示例#1
def location_restricted_response(request):
    """Report a location-based access denial and return the denial page.

    Every denial is passed to ``notify_exception`` before the response is
    built, so repeated denials can be noticed and investigated.
    ``notify_exception`` and ``LOCATION_ACCESS_DENIED`` are defined elsewhere
    in the project.
    """
    # Function-scope import, kept from the original (presumably to avoid a
    # circular import between the two apps -- confirm).
    from corehq.apps.hqwebapp.views import no_permissions as deny_access
    notify_exception(
        request,
        "Someone was just denied access to a page due to location-based "
        "access restrictions. If this happens a lot, we should investigate.",
    )
    return deny_access(request, message=LOCATION_ACCESS_DENIED)
示例#2
def default(request, domain):
    """Redirect to the first locations page the requesting user may edit.

    Users who can edit locations go to the locations list; users who can only
    edit location types go to the location-types page; everyone else gets the
    ``no_permissions`` response.
    """
    couch_user = request.couch_user
    if couch_user.can_edit_locations():
        landing_view = LocationsListView
    elif user_can_edit_location_types(couch_user, domain):
        landing_view = LocationTypesView
    else:
        # Fall through to a denial rather than a redirect.
        return no_permissions(request)
    return HttpResponseRedirect(reverse(landing_view.urlname, args=[domain]))
示例#3
    def process_view(self, request, view_fn, view_args, view_kwargs):
        """Enforce location-based access restrictions before a view runs.

        ``self.apply_location_access`` is called first and is expected to set
        ``request.can_access_all_locations``, which is read immediately
        afterwards. Returns ``None`` to let the view proceed, or a denial
        response for restricted users hitting a view that is not location-safe
        or who have no assigned location.
        """
        couch_user = getattr(request, 'couch_user', None)
        project = getattr(request, 'domain', None)
        self.apply_location_access(request)

        if request.can_access_all_locations:
            return None
        if not is_location_safe(view_fn, request, view_args, view_kwargs):
            return location_restricted_response(request)
        # NOTE(review): couch_user defaults to None above; this call assumes
        # apply_location_access never marks a user-less request as
        # restricted -- confirm.
        if not couch_user.get_sql_location(project):
            return no_permissions(request, message=RESTRICTED_USER_UNASSIGNED_MSG)
        return None
示例#4
    def process_view(self, request, view_fn, view_args, view_kwargs):
        """Deny location-restricted users access to views that are not location-safe.

        The restriction flag is read from ``request.can_access_all_locations``
        right after ``self.apply_location_access(request)`` runs. A ``None``
        return lets the view run; otherwise a denial response is returned.
        """
        user = getattr(request, 'couch_user', None)
        domain = getattr(request, 'domain', None)
        self.apply_location_access(request)

        restricted = not request.can_access_all_locations
        if restricted and not is_location_safe(view_fn, request, view_args, view_kwargs):
            # The view has not been marked safe for location-restricted users.
            return location_restricted_response(request)
        # NOTE(review): user may be None (getattr default); this relies on
        # apply_location_access not restricting such requests -- confirm.
        if restricted and not user.get_sql_location(domain):
            return no_permissions(request, message=RESTRICTED_USER_UNASSIGNED_MSG)
        return None
示例#5
    def _inner(req, domain, *args, **kwargs):
        """Run the domain-level access checks, then call ``view_func``.

        The checks run in a fixed order and the first one that fails decides
        the response: the domain must load; the user must be authenticated and
        active (public custom reports excepted); the domain must be active;
        snapshot domains are limited to previewers; then access depends on
        whether the user is a domain member, a superuser, or a web user on a
        domain that allows access requests. Anything else raises ``Http404``.
        ``view_func`` comes from the enclosing scope, which is not shown here.
        """
        user = req.user
        domain_name, domain_obj = load_domain(req, domain)
        # Every successful path goes through this closure, so the view always
        # receives the name returned by load_domain rather than the raw URL value.
        def call_view(): return view_func(req, domain_name, *args, **kwargs)
        if not domain_obj:
            msg = _('The domain "{domain}" was not found.').format(domain=domain_name)
            raise Http404(msg)

