194 def decorator(fun): |
194 def decorator(fun): |
195 """Decorator that allows access if the current user is a Developer. |
195 """Decorator that allows access if the current user is a Developer. |
196 """ |
196 """ |
197 |
197 |
198 @wraps(fun) |
198 @wraps(fun) |
199 def wrapper(self, django_args, *args, **kwargs): |
199 def wrapper(self, django_args=None, *args, **kwargs): |
200 try: |
200 try: |
201 # if the check passes we allow access regardless |
201 # if the check passes we allow access regardless |
202 return self.doCheck(checker_name, django_args, []) |
202 return self.doCheck(checker_name, django_args, []) |
203 except out_of_band.Error: |
203 except out_of_band.Error: |
204 # otherwise we run the original check |
204 # otherwise we run the original check |
377 self.check(use_cache, checker_name, django_args, args) |
377 self.check(use_cache, checker_name, django_args, args) |
378 |
378 |
379 def hasMembership(self, roles, django_args): |
379 def hasMembership(self, roles, django_args): |
380 """Checks whether the user has access to any of the specified roles. |
380 """Checks whether the user has access to any of the specified roles. |
381 |
381 |
|
382 Makes use of self.MEMBERSHIP, which defines checkers specific to |
|
383 document access, as such this method should only be used when checking |
|
384 document access. |
|
385 |
382 Args: |
386 Args: |
383 roles: a list of roles to check |
387 roles: a list of roles to check |
|
388 django_args: the django args that should be passed to doCheck |
384 """ |
389 """ |
385 |
390 |
386 try: |
391 try: |
387 # we need to check manually, as we must return True! |
392 # we need to check manually, as we must return True! |
388 self.checkIsDeveloper(django_args) |
393 self.checkIsDeveloper(django_args) |
469 context = django_args.get('context', {}) |
474 context = django_args.get('context', {}) |
470 context['title'] = 'Access denied' |
475 context['title'] = 'Access denied' |
471 |
476 |
472 raise out_of_band.AccessViolation(DEF_PAGE_DENIED_MSG, context=context) |
477 raise out_of_band.AccessViolation(DEF_PAGE_DENIED_MSG, context=context) |
473 |
478 |
474 def checkIsLoggedIn(self, django_args): |
479 def checkIsLoggedIn(self, django_args=None): |
475 """Raises an alternate HTTP response if Google Account is not logged in. |
480 """Raises an alternate HTTP response if Google Account is not logged in. |
476 |
481 |
477 Args: |
482 Args: |
478 django_args: a dictionary with django's arguments |
483 django_args: a dictionary with django's arguments, not used |
479 |
484 |
480 Raises: |
485 Raises: |
481 AccessViolationResponse: |
486 AccessViolationResponse: |
482 * if no Google Account is even logged in |
487 * if no Google Account is even logged in |
483 """ |
488 """ |
485 if self.id: |
490 if self.id: |
486 return |
491 return |
487 |
492 |
488 raise out_of_band.LoginRequest() |
493 raise out_of_band.LoginRequest() |
489 |
494 |
490 def checkNotLoggedIn(self, django_args): |
495 def checkNotLoggedIn(self, django_args=None): |
491 """Raises an alternate HTTP response if Google Account is logged in. |
496 """Raises an alternate HTTP response if Google Account is logged in. |
492 |
497 |
493 Args: |
498 Args: |
494 django_args: a dictionary with django's arguments |
499 django_args: a dictionary with django's arguments, not used |
495 |
500 |
496 Raises: |
501 Raises: |
497 AccessViolationResponse: |
502 AccessViolationResponse: |
498 * if a Google Account is currently logged in |
503 * if a Google Account is currently logged in |
499 """ |
504 """ |
501 if not self.id: |
506 if not self.id: |
502 return |
507 return |
503 |
508 |
504 raise out_of_band.LoginRequest(message_fmt=DEF_LOGOUT_MSG_FMT) |
509 raise out_of_band.LoginRequest(message_fmt=DEF_LOGOUT_MSG_FMT) |
505 |
510 |
506 def checkIsUser(self, django_args): |
511 def checkIsUser(self, django_args=None): |
507 """Raises an alternate HTTP response if Google Account has no User entity. |
512 """Raises an alternate HTTP response if Google Account has no User entity. |
508 |
513 |
509 Args: |
514 Args: |
510 django_args: a dictionary with django's arguments |
515 django_args: a dictionary with django's arguments, not used |
511 |
516 |
512 Raises: |
517 Raises: |
513 AccessViolationResponse: |
518 AccessViolationResponse: |
514 * if no User exists for the logged-in Google Account, or |
519 * if no User exists for the logged-in Google Account, or |
515 * if no Google Account is logged in at all |
520 * if no Google Account is logged in at all |
516 * if User has not agreed to the site-wide ToS, if one exists |
521 * if User has not agreed to the site-wide ToS, if one exists |
