def validate_token(key, credits=1):
"""
Validate that a token is valid to authorize a setup/register operation:
* Check it's not expired
* Check it has some credits
:param credits: number of credits to decrement if valid
:return 2-tuple (<http response if error, else None>, <registration token if valid, else None>)
"""
try:
with transaction.commit_on_success():
token = RegistrationToken.objects.get(secret = key)
if not token.credits:
log.warning("Attempt to register with exhausted token %s" % key)
return HttpForbidden(), None
else:
# Decrement .credits
RegistrationToken.objects.filter(secret = key).update(credits = token.credits - credits)
except RegistrationToken.DoesNotExist:
log.warning("Attempt to register with non-existent token %s" % key)
return HttpForbidden(), None
else:
now = IMLDateTime.utcnow()
if token.expiry < now:
log.warning("Attempt to register with expired token %s (now %s, expired at %s)" % (key, now, token.expiry))
return HttpForbidden(), None
elif token.cancelled:
log.warning("Attempt to register with cancelled token %s" % key)
return HttpForbidden(), None
return None, token
def generic_item_check(self, object_list, bundle, permission):
if not self.generic_base_check(object_list, bundle):
raise ImmediateHttpResponse(
HttpForbidden("You are not allowed to access that resource."))
checker = ObjectPermissionChecker(bundle.request.user)
if not checker.has_perm(permission, bundle.obj):
raise ImmediateHttpResponse(
HttpForbidden("You are not allowed to access that resource."))
return True
def obj_update(self, bundle, **kwargs):
username = bundle.request.GET['username']
user = User.objects.filter(username=username)[0]
if self.can_edit(user, bundle, Bulletin) is False:
raise ImmediateHttpResponse(
HttpForbidden('You do not have permission to edit this entity')
)
# permission checks
if self.is_finalized(
Bulletin,
kwargs['pk'],
'most_recent_status_bulletin'
) and can_finalize(user) is False:
raise ImmediateHttpResponse(
HttpForbidden('This item has been finalized')
)
if can_assign_users(user) is False and 'assigned_user' in bundle.data:
del(bundle.data['assigned_user'])
# decide on available status
status_id = self.id_from_url(bundle.data)
status_update = StatusUpdate.filter_by_perm_objects.get_update_status(
user,
status_id
)
# create the commnt from the status update and the bundled comment
comment_uri = self.create_comment(
bundle.data['comment'],
status_update.id,
user
)
try:
bundle.data['bulletin_comments'].append(comment_uri)
except KeyError:
bundle.data['bulletin_comments'] = [comment_uri, ]
with reversion.create_revision():
bundle = super(BulletinResource, self)\
.obj_update(bundle, **kwargs)
reversion.add_meta(
VersionStatus,
status='edited',
user=user
)
reversion.set_user(user)
reversion.set_comment(bundle.data['comment'])
update_object.delay(username)
return bundle
def obj_create(self, bundle, **kwargs):
"""
The method called by the dispatcher when a NodeGroup resource is created.
This is the only override that allows us to access 'kwargs', which contains the
graph_id from the original request.
"""
try:
bundle.data['graph'] = Graph.objects.get(
pk=kwargs['graph_id'],
deleted=False)
except Exception:
raise ImmediateHttpResponse(
response=HttpForbidden("You can't use this graph."))
