def extra_select_and_values_for_model(instance, job, table, model, prefix=None): if prefix: prefix += '__' else: prefix = '' perms = permissions(job.user, instance, model) extra_select = {} prefixed_names = [] dummy_instance = safe_get_model_class(model)() for perm in (perm for perm in perms if perm.permission_level >= FieldPermission.READ_ONLY): field_name = perm.field_name prefixed_name = prefix + field_name if field_name.startswith('udf:'): name = field_name[4:] extra_select[prefixed_name] = "%s.udfs->'%s'" % (table, name) else: if not model_hasattr(dummy_instance, field_name): # Exception will be raised downstream if you look for # a field on a model that no longer exists but still # has a stale permission record. Here we check for that # case and don't include the field if it does not exist. continue prefixed_names.append(prefixed_name) return (extra_select, prefixed_names)
def extra_select_and_values_for_model( instance, job, table, model, prefix=None): if prefix: prefix += '__' else: prefix = '' perms = permissions(job.user, instance, model) extra_select = {} prefixed_names = [] dummy_instance = safe_get_model_class(model)() for perm in (perm for perm in perms if perm.permission_level >= FieldPermission.READ_ONLY): field_name = perm.field_name prefixed_name = prefix + field_name if field_name.startswith('udf:'): name = field_name[4:] extra_select[prefixed_name] = "%s.udfs->'%s'" % (table, name) else: if not model_hasattr(dummy_instance, field_name): # Exception will be raised downstream if you look for # a field on a model that no longer exists but still # has a stale permission record. Here we check for that # case and don't include the field if it does not exist. continue prefixed_names.append(prefixed_name) return (extra_select, prefixed_names)
def get_user_permission(self, user, expectedCount, model_name='Plot', field_name='geom'): perms = permissions(user, self.instance, model_name) return self.get_permission(perms, field_name, expectedCount)
def test_empty_model_name(self): perms = permissions(self.user, self.instance) self.assertEqual( len(perms), FieldPermission.objects.filter(instance=self.instance, role=self.user.get_role( self.instance)).count())
def values_for_model( instance, job, table, model, select, select_params, prefix=None): if prefix: prefix += '__' else: prefix = '' perms = permissions(job.user, instance, model) prefixed_names = [] model_class = safe_get_model_class(model) dummy_instance = model_class() for perm in (perm for perm in perms if perm.permission_level >= FieldPermission.READ_ONLY): field_name = perm.field_name prefixed_name = prefix + field_name if field_name in getattr(model_class, 'collection_udf_settings', {}): field_definition_id = None for udfd in udf_defs(instance, model): if udfd.iscollection and udfd.name == field_name[4:]: field_definition_id = udfd.id if field_definition_id is None: continue select[prefixed_name] = ( """ WITH formatted_data AS ( SELECT concat('(', data, ')') as fdata FROM %s WHERE field_definition_id = %s and model_id = %s.id ) SELECT array_to_string(array_agg(fdata), ', ', '*') FROM formatted_data """ % (UserDefinedCollectionValue._meta.db_table, field_definition_id, table)) elif field_name.startswith('udf:'): name = field_name[4:] select[prefixed_name] = "{0}.udfs->%s".format(table) select_params.append(name) else: if not model_hasattr(dummy_instance, field_name): # Exception will be raised downstream if you look for # a field on a model that no longer exists but still # has a stale permission record. Here we check for that # case and don't include the field if it does not exist. continue prefixed_names.append(prefixed_name) return prefixed_names
def _values_for_model(instance, job, table, model, select, select_params, prefix=None): if prefix: prefix += '__' else: prefix = '' prefixed_names = [] model_class = safe_get_model_class(model) dummy_instance = model_class() for field_name in (perm.field_name for perm in permissions(job.user, instance, model) if perm.permission_level >= FieldPermission.READ_ONLY): prefixed_name = prefix + field_name if field_name.startswith('udf:'): name = field_name[4:] if name in model_class.collection_udf_settings.keys(): field_definition_id = None for udfd in udf_defs(instance, model): if udfd.iscollection and udfd.name == name: field_definition_id = udfd.id if field_definition_id is None: continue select[prefixed_name] = (""" WITH formatted_data AS ( SELECT concat('(', data, ')') as fdata FROM %s WHERE field_definition_id = %s and model_id = %s.id ) SELECT array_to_string(array_agg(fdata), ', ', '*') FROM formatted_data """ % (UserDefinedCollectionValue._meta.db_table, field_definition_id, table)) else: select[prefixed_name] = "{0}.udfs->%s".format(table) select_params.append(name) else: if not model_hasattr(dummy_instance, field_name): # Exception will be raised downstream if you look for # a field on a model that no longer exists but still # has a stale permission record. Here we check for that # case and don't include the field if it does not exist. continue prefixed_names.append(prefixed_name) return prefixed_names
def mask_unauthorized_fields(self, user): perms = permissions(user, self.instance, self._model_name) readable_fields = {perm.field_name for perm in perms if perm.allows_reads} fields = set(self._previous_state.keys()) unreadable_fields = fields - readable_fields for field_name in unreadable_fields: self.apply_change(field_name, None) self._has_been_masked = True
