def _check_can_read(document, user): """ Check that the user can read. Args: document: user: Returns: """ # workspace case if document.user_id != str(user.id): # workspace is set if hasattr(document, 'workspace') and document.workspace is not None: # get list of accessible workspaces accessible_workspaces = workspace_api.get_all_workspaces_with_read_access_by_user( user) # check that accessed document belongs to an accessible workspace if document.workspace not in accessible_workspaces: raise AccessControlError( "The user doesn't have enough rights to access this.") # workspace is not set else: raise AccessControlError( "The user doesn't have enough rights to access this.")
def _check_data_structure_elements_access(data_structure_element_list, user): """Check that the user is authorized to query or retrieve all DataStructureElement from the input list. Args: data_structure_element_list: user: Returns: """ for data_structure_element in data_structure_element_list: permission = ( data_structure_element.data_structure.document_type.get_permission() ) codename = permission.split(".")[1] # check if user can access this type of data structure element if user.is_anonymous: # Check in the anonymous_group if not Group.objects.filter( Q(name=rights.anonymous_group) & Q(permissions__codename=codename) ): raise AccessControlError( "User does not have the permission to access this data structure." ) elif not user.has_perm(permission): raise AccessControlError( "User does not have the permission to access this data structure." ) # check if user is the owner _check_data_structure_element_ownership(data_structure_element, user)
def can_write(func, *args, **kwargs): """Can write template. Args: func: args: kwargs: Returns: """ request = get_request_from_args(*args, **kwargs) # super user if request.user.is_superuser: return func(*args, **kwargs) # anonymous cannot write if request.user.is_anonymous: raise AccessControlError("Template VM: The user doesn't have enough rights.") template_version_manager = next( (arg for arg in args if isinstance(arg, TemplateVersionManager)), None ) # user is set if template_version_manager.user: if template_version_manager.user == str(request.user.id): return func(*args, **kwargs) # user is not set else: if request.user.is_staff: return func(*args, **kwargs) raise AccessControlError("Template VM: The user doesn't have enough rights.")
def can_read_list(func, list_id, request): """Can read list of version managers. Args: func: list_id: request: Returns: """ # super user if request.user.is_superuser: return func(list_id, request=request) document_list = func(list_id, request) for version_manager in document_list: # anonymous user if request.user.is_anonymous: if version_manager.user: raise AccessControlError( "Version Manager: The user doesn't have enough rights.") else: if not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT: raise AccessControlError( "Version Manager: The user doesn't have enough rights." ) # user is set if version_manager.user and version_manager.user != str( request.user.id): raise AccessControlError( "Version Manager: The user doesn't have enough rights.") return document_list
def can_write(func, *args, **kwargs): """Can user write Args: func: *args: **kwargs: Returns: """ user = next( (arg for arg in args if isinstance(arg, User) or isinstance(arg, AnonymousUser)), None, ) if user.is_anonymous or user is None: raise AccessControlError( "The user doesn't have enough rights to access this document.") if user.is_superuser: return func(*args, **kwargs) document = next( (arg for arg in args if isinstance(arg, CurateDataStructure)), None) if document.user != str(user.id): raise AccessControlError( "The user doesn't have enough rights to access this document.") return func(*args, **kwargs)
def can_read_persistent_query(func, *args, **kwargs): """Can user read Args: func: *args: **kwargs: Returns: """ user = next( (arg for arg in args if isinstance(arg, User) or isinstance(arg, AnonymousUser)), None, ) if user is None: raise AccessControlError( "The user doesn't have enough rights to read this query.") query = func(*args, **kwargs) # Anonymous can read when CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT if user.is_anonymous: # Allow read only for one query if CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT and isinstance( query, AbstractPersistentQuery): return query else: raise AccessControlError( "The user doesn't have enough rights to read this query.") # Superuser and user can always read queries return query
def can_read_version_manager(func, version_manager, version, request): """Can read global version managers. Args: func: version_manager: version: request: Returns: """ request = get_request_from_args(version_manager, version, request=request) if request.user.is_superuser: return func(version_manager, version, request=request) # anonymous user if request.user.is_anonymous: if version_manager.user: raise AccessControlError( "Version Manager: The user doesn't have enough rights.") else: if not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT: raise AccessControlError( "Version Manager: The user doesn't have enough rights.") # user is set if version_manager.user and version_manager.user != str(request.user.id): raise AccessControlError( "Version Manager: The user doesn't have enough rights.") return func(version_manager, version, request=request)
def check_can_write(document, user): """Check that the user can write. Args: document: user: Returns: """ # Raise error if anonymous user if user.is_anonymous: raise AccessControlError("Unable to write if not authenticated.") # TODO: data will inherit of workspace rights, which means a owner can't edit # or delete a data if data in wkp that doesn't give hin write rights if hasattr(document, "workspace") and document.workspace is not None: if workspace_api.is_workspace_public(document.workspace): has_perm_publish(user, rights.publish_data) else: _check_can_write_in_workspace(document.workspace, user) # not the owner and workspace is not set or None if document.user_id != str(user.id) and ( not hasattr(document, "workspace") or document.workspace is None ): raise AccessControlError("The user doesn't have enough rights.")
