示例#1
0
    def mutate(cls, root, info, **input):
        _piano = Piano.objects.get(codice=input['codice_piano'])
        _procedura_vas = ProceduraVAS.objects.get(piano=_piano)
        if info.context.user and rules.test_rule(
                'strt_core.api.can_edit_piano', info.context.user, _piano):
            try:
                _next_fase = cls.get_next_phase(_piano.fase)
                if rules.test_rule(
                        'strt_core.api.fase_{next}_completa'.format(
                            next=_next_fase), _piano, _procedura_vas):
                    _piano.fase = _fase = Fase.objects.get(nome=_next_fase)
                    piano_phase_changed.send(sender=Piano,
                                             user=info.context.user,
                                             piano=_piano)
                    _piano.save()

                    cls.update_actions_for_phase(_fase, _piano, _procedura_vas)

                    return PromozionePiano(piano_aggiornato=_piano, errors=[])
                else:
                    return GraphQLError(_("Not Allowed"), code=405)
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)
        else:
            return GraphQLError(_("Forbidden"), code=403)
示例#2
0
    def mutate(cls, root, info, **input):
        if info.context.user and rules.test_rule(
                'strt_core.api.can_access_private_area', info.context.user):
            # Fetching input arguments
            _id = input['risorsa_id']
            _uuid_cc = input['codice']
            # TODO: Andrebbe controllato se la risorsa in funzione del tipo e della fase del piano è eliminabile o meno
            try:
                _conferenza_copianificazione = ConferenzaCopianificazione.objects.get(
                    uuid=_uuid_cc)
                if rules.test_rule('strt_core.api.can_edit_piano',
                                   info.context.user,
                                   _conferenza_copianificazione.piano):
                    _risorsa = Risorsa.objects.get(uuid=_id)
                    _success = DeleteRisorsaBase.handle_downloaded_data(
                        _risorsa)
                    return DeleteRisorsaCopianificazione(
                        conferenza_copianificazione_aggiornata=
                        _conferenza_copianificazione,
                        success=_success)
                else:
                    return GraphQLError(_("Forbidden"), code=403)
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)

        # Something went wrong
        return GraphQLError(_("Not Allowed"), code=405)
示例#3
0
 def mutate_and_get_payload(cls, root, info, **input):
     _piano = Piano.objects.get(codice=input['codice_piano'])
     _procedura_vas = ProceduraVAS.objects.get(piano=_piano)
     _token = info.context.session[
         'token'] if 'token' in info.context.session else None
     _organization = _piano.ente
     if info.context.user and \
     rules.test_rule('strt_core.api.can_edit_piano', info.context.user, _piano) and \
     (rules.test_rule('strt_core.api.is_actor', _token or (info.context.user, _organization), 'Comune') or
      rules.test_rule('strt_core.api.is_actor', _token or (info.context.user, _organization), 'AC')):
         try:
             nuova_consultazione_vas = ConsultazioneVAS()
             nuova_consultazione_vas.user = info.context.user
             nuova_consultazione_vas.procedura_vas = _procedura_vas
             _consultazioni_vas_expire_days = getattr(
                 settings, 'CONSULTAZIONI_SCA_EXPIRE_DAYS', 90)
             nuova_consultazione_vas.data_scadenza = datetime.datetime.now(timezone.get_current_timezone()) + \
             datetime.timedelta(days=_consultazioni_vas_expire_days)
             nuova_consultazione_vas.save()
             return cls(nuova_consultazione_vas=nuova_consultazione_vas)
         except BaseException as e:
             tb = traceback.format_exc()
             logger.error(tb)
             return GraphQLError(e, code=500)
     else:
         return GraphQLError(_("Forbidden"), code=403)
示例#4
0
    def mutate(cls, root, info, **input):
        _procedura_vas = ProceduraVAS.objects.get(uuid=input['uuid'])
        _piano = _procedura_vas.piano
        _token = info.context.session['token'] if 'token' in info.context.session else None
        _organization = _piano.ente
        if info.context.user and \
        rules.test_rule('strt_core.api.can_edit_piano', info.context.user, _piano) and \
        rules.test_rule('strt_core.api.is_actor', _token or (info.context.user, _organization), 'Comune'):
            try:
                cls.update_actions_for_phase(_piano.fase, _piano, _procedura_vas)

                if _piano.is_eligible_for_promotion:
                    _piano.fase = _fase = Fase.objects.get(nome=_piano.next_phase)

                    # Notify Users
                    piano_phase_changed.send(
                        sender=Piano,
                        user=info.context.user,
                        piano=_piano,
                        message_type="piano_phase_changed")

