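def _check_permission_association_doc(request, doc_type, document_id):
    """Return True if the requesting user may change the associations of
    the given document, False otherwise.

    The rule depends on ``doc_type``:

    * outing: delegated to ``has_permission_for_outing``;
    * image / article: only *personal* documents are restricted, and only
      their creator may touch them;
    * xreport: only the creator.

    Any other document type, and any request without an authenticated
    user, is refused (fail closed).
    """
    user_id = request.authenticated_userid
    if user_id is None:
        # Nothing below can legitimately grant access to an anonymous
        # request, so refuse up front instead of querying the DB with a
        # null user id.  (Assumes the outing helper requires a user as
        # well -- confirm against has_permission_for_outing.)
        return False

    if doc_type == OUTING_TYPE:
        return bool(has_permission_for_outing(request, document_id))
    if doc_type == IMAGE_TYPE:
        return bool(image.is_personal(document_id) and
                    has_been_created_by(document_id, user_id))
    if doc_type == ARTICLE_TYPE:
        return bool(article.is_personal(document_id) and
                    has_been_created_by(document_id, user_id))
    if doc_type == XREPORT_TYPE:
        return bool(has_been_created_by(document_id, user_id))

    # Unknown document type: deny rather than guess.
    return False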
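def _check_permission_association_doc(request, doc_type, document_id):
    """Return True if the requesting user may change the associations of
    the given document, False otherwise.

    The rule depends on ``doc_type``:

    * outing: delegated to ``has_permission_for_outing``;
    * image / article: only *personal* documents are restricted, and only
      their creator may touch them;
    * xreport: the creator or a user associated with the xreport.

    Any other document type, and any request without an authenticated
    user, is refused (fail closed).
    """
    user_id = request.authenticated_userid
    if user_id is None:
        # Nothing below can legitimately grant access to an anonymous
        # request, so refuse up front instead of querying the DB with a
        # null user id.  (Assumes the outing helper requires a user as
        # well -- confirm against has_permission_for_outing.)
        return False

    if doc_type == OUTING_TYPE:
        return bool(has_permission_for_outing(request, document_id))
    if doc_type == IMAGE_TYPE:
        return bool(image.is_personal(document_id) and
                    has_been_created_by(document_id, user_id))
    if doc_type == ARTICLE_TYPE:
        return bool(article.is_personal(document_id) and
                    has_been_created_by(document_id, user_id))
    if doc_type == XREPORT_TYPE:
        return bool(has_been_created_by(document_id, user_id) or
                    is_associated_user(document_id, user_id))

    # Unknown document type: deny rather than guess.
    return False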
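def _has_permission(request, xreport_id):
    """Return True if the requesting user may view the non-public
    information of the xreport or change it.

    Access is granted to moderators and to the user who created the
    xreport.  Everybody else -- including requests with no credentials or
    with credentials that did not resolve to a user -- is refused.
    """
    # No credentials at all: refuse before consulting anything.
    if request.authorization is None:
        return False

    if request.has_permission('moderator'):
        return True

    user_id = request.authenticated_userid
    if user_id is None:
        # Credentials were sent but did not authenticate anybody; fail
        # closed instead of looking up ownership for a null user id.
        return False

    return has_been_created_by(xreport_id, user_id)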
def validate_requestor(request, **kwargs):
    """Refuse a deletion request unless the requesting user may delete the
    document.  Moderators may always delete.

    Failures are recorded on ``request.errors`` (nothing is raised) and
    only the first failing rule is reported.  Rules, in order:

    * waypoints, routes and books are never deletable by non-moderators;
    * the document must be less than 24h old;
    * outings and xreports: only their initial author;
    * images and articles: only if personal, and only by their creator;
    * any other document type is refused.

    If ``id`` or ``document_type`` is missing from ``request.validated``
    the check is skipped -- presumably the schema validator has already
    recorded an error for the request; confirm on the view.
    """
    if request.has_permission('moderator'):
        return

    validated = request.validated
    if 'id' not in validated or 'document_type' not in validated:
        return

    doc_id = validated['id']
    doc_type = validated['document_type']

    def deny(field, message):
        request.errors.add('querystring', field, message)

    # Collaborative document types are never deletable here.
    if doc_type in (WAYPOINT_TYPE, ROUTE_TYPE, BOOK_TYPE):
        deny('document_type', 'No permission to delete this document')
        return

    if not is_less_than_24h_old(doc_id):
        deny('document_id',
             'Only document less than 24h old can be deleted')
        return

    user_id = request.authenticated_userid

    if doc_type in (OUTING_TYPE, XREPORT_TYPE):
        if not has_been_created_by(doc_id, user_id):
            deny('document_id',
                 'Only the initial author can delete this document')
        return

    if doc_type == IMAGE_TYPE:
        personal = image.is_personal(doc_id)
    elif doc_type == ARTICLE_TYPE:
        personal = article.is_personal(doc_id)
    else:
        personal = False

    if personal and has_been_created_by(doc_id, user_id):
        # Deletion is legal
        return

    deny('document_id', 'No permission to delete this document')
 def put(self):
     """Update an image (PUT).

     Moderators may change any image.  For everyone else the image must
     exist (404 otherwise) and:

     * a collaborative image keeps its ``image_type`` -- the payload must
       carry the stored value, or the request is rejected with 400;
     * any other image may only be changed by its creator (403).

     Assumes schema validation has already populated
     ``request.validated['document']['image_type']`` -- confirm on the
     schema.
     """
     request = self.request
     if request.has_permission('moderator'):
         return self._put(Image, schema_image)

     image_id = request.validated['id']
     stored = DBSession.query(Image).get(image_id)
     if stored is None:
         raise HTTPNotFound('No image found for id {}'.format(image_id))

     if stored.image_type == 'collaborative':
         requested_type = request.validated['document']['image_type']
         if requested_type != stored.image_type:
             raise HTTPBadRequest(
                 'Image type cannot be changed for collaborative images'
             )
     elif not has_been_created_by(image_id, request.authenticated_userid):
         # personal images: the creator only (moderators handled above)
         raise HTTPForbidden('No permission to change this image')

     return self._put(Image, schema_image)
 def put(self):
     """Update an image (PUT).

     Moderators may change any image.  Other users are checked by
     ``ensure_allowed`` below: the image must exist (404), a
     collaborative image must keep its ``image_type`` (400 otherwise),
     and any other image may only be changed by its creator (403).

     Assumes schema validation has already populated
     ``request.validated['document']['image_type']`` -- confirm on the
     schema.
     """
     def ensure_allowed():
         image_id = self.request.validated['id']
         current = DBSession.query(Image).get(image_id)
         if current is None:
             raise HTTPNotFound('No image found for id %d' % image_id)
         if current.image_type == 'collaborative':
             wanted = self.request.validated['document']['image_type']
             if wanted != current.image_type:
                 raise HTTPBadRequest(
                     'Image type cannot be changed for collaborative images'
                 )
             return
         # personal images: the creator only (moderators never get here)
         if not has_been_created_by(image_id,
                                    self.request.authenticated_userid):
             raise HTTPForbidden('No permission to change this image')

     if not self.request.has_permission('moderator'):
         ensure_allowed()
     return self._put(Image, schema_image)
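def _has_permission(request, xreport_id):
    """Return True if the requesting user may view the non-public
    information of the xreport or change it.

    Access is granted to moderators, to the user who created the xreport
    and to users currently associated with it.  Everybody else --
    including requests with no credentials or with credentials that did
    not resolve to a user -- is refused.
    """
    # No credentials at all: refuse before consulting anything.
    if request.authorization is None:
        return False

    if request.has_permission('moderator'):
        return True

    user_id = request.authenticated_userid
    if user_id is None:
        # Credentials were sent but did not authenticate anybody; fail
        # closed instead of looking up ownership for a null user id.
        return False

    return bool(has_been_created_by(xreport_id, user_id) or
                is_associated_user(xreport_id, user_id))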
 def put(self):
     """Update an article (PUT).

     Moderators may change any article.  For everyone else the article
     must exist (404 otherwise) and:

     * a collaborative article keeps its ``article_type`` -- the payload
       must carry the stored value, or the request is rejected with 400;
     * any other article may only be changed by its creator (403).

     Assumes schema validation has already populated
     ``request.validated['document']['article_type']`` -- confirm on the
     schema.
     """
     request = self.request
     if request.has_permission('moderator'):
         return self._put(Article, schema_article)

     article_id = request.validated['id']
     stored = DBSession.query(Article).get(article_id)
     if stored is None:
         raise HTTPNotFound(
             'No article found for id {}'.format(article_id))

     if stored.article_type == 'collab':
         requested_type = request.validated['document']['article_type']
         if requested_type != stored.article_type:
             raise HTTPBadRequest(
                 'Article type cannot be changed for collaborative articles')
     elif not has_been_created_by(article_id, request.authenticated_userid):
         # personal articles: the creator only (moderators handled above)
         raise HTTPForbidden('No permission to change this article')

     return self._put(Article, schema_article)
def validate_personal_association(
        request, parent_document_id, parent_document_type, child_document_id,
        child_document_type, raise_exc, doc_type, is_personal, label):
    """Refuse changes to an association that involves a *personal*
    document of type ``doc_type`` unless the requesting user created it.

    Whichever of the parent and the child has type ``doc_type`` is
    checked (both if both do; once if they are the same id).
    ``is_personal`` is the type-specific predicate (e.g.
    ``image.is_personal``) and ``label`` names the type in messages.
    A violation is raised as ``HTTPBadRequest`` when ``raise_exc`` is
    true, otherwise recorded on ``request.errors`` under
    ``associations.<label>s``.

    NOTE(review): the denial surfaces as a 400, not a 403, when
    ``raise_exc`` is set; callers may rely on that type, so it is left
    unchanged here.
    """
    candidates = [
        (parent_document_type, parent_document_id),
        (child_document_type, child_document_id),
    ]
    to_check = {doc_id for kind, doc_id in candidates if kind == doc_type}

    for doc_id in to_check:
        if not is_personal(doc_id):
            continue
        if has_been_created_by(doc_id, request.authenticated_userid):
            continue
        msg = 'no rights to modify associations with {} {}'.format(
            label, doc_id)
        if raise_exc:
            raise HTTPBadRequest(msg)
        request.errors.add('body', 'associations.{}s'.format(label), msg)
 def put(self):
     """Update an article (PUT).

     Moderators may change any article.  Other users are checked by
     ``ensure_allowed`` below: the article must exist (404), a
     collaborative article must keep its ``article_type`` (400
     otherwise), and any other article may only be changed by its
     creator (403).

     Assumes schema validation has already populated
     ``request.validated['document']['article_type']`` -- confirm on the
     schema.
     """
     def ensure_allowed():
         article_id = self.request.validated['id']
         current = DBSession.query(Article).get(article_id)
         if current is None:
             raise HTTPNotFound(
                 'No article found for id {}'.format(article_id))
         if current.article_type == 'collab':
             wanted = self.request.validated['document']['article_type']
             if wanted != current.article_type:
                 raise HTTPBadRequest(
                     'Article type cannot be changed '
                     'for collaborative articles'
                 )
             return
         # personal articles: the creator only (moderators never get here)
         if not has_been_created_by(article_id,
                                    self.request.authenticated_userid):
             raise HTTPForbidden('No permission to change this article')

     if not self.request.has_permission('moderator'):
         ensure_allowed()
     return self._put(Article, schema_article)
def validate_personal_association(request, parent_document_id,
                                  parent_document_type, child_document_id,
                                  child_document_type, raise_exc, doc_type,
                                  is_personal, label):
    """Refuse changes to an association that involves a *personal*
    document of type ``doc_type`` unless the requesting user created it
    or is associated with it.

    Whichever of the parent and the child has type ``doc_type`` is
    checked (both if both do; once if they are the same id).
    ``is_personal`` is the type-specific predicate (e.g.
    ``image.is_personal``) and ``label`` names the type in messages.
    A violation is raised as ``HTTPBadRequest`` when ``raise_exc`` is
    true, otherwise recorded on ``request.errors`` under
    ``associations.<label>s``.

    NOTE(review): the denial surfaces as a 400, not a 403, when
    ``raise_exc`` is set; callers may rely on that type, so it is left
    unchanged here.
    """
    to_check = set()
    for kind, doc_id in ((parent_document_type, parent_document_id),
                         (child_document_type, child_document_id)):
        if kind == doc_type:
            to_check.add(doc_id)

    def allowed(doc_id):
        # Non-personal documents are unrestricted; personal ones need the
        # requester to be the creator or an associated user.
        if not is_personal(doc_id):
            return True
        user_id = request.authenticated_userid
        return (has_been_created_by(doc_id, user_id) or
                is_associated_user(doc_id, user_id))

    for doc_id in to_check:
        if allowed(doc_id):
            continue
        msg = 'no rights to modify associations with {} {}'.format(
            label, doc_id)
        if raise_exc:
            raise HTTPBadRequest(msg)
        request.errors.add('body', 'associations.{}s'.format(label), msg)