def apply_limits(self, request, object_list):
    """Restrict an asset list to the assets the requesting user may see.

    Assets whose primary source is labelled 'archive' are dropped first.
    Each remaining asset is hidden when the requesting user is not a member
    of the asset's course, or when a ``tag``, ``modified`` or
    ``vocabulary-<key>`` query parameter is present and the asset's notes do
    not satisfy it. The surviving assets are returned ordered by id.
    """
    # Archives never appear in these lists.
    archive_ids = [archive.id for archive in object_list.filter(
        source__primary=True, source__label='archive')]
    object_list = object_list.exclude(id__in=archive_ids)

    # Optional filters. All of them come straight from the query string, so
    # they are client-controlled values.
    # NOTE(review): is_tagged / in_date_range / has_vocabulary are not visible
    # here -- confirm they only pass these values to the ORM as parameters.
    params = request.GET
    tag_string = params.get('tag', '')
    modified = params.get('modified', '')
    prefix = 'vocabulary-'
    vocabulary = {
        key[len(prefix):]: val.split(",")
        for key, val in params.items()
        if key.startswith(prefix)
    }

    invisible = []
    for asset in object_list:
        # Hack -- call the note authorization layer directly. The filter
        # helpers below receive its result, not the raw note set.
        notes = SherdNoteResource()._meta.authorization.apply_limits(
            request, asset.sherdnote_set, False)

        # Course membership is checked first; the filters are only consulted
        # for members (short-circuit, same order as the original chain).
        hidden = (
            not cached_course_is_member(asset.course, request.user)
            or (tag_string and not self.is_tagged(notes, tag_string))
            or (modified and not self.in_date_range(notes, modified))
            or (vocabulary and not self.has_vocabulary(notes, vocabulary))
        )
        if hidden:
            invisible.append(asset.id)

    return object_list.exclude(id__in=invisible).order_by('id')
def read(self, coll, course, user):
    """Return whether `user` may read the collaboration `coll` in `course`.

    Access is denied outright when no course is given. Otherwise `coll` must
    hang off the course's own collaboration and `user` must be a member of
    the course.
    """
    if course:
        expected_context = cached_course_collaboration(course)
        return (coll.context == expected_context and
                cached_course_is_member(course, user))

    # No course in scope: fail closed.
    return False
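def apply_limits(self, request, object_list, exclude_global=True):
    """Restrict a note list to the notes the requesting user may see.

    Authenticated users: with `exclude_global` set, global annotations
    (``range1`` is null) written by other users are dropped. A note is then
    hidden when the user is not a member of the note's course, or when the
    course does not make all selections visible, the user is not faculty,
    and the note's author is neither the user nor a faculty member. The
    result is ordered by id.

    Unauthenticated requests: every note is returned (ordered by id) only
    when the request carries a truthy ``public`` attribute; anything else
    yields an empty list.
    """
    if request.user.is_authenticated():
        if exclude_global:
            # only request user's global annotations
            object_list = object_list.exclude(~Q(author=request.user),
                                              range1__isnull=True)

        # Make sure the requesting user is allowed to see this note
        invisible = []

        # Cache this out per course/user. It's just too slow otherwise.
        # Maps course.id -> None (no author restriction) or the list of
        # authors whose notes the requesting user may see in that course.
        whitelists = {}
        for note in object_list.select_related('asset__course'):
            course = note.asset.course

            if course.id not in whitelists:
                whitelist = None
                is_faculty = cached_course_is_faculty(course, request.user)
                if (not course_details.all_selections_are_visible(course)
                        and not is_faculty):
                    whitelist = list(course.faculty)
                    whitelist.append(request.user)
                whitelists[course.id] = whitelist

            whitelist = whitelists[course.id]
            if not cached_course_is_member(course, request.user):
                invisible.append(note.id)
            elif whitelist and note.author not in whitelist:
                # apply per course limitations
                # the user or a faculty member must be the selection author
                invisible.append(note.id)

        return object_list.exclude(id__in=invisible).order_by('id')

    # attribute "public" set on request when requesting a
    # public_to_world essay. all notes are public by default.
    # Read it with a default: on any other anonymous request the attribute
    # may be absent, and that case must deny rather than raise
    # AttributeError.
    if getattr(request, 'public', False):
        return object_list.order_by('id')

    # NOTE(review): this deny path returns a plain list while the other
    # paths return the ordered object_list -- confirm callers accept both.
    return []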
def has_object_permission(self, request, view, obj):
    """Allow access to `obj` only for members of the object's course.

    Returns True for a member of ``obj.course``; raises PermissionDenied for
    everyone else. `view` is not consulted.
    """
    if cached_course_is_member(obj.course, request.user):
        return True

    # Not a course member: deny by raising rather than returning False.
    raise PermissionDenied
def test_cached_course_is_member(self):
    """student_one is reported as a member of sample_course on repeat calls."""
    # The same lookup is asserted twice; presumably the second call is meant
    # to be answered from the cache -- confirm against the helper.
    # NOTE(review): only the allow path is asserted here; a non-member
    # assertion would also cover the deny path.
    for _ in range(2):
        self.assertTrue(
            cached_course_is_member(self.sample_course, self.student_one))
def test_cached_course_is_member(self):
    """Membership of student_one in sample_course holds on two lookups."""
    course = self.sample_course
    student = self.student_one

    # First lookup.
    first = cached_course_is_member(course, student)
    self.assertTrue(first)

    # Identical second lookup; presumably exercises the cached result --
    # confirm against the helper's implementation.
    second = cached_course_is_member(course, student)
    self.assertTrue(second)