def stat(request, slug, page=1):
problem = get_object_or_404(Problem, slug=slug)
checker = ObjectPermissionChecker(request.user)
if (problem.state != Problem.PUBLISHED and
not checker.has_perm('read_problem', problem) and
problem.user != request.user):
raise Http404
submissions = Submission.objects.filter(problem=problem)
verdict_chart = Submission.get_verdict_distribution_graph(submissions)
incorrect_tries_chart = Solver.get_incorrect_tries_chart(problem)
solvers = Solver.objects.filter(problem=problem, solved=True)
order_by = request.GET.get('order_by', 'shortest')
if order_by.endswith('fastest'):
solvers = solvers.order_by(order_by + '_submission__time')
elif order_by.endswith('shortest'):
solvers = solvers.order_by(order_by + '_submission__length')
else:
solvers = solvers.order_by(order_by)
pagination = setup_paginator(solvers, page, 'judge-problem-stat',
{'slug': slug}, request.GET)
title = problem.slug + u': 해결한 사람들'
return render(request, "problem/stat.html",
{'title': title,
'problem': problem,
'editable': checker.has_perm('edit_problem', problem),
'verdict_chart': verdict_chart,
'incorrects_chart': incorrect_tries_chart,
'pagination': pagination,
})
def get_permitted_minutes(minutes, request, groupid): groupid = int(groupid) try: group = Group.objects.get(id=groupid) except ObjectDoesNotExist: raise Http404 own_group = request.user.is_superuser or group in request.user.groups.all() # Prefetch group permissions group_checker = ObjectPermissionChecker(group) group_checker.prefetch_perms(minutes) # Prefetch user permissions user_checker = ObjectPermissionChecker(request.user) user_checker.prefetch_perms(minutes) # Prefetch ip group permissions ip_range_group_name = request.user._ip_range_group_name if hasattr(request.user, '_ip_range_group_name') else None if ip_range_group_name: ip_range_group = Group.objects.get(name=ip_range_group_name) ip_range_group_checker = ObjectPermissionChecker(ip_range_group) permitted_minutes = [] for m in minutes: # we show all documents for which the requested group has edit permissions # e.g. if you request FSR minutes, all minutes for which the FSR group has edit rights will be shown if not group_checker.has_perm(m.edit_permission_name, m): continue # we only show documents for which the user has view permissions if not user_checker.has_perm(MinutesDocument.get_view_permission(), m) and (not ip_range_group_name or not ip_range_group_checker.has_perm(MinutesDocument.get_view_permission(), m)): continue permitted_minutes.append(m) return permitted_minutes, own_group
def test_state_permission_update(self): """ Test if the permission are correctly updated when the state is updated """ staff_group = Group.objects.get(name=settings.STAFF_GROUP_NAME) university_group = Group.objects.get(name=settings.UNIVERSITY_GROUP_NAME) document = mommy.make(MinutesDocument, participants=self.participants, moderator=self.moderator, state=MinutesDocument.UNPUBLISHED) document.set_all_permissions(staff_group) assign_perm(document.view_permission_name, university_group, document) document.state = MinutesDocument.INTERNAL document.save() document = MinutesDocument.objects.get(url_title=document.url_title) checker = ObjectPermissionChecker(university_group) self.assertFalse(checker.has_perm(document.view_permission_name, document)) self.assertFalse(checker.has_perm(document.edit_permission_name, document)) self.assertFalse(checker.has_perm(document.delete_permission_name, document)) checker = ObjectPermissionChecker(staff_group) self.assertTrue(checker.has_perm(document.view_permission_name, document)) self.assertTrue(checker.has_perm(document.edit_permission_name, document)) self.assertTrue(checker.has_perm(document.delete_permission_name, document))
def diff(request, id1, id2):
rev1 = get_object_or_404(ProblemRevision, id=id1)
rev2 = get_object_or_404(ProblemRevision, id=id2)
problem = rev1.revision_for
checker = ObjectPermissionChecker(request.user)
if (not checker.has_perm('read_problem', problem) and
problem.user != request.user):
raise Http404
dmp = diff_match_patch()
def differ(text1, text2):
return text1 != text2 and dmp.diff_main(text1, text2) or None
return render(request, "problem/diff.html",
{"problem": problem,
"editable": checker.has_perm('edit_problem', problem),
"rev1": rev1,
"rev2": rev2,
"rev1link": reverse("judge-problem-old", kwargs={"id": rev1.id, "slug": problem.slug}),
"rev2link": reverse("judge-problem-old", kwargs={"id": rev2.id, "slug": problem.slug}),
"description": differ(rev1.description, rev2.description),
"input": differ(rev1.input, rev2.input),
"output": differ(rev1.output, rev2.output),
"sample_input": differ(rev1.sample_input, rev2.sample_input),
"sample_output": differ(rev1.sample_output, rev2.sample_output),
"note": differ(rev1.note, rev2.note),
"differ": differ})
def check_user_role(user, project, roles):
"""Check that a user has one of a set of roles for a project.
Administrator role satisfies any requirement.
"""
# Prefetch all user permissions for project.
checker = ObjectPermissionChecker(user)
# Check for admin privs in all cases.
has_role = checker.has_perm('can_administer', project)
if not has_role:
# Check the indicated role(s)
if isinstance(roles, string_types):
roles = [roles]
for role in roles:
if role == UserRole.Annotate:
has_role = checker.has_perm('can_annotate', project)
elif role == UserRole.Browse:
has_role = checker.has_perm('can_browse', project)
elif role == UserRole.Import:
has_role = checker.has_perm('can_import', project)
if has_role:
break
return has_role
def recent(request, page=1):
checker = ObjectPermissionChecker(request.user)
submissions = Submission.objects.all().order_by("-id")
filters = {}
empty_message = u"제출된 답안이 없습니다."