bundle.obj = self._meta.object_class()
bundle = self.full_hydrate(bundle)
bundle = self.save(bundle) # Prepare ManyToMany relationship
for node_id in bundle.data['nodeIds']:
try:
# The client may refer to nodes that are already gone,
# we simply ignore them
node = Node.objects.get(
graph=bundle.data['graph'],
client_id=node_id,
deleted=False)
bundle.obj.nodes.add(node)
except ObjectDoesNotExist:
pass
if 'properties' in bundle.data:
bundle.obj.set_attrs(bundle.data['properties'])
bundle.obj.save()
return self.save(bundle)
def hydrate_groups(self, bundle):
from chroma_api.group import GroupResource
# Prevent non-superusers from modifying their groups
if not bundle.request.user.is_superuser:
if 'groups' in bundle.data:
group_ids = []
for group in bundle.data['groups']:
if isinstance(group, dict):
group_ids.append(int(group['id']))
elif isinstance(group, basestring):
group_ids.append(
int(GroupResource().get_via_uri(
group, bundle.request).id))
elif isinstance(group, Bundle):
group_ids.append(int(group.obj.id))
else:
raise NotImplementedError(group.__class__)
user_group_ids = [
int(group.pk)
for group in bundle.request.user.groups.all()
]
if not set(group_ids) == set(user_group_ids):
raise ImmediateHttpResponse(HttpForbidden())
return bundle
def obj_update(self, bundle, **kwargs):
username = bundle.request.GET['username']
user = User.objects.filter(username=username)[0]
if self.is_finalized(
Incident, kwargs['pk'],
'most_recent_status_incident') and can_finalize(user) is False:
raise ImmediateHttpResponse(
HttpForbidden('This item has been finalized'))
if can_assign_users(user) is False and 'assigned_user' in bundle.data:
del (bundle.data['assigned_user'])
status_id = self.id_from_url(bundle.data)
status_update = StatusUpdate.filter_by_perm_objects.get_update_status(
user, status_id)
comment_uri = self.create_comment(bundle.data['comment'],
status_update.id, user)
try:
bundle.data['incident_comments'].append(comment_uri)
except KeyError:
bundle.data['incident_comments'] = [
comment_uri,
]
with reversion.create_revision():
bundle = super(IncidentResource, self)\
.obj_update(bundle, **kwargs)
reversion.add_meta(VersionStatus, user=user, status='edited')
reversion.set_user(user)
reversion.set_comment(bundle.data['comment'])
update_object.delay(username)
return bundle
def obj_get_list(self, bundle, **kwargs):
application_id = bundle.request.GET.get('application_id')
if not application_id:
raise NotFound('application_id parameter required')
domain = kwargs['domain']
couch_user = CouchUser.from_django_user(bundle.request.user)
if not domain_has_privilege(domain, privileges.ZAPIER_INTEGRATION
) or not couch_user.is_member_of(domain):
raise ImmediateHttpResponse(
HttpForbidden(
'You are not allowed to get list of forms for this domain')
)
results = []
application = Application.get(docid=application_id)
if not application:
return []
forms_objects = application.get_forms(bare=False)
for form_object in forms_objects:
form = form_object['form']
module = form_object['module']
form_name = '{} > {} > {}'.format(application.name,
module.default_name(),
form.default_name())
results.append(Form(form_xmlns=form.xmlns, form_name=form_name))
return results
def unauthorized_result(self, exception):
"""
@summary:change default value 401 of tastypie to 403
@param exception:
@return:
"""
raise ImmediateHttpResponse(response=HttpForbidden())
def get_region(self, request):
"""
Returns the REGION object for the passed request. Rules:
1. If the GET param `region` is `None`, return `None`. If a request
attempts to do this without authentication and one of the
'Regions:BypassFilters' permission or curator-level access to a
collection, return a 403.
2. If the GET param `region` is set and not empty, attempt to return the
region with the specified slug.
3. If request.REGION is set, return it. (If the GET param `region` is
either not set or set and empty, RegionMiddleware will attempt to
determine the region via IP address).
4. Return the worldwide region.
This method is overridden by the reviewers search api to completely
disable region filtering.
"""
region = request.GET.get('region')
if region and region == 'None':
collection_curator = (Collection.curators.through.objects.filter(
userprofile=request.amo_user).exists())
has_permission = acl.action_allowed(request, 'Regions',
'BypassFilters')
if not (collection_curator or has_permission):
raise ImmediateHttpResponse(response=HttpForbidden())
return None
elif region:
try:
return REGIONS_DICT[region]
except KeyError:
raise self.non_form_errors([('region', 'Invalid region.')])
return getattr(request, 'REGION', mkt.regions.WORLDWIDE)
def generic_list_check(self, object_list, bundle, permission):
if not self.generic_base_check(object_list, bundle):
raise ImmediateHttpResponse(
HttpForbidden("You are not allowed to access that resource."))
