def AssertBasePermission(self, mr):
super(PeopleList, self).AssertBasePermission(mr)
# For now, contributors who cannot view other contributors are further
# restricted from viewing any part of the member list or detail pages.
if not permissions.CanViewContributorList(mr):
raise permissions.PermissionException(
'User is not allowed to view the project people list')
def AssertBasePermission(self, mr):
"""Check that the user is allowed to access this servlet."""
super(PeopleDetail, self).AssertBasePermission(mr)
member_id = self.ValidateMemberID(mr.cnxn, mr.specified_user_id,
mr.project)
# For now, contributors who cannot view other contributors are further
# restricted from viewing any part of the member list or detail pages.
if (not permissions.CanViewContributorList(mr, mr.project)
and member_id != mr.auth.user_id):
raise permissions.PermissionException(
'User is not allowed to view other people\'s details')
def _FilterMemberData(mr, owner_ids, committer_ids, contributor_ids,
indirect_member_ids, project):
"""Return a filtered list of members that the user can view.
In most projects, everyone can view the entire member list. But,
some projects are configured to only allow project owners to see
all members. In those projects, committers and contributors do not
see any contributors. Regardless of how the project is configured
or the role that the user plays in the current project, we include
any indirect members through user groups that the user has access
to view.
Args:
mr: Commonly used info parsed from the HTTP request.
owner_views: list of user IDs for project owners.
committer_views: list of user IDs for project committers.
contributor_views: list of user IDs for project contributors.
indirect_member_views: list of user IDs for users who have
an indirect role in the project via a user group, and that the
logged in user is allowed to see.
project: the Project we're interested in.
Returns:
A list of owners, committer and visible indirect members if the user is not
signed in. If the project is set to display contributors to non-owners or
the signed in user has necessary permissions then additionally a list of
contributors.
"""
visible_members_ids = set()
# Everyone can view owners and committers
visible_members_ids.update(owner_ids)
visible_members_ids.update(committer_ids)
# The list of indirect members is already limited to ones that the user
# is allowed to see according to user group settings.
visible_members_ids.update(indirect_member_ids)
# If the user is allowed to view the list of contributors, add those too.
if permissions.CanViewContributorList(mr, project):
visible_members_ids.update(contributor_ids)
return sorted(visible_members_ids)
def GatherBaseData(self, mr, nonce):
"""Return a dict of info used on almost all pages."""
project = mr.project
project_summary = ''
project_alert = None
project_read_only = False
project_home_page = ''
project_thumbnail_url = ''
if project:
project_summary = project.summary
project_alert = _CalcProjectAlert(project)
project_read_only = project.read_only_reason
project_home_page = project.home_page
project_thumbnail_url = tracker_views.LogoView(
project).thumbnail_url
with work_env.WorkEnv(mr, self.services) as we:
is_project_starred = False
project_view = None
if mr.project:
if permissions.UserCanViewProject(mr.auth.user_pb,
mr.auth.effective_ids,
mr.project):
is_project_starred = we.IsProjectStarred(mr.project_id)
# TODO(jrobbins): should this be a ProjectView?
project_view = template_helpers.PBProxy(mr.project)
grid_x_attr = None
grid_y_attr = None
hotlist_view = None
if mr.hotlist:
users_by_id = framework_views.MakeAllUserViews(
mr.cnxn, self.services.user,
features_bizobj.UsersInvolvedInHotlists([mr.hotlist]))
hotlist_view = hotlist_views.HotlistView(
mr.hotlist, mr.perms, mr.auth, mr.viewed_user_auth.user_id,
users_by_id,
self.services.hotlist_star.IsItemStarredBy(
mr.cnxn, mr.hotlist.hotlist_id, mr.auth.user_id))
grid_x_attr = mr.x.lower()
grid_y_attr = mr.y.lower()
app_version = os.environ.get('CURRENT_VERSION_ID')
viewed_username = None
if mr.viewed_user_auth.user_view:
viewed_username = mr.viewed_user_auth.user_view.username
issue_entry_url = 'entry'
config = None
if mr.project_id and self.services.config:
with mr.profiler.Phase('getting config'):
config = self.services.config.GetProjectConfig(
mr.cnxn, mr.project_id)
grid_x_attr = (mr.x or config.default_x_attr).lower()
grid_y_attr = (mr.y or config.default_y_attr).lower()
issue_entry_url = _LoginOrIssueEntryURL(mr, config)
viewing_self = mr.auth.user_id == mr.viewed_user_auth.user_id
offer_saved_queries_subtab = (viewing_self or mr.auth.user_pb
and mr.auth.user_pb.is_site_admin)
login_url = _SafeCreateLoginURL(mr)
logout_url = _SafeCreateLogoutURL(mr)
logout_url_goto_home = users.create_logout_url('/')
version_base = _VersionBaseURL(mr.request)
