def check_for_permission(self): # TODO: Works but not beautiful, needs review! """ Checks if current user (or role) has the required permission for current workflow step. Raises: HTTPError: if user doesn't have required permissions. """ if self.current.task: lane = self.current.lane_id permission = "%s.%s.%s" % (self.current.workflow_name, lane, self.current.task_name) else: permission = self.current.workflow_name log.debug("CHECK PERM: %s" % permission) if (self.current.task_type not in PERM_REQ_TASK_TYPES or permission.startswith(tuple(settings.ANONYMOUS_WORKFLOWS)) or (self.current.is_auth and permission.startswith(tuple(settings.COMMON_WORKFLOWS)))): return # FIXME:needs hardening log.debug("REQUIRE PERM: %s" % permission) if not self.current.has_permission(permission): raise HTTPError( 403, "You don't have required permission: %s" % permission)
def save_catalog(self): """ Saves the catalog data to given key Cancels if the cmd is cancel Notifies user with the process. """ if self.input["cmd"] == 'save_catalog': try: edited_object = dict() for i in self.input["form"]["CatalogDatas"]: edited_object[i["catalog_key"]] = { "en": i["en"], "tr": i["tr"] } newobj = fixture_bucket.get(self.input["object_key"]) newobj.data = edited_object newobj.store() # notify user by passing notify in output object self.output[ "notify"] = "catalog: %s successfully updated." % self.input[ "object_key"] except: raise HTTPError(500, "Form object could not be saved") if self.input["cmd"] == 'cancel': self.output[ "notify"] = "catalog: %s canceled." % self.input["object_key"]
def edit_message(current): """ Edit a message a user own. .. code-block:: python # request: { 'view':'_zops_edit_message', 'message': { 'body': string, # message text 'key': key } } # response: { 'status': string, # 'OK' for success 'code': int, # 200 for success } """ current.output = {'status': 'OK', 'code': 200} in_msg = current.input['message'] try: msg = Message(current).objects.get(sender_id=current.user_id, key=in_msg['key']) msg.body = in_msg['body'] msg.save() except ObjectDoesNotExist: raise HTTPError(404, "")
def remove_from_favorites(current): """ Remove a message from favorites .. code-block:: python # request: { 'view':'_zops_remove_from_favorites, 'key': key, } # response: { 'status': 'OK', 'code': 200 } """ try: current.output = {'status': 'OK', 'code': 200} Favorite(current).objects.get(user_id=current.user_id, key=current.input['key']).delete() except ObjectDoesNotExist: raise HTTPError(404, "")
def delete_message(current): """ Delete a message .. code-block:: python # request: { 'view':'_zops_delete_message, 'message_key': key, } # response: { 'key': key, 'status': 'OK', 'code': 200 } """ try: Message(current).objects.get(sender_id=current.user_id, key=current.input['key']).delete() current.output = {'status': 'Deleted', 'code': 200, 'key': current.input['key']} except ObjectDoesNotExist: raise HTTPError(404, "")
def pin_channel(current): """ Pin a channel to top of channel list .. code-block:: python # request: { 'view':'_zops_pin_channel, 'channel_key': key, } # response: { 'status': 'OK', 'code': 200 } """ try: Subscriber(current).objects.filter(user_id=current.user_id, channel_id=current.input['channel_key']).update( pinned=True) current.output = {'status': 'OK', 'code': 200} except ObjectDoesNotExist: raise HTTPError(404, "")
def __init__(self, output): self.content = output try: self.json = output print(self.json) except: log.exception('ERROR at RWrapper JSON load') self.json = {} self.code = self.json.get('code', None) self.token = self.json.get('token') self.form_data = self.json['forms'][ 'model'] if 'forms' in self.json else {} if 'object_key' in self.form_data: self.object_key = self.form_data['object_key'] else: self.object_key = self.json.get('object_id', None) if self.code and int(self.code) >= 400: self.raw() raise HTTPError(self.code, (self.json.get('title', '') + self.json.get('description', '') + self.json.get('error', '')))
def check_for_authentication(self): """ Checks current workflow against :py:data:`~zengine.settings.ANONYMOUS_WORKFLOWS` list. Raises: HTTPUnauthorized: if WF needs an authenticated user and current user isn't. """ auth_required = self.current.workflow_name not in settings.ANONYMOUS_WORKFLOWS if auth_required and not self.current.is_auth: self.current.log.debug("LOGIN REQUIRED:::: %s" % self.current.workflow_name) raise HTTPError( 401, "Login required for %s" % self.current.workflow_name)
def check_for_lane_permission(self): """ One or more permissions can be associated with a lane of a workflow. In a similar way, a lane can be restricted with relation to other lanes of the workflow. This method called on lane changes and checks user has required permissions and relations. Raises: HTTPForbidden: if the current user hasn't got the required permissions and proper relations """ # TODO: Cache lane_data in app memory if self.current.lane_permission: log.debug("HAS LANE PERM: %s" % self.current.lane_permission) perm = self.current.lane_permission if not self.current.has_permission(perm): raise HTTPError( 403, "You don't have required lane permission: %s" % perm) if self.current.lane_relations: context = self.get_pool_context() log.debug("HAS LANE RELS: %s" % self.current.lane_relations) try: cond_result = eval(self.current.lane_relations, context) except: log.exception("CONDITION EVAL ERROR : %s || %s" % (self.current.lane_relations, context)) raise if not cond_result: log.debug("LANE RELATION ERR: %s %s" % (self.current.lane_relations, context)) raise HTTPError( 403, "You aren't qualified for this lane: %s" % self.current.lane_relations)
def create_initial_object(self): """ Creates an instance of default (or selected) model. If an existing objects key found in ``current.input['object_id']`` or ``current.task_data['object_id']`` or ``current.input['form']['object_key']`` then it will be retrieved from DB and assigned to ``self.object``. """ self.model_class = self.get_model_class() if self.model_class: object_id = self.current.task_data.get('object_id') if not object_id and 'form' in self.input: object_id = self.input['form'].get('object_key', None) if object_id: form_model_type = self.input['form'].get( 'model_type', None) if form_model_type != self.model_class.__name__: object_id = None if object_id: try: self.object = self.model_class( self.current).objects.get(object_id) except ObjectDoesNotExist: raise HTTPError( 404, "Possibly you are trying to retrieve a just deleted " "object or object key (%s) does not belong to current model:" " %s" % (object_id, self.model_class.__name__)) except: raise # elif 'added_obj' in self.current.task_data: # self.object = self.model_class(self.current).objects.get( # self.current.task_data['added_obj']) else: self.object = self.model_class(self.current) else: self.object = type('FakeModel', (Model, ), {})()
def check_for_permission(self): """ Checks permissions of auto-generated CRUD views. Required permissions calculated according to ``ModelName . self.cmd`` scheme. """ permission = "%s.%s" % (self.object.__class__.__name__, self.cmd) log.debug("CHECK CRUD PERM: %s" % permission) if (self.current.task_type not in PERM_REQ_TASK_TYPES or permission in settings.ANONYMOUS_WORKFLOWS): return if not self.current.has_permission(permission): raise HTTPError( 403, "You don't have required CRUD permission: %s" % permission)