# raise Unauthorized("You are not allowed to access that resource.")
return get_objects_for_user(bundle.request.user, permission,
object_list)
def obj_update(self, bundle, **kwargs):
username = bundle.request.GET['username']
user = User.objects.filter(username=username)[0]
bundle.data['id'] = kwargs['pk']
if self.can_edit(user, bundle, Actor) is False:
raise ImmediateHttpResponse(
HttpForbidden(
'You do not have permission to edit this entity'))
if self.is_finalized(
Actor, kwargs['pk'],
'most_recent_status_actor') and can_finalize(user) is False:
raise ImmediateHttpResponse(
HttpForbidden('This item has been finalized'))
if can_assign_users(user) is False and 'assigned_user' in bundle.data:
del (bundle.data['assigned_user'])
status_id = self.id_from_url(bundle.data)
status_update = StatusUpdate.filter_by_perm_objects.get_update_status(
user, status_id)
comment_uri = self.create_comment(bundle.data['comment'],
status_update.id, user)
if "condition" not in bundle.data:
bundle.data['condition'] = None
if "POB" not in bundle.data:
bundle.data['POB'] = None
if "current_location" not in bundle.data:
bundle.data['current_location'] = None
try:
bundle.data['actor_comments'].append(comment_uri)
except KeyError:
bundle.data['actor_comments'] = [
comment_uri,
]
with reversion.create_revision():
bundle = super(ActorResource, self)\
.obj_update(bundle, **kwargs)
reversion.add_meta(VersionStatus, status='edited', user=user)
reversion.set_user(user)
reversion.set_comment(bundle.data['comment'])
update_object.delay(username)
return bundle
def __init__(self, wallet=None):
response = {
'error': 'wrong_pincode',
'message': 'El código pin introducido no es correcto'
}
self.response = HttpForbidden(content=json.dumps(response),
content_type='application/json')
def remove_children(self, request, **kwargs):
try:
obj = self.cached_obj_get(request=request,
**self.remove_api_resource_names(kwargs))
except ObjectDoesNotExist:
return HttpGone()
except MultipleObjectsReturned:
return HttpMultipleChoices("More than one resource "
"is found at this URI.")
if request.method == 'POST':
data = json.loads(request.POST.items()[0][0])
if 'image' in data:
if isinstance(data['image'], list):
for URI in data['image']:
try:
im = Image.objects.get(
uuid=uuid_re.search(URI).group()
)
obj.image_set.remove(im)
except ObjectDoesNotExist:
return HttpResponseNotFound(
'At least one of the image '
'URI\'s cannot be found')
else:
raise ImmediateHttpResponse(response=HttpForbidden(
'Image URI\'s must be in an array'))
if 'wordbox' in data:
if isinstance(data['wordbox'], list):
for URI in data['wordbox']:
try:
wb = WordBox.objects.get(uuid=uuid_re.search(
URI).group())
obj.wordbox_set.remove(wb)
except ObjectDoesNotExist:
return HttpResponseNotFound(
'At least one of the wordbox '
'URI\'s cannot be found')
else:
raise ImmediateHttpResponse(response=HttpForbidden(
'Wordbox URI\'s must be in an array'))
else:
raise ImmediateHttpResponse(response=HttpResponse(status=405))
return HttpCreated()
def __init__(self, invitations_used=None):
response = {
'error': 'all_invites_sent',
'message': 'Ya has enviado el máximo de invitaciones disponibles'
}
if invitations_used:
response['invitations_used'] = invitations_used
self.response = HttpForbidden(content=json.dumps(response), content_type='application/json')
def reject_access(self, perm=None):
json = ''
if perm:
resp = {
'permissionDenied': perm.name,
}
json = self.resource_obj._meta.serializer.to_json(resp)
return HttpForbidden(json, mimetype='application/json')
def delete_detail(self, object_list, bundle):
try:
if self.gen_kwargs_func:
kwargs = self.gen_kwargs_func(bundle.obj.__dict__)
else:
kwargs = {}
kwargs['model'] = self.model
return self.auth_delete_func == None or self.auth_delete_func(bundle.request.user, **kwargs)
except PermissionDenied:
raise ImmediateHttpResponse(HttpForbidden(UNAUTHORIZED_MESSAGE))
def obj_create(self, bundle, request=None, **kwargs):
bundle.obj = Obj()
bundle.obj.id = 1
backend = get_backend('linkedin', bundle.request, bundle.request.path)
backend.name = 'linkedin'
access_token_url = 'https://www.linkedin.com/uas/oauth2/accessToken'
names = getattr(settings, 'LINKEDIN_EXTRA_DATA')
extra = ','.join(dict(names).keys())
people_api_url = 'https://api.linkedin.com/v1/people/' \
'~:({})'.format(extra)
payload = dict(client_id=bundle.data['clientId'],
redirect_uri=bundle.data['redirectUri'],
client_secret=backend.consumer.secret,
code=bundle.data['code'],
grant_type='authorization_code')
