py_tasks_melange: comparison app/soc/views/helper/access.py

equal deleted inserted replaced

-:1d852b58b182
+:43018f61b481
 DEF_LOGOUT_MSG_FMT = ugettext(
 'Please <a href="%(sign_out)s">sign out</a> in order to view this page')
-def checkAccess(access_type, request, rights, args=None, kwargs=None):
+def checkAccess(access_type, rights, kwargs=None):
 """Runs all the defined checks for the specified type.
 Args:
 access_type: the type of request (such as 'list' or 'edit')
-request: the Django request object
 rights: a dictionary containing access check functions
+kwargs: a dictionary with django's arguments
 Rights usage:
 The rights dictionary is used to check if the current user is allowed
 to view the page specified. The functions defined in this dictionary
-are always called with the django request object as argument. On any
+are always called with the provided kwargs dictionary as argument. On any
 request, regardless of what type, the functions in the 'any_access' value
 are called. If the specified type is not in the rights dictionary, all
 the functions in the 'unspecified' value are called. When the specified
 type _is_ in the rights dictionary, all the functions in that access_type's
 value are called.
-Returns:
-True: If all the required access checks have been made successfully
-False: If a check failed, in this case self._response will contain
-the response provided by the failed access check.
 """
 # Call each access checker
 for check in rights['any_access']:
-check(request, args, kwargs)
+check(kwargs)
 if access_type not in rights:
 for check in rights['unspecified']:
 # No checks defined, so do the 'generic' checks and bail out
-check(request, args, kwargs)
+check(kwargs)
 return
 for check in rights[access_type]:
-check(request, args, kwargs)
+check(kwargs)
-def allow(request, args, kwargs):
+def allow(kwargs):
 """Never raises an alternate HTTP response.  (an access no-op, basically).
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 """
 return
-def deny(request, args, kwargs):
+def deny(kwargs):
 """Always raises an alternate HTTP response.
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 Raises:
 always raises AccessViolationResponse if called
 """
 import soc.views.helper.responses
-if kwargs.get('SIDEBAR_CALLING', False):
+kwargs.get('context', {})
-context = {}
-else:
-context = soc.views.helper.responses.getUniversalContext(request)
 context['title'] = 'Access denied'
 raise out_of_band.AccessViolation(DEF_PAGE_DENIED_MSG, context=context)
-def checkIsLoggedIn(request, args, kwargs):
+def checkIsLoggedIn(kwargs):
 """Raises an alternate HTTP response if Google Account is not logged in.
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 Raises:
 AccessViolationResponse:
 * if no Google Account is even logged in
 """
 if users.get_current_user():
 return
 raise out_of_band.LoginRequest()
-def checkNotLoggedIn(request, args, kwargs):
+def checkNotLoggedIn(kwargs):
 """Raises an alternate HTTP response if Google Account is logged in.
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 Raises:
 AccessViolationResponse:
 * if a Google Account is currently logged in
 """
 if not users.get_current_user():
 return
 raise out_of_band.LoginRequest(message_fmt=DEF_LOGOUT_MSG_FMT)
-def checkIsUser(request, args, kwargs):
+def checkIsUser(kwargs):
 """Raises an alternate HTTP response if Google Account has no User entity.
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 Raises:
 AccessViolationResponse:
 * if no User exists for the logged-in Google Account, or
 * if no Google Account is logged in at all
 """
-checkIsLoggedIn(request, args, kwargs)
+checkIsLoggedIn(kwargs)
-user = user_logic.getForFields({'account': users.get_current_user()},
-unique=True)
+user = user_logic.getForCurrentAccount()
 if user:
 return
 raise out_of_band.LoginRequest(message_fmt=DEF_NO_USER_LOGIN_MSG_FMT)
-def checkAgreesToSiteToS(request, args, kwargs):
+def checkAgreesToSiteToS(kwargs):
 """Raises an alternate HTTP response if User has not agreed to site-wide ToS.
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 Raises:
 AccessViolationResponse:
 * if User has not agreed to the site-wide ToS, or
 * if no User exists for the logged-in Google Account, or
 * if no Google Account is logged in at all
 """
-checkIsUser(request, args, kwargs)
+checkIsUser(kwargs)
 user = user_logic.getForCurrentAccount()
 if user_logic.agreesToSiteToS(user):
 return
 'tos_link': redirects.getToSRedirect(site_logic.getSingleton())}
 raise out_of_band.LoginRequest(message_fmt=login_msg_fmt)
-def checkIsDeveloper(request, args, kwargs):
+def checkIsDeveloper(kwargs):
 """Raises an alternate HTTP response if Google Account is not a Developer.
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 Raises:
 AccessViolationResponse:
 * if User is not a Developer, or
 * if no User exists for the logged-in Google Account, or
 * if no Google Account is logged in at all
 """
-checkAgreesToSiteToS(request, args, kwargs)
+checkAgreesToSiteToS(kwargs)
 if accounts.isDeveloper(account=users.get_current_user()):
 return
 login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
 def checkCanCreateFromRequest(role_name):
 """Raises an alternate HTTP response if the specified request does not exist
 or if it's state is not group_accepted.