title_add = []
# only superuser can see all nonpublic submissions.
# as an exception, if we are filtering by a problem, the author can see
# nonpublic submissions. also, everybody can see their nonpublic
# submissions.
only_public = not request.user.is_superuser
if request.GET.get("problem"):
slug = request.GET["problem"]
problem = get_object_or_404(Problem, slug=slug)
if request.user == problem.user or checker.has_perm('read_problem', problem):
only_public = False
if (problem.state != Problem.PUBLISHED and
request.user != problem.user and
not checker.has_perm('read_problem', problem)):
raise Http404
submissions = submissions.filter(problem=problem)
title_add.append(slug)
filters["problem"] = slug
if "state" in request.GET:
state = request.GET["state"]
submissions = submissions.filter(state=state)
filters["state"] = state
title_add.append(Submission.STATES_KOR[int(state)])
if request.GET.get("user"):
username = request.GET["user"]
user = get_or_none(User, username=username)
if not user:
empty_message = u"해당 사용자가 없습니다."
submissions = submissions.none()
else:
submissions = submissions.filter(user=user)
filters["user"] = username
title_add.append(username)
if user == request.user:
only_public = False
if only_public:
submissions = submissions.filter(is_public=True)
return render(request, "submission/recent.html",
{"title": u"답안 목록" + (": " if title_add else "") +
",".join(title_add),
"filters": filters,
"empty_message": empty_message,
"pagination": setup_paginator(submissions, page,
"judge-submission-recent", {}, filters)})
def document_permission_overview(user, document): can_edit = user.has_perm(document.edit_permission_name, document) if not can_edit: return [] main_groups = [ settings.ANONYMOUS_GROUP_NAME, settings.UNIVERSITY_GROUP_NAME, settings.STUDENT_GROUP_NAME, settings.STAFF_GROUP_NAME, ] permissions = [] for group_name in main_groups: group = Group.objects.get(name=group_name) checker = ObjectPermissionChecker(group) checker.prefetch_perms([document]) if checker.has_perm(document.edit_permission_name, document): permissions.append((group.name, "edit")) elif checker.has_perm(document.view_permission_name, document): permissions.append((group.name, "view")) else: permissions.append((group.name, "none")) for group in Group.objects.exclude(name__in=main_groups): checker = ObjectPermissionChecker(group) checker.prefetch_perms([document]) if checker.has_perm(document.edit_permission_name, document): permissions.append((group.name, "edit")) elif checker.has_perm(document.view_permission_name, document): permissions.append((group.name, "view")) return permissions
def test_has_perms_using_parent_object(self):
group = Group.objects.create(name='group')
obj1 = ContentType.objects.create(
name='ct1', model='foo', app_label='guardian-tests')
obj2 = ContentType.objects.create(
name='ct2', model='bar', app_label='guardian-tests')
obj2.get_parent_object_permission = lambda: (obj1,)
assign_perms = {
group: ('change_group', 'delete_group'),
obj1: ('change_contenttype', 'delete_contenttype'),
obj2: ('delete_contenttype',),
}
# for user
check = ObjectPermissionChecker(self.user)
self.assign_perms(UserObjectPermission, assign_perms[obj1], self.user, obj1)
self.assign_perms(UserObjectPermission, assign_perms[obj2], self.user, obj2)
print "\n\n\n", '*'*30
for perm in sorted(chain(assign_perms[obj1], assign_perms[obj2])):
print 'checking perm %s in %s' % (perm, obj2)
self.assertTrue(check.has_perm(perm, obj2))
# for group
check = ObjectPermissionChecker(self.group)
self.assign_perms(GroupObjectPermission, assign_perms[obj1], self.group, obj1)
self.assign_perms(GroupObjectPermission, assign_perms[obj2], self.group, obj2)
print "\n\n\n", '-'*30
for perm in sorted(chain(assign_perms[obj1], assign_perms[obj2])):
print 'checking perm %s in %s' % (perm, obj2)
self.assertTrue(check.has_perm(perm, obj2))
def test_group_assign_perm(self):
assign_perm("add_contenttype", self.group, self.ctype)
assign_perm("change_contenttype", self.group, self.ctype)
assign_perm(self.get_permission("delete_contenttype"), self.group, self.ctype)
check = ObjectPermissionChecker(self.group)
self.assertTrue(check.has_perm("add_contenttype", self.ctype))
self.assertTrue(check.has_perm("change_contenttype", self.ctype))
self.assertTrue(check.has_perm("delete_contenttype", self.ctype))
def test_group_assign_perm_queryset(self):
assign_perm("add_contenttype", self.group, self.ctype_qset)
assign_perm("change_contenttype", self.group, self.ctype_qset)
assign_perm(self.get_permission("delete_contenttype"), self.group, self.ctype_qset)
check = ObjectPermissionChecker(self.group)
for obj in self.ctype_qset:
self.assertTrue(check.has_perm("add_contenttype", obj))
self.assertTrue(check.has_perm("change_contenttype", obj))
self.assertTrue(check.has_perm("delete_contenttype", obj))
def test_cache(self):
checker = ObjectPermissionChecker(self.mum)
with mock.patch('guardian.tests.signals.signal_get_perms_user', return_value=[], autospec=True) as mocked_handler:
get_perms.connect(mocked_handler, sender=User,
dispatch_uid='test_cache_mocked_handler')
checker.has_perm('a_custom_perm', self.user)
checker.has_perm('another_custom_perm', self.user)
self.assertEqual(mocked_handler.call_count, 1)
def old(request, id, slug):
problem = get_object_or_404(Problem, slug=slug)
checker = ObjectPermissionChecker(request.user)
if (not checker.has_perm('read_problem', problem) and
problem.user != request.user):
raise Http404
revision = get_object_or_404(ProblemRevision, id=id)
return render(request, "problem/old.html",
{"problem": problem,
"editable": checker.has_perm('edit_problem', problem),
"revision": revision})
def list(request, slug, page=1):
checker = ObjectPermissionChecker(request.user)
category = get_object_or_404(Category, slug=slug)
if not checker.has_perm('read_post', category):
return HttpResponseForbidden("Restricted category")
posts = Post.objects.filter(category=category).order_by("-id")
return render(request, "list.html",
{"write_at": category.slug if checker.has_perm('write_post', category) else None,
"title": category.name,
"category": category,
"pagination": setup_paginator(posts, page, "forum-list",