def can_read_list(func, *args, **kwargs): """Can read list of version managers. Args: func: Returns: """ request = get_request_from_args(*args, **kwargs) # super user if request and request.user.is_superuser: return func(*args, **kwargs) document_list = func(*args, **kwargs) for template in document_list: # anonymous user if not request or request.user.is_anonymous: if template.user: raise AccessControlError( "Template: The user doesn't have enough rights.") else: if not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT: raise AccessControlError( "Template: The user doesn't have enough rights.") # user is set if template.user and template.user != str(request.user.id): raise AccessControlError( "Template: The user doesn't have enough rights.") return document_list
def check_can_read_list(document_list, user): """Check that the user can read each document of the list. Args: document_list: user: Returns: """ if len(document_list) > 0: # get list of accessible workspaces accessible_workspaces = ( workspace_api.get_all_workspaces_with_read_access_by_user(user) ) # check access is correct for document in document_list: # user is document owner if document.user_id == str(user.id): continue # user is not owner or document not in accessible workspace if ( document.workspace is None or document.workspace not in accessible_workspaces ): raise AccessControlError("The user doesn't have enough rights.")
def can_user_set_workspace_public(func, workspace, user): """Check if the user is the owner of the workspace. Args: func: workspace: user: Returns: """ if user.is_superuser: return func(workspace, user) _check_is_owner_workspace(workspace, user) publish_perm = permissions_api.get_by_codename(rights.publish_data) if not user.has_perm( publish_perm.content_type.app_label + "." + publish_perm.codename ): raise AccessControlError( "You don't have enough rights to set public this workspace." ) return func(workspace, user)
def can_write_in_workspace(func, document, workspace, user, codename): """ Can user write in workspace. Args: func: document: workspace: user: codename: Returns: """ if user.is_superuser: return func(document, workspace, user) if workspace is not None: if workspace_api.is_workspace_public(workspace): has_perm_publish(user, codename) else: _check_can_write_in_workspace(workspace, user) check_can_write(document, user) # if we can not unpublish if CAN_SET_PUBLIC_DATA_TO_PRIVATE is False: # if document is in public workspace if document.workspace is not None and workspace_api.is_workspace_public( document.workspace): # if target workspace is private if workspace is None or workspace_api.is_workspace_public( workspace) is False: raise AccessControlError( "The document can not be unpublished.") return func(document, workspace, user)
def can_write_persistent_query(func, *args, **kwargs): """Can user read Args: func: *args: **kwargs: Returns: """ user = next( (arg for arg in args if isinstance(arg, User) or isinstance(arg, AnonymousUser)), None, ) if user is None: raise AccessControlError( "The user doesn't have enough rights to access this query.") # Superuser can create and update any query if user.is_superuser: return func(*args, **kwargs) query = next( (arg for arg in args if isinstance(arg, AbstractPersistentQuery)), None, ) # Anonymous can only create new query if user.is_anonymous: if query.id is None and CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT: return func(*args, **kwargs) else: raise AccessControlError( "The user doesn't have enough rights to access this query.") # Owner can create and update own queries if query.user_id == str(user.id): return func(*args, **kwargs) # Non-Owner raise AccessControlError( "The user doesn't have enough rights to access this query.")
def _check_anonymous_access(user): """Check anonymous access Args: user: Returns: """ if (user is None or user.is_anonymous) and not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT: raise AccessControlError( "The user doesn't have enough rights to access this document." )
def _check_data_structure_element_ownership(data_structure_element, user): """Check if the user is the owner Args: data_structure_element: user: Returns: """ if data_structure_element.user and data_structure_element.user != str(user.id): raise AccessControlError("User is not the owner of the object.")
def can_access(func, *args, **kwargs): """Can user access the query, only owner and superuser can update the query given as parameter Args: func: *args: **kwargs: Returns: """ # Get user from parameters user = next( (arg for arg in args if isinstance(arg, User) or isinstance(arg, AnonymousUser)), None, ) # No user, raise ACL error if user is None: raise AccessControlError( "The user doesn't have enough rights to access this query") # Superuser can access the query if user.is_superuser: return func(*args, **kwargs) # Get the query from parameters query = next((arg for arg in args if isinstance(arg, Query)), None) # Check owner of the query if query.user_id != str(user.id): raise AccessControlError( "The user doesn't have enough rights to access this query") # Anonymous user cannot create a query if cannot access data if (isinstance(user, AnonymousUser) and not query.id and not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT): raise AccessControlError( "The user doesn't have enough rights to create a query.") return func(*args, **kwargs)
def can_change_owner(func, document, new_user, user): """Can user change document's owner. Args: func: document: new_user: user: Returns: """ if user.is_anonymous: raise AccessControlError( "The user doesn't have enough rights to access this document.") if user.is_superuser: return func(document, new_user, user) if document.user == str(user.id): return func(document, new_user, user) raise AccessControlError( "The user doesn't have enough rights to access this document.")