                    _piano.save()
                    fase.promuovi_piano(_fase, _piano)

                return UploadElaboratiVAS(
                    vas_aggiornata=_procedura_vas,
                    errors=[]
                )
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)
        else:
            return GraphQLError(_("Forbidden"), code=403)
示例#5
0
    def mutate(cls, root, info, **input):
        _procedura_vas = ProceduraVAS.objects.get(uuid=input['uuid'])
        _piano = _procedura_vas.piano
        _token = info.context.session['token'] if 'token' in info.context.session else None
        _organization = _piano.ente
        if info.context.user and \
        rules.test_rule('strt_core.api.can_edit_piano', info.context.user, _piano) and \
        rules.test_rule('strt_core.api.is_actor', _token or (info.context.user, _organization), 'AC'):
            try:
                _pareri_verifica_sca = _piano.azioni.filter(
                    tipologia=TIPOLOGIA_AZIONE.pareri_verifica_sca).first()
                if _pareri_verifica_sca and _pareri_verifica_sca.stato != STATO_AZIONE.nessuna:
                    return GraphQLError(_("Forbidden"), code=403)
                if not _procedura_vas.verifica_effettuata and \
                _procedura_vas.tipologia in (TIPOLOGIA_VAS.verifica, TIPOLOGIA_VAS.semplificata):
                    cls.update_actions_for_phase(_piano.fase, _piano, _procedura_vas)
                else:
                    return GraphQLError(_("Forbidden"), code=403)

                return AssoggettamentoVAS(
                    vas_aggiornata=_procedura_vas,
                    errors=[]
                )
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)
        else:
            return GraphQLError(_("Forbidden"), code=403)
示例#6
0
    def __init__(self, user, *args, **kwargs):
        super(CitationForm, self).__init__( *args, **kwargs)
        self.user = user

        if not self.is_bound:
            if not self.fields['record_status_value'].initial:
                self.fields['record_status_value'].initial = CuratedMixin.ACTIVE

        # disable fields user doesn't have access to
        if self.instance.pk:
            # Don't let the user change type_controlled.
            #self.fields['type_controlled'].widget.attrs['readonly'] = True
            #self.fields['type_controlled'].widget.attrs['disabled'] = True
            self.fields['title'].widget.attrs['placeholder'] = "No title"
            self.fields['type_controlled'].widget = forms.widgets.HiddenInput()

            if self.instance.type_controlled in [Citation.REVIEW, Citation.CHAPTER, Citation.ARTICLE, Citation.ESSAY_REVIEW]:
                self.fields['physical_details'].widget = forms.widgets.HiddenInput()
                self.fields['book_series'].widget = forms.widgets.HiddenInput()

            if self.instance.type_controlled in [Citation.THESIS]:
                self.fields['book_series'].widget = forms.widgets.HiddenInput()

            for field in self.fields:
                can_update = rules.test_rule('can_update_citation_field', user, (field, self.instance.pk))
                if not can_update:
                    self.fields[field].widget.attrs['readonly'] = True
                    self.fields[field].widget.attrs['disabled'] = True


                can_view = rules.test_rule('can_view_citation_field', user, (field, self.instance.pk))
                if not can_view:
                    self.fields[field] = forms.CharField(widget=NoViewInput())
                    self.fields[field].widget.attrs['readonly'] = True
                    self.fields[field].widget.attrs['disabled'] = True
示例#7
0
    def mutate(cls, root, info, file, **input):
        if info.context.user and rules.test_rule(
                'strt_core.api.can_access_private_area', info.context.user):
            # Fetching input arguments
            _uuid_avvio = input['codice']
            _tipo_file = input['tipo_file']

            try:
                # Validating 'Procedura VAS'
                _procedura_avvio = ProceduraAvvio.objects.get(uuid=_uuid_avvio)
                if rules.test_rule('strt_core.api.can_edit_piano',
                                   info.context.user, _procedura_avvio.piano):
                    _resources = UploadBaseBase.handle_uploaded_data(
                        file, _uuid_avvio, _procedura_avvio.piano.fase,
                        _tipo_file, info.context.user)
                    _success = False
                    if _resources and len(_resources) > 0:
                        _success = True
                        for _risorsa in _resources:
                            RisorseAvvio(procedura_avvio=_procedura_avvio,
                                         risorsa=_risorsa).save()
                    return UploadRisorsaAvvio(
                        procedura_avvio_aggiornata=_procedura_avvio,
                        success=_success,
                        file_name=_resources[0].nome)
                else:
                    return GraphQLError(_("Forbidden"), code=403)
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)