{"slug": category.slug})})
def test_publish_button(self):
"""
Test if the publish button works
"""
staff_group = Group.objects.get(name=settings.STAFF_GROUP_NAME)
document = mommy.make(MinutesDocument, participants=self.participants, moderator=self.moderator, state=MinutesDocument.UNPUBLISHED)
document.set_all_permissions(staff_group)
# The 1 sets the state to published
self.app.get(reverse('documents:publish', args=[document.url_title, 1]), user=self.user)
document = MinutesDocument.objects.get(url_title=document.url_title)
self.assertEqual(document.state, MinutesDocument.PUBLISHED)
group = Group.objects.get(name=settings.UNIVERSITY_GROUP_NAME)
checker = ObjectPermissionChecker(group)
self.assertTrue(checker.has_perm(document.view_permission_name, document))
self.assertFalse(checker.has_perm(document.edit_permission_name, document))
self.assertFalse(checker.has_perm(document.delete_permission_name, document))
group = Group.objects.get(name=settings.STUDENT_GROUP_NAME)
checker = ObjectPermissionChecker(group)
self.assertTrue(checker.has_perm(document.view_permission_name, document))
self.assertFalse(checker.has_perm(document.edit_permission_name, document))
self.assertFalse(checker.has_perm(document.delete_permission_name, document))
checker = ObjectPermissionChecker(staff_group)
self.assertTrue(checker.has_perm(document.view_permission_name, document))
self.assertTrue(checker.has_perm(document.edit_permission_name, document))
self.assertTrue(checker.has_perm(document.delete_permission_name, document))
def delete_attachment(request, id):
attachment = get_object_or_404(Attachment, id=id)
problem = attachment.problem
checker = ObjectPermissionChecker(request.user)
if not checker.has_perm('edit_problem', problem) and problem.user != request.user:
raise Http404
old_id = attachment.id
old_filename = attachment.file.name
attachment.file.delete(False)
attachment.delete()
# 해당 오브젝트에 대해 아무 퍼미션이나 있으면 처리됨. 문제의 경우 PUBLISHED 일 때는 이 권한을 사용하지 않아서 안전하다
visible_users = get_users_with_perms(problem, with_group_users=False)
visible_groups = get_groups_with_perms(problem)
publish("problem-attachment-delete-%s" % datetime.now().strftime('%s.%f'),
"problem",
"problem-attachment",
actor=request.user,
target=problem,
timestamp=datetime.now(),
visible_users=visible_users,
visible_groups=visible_groups,
verb=u"문제 {target}에서 첨부파일 %s 을 삭제했습니다." % os.path.basename(old_filename))
return HttpResponse("[]")
def test_save_first_minutes_document(self):
# get the editor page and save the site
response = self.app.get(reverse('documents:create', args=['minutesdocument']) + '?group={}'.format(self.group.id), user=self.user)
self.assertEqual(response.status_code, 200)
form = response.forms['document-form']
text = "Lorem ipsum"
form.set('text', text)
form.set('comment', text)
form.set('url_title', slugify(text))
response = form.submit().follow()
self.assertEqual(response.status_code, 200)
document = MinutesDocument.objects.get(url_title=slugify(text))
# check whether number of versions is correct
versions = Version.objects.get_for_object(document)
self.assertEqual(len(versions), 1)
# check whether the properties of the new document are correct
self.assertEqual(document.title, MinutesDocument.generate_new_title())
self.assertEqual(document.author, self.user)
self.assertEqual(document.moderator, self.user)
self.assertEqual(document.text, text)
self.assertEqual(versions[0].revision.comment, text)
self.assertListEqual(list(document.participants.all().order_by('username')), list(self.group.user_set.all().order_by('username')))
checker = ObjectPermissionChecker(self.group)
self.assertTrue(checker.has_perm(document.edit_permission_name, document))
def clean(self):
if self.instance.id:
checker = ObjectPermissionChecker(self.request_user)
if not checker.has_perm('contacts.write_contact', self.instance):
raise ValidationError("User %s has no write permissions" %
self.request_user.username)
return super(ContactAdminForm, self).clean()
def test_group_remove_perm(self):
# assign perm first
assign_perm("change_contenttype", self.group, self.ctype)
remove_perm("change_contenttype", self.group, self.ctype)
check = ObjectPermissionChecker(self.group)
self.assertFalse(check.has_perm("change_contenttype", self.ctype))
def test_group_remove_perm_queryset(self):
assign_perm("change_contenttype", self.group, self.ctype_qset)
remove_perm("change_contenttype", self.group, self.ctype_qset)
check = ObjectPermissionChecker(self.group)
for obj in self.ctype_qset:
self.assertFalse(check.has_perm("change_contenttype", obj))
def read(request, id):
post = get_object_or_404(Post, id=id)
category = post.category
checker = ObjectPermissionChecker(request.user)
if not checker.has_perm('read_post', category):
return HttpResponseForbidden("Restricted post")
return render(request, "read.html", {"post": post, "category": category})
def settable_statuses(cls, user, unit):
"""
Return the list of statuses this user is allowed to set, based on
their permissions.
"""
checker = ObjectPermissionChecker(user)
statuses = []
if checker.has_perm(APPOINTMENT__CAN_FINALIZE, unit):
statuses.extend([cls.SENT, cls.ACCEPTED, cls.DECLINED])
if checker.has_perm(APPOINTMENT__CAN_RECOMMEND, unit):
statuses.extend([cls.APPLICANT, cls.POTENTIAL, cls.RECOMMENDED,
cls.NOPE])
return statuses
def test_group_remove_perm(self):
# assign perm first
assign("change_flatpage", self.group, self.flatpage)
remove_perm("change_flatpage", self.group, self.flatpage)
check = ObjectPermissionChecker(self.group)
self.assertFalse(check.has_perm("change_flatpage", self.flatpage))
def has_perm(self, user_obj, perm, obj=None):
"""
Returns ``True`` if given ``user_obj`` has ``perm`` for ``obj``. If no
``obj`` is given, ``False`` is returned.
.. note::
Remember, that if user is not *active*, all checks would return
``False``.
Main difference between Django's ``ModelBackend`` is that we can pass
``obj`` instance here and ``perm`` doesn't have to contain
``app_label`` as it can be retrieved from given ``obj``.
**Inactive user support**
If user is authenticated but inactive at the same time, all checks
always returns ``False``.