base_data = {
# EZT does not have constants for True and False, so we pass them in.
'True':
ezt.boolean(True),
'False':
ezt.boolean(False),
'local_mode':
ezt.boolean(settings.local_mode),
'site_name':
settings.site_name,
'show_search_metadata':
ezt.boolean(False),
'page_template':
self._PAGE_TEMPLATE,
'main_tab_mode':
self._MAIN_TAB_MODE,
'project_summary':
project_summary,
'project_home_page':
project_home_page,
'project_thumbnail_url':
project_thumbnail_url,
'hotlist_id':
mr.hotlist_id,
'hotlist':
hotlist_view,
'hostport':
mr.request.host,
'absolute_base_url':
'%s://%s' % (mr.request.scheme, mr.request.host),
'project_home_url':
None,
'link_rel_canonical':
None, # For specifying <link rel="canonical">
'projectname':
mr.project_name,
'project':
project_view,
'project_is_restricted':
ezt.boolean(_ProjectIsRestricted(mr)),
'offer_contributor_list':
ezt.boolean(permissions.CanViewContributorList(mr, mr.project)),
'logged_in_user':
mr.auth.user_view,
'form_token':
None, # Set to a value below iff the user is logged in.
'form_token_path':
None,
'token_expires_sec':
None,
'xhr_token':
None, # Set to a value below iff the user is logged in.
'flag_spam_token':
None,
'nonce':
nonce,
'perms':
mr.perms,
'warnings':
mr.warnings,
'errors':
mr.errors,
'viewed_username':
viewed_username,
'viewed_user':
mr.viewed_user_auth.user_view,
'viewed_user_pb':
template_helpers.PBProxy(mr.viewed_user_auth.user_pb),
'viewing_self':
ezt.boolean(viewing_self),
'viewed_user_id':
mr.viewed_user_auth.user_id,
'offer_saved_queries_subtab':
ezt.boolean(offer_saved_queries_subtab),
'currentPageURL':
mr.current_page_url,
'currentPageURLEncoded':
mr.current_page_url_encoded,
'login_url':
login_url,
'logout_url':
logout_url,
'logout_url_goto_home':
logout_url_goto_home,
'continue_issue_id':
mr.continue_issue_id,
'feedback_email':
settings.feedback_email,
'category_css':
None, # Used to specify a category of stylesheet
'category2_css':
None, # specify a 2nd category of stylesheet if needed.
'page_css':
None, # Used to add a stylesheet to a specific page.
'can':
mr.can,
'query':
mr.query,
'colspec':
None,
'sortspec':
mr.sort_spec,
# Options for issuelist display
'grid_x_attr':
grid_x_attr,
'grid_y_attr':
grid_y_attr,
'grid_cell_mode':
mr.cells,
'grid_mode':
None,
'list_mode':
None,
'chart_mode':
None,
'issue_entry_url':
issue_entry_url,
'is_cross_project':
ezt.boolean(False),
# for project search (some also used in issue search)
'start':
mr.start,
'num':
mr.num,
'groupby':
mr.group_by_spec,
'q_field_size': (min(
framework_constants.MAX_ARTIFACT_SEARCH_FIELD_SIZE,
max(framework_constants.MIN_ARTIFACT_SEARCH_FIELD_SIZE,
len(mr.query) + framework_constants.AUTOSIZE_STEP))),
'mode':
None, # Display mode, e.g., grid mode.
'ajah':
mr.ajah,
'table_title':
mr.table_title,
'alerts':
alerts.AlertsView(mr), # For alert.ezt
'project_alert':
project_alert,
'title':
None, # First part of page title
'title_summary':
None, # Appended to title on artifact detail pages
# TODO(jrobbins): make sure that the templates use
# project_read_only for project-mutative actions and if any
# uses of read_only remain.
'project_read_only':
ezt.boolean(project_read_only),
'site_read_only':
ezt.boolean(settings.read_only),
'banner_time':
servlet_helpers.GetBannerTime(settings.banner_time),
'read_only':
ezt.boolean(settings.read_only or project_read_only),
'site_banner_message':
settings.banner_message,
'robots_no_index':
None,
'analytics_id':
settings.analytics_id,
'is_project_starred':
ezt.boolean(is_project_starred),
'version_base':
version_base,
'app_version':
app_version,
'gapi_client_id':
settings.gapi_client_id,
'viewing_user_page':
ezt.boolean(False),
'old_ui_url':
None,
'is_member':
ezt.boolean(False),
}
if mr.project:
base_data['project_home_url'] = '/p/%s' % mr.project_name
# Always add xhr-xsrf token because even anon users need some
# pRPC methods, e.g., autocomplete, flipper, and charts.
base_data['token_expires_sec'] = xsrf.TokenExpiresSec()
base_data['xhr_token'] = xsrf.GenerateToken(mr.auth.user_id,
xsrf.XHR_SERVLET_PATH)
# Always add other anti-xsrf tokens when the user is logged in.
if mr.auth.user_id:
form_token_path = self._FormHandlerURL(mr.request.path)
base_data['form_token'] = xsrf.GenerateToken(
mr.auth.user_id, form_token_path)
base_data['form_token_path'] = form_token_path
return base_data