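def server_validate_statement_object(stmt_object, auth):
    """Server-side checks on a statement's ``object`` before it is stored.

    * A ``StatementRef`` must point at an existing statement, otherwise
      IDNotFoundError is raised.
    * An ``Activity`` (the default when ``objectType`` is absent) that carries
      a ``definition`` may only change the canonical activity's definition if
      the caller is its authority.  Forbidden is raised when a canonical
      Activity with that ID exists, the supplied definition differs from the
      stored one, and ``activity.authoritative`` names someone other than the
      caller.
    * Any other object type passes through untouched.

    ``auth`` may be None; otherwise ``auth['id']`` is an Agent (identified by
    ``.name``) or a user object (identified by ``.username``).

    Fix over the previous version: ``objectType`` is read with ``.get`` so a
    statement that omits it is treated as an Activity instead of failing with
    KeyError before the ``'objectType' not in stmt_object`` branch could run.
    """
    object_type = stmt_object.get('objectType', 'Activity')

    if object_type == 'StatementRef':
        if not check_for_existing_statementId(stmt_object['id']):
            raise IDNotFoundError("No statement with ID %s was found" % stmt_object['id'])
        return

    if object_type != 'Activity':
        return

    # Without a definition nothing could overwrite the canonical activity, so
    # ownership does not matter.
    if 'definition' not in stmt_object:
        return

    try:
        activity = models.Activity.objects.get(activity_id=stmt_object['id'], canonical_version=True)
    except models.Activity.DoesNotExist:
        # No canonical activity yet: nothing to protect.
        return

    # Resolve the caller's name; Agent vs user is distinguished by class name
    # (kept as in the original rather than isinstance).
    if auth:
        if auth['id'].__class__.__name__ == 'Agent':
            auth_name = auth['id'].name
        else:
            auth_name = auth['id'].username
    else:
        auth_name = None

    # Canonical definition, if any; object_return() may omit the key.
    try:
        activity_def = activity.object_return()['definition']
    except KeyError:
        activity_def = {}

    # Only a *different* definition from a non-owner is a conflict.
    definition_changed = stmt_object['definition'] != activity_def
    owned_by_other = activity.authoritative != '' and activity.authoritative != auth_name
    if definition_changed and owned_by_other:
        raise Forbidden("This ActivityID already exists, and you do not have the correct authority to create or update it.")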
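def validate_oauth_scope(req_dict):
    """Authorize an OAuth request against the scopes carried by its token.

    Raises Forbidden when the token's scopes do not cover the combination of
    HTTP ``req_dict['method']`` and ``req_dict['auth']['endpoint']``.  An
    unknown method or endpoint is rejected the same way (fail closed) instead
    of escaping as a KeyError from the lookup table.

    On success two flags are written back into ``req_dict['auth']``:

    * ``statements_mine_only`` is set to True only when the token carries
      ``statements/read/mine`` (it is left absent otherwise).
    * ``oauth_define`` is True when the token may update the global
      representation of activities/agents (``define`` or ``all``).
    """
    method = req_dict['method']
    endpoint = req_dict['auth']['endpoint']
    token = req_dict['auth']['oauth_token']
    scopes = token.scope_to_list()
    err_msg = "Incorrect permissions to %s at %s" % (str(method), str(endpoint))

    # Scopes, besides 'all', that permit each endpoint.  Read methods also
    # accept the 'all/read' umbrella; write methods do not, and
    # '/statements/more' only exists for reads.
    read_access = {
        "/statements": ('all/read', 'statements/read', 'statements/read/mine'),
        "/statements/more": ('all/read', 'statements/read', 'statements/read/mine'),
        "/activities": ('all/read',),
        "/activities/profile": ('all/read', 'profile'),
        "/activities/state": ('all/read', 'state'),
        "/agents": ('all/read',),
        "/agents/profile": ('all/read', 'profile'),
    }
    write_access = {
        "/statements": ('statements/write',),
        "/activities": ('define',),
        "/activities/profile": ('profile',),
        "/activities/state": ('state',),
        "/agents": ('define',),
        "/agents/profile": ('profile',),
    }
    validator = {
        'GET': read_access,
        'HEAD': read_access,
        'PUT': write_access,
        'POST': write_access,
        'DELETE': write_access,
    }

    # Unknown method/endpoint yields an empty tuple, so the check fails closed.
    permitted = validator.get(method, {}).get(endpoint, ())
    if 'all' not in scopes and not any(s in scopes for s in permitted):
        raise Forbidden(err_msg)

    # Restrict statement reads to the caller's own statements.
    if 'statements/read/mine' in scopes:
        req_dict['auth']['statements_mine_only'] = True

    # 'define' (or 'all') may update the global representation of
    # activities/agents.
    req_dict['auth']['oauth_define'] = 'define' in scopes or 'all' in scopes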
def validate_void_statement(void_id):
    """Ensure the statement identified by ``void_id`` exists and is not already voided.

    A voided statement cannot be un-voided; the caller has to reissue it under
    a new ID.  Raises IDNotFoundError when no statement has that ID and
    Forbidden when the statement is already voided.
    """
    try:
        target = models.Statement.objects.get(statement_id=void_id)
    except models.Statement.DoesNotExist:
        raise IDNotFoundError("Statement with ID %s does not exist" % void_id)

    if target.voided:
        raise Forbidden(
            "Statement with ID: %s is already voided, cannot unvoid. Please re-issue the statement under a new ID." % void_id
        )
def validate_oauth_state_or_profile_agent(req_dict, endpoint):
    """Check that an OAuth caller may act on the agent named in the request.

    Tokens carrying the ``all`` scope are trusted for any agent and return
    immediately.  Otherwise ``req_dict['params']['agent']`` (a dict, or a JSON
    string that is decoded first) is looked up and must be a member of the
    authorising ``req_dict['auth']['id']``; NotFound is raised when no such
    agent exists and Forbidden when it is not a member.  ``endpoint`` only
    appears in the error messages.
    """
    requested = req_dict['params']['agent']
    scopes = req_dict['auth']['oauth_token'].scope_to_list()
    if 'all' in scopes:
        return

    if not isinstance(requested, dict):
        requested = json.loads(requested)

    # NOTE(review): the request-supplied dict is passed straight through as
    # lookup kwargs; keys that are not Agent fields would presumably surface as
    # an ORM error rather than NotFound — confirm they are validated upstream.
    try:
        matched = models.Agent.objects.get(**requested)
    except models.Agent.DoesNotExist:
        raise NotFound("Agent in %s cannot be found to match user in authorization" % endpoint)

    if matched not in req_dict['auth']['id'].member.all():
        raise Forbidden("Authorization doesn't match agent in %s" % endpoint)
def validate_statementId(req_dict):
    """Validate a single-statement GET and return the ID being fetched.

    Exactly one of ``statementId`` / ``voidedStatementId`` must be present in
    ``req_dict['params']`` and no filtering parameters may accompany it
    (ParamError otherwise).  The statement must exist (IDNotFoundError), a
    caller flagged ``statements_mine_only`` may only see statements whose
    authority is itself (Forbidden), and the stored voided flag must agree
    with which parameter was used (IDNotFoundError with a hint).
    """
    params = req_dict['params']
    if 'statementId' in params and 'voidedStatementId' in params:
        raise ParamError("Cannot have both statementId and voidedStatementId in a GET request")
    if 'statementId' in params:
        target_id, expect_voided = params['statementId'], False
    else:
        target_id, expect_voided = params['voidedStatementId'], True

    filter_keys = {"agent", "verb", "activity", "registration", "related_activities",
                   "related_agents", "since", "until", "limit", "ascending"}
    clashing = filter_keys & set(params)
    if clashing:
        raise ParamError(
            "Cannot have %s in a GET request only 'format' and/or 'attachments' are allowed with 'statementId' and 'voidedStatementId'" % ', '.join(clashing)
        )

    try:
        stmt = models.Statement.objects.get(statement_id=target_id)
    except models.Statement.DoesNotExist:
        raise IDNotFoundError('There is no statement associated with the id: %s' % target_id)

    # Only the flag's presence matters here; validate_oauth_scope sets it to
    # True for tokens scoped to 'statements/read/mine'.
    auth = req_dict.get('auth', None)
    if auth and 'statements_mine_only' in auth and stmt.authority.id != auth['id'].id:
        raise Forbidden("Incorrect permissions to view statements that do not have auth %s" % str(auth['id']))

    if stmt.voided != expect_voided:
        if stmt.voided:
            hint = 'The requested statement (%s) is voided. Use the "voidedStatementId" parameter to retrieve your statement.' % target_id
        else:
            hint = 'The requested statement (%s) is not voided. Use the "statementId" parameter to retrieve your statement.' % target_id
        raise IDNotFoundError(hint)

    return target_id
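def server_validate_statement_object(stmt_object, auth):
    """Server-side checks on a statement's ``object`` before it is stored.

    * A ``StatementRef`` must point at an existing statement, otherwise
      IDNotFoundError is raised.
    * An ``Activity`` (the default when ``objectType`` is absent) that carries
      a ``definition`` is refused with Forbidden when a canonical Activity
      with that ID already exists and its ``authoritative`` names someone
      other than the caller — regardless of whether the definition changed.
    * Any other object type passes through untouched.

    ``auth`` may be None; otherwise ``auth['id']`` is an Agent (identified by
    ``.name``) or a user object (identified by ``.username``).

    NOTE(review): this name is defined twice in the module (an earlier version
    additionally compares the supplied and stored definitions); the later
    definition is the one bound at import time — confirm which is intended.

    Fix over the previous version: ``objectType`` is read with ``.get`` so a
    statement that omits it is treated as an Activity instead of failing with
    KeyError before the ``'objectType' not in stmt_object`` branch could run.
    """
    object_type = stmt_object.get('objectType', 'Activity')

    if object_type == 'StatementRef':
        if not check_for_existing_statementId(stmt_object['id']):
            raise IDNotFoundError("No statement with ID %s was found" % stmt_object['id'])
        return

    if object_type != 'Activity':
        return

    # Without a definition nothing could overwrite the canonical activity, so
    # ownership does not matter.
    if 'definition' not in stmt_object:
        return

    try:
        activity = models.Activity.objects.get(activity_id=stmt_object['id'], canonical_version=True)
    except models.Activity.DoesNotExist:
        # No canonical activity yet: nothing to protect.
        return

    # Resolve the caller's name; Agent vs user is distinguished by class name
    # (kept as in the original rather than isinstance).
    if auth:
        if auth['id'].__class__.__name__ == 'Agent':
            auth_name = auth['id'].name
        else:
            auth_name = auth['id'].username
    else:
        auth_name = None

    if activity.authoritative != '' and activity.authoritative != auth_name:
        raise Forbidden("This ActivityID already exists, and you do not have the correct authority to create or update it.")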