py_tasks_melange: comparison app/soc/views/helper/access.py

equal deleted inserted replaced

-:6abf12b9e646
+:3b66772d21a5
 DEF_GROUP_NOT_FOUND_MSG = ugettext(
 'The requested Group can not be found')
-def checkAccess(access_type, rights, kwargs=None):
+def denySidebar(fun):
-"""Runs all the defined checks for the specified type.
+"""Decorator that denies access if the sidebar is calling.
-Args:
-access_type: the type of request (such as 'list' or 'edit')
-rights: a dictionary containing access check functions
-kwargs: a dictionary with django's arguments
-Rights usage:
-The rights dictionary is used to check if the current user is allowed
-to view the page specified. The functions defined in this dictionary
-are always called with the provided kwargs dictionary as argument. On any
-request, regardless of what type, the functions in the 'any_access' value
-are called. If the specified type is not in the rights dictionary, all
-the functions in the 'unspecified' value are called. When the specified
-type _is_ in the rights dictionary, all the functions in that access_type's
-value are called.
 """
-# Call each access checker
+from functools import wraps
-for check in rights['any_access']:
-check(kwargs)
+@wraps(fun)
+def wrapper(self, django_args, *args, **kwargs):
-if access_type not in rights:
+if django_args.get('SIDEBAR_CALLING'):
-for check in rights['unspecified']:
+raise out_of_band.Error("Sidebar Calling")
-# No checks defined, so do the 'generic' checks and bail out
+return fun(self, django_args, *args, **kwargs)
-check(kwargs)
+return wrapper
+class Checker(object):
+"""
+The __setitem__() and __getitem__() methods are overloaded to DTRT
+when adding new access rights, and retrieving them, so use these
+rather then modifying rights directly if so desired.
+"""
+def __init__(self, params):
+"""Adopts base.rights as rights if base is set.
+"""
+base = params.get('rights') if params else None
+self.rights = base.rights if base else {}
+def __setitem__(self, key, value):
+"""Sets a value only if no old value exists.
+"""
+oldvalue = self.rights.get(key)
+self.rights[key] = oldvalue if oldvalue else value
+def __getitem__(self, key):
+"""Retrieves the right checkers and massages then into a default format.
+The result is guaranteed to be a list of 2-tuples, the first element is a
+checker (iff there is an checker with the specified name), the second
+element is a list of arguments that should be passed to the checker when
+calling it in addition to the standard django_args.
+"""
+result = []
+for i in self.rights.get(key, []):
+# Be nice an repack so that it is always a list with tuples
+if isinstance(i, tuple):
+name, arg = i
+tmp = (getattr(self, name), (arg if isinstance(arg, list) else [arg]))
+result.append(tmp)
+else:
+tmp = (getattr(self, i), [])
+result.append(tmp)
+return result
+def checkAccess(self, access_type, django_args):
+"""Runs all the defined checks for the specified type.
+Args:
+access_type: the type of request (such as 'list' or 'edit')
+rights: a dictionary containing access check functions
+django_args: a dictionary with django's arguments
+Rights usage:
+The rights dictionary is used to check if the current user is allowed
+to view the page specified. The functions defined in this dictionary
+are always called with the provided django_args dictionary as argument. On any
+request, regardless of what type, the functions in the 'any_access' value
+are called. If the specified type is not in the rights dictionary, all
+the functions in the 'unspecified' value are called. When the specified
+type _is_ in the rights dictionary, all the functions in that access_type's
+value are called.
+"""
+self.id = users.get_current_user()
+# Call each access checker
+for check, args in self['any_access']:
+check(django_args, *args)
+if access_type not in self.rights:
+for check, args in self['unspecified']:
+# No checks defined, so do the 'generic' checks and bail out
+check(django_args, *args)
+return
+for check, args in self[access_type]:
+check(django_args, *args)
+def allow(self, django_args):
+"""Never raises an alternate HTTP response.  (an access no-op, basically).
+Args:
+django_args: a dictionary with django's arguments
+"""
 return
-for check in rights[access_type]:
+def deny(self, django_args):
-check(kwargs)
+"""Always raises an alternate HTTP response.
