def can_unlock(self, item, user_id):
"""
Function checks whether user can unlock the item or not.
"""
can_user_edit, error_message = superdesk.get_resource_service('archive').can_edit(item, user_id)
if can_user_edit:
if not (str(item.get(LOCK_USER, '')) == str(user_id) or
(current_user_has_privilege('archive') and current_user_has_privilege('unlock'))):
return False, 'You don\'t have permissions to unlock an item.'
else:
return False, error_message
return True, ''
def _validate_user(self, doc_user_id, doc_is_global):
session_user = get_user(required=True)
if str(session_user['_id']) != str(doc_user_id):
if not doc_is_global:
raise SuperdeskApiError.forbiddenError('Unauthorized to modify other user\'s local search.')
elif not current_user_has_privilege('global_saved_searches'):
raise SuperdeskApiError.forbiddenError('Unauthorized to modify global search.')
def _validate_on_create(doc):
"""
User can only create global report if they have 'global_saved_reports' permission
"""
if doc.get('is_global', False) and not current_user_has_privilege(
'global_saved_reports'):
raise SuperdeskApiError.forbiddenError(
'Unauthorized to create global report.')
def check_post_permission(self, post):
to_be_checked = (dict(status='open',
privilege_required='publish_post'),
dict(status='submitted',
privilege_required='submit_post'))
for rule in to_be_checked:
if 'post_status' in post and post['post_status'] == rule['status']:
if not current_user_has_privilege(rule['privilege_required']):
raise SuperdeskApiError.forbiddenError(
message='User does not have sufficient permissions.')
def check_post_permission(self, post):
to_be_checked = (
dict(status='open', privilege_required='publish_post'),
dict(status='submitted', privilege_required='submit_post')
)
for rule in to_be_checked:
if 'post_status' in post and post['post_status'] == rule['status']:
if not current_user_has_privilege(rule['privilege_required']):
raise SuperdeskApiError.forbiddenError(
message='User does not have sufficient permissions.')
def on_update(self, updates, original):
if 'name' in updates and not current_user_has_privilege(
'planning_agenda_management'):
raise SuperdeskApiError.forbiddenError(
'Insufficient privileges to update agenda.')
user = get_user()
if user and user.get(config.ID_FIELD):
updates['version_creator'] = user[config.ID_FIELD]
self._validate_unique_agenda(updates, original)
def process_subscription(self, updates, original):
"""Do subscribe user if requested"""
subscribers = updates.get('subscribers')
if not subscribers:
return
if not current_user_has_privilege('saved_searches_subscriptions'):
raise SuperdeskApiError.forbiddenError(
_('Unauthorized to modify subscriptions.'))
session_user = get_user_id(required=True)
ori_subscribers = original.get('subscribers', {})
subscribers_users = subscribers.get('user_subscriptions', [])
try:
ori_sub_users = {
(d['user'], d['scheduling'])
for d in ori_subscribers.get('user_subscriptions', [])
}
except AttributeError:
ori_sub_users = set()
updates_sub_users = {(d['user'], d['scheduling'])
for d in subscribers_users}
# users which have either new or modified subscriptions
updated_subscribers = {
s[0]
for s in set(updates_sub_users).difference(ori_sub_users)
}
# users which have subscriptions removed
removed_subscribers = {
s[0]
for s in ori_sub_users.difference(updates_sub_users)
}
if not updated_subscribers.issubset({
session_user
}) or not removed_subscribers.issubset({session_user}):
# user tries to modify other user(s) subscriptions, is she allowed to?
if not current_user_has_privilege(
'saved_searches_subscriptions_admin'):
raise SuperdeskApiError.forbiddenError(
_("Unauthorized to modify other users' subscriptions."))
def _validate_ownership(doc):
"""
Validate saved reports on update/delete
User can only update/delete their own reports, or global reports if they the
'global_saved_reports' have permission
"""
session_user = get_user(required=True)
if str(session_user['_id']) != str(doc.get('user', '')):
if not doc.get('is_global', False):
raise SuperdeskApiError.forbiddenError(
'Unauthorized to modify other user\'s local report.')
elif not current_user_has_privilege('global_saved_reports'):
raise SuperdeskApiError.forbiddenError(
'Unauthorized to modify global report.')
def can_edit(self, item, user_id):
"""
Determines if the user can edit the item or not.
"""
# TODO: modify this function when read only permissions for stages are implemented
# TODO: and Content state related checking.
if not current_user_has_privilege('archive'):
return False, 'User does not have sufficient permissions.'
item_location = item.get('task')
if item_location:
if item_location.get('desk'):
if not superdesk.get_resource_service('user_desks').is_member(user_id, item_location.get('desk')):
return False, 'User is not a member of the desk.'
elif item_location.get('user'):
if not str(item_location.get('user')) == str(user_id):
return False, 'Item belongs to another user.'
return True, ''
def can_edit(self, item, user_id):
# Check privileges
if not current_user_has_privilege('planning_planning_management'):
return False, 'User does not have sufficient permissions.'
return True, ''
def send_to(doc,
update=None,
desk_id=None,
stage_id=None,
user_id=None,
default_stage="incoming_stage"):
"""Send item to given desk and stage.