"""
# check if user_obj and object are supported
support, user_obj = check_support(user_obj, obj)
if not support:
return False
if '.' in perm:
app_label, perm = perm.split('.')
if app_label != obj._meta.app_label:
raise WrongAppError("Passed perm has app label of '%s' and "
"given obj has '%s'" % (app_label, obj._meta.app_label))
check = ObjectPermissionChecker(user_obj)
return check.has_perm(perm, obj)
def test_group_assing(self):
assign("change_flatpage", self.group, self.flatpage)
assign("delete_flatpage", self.group, self.flatpage)
check = ObjectPermissionChecker(self.group)
self.assertTrue(check.has_perm("change_flatpage", self.flatpage))
self.assertTrue(check.has_perm("delete_flatpage", self.flatpage))
def test_group_assing(self):
assign("change_keycard", self.group, self.keycard)
assign("delete_keycard", self.group, self.keycard)
check = ObjectPermissionChecker(self.group)
self.assertTrue(check.has_perm("change_keycard", self.keycard))
self.assertTrue(check.has_perm("delete_keycard", self.keycard))
def allow_bulk_destroy_resources(self, user, resource_list):
"""User must have admin permissions to delete collections."""
checker = ObjectPermissionChecker(user)
for collection in resource_list:
if not checker.has_perm('admin_collection', collection):
return False
return True
def test_group_remove_perm(self):
# assign perm first
assign("change_keycard", self.group, self.keycard)
remove_perm("change_keycard", self.group, self.keycard)
check = ObjectPermissionChecker(self.group)
self.assertFalse(check.has_perm("change_keycard", self.keycard))
def bulk_assign_perm(self, perm, user_or_group, queryset):
"""
Bulk assigns permissions with given ``perm`` for an objects in ``queryset`` and
``user_or_group``.
"""
ctype = get_content_type(queryset.model)
if not isinstance(perm, Permission):
permission = Permission.objects.get(content_type=ctype, codename=perm)
else:
permission = perm
checker = ObjectPermissionChecker(user_or_group)
checker.prefetch_perms(queryset)
assigned_perms = []
for instance in queryset:
if not checker.has_perm(permission.codename, instance):
kwargs = {'permission': permission, self.user_or_group_field: user_or_group}
if self.is_generic():
kwargs['content_type'] = ctype
kwargs['object_pk'] = instance.pk
else:
kwargs['content_object'] = instance
assigned_perms.append(self.model(**kwargs))
self.model.objects.bulk_create(assigned_perms)
return assigned_perms
def go():
problem = get_or_none(Problem, id=id)
if not problem:
return {"success": False,
"error": u"존재하지 않는 문제입니다."}
checker = ObjectPermissionChecker(request.user)
if not checker.has_perm('edit_problem', problem) and problem.user != request.user:
return {"success": False,
"error": u"권한이 없습니다."}
if request.method != "POST":
return {"success": False,
"error": u"POST 접근하셔야 합니다."}
file = request.FILES["file"]
md5 = md5file(file)
target_path = os.path.join("judge-attachments", md5, file.name)
storage = DefaultStorage()
storage.save(target_path, file)
new_attachment = Attachment(problem=problem,
file=target_path)
new_attachment.save()
# 해당 오브젝트에 대해 아무 퍼미션이나 있으면 처리됨. 문제의 경우 PUBLISHED 일 때는 이 권한을 사용하지 않아서 안전하다
visible_users = get_users_with_perms(problem, with_group_users=False)
visible_groups = get_groups_with_perms(problem)
publish("problem-attachment-%s" % datetime.now().strftime('%s.%f'),
"problem",
"problem-attachment",
actor=request.user,
target=problem,
timestamp=datetime.now(),
visible_users=visible_users,
visible_groups=visible_groups,
verb=u"문제 {target}에 첨부파일 %s 을 추가했습니다." % file.name)
return {"success": True}
def item_check(self, object_list, bundle, permission):
if not self.base_check(object_list, bundle):
raise Unauthorized("You are not allowed to access that resource.")
checker = ObjectPermissionChecker(bundle.request.user)
if not checker.has_perm(permission, bundle.obj):
raise Unauthorized("You are not allowed to access that resource.")
return True
def auth(request):
if request.user.is_superuser:
if request.method == 'GET':
return render(request, 'api/auth.html')
elif request.method == 'POST':
# 初始化权限树
user_id = request.POST.get('userId')
projects = ProjectInfo.objects.filter().order_by('-id')
perm_dict = {
AUTH_VIEW: '查询',
AUTH_UPDATE: '修改',
AUTH_DELETE: '删除'
} # 需要初始化的权限
is_superuser = False
has_add_perm_list = [] # 用户拥有的创建权限列表
auth_list = []
if user_id != DEFAULT_USER_ID:
try:
user = UserInfo.objects.get(id=user_id)
checker = ObjectPermissionChecker(user)
is_superuser = user.is_superuser
has_add_perm_list = check_add_perm_for_user(
user, add_perm_list) # 初始化创建权限部分
except ObjectDoesNotExist:
return JsonResponse(get_ajax_msg(0, 0, '没有该名用户'))
# 初始化项目权限部分
for project in projects:
flag_all = True # 全选项目权限标志
auth_dict = {}
auth_dict['name'] = project.project_name
auth_dict['value'] = project.id
auth_dict['list'] = []
for key, value in perm_dict.items():
perm_name = value
perm_value = str(project.id) + '-' + key
if user_id != DEFAULT_USER_ID:
is_auth = checker.has_perm(key, project)
else:
is_auth = False
flag_all = flag_all and is_auth # 与运算,判断是否全选权限
auth_dict['list'].append({
'name': perm_name,
'value': perm_value,
'checked': is_auth
})
auth_dict['checked'] = flag_all
auth_list.append(auth_dict)
return JsonResponse(
get_ajax_msg(
1, 1, '获取权限列表成功', {
'is_superuser': is_superuser,
'checks': ','.join(has_add_perm_list),
'trees': auth_list
}))
else:
return JsonResponse(get_ajax_msg(0, 0, '该名用户没有管理员权限'))
def post(self, request, pk=0, form=None):
form = forms.NewPost(request.POST)
if form.is_valid():
if not pk:
cur_post = models.Post()
else:
try:
pk = int(pk)
cur_post = models.Post.objects.get(pk=pk)
checker = ObjectPermissionChecker(request.user)
if not checker.has_perm('change_post', cur_post) \
and not request.user.has_perm('main.change_post'):
return HttpResponseForbidden('forbidden1')
except models.Post.DoesNotExist:
raise Http404
cur_post.title = form.cleaned_data['title']
cur_post.raw = form.cleaned_data['content']
cur_post.abstract = form.cleaned_data['abstract']
# html = markdown2.markdown(cur_post.raw, extras=['code-friendly', 'fenced-code-blocks'])
# cur_post.content_html = smart_text(html)
cur_post.author = User.objects.get(pk=form.cleaned_data['author_id']) if form.cleaned_data['author_id'] else request.user
# cur_post.author = request.user
tag_ids = request.POST.getlist('tags')
category_id = request.POST.get('category', None)
# return HttpResponse(len(tag_ids))
if request.POST.get('publish'):
cur_post.is_draft = False
msg = 'Post has been pulished!'