# Step 1. Exchange authorization code for access token.
r = requests.post(access_token_url, data=payload)
response = json.loads(r.text)
params = dict(oauth2_access_token=response['access_token'],
format='json')
# Step 2. Retrieve information about the current user.
r = requests.get(people_api_url, params=params)
profile = json.loads(r.text)
data = {}
for key in profile.keys():
value = profile.get(key)
alias = self.convert(key)
data[alias] = value
uid = data.get('id')
social_user = UserSocialAuth.get_social_auth('linkedin', uid)
if social_user is None:
social_user = UserSocialAuth.create_social_auth(
bundle.request.user, uid, 'linkedin')
social_user.extra_data = data
social_user.save()
else:
raise ImmediateHttpResponse(
HttpForbidden("Linkedin already associated"))
extra_data = params
if extra_data and social_user.extra_data != extra_data:
if social_user.extra_data:
social_user.extra_data.update(extra_data)
else:
social_user.extra_data = extra_data
social_user.save()
return bundle
def obj_get_list(self, bundle, **kwargs):
domain = kwargs['domain']
couch_user = CouchUser.from_django_user(bundle.request.user)
if not domain_has_privilege(domain, privileges.ZAPIER_INTEGRATION) or not couch_user.is_member_of(domain):
raise ImmediateHttpResponse(
HttpForbidden('You are not allowed to get list of case types for this domain')
)
case_types = get_case_types_for_domain_es(domain)
results = [CaseType(case_type=case_type) for case_type in case_types]
return results
def __init__(self, wallet=None):
response = {
'error':
'not_enough_balance',
'message':
'El monedero no tiene suficiente saldo disponible para realizar la operación'
}
self.response = HttpForbidden(content=json.dumps(response),
content_type='application/json')
def reregister(request):
if request.method != 'POST':
return HttpResponseNotAllowed(['POST'])
fqdn = MessageView.valid_fqdn(request)
if not fqdn:
return HttpForbidden()
host_attributes = json.loads(request.body)
ValidatedClientView.valid_certs[request.META['HTTP_X_SSL_CLIENT_SERIAL']] = host_attributes['fqdn']
ManagedHost.objects.filter(fqdn=fqdn).update(fqdn=host_attributes['fqdn'], address=host_attributes['address'])
return HttpResponse()
def generic_base_check(self, object_list, bundle):
"""
Returns False if either:
a) if the `object_list.model` doesn't have a `_meta` attribute
b) the `bundle.request` object doesn have a `user` attribute
"""
klass = self.base_checks(bundle.request, object_list.model)
if klass is False:
raise ImmediateHttpResponse(
HttpForbidden("You are not allowed to access that resource."))