        # Unauthenticated or inactive accounts reach the view only for public
        # custom reports; every other request is sent to the domain login page.
        if not (user.is_authenticated and user.is_active):
            if _is_public_custom_report(req.path, domain_name):
                return call_view()
            else:
                login_url = reverse('domain_login', kwargs={'domain': domain_name})
                return redirect_for_login_or_domain(req, login_url=login_url)

        couch_user = _ensure_request_couch_user(req)
        if not domain_obj.is_active:
            return _inactive_domain_response(req, domain_name)
        # Snapshot domains return from this branch, so the membership,
        # two-factor and SSO checks below are not applied to them.
        # NOTE(review): confirm is_previewer() alone is the intended gate.
        if domain_obj.is_snapshot:
            if not hasattr(req, 'couch_user') or not req.couch_user.is_previewer():
                raise Http404()
            return call_view()

        # Domain members: two-factor first, then project-page access, then SSO.
        if couch_user.is_member_of(domain_obj, allow_mirroring=True):
            if _is_missing_two_factor(view_func, req):
                return TemplateResponse(request=req, template='two_factor/core/otp_required.html', status=403)
            elif not _can_access_project_page(req):
                return _redirect_to_project_access_upgrade(req)
            elif (ENTERPRISE_SSO.enabled_for_request(req)  # safety check. next line was not formally QA'd yet
                  and is_request_blocked_from_viewing_domain_due_to_sso(req, domain_obj)):
                # Important! Make sure this is always the final check prior
                # to returning call_view() below
                return render_untrusted_identity_provider_for_domain_view(req, domain_obj)
            else:
                return call_view()
        # Superusers who are not members of the domain.
        # NOTE(review): unlike the member branch, this branch never calls
        # _is_missing_two_factor -- confirm superuser 2FA is enforced elsewhere.
        elif user.is_superuser:
            # A domain can opt out of superuser access except for whitelisted pages.
            if domain_obj.restrict_superusers and not _page_is_whitelisted(req.path, domain_obj.name):
                from corehq.apps.hqwebapp.views import no_permissions
                msg = "This project space restricts superuser access.  You must request an invite to access it."
                return no_permissions(req, message=msg)
            if not _can_access_project_page(req):
                return _redirect_to_project_access_upgrade(req)
            if (ENTERPRISE_SSO.enabled_for_request(req)  # safety check. next line was not formally QA'd yet
                    and is_request_using_sso(req)):
                # We will not support SSO for superusers at this time
                return HttpResponseForbidden(
                    "SSO support is not currently available for superusers."
                )
            return call_view()
        # Non-member web users are handed to the access-request view when the
        # domain allows requests. The domain argument is not forwarded here;
        # NOTE(review): confirm DomainRequestView obtains it another way.
        elif couch_user.is_web_user() and domain_obj.allow_domain_requests:
            from corehq.apps.users.views.web import DomainRequestView
            return DomainRequestView.as_view()(req, *args, **kwargs)
        else:
            # Everyone else gets a 404 rather than a 403 (presumably so the
            # response does not confirm the domain exists -- confirm).
            raise Http404
示例#6
    def _inner(req, domain, *args, **kwargs):
        """Run the domain-level access checks, then call ``view_func``.

        Checks are ordered and the first failure decides the response: the
        domain must load; the user must be authenticated and active (public
        custom reports excepted); the domain must be active; snapshot domains
        are limited to previewers; then access depends on whether the user is
        a member, a superuser, or a web user on a domain that allows access
        requests. Anything else raises ``Http404``. ``view_func`` comes from
        the enclosing scope, which is not shown here.
        """
        user = req.user
        domain_name, domain_obj = load_domain(req, domain)

        # Every successful path goes through this closure, so the view always
        # receives the name returned by load_domain rather than the raw URL value.
        def call_view():
            return view_func(req, domain_name, *args, **kwargs)

        if not domain_obj:
            msg = _('The domain "{domain}" was not found.').format(
                domain=domain_name)
            raise Http404(msg)

        # Unauthenticated or inactive accounts reach the view only for public
        # custom reports; every other request is sent to the domain login page.
        if not (user.is_authenticated and user.is_active):
            if _is_public_custom_report(req.path, domain_name):
                return call_view()
            else:
                login_url = reverse('domain_login',
                                    kwargs={'domain': domain_name})
                return redirect_for_login_or_domain(req, login_url=login_url)

        couch_user = _ensure_request_couch_user(req)
        if not domain_obj.is_active:
            return _inactive_domain_response(req, domain_name)
        # Snapshot domains return from this branch, so the membership and
        # two-factor checks below are not applied to them.
        # NOTE(review): confirm is_previewer() alone is the intended gate.
        if domain_obj.is_snapshot:
            if not hasattr(req,
                           'couch_user') or not req.couch_user.is_previewer():
                raise Http404()
            return call_view()