+Args:
-def allow(kwargs):
+django_args: a dictionary with django's arguments
-"""Never raises an alternate HTTP response.  (an access no-op, basically).
+Raises:
-Args:
+always raises AccessViolationResponse if called
-kwargs: a dictionary with django's arguments
+"""
-"""
+context = django_args.get('context', {})
-return
+context['title'] = 'Access denied'
+raise out_of_band.AccessViolation(DEF_PAGE_DENIED_MSG, context=context)
-def deny(kwargs):
-"""Always raises an alternate HTTP response.
+def checkIsLoggedIn(self, django_args):
+"""Raises an alternate HTTP response if Google Account is not logged in.
-Args:
-kwargs: a dictionary with django's arguments
+Args:
+django_args: a dictionary with django's arguments
-Raises:
-always raises AccessViolationResponse if called
+Raises:
-"""
+AccessViolationResponse:
+* if no Google Account is even logged in
-import soc.views.helper.responses
+"""
-context = kwargs.get('context', {})
+if self.id:
-context['title'] = 'Access denied'
+return
-raise out_of_band.AccessViolation(DEF_PAGE_DENIED_MSG, context=context)
+raise out_of_band.LoginRequest()
+def checkNotLoggedIn(self, django_args):
-def checkIsLoggedIn(kwargs):
+"""Raises an alternate HTTP response if Google Account is logged in.
-"""Raises an alternate HTTP response if Google Account is not logged in.
+Args:
-Args:
+django_args: a dictionary with django's arguments
-kwargs: a dictionary with django's arguments
+Raises:
-Raises:
+AccessViolationResponse:
-AccessViolationResponse:
+* if a Google Account is currently logged in
-* if no Google Account is even logged in
+"""
-"""
+if not self.id:
-if users.get_current_user():
+return
-return
+raise out_of_band.LoginRequest(message_fmt=DEF_LOGOUT_MSG_FMT)
-raise out_of_band.LoginRequest()
+def checkIsUser(self, django_args):
+"""Raises an alternate HTTP response if Google Account has no User entity.
-def checkNotLoggedIn(kwargs):
-"""Raises an alternate HTTP response if Google Account is logged in.
+Args:
+django_args: a dictionary with django's arguments
-Args:
-kwargs: a dictionary with django's arguments
+Raises:
+AccessViolationResponse:
-Raises:
+* if no User exists for the logged-in Google Account, or
-AccessViolationResponse:
+* if no Google Account is logged in at all
-* if a Google Account is currently logged in
+"""
-"""
+self.checkIsLoggedIn(django_args)
-if not users.get_current_user():
-return
+user = user_logic.getForCurrentAccount()
-raise out_of_band.LoginRequest(message_fmt=DEF_LOGOUT_MSG_FMT)
+if user:
+return
-def checkIsUser(kwargs):
+raise out_of_band.LoginRequest(message_fmt=DEF_NO_USER_LOGIN_MSG_FMT)
-"""Raises an alternate HTTP response if Google Account has no User entity.
+def checkAgreesToSiteToS(self, django_args):
-Args:
+"""Raises an alternate HTTP response if User has not agreed to site-wide ToS.
-kwargs: a dictionary with django's arguments
+Args:
-Raises:
+django_args: a dictionary with django's arguments
-AccessViolationResponse:
-* if no User exists for the logged-in Google Account, or
+Raises:
-* if no Google Account is logged in at all
+AccessViolationResponse:
-"""
+* if User has not agreed to the site-wide ToS, or
+* if no User exists for the logged-in Google Account, or
-checkIsLoggedIn(kwargs)
+* if no Google Account is logged in at all
+"""
-user = user_logic.getForCurrentAccount()
+self.checkIsUser(django_args)
-if user:
-return
+user = user_logic.getForCurrentAccount()
-raise out_of_band.LoginRequest(message_fmt=DEF_NO_USER_LOGIN_MSG_FMT)
+if user_logic.agreesToSiteToS(user):
+return
-def checkAgreesToSiteToS(kwargs):
+# Would not reach this point of site-wide ToS did not exist, since
-"""Raises an alternate HTTP response if User has not agreed to site-wide ToS.