        # Something went wrong
        return GraphQLError(_("Not Allowed"), code=405)
示例#8
0
 def __init__(self, *args, **kwargs):
     user = kwargs.pop('user')
     super(PatientTransferForm, self).__init__(*args, **kwargs)
     self.helper = FormHelper()
     self.helper.form_class = 'form-horizontal hn-form admittance'
     self.helper.form_method = 'POST'
     self.helper.label_class = 'col-lg-2'
     self.helper.field_class = 'col-lg-8'
     self.helper.layout = Layout(
         Fieldset('Patient Transfer Form',
                  'doctor',
                  'hospital',
                  'reason'
                  ),
         FormActions(
             Submit('submit', 'Submit'),
             HTML(
                 '<a class="btn btn-default" href={% if next_url %}{{ next_url }}{% else %}'
                 '{% url "registry:home" %}{% endif %}>Cancel</a>'
             )
         )
     )
     # Filter the fields for doctor and hospital based on the user requesting transfer
     # A doctor will see his name and the hospital he works at
     # An admin will see his hospital and the doctors that work there
     if rules.test_rule('is_doctor', user):
         self.fields['doctor'].queryset = Doctor.objects.filter(uuid=user.uuid)
         self.fields['hospital'].queryset = user.hospitals.all()
     elif rules.test_rule('is_administrator', user):
         self.fields['doctor'].queryset = Doctor.objects.filter(hospitals__name__exact=user.hospital.name)
         self.fields['hospital'].queryset = Hospital.objects.filter(name=user.hospital.name)
示例#9
0
 def mutate_and_get_payload(cls, root, info, **input):
     _piano = Piano.objects.get(codice=input['codice_piano'])
     _procedura_vas_data = input.get('procedura_vas')
     if info.context.user and \
     rules.test_rule('strt_core.api.can_edit_piano', info.context.user, _piano) and \
     rules.test_rule('strt_core.api.can_update_piano', info.context.user, _piano):
         try:
             # ProceduraVAS (M)
             _procedura_vas_data['piano'] = _piano
             # Ente (M)
             _procedura_vas_data['ente'] = _piano.ente
             # Note (O)
             if 'note' in _procedura_vas_data:
                 _data = _procedura_vas_data.pop('note')
                 _procedura_vas_data['note'] = _data[0]
             _procedura_vas = ProceduraVAS()
             _procedura_vas.piano = _piano
             _procedura_vas_data['id'] = _procedura_vas.id
             _procedura_vas_data['uuid'] = _procedura_vas.uuid
             nuova_procedura_vas = update_create_instance(
                 _procedura_vas, _procedura_vas_data)
             return cls(nuova_procedura_vas=nuova_procedura_vas)
         except BaseException as e:
             tb = traceback.format_exc()
             logger.error(tb)
             return GraphQLError(e, code=500)
     else:
         return GraphQLError(_("Forbidden"), code=403)
示例#10
0
    def mutate(cls, root, info, **input):
        _procedura_adozione = ProceduraAdozione.objects.get(uuid=input['uuid'])
        _piano = _procedura_adozione.piano
        _token = info.context.session[
            'token'] if 'token' in info.context.session else None
        _organization = _piano.ente
        if info.context.user and rules.test_rule('strt_core.api.can_edit_piano', info.context.user, _piano) and \
        rules.test_rule('strt_core.api.is_actor', _token or (info.context.user, _organization), 'Regione'):
            try:
                cls.update_actions_for_phase(_piano.fase, _piano,
                                             _procedura_adozione,
                                             info.context.user, _token)

                # Notify Users
                piano_phase_changed.send(
                    sender=Piano,
                    user=info.context.user,
                    piano=_piano,
                    message_type="esito_conferenza_paesaggistica")

                return EsitoConferenzaPaesaggistica(
                    adozione_aggiornata=_procedura_adozione, errors=[])
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)
        else:
            return GraphQLError(_("Forbidden"), code=403)
示例#11
0
    def mutate_and_get_payload(cls, root, info, **input):
        _piano = Piano.objects.get(codice=input['codice_piano'])
        _procedura_adozione_data = input.get('procedura_adozione')
        if info.context.user and \
        rules.test_rule('strt_core.api.can_edit_piano', info.context.user, _piano) and \
        rules.test_rule('strt_core.api.can_update_piano', info.context.user, _piano):
            try:
                # ProceduraAdozione (M)
                _procedura_adozione_data['piano'] = _piano
                # Ente (M)
                _procedura_adozione_data['ente'] = _piano.ente

                _procedura_adozione = ProceduraAdozione()
                _procedura_adozione.piano = _piano
                _procedura_adozione.ente = _piano.ente
                _procedura_adozione_data['id'] = _procedura_adozione.id
                _procedura_adozione_data['uuid'] = _procedura_adozione.uuid
                nuova_procedura_adozione = update_create_instance(
                    _procedura_adozione, _procedura_adozione_data)

                _piano.procedura_adozione = nuova_procedura_adozione
                _piano.save()

                return cls(nuova_procedura_adozione=nuova_procedura_adozione)
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)
        else:
            return GraphQLError(_("Forbidden"), code=403)
示例#12
0
    def mutate(cls, root, info, **input):
        _procedura_avvio = ProceduraAvvio.objects.get(uuid=input['uuid'])
        _piano = _procedura_avvio.piano
        _token = info.context.session[
            'token'] if 'token' in info.context.session else None
        _organization = _piano.ente
        if info.context.user and rules.test_rule('strt_core.api.can_edit_piano', info.context.user, _piano) and \
        rules.test_rule('strt_core.api.is_actor', _token or (info.context.user, _organization), 'Comune'):
            try:
                cls.update_actions_for_phase(_piano.fase, _piano,
                                             _procedura_avvio,
                                             info.context.user)