def can_user_modify_template_version_manager(template_version_manager, user): """ Check that user can modify the template version manager. Args: template_version_manager: user: Returns: """ if user.is_superuser is False and user.is_staff is False: if template_version_manager.user != user.id: raise AccessControlError( "You don't have the permission to update this object.")
def _check_is_owner_workspace(workspace, user): """Check that user is the owner of the workspace. Args: workspace: user: Returns: """ if workspace.owner != str(user.id): raise AccessControlError( "The user does not have the permission. The user is not the owner of this workspace." )
def has_perm_publish(user, codename): """ Does the user have the permission to publish. Args: user codename Returns """ publish_perm = permissions_api.get_by_codename(codename) if not user.has_perm(publish_perm.content_type.app_label + '.' + publish_perm.codename): raise AccessControlError( "The user doesn't have enough rights to publish.")
def can_write_blob(func, blob, user): """Does the user has permission to write blob. Args: func: blob: user: Returns: """ if user.is_anonymous: raise AccessControlError("Unable to insert blob if not authenticated.") return func(blob, user)
def can_read(func, document_id, request): """Can read document. Args: func: document_id: request: Returns: """ request = get_request_from_args(document_id, request=request) # super user if request.user.is_superuser: return func(document_id, request=request) # get the document document = func(document_id, request=request) # anonymous user if request.user.is_anonymous: if document.user: raise AccessControlError( "Version Manager: The user doesn't have enough rights.") else: if not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT: raise AccessControlError( "Version Manager: The user doesn't have enough rights.") # user is set if document.user and document.user != str(request.user.id): raise AccessControlError( "Version Manager: The user doesn't have enough rights.") return document
def _check_can_write_data(request, accessed_object): """Check if the object can be accessed by the user in write mode. Args: request: accessed_object: Returns: """ try: # Super user can access everything if not request.user.is_superuser: check_can_write(accessed_object.data, request.user) except Exception as e: raise AccessControlError(str(e))
def _check_can_write_in_workspace(workspace, user): """ Check that user can write in the workspace. Args: workspace: user: Returns: """ accessible_workspaces = workspace_api.get_all_workspaces_with_write_access_by_user( user) if workspace not in accessible_workspaces: raise AccessControlError( "The user does not have the permission to write into this workspace." )
def can_read_global(func, *args, **kwargs): """Can read global version managers. Args: func: *args: **kwargs: Returns: """ request = get_request_from_args(*args, **kwargs) if request.user.is_anonymous: if not CAN_ANONYMOUS_ACCESS_PUBLIC_DOCUMENT: raise AccessControlError( "Version Manager: The user doesn't have enough rights.") return func(*args, **kwargs)
def _check_can_read(document_list, user): """Can read from list id. Args: document_list: user: Returns: """ # check access is correct for document in document_list: # user is document owner if document.user == str(user.id): continue # user is not owner or document raise AccessControlError("The user doesn't have enough rights.")
def _check_owner(request, accessed_object): """Check if the object can be accessed by the user. Args: request: accessed_object: Returns: """ # Super user can access everything if not request.user.is_superuser: # If not the owner of the accessed object if str(request.user.id) != accessed_object.user: raise AccessControlError("You are not the owner of the " + get_form_label() + " that you are trying to access")
def can_change_owner(func, data, new_user, user): """ Can user change data's owner. Args: func: data: new_user: user: Returns: """ if user.is_superuser: return func(data, new_user, user) if data.user_id != str(user.id): raise AccessControlError("The user doesn't have enough rights to access this " + get_data_label() + ".") return func(data, new_user, user)
def has_perm_administration(func, *args, **kwargs): """ Is the given user has administration rights. Args: func: *args: **kwargs: Returns: """ try: if args[0].is_superuser: return func(*args, **kwargs) except Exception as e: logger.warning("has_perm_administration threw an exception: ".format( str(e))) raise AccessControlError("The user doesn't have enough rights.")
def is_superuser(func, *args, **kwargs): """Is the user a superuser. Args: func: *args: **kwargs: Returns: """ try: request = kwargs["request"] if request and request.user.is_superuser: return func(*args, **kwargs) except Exception as e: logger.warning("has_perm_administration threw an exception: ".format(str(e))) raise AccessControlError("The user doesn't have enough rights.")