+# agreesToSiteToS() call above always returns True if no ToS is in effect.
+login_msg_fmt = DEF_AGREE_TO_TOS_MSG_FMT % {
-Args:
+'tos_link': redirects.getToSRedirect(site_logic.getSingleton())}
-kwargs: a dictionary with django's arguments
+raise out_of_band.LoginRequest(message_fmt=login_msg_fmt)
-Raises:
-AccessViolationResponse:
+def checkIsDeveloper(self, django_args):
-* if User has not agreed to the site-wide ToS, or
+"""Raises an alternate HTTP response if Google Account is not a Developer.
-* if no User exists for the logged-in Google Account, or
-* if no Google Account is logged in at all
+Args:
-"""
+django_args: a dictionary with django's arguments
-checkIsUser(kwargs)
+Raises:
+AccessViolationResponse:
-user = user_logic.getForCurrentAccount()
+* if User is not a Developer, or
+* if no User exists for the logged-in Google Account, or
-if user_logic.agreesToSiteToS(user):
+* if no Google Account is logged in at all
-return
+"""
-# Would not reach this point of site-wide ToS did not exist, since
+self.checkAgreesToSiteToS(django_args)
-# agreesToSiteToS() call above always returns True if no ToS is in effect.
-login_msg_fmt = DEF_AGREE_TO_TOS_MSG_FMT % {
+if accounts.isDeveloper(account=self.id):
-'tos_link': redirects.getToSRedirect(site_logic.getSingleton())}
+return
-raise out_of_band.LoginRequest(message_fmt=login_msg_fmt)
+login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
+'role': 'a Site Developer '}
-def checkIsDeveloper(kwargs):
+raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-"""Raises an alternate HTTP response if Google Account is not a Developer.
+def checkCanMakeRequestToGroup(self, django_args, group_logic):
-Args:
+"""Raises an alternate HTTP response if the specified group is not in an
-kwargs: a dictionary with django's arguments
+active state.
-Raises:
+Note that state hasn't been implemented yet
-AccessViolationResponse:
-* if User is not a Developer, or
+Args:
-* if no User exists for the logged-in Google Account, or
+group_logic: Logic module for the type of group which the request is for
-* if no Google Account is logged in at all
+"""
-"""
-checkAgreesToSiteToS(kwargs)
-if accounts.isDeveloper(account=users.get_current_user()):
-return
-login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
-'role': 'a Site Developer '}
-raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-def checkCanMakeRequestToGroup(group_logic):
-"""Raises an alternate HTTP response if the specified group is not in an
-active state.
-Note that state hasn't been implemented yet
-Args:
-group_logic: Logic module for the type of group which the request is for
-"""
-def wrapper(kwargs):
 group_entity = role_logic.getGroupEntityFromScopePath(
-group_logic.logic, kwargs['scope_path'])
+group_logic.logic, django_args['scope_path'])
 if not group_entity:
 raise out_of_band.Error(DEF_GROUP_NOT_FOUND_MSG, status=404)
 # TODO(ljvderijk) check if the group is active
 return
-return wrapper
+def checkCanCreateFromRequest(self, django_args, role_name):
+"""Raises an alternate HTTP response if the specified request does not exist
-def checkCanCreateFromRequest(role_name):
+or if it's state is not group_accepted.
-"""Raises an alternate HTTP response if the specified request does not exist
+"""
-or if it's state is not group_accepted.
-"""
+self.checkAgreesToSiteToS(django_args)
-def wrapper(kwargs):
-checkAgreesToSiteToS(kwargs)
 user_entity = user_logic.getForCurrentAccount()
-if user_entity.link_id != kwargs['link_id']:
+if user_entity.link_id != django_args['link_id']:
-deny(kwargs)
+deny(django_args)
-fields = {'link_id': kwargs['link_id'],
+fields = {'link_id': django_args['link_id'],
-'scope_path': kwargs['scope_path'],
+'scope_path': django_args['scope_path'],
 'role': role_name}
 request_entity = request_logic.getFromFieldsOr404(**fields)
 if request_entity.state != 'group_accepted':
 # TODO tell the user that this request has not been accepted yet
-deny(kwargs)
+deny(django_args)
 return
-return wrapper
+def checkCanProcessRequest(self, django_args, role_name):
+"""Raises an alternate HTTP response if the specified request does not exist
+or if it's state is completed or denied.