messages.add_message(request, messages.SUCCESS, msg)
url = reverse('main:admin_posts')
else:
cur_post.is_draft=True
if request.POST.get('preview'):
cur_post.save()
return HttpResponse(cur_post.id)
msg = 'Draft has been saved!'
messages.add_message(request, messages.SUCCESS, msg)
url = '{0}?draft=true'.format(reverse('main:admin_posts'))
cur_post.category_id = category_id
cur_post.save()
cur_post.tags.clear()
cur_post.tags.add(*tag_ids)
assign_perm('main.change_post', request.user, cur_post)
assign_perm('main.delete_post', request.user, cur_post)
if request.POST.get('preview'):
url = reverse('main:post', kwargs={'pk':cur_post.id})
return redirect(url)
return self.get(request, form)
def Inception_exe(request): ##Inception 执行
if request.method == 'POST':
ids = request.POST.getlist('id')
sql_db = request.POST.get('sql', None)
databases = request.POST.get('databases', None)
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
ids1 = []
for i in ids:
assets = db_mysql.objects.get(id=i)
if checker.has_perm('task_db_mysql',assets, ) == True:
ids1.append(i)
else:
error_3 = "数据库没有权限"
ret = {"error": error_3, "status": False}
return HttpResponse(json.dumps(ret))
user = request.user
idstring = ','.join(ids1)
if not ids:
error_1 = "请选择数据库"
ret = {"error": error_1, "status": False}
return HttpResponse(json.dumps(ret))
elif not sql_db:
error_2 = "请输入命令"
ret = {"error": error_2, "status": False}
return HttpResponse(json.dumps(ret))
obj = db_mysql.objects.extra(where=['id IN (' + idstring + ')'])
ret = {}
ret['data'] = []
for i in obj:
try:
history.objects.create(ip=i.ip, root=i.db_user.username, port=i.port,
cmd="执行:{}".format(sql_db), user=user)
password = decrypt_p(i.db_user.password)
s = sql_exe(user=i.db_user.username, password=password, host=i.ip, port=i.port, databases=databases,sqls=sql_db)
if s == None or s['data'] == '':
s = {}
s['ip'] = i.ip
s['data'] = "返回值为空,可能是权限不够。"
ret['data'].append(s)
except Exception as e:
ret['data'].append({"ip": i.ip, "data": "账号密码不对,{}".format(e)})
return HttpResponse(json.dumps(ret))
def test_autoprefetch_superuser_perms(self):
settings.DEBUG = True
guardian_settings.AUTO_PREFETCH = True
ProjectUserObjectPermission.enabled = False
ProjectGroupObjectPermission.enabled = False
try:
from django.db import connection
ContentType.objects.clear_cache()
group1 = Group.objects.create(name='group1')
user = User.objects.create(username='******',
is_superuser=True,
is_active=True)
assign_perm("change_group", user, self.group)
checker = ObjectPermissionChecker(user)
# Fill cache
checker._prefetch_cache()
query_count = len(connection.queries)
# Check customuser has cache attribute
self.assertTrue(hasattr(user, '_guardian_perms_cache'))
# Checking shouldn't spawn any queries
self.assertTrue(checker.has_perm("change_group", self.group))
self.assertTrue(user.has_perm("change_group", self.group))
self.assertEqual(len(connection.queries), query_count)
# Checking for other permission but for Group object again
# shouldn't spawn any query too
self.assertTrue(checker.has_perm("delete_group", self.group))
self.assertTrue(user.has_perm("delete_group", self.group))
self.assertEqual(len(connection.queries), query_count)
# Checking for same model but other instance shouldn't spawn any queries
self.assertTrue(checker.has_perm("change_group", group1))
self.assertTrue(user.has_perm("change_group", group1))
self.assertEqual(len(connection.queries), query_count)
finally:
settings.DEBUG = False
guardian_settings.AUTO_PREFETCH = False
ProjectUserObjectPermission.enabled = True
ProjectGroupObjectPermission.enabled = True
def assign_user_profile(user, _model, admins=[]):
"""
Assign Object(model) permission for the object's associated
user and site administrators
:param user: the object's associated user
:param _model: the object itself
:param admins: optional administrators for control and security reasons
:return: Boolean
"""
for admin in admins:
admin_checker = ObjectPermissionChecker(admin)
admin_has_perm = admin_checker.has_perm("profile_user", _model)
if not admin_has_perm:
assign_perm("profile_user", admin, _model)
checker = ObjectPermissionChecker(user)
has_perm = checker.has_perm("profile_user", _model)
if not has_perm:
assign_perm("profile_user", user, _model)
return user.has_perm("profile_user", _model)
def get_last_minutes_document_for_group(group):
minutes = MinutesDocument.objects.all().order_by('-date')
group_checker = ObjectPermissionChecker(group)
group_checker.prefetch_perms(minutes)
for m in minutes:
if group_checker.has_perm(m.edit_permission_name, m):
return m
return None
def test_superuser(self):
user = User.objects.create(username='******', is_superuser=True)
check = ObjectPermissionChecker(user)
ctype = ContentType.objects.get_for_model(self.ctype)
perms = sorted(
chain(*Permission.objects.filter(
content_type=ctype).values_list('codename')))
self.assertEqual(perms, check.get_perms(self.ctype))
for perm in perms:
self.assertTrue(check.has_perm(perm, self.ctype))
def _has_perm(self, user, perm, allow_admin=True):
if not is_authenticated_user(user):
