def test_has_permission_failure():
    """has_permission must deny a permission that the user's role does not list."""
    # Pin the fixture first: the user can only be given roles from the
    # project's defined set, so the test relies on OutputPublisher granting
    # exactly this permission list. If the role changes, fail here, loudly.
    expected_permissions = ["publish_output"]
    assert OutputPublisher.permissions == expected_permissions

    publisher = UserFactory(roles=[OutputPublisher])
    granted = has_permission(publisher, "perm1")
    assert not granted
def validate_application_access(user, application):
    """Allow access to an application for managers and for its creator.

    Returns None when `user` holds the "application_manage" permission
    (checked without a project argument) or when `user` is the
    application's `created_by`.

    Raises:
        Http404: for every other caller. The denial is reported as "not
            found" rather than as a permission error; presumably so that a
            denied caller cannot tell a forbidden application from a
            missing one (confirm against the views that call this).
    """
    is_manager = has_permission(user, "application_manage")
    if is_manager or application.created_by == user:
        return
    raise Http404
def validate_snapshot_access(request, snapshot):
    """Check that the requesting user may read `snapshot`.

    Uses Django's regular session user (`request.user`); no token handling
    happens here.

    A snapshot with a truthy `published_at` is readable by anyone: the
    function returns before `request.user` is inspected. For an unpublished
    snapshot the user must be signed in and hold "release_file_view" on the
    snapshot's project.

    Raises:
        NotAuthenticated: for anonymous users, and also for signed-in users
            who lack the permission.
    """
    # NOTE(review): a signed-in user without the permission gets
    # NotAuthenticated rather than PermissionDenied. Callers may rely on
    # that, so it is preserved here.
    if snapshot.published_at:
        return

    user = request.user
    if user.is_anonymous:
        raise NotAuthenticated("Invalid user or token")

    project = snapshot.workspace.project
    can_view = has_permission(user, "release_file_view", project=project)
    if not can_view:
        raise NotAuthenticated(
            f"Invalid user or token for snapshot pk={snapshot.pk}"
        )
def post(self, request, *args, **kwargs):
    """Create a Snapshot from the given list of files.

    Only the first part of the handler is visible here: workspace lookup,
    payload validation, the "snapshot_create" permission check and the
    check that every submitted file ID matches a ReleaseFile. The code
    that builds the Snapshot and the response is not shown.

    Raises (in the visible part):
        Http404: no Workspace has the name given in the URL.
        ValidationError: the payload fails the serializer.
        NotAuthenticated: the user lacks "snapshot_create" on the
            workspace's project.
        ParseError: one or more submitted file IDs match no ReleaseFile.
    """
    # NOTE(review): the workspace lookup and the payload validation both run
    # before the permission check, so a caller without "snapshot_create"
    # can tell an existing workspace (401) from a missing one (404) and
    # gets serializer errors back. Confirm that view-level authentication
    # or permission classes (not shown) run first, or authorise earlier.
    workspace = get_object_or_404(Workspace, name=self.kwargs["workspace_id"])
    serializer = self.serializer_class(data=request.data)
    serializer.is_valid(raise_exception=True)
    data = serializer.data
    # Authorisation is per project: the permission is checked against the
    # project that owns the workspace. NotAuthenticated is raised for
    # signed-in users without the permission as well as for anonymous ones.
    if not has_permission(
        request.user, "snapshot_create", project=workspace.project):
        raise NotAuthenticated
    file_ids = set(data["file_ids"])
    # NOTE(review): this lookup is by primary key only and is not limited to
    # `workspace` in the visible lines. Confirm the rest of the handler
    # rejects files that belong to another workspace or project; otherwise
    # a user could snapshot files outside the project they were
    # authorised for.
    files = ReleaseFile.objects.filter(pk__in=file_ids)
    # check all ReleaseFile IDs submitted are valid IDs
    # The unmatched IDs are echoed back in the error message; the join
    # assumes they are strings (verify against the serializer field).
    if missing := file_ids - set_from_qs(files):
        raise ParseError(f"Unknown file IDs: {', '.join(missing)}")
def post(self, request, *args, **kwargs):
    """Publish the snapshot named in the URL.

    The snapshot is looked up by workspace name and primary key, so a
    snapshot ID that belongs to a different workspace yields a 404. The
    caller must hold "snapshot_publish" on the snapshot's project.

    Publishing is idempotent: if `published_at` is already set, the original
    timestamp and publisher are kept and an empty response is returned.

    Raises:
        Http404: no such snapshot in that workspace.
        NotAuthenticated: the user lacks "snapshot_publish" (raised for
            signed-in users without the permission as well).
    """
    snapshot = get_object_or_404(
        Snapshot,
        workspace__name=self.kwargs["workspace_id"],
        pk=self.kwargs["snapshot_id"],
    )

    project = snapshot.workspace.project
    may_publish = has_permission(request.user, "snapshot_publish", project=project)
    if not may_publish:
        raise NotAuthenticated

    # Only the first publish records who and when; later calls must not
    # overwrite that audit information.
    # NOTE(review): nothing in this method locks the row between this check
    # and save(); confirm concurrent publish requests cannot overwrite the
    # first publisher's details.
    if not snapshot.published_at:
        snapshot.published_at = timezone.now()
        snapshot.published_by = request.user
        snapshot.save()

    return Response()
# Fragment: the enclosing function's signature is above the visible text.
# `request` and `workspace` come from it. The statements below are its body.

    # Token path: the Authorization header is read as "<username>:<token>",
    # split on the first ":". A header with no ":" gives an empty token,
    # which is still passed to has_valid_pat().
    if auth_header := request.headers.get("Authorization"):
        username, _, token = auth_header.partition(":")
        user = User.objects.filter(username=username).first()
        # NOTE(review): an unknown username raises NotAuthenticated, while a
        # known username with a bad token raises PermissionDenied. The
        # differing responses show a caller which usernames exist; raising
        # the same error in both cases would remove that signal.
        if user is None:
            raise NotAuthenticated("Invalid user")
        # NOTE(review): has_valid_pat() is not shown. Confirm that it
        # compares tokens in constant time and rejects expired tokens.
        if not user.has_valid_pat(token):
            raise PermissionDenied
        # NOTE(review): a valid token returns here without the
        # "release_file_view" check applied to session users below. Confirm
        # token holders are meant to reach every workspace, or that
        # per-project authorisation for them is enforced elsewhere.
        return
    # Session path: a signed-in user with "release_file_view" on the
    # workspace's project. NotAuthenticated is raised both for anonymous
    # users and for signed-in users without the permission.
    if request.user.is_anonymous:
        raise NotAuthenticated("Invalid user or token")
    if not has_permission(
        request.user, "release_file_view", project=workspace.project):
        raise NotAuthenticated(
            f"Invalid user or token for workspace {workspace.name}")
def validate_snapshot_access(request, snapshot):
    """
    Validate this request can access this snapshot.

    This validation uses Django's regular User auth. A published snapshot
    is accepted before the user is inspected. Only the first two checks
    of the function are visible in this fragment.
    """
    if snapshot.published_at:
        return
    if request.user.is_anonymous:
        raise NotAuthenticated("Invalid user or token")
def test_has_permission_unauthenticated():
    """has_permission must deny an AnonymousUser rather than raise or allow."""
    anonymous = AnonymousUser()
    granted = has_permission(anonymous, "perm1")
    assert not granted