-def checkCanProcessRequest(role_name):
+"""
-"""Raises an alternate HTTP response if the specified request does not exist
-or if it's state is completed or denied.
+fields = {'link_id': django_args['link_id'],
-"""
+'scope_path': django_args['scope_path'],
-def wrapper(kwargs):
-fields = {'link_id': kwargs['link_id'],
-'scope_path': kwargs['scope_path'],
 'role': role_name}
 request_entity = request_logic.getFromFieldsOr404(**fields)
 if request_entity.state in ['completed', 'denied']:
 # TODO tell the user that this request has been processed
-deny(kwargs)
+deny(django_args)
 return
-return wrapper
+def checkIsMyGroupAcceptedRequest(self, django_args):
+"""Raises an alternate HTTP response if the specified request does not exist
+or if it's state is not group_accepted.
-def checkIsMyGroupAcceptedRequest(kwargs):
+"""
-"""Raises an alternate HTTP response if the specified request does not exist
-or if it's state is not group_accepted.
+self.checkAgreesToSiteToS(django_args)
-"""
+user_entity = user_logic.getForCurrentAccount()
-checkAgreesToSiteToS(kwargs)
+if user_entity.link_id != django_args['link_id']:
-user_entity = user_logic.getForCurrentAccount()
+# not the current user's request
+return deny(django_args)
-if user_entity.link_id != kwargs['link_id']:
-# not the current user's request
+fields = {'link_id': django_args['link_id'],
-return deny(kwargs)
+'scope_path': django_args['scope_path'],
+'role': django_args['role']}
-fields = {'link_id': kwargs['link_id'],
-'scope_path': kwargs['scope_path'],
+request_entity = request_logic.getForFields(fields, unique=True)
-'role': kwargs['role']}
+if not request_entity:
-request_entity = request_logic.getForFields(fields, unique=True)
+# TODO return 404
+return deny(django_args)
-if not request_entity:
-# TODO return 404
+if request_entity.state != 'group_accepted':
-return deny(kwargs)
+return deny(django_args)
-if request_entity.state != 'group_accepted':
-return deny(kwargs)
-return
-def checkIsHost(kwargs):
-"""Raises an alternate HTTP response if Google Account has no Host entity.
-Args:
-request: a Django HTTP request
-Raises:
-AccessViolationResponse:
-* if User is not already a Host, or
-* if User has not agreed to the site-wide ToS, or
-* if no User exists for the logged-in Google Account, or
-* if the user is not even logged in
-"""
-try:
-# if the current user is a developer we allow access
-checkIsDeveloper(kwargs)
 return
-except out_of_band.Error:
-pass
+@denySidebar
+def checkIsHost(self, django_args):
-checkAgreesToSiteToS(kwargs)
+"""Raises an alternate HTTP response if Google Account has no Host entity.
-user = user_logic.getForCurrentAccount()
+Args:
+request: a Django HTTP request
-fields = {'user': user,
-'state': 'active'}
+Raises:
+AccessViolationResponse:
-host = host_logic.getForFields(fields, unique=True)
+* if User is not already a Host, or
+* if User has not agreed to the site-wide ToS, or
-if host:
+* if no User exists for the logged-in Google Account, or
-return
+* if the user is not even logged in
+"""
-login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
-'role': 'a Program Administrator '}
-raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-def checkIsHostForSponsor(kwargs):
-"""Raises an alternate HTTP response if Google Account has no Host entity
-for the specified Sponsor.