                # Notify Users
                """
                TODO
                """
                # piano_phase_changed.send(
                #     sender=Piano,
                #     user=info.context.user,
                #     piano=_piano,
                #     message_type="piano_phase_changed")

                return IntegrazioniRichieste(avvio_aggiornato=_procedura_avvio,
                                             errors=[])
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)
        else:
            return GraphQLError(_("Forbidden"), code=403)
示例#13
0
 def test_rule_can_read_datasource_pubic(self):
     d = DataSource.objects.get(name='PublicD1')
     owner = User.objects.get(email='*****@*****.**')
     other = User.objects.get(email='*****@*****.**')
     admin = User.objects.get(email='*****@*****.**')
     self.assertTrue(rules.test_rule('can_read_datasource', owner, d))
     self.assertTrue(rules.test_rule('can_read_datasource', other, d))
     self.assertTrue(rules.test_rule('can_read_datasource', admin, d))
示例#14
0
    def update_actions_for_phase(cls, fase, piano, procedura_adozione, user,
                                 token):

        # Update Azioni Piano
        # - Complete Current Actions
        _order = piano.azioni.count()

        # - Update Action state accordingly
        if fase.nome == FASE.avvio:
            _osservazioni_enti = piano.azioni.filter(
                tipologia=TIPOLOGIA_AZIONE.osservazioni_enti).first()

            _osservazioni_regione = piano.azioni.filter(
                tipologia=TIPOLOGIA_AZIONE.osservazioni_regione).first()

            _upload_osservazioni_privati = piano.azioni.filter(
                tipologia=TIPOLOGIA_AZIONE.upload_osservazioni_privati).first(
                )

            _organization = piano.ente

            if rules.test_rule('strt_core.api.is_actor', token
                               or (user, _organization), 'Regione'):
                if _osservazioni_regione and _osservazioni_regione.stato != STATO_AZIONE.nessuna:
                    _osservazioni_regione.stato = STATO_AZIONE.nessuna
                    _osservazioni_regione.data = datetime.datetime.now(
                        timezone.get_current_timezone())
                    _osservazioni_regione.save()

                    if _osservazioni_enti and _osservazioni_enti.stato != STATO_AZIONE.nessuna:
                        _osservazioni_enti.stato = STATO_AZIONE.nessuna
                        _osservazioni_enti.data = datetime.datetime.now(
                            timezone.get_current_timezone())
                        _osservazioni_enti.save()

            if rules.test_rule('strt_core.api.is_actor', token
                               or (user, _organization), 'Comune'):
                if _upload_osservazioni_privati and _upload_osservazioni_privati.stato != STATO_AZIONE.nessuna:
                    _upload_osservazioni_privati.stato = STATO_AZIONE.nessuna
                    _upload_osservazioni_privati.data = datetime.datetime.now(
                        timezone.get_current_timezone())
                    _upload_osservazioni_privati.save()

            if _upload_osservazioni_privati.stato == STATO_AZIONE.nessuna and \
            _osservazioni_regione.stato == STATO_AZIONE.nessuna:
                _controdeduzioni = Azione(
                    tipologia=TIPOLOGIA_AZIONE.controdeduzioni,
                    attore=TIPOLOGIA_ATTORE.comune,
                    order=_order,
                    stato=STATO_AZIONE.attesa)
                _controdeduzioni.save()
                _order += 1
                AzioniPiano.objects.get_or_create(azione=_controdeduzioni,
                                                  piano=piano)
        else:
            raise Exception(
                _("Fase Piano incongruente con l'azione richiesta"))
示例#15
0
    def __init__(self, user, authority_id, *args, **kwargs):
        super(PersonForm, self).__init__( *args, **kwargs)
        self.user = user
        self.authority_id = authority_id

        if authority_id:
            can_update = rules.test_rule('can_update_authority_field', user, ('person', authority_id))
            can_view = rules.test_rule('can_view_authority_field', user, ('person', authority_id))

            set_field_access(can_update, can_view, self.fields)
示例#16
0
    def mutate(cls, root, info, **input):
        _procedura_vas = ProceduraVAS.objects.get(uuid=input['uuid'])
        _piano = _procedura_vas.piano
        _token = info.context.session['token'] if 'token' in info.context.session else None
        _organization = _piano.ente
        if info.context.user and \
        rules.test_rule('strt_core.api.can_edit_piano', info.context.user, _piano) and \
        rules.test_rule('strt_core.api.is_actor', _token or (info.context.user, _organization), 'SCA'):
            try:
                _pareri_vas_count = ParereVerificaVAS.objects.filter(
                    user=info.context.user,
                    procedura_vas=_procedura_vas
                )

                if _pareri_vas_count.count() == 0:
                    _parere_vas = ParereVerificaVAS(
                        inviata=True,
                        user=info.context.user,
                        procedura_vas=_procedura_vas
                    )
                    _parere_vas.save()
                elif _pareri_vas_count.count() != 1:
                    return GraphQLError(_("Forbidden"), code=403)

                _tutti_pareri_inviati = True
                for _sca in _piano.soggetti_sca.all():
                    _pareri_vas_count = ParereVerificaVAS.objects.filter(
                        user=_sca.user,
                        procedura_vas=_procedura_vas
                    ).count()
                    if _pareri_vas_count != 1:
                        _tutti_pareri_inviati = False
                        break

                if _tutti_pareri_inviati:

                    # Notify Users
                    piano_phase_changed.send(
                        sender=Piano,
                        user=info.context.user,
                        piano=_piano,
                        message_type="tutti_pareri_inviati")

                    cls.update_actions_for_phase(_piano.fase, _piano, _procedura_vas)

                return InvioPareriVerificaVAS(
                    vas_aggiornata=_procedura_vas,
                    errors=[]
                )
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)
        else:
            return GraphQLError(_("Forbidden"), code=403)
示例#17
0
    def _get_validation_exclusions(self):
        exclude = super(CitationForm, self)._get_validation_exclusions()

        # remove fields that user isn't allowed to modify
        if self.instance.pk:
            for field in self.fields:
                can_update = rules.test_rule('can_update_citation_field', self.user, (field, self.instance.pk))
                can_view = rules.test_rule('can_view_citation_field', self.user, (field, self.instance.pk))
                if not can_update or not can_view:
                    exclude.append(field)
        return exclude
示例#18
0
def check_rule(rule, fn: callable = None, **kwargs):
    """
    Return a middleware that validates if the current user respects the
    given rule.
    """
    import rules

    if fn is None:
        test = (lambda r: rules.test_rule(rule, r.user))
    else:
        test = (lambda r: rules.test_rule(rule, r.user, fn(r)))
    return access_control(test, **kwargs)
    def test_default_permission(self):
        self.assertTrue(
            rules.test_rule('exportdb.can_export', self.super_user)
        )

        self.assertFalse(
            rules.test_rule('exportdb.can_export', self.normal_user)
        )

        self.assertFalse(
            rules.test_rule('exportdb.can_export', self.staff_user)
        )
示例#20
0
    def _get_validation_exclusions(self):
        exclude = super(PersonForm, self)._get_validation_exclusions()

        if self.authority_id:
            # remove fields that user isn't allowed to modify
            can_update = rules.test_rule('can_update_authority_field', self.user, ('person', self.authority_id))
            can_view = rules.test_rule('can_view_authority_field', self.user, ('person', self.authority_id))

            for field in self.fields:
                if not can_update or not can_view:
                    exclude.append(field)

        return exclude
示例#21
0
    def test_rule_can_read_datasource_internal(self):
        d = DataSource.objects.get(name='InternalD1')
        owner = User.objects.get(email='*****@*****.**')
        other = User.objects.get(email='*****@*****.**')
        admin = User.objects.get(email='*****@*****.**')
        suser = User.objects.get(email='*****@*****.**')
        guser = User.objects.get(email='*****@*****.**')

        self.assertTrue(rules.test_rule('can_read_datasource', owner, d))
        self.assertTrue(rules.test_rule('can_read_datasource', admin, d))
        self.assertFalse(rules.test_rule('can_read_datasource', other, d))
        self.assertTrue(rules.test_rule('can_read_datasource', suser, d))
        self.assertTrue(rules.test_rule('can_read_datasource', guser, d))
示例#22
0
    def _get_validation_exclusions(self):
        exclude = super(PartDetailsForm, self)._get_validation_exclusions()

        # remove fields that user isn't allowed to modify
        if self.citation_id:
            can_update = rules.test_rule('can_update_citation_field', self.user, ('part_details', self.citation_id))
            can_view = rules.test_rule('can_view_citation_field', self.user, ('part_details', self.citation_id))

            for field in self.fields:
                if not can_update or not can_view:
                    exclude.append(field)

        return exclude
示例#23
0
 def is_valid(self, boby):
     valid = super(UploadUsersForm, self).is_valid()
     if not valid:
         return False
     if not rules.test_rule('can_upload_users', boby):
         raise PermissionDenied
     return True
示例#24
0
    def mutate(cls, root, info, file, **input):
        if rules.test_rule('strt_core.api.can_access_private_area', info.context.user):
            # Fetching input arguments
            _uuid_vas = input['codice']
            _tipo_file = input['tipo_file']

            try:
                # Validating 'Procedura VAS'
                _procedura_vas = ProceduraVAS.objects.get(uuid=_uuid_vas)
                _resources = UploadBaseBase.handle_uploaded_data(
                    file,
                    _uuid_vas,
                    _procedura_vas.piano.fase,
                    _tipo_file
                )
                _success = False
                if _resources and len(_resources) > 0:
                    _success = True
                    for _risorsa in _resources:
                        RisorseVas(procedura_vas=_procedura_vas, risorsa=_risorsa).save()
                return UploadRisorsaVAS(procedura_vas_aggiornata=_procedura_vas, success=_success)
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)

        # Something went wrong
        return GraphQLError(_("Not Allowed"), code=405)
    def process_view(self, request, view_func, view_args, view_kwargs):

        request.is_appadmin = False

        # the admin has to use localcosmos_server.urls to not conflict with the commercial installation
        # online_content needs the correct urlconf
        if '/app-admin/' in request.path:

            request.is_appadmin = True

            if 'app_uid' not in view_kwargs:
                raise ImproperlyConfigured(
                    'all app-admin urls require app_uid as an url kwarg')

            app = App.objects.get(uid=view_kwargs['app_uid'])
            request.app = app

            login_path = reverse('log_in')

            if login_path not in request.path:

                user = request.user
                if not user.is_authenticated:
                    url = '{0}?next={1}'.format(reverse('log_in'),
                                                request.path)
                    return redirect(url)