return False
# Admins are almighty.
if self.is_admin(user) and allow_admin:
return True
if hasattr(self, '_permission_checker'):
checker = self._permission_checker
else:
checker = ObjectPermissionChecker(user)
# Permissions can be given per-unit
if checker.has_perm('unit:%s' % perm, self.unit):
return True
# ... or through Resource Groups
resource_group_perms = [
checker.has_perm('group:%s' % perm, rg)
for rg in self.groups.all()
]
return any(resource_group_perms)
def get_queryset_for_customer(self):
created_time = self.request.query_params.get('created_time', None)
if created_time:
self.kwargs['created_time__contains'] = created_time
queryset = Order.objects.filter(**self.kwargs)
checker = ObjectPermissionChecker(self.request.user)
checker.prefetch_perms(queryset)
return [
query for query in queryset
if checker.has_perm('app.view_order', query)
]
def rejudge(request, id):
problem = get_object_or_404(Problem, id=id)
checker = ObjectPermissionChecker(request.user)
if not checker.has_perm('edit_problem',
problem) and problem.user != request.user:
raise Http404
submissions = Submission.objects.filter(problem=problem)
for submission in submissions:
submission.rejudge()
return redirect(
reverse('judge-submission-recent') + '?problem=' + problem.slug)
def generic_item_check(self, object_list, bundle, permission):
if not self.generic_base_check(object_list, bundle):
raise ImmediateHttpResponse(
HttpForbidden("You are not allowed to access that resource."))
checker = ObjectPermissionChecker(bundle.request.user)
if not checker.has_perm(permission, bundle.obj):
raise ImmediateHttpResponse(
HttpForbidden("You are not allowed to access that resource."))
return True
def system_user_list(request):
obj = system_users.objects.all()
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
l = []
for i in obj:
system_u = system_users.objects.get(id=i.id)
if checker.has_perm('read_system_users', system_u) == True:
l.append(i)
return render(request, 'asset/system-user.html',
{'asset_list': l, "asset_active": "active", "system_user_list_active": "active"})
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if (request.method in permissions.SAFE_METHODS
and is_owner(obj, request)):
return True
checker = ObjectPermissionChecker(request.user)
if checker.has_perm('view_location', obj.id):
return True
return False
def latexify(request, slug):
problem = get_object_or_404(Problem, slug=slug)
checker = ObjectPermissionChecker(request.user)
if (not checker.has_perm('read_problem', problem)
and problem.user != request.user):
raise Http404
response = render(request, "problem/latexify.tex", {
"problem": problem,
"revision": problem.last_revision
})
response['Content-Type'] = 'text/plain; charset=UTF-8'
return response
def history(request, slug):
problem = get_object_or_404(Problem, slug=slug)
checker = ObjectPermissionChecker(request.user)
if (not checker.has_perm('read_problem', problem)
and problem.user != request.user):
raise Http404
revision_set = ProblemRevision.objects.filter(
revision_for=problem).order_by("-id")
ids = [rev.id for rev in revision_set[:2]]
revisions = revision_set.all()
last, second_last = -1, -1
if len(ids) >= 2:
last, second_last = ids[0], ids[1]
return render(
request, "problem/history.html", {
"problem": problem,
"editable": checker.has_perm('edit_problem', problem),
"revisions": revisions,
"last_rev": last,
"second_last_rev": second_last
})
def check_user_role(user, project, roles) -> bool:
"""Check that a user has one of a set of roles for a project.
Administrator role satisfies any requirement.
"""
# Prefetch all user permissions for project.
checker = ObjectPermissionChecker(user)
# Check for admin privs in all cases.
has_role = checker.has_perm('can_administer', project)
if not has_role:
# Check the indicated role(s)
if isinstance(roles, str):
roles = [roles]
for role in roles:
if role == UserRole.Annotate:
has_role = checker.has_perm('can_annotate', project)
elif role == UserRole.Browse:
has_role = checker.has_perm('can_browse', project)
elif role == UserRole.Fork:
has_role = checker.has_perm('can_fork', project)
elif role == UserRole.Import:
has_role = checker.has_perm('can_import', project)
elif role == UserRole.QueueComputeTask:
has_role = checker.has_perm('can_queue_compute_task', project)
if has_role:
break
return has_role
def test_prefetch_group_perms(self):
settings.DEBUG = True
try:
from django.db import connection
ContentType.objects.clear_cache()
new_group = Group.objects.create(name='new-group')
assign_perm("change_group", new_group, self.group)
assign_perm("change_group", new_group, new_group)
checker = ObjectPermissionChecker(new_group)
# Prefetch permissions
self.assertTrue(checker.prefetch_perms([self.group, new_group]))
query_count = len(connection.queries)
# Checking cache is filled
self.assertEqual(len(checker._obj_perms_cache), 2)
# Checking shouldn't spawn any queries
checker.has_perm("change_group", self.group)
self.assertEqual(len(connection.queries), query_count)
# Checking for other permission but for Group object again
# shouldn't spawn any query too
checker.has_perm("delete_group", self.group)
self.assertEqual(len(connection.queries), query_count)
# Checking for same model but other instance shouldn't spawn any queries
checker.has_perm("change_group", new_group)
self.assertEqual(len(connection.queries), query_count)
finally:
settings.DEBUG = False
def get_permitted_minutes(minutes, request, groupid):
groupid = int(groupid)
try:
group = Group.objects.get(id=groupid)
