def check_for_permission(self):
# TODO: Works but not beautiful, needs review!
"""
Checks if current user (or role) has the required permission
for current workflow step.
Raises:
HTTPError: if user doesn't have required permissions.
"""
if self.current.task:
lane = self.current.lane_id
permission = "%s.%s.%s" % (self.current.workflow_name, lane,
self.current.task_name)
else:
permission = self.current.workflow_name
log.debug("CHECK PERM: %s" % permission)
if (self.current.task_type not in PERM_REQ_TASK_TYPES
or permission.startswith(tuple(settings.ANONYMOUS_WORKFLOWS))
or
(self.current.is_auth
and permission.startswith(tuple(settings.COMMON_WORKFLOWS)))):
return
# FIXME:needs hardening
log.debug("REQUIRE PERM: %s" % permission)
if not self.current.has_permission(permission):
raise HTTPError(
403, "You don't have required permission: %s" % permission)
def save_catalog(self):
"""
Saves the catalog data to given key
Cancels if the cmd is cancel
Notifies user with the process.
"""
if self.input["cmd"] == 'save_catalog':
try:
edited_object = dict()
for i in self.input["form"]["CatalogDatas"]:
edited_object[i["catalog_key"]] = {
"en": i["en"],
"tr": i["tr"]
}
newobj = fixture_bucket.get(self.input["object_key"])
newobj.data = edited_object
newobj.store()
# notify user by passing notify in output object
self.output[
"notify"] = "catalog: %s successfully updated." % self.input[
"object_key"]
except:
raise HTTPError(500, "Form object could not be saved")
if self.input["cmd"] == 'cancel':
self.output[
"notify"] = "catalog: %s canceled." % self.input["object_key"]
def edit_message(current):
"""
Edit a message a user own.
.. code-block:: python
# request:
{
'view':'_zops_edit_message',
'message': {
'body': string, # message text
'key': key
}
}
# response:
{
'status': string, # 'OK' for success
'code': int, # 200 for success
}
"""
current.output = {'status': 'OK', 'code': 200}
in_msg = current.input['message']
try:
msg = Message(current).objects.get(sender_id=current.user_id, key=in_msg['key'])
msg.body = in_msg['body']
msg.save()
except ObjectDoesNotExist:
raise HTTPError(404, "")
def remove_from_favorites(current):
"""
Remove a message from favorites
.. code-block:: python
# request:
{
'view':'_zops_remove_from_favorites,
'key': key,
}
# response:
{
'status': 'OK',
'code': 200
}
"""
try:
current.output = {'status': 'OK', 'code': 200}
Favorite(current).objects.get(user_id=current.user_id,
key=current.input['key']).delete()
except ObjectDoesNotExist:
raise HTTPError(404, "")
def delete_message(current):
"""
Delete a message
.. code-block:: python
# request:
{
'view':'_zops_delete_message,
'message_key': key,
}
# response:
{
'key': key,
'status': 'OK',
'code': 200
}
"""
try:
Message(current).objects.get(sender_id=current.user_id,
key=current.input['key']).delete()
current.output = {'status': 'Deleted', 'code': 200, 'key': current.input['key']}
except ObjectDoesNotExist:
raise HTTPError(404, "")
def pin_channel(current):
"""
Pin a channel to top of channel list
.. code-block:: python
# request:
{
'view':'_zops_pin_channel,
'channel_key': key,
}
# response:
{
'status': 'OK',
'code': 200
}
"""
try:
Subscriber(current).objects.filter(user_id=current.user_id,
channel_id=current.input['channel_key']).update(
pinned=True)
current.output = {'status': 'OK', 'code': 200}
except ObjectDoesNotExist:
raise HTTPError(404, "")
def __init__(self, output):
self.content = output
try:
self.json = output
print(self.json)
except:
log.exception('ERROR at RWrapper JSON load')
self.json = {}
self.code = self.json.get('code', None)
self.token = self.json.get('token')
self.form_data = self.json['forms'][
'model'] if 'forms' in self.json else {}
if 'object_key' in self.form_data:
self.object_key = self.form_data['object_key']
else:
self.object_key = self.json.get('object_id', None)
if self.code and int(self.code) >= 400:
self.raw()
raise HTTPError(self.code, (self.json.get('title', '') +
self.json.get('description', '') +
self.json.get('error', '')))
def check_for_authentication(self):
"""
Checks current workflow against :py:data:`~zengine.settings.ANONYMOUS_WORKFLOWS` list.