Applies the outgoing and incoming macros of current and destination stages
:param doc: original document to be sent
:param update: updates for the document
:param desk: id of desk where item should be sent
:param stage: optional stage within the desk
:param default_stage: if no stage_id is passed then it determines the stage in that desk the doc is assigned,
either the the incomming stage or the working stage.
"""
original_task = doc.setdefault("task", {})
current_stage = None
if original_task.get("stage"):
current_stage = get_resource_service("stages").find_one(
req=None, _id=original_task.get("stage"))
desk = destination_stage = None
task = {
"desk": desk_id,
"stage": stage_id,
"user": original_task.get("user") if user_id is None else user_id
}
if current_stage:
apply_stage_rule(doc, update, current_stage, MACRO_OUTGOING)
if desk_id:
desk = superdesk.get_resource_service("desks").find_one(req=None,
_id=desk_id)
if not desk:
raise SuperdeskApiError.notFoundError(
_("Invalid desk identifier {desk_id}").format(desk_id=desk_id))
if not current_user_has_privilege("move") and str(user_id) not in [
str(x.get("user", "")) for x in desk.get("members", [])
]:
raise SuperdeskApiError.forbiddenError(
_("User is not member of desk: {desk_id}").format(
desk_id=desk_id))
task["desk"] = desk_id
if not stage_id:
task["stage"] = desk.get(default_stage)
destination_stage = get_resource_service("stages").find_one(
req=None, _id=desk.get(default_stage))
if stage_id:
destination_stage = get_resource_service("stages").find_one(
req=None, _id=stage_id)
if not destination_stage:
raise SuperdeskApiError.notFoundError(
_("Invalid stage identifier {stage_id}").format(
stage_id=stage_id))
task["desk"] = destination_stage["desk"]
task["stage"] = stage_id
if destination_stage:
apply_stage_rule(doc,
update,
destination_stage,
MACRO_INCOMING,
desk=desk,
task=task)
if destination_stage.get("task_status"):
task["status"] = destination_stage["task_status"]
if update:
update.setdefault("task", {})
update["task"].update(task)
update["expiry"] = get_item_expiry(desk=desk, stage=destination_stage)
else:
doc["task"].update(task)
doc["expiry"] = get_item_expiry(desk=desk, stage=destination_stage)
def send_to(doc,
update=None,
desk_id=None,
stage_id=None,
user_id=None,
default_stage='incoming_stage'):
"""Send item to given desk and stage.
Applies the outgoing and incoming macros of current and destination stages
:param doc: original document to be sent
:param update: updates for the document
:param desk: id of desk where item should be sent
:param stage: optional stage within the desk
:param default_stage: if no stage_id is passed then it determines the stage in that desk the doc is assigned,
either the the incomming stage or the working stage.
"""
original_task = doc.setdefault('task', {})
current_stage = None
if original_task.get('stage'):
current_stage = get_resource_service('stages').find_one(
req=None, _id=original_task.get('stage'))
desk = destination_stage = None
task = {
'desk': desk_id,
'stage': stage_id,
'user': original_task.get('user') if user_id is None else user_id
}
if current_stage:
apply_stage_rule(doc, update, current_stage, MACRO_OUTGOING)
if desk_id:
desk = superdesk.get_resource_service('desks').find_one(req=None,
_id=desk_id)
if not desk:
raise SuperdeskApiError.notFoundError(
_('Invalid desk identifier {desk_id}').format(desk_id=desk_id))
if not current_user_has_privilege('move') and \
str(user_id) not in [str(x.get('user', '')) for x in desk.get('members', [])]:
raise SuperdeskApiError.forbiddenError(
_('User is not member of desk: {desk_id}').format(
desk_id=desk_id))
task['desk'] = desk_id
if not stage_id:
task['stage'] = desk.get(default_stage)
destination_stage = get_resource_service('stages').find_one(
req=None, _id=desk.get(default_stage))
if stage_id:
destination_stage = get_resource_service('stages').find_one(
req=None, _id=stage_id)
if not destination_stage:
raise SuperdeskApiError.notFoundError(
_('Invalid stage identifier {stage_id}').format(
stage_id=stage_id))
task['desk'] = destination_stage['desk']
task['stage'] = stage_id
if destination_stage:
apply_stage_rule(doc,
update,
destination_stage,
MACRO_INCOMING,
desk=desk,
task=task)
if destination_stage.get('task_status'):
task['status'] = destination_stage['task_status']
if update:
update.setdefault('task', {})
update['task'].update(task)
update['expiry'] = get_item_expiry(desk=desk, stage=destination_stage)
else:
doc['task'].update(task)
doc['expiry'] = get_item_expiry(desk=desk, stage=destination_stage)
superdesk.get_resource_service('desks').apply_desk_metadata(doc, doc)
def _validate_user(self, doc_user_id, doc_is_global):
session_user = get_user(required=True)
if str(session_user['_id']) != doc_user_id and \
not (current_user_has_privilege('global_saved_searches') and doc_is_global):
raise SuperdeskApiError.forbiddenError('Unauthorized to modify global search.')
def _validate_user(self, doc_user_id, doc_is_global):
session_user = get_user(required=True)
if str(session_user['_id']) != doc_user_id and \
not (current_user_has_privilege('global_saved_searches') and doc_is_global):
raise SuperdeskApiError.forbiddenError(
'Unauthorized to modify global search.')