def has_object_permission(self, request, view, obj):
    """Allow reads of public or viewable resources; require ADMIN for writes.

    Returns the result of ``obj.is_public or obj.can_view(auth)`` for methods
    in ``permissions.SAFE_METHODS`` and the result of the ADMIN permission
    check for every other method.
    """
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    if request.method not in permissions.SAFE_METHODS:
        # Every unsafe method is gated on the ADMIN permission.
        return obj.has_permission(auth.user, osf_permissions.ADMIN)
    return obj.is_public or obj.can_view(auth)
def has_object_permission(self, request, view, obj):
    """Apply the parent permission check to the identifier's Preprint referent.

    Identifiers whose referent is not a ``Preprint`` are not restricted by
    this class and always pass.
    """
    assert_resource_type(obj, self.acceptable_models)
    target = obj.referent
    if isinstance(target, Preprint):
        # The parent class is evaluated against the preprint, not the identifier.
        return super(PreprintIdentifierDetailPermissions, self).has_object_permission(request, view, target)
    return True
def has_object_permission(self, request, view, obj):
    """Pass only users holding 'view_institutional_metrics' on ``obj``.

    The HTTP method is not consulted: the same permission gates every method.
    """
    requester = request.user
    assert_resource_type(obj, self.acceptable_models)
    if not requester:
        return False
    # Normalise the has_perm() result to a strict True/False.
    return True if requester.has_perm('view_institutional_metrics', obj) else False
def has_object_permission(self, request, view, obj):
    """Pass prereg admins (except on DELETE) and ADMINs of the resource.

    For a ``DraftRegistration`` the ADMIN check runs against the object it
    was branched from rather than the draft itself.
    """
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    # The prereg-admin shortcut deliberately excludes DELETE, which always
    # falls through to the ADMIN check below.
    if request.method != 'DELETE' and is_prereg_admin(auth.user):
        return True
    target = obj.branched_from if isinstance(obj, DraftRegistration) else obj
    return target.has_permission(auth.user, osf_permissions.ADMIN)
def has_object_permission(self, request, view, obj):
    """Let anyone read; require a user with MANAGE permission to write.

    For unsafe methods the return value is the falsy ``auth.user`` when no
    user is attached to the request, otherwise the MANAGE check result.
    """
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    if request.method not in permissions.SAFE_METHODS:
        # Short-circuits on a missing user before has_permission is called.
        return auth.user and obj.has_permission(auth.user, MANAGE)
    return True
def has_object_permission(self, request, view, obj):
    """Check file access on the preprint resolved from the URL kwargs.

    The ``obj`` argument is not used: the preprint is loaded through
    ``self.load_resource`` and every check runs against that resource.
    """
    url_kwargs = request.parser_context['kwargs']
    preprint = self.load_resource(url_kwargs, view)
    assert_resource_type(preprint, self.acceptable_models)
    withdrawn_read = preprint.is_retracted and request.method in permissions.SAFE_METHODS
    if not withdrawn_read:
        return super(PreprintFilesPermissions, self).has_object_permission(request, view, preprint)
    # Reads on a retracted preprint are decided by can_view_files alone.
    return preprint.can_view_files(get_user_auth(request))
def has_object_permission(self, request, view, obj):
    """Require ADMIN permission to read and admin-contributor status to write.

    A ``DraftRegistration`` is checked through the object it was branched from.
    """
    assert_resource_type(obj, self.acceptable_models)
    node = obj.branched_from if isinstance(obj, DraftRegistration) else obj
    auth = get_user_auth(request)
    if request.method in permissions.SAFE_METHODS:
        return node.has_permission(auth.user, osf_permissions.ADMIN)
    # Unsafe methods use is_admin_contributor instead of the ADMIN permission check.
    return node.is_admin_contributor(auth.user)
def has_object_permission(self, request, view, obj):
    """
    Deleting a node requires admin perms; every other method passes this check.
    """
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    if request.method != 'DELETE':
        # This class only gates DELETE; other methods are not restricted here.
        return True
    return obj.has_permission(auth.user, osf_permissions.ADMIN)
def has_object_permission(self, request, view, obj):
    """
    Changes require the user to be an admin contributor.
    Admin group membership is not sufficient.

    Reads pass when the resource is public or the requester can view it.
    """
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    if request.method not in permissions.SAFE_METHODS:
        return obj.is_admin_contributor(auth.user)
    return obj.is_public or obj.can_view(auth)
def has_object_permission(self, request, view, obj):
    """Make registrations read-only; other resources pass this check.

    When ``obj`` is not an ``AbstractNode`` the node is loaded from the URL
    kwarg named by ``view.node_lookup_url_kwarg`` and checked instead.
    """
    # A preprint can never be a registration, so there is nothing to restrict.
    if isinstance(obj, Preprint):
        return True
    if not isinstance(obj, AbstractNode):
        node_id = request.parser_context['kwargs'][view.node_lookup_url_kwarg]
        obj = AbstractNode.load(node_id)
    assert_resource_type(obj, self.acceptable_models)
    if not obj.is_registration:
        return True
    # Registrations only accept safe methods.
    return request.method in permissions.SAFE_METHODS
def has_object_permission(self, request, view, obj):
    """Check access to ``obj`` in the context of the node from the URL kwargs.

    Reads follow the node's visibility. DELETE passes for node admins or for
    users with 'manage' permission on ``obj``. All other methods require the
    ADMIN permission on the node.
    """
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    node = self.load_resource(request.parser_context['kwargs'], view)
    if request.method in permissions.SAFE_METHODS:
        return node.is_public or node.can_view(auth)
    is_node_admin = node.has_permission(auth.user, osf_permissions.ADMIN)
    if request.method == 'DELETE':
        # Removing an OSF group from a node is open to node admins and to
        # managers of the OSF group itself.
        return is_node_admin or obj.has_permission(auth.user, 'manage')
    return is_node_admin
def has_object_permission(self, request, view, obj):
    """Require contributor status to read and admin-contributor status to write.

    A dict ``obj`` is unwrapped through its 'self' key first. Requests with
    no user attached are always denied.
    """
    if isinstance(obj, dict):
        obj = obj.get('self', None)
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    if not auth.user:
        return False
    if request.method not in permissions.SAFE_METHODS:
        return obj.is_admin_contributor(auth.user)
    return obj.is_contributor(auth.user)
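def has_object_permission(self, request, view, obj):
    """Check access to a contributor of the node named in the URL kwargs.

    Reads follow the node's visibility. DELETE passes for node admins and
    for an authenticated user removing themselves. Every other method
    requires the ADMIN permission on the node.
    """
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    context = request.parser_context['kwargs']
    node = self.load_resource(context, view)
    user = OSFUser.load(context['user_id'])
    if request.method in permissions.SAFE_METHODS:
        return node.is_public or node.can_view(auth)
    elif request.method == 'DELETE':
        # The self-removal shortcut must only match a real, authenticated
        # user. Without the explicit None guard, a request with no user
        # attached would compare equal to an unresolved ``user_id`` and pass.
        # NOTE(review): assumes OSFUser.load can yield None for an unknown
        # id - confirm against the model.
        is_self_removal = auth.user is not None and auth.user == user
        return node.has_permission(auth.user, osf_permissions.ADMIN) or is_self_removal
    else:
        return node.has_permission(auth.user, osf_permissions.ADMIN)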
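def has_object_permission(self, request, view, obj):
    """Check access to a contributor of the preprint named in the URL kwargs.

    Reads are delegated to the parent permission class, evaluated against
    the preprint. DELETE passes for preprint admins and for an authenticated
    user removing themselves. Every other method requires the ADMIN
    permission on the preprint.
    """
    assert_resource_type(obj, self.acceptable_models)
    context = request.parser_context['kwargs']
    preprint = self.load_resource(context, view)
    auth = get_user_auth(request)
    user = OSFUser.load(context['user_id'])
    if request.method in permissions.SAFE_METHODS:
        return super(ContributorDetailPermissions, self).has_object_permission(request, view, preprint)
    elif request.method == 'DELETE':
        # The self-removal shortcut must only match a real, authenticated
        # user. Without the explicit None guard, a request with no user
        # attached would compare equal to an unresolved ``user_id`` and pass.
        # NOTE(review): assumes OSFUser.load can yield None for an unknown
        # id - confirm against the model.
        is_self_removal = auth.user is not None and auth.user == user
        return preprint.has_permission(auth.user, osf_permissions.ADMIN) or is_self_removal
    else:
        return preprint.has_permission(auth.user, osf_permissions.ADMIN)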
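def has_object_permission(self, request, view, obj):
    """Let anyone read group membership; restrict changes to managers.

    When ``obj`` is not an ``OSFGroup`` the group is loaded from the
    'group_id' URL kwarg. Unsafe methods are denied outright when no user is
    attached to the request. DELETE additionally passes for a user removing
    themselves from the group.
    """
    if not isinstance(obj, OSFGroup):
        obj = OSFGroup.load(request.parser_context['kwargs']['group_id'])
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    if request.method in permissions.SAFE_METHODS:
        return True
    if not auth.user:
        # Fail closed for every unsafe method. The DELETE branch previously
        # lacked this guard, so a request with no user could match an
        # unresolved 'user_id' through the self-removal comparison.
        return False
    if request.method == 'DELETE':
        user = OSFUser.load(request.parser_context['kwargs']['user_id'])
        # You must have manage permissions on the OSFGroup to remove a member,
        # unless you are removing yourself
        return obj.has_permission(auth.user, MANAGE) or auth.user == user
    return obj.has_permission(auth.user, MANAGE)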
def has_object_permission(self, request, view, obj):
    """Check access to a node link using its parent node and the linked node.

    Reads pass when the linked node is public, or when the requester can view
    both the parent and the linked node. Writes require edit rights on the
    parent node only.
    """
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    url_kwargs = request.parser_context['kwargs']
    parent_node = AbstractNode.load(url_kwargs['node_id'])
    # NOTE(review): .child is read without a None check on the loaded
    # NodeRelation - confirm the view rejects unknown node_link_id values first.
    pointer_node = NodeRelation.load(url_kwargs['node_link_id']).child
    if request.method not in permissions.SAFE_METHODS:
        return parent_node.can_edit(auth)
    can_view_parent = parent_node.can_view(auth)
    can_view_pointer = pointer_node.can_view(auth)
    pointer_is_public = pointer_node.is_public
    return pointer_is_public or (can_view_parent and can_view_pointer)
def has_object_permission(self, request, view, obj):
    """Allow reads of public or viewable resources; require edit rights to write.

    Addon settings, storage providers and dict wrappers are first resolved to
    the resource they belong to, and the check runs against that resource.
    """
    # Imported at call time rather than module level
    # (presumably to avoid a circular import - confirm).
    from api.nodes.views import NodeStorageProvider

    if isinstance(obj, BaseAddonSettings):
        obj = obj.owner
    if isinstance(obj, NodeStorageProvider):
        obj = obj.node
    if isinstance(obj, dict):
        obj = obj.get('self', None)
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    if request.method not in permissions.SAFE_METHODS:
        return obj.can_edit(auth)
    return obj.is_public or obj.can_view(auth)
def has_object_permission(self, request, view, obj):
    """Require contributor status to read and edit rights to write.

    A dict ``obj`` is unwrapped through its 'self' key. A
    ``DraftRegistration`` branched from a ``Node`` is checked through that
    node.
    """
    if isinstance(obj, dict):
        obj = obj.get('self', None)
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    # NOTE(review): this tests the auth object itself, not auth.user -
    # confirm that a request with no user really yields a falsy auth object,
    # otherwise this guard never fires.
    if not auth:
        return False
    if isinstance(obj, DraftRegistration) and isinstance(obj.branched_from, Node):
        obj = obj.branched_from
    if request.method not in permissions.SAFE_METHODS:
        return obj.can_edit(auth)
    return obj.is_contributor(auth.user)
def has_object_permission(self, request, view, obj):
    """Gate access to withdrawn (retracted) preprints.

    Preprints that are not retracted pass, as do retracted preprints that
    were ever public. Otherwise only users holding 'view_submissions' on the
    provider may read. Everyone else gets ``NotFound``.

    Raises:
        exceptions.NotFound: no user, or the user lacks 'view_submissions'.
        exceptions.PermissionDenied: a permitted user sends an unsafe method.
    """
    assert_resource_type(obj, self.acceptable_models)
    if not obj.is_retracted:
        return True
    if obj.is_retracted and obj.ever_public:
        # Tombstone page should be public.
        # NOTE(review): this passes for every HTTP method, so blocking writes
        # to such preprints is left to other permission classes - confirm.
        return True
    auth = get_user_auth(request)
    if auth.user is None:
        raise exceptions.NotFound
    if not auth.user.has_perm('view_submissions', obj.provider):
        # Answering NotFound rather than PermissionDenied here
        # (presumably so the preprint's existence is not disclosed - confirm).
        raise exceptions.NotFound
    if request.method not in permissions.SAFE_METHODS:
        # Withdrawn preprints should not be editable
        raise exceptions.PermissionDenied(detail='Withdrawn preprints may not be edited')
    return True
def has_object_permission(self, request, view, obj):
    """Decide read and write access to a preprint.

    An ``OsfStorageFolder`` is resolved to its target first. Requests with no
    user may only read preprints that are ``verified_publishable``. Writes
    require the ADMIN permission.

    Raises:
        exceptions.PermissionDenied: an unsafe method from a non-admin.
    """
    if isinstance(obj, OsfStorageFolder):
        obj = obj.target
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    if request.method not in permissions.SAFE_METHODS:
        if obj.has_permission(auth.user, osf_permissions.ADMIN):
            return True
        raise exceptions.PermissionDenied(detail='User must be an admin to make these preprint edits.')
    if auth.user is None:
        return obj.verified_publishable
    # A user attached to the request may read when any one of these holds:
    # the preprint is publishable, it is public and the user can view the
    # provider's submissions, the user is an admin, or the user is a
    # contributor and the preprint has left its initial machine state.
    return (
        obj.verified_publishable or
        (obj.is_public and auth.user.has_perm('view_submissions', obj.provider)) or
        obj.has_permission(auth.user, osf_permissions.ADMIN) or
        (obj.is_contributor(auth.user) and obj.machine_state != DefaultStates.INITIAL.value)
    )
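def has_object_permission(self, request, view, obj):
    """Decide access to a collection submission.

    A dict ``obj`` is unwrapped through its 'self' key. Reads pass for public
    collections or users with 'read_collection'. PUT/PATCH require WRITE on
    the referent or 'write_collection'. DELETE requires ADMIN on the referent
    or 'admin_collection'. Any other method, and any unsafe method with no
    user attached, is denied.
    """
    if isinstance(obj, dict):
        obj = obj.get('self', None)
    assert_resource_type(obj, self.acceptable_models)
    collection = obj.collection
    auth = get_user_auth(request)
    if request.method in permissions.SAFE_METHODS:
        return collection.is_public or (
            auth.user and auth.user.has_perm('read_collection', collection)
        )
    if not auth.user:
        # Fail closed before the write branches. They call
        # auth.user.has_perm() unguarded, which would raise AttributeError
        # for a request with no user instead of denying it.
        return False
    if request.method in ['PUT', 'PATCH']:
        return obj.guid.referent.has_permission(
            auth.user, WRITE) or auth.user.has_perm(
            'write_collection', collection)
    elif request.method == 'DELETE':
        # Restricted to collection and project admins.
        return obj.guid.referent.has_permission(
            auth.user, ADMIN) or auth.user.has_perm(
            'admin_collection', collection)
    return False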
def has_object_permission(self, request, view, obj):
    """Allow reads of public or viewable resources; require edit rights to write.

    Addon settings, storage providers, dict wrappers and node-backed draft
    registrations are first resolved to the underlying resource. Members of a
    registration provider's 'moderator' group pass for every HTTP method.
    """
    # Imported at call time rather than module level
    # (presumably to avoid a circular import - confirm).
    from api.nodes.views import NodeStorageProvider

    if isinstance(obj, BaseAddonSettings):
        obj = obj.owner
    if isinstance(obj, NodeStorageProvider):
        obj = obj.node
    if isinstance(obj, dict):
        obj = obj.get('self', None)
    assert_resource_type(obj, self.acceptable_models)
    auth = get_user_auth(request)
    if isinstance(obj, DraftRegistration) and isinstance(obj.branched_from, Node):
        obj = obj.branched_from
    if isinstance(obj, Registration) and obj.provider:
        # The moderator shortcut is keyed on request.user and is not limited
        # to safe methods.
        moderators = obj.provider.get_group('moderator').user_set
        if moderators.filter(id=request.user.id).exists():
            return True
    if request.method not in permissions.SAFE_METHODS:
        return obj.can_edit(auth)
    return obj.is_public or obj.can_view(auth)
def has_object_permission(self, request, view, obj):
    """Pass only when the resource is public.

    Neither the requester nor the HTTP method is consulted.
    """
    assert_resource_type(obj, self.acceptable_models)
    visible_to_all = obj.is_public
    return visible_to_all
def has_object_permission(self, request, view, obj):
    """Require the ADMIN permission for every method.

    For a ``PrivateLink`` the check runs against the node returned by
    ``view.get_node()`` rather than the link itself.
    """
    assert_resource_type(obj, self.acceptable_models)
    target = view.get_node() if isinstance(obj, PrivateLink) else obj
    auth = get_user_auth(request)
    return target.has_permission(auth.user, osf_permissions.ADMIN)
def has_object_permission(self, request, view, obj):
    """Let every read through; allow unsafe methods only on public resources."""
    assert_resource_type(obj, self.acceptable_models)
    if request.method in permissions.SAFE_METHODS:
        return True
    # Unsafe methods depend solely on the resource being public. The
    # requester is not consulted by this class.
    return obj.is_public
def has_object_permission(self, request, view, obj):
    """Pass when the resource is public or the requester can view it.

    The same rule applies to every HTTP method.
    """
    assert_resource_type(obj, self.acceptable_models)
    requester_auth = get_user_auth(request)
    if obj.is_public:
        return obj.is_public
    return obj.can_view(requester_auth)
def has_object_permission(self, request, view, obj):
    """Require the 'admin' permission on the resource for every HTTP method."""
    assert_resource_type(obj, self.acceptable_models)
    requester = get_user_auth(request).user
    return obj.has_permission(requester, 'admin')
def has_object_permission(self, request, view, obj):
    """Apply the parent permission check to a draft registration.

    A ``DraftNode`` is replaced by the first entry of its
    ``registered_draft`` relation before the type check and delegation.
    """
    draft = obj.registered_draft.first() if isinstance(obj, DraftNode) else obj
    assert_resource_type(draft, self.acceptable_models)
    return super(ContributorOnDraftRegistration, self).has_object_permission(request, view, draft)