        # Domain members: two-factor first, then project-page access.
        if couch_user.is_member_of(domain_obj, allow_mirroring=True):
            if _is_missing_two_factor(view_func, req):
                return TemplateResponse(
                    request=req,
                    template='two_factor/core/otp_required.html',
                    status=403)
            elif not _can_access_project_page(req):
                return _redirect_to_project_access_upgrade(req)
            else:
                return call_view()
        # Superusers who are not members of the domain.
        # NOTE(review): unlike the member branch, this branch never calls
        # _is_missing_two_factor -- confirm superuser 2FA is enforced elsewhere.
        elif user.is_superuser:
            # A domain can opt out of superuser access except for whitelisted pages.
            if domain_obj.restrict_superusers and not _page_is_whitelisted(
                    req.path, domain_obj.name):
                from corehq.apps.hqwebapp.views import no_permissions
                msg = "This project space restricts superuser access.  You must request an invite to access it."
                return no_permissions(req, message=msg)
            if not _can_access_project_page(req):
                return _redirect_to_project_access_upgrade(req)
            return call_view()
        # Non-member web users are handed to the access-request view when the
        # domain allows requests. The domain argument is not forwarded here;
        # NOTE(review): confirm DomainRequestView obtains it another way.
        elif couch_user.is_web_user() and domain_obj.allow_domain_requests:
            from corehq.apps.users.views import DomainRequestView
            return DomainRequestView.as_view()(req, *args, **kwargs)
        else:
            # Everyone else gets a 404 rather than a 403 (presumably so the
            # response does not confirm the domain exists -- confirm).
            raise Http404
示例#7
def location_export(request, domain):
    """Queue an asynchronous location export and redirect to its status page.

    Users who cannot access all locations may only request the headers-only
    download (``download_type=empty``); a full export from such a user gets
    the ``no_permissions`` response. If the domain has no location types yet,
    the user is sent back to the locations list with an error message.
    """
    query = request.GET
    headers_only = query.get('download_type', 'full') == 'empty'

    # Location-restricted users are limited to the headers-only download.
    if not (request.can_access_all_locations or headers_only):
        return no_permissions(request)

    has_location_types = LocationType.objects.filter(domain=domain).exists()
    if not has_location_types:
        messages.error(request, _("You need to define organization levels before "
                                  "you can do a bulk import or export."))
        locations_url = reverse(LocationsListView.urlname, args=[domain])
        return HttpResponseRedirect(locations_url)

    with_consumption = query.get('include_consumption') == 'true'
    download = DownloadBase()
    task = download_locations_async.delay(
        domain,
        download.download_id,
        with_consumption,
        headers_only,
    )
    download.set_task(task)
    return redirect(DownloadLocationStatusView.urlname, domain, download.download_id)
示例#8
 def process_view(self, request, view_fn, view_args, view_kwargs):
     """Set ``request.can_access_all_locations`` and block restricted users.

     Requests with no domain, no user, or a user who is not a member of the
     domain are marked as unrestricted, as are users holding the
     ``access_all_locations`` permission. Everyone else is restricted and is
     denied unless the view is location-safe and the user has a location.
     """
     couch_user = getattr(request, 'couch_user', None)
     project = getattr(request, 'domain', None)

     # Non-domain pages and tests are left unrestricted here; this layer
     # relies on the normal authentication checks to handle those requests.
     outside_domain = (
         not project or not couch_user or not couch_user.is_member_of(project)
     )
     if outside_domain or couch_user.has_permission(project, 'access_all_locations'):
         request.can_access_all_locations = True
         return None

     request.can_access_all_locations = False
     if not is_location_safe(view_fn, view_args, view_kwargs):
         return location_restricted_response(request)
     if not couch_user.get_sql_location(project):
         return no_permissions(request,
                               message=RESTRICTED_USER_UNASSIGNED_MSG)
     return None
示例#9
def location_restricted_response(request):
    """Report a location-based access denial, then return the denial page.