                has_access = rules.test_rule('app_admin.has_access', user, app)
                if not has_access:
                    raise PermissionDenied

            request.urlconf = 'localcosmos_server.urls'
            set_urlconf('localcosmos_server.urls')

        return None
示例#26
0
 def get(self, request, *args, **kwargs):
     """Check that the object to be edited belongs to user that created it"""
     self.object = self.get_object()
     if rules.test_rule('edit_author', self.request.user, self.object):
         return self.render_to_response(self.get_context_data())
     messages.error(self.request, CONTEXT_MESSAGES['OPERATION_FAILED'])
     return redirect(self.get_success_url())
示例#27
0
    def __init__(self, *args, **kwargs):
        user = kwargs.pop('user')
        super(AppointmentSchedulingForm, self).__init__(*args, **kwargs)
        self.helper = FormHelper()
        self.helper.form_class = 'form-horizontal hn-form appointment'
        self.helper.form_method = 'POST'
        self.helper.form_action = reverse_lazy('registry:appt_create')
        self.helper.label_class = 'col-lg-2'
        self.helper.field_class = 'col-lg-8'

        self.helper.layout = Layout(
                Fieldset('Appointment Scheduling',
                         Div(
                                 Div('time', css_class='col-lg-3'),
                                 css_class='row',
                         ),
                         'doctor',
                         'patient',
                         'location',
                         ),
                FormActions(
                        Submit('submit', 'Submit'),
                        HTML(
                                '<a class="btn btn-default" href={% if next_url %}{{ next_url }}{% else %}'
                                '{% url "registry:home" %}{% endif %}>Cancel</a>')
                )
        )
        if rules.test_rule('is_patient', user):
            self.fields['patient'].queryset = Patient.objects.filter(uuid=user.uuid)
        # elif rules.test_rule('is_doctor', user):
        #    self.fields['patient'].queryset = Patient.objects.filter(provider=user)
        # elif rules.test_rule('is_nurse', user):
        #    self.fields['patient'].queryset = Patient.objects.filter(pref_hospital=user.hospital)
        self.fields['time'].widget.attrs['timepicker'] = True
示例#28
0
    def post(self, request, *args, **kwargs):
        self.object = self.get_object()
        community = self.object
        try:
            user_subscription = CommunitySubscription.objects.get(
                user=request.user, community=community)
        except CommunitySubscription.DoesNotExist:
            messages.warning(
                request, 'You cannot unsubscribe when you are not subscribed')
            return redirect(community)

        if not rules.test_rule('can_unsubscribe', request.user,
                               user_subscription):
            messages.error(
                request, 'You cannot unsubscribe when you are the last owner')
            return redirect(community)

        EventRSVP.objects.filter(event__pk__in=Event.objects.upcoming().filter(
            community=community).values_list('pk', flat=True),
                                 user=request.user).delete()
        user_subscription.delete()
        messages.success(
            request,
            'Successfully unsubscribed from "{}"'.format(community.name))
        return redirect(community)
示例#29
0
    def mutate(cls, root, info, **input):
        _piano = Piano.objects.get(codice=input['codice_piano'])
        if info.context.user and rules.test_rule(
                'strt_core.api.can_edit_piano', info.context.user, _piano):
            try:
                if _piano.is_eligible_for_promotion:
                    _piano.fase = _fase = Fase.objects.get(
                        nome=_piano.next_phase)

                    # Notify Users
                    piano_phase_changed.send(
                        sender=Piano,
                        user=info.context.user,
                        piano=_piano,
                        message_type="piano_phase_changed")

                    _piano.save()
                    fase.promuovi_piano(_fase, _piano)

                    return PromozionePiano(piano_aggiornato=_piano, errors=[])
                else:
                    return GraphQLError(_("Not Allowed"), code=405)
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)
        else:
            return GraphQLError(_("Forbidden"), code=403)
    def dispatch(self, request, *args, **kwargs):
        has_access = rules.test_rule('app.is_admin', request.user, request.app)

        if not has_access:
            raise PermissionDenied

        return super().dispatch(request, *args, **kwargs)
示例#31
0
    def init_with_context(self, context):
        self.available_children.append(modules.LinkList)

        # Initiatives
        self.children.append(RecentInitiatives())
        self.children.append(MyReviewingInitiatives())

        # Activities
        self.children.append(RecentActivities())
        self.children.append(RecentEvents())
        self.children.append(RecentFunding())
        self.children.append(RecentAssignments())

