = obj
        if not isinstance(node, AbstractNode):
            url_kwargs = request.parser_context['kwargs']
            node = AbstractNode.load(url_kwargs[view.node_lookup_url_kwarg])
        assert_resource_type(node, self.acceptable_models)
        if not node.is_registration:
            return True
        # Registrations accept only methods in SAFE_METHODS.
        return request.method in permissions.SAFE_METHODS
Пример #13
 def has_object_permission(self, request, view, obj):
     """Check access to an OSF group on the node resolved from the URL kwargs.

     Reads pass when the node is public or viewable. DELETE passes for node
     admins or for users with 'manage' permission on ``obj``. Every other
     method requires ADMIN permission on the node.
     """
     assert_resource_type(obj, self.acceptable_models)
     auth = get_user_auth(request)
     node = self.load_resource(request.parser_context['kwargs'], view)
     method = request.method
     if method in permissions.SAFE_METHODS:
         return node.is_public or node.can_view(auth)
     if method == 'DELETE':
         # If deleting an OSF group from a node, you either need admin perms
         # or you need to be an OSF group manager
         return node.has_permission(auth.user, osf_permissions.ADMIN) or obj.has_permission(auth.user, 'manage')
     return node.has_permission(auth.user, osf_permissions.ADMIN)
Пример #14
    def has_object_permission(self, request, view, obj):
        """Allow contributors to read and admin contributors to write.

        A dict ``obj`` is unwrapped to its ``'self'`` entry before the type
        check. Requests without ``auth.user`` are denied for every method.
        """
        target = obj.get('self', None) if isinstance(obj, dict) else obj
        assert_resource_type(target, self.acceptable_models)
        requester = get_user_auth(request).user
        if not requester:
            return False

        if request.method not in permissions.SAFE_METHODS:
            return target.is_admin_contributor(requester)
        return target.is_contributor(requester)
Пример #15
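 def has_object_permission(self, request, view, obj):
     """Decide contributor-detail access against the node named in the URL.

     Reads pass when the node is public or ``node.can_view(auth)`` grants
     access. DELETE passes for node admins and for an authenticated user
     removing themselves (the ``user_id`` URL kwarg). Every other method
     requires ADMIN permission on the node.
     """
     assert_resource_type(obj, self.acceptable_models)
     auth = get_user_auth(request)
     context = request.parser_context['kwargs']
     node = self.load_resource(context, view)
     user = OSFUser.load(context['user_id'])
     if request.method in permissions.SAFE_METHODS:
         return node.is_public or node.can_view(auth)
     elif request.method == 'DELETE':
         # Self-removal applies only to an authenticated requester. A bare
         # `auth.user == user` is True when both sides are None, which would
         # let an anonymous request match a failed user lookup.
         # NOTE(review): whether OSFUser.load returns None for an unknown id
         # is not visible here; the explicit None check fails closed either way.
         return node.has_permission(auth.user, osf_permissions.ADMIN) or (
             auth.user is not None and auth.user == user
         )
     else:
         return node.has_permission(auth.user, osf_permissions.ADMIN)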
Пример #16
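    def has_object_permission(self, request, view, obj):
        """Decide contributor-detail access against the preprint named in the URL.

        Reads are passed to the parent class's check with the preprint as the
        object. DELETE passes for preprint admins and for an authenticated
        user removing themselves (the ``user_id`` URL kwarg). Every other
        method requires ADMIN permission on the preprint.
        """
        assert_resource_type(obj, self.acceptable_models)
        context = request.parser_context['kwargs']
        preprint = self.load_resource(context, view)
        auth = get_user_auth(request)
        user = OSFUser.load(context['user_id'])

        if request.method in permissions.SAFE_METHODS:
            return super(ContributorDetailPermissions, self).has_object_permission(request, view, preprint)
        elif request.method == 'DELETE':
            # Self-removal applies only to an authenticated requester. A bare
            # `auth.user == user` is True when both sides are None, which would
            # let an anonymous request match a failed user lookup.
            # NOTE(review): whether OSFUser.load returns None for an unknown id
            # is not visible here; the explicit None check fails closed either way.
            return preprint.has_permission(auth.user, osf_permissions.ADMIN) or (
                auth.user is not None and auth.user == user
            )
        else:
            return preprint.has_permission(auth.user, osf_permissions.ADMIN)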
Пример #17
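 def has_object_permission(self, request, view, obj):
     """Decide access to OSF group membership.

     When ``obj`` is not an OSFGroup, the group is loaded from the
     ``group_id`` URL kwarg. Reads are always allowed. DELETE passes for
     users with MANAGE permission on the group and for an authenticated user
     removing themselves (the ``user_id`` URL kwarg). Every other method
     needs a user with MANAGE permission.
     """
     if not isinstance(obj, OSFGroup):
         obj = OSFGroup.load(request.parser_context['kwargs']['group_id'])
     assert_resource_type(obj, self.acceptable_models)
     auth = get_user_auth(request)
     if request.method in permissions.SAFE_METHODS:
         return True
     elif request.method == 'DELETE':
         user = OSFUser.load(request.parser_context['kwargs']['user_id'])
         # You must have manage permissions on the OSFGroup to remove a member,
         # unless you are removing yourself. "Yourself" requires an
         # authenticated requester: a bare `auth.user == user` is True when
         # both sides are None.
         # NOTE(review): whether OSFUser.load returns None for an unknown id
         # is not visible here; the explicit None check fails closed either way.
         return obj.has_permission(auth.user, MANAGE) or (
             auth.user is not None and auth.user == user
         )
     else:
         return auth.user and obj.has_permission(auth.user, MANAGE)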
Пример #18
 def has_object_permission(self, request, view, obj):
     """Check access to a node link using its parent node and the linked node.

     Both nodes are loaded from the ``node_id`` and ``node_link_id`` URL
     kwargs. Reads pass when the linked node is public, or when the
     requester can view both the parent and the linked node. Every other
     method requires edit access to the parent node.
     """
     assert_resource_type(obj, self.acceptable_models)
     auth = get_user_auth(request)
     url_kwargs = request.parser_context['kwargs']
     parent_node = AbstractNode.load(url_kwargs['node_id'])
     # NOTE(review): `.child` is read without checking the load result;
     # what load returns for an unknown id is not visible here.
     pointer_node = NodeRelation.load(url_kwargs['node_link_id']).child
     if request.method not in permissions.SAFE_METHODS:
         return parent_node.can_edit(auth)
     can_view_parent = parent_node.can_view(auth)
     can_view_pointer = pointer_node.can_view(auth)
     pointer_is_public = pointer_node.is_public
     return pointer_is_public or (can_view_parent and can_view_pointer)
Пример #19
 def has_object_permission(self, request, view, obj):
     """Allow reads of public or viewable objects; writes need edit access.

     Before the type check, ``obj`` is unwrapped in order: addon settings to
     their ``owner``, a NodeStorageProvider to its ``node``, and a dict to
     its ``'self'`` entry.
     """
     # Imported inside the method, as in the original.
     from api.nodes.views import NodeStorageProvider
     target = obj
     if isinstance(target, BaseAddonSettings):
         target = target.owner
     if isinstance(target, NodeStorageProvider):
         target = target.node
     if isinstance(target, dict):
         target = target.get('self', None)
     assert_resource_type(target, self.acceptable_models)
     auth = get_user_auth(request)
     if request.method not in permissions.SAFE_METHODS:
         return target.can_edit(auth)
     return target.is_public or target.can_view(auth)
Пример #20
 def has_object_permission(self, request, view, obj):
     """Resolve ``obj`` to its underlying resource, then apply read/write rules.

     Addon settings resolve to ``owner``, a NodeStorageProvider to ``node``,
     and a dict to its ``'self'`` entry. Reads pass for public or viewable
     resources; every other method requires ``can_edit``.
     """
     # Imported inside the method, as in the original.
     from api.nodes.views import NodeStorageProvider
     if isinstance(obj, BaseAddonSettings):
         obj = obj.owner
     if isinstance(obj, NodeStorageProvider):
         obj = obj.node
     if isinstance(obj, dict):
         obj = obj.get('self', None)
     assert_resource_type(obj, self.acceptable_models)
     credentials = get_user_auth(request)
     is_read = request.method in permissions.SAFE_METHODS
     if is_read:
         return obj.is_public or obj.can_view(credentials)
     return obj.can_edit(credentials)
Пример #21
    def has_object_permission(self, request, view, obj):
        """Allow contributors to read and users with edit access to write.

        A dict ``obj`` is unwrapped to its ``'self'`` entry. A
        DraftRegistration branched from a Node is checked against that Node.
        """
        target = obj.get('self', None) if isinstance(obj, dict) else obj
        assert_resource_type(target, self.acceptable_models)
        auth = get_user_auth(request)
        # NOTE(review): this tests the object returned by get_user_auth, not
        # auth.user; whether that object can be falsy for an anonymous
        # request is not visible here. Confirm the intended check.
        if not auth:
            return False

        if isinstance(target, DraftRegistration) and isinstance(target.branched_from, Node):
            target = target.branched_from

        if request.method not in permissions.SAFE_METHODS:
            return target.can_edit(auth)
        return target.is_contributor(auth.user)
Пример #22
    def has_object_permission(self, request, view, obj):
        """Restrict access to withdrawn preprints that were never public.

        Objects that are not retracted, or that are retracted but were ever
        public, are allowed for every method by this check. Otherwise the
        requester needs ``view_submissions`` on the provider: reads are then
        allowed and other methods raise PermissionDenied. Everyone else gets
        NotFound.
        """
        assert_resource_type(obj, self.acceptable_models)
        if not obj.is_retracted:
            return True
        # Tombstone page should be public
        if obj.is_retracted and obj.ever_public:
            return True

        requester = get_user_auth(request).user
        if requester is None:
            raise exceptions.NotFound

        if not requester.has_perm('view_submissions', obj.provider):
            raise exceptions.NotFound
        if request.method in permissions.SAFE_METHODS:
            return True
        # Withdrawn preprints should not be editable
        raise exceptions.PermissionDenied(detail='Withdrawn preprints may not be edited')
Пример #23
 def has_object_permission(self, request, view, obj):
     """Decide read and write access to a preprint.

     An OsfStorageFolder is replaced by its ``target``. Requests with no
     user may read only when ``verified_publishable`` is truthy. A user may
     read when any of the four conditions in the chain below holds. Every
     other method requires ADMIN and raises PermissionDenied without it.
     """
     target = obj.target if isinstance(obj, OsfStorageFolder) else obj
     assert_resource_type(target, self.acceptable_models)
     auth = get_user_auth(request)
     if request.method not in permissions.SAFE_METHODS:
         if target.has_permission(auth.user, osf_permissions.ADMIN):
             return True
         raise exceptions.PermissionDenied(detail='User must be an admin to make these preprint edits.')
     if auth.user is None:
         return target.verified_publishable
     # Evaluated left to right; the first truthy term decides.
     return (
         target.verified_publishable or
         (target.is_public and auth.user.has_perm('view_submissions', target.provider)) or
         target.has_permission(auth.user, osf_permissions.ADMIN) or
         (target.is_contributor(auth.user) and target.machine_state != DefaultStates.INITIAL.value)
     )
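    def has_object_permission(self, request, view, obj):
        """Decide access to a collection submission.

        A dict ``obj`` is unwrapped to its ``'self'`` entry. Reads pass when
        the collection is public or the user holds ``read_collection``.
        PUT/PATCH pass with WRITE on the referent or ``write_collection`` on
        the collection. DELETE passes with ADMIN on the referent or
        ``admin_collection`` on the collection. Any other method is denied.
        """
        if isinstance(obj, dict):
            obj = obj.get('self', None)

        assert_resource_type(obj, self.acceptable_models)
        collection = obj.collection
        auth = get_user_auth(request)
        user = auth.user
        if request.method in permissions.SAFE_METHODS:
            return collection.is_public or user and user.has_perm(
                'read_collection', collection)
        elif request.method in ['PUT', 'PATCH']:
            # Guard the collection-level check the same way the read branch
            # does: with no user, `user.has_perm` would raise AttributeError
            # instead of producing a denial.
            return obj.guid.referent.has_permission(user, WRITE) or bool(
                user and user.has_perm('write_collection', collection))
        elif request.method == 'DELETE':
            # Restricted to collection and project admins. Same None guard
            # as above so an anonymous request is denied rather than erroring.
            return obj.guid.referent.has_permission(user, ADMIN) or bool(
                user and user.has_perm('admin_collection', collection))
        return False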
Пример #25
    def has_object_permission(self, request, view, obj):
        """Resolve ``obj`` to its resource, then apply moderator and read/write rules.

        Addon settings resolve to ``owner``, a NodeStorageProvider to ``node``,
        a dict to its ``'self'`` entry, and a DraftRegistration branched from a
        Node to that Node. Members of a Registration provider's 'moderator'
        group are allowed. Otherwise reads pass for public or viewable
        resources and every other method requires ``can_edit``.
        """
        # Imported inside the method, as in the original.
        from api.nodes.views import NodeStorageProvider
        target = obj
        if isinstance(target, BaseAddonSettings):
            target = target.owner
        if isinstance(target, NodeStorageProvider):
            target = target.node
        if isinstance(target, dict):
            target = target.get('self', None)
        assert_resource_type(target, self.acceptable_models)
        auth = get_user_auth(request)

        if isinstance(target, DraftRegistration) and isinstance(target.branched_from, Node):
            target = target.branched_from

        if isinstance(target, Registration) and target.provider:
            # NOTE(review): this shortcut returns True for every HTTP method,
            # not only safe ones, and keys on request.user rather than
            # auth.user. Confirm moderators are meant to pass write checks here.
            moderators = target.provider.get_group('moderator').user_set
            if moderators.filter(id=request.user.id).exists():
                return True

        if request.method not in permissions.SAFE_METHODS:
            return target.can_edit(auth)
        return target.is_public or target.can_view(auth)
 def has_object_permission(self, request, view, obj):
     """Return ``obj.is_public`` for every method, after the resource type check."""
     assert_resource_type(obj, self.acceptable_models)
     publicly_visible = obj.is_public
     return publicly_visible
Пример #27
 def has_object_permission(self, request, view, obj):
     """Require ADMIN permission, for every method.

     A PrivateLink is checked against the node returned by ``view.get_node()``.
     """
     assert_resource_type(obj, self.acceptable_models)
     target = view.get_node() if isinstance(obj, PrivateLink) else obj
     requester = get_user_auth(request).user
     return target.has_permission(requester, osf_permissions.ADMIN)
Пример #28
 def has_object_permission(self, request, view, obj):
     """Allow every safe method; allow other methods only when ``obj.is_public``.

     The requesting user is not consulted by this check.
     """
     assert_resource_type(obj, self.acceptable_models)
     if request.method in permissions.SAFE_METHODS:
         return True
     return obj.is_public
Пример #29
 def has_object_permission(self, request, view, obj):
     """Allow any method when ``obj`` is public or the requester can view it."""
     assert_resource_type(obj, self.acceptable_models)
     credentials = get_user_auth(request)
     # can_view is consulted only when the object is not public.
     return obj.is_public or obj.can_view(credentials)
Пример #30
 def has_object_permission(self, request, view, obj):
     """Return True for safe methods and ``obj.is_public`` for all others.

     The requesting user is not consulted by this check.
     """
     assert_resource_type(obj, self.acceptable_models)
     is_read = request.method in permissions.SAFE_METHODS
     return True if is_read else obj.is_public
Пример #31
 def has_object_permission(self, request, view, obj):
     """Pass when ``obj.is_public`` is truthy, else defer to ``obj.can_view``.

     The HTTP method is not consulted by this check.
     """
     assert_resource_type(obj, self.acceptable_models)
     requester_auth = get_user_auth(request)
     return obj.is_public or obj.can_view(requester_auth)
Пример #32
 def has_object_permission(self, request, view, obj):
     """Admin-only check; a PrivateLink is swapped for ``view.get_node()`` first.

     The HTTP method is not consulted by this check.
     """
     assert_resource_type(obj, self.acceptable_models)
     if isinstance(obj, PrivateLink):
         # Permission is evaluated on the node from the view, not the link.
         obj = view.get_node()
     credentials = get_user_auth(request)
     return obj.has_permission(credentials.user, osf_permissions.ADMIN)
Пример #33
 def has_object_permission(self, request, view, obj):
     """Require the 'admin' permission on ``obj`` for every method."""
     assert_resource_type(obj, self.acceptable_models)
     requester = get_user_auth(request).user
     return obj.has_permission(requester, 'admin')
Пример #34
 def has_object_permission(self, request, view, obj):
     """Apply the parent class's check, mapping a DraftNode to its first registered draft."""
     target = obj
     if isinstance(target, DraftNode):
         target = target.registered_draft.first()
     assert_resource_type(target, self.acceptable_models)
     parent = super(ContributorOnDraftRegistration, self)
     return parent.has_object_permission(request, view, target)