-Args:
-request: a Django HTTP request
-Raises:
-AccessViolationResponse:
-* if User is not already a Host for the specified program, or
-* if User has not agreed to the site-wide ToS, or
-* if no User exists for the logged-in Google Account, or
-* if the user is not even logged in
-"""
-try:
-# if the current user is a developer we allow access
-checkIsDeveloper(kwargs)
-return
-except out_of_band.Error:
-pass
-checkAgreesToSiteToS(kwargs)
-user = user_logic.getForCurrentAccount()
-if kwargs.get('scope_path'):
-scope_path = kwargs['scope_path']
-else:
-scope_path = kwargs['link_id']
-fields = {'user': user,
-'scope_path': scope_path,
-'state': 'active'}
-host = host_logic.getForFields(fields, unique=True)
-if host:
-return
-login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
-'role': 'a Program Administrator '}
-raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-def checkIsClubAdminForClub(kwargs):
-"""Returns an alternate HTTP response if Google Account has no Club Admin
-entity for the specified club.
-Args:
-kwargs: a dictionary with django's arguments
-Raises:
-AccessViolationResponse: if the required authorization is not met
-Returns:
-None if Club Admin exists for the specified club, or a subclass of
-django.http.HttpResponse which contains the alternate response
-should be returned by the calling view.
-"""
-try:
-# if the current user is invited to create a host profile we allow access
-checkIsDeveloper(kwargs)
-return
-except out_of_band.Error:
-pass
-checkAgreesToSiteToS(kwargs)
-user = user_logic.getForCurrentAccount()
-if kwargs.get('scope_path'):
-scope_path = kwargs['scope_path']
-else:
-scope_path = kwargs['link_id']
-fields = {'user': user,
-'scope_path': scope_path,
-'state': 'active'}
-club_admin_entity = club_admin_logic.getForFields(fields, unique=True)
-if club_admin_entity:
-return
-login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
-'role': 'a Club Admin for this Club'}
-raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-def checkIsApplicationAccepted(app_logic):
-"""Returns an alternate HTTP response if Google Account has no Club App
-entity for the specified Club.
-Args:
-kwargs: a dictionary with django's arguments
-Raises:
-AccessViolationResponse: if the required authorization is not met
-Returns:
-None if Club App  exists for the specified program, or a subclass
-of django.http.HttpResponse which contains the alternate response
-should be returned by the calling view.
-"""
-def wrapper(kwargs):
 try:
 # if the current user is a developer we allow access
-checkIsDeveloper(kwargs)
+self.checkIsDeveloper(django_args)
 return
 except out_of_band.Error:
 pass
-checkAgreesToSiteToS(kwargs)
+self.checkAgreesToSiteToS(django_args)
+user = user_logic.getForCurrentAccount()
+if django_args.get('scope_path'):
+scope_path = django_args['scope_path']
+else:
+scope_path = django_args['link_id']
+fields = {'user': user,
+'scope_path': scope_path,
+'state': 'active'}
+host = host_logic.getForFields(fields, unique=True)
+self.checkAgreesToSiteToS(django_args)
+user = user_logic.getForCurrentAccount()
+fields = {'user': user,
+'state': 'active'}
+host = host_logic.getForFields(fields, unique=True)
+if host:
+return
+login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
+'role': 'a Program Administrator '}
+raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
+def checkIsHostForSponsor(self, django_args):
+"""Raises an alternate HTTP response if Google Account has no Host entity
+for the specified Sponsor.
+Args:
+request: a Django HTTP request
+Raises:
+AccessViolationResponse:
+* if User is not already a Host for the specified program, or
+* if User has not agreed to the site-wide ToS, or
+* if no User exists for the logged-in Google Account, or
+* if the user is not even logged in
+"""
+self.checkAgreesToSiteToS(django_args)
+user = user_logic.getForCurrentAccount()
+if django_args.get('scope_path'):
+scope_path = django_args['scope_path']
+else:
+scope_path = django_args['link_id']
+fields = {'user': user,
+'scope_path': scope_path,
+'state': 'active'}
+host = host_logic.getForFields(fields, unique=True)
+if host:
+return
+login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
+'role': 'a Program Administrator '}
+raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
+def checkIsClubAdminForClub(self, django_args):
+"""Returns an alternate HTTP response if Google Account has no Club Admin
+entity for the specified club.
+Args:
+django_args: a dictionary with django's arguments
+Raises:
+AccessViolationResponse: if the required authorization is not met
+Returns:
+None if Club Admin exists for the specified club, or a subclass of
+django.http.HttpResponse which contains the alternate response
+should be returned by the calling view.