Raises:
HTTPUnauthorized: if WF needs an authenticated user and current user isn't.
"""
auth_required = self.current.workflow_name not in settings.ANONYMOUS_WORKFLOWS
if auth_required and not self.current.is_auth:
self.current.log.debug("LOGIN REQUIRED:::: %s" %
self.current.workflow_name)
raise HTTPError(
401, "Login required for %s" % self.current.workflow_name)
def check_for_lane_permission(self):
"""
One or more permissions can be associated with a lane
of a workflow. In a similar way, a lane can be
restricted with relation to other lanes of the workflow.
This method called on lane changes and checks user has
required permissions and relations.
Raises:
HTTPForbidden: if the current user hasn't got the
required permissions and proper relations
"""
# TODO: Cache lane_data in app memory
if self.current.lane_permission:
log.debug("HAS LANE PERM: %s" % self.current.lane_permission)
perm = self.current.lane_permission
if not self.current.has_permission(perm):
raise HTTPError(
403, "You don't have required lane permission: %s" % perm)
if self.current.lane_relations:
context = self.get_pool_context()
log.debug("HAS LANE RELS: %s" % self.current.lane_relations)
try:
cond_result = eval(self.current.lane_relations, context)
except:
log.exception("CONDITION EVAL ERROR : %s || %s" %
(self.current.lane_relations, context))
raise
if not cond_result:
log.debug("LANE RELATION ERR: %s %s" %
(self.current.lane_relations, context))
raise HTTPError(
403, "You aren't qualified for this lane: %s" %
self.current.lane_relations)
def create_initial_object(self):
"""
Creates an instance of default (or selected) model.
If an existing objects key found in
``current.input['object_id']``
or
``current.task_data['object_id']``
or
``current.input['form']['object_key']``
then it will be retrieved from DB and assigned to ``self.object``.
"""
self.model_class = self.get_model_class()
if self.model_class:
object_id = self.current.task_data.get('object_id')
if not object_id and 'form' in self.input:
object_id = self.input['form'].get('object_key', None)
if object_id:
form_model_type = self.input['form'].get(
'model_type', None)
if form_model_type != self.model_class.__name__:
object_id = None
if object_id:
try:
self.object = self.model_class(
self.current).objects.get(object_id)
except ObjectDoesNotExist:
raise HTTPError(
404,
"Possibly you are trying to retrieve a just deleted "
"object or object key (%s) does not belong to current model:"
" %s" % (object_id, self.model_class.__name__))
except:
raise
# elif 'added_obj' in self.current.task_data:
# self.object = self.model_class(self.current).objects.get(
# self.current.task_data['added_obj'])
else:
self.object = self.model_class(self.current)
else:
self.object = type('FakeModel', (Model, ), {})()
def check_for_permission(self):
"""
Checks permissions of auto-generated CRUD views.
Required permissions calculated according to
``ModelName . self.cmd`` scheme.
"""
permission = "%s.%s" % (self.object.__class__.__name__, self.cmd)
log.debug("CHECK CRUD PERM: %s" % permission)
if (self.current.task_type not in PERM_REQ_TASK_TYPES
or permission in settings.ANONYMOUS_WORKFLOWS):
return
if not self.current.has_permission(permission):
raise HTTPError(
403,
"You don't have required CRUD permission: %s" % permission)