except ObjectDoesNotExist:
raise Http404
own_group = request.user.is_superuser or group in request.user.groups.all()
# Prefetch group permissions
group_checker = ObjectPermissionChecker(group)
group_checker.prefetch_perms(minutes)
# Prefetch user permissions
user_checker = ObjectPermissionChecker(request.user)
user_checker.prefetch_perms(minutes)
# Prefetch ip group permissions
ip_range_group_name = request.user._ip_range_group_name if hasattr(
request.user, '_ip_range_group_name') else None
if ip_range_group_name:
ip_range_group = Group.objects.get(name=ip_range_group_name)
ip_range_group_checker = ObjectPermissionChecker(ip_range_group)
permitted_minutes = []
for m in minutes:
# we show all documents for which the requested group has edit permissions
# e.g. if you request FSR minutes, all minutes for which the FSR group has edit rights will be shown
if not group_checker.has_perm(m.edit_permission_name, m):
continue
# we only show documents for which the user has view permissions
if not user_checker.has_perm(
MinutesDocument.get_view_permission(),
m) and (not ip_range_group_name
or not ip_range_group_checker.has_perm(
MinutesDocument.get_view_permission(), m)):
continue
permitted_minutes.append(m)
return permitted_minutes, own_group
def test_publish_student_button(self):
"""
Test if the publish for students only button works
"""
staff_group = Group.objects.get(name=settings.STAFF_GROUP_NAME)
document = mommy.make(MinutesDocument,
participants=self.participants,
moderator=self.moderator,
state=MinutesDocument.UNPUBLISHED)
document.set_all_permissions(staff_group)
# The 4 sets the state to published_student
self.app.get(reverse('documents:publish', args=[document.url_title,
4]),
user=self.user)
document = MinutesDocument.objects.get(url_title=document.url_title)
self.assertEqual(document.state, MinutesDocument.PUBLISHED_STUDENT)
group = Group.objects.get(name=settings.UNIVERSITY_GROUP_NAME)
checker = ObjectPermissionChecker(group)
self.assertFalse(
checker.has_perm(document.view_permission_name, document))
self.assertFalse(
checker.has_perm(document.edit_permission_name, document))
self.assertFalse(
checker.has_perm(document.delete_permission_name, document))
group = Group.objects.get(name=settings.STUDENT_GROUP_NAME)
checker = ObjectPermissionChecker(group)
self.assertTrue(
checker.has_perm(document.view_permission_name, document))
self.assertFalse(
checker.has_perm(document.edit_permission_name, document))
self.assertFalse(
checker.has_perm(document.delete_permission_name, document))
checker = ObjectPermissionChecker(staff_group)
self.assertTrue(
checker.has_perm(document.view_permission_name, document))
self.assertTrue(
checker.has_perm(document.edit_permission_name, document))
self.assertTrue(
checker.has_perm(document.delete_permission_name, document))
def sftp_file(request): ##上传
if request.method == "GET":
obj = get_objects_for_user(request.user, 'asset.change_asset')
return render(request, 'tasks/sftp.html', {'asset_list': obj, "tasks_active": "active", "sftp_active": "active"})
if request.method == 'POST':
ids = request.POST.getlist('id')
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
local_path= request.POST.get("local_path")
server_path= request.POST.get("server_path")
ids1 = []
for i in ids:
assets = asset.objects.get(id=i)
if checker.has_perm('delete_asset', assets, ) == True:
ids1.append(i)
user = request.user
idstring = ','.join(ids1)
if not ids:
error_1 = "请选择主机"
ret = {"error": error_1, "status": False}
return HttpResponse(json.dumps(ret))
elif not local_path or not server_path :
error_2 = "请输入上传文件目录及文件名"
ret = {"error": error_2, "status": False}
return HttpResponse(json.dumps(ret))
obj = asset.objects.extra(where=['id IN (' + idstring + ')'])
ret = {}
ret['data'] = []
for i in obj:
try:
s = sftp(ip=i.network_ip, port=i.port, username=i.system_user.username, password=i.system_user.password,local_path=local_path, server_path=server_path
)
historys = history.objects.create(ip=i.network_ip, root=i.system_user, port=i.port, cmd="上传{}".format(server_path), user=user)
if s == None or s['data'] == '':
s={}
s['ip']=i.network_ip
s['data']="返回值为空,可能是权限不够。"
ret['data'].append(s)
except Exception as e:
ret['data'].append({"ip": i.network_ip, "data": "账号密码不对,{}".format(e)})
return HttpResponse(json.dumps(ret))
def revert(request, id, slug):
problem = get_object_or_404(Problem, slug=slug)
checker = ObjectPermissionChecker(request.user)
if (not checker.has_perm('edit_problem', problem)
and problem.user != request.user):
raise Http404
revision = ProblemRevision.objects.get(id=id)
old_id = revision.id
revision.id = None
revision_form = ProblemRevisionEditForm(data=None, instance=revision)
revision_form.save(problem, request.user, summary=u"리비전 %s로 복구." % old_id)
return redirect(
reverse("judge-problem-read", kwargs={"slug": problem.slug}))
def has_overlapping_permissions(self, reservation, reservables, user):
# do NOT use method on reservation object! It checks
# object.reservations which does not exist when called from
# method has_permission.
overlapping = reservation.get_overlapping_reservations(reservables)
checker = ObjectPermissionChecker(user)
for res in overlapping:
for r in res.reservables.all():
if r in (reservables.all()
and not checker.has_perm('double_reserve', r)):
raise rest_framework.exceptions.PermissionDenied(
detail=_('Double booking not allowed'))
return True
def submit(request, slug):
problem = get_object_or_404(Problem, slug=slug)
checker = ObjectPermissionChecker(request.user)