        # Payouts
        self.children.append(PayoutsReadForApprovalDashboardModule())

        # Other
        self.children.append(
            modules.RecentActions(_('Recent Actions'), 10, column=0, order=0))
        self.children.append(RecentMembersDashboard())
        if rules.test_rule('exportdb.can_export', context['request'].user):
            metrics_children = [
                {
                    'title': _('Export metrics'),
                    'url': reverse_lazy('exportdb_export'),
                },
            ]
            self.children.append(
                LinkList(_('Export Metrics'), children=metrics_children))
示例#32
0
    def qs(self):
        # The query context can be found in self.request.
        _enti = []
        _memberships = None
        if rules.test_rule('strt_core.api.can_access_private_area',
                           self.request.user):
            _memberships = self.request.user.memberships
            if _memberships:
                for _m in _memberships.all():
                    if _m.type.code == settings.RESPONSABILE_ISIDE_CODE:
                        # RESPONSABILE_ISIDE_CODE cannot access to Piani at all
                        continue
                    else:
                        _enti.append(_m.organization.code)

        token = self.request.session.get('token', None)
        if token:
            _allowed_pianos = [
                _pt.piano.codice
                for _pt in PianoAuthTokens.objects.filter(token__key=token)
            ]
            return super(PianoUserMembershipFilter, self).qs.filter(
                codice__in=_allowed_pianos).order_by('-last_update')
        else:
            return super(
                PianoUserMembershipFilter,
                self).qs.filter(ente__code__in=_enti).order_by('-last_update')
示例#33
0
    def mutate(cls, root, info, file, **input):
        if rules.test_rule('strt_core.api.can_access_private_area', info.context.user):
            # Fetching input arguments
            _codice_piano = input['codice']
            _tipo_file = input['tipo_file']

            try:
                # Validating 'Piano'
                _piano = Piano.objects.get(codice=_codice_piano)
                _resources = UploadBaseBase.handle_uploaded_data(
                    file,
                    _codice_piano,
                    _piano.fase,
                    _tipo_file
                )
                _success = False
                if _resources and len(_resources) > 0:
                    _success = True
                    for _risorsa in _resources:
                        RisorsePiano(piano=_piano, risorsa=_risorsa).save()
                return UploadFile(piano_aggiornato=_piano, success=_success,file_name=_resources[0].nome)
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)

        # Something went wrong
        return GraphQLError(_("Not Allowed"), code=405)
示例#34
0
 def is_valid(self, boby):
     valid = super(UploadUsersForm, self).is_valid()
     if not valid:
         return False
     if not rules.test_rule('can_upload_users', boby):
         raise PermissionDenied
     return True
示例#35
0
    def mutate_and_get_payload(cls, root, info, **input):
        _procedura_avvio = ProceduraAvvio.objects.get(uuid=input['uuid'])
        _procedura_avvio_data = input.get('procedura_avvio')
        if 'piano' in _procedura_avvio_data:
            # This cannot be changed
            _procedura_avvio_data.pop('piano')
        _piano = _procedura_avvio.piano
        _token = info.context.session[
            'token'] if 'token' in info.context.session else None
        _ente = _piano.ente
        if info.context.user and \
        rules.test_rule('strt_core.api.can_edit_piano', info.context.user, _piano):
            try:
                if 'uuid' in _procedura_avvio_data:
                    _procedura_avvio_data.pop('uuid')
                    # This cannot be changed

                if 'data_creazione' in _procedura_avvio_data:
                    _procedura_avvio_data.pop('data_creazione')
                    # This cannot be changed

                # Ente (M)
                if 'ente' in _procedura_avvio_data:
                    _procedura_avvio_data.pop('ente')
                    # This cannot be changed

                # Tipologia (O)
                if 'conferenza_copianificazione' in _procedura_avvio_data and \
                (rules.test_rule('strt_users.is_superuser', info.context.user) or is_RUP(info.context.user) or
                 rules.test_rule('strt_core.api.is_actor', _token or (info.context.user, _ente), 'Comune')):
                    _conferenza_copianificazione = _procedura_avvio_data.pop(
                        'conferenza_copianificazione')
                    if _conferenza_copianificazione and _conferenza_copianificazione in TIPOLOGIA_CONF_COPIANIFIZAZIONE:
                        _procedura_avvio_data[
                            'conferenza_copianificazione'] = _conferenza_copianificazione

                procedura_avvio_aggiornata = update_create_instance(
                    _procedura_avvio, _procedura_avvio_data)

                return cls(
                    procedura_avvio_aggiornata=procedura_avvio_aggiornata)
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)
        else:
            return GraphQLError(_("Forbidden"), code=403)
示例#36
0
    def mutate(self, info, **input):
        if info.context.user and rules.test_rule('strt_users.can_access_private_area', info.context.user) and \
        (rules.test_rule('strt_users.is_superuser', info.context.user) or is_RUP(info.context.user)):

            # Fetching input arguments
            _id = input['uuid']
            try:
                _contatto = Contatto.objects.get(uuid=_id)
                _contatto.delete()

                return DeleteContatto(success=True, uuid=_id)
            except BaseException as e:
                tb = traceback.format_exc()
                logger.error(tb)
                return GraphQLError(e, code=500)

        return DeleteContatto(success=False)
示例#37
0
    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed following rule 'can_read_datasource',

        if request.method in permissions.SAFE_METHODS:
            return rules.test_rule('can_read_workspace', request.user, obj)