return True
def obj_create(self, bundle, **kwargs):
if hasattr(bundle.request.user, 'owner'):
if hasattr(self._meta.object_class, 'source'):
kwargs['source'] = bundle.request.user.owner.source
if hasattr(self._meta.object_class, 'owner'):
kwargs['owner'] = bundle.request.user.owner
if hasattr(self._meta.object_class, 'event'):
kwargs['event__source'] = bundle.request.user.owner.source
return super(Content, self).obj_create(bundle, **kwargs)
raise ImmediateHttpResponse(response=HttpForbidden())
def apply_authorization_limits(self, request, object_list):
if hasattr(request.user, 'owner'):
if hasattr(self._meta.object_class, 'source'):
return object_list.filter(source=request.user.owner.source)
if hasattr(self._meta.object_class, 'owner'):
return object_list.filter(owner=request.user.owner)
if hasattr(self._meta.object_class, 'event'):
return object_list.filter(
event__source=request.user.owner.source)
return object_list
raise ImmediateHttpResponse(response=HttpForbidden())
def login(self, request, *args, **kwargs):
username = request.POST['username']
password = request.POST['password']
user = auth.authenticate(username=username, password=password)
if user is None:
raise ImmediateHttpResponse(HttpUnauthorized())
if not user.is_active:
raise ImmediateHttpResponse(HttpForbidden())
auth.login(request, user)
return self.create_response(request,
self._serialize_user(request, user))
def read_list(self, object_list, bundle):
try:
if self.gen_kwargs_func and len(object_list) > 0:
kwargs = self.gen_kwargs_func(object_list[0].__dict__)
else:
kwargs = {}
kwargs['model'] = self.model
if self.filter_list_func:
return self.filter_list_func(object_list, bundle.request.user)
elif self.auth_get_list_func == None or self.auth_get_list_func(bundle.request.user, **kwargs):
return object_list
except PermissionDenied:
raise ImmediateHttpResponse(HttpForbidden(UNAUTHORIZED_MESSAGE))
def obj_get_list(self, bundle, **kwargs):
domain = kwargs['domain']
couch_user = CouchUser.from_django_user(bundle.request.user)
if not domain_has_privilege(domain, privileges.ZAPIER_INTEGRATION) or not couch_user.is_member_of(domain):
raise ImmediateHttpResponse(
HttpForbidden('You are not allowed to get list of usernames for this domain')
)
user_ids_username_pairs = get_all_user_id_username_pairs_by_domain(domain)
results = [UserInfo(user_id=user_pair[0], user_name=raw_username(user_pair[1]))
for user_pair in user_ids_username_pairs]
return results
def read_detail(self, object_list, bundle):
# if permissions aren't enabled just pass through
if ENABLE_GUARDIAN_PERMISSIONS == False:
return True
klass = self.base_checks(bundle.request, bundle.obj.__class__)
read_list = []
if klass is False:
raise ImmediateHttpResponse(
HttpForbidden("You are not allowed to access that resource."))
permission = '%s.view_%s' % (klass._meta.app_label,
klass._meta.verbose_name)
for obj in object_list:
if bundle.request.user.has_perm(permission, obj):
read_list.append(obj)
if read_list:
return True
raise ImmediateHttpResponse(
HttpForbidden("You are not allowed to access that resource."))
def hydrate(self, bundle):
# Make sure that owners are assigned correctly
bundle.obj.owner = bundle.request.user
# Get the user-specified project, and make sure that it is his.
# This is not an authorization problem for the (graph) resource itself,
# so it must be handled here and not in the auth class.
try:
project = Project.objects.get(pk=bundle.request.GET['project'],
owner=bundle.request.user)
bundle.obj.project = project
except Exception:
raise ImmediateHttpResponse(response=HttpForbidden(
"You can't use this project for your new graph."))
# Fill the graph with the GraphML data
bundle.obj.from_graphml(bundle.request.body)
return bundle
def obj_get_list(self, bundle, domain, **kwargs):
config = get_document_or_404(CaseExportInstance, domain,
self.config_id)
if raise_odata_permissions_issues(bundle.request.couch_user, domain,
config):
raise ImmediateHttpResponse(
HttpForbidden(
ugettext_noop(
"You do not have permission to view this feed.")))
query = get_case_export_base_query(domain, config.case_type)
for filter in config.get_filters():
query = query.filter(filter.to_es_filter())
if not bundle.request.couch_user.has_permission(
domain, 'access_all_locations'):
query = query_location_restricted_cases(query, bundle.request)
return query
def mark_news_read(self, request, **kwargs):
"""
Special view which enables to override the root route /user/ for accessing the
data of currently authenticated user and not the listing of all users.
:param request:
:param kwargs:
:return:
"""
self.method_check(request, allowed=['patch'])
self.is_authenticated(request)
user = getattr(request, 'user', None)
if not user or user.is_anonymous():
return HttpForbidden()
News.objects.get(pk=int(kwargs['pk'])).user.add(user)
return HttpResponse(status=200)