# read_problem permission owners and problem authors can opt in for nonpublic submissions.
# nobody can submit public submissions to problems that are not published.
if ((request.user == problem.user
or checker.has_perm('read_problem', problem))
and problem.state == Problem.PUBLISHED):
form = AdminSubmitForm(data=request.POST or None)
else:
form = SubmitForm(data=request.POST or None,
public=(problem.state == Problem.PUBLISHED))
if request.method == "POST" and form.is_valid():
form.save(request.user, problem)
return redirect(reverse("judge-submission-recent"))
return render(
request, "problem/submit.html", {
"form": form,
"editable": checker.has_perm("edit_problem", problem),
"problem": problem
})
def get_queryset(self):
# For bulk requests, queryset is formed from request body.
if is_bulk_request(self.request):
auth = get_user_auth(self.request)
collection_ids = [coll['id'] for coll in self.request.data]
collections = Collection.objects.filter(guids___id__in=collection_ids)
checker = ObjectPermissionChecker(auth.user)
for collection in collections:
if not checker.has_perm('write_collection', collection):
raise PermissionDenied
return collections
else:
return self.get_queryset_from_request()
def test_cache_for_queries_count(self):
settings.DEBUG = True
try:
from django.db import connection
ContentType.objects.clear_cache()
checker = ObjectPermissionChecker(self.user)
# has_perm on Checker should spawn only two queries plus one extra
# for fetching the content type first time we check for specific
# model and two more content types as there are additional checks
# at get_user_obj_perms_model and get_group_obj_perms_model
query_count = len(connection.queries)
res = checker.has_perm("change_group", self.group)
if 'guardian.testapp' in settings.INSTALLED_APPS:
expected = 5
else:
# TODO: This is strange, need to investigate; totally not sure
# why there are more queries if testapp is not included
expected = 11
self.assertEqual(len(connection.queries), query_count + expected)
# Checking again shouldn't spawn any queries
query_count = len(connection.queries)
res_new = checker.has_perm("change_group", self.group)
self.assertEqual(res, res_new)
self.assertEqual(len(connection.queries), query_count)
# Checking for other permission but for Group object again
# shouldn't spawn any query too
query_count = len(connection.queries)
checker.has_perm("delete_group", self.group)
self.assertEqual(len(connection.queries), query_count)
# Checking for same model but other instance should spawn 2 queries
new_group = Group.objects.create(name='new-group')
query_count = len(connection.queries)
checker.has_perm("change_group", new_group)
self.assertEqual(len(connection.queries), query_count + 2)
# Checking for permission for other model should spawn 4 queries
# every added direct relation adds one more query..
# (again: content type and actual permissions for the object...
query_count = len(connection.queries)
checker.has_perm("change_user", self.user)
self.assertEqual(len(connection.queries), query_count + 4)
finally:
settings.DEBUG = False
def Inception_query_databases(request): ##Inception 查询 数据库 名字
if request.method == 'POST':
ids = request.POST.getlist('id')
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
ids1 = []
for i in ids:
assets = db_mysql.objects.get(id=i)
if checker.has_perm('task_db_mysql', assets, ) == True:
ids1.append(i)
else:
error_3 = "数据库没有权限"
ret = {"error": error_3, "status": False}
return HttpResponse(json.dumps(ret))
user = request.user
idstring = ','.join(ids1)
if not ids:
error_1 = "请选择数据库"
ret = {"error": error_1, "status": False}
return HttpResponse(json.dumps(ret))
obj = db_mysql.objects.extra(where=['id IN (' + idstring + ')'])
ret = {}
ret['data'] = []
for i in obj:
try:
history.objects.create(ip=i.ip, root=i.db_user.username, port=i.port,
cmd="查询数据库库名字".format(), user=user)
password = decrypt_p(i.db_user.password)
a = sql_query(user=i.db_user.username, password=password, host=i.ip, port=i.port,db='mysql')
s1 = a.connectmysql(sql="select SCHEMA_NAME from information_schema.SCHEMATA;")
s2 = []
for z in s1:
s2.append(z[0])
s = {'ip':i.ip,'data':s2}
ret['data'].append(s)
except Exception as e:
ret['data'].append({"ip": i.ip, "data": "账号密码不对,{}".format(e)})
return HttpResponse(json.dumps(ret))
def commandTask(request,code):
checker = ObjectPermissionChecker(request.user)
add = checker.has_perm('SystemManage.access_to_Function',Function.objects.get(name='添加命令分发'))
detail = checker.has_perm('SystemManage.access_to_Function',Function.objects.get(name='添加命令分发'))
if request.method=='POST':
data = request.POST
if request.user.is_superuser:
tableData = models.CommandTask.objects.all()
else:
tableData = models.CommandTask.objects.filter(createBy=request.user)
if data['name']:
tableData = tableData.filter(name__icontains=data['name'])
if data['cmdline']:
tableData = tableData.filter(cmdline__icontains=data['cmdline'])
paginator = Paginator(tableData,settings.ITEMS_PER_PAGE) #模板需要
page = int(request.GET.get('page',1)) #模板需要
start = max(page-5,0)
page_range = paginator.page_range[start:start+10] #模板需要
cur_page = paginator.page(page) #模板需要
return render(request,'TaskManage/commandtasktablelist.html',locals())
else:
form = forms.CommandTaskSearchForm()
return render(request,'TaskManage/commandtask.html',locals())
def __init__(self, request: HttpRequest, *args, **kwargs):
super().__init__(*args, **kwargs)
# Disable non-editable fields
person_fields = set([field.name for field in Person.syncable_fields()
]).intersection(set(self.fields))
if self.instance:
checker = ObjectPermissionChecker(request.user)
checker.prefetch_perms([self.instance])
for field in person_fields:
if not checker.has_perm(f"core.change_person_field_{field}",
self.instance):
self.fields[field].disabled = True
def get_permissions(user_or_group: Union[User, Group], object_list: QuerySet) -> List[ObjectPermission]:
permissions = []
perm_checker = ObjectPermissionChecker(user_or_group)
perm_checker.prefetch_perms(object_list)
opts = object_list.model._meta
perm_view = get_permission_codename('view', opts)
perm_change = get_permission_codename('change', opts)
perm_delete = get_permission_codename('delete', opts)
for obj in object_list:
permissions.append(
ObjectPermission(
obj=obj,
can_view=perm_checker.has_perm(perm_view, obj),
can_change=perm_checker.has_perm(perm_change, obj),
can_delete=perm_checker.has_perm(perm_delete, obj),
)
)
return permissions
def system_user_del(request):
ret = {'status': True, 'error': None, }
if request.method == "POST":
try:
id = request.POST.get("nid", None)
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
system_u = system_users.objects.get(id=id)
if checker.has_perm('delete_system_users', system_u, ) == True:
system_u.delete()
GroupObjectPermission.objects.filter(object_pk=id).delete()
except Exception as e:
ret['status'] = False
ret['error'] = '删除请求错误,{}'.format(e)
return HttpResponse(json.dumps(ret))