+"""
+try:
+# if the current user is invited to create a host profile we allow access
+checkIsDeveloper(django_args)
+return
+except out_of_band.Error:
+pass
+self.checkAgreesToSiteToS(django_args)
+user = user_logic.getForCurrentAccount()
+if django_args.get('scope_path'):
+scope_path = django_args['scope_path']
+else:
+scope_path = django_args['link_id']
+fields = {'user': user,
+'scope_path': scope_path,
+'state': 'active'}
+club_admin_entity = club_admin_logic.getForFields(fields, unique=True)
+if club_admin_entity:
+return
+login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
+'role': 'a Club Admin for this Club'}
+raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
+def checkIsApplicationAccepted(self, django_args, app_logic):
+"""Returns an alternate HTTP response if Google Account has no Club App
+entity for the specified Club.
+Args:
+django_args: a dictionary with django's arguments
+Raises:
+AccessViolationResponse: if the required authorization is not met
+Returns:
+None if Club App  exists for the specified program, or a subclass
+of django.http.HttpResponse which contains the alternate response
+should be returned by the calling view.
+"""
+try:
+# if the current user is a developer we allow access
+checkIsDeveloper(django_args)
+return
+except out_of_band.Error:
+pass
+self.checkAgreesToSiteToS(django_args)
 user = user_logic.getForCurrentAccount()
 properties = {
 'applicant': user,
 if application:
 return
 # TODO(srabbelier) Make this give a proper error message
-deny(kwargs)
+deny(django_args)
-return wrapper
+def checkIsMyNotification(self, django_args):
+"""Returns an alternate HTTP response if this request is for
+a Notification belonging to the current user.
-def checkIsMyNotification(kwargs):
-"""Returns an alternate HTTP response if this request is for
+Args:
-a Notification belonging to the current user.
+django_args: a dictionary with django's arguments
-Args:
+Raises:
-kwargs: a dictionary with django's arguments
+AccessViolationResponse: if the required authorization is not met
-Raises:
+Returns:
-AccessViolationResponse: if the required authorization is not met
+None if the current User is allowed to access this Notification.
+"""
-Returns:
-None if the current User is allowed to access this Notification.
-"""
-try:
-# if the current user is a developer we allow access
-checkIsDeveloper(kwargs)
-return
-except out_of_band.Error:
-pass
-checkAgreesToSiteToS(kwargs)
-properties = dicts.filter(kwargs, ['link_id', 'scope_path'])
-notification = notification_logic.getForFields(properties, unique=True)
-user = user_logic.getForCurrentAccount()
-# We need to check to see if the key's are equal since the User
-# objects are different and the default __eq__ method does not check
-# if the keys are equal (which is what we want).
-if user.key() == notification.scope.key():
-return None
-# TODO(ljvderijk) Make this give a proper error message
-deny(kwargs)
-def checkIsMyApplication(app_logic):
-"""Returns an alternate HTTP response if this request is for
-a Application belonging to the current user.
-Args:
-request: a Django HTTP request
-Raises:
-AccessViolationResponse: if the required authorization is not met
-Returns:
-None if the current User is allowed to access this Application.
-"""
-def wrapper(kwargs):
 try:
 # if the current user is a developer we allow access
-checkIsDeveloper(kwargs)
+checkIsDeveloper(django_args)
 return
 except out_of_band.Error:
 pass
-checkAgreesToSiteToS(kwargs)
+self.checkAgreesToSiteToS(django_args)
-properties = dicts.filter(kwargs, ['link_id'])
+properties = dicts.filter(django_args, ['link_id', 'scope_path'])
+notification = notification_logic.getForFields(properties, unique=True)
+user = user_logic.getForCurrentAccount()
+# We need to check to see if the key's are equal since the User
+# objects are different and the default __eq__ method does not check
+# if the keys are equal (which is what we want).
+if user.key() == notification.scope.key():
+return None
+# TODO(ljvderijk) Make this give a proper error message
+deny(django_args)
+def checkIsMyApplication(self, django_args, app_logic):
+"""Returns an alternate HTTP response if this request is for
+a Application belonging to the current user.