517 """ |
522 """ |
518 |
523 |
519 self.checkIsLoggedIn(django_args) |
524 self.checkIsLoggedIn() |
520 |
525 |
521 if not self.user: |
526 if not self.user: |
522 raise out_of_band.LoginRequest(message_fmt=DEF_NO_USER_LOGIN_MSG) |
527 raise out_of_band.LoginRequest(message_fmt=DEF_NO_USER_LOGIN_MSG) |
523 |
528 |
524 if user_logic.agreesToSiteToS(self.user): |
529 if user_logic.agreesToSiteToS(self.user): |
534 @allowDeveloper |
539 @allowDeveloper |
535 def checkIsUserSelf(self, django_args, field_name): |
540 def checkIsUserSelf(self, django_args, field_name): |
536 """Checks whether the specified user is the logged in user. |
541 """Checks whether the specified user is the logged in user. |
537 |
542 |
538 Args: |
543 Args: |
539 django_args: the keyword args from django, only scope_path is used |
544 django_args: the keyword args from django, only field_name is used |
540 """ |
545 """ |
541 |
546 |
542 self.checkIsUser(django_args) |
547 self.checkIsUser() |
543 |
548 |
544 if not field_name in django_args: |
549 if not field_name in django_args: |
545 self.deny(django_args) |
550 self.deny() |
546 |
551 |
547 if self.user.link_id == django_args[field_name]: |
552 if self.user.link_id == django_args[field_name]: |
548 return |
553 return |
549 |
554 |
550 raise out_of_band.AccessViolation(DEF_NOT_YOUR_ENTITY_MSG) |
555 raise out_of_band.AccessViolation(DEF_NOT_YOUR_ENTITY_MSG) |
551 |
556 |
552 def checkIsUnusedAccount(self, django_args): |
557 def checkIsUnusedAccount(self, django_args=None): |
553 """Raises an alternate HTTP response if Google Account has a User entity. |
558 """Raises an alternate HTTP response if Google Account has a User entity. |
554 |
559 |
555 Args: |
560 Args: |
556 django_args: a dictionary with django's arguments |
561 django_args: a dictionary with django's arguments, not used |
557 |
562 |
558 Raises: |
563 Raises: |
559 AccessViolationResponse: |
564 AccessViolationResponse: |
560 * if a User exists for the logged-in Google Account, or |
565 * if a User exists for the logged-in Google Account, or |
561 * if a User has this Gooogle Account in their formerAccounts list |
566 * if a User has this Gooogle Account in their formerAccounts list |
571 |
576 |
572 message_fmt = DEF_USER_ACCOUNT_INVALID_MSG_FMT % { |
577 message_fmt = DEF_USER_ACCOUNT_INVALID_MSG_FMT % { |
573 'email' : self.id.email()} |
578 'email' : self.id.email()} |
574 raise out_of_band.LoginRequest(message_fmt=message_fmt) |
579 raise out_of_band.LoginRequest(message_fmt=message_fmt) |
575 |
580 |
576 def checkHasUserEntity(self, django_args): |
581 def checkHasUserEntity(self, django_args=None): |
577 """Raises an alternate HTTP response if Google Account has no User entity. |
582 """Raises an alternate HTTP response if Google Account has no User entity. |
578 |
583 |
579 Args: |
584 Args: |
580 django_args: a dictionary with django's arguments |
585 django_args: a dictionary with django's arguments |
581 |
586 |
583 AccessViolationResponse: |
588 AccessViolationResponse: |
584 * if no User exists for the logged-in Google Account, or |
589 * if no User exists for the logged-in Google Account, or |
585 * if no Google Account is logged in at all |
590 * if no Google Account is logged in at all |
586 """ |
591 """ |
587 |
592 |
588 self.checkIsLoggedIn(django_args) |
593 self.checkIsLoggedIn() |
589 |
594 |
590 if not self.user: |
595 if self.user: |
591 raise out_of_band.LoginRequest(message_fmt=DEF_NO_USER_LOGIN_MSG) |
596 return |
592 |
597 |
593 return |
598 raise out_of_band.LoginRequest(message_fmt=DEF_NO_USER_LOGIN_MSG) |
594 |
599 |
595 def checkIsDeveloper(self, django_args): |
600 def checkIsDeveloper(self, django_args=None): |
596 """Raises an alternate HTTP response if Google Account is not a Developer. |
601 """Raises an alternate HTTP response if Google Account is not a Developer. |
597 |
602 |
598 Args: |
603 Args: |
599 django_args: a dictionary with django's arguments |
604 django_args: a dictionary with django's arguments, not used |
600 |
605 |
601 Raises: |
606 Raises: |
602 AccessViolationResponse: |
607 AccessViolationResponse: |
603 * if User is not a Developer, or |
608 * if User is not a Developer, or |
604 * if no User exists for the logged-in Google Account, or |
609 * if no User exists for the logged-in Google Account, or |
807 |
812 |
808 @allowDeveloper |
813 @allowDeveloper |
809 @denySidebar |
814 @denySidebar |
810 def checkIsActivePeriod(self, django_args, period_name, key_name_arg): |
815 def checkIsActivePeriod(self, django_args, period_name, key_name_arg): |
811 """Checks if the given period is active for the given program. |