def get_pending_fields(self, user): """ Evaluates the permissions for the current user and collects fields that inheriting subclasses will want to treat as special pending_edit fields. """ perms = permissions(user, self.instance, self._model_name) fields_to_audit = [] for perm in perms: if ((perm.permission_level == FieldPermission.WRITE_WITH_AUDIT and perm.field_name in self._updated_fields())): fields_to_audit.append(perm.field_name) return fields_to_audit
def save_with_user(self, user, *args, **kwargs): updated_fields = self._updated_fields() if self.pk is None: audit_type = Audit.Type.Insert else: audit_type = Audit.Type.Update field_perm = None model = self.field_definition.model_type field = 'udf:%s' % self.field_definition.name perms = permissions(user, self.field_definition.instance, model_name=model) for perm in perms: if perm.field_name == field and perm.allows_writes: field_perm = perm break if field_perm is None: raise AuthorizeException("Cannot save UDF field '%s.%s': " "No sufficient permission found." % (model, self.field_definition.name)) if field_perm.permission_level == FieldPermission.WRITE_WITH_AUDIT: model_id = _reserve_model_id(UserDefinedCollectionValue) pending = True for field, (oldval, _) in updated_fields.iteritems(): self.apply_change(field, oldval) else: pending = False super(UserDefinedCollectionValue, self).save_with_user( user, *args, **kwargs) model_id = self.pk if audit_type == Audit.Type.Insert: updated_fields['id'] = [None, model_id] for field, (old_val, new_val) in updated_fields.iteritems(): Audit.objects.create( current_value=new_val, previous_value=old_val, model='udf:%s' % self.field_definition.pk, model_id=model_id, field=field, instance=self.field_definition.instance, user=user, action=audit_type, requires_auth=pending)
def save_with_user(self, user, *args, **kwargs): updated_fields = self._updated_fields() if self.pk is None: audit_type = Audit.Type.Insert else: audit_type = Audit.Type.Update field_perm = None model = self.field_definition.model_type field = 'udf:%s' % self.field_definition.name perms = permissions(user, self.field_definition.instance, model_name=model) for perm in perms: if perm.field_name == field and perm.allows_writes: field_perm = perm break if field_perm is None: raise AuthorizeException("Cannot save UDF field '%s.%s': " "No sufficient permission found." % (model, self.field_definition.name)) if field_perm.permission_level == FieldPermission.WRITE_WITH_AUDIT: model_id = _reserve_model_id(UserDefinedCollectionValue) pending = True for field, (oldval, _) in updated_fields.iteritems(): self.apply_change(field, oldval) else: pending = False super(UserDefinedCollectionValue, self).save_with_user(user, *args, **kwargs) model_id = self.pk if audit_type == Audit.Type.Insert: updated_fields['id'] = [None, model_id] for field, (old_val, new_val) in updated_fields.iteritems(): Audit.objects.create(current_value=new_val, previous_value=old_val, model='udf:%s' % self.field_definition.pk, model_id=model_id, field=field, instance=self.field_definition.instance, user=user, action=audit_type, requires_auth=pending)
def _get_perms_set(self, user, direct_only=False): if not self.instance: raise AuthorizeException(trans( "Cannot retrieve permissions for this object because " "it does not have an instance associated with it.")) perms = permissions(user, self.instance, self._model_name) if direct_only: perm_set = {perm.field_name for perm in perms if perm.permission_level == FieldPermission.WRITE_DIRECTLY} else: perm_set = {perm.field_name for perm in perms if perm.allows_writes} return perm_set
def _verify_user_can_apply_audit(audit, user): """ Make sure that user has "write direct" permissions for the given audit's fields. If the model is a udf collection, verify the user has write directly permission on the UDF """ # This comingling here isn't really great... # However it allows us to have a pretty external interface in that # UDF collections can have a single permission based on the original # model, instead of having to assign a bunch of new ones. from udf import UserDefinedFieldDefinition if audit.model.startswith('udf:'): udf = UserDefinedFieldDefinition.objects.get(pk=audit.model[4:]) field = 'udf:%s' % udf.name model = udf.model_type else: field = audit.field model = audit.model perms = permissions(user, audit.instance, model) foundperm = False for perm in perms: if perm.field_name == field: if perm.permission_level == FieldPermission.WRITE_DIRECTLY: foundperm = True break else: raise AuthorizeException( "User %s can't edit field %s on model %s" % (user, field, model)) if not foundperm: raise AuthorizeException( "User %s can't edit field %s on model %s (No permissions found)" % (user, field, model))
def extra_select_and_values_for_model( instance, job, table, model, prefix=None): if prefix: prefix += '__' else: prefix = '' perms = permissions(job.user, instance, model) extra_select = {} prefixed_names = [] for perm in perms: field_name = perm.field_name prefixed_name = prefix + field_name if field_name.startswith('udf:'): name = field_name[4:] extra_select[prefixed_name] = "%s.udfs->'%s'" % (table, name) prefixed_names.append(prefixed_name) return (extra_select, prefixed_names)
def _perms_for_user(self, user): return permissions(user, self.instance, self._model_name)
def test_empty_model_name(self): perms = permissions(self.user, self.instance) self.assertEqual(len(perms), FieldPermission.objects.filter( instance=self.instance, role=self.user.get_role(self.instance)) .count())
def test_empty_model_name(self): perms = permissions(self.user, self.instance) self.assertEqual(len(perms), 80)