def _check_can_read_data(data, user):
    """Check that the user can read a data.

    Access is granted when the user owns the data, or when the data sits in
    a workspace the user has read access to. Everything else is denied,
    including non-owned data that has no workspace at all.

    Args:
        data: object exposing ``user_id`` and, optionally, ``workspace``.
        user: requesting user; ``str(user.id)`` is compared with ``data.user_id``.

    Returns:
        None. The function only signals failure, by raising.

    Raises:
        AccessControlError: the user is neither the owner nor a reader of
            the data's workspace.
    """
    # Owner short-circuit: no workspace lookup is needed for one's own data.
    if data.user_id == str(user.id):
        return

    # A missing attribute and an explicit None are treated the same way.
    workspace = getattr(data, 'workspace', None)
    if workspace is not None:
        readable_workspaces = workspace_api.get_all_workspaces_with_read_access_by_user(
            user)
        if workspace in readable_workspaces:
            return

    # Fail closed: not the owner, and no readable workspace vouches for the data.
    raise AccessControlError(
        "The user doesn't have enough rights to access this " + get_data_label() + ".")
def can_write_data_workspace(func, data, workspace, user):
    """Run ``func`` only if the user may assign ``data`` to ``workspace``.

    Superusers skip every check. For any other user the target workspace is
    checked first (publish permission when it is public, write access
    otherwise), then write access to the data itself, then the rule that
    forbids un-publishing when ``CAN_SET_PUBLIC_DATA_TO_PRIVATE`` is False.

    Args:
        func: callable invoked as ``func(data, workspace, user)`` once all
            checks have passed.
        data: data being moved; ``data.workspace`` is its current workspace.
        workspace: target workspace. None skips the target checks and is
            treated as a private target by the un-publish rule.
        user: requesting user.

    Returns:
        Whatever ``func`` returns.

    Raises:
        AccessControlError: public data would be made private while that is
            disabled. The permission helpers called here signal their own
            denials as well (presumably with the same exception type).
    """
    if not user.is_superuser:
        # Step 1: rights on the target workspace, if there is one.
        if workspace is not None:
            target_check = (
                has_perm_publish_data
                if workspace_api.is_workspace_public(workspace)
                else None
            )
            if target_check is not None:
                target_check(user)
            else:
                _check_can_write_workspace(workspace, user)

        # Step 2: rights on the data itself.
        check_can_write_data(data, user)

        # Step 3: when un-publishing is disabled, public data must stay public.
        if CAN_SET_PUBLIC_DATA_TO_PRIVATE is False:
            currently_public = (
                data.workspace is not None
                and workspace_api.is_workspace_public(data.workspace)
            )
            if currently_public:
                target_is_private = (
                    workspace is None
                    or workspace_api.is_workspace_public(workspace) is False
                )
                if target_is_private:
                    raise AccessControlError("The data can not be unpublished.")

    return func(data, workspace, user)
def has_perm_publish_data(user):
    """Check that the user holds the permission to publish a data.

    The permission is looked up by the ``rights.publish_data`` codename and
    tested as ``<app_label>.<codename>`` through ``user.has_perm``.

    Args:
        user: requesting user; must expose ``has_perm``.

    Returns:
        None. The function only signals failure, by raising.

    Raises:
        AccessControlError: the user lacks the publish permission.
    """
    permission = permissions_api.get_by_codename(rights.publish_data)
    # Build the "app_label.codename" string that has_perm expects.
    qualified_name = '.'.join((permission.content_type.app_label, permission.codename))
    if user.has_perm(qualified_name):
        return
    raise AccessControlError("The user doesn't have enough rights to publish this data.")
def _check_is_owner_workspace(workspace, user):
    """Check that the user is the owner of the workspace.

    Args:
        workspace: object whose ``owner`` is compared with ``str(user.id)``.
        user: requesting user.

    Returns:
        None. The function only signals failure, by raising.

    Raises:
        AccessControlError: ``workspace.owner`` differs from ``str(user.id)``.
    """
    requester_id = str(user.id)
    if workspace.owner == requester_id:
        return
    raise AccessControlError(
        "The user does not have the permission. The user is not the owner of this workspace.")
def _check_can_write_workspace(workspace, user):
    """Check that the user can write in the workspace.

    Args:
        workspace: workspace the user wants to write into.
        user: requesting user.

    Returns:
        None. The function only signals failure, by raising.

    Raises:
        AccessControlError: the workspace is not among those returned by
            ``get_all_workspaces_with_write_access_by_user`` for this user.
    """
    writable_workspaces = workspace_api.get_all_workspaces_with_write_access_by_user(user)
    if workspace in writable_workspaces:
        return
    raise AccessControlError("The user does not have the permission to write into this workspace.")
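def can_user_modify_template_version_manager(template_version_manager, user):
    """Check that the user can modify the template version manager.

    Superusers and staff always pass. Any other user must be the recorded
    owner, and ownership requires an actual id on both sides.

    Args:
        template_version_manager: object whose ``user`` attribute holds the
            owner's id.
        user: requesting user; ``is_superuser``, ``is_staff`` and ``id`` are read.

    Returns:
        None. The function only signals failure, by raising.

    Raises:
        AccessControlError: the user is neither superuser, staff, nor the
            owner of the object.
    """
    if user.is_superuser is not False or user.is_staff is not False:
        return

    owner_id = template_version_manager.user
    # Fail closed on missing ids: with a bare `!=`, an owner-less object
    # (user is None) compared with an id-less user (id is None) would be
    # treated as a match and the modification would be allowed.
    if owner_id is None or user.id is None:
        raise AccessControlError(
            "You don't have the permission to update this object.")

    # NOTE(review): the other ownership checks in this module compare against
    # str(user.id); confirm the stored type of template_version_manager.user,
    # otherwise a str/int mismatch denies the legitimate owner.
    if owner_id != user.id:
        raise AccessControlError(
            "You don't have the permission to update this object.")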
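def has_perm_administration(func, *args, **kwargs):
    """Run ``func`` only if the given user has administration rights.

    The first positional argument is treated as the user and must have a
    truthy ``is_superuser``. A missing first argument, or one without that
    attribute, counts as "not an administrator".

    Only the rights lookup is guarded. Exceptions raised by ``func`` itself
    propagate unchanged: wrapping the call in a blanket ``except`` would
    report every internal failure as an access denial, which hides real
    errors and pollutes authorization-failure logs.

    Args:
        func: callable invoked as ``func(*args, **kwargs)`` for administrators.
        *args: positional arguments for ``func``; ``args[0]`` is the user.
        **kwargs: keyword arguments forwarded to ``func``.

    Returns:
        Whatever ``func`` returns.

    Raises:
        AccessControlError: the first positional argument is absent or is
            not a superuser.
    """
    try:
        is_administrator = bool(args[0].is_superuser)
    except (IndexError, AttributeError):
        # No user supplied, or the object is not user-like: deny.
        is_administrator = False

    if is_administrator:
        return func(*args, **kwargs)

    raise AccessControlError("The user doesn't have enough rights to access this data.")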
def can_change_owner(func, data, new_user, user):
    """Run ``func`` only if the user may change the owner of ``data``.

    Superusers always pass; any other user must be the current owner.

    Args:
        func: callable invoked as ``func(data, new_user, user)`` once the
            check has passed.
        data: object whose ``user_id`` identifies the current owner.
        new_user: forwarded to ``func`` untouched; not inspected here.
        user: requesting user.

    Returns:
        Whatever ``func`` returns.

    Raises:
        AccessControlError: the user is not a superuser and
            ``data.user_id`` differs from ``str(user.id)``.
    """
    # NOTE(review): new_user is not validated in this function; presumably
    # func or its caller does that.
    if not user.is_superuser and data.user_id != str(user.id):
        raise AccessControlError("The user doesn't have enough rights to access this data.")
    return func(data, new_user, user)
def validate_id(self, id):
    """Validate the id field.

    The blob is fetched by id, then the requesting user (taken from
    ``self.context['request']``) must be a superuser or the blob's owner.

    Args:
        id: identifier of the blob to look up.

    Returns:
        The same ``id``, unchanged, when the check passes.

    Raises:
        Http404: no blob exists for this id.
        AccessControlError: the requester is neither superuser nor owner.
    """
    request = self.context.get('request')

    try:
        blob_object = blob_api.get_by_id(id)
    except DoesNotExist:
        raise Http404

    # NOTE(review): a missing id yields Http404 while a forbidden one yields
    # AccessControlError, so a caller can tell the two cases apart; confirm
    # that disclosing existence is acceptable here.
    requester = request.user
    if requester.is_superuser is not False:
        return id
    if str(requester.id) == blob_object.user_id:
        return id

    raise AccessControlError("You don't have the permission to delete this id: {0}".format(id))
def _check_can_read_data_list(data_list, user):
    """Check that the user can read each data of the list.

    The readable workspaces are fetched once for the whole list. The check
    stops at the first item the user may not read, so one forbidden item
    rejects the entire list.

    Args:
        data_list: sized iterable of objects exposing ``user_id`` and ``workspace``.
        user: requesting user.

    Returns:
        None. The function only signals failure, by raising.

    Raises:
        AccessControlError: some item is not owned by the user and is not in
            a workspace the user can read.
    """
    # Nothing to check: avoid the workspace lookup altogether.
    if len(data_list) == 0:
        return

    readable_workspaces = workspace_api.get_all_workspaces_with_read_access_by_user(user)
    requester_id = str(user.id)

    for data in data_list:
        owned_by_requester = data.user_id == requester_id
        if owned_by_requester or (
                data.workspace is not None and data.workspace in readable_workspaces):
            continue
        raise AccessControlError("The user doesn't have enough rights to access this data.")
def can_delete_workspace(func, workspace, user):
    """Run ``func`` only if the user may delete the workspace.

    Superusers always pass. Any other user must own the workspace, and a
    public workspace cannot be deleted while
    ``CAN_SET_PUBLIC_DATA_TO_PRIVATE`` is False.

    Args:
        func: callable invoked as ``func(workspace, user)`` once all checks pass.
        workspace: workspace to delete; ``is_public`` is read.
        user: requesting user.

    Returns:
        Whatever ``func`` returns.

    Raises:
        AccessControlError: the user is not the owner, or the workspace is
            public and un-publishing is disabled.
    """
    if not user.is_superuser:
        _check_is_owner_workspace(workspace, user)
        # Deleting a public workspace would un-publish whatever it holds.
        if CAN_SET_PUBLIC_DATA_TO_PRIVATE is False and workspace.is_public:
            raise AccessControlError("The workspace can not be deleted.")
    return func(workspace, user)
def can_user_set_workspace_public(func, workspace, user):
    """Run ``func`` only if the user may make the workspace public.

    Superusers always pass. Any other user must own the workspace and hold
    the permission looked up by the ``rights.publish_data`` codename.

    Args:
        func: callable invoked as ``func(workspace, user)`` once all checks pass.
        workspace: workspace to make public.
        user: requesting user; must expose ``has_perm``.

    Returns:
        Whatever ``func`` returns.

    Raises:
        AccessControlError: the user is not the owner of the workspace, or
            lacks the publish permission.
    """
    if not user.is_superuser:
        # Ownership first, then the publish permission.
        _check_is_owner_workspace(workspace, user)
        permission = permissions_api.get_by_codename(rights.publish_data)
        qualified_name = '.'.join((permission.content_type.app_label, permission.codename))
        if not user.has_perm(qualified_name):
            raise AccessControlError("You don't have enough rights to set public this workspace.")
    return func(workspace, user)