+Args:
+request: a Django HTTP request
+Raises:
+AccessViolationResponse: if the required authorization is not met
+Returns:
+None if the current User is allowed to access this Application.
+"""
+try:
+# if the current user is a developer we allow access
+self.checkIsDeveloper(django_args)
+return
+except out_of_band.Error:
+pass
+self.checkAgreesToSiteToS(django_args)
+properties = dicts.filter(django_args, ['link_id'])
 application = app_logic.logic.getForFields(properties, unique=True)
 if not application:
-deny(kwargs)
+deny(django_args)
 user = user_logic.getForCurrentAccount()
 # We need to check to see if the key's are equal since the User
 # objects are different and the default __eq__ method does not check
 # if the keys are equal (which is what we want).
 if user.key() == application.applicant.key():
 return None
 # TODO(srabbelier) Make this give a proper error message
-deny(kwargs)
+deny(django_args)
-return wrapper
+def checkIsMyActiveRole(self, django_args, role_logic):
+"""Returns an alternate HTTP response if there is no active role found for
+the current user using the given role_logic.
-def checkIsMyActiveRole(role_logic):
-"""Returns an alternate HTTP response if there is no active role found for
+Raises:
-the current user using the given role_logic.
+AccessViolationResponse: if the required authorization is not met
-Raises:
+Returns:
-AccessViolationResponse: if the required authorization is not met
+None if the current User has no active role for the given role_logic.
+"""
-Returns:
-None if the current User has no active role for the given role_logic.
-"""
-def wrapper(kwargs):
 try:
 # if the current user is a developer we allow access
-checkIsDeveloper(kwargs)
+checkIsDeveloper(django_args)
 return
 except out_of_band.Error:
 pass
 user = user_logic.getForCurrentAccount()
-if not user or user.link_id != kwargs['link_id']:
+if not user or user.link_id != django_args['link_id']:
 # not my role
-deny(kwargs)
+deny(django_args)
-fields = {'link_id': kwargs['link_id'],
+fields = {'link_id': django_args['link_id'],
-'scope_path': kwargs['scope_path']
+'scope_path': django_args['scope_path']
 }
 role_entity = role_logic.logic.getForFields(fields, unique=True)
 if not role_entity:
 # no role found
-deny(kwargs)
+deny(django_args)
 if role_entity.state == 'active':
 # this role exist and is active
 return
 else:
 # this role is not active
-deny(kwargs)
+deny(django_args)
-return wrapper
+def checkHasPickGetArgs(self, django_args):
+"""Raises an alternate HTTP response if the request misses get args.
-def checkHasPickGetArgs(kwargs):
+Args:
-"""Raises an alternate HTTP response if the request misses get args.
+django_args: a dictionary with django's arguments
-Args:
+Raises:
-kwargs: a dictionary with django's arguments
+AccessViolationResponse:
+* if continue is not in request.GET
-Raises:
+* if field is not in request.GET
-AccessViolationResponse:
+"""
-* if continue is not in request.GET
-* if field is not in request.GET
+get_args = django_args.get('GET', {})
-"""
+if 'continue' in get_args and 'field' in get_args:
-get_args = kwargs.get('GET', {})
+return
-if 'continue' in get_args and 'field' in get_args:
+#TODO(SRabbelier) inform user that return_url and field are required
-return
+deny(django_args)
-#TODO(SRabbelier) inform user that return_url and field are required
+def checkIsDocumentPublic(self, django_args):
-deny(kwargs)
+"""Checks whether a document is public.
+Args:
-def checkIsDocumentPublic(kwargs):
+django_args: a dictionary with django's arguments
-"""Checks whether a document is public.
+"""
-Args:
+# TODO(srabbelier): A proper check needs to be done to see if the document
-kwargs: a dictionary with django's arguments
+# is public or not, probably involving analysing it's scope or such.
-"""
+allow(django_args)
-# TODO(srabbelier): A proper check needs to be done to see if the document
-# is public or not, probably involving analysing it's scope or such.
-allow(kwargs)

changeset 1007	3b66772d21a5
parent 999	71f15c023847
child 1012	73f0b61f2d9d