    ``notify_exception`` is called with ``NOTIFY_EXCEPTION_MSG`` on every
    denial so the event is recorded; both names are defined elsewhere.
    """
    # Function-scope import kept from the original.
    from corehq.apps.hqwebapp.views import no_permissions as deny_access
    notify_exception(request, NOTIFY_EXCEPTION_MSG)
    denial = deny_access(request, message=LOCATION_ACCESS_DENIED)
    return denial
示例#10
    def dispatch(self, *args, **kwargs):
        """Deny non-web users who have no ministry before dispatching the view.

        Web users always pass this check. Any other user needs a
        ``user_ministry`` that is neither ``None`` nor the empty string.
        """
        if self.couch_user.is_web_user():
            allowed = True
        else:
            allowed = not (self.user_ministry is None or self.user_ministry == '')

        if not allowed:
            return no_permissions(self.request)
        return super(ReachDashboardView, self).dispatch(*args, **kwargs)
示例#11
def default(request, domain):
    """Send the user to the locations page matching their edit permissions.

    Location editors are redirected to the locations list, location-type
    editors to the location-types page; any other user gets the
    ``no_permissions`` response.
    """
    def _redirect_to(view_cls):
        # Both destinations are domain-scoped URLs built the same way.
        return HttpResponseRedirect(reverse(view_cls.urlname, args=[domain]))

    if request.couch_user.can_edit_locations():
        return _redirect_to(LocationsListView)
    if user_can_edit_location_types(request.couch_user, domain):
        return _redirect_to(LocationTypesView)
    return no_permissions(request)
示例#12
def location_restricted_response(request):
    """Return the denial page for a location-restricted request.

    This version only builds the response; it does not report or log the
    denial itself.
    """
    # Function-scope import kept from the original.
    from corehq.apps.hqwebapp.views import no_permissions as deny_access
    denial = deny_access(request, message=LOCATION_ACCESS_DENIED)
    return denial
示例#13
 def _inner(request, domain, *args, **kwargs):
     """Call ``view_func`` unless the domain is an ICDS CAS project.

     For domains where ``is_icds_cas_project`` is true, the wrapped view is
     never invoked and the ``no_permissions`` response is returned instead.
     ``view_func`` comes from the enclosing scope, which is not shown here.
     """
     if not is_icds_cas_project(domain):
         return view_func(request, domain, *args, **kwargs)
     return no_permissions(request,
                           message=DATA_INTERFACE_ACCESS_DENIED)
示例#14
    def dispatch(self, *args, **kwargs):
        """Dispatch the view unless a non-web user lacks a ministry.

        The ministry check applies only when ``couch_user.is_web_user()`` is
        false; a ``user_ministry`` of ``None`` or ``''`` then results in the
        ``no_permissions`` response.
        """
        needs_ministry = not self.couch_user.is_web_user()
        if needs_ministry and (self.user_ministry is None or self.user_ministry == ''):
            return no_permissions(self.request)

        parent = super(ReachDashboardView, self)
        return parent.dispatch(*args, **kwargs)
示例#15
def location_restricted_response(request):
    """Record a location-based denial and build the denial response.

    ``notify_exception`` receives ``NOTIFY_EXCEPTION_MSG`` before the
    ``no_permissions`` page is returned with ``LOCATION_ACCESS_DENIED``.
    """
    # Function-scope import kept from the original.
    from corehq.apps.hqwebapp import views as hqwebapp_views
    notify_exception(request, NOTIFY_EXCEPTION_MSG)
    return hqwebapp_views.no_permissions(request, message=LOCATION_ACCESS_DENIED)
示例#16
def location_restricted_response(request):
    """Notify about a location-based denial and return the denial page.

    The notification text is fixed; ``notify_exception`` and
    ``LOCATION_ACCESS_DENIED`` are defined elsewhere in the project.
    """
    # Function-scope import kept from the original.
    from corehq.apps.hqwebapp import views as hqwebapp_views
    notification = (
        "Someone was just denied access to a page due to location-based "
        "access restrictions. If this happens a lot, we should investigate."
    )
    notify_exception(request, notification)
    return hqwebapp_views.no_permissions(request, message=LOCATION_ACCESS_DENIED)