        # Write permissions are only allowed to the owner of the snippet.
        return obj.owner == request.user
示例#38
0
def validate_fields_with_rules(user,
                               data,
                               error_message='Not found',
                               **kwargs):
    for field, rule_name in kwargs.items():
        assert rules.rule_exists(rule_name)
        if field in data and not rules.test_rule(rule_name, user, data[field]):
            raise ApplicationValidationError(field, [error_message])
示例#39
0
 def post(self, request, *args, **kwargs):
     user_social_auth = self.get_object()
     if not rules.test_rule('can_delete_user_social_auth', request.user, user_social_auth):
         messages.error(request, "Can not remove the last social account unless a password has been set.")
         return redirect('profile')
     assert isinstance(user_social_auth, UserSocialAuth)
     user_social_auth.delete()
     return redirect('profile')
示例#40
0
 def get_object(self, qs=None):
     if qs:
         self.object = qs.get(id=self.kwargs['pk'])
         if not rules.test_rule('can_change_snip', self.request,
                                self.object):
             raise PermissionDenied
         return self.object
     raise ValueError('Queryset is none')
示例#41
0
    def post(self, request, *args, **kwargs):
        subscription = self.get_object()
        if rules.test_rule('is_last_owner', request.user, subscription):
            messages.error(request, 'You cannot change your role when you are the last owner')
            return redirect(subscription.community)

        subscription.role = kwargs['role']
        subscription.save()
        return redirect(subscription.community)
示例#42
0
    def __init__(self, user, *args, **kwargs):
        super(AuthorityForm, self).__init__(*args, **kwargs)
        if not self.is_bound:
            if not self.fields['record_status_value'].initial:
                self.fields['record_status_value'].initial = CuratedMixin.ACTIVE

        self.user = user

        # disable fields user doesn't have access to
        if self.instance.pk:
            for field in self.fields:
                can_update = rules.test_rule('can_update_authority_field', user, (field, self.instance.pk))
                if not can_update:
                    self.fields[field].widget.attrs['readonly'] = True

                can_view = rules.test_rule('can_view_authority_field', user, (field, self.instance.pk))
                if not can_view:
                    self.fields[field] = forms.CharField(widget=NoViewInput())
                    self.fields[field].widget.attrs['readonly'] = True
示例#43
0
    def __init__(self, user, citation_id=None, *args, **kwargs):
        super(PartDetailsForm, self).__init__( *args, **kwargs)
        self.user = user
        self.citation_id = citation_id

        self.fields['volume_begin'].widget.attrs['placeholder'] = "Begin #"
        self.fields['volume_end'].widget.attrs['placeholder'] = "End #"
        self.fields['volume_free_text'].widget.attrs['placeholder'] = "Volume"
        self.fields['issue_begin'].widget.attrs['placeholder'] = "Begin #"
        self.fields['issue_end'].widget.attrs['placeholder'] = "End #"
        self.fields['issue_free_text'].widget.attrs['placeholder'] = "Issue"
        self.fields['page_begin'].widget.attrs['placeholder'] = "Begin #"
        self.fields['page_end'].widget.attrs['placeholder'] = "End #"
        self.fields['pages_free_text'].widget.attrs['placeholder'] = "Pages"
        self.fields['extent'].widget.attrs['placeholder'] = "Extent"
        self.fields['extent_note'].widget.attrs['placeholder'] = "Extent note"


        if citation_id:
            can_update = rules.test_rule('can_update_citation_field', user, ('part_details', citation_id))
            can_view = rules.test_rule('can_view_citation_field', user, ('part_details', citation_id))

            set_field_access(can_update, can_view, self.fields)
示例#44
0
    def get(self, request, *args, **kwargs):
        self.object = self.get_object()
        community = self.object
        try:
            user_subscription = CommunitySubscription.objects.get(
                user=request.user, community=community)
        except CommunitySubscription.DoesNotExist:
            messages.warning(request, 'You cannot unsubscribe when you are not subscribed')
            return redirect(community)

        if not rules.test_rule('can_unsubscribe', request.user, user_subscription):
            messages.error(request, 'You cannot unsubscribe when you are the last owner')
            return redirect(community)

        return super().get(request, *args, **kwargs)
示例#45
0
    def post(self, request, *args, **kwargs):
        self.object = self.get_object()
        community = self.object
        try:
            user_subscription = CommunitySubscription.objects.get(
                user=request.user, community=community)
        except CommunitySubscription.DoesNotExist:
            messages.warning(request, 'You cannot unsubscribe when you are not subscribed')
            return redirect(community)

        if not rules.test_rule('can_unsubscribe', request.user, user_subscription):
            messages.error(request, 'You cannot unsubscribe when you are the last owner')
            return redirect(community)

        EventRSVP.objects.upcoming.filter(
            event__community=community, user=request.user).delete()
        user_subscription.delete()
        messages.success(request, 'Successfully unsubscribed from "{}"'.format(community.name))
        return redirect(community)
示例#46
0
 def dispatch(self, request, *args, **kwargs):
     if not rules.test_rule('exportdb.can_export', request.user):
         raise PermissionDenied
     return super(ExportPermissionMixin, self).dispatch(request, *args, **kwargs)
示例#47
0
 def test_single(self, user, rule):
     """
     Return True if user has permission.
     """
     return user.is_superuser or rules.test_rule(rule, user, self.model)
 def test_permission_testings(self):
     with mock.patch('rules.is_staff', return_value=True):
         self.assertTrue(
             rules.test_rule('exportdb.can_export', self.normal_user)
         )
         permission_mock.assert_called_with(self.normal_user)