816 """Checks if the given period is active for the given program. |
812 |
817 |
813 Args: |
818 Args: |
814 django_args: a dictionary with django's arguments. |
819 django_args: a dictionary with django's arguments. |
815 period_name: the name of the period which is checked. |
820 period_name: the name of the period which is checked. |
816 key_name_arg: the entry in django_args that specifies the given program |
821 key_name_arg: the entry in django_args that specifies the given program |
817 keyname. If none is given the key_name is constructed from django_args |
822 keyname. If none is given the key_name is constructed from django_args |
842 def checkCanCreateOrgApp(self, django_args, period_name): |
847 def checkCanCreateOrgApp(self, django_args, period_name): |
843 """Checks to see if the program in the scope_path is accepting org apps |
848 """Checks to see if the program in the scope_path is accepting org apps |
844 """ |
849 """ |
845 |
850 |
846 if 'seed' in django_args: |
851 if 'seed' in django_args: |
847 return self.checkIsActivePeriod(django_args['seed'], |
852 return self.checkIsActivePeriod(django_args['seed'], |
848 period_name, 'scope_path') |
853 period_name, 'scope_path') |
849 else: |
854 else: |
850 return |
855 return |
851 |
856 |
852 @allowDeveloper |
857 @allowDeveloper |
1086 def checkCanStudentPropose(self, django_args, key_location): |
1091 def checkCanStudentPropose(self, django_args, key_location): |
1087 """Checks if the program for this student accepts proposals. |
1092 """Checks if the program for this student accepts proposals. |
1088 |
1093 |
1089 Args: |
1094 Args: |
1090 django_args: a dictionary with django's arguments |
1095 django_args: a dictionary with django's arguments |
1091 key_location: the key for django_args in which the key_name |
1096 key_location: the key for django_args in which the key_name |
1092 from the student is stored |
1097 from the student is stored |
1093 """ |
1098 """ |
1094 |
1099 |
1095 self.checkIsUser(django_args) |
1100 self.checkIsUser(django_args) |
1096 |
1101 |
1117 def checkIsStudent(self, django_args, key_location, status): |
1122 def checkIsStudent(self, django_args, key_location, status): |
1118 """Checks if the current user is the given student. |
1123 """Checks if the current user is the given student. |
1119 |
1124 |
1120 Args: |
1125 Args: |
1121 django_args: a dictionary with django's arguments |
1126 django_args: a dictionary with django's arguments |
1122 key_location: the key for django_args in which the key_name |
1127 key_location: the key for django_args in which the key_name |
1123 from the student is stored |
1128 from the student is stored |
1124 status: the allowed status for the student |
1129 status: the allowed status for the student |
1125 """ |
1130 """ |
1126 |
1131 |
1127 self.checkIsUser(django_args) |
1132 self.checkIsUser(django_args) |
1173 |
1178 |
1174 @allowDeveloper |
1179 @allowDeveloper |
1175 @denySidebar |
1180 @denySidebar |
1176 def checkIsAllowedToManageRole(self, django_args, role_logic, manage_role_logic): |
1181 def checkIsAllowedToManageRole(self, django_args, role_logic, manage_role_logic): |
1177 """Returns an alternate HTTP response if the user is not allowed to manage |
1182 """Returns an alternate HTTP response if the user is not allowed to manage |
1178 the role given in args. |
1183 the role given in args. |
1179 |
1184 |
1180 Args: |
1185 Args: |
1181 role_logic: determines the logic for the role in args. |
1186 role_logic: determines the logic for the role in args. |
1182 manage_role_logic: determines the logic for the role which is allowed |
1187 manage_role_logic: determines the logic for the role which is allowed |
1183 to manage this role. |
1188 to manage this role. |
1184 |
1189 |
1185 Raises: |
1190 Raises: |
1186 AccessViolationResponse: if the required authorization is not met |
1191 AccessViolationResponse: if the required authorization is not met |
1187 |
1192 |
1188 Returns: |
1193 Returns: |
1189 None if the given role is active and belongs to the current user. |
1194 None if the given role is active and belongs to the current user. |
1190 None if the current User has an active role (from manage_role_logic) |
1195 None if the current User has an active role (from manage_role_logic) |
1191 that belongs to the same scope as the role that needs to be managed |
1196 that belongs to the same scope as the role that needs to be managed |
1192 """ |
1197 """ |
1193 |
1198 |
1194 try: |
1199 try: |
1195 # check if it is my role the user's own role |
1200 # check if it is my role the user's own role |