 """
-def wrapper(request, args, kwargs):
-checkAgreesToSiteToS(request, args, kwargs)
+def wrapper(kwargs):
+checkAgreesToSiteToS(kwargs)
 user_entity = user_logic.getForCurrentAccount()
 if user_entity.link_id != kwargs['link_id']:
-deny(request, args, kwargs)
+deny(kwargs)
 fields = {'link_id': kwargs['link_id'],
 'scope_path': kwargs['scope_path'],
 'role': role_name}
 request_entity = request_logic.getFromFieldsOr404(**fields)
 if request_entity.state != 'group_accepted':
 # TODO tell the user that this request has not been accepted yet
-deny(request, args, kwargs)
+deny(kwargs)
 return
 return wrapper
 def checkCanProcessRequest(role_name):
 """Raises an alternate HTTP response if the specified request does not exist
 or if it's state is completed or denied.
 """
-def wrapper(request, args, kwargs):
+def wrapper(kwargs):
 fields = {'link_id': kwargs['link_id'],
 'scope_path': kwargs['scope_path'],
 'role': role_name}
 request_entity = request_logic.getFromFieldsOr404(**fields)
 if request_entity.state in ['completed', 'denied']:
 # TODO tell the user that this request has been processed
-deny(request, args, kwargs)
+deny(kwargs)
 return
 return wrapper
-def checkIsMyGroupAcceptedRequest(request, args, kwargs):
+def checkIsMyGroupAcceptedRequest(kwargs):
 """Raises an alternate HTTP response if the specified request does not exist
 or if it's state is not group_accepted.
 """
-checkAgreesToSiteToS(request, args, kwargs)
+checkAgreesToSiteToS(kwargs)
 user_entity = user_logic.getForCurrentAccount()
 if user_entity.link_id != kwargs['link_id']:
 # not the current user's request
-return deny(request, args, kwargs)
+return deny(kwargs)
 fields = {'link_id': kwargs['link_id'],
 'scope_path': kwargs['scope_path'],
 'role': kwargs['role']}
 request_entity = request_logic.getForFields(fields, unique=True)
 if not request_entity:
 # TODO return 404
-return deny(request, args, kwargs)
+return deny(kwargs)
 if request_entity.state != 'group_accepted':
-return deny(request, args, kwargs)
+return deny(kwargs)
 return
-def checkIsHost(request, args, kwargs):
+def checkIsHost(kwargs):
 """Raises an alternate HTTP response if Google Account has no Host entity.
 Args:
 request: a Django HTTP request
 * if the user is not even logged in
 """
 try:
 # if the current user is invited to create a host profile we allow access
-checkIsDeveloper(request, args, kwargs)
+checkIsDeveloper(kwargs)
 return
 except out_of_band.Error:
 pass
-checkAgreesToSiteToS(request, args, kwargs)
+checkAgreesToSiteToS(kwargs)
-user = user_logic.getForFields({'account': users.get_current_user()},
+user = user_logic.getForCurrentAccount()
-unique=True)
 fields = {'user': user,
 'state': 'active'}
 host = host_logic.getForFields(fields, unique=True)
 'role': 'a Program Administrator '}
 raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-def checkIsHostForProgram(request, args, kwargs):
+def checkIsHostForProgram(kwargs):
 """Raises an alternate HTTP response if Google Account has no Host entity
 for the specified program.
 Args:
 request: a Django HTTP request
 * if User is not already a Host for the specified program, or
 * if User has not agreed to the site-wide ToS, or
 * if no User exists for the logged-in Google Account, or
 * if the user is not even logged in
 """
-checkAgreesToSiteToS(request, args, kwargs)
+checkAgreesToSiteToS(kwargs)
-user = user_logic.getForFields({'account': users.get_current_user()},
-unique=True)
+user = user_logic.getForCurrentAccount()
 fields = {'user': user,
 'scope_path': kwargs['scope_path'],
 'state': 'active'}
 'role': 'a Program Administrator '}
 raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-def checkIsClubAdminForClub(request, args, kwargs):
+def checkIsClubAdminForClub(kwargs):
 """Returns an alternate HTTP response if Google Account has no Club Admin
 entity for the specified club.
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 Raises:
 AccessViolationResponse: if the required authorization is not met
 Returns:
 should be returned by the calling view.
 """
 try:
 # if the current user is invited to create a host profile we allow access
-checkIsDeveloper(request, args, kwargs)
+checkIsDeveloper(kwargs)
 return
 except out_of_band.Error:
 pass
-checkAgreesToSiteToS(request, args, kwargs)
+checkAgreesToSiteToS(kwargs)
 user = user_logic.getForCurrentAccount()
 if kwargs.get('scope_path'):
 scope_path = kwargs['scope_path']
 def checkIsApplicationAccepted(app_logic):
 """Returns an alternate HTTP response if Google Account has no Club App
 entity for the specified Club.
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 Raises:
 AccessViolationResponse: if the required authorization is not met
 Returns:
 None if Club App  exists for the specified program, or a subclass
 of django.http.HttpResponse which contains the alternate response
 should be returned by the calling view.
 """
-def wrapper(request, args, kwargs):
+def wrapper(kwargs):
 try:
 # if the current user is a developer we allow access
-checkIsDeveloper(request, args, kwargs)
+checkIsDeveloper(kwargs)
 return
 except out_of_band.Error:
 pass
-checkAgreesToSiteToS(request, args, kwargs)
+checkAgreesToSiteToS(kwargs)
 user = user_logic.getForCurrentAccount()
 properties = {
 'applicant': user,
 if application:
 return
 # TODO(srabbelier) Make this give a proper error message
-deny(request, args, kwargs)
+deny(kwargs)
 return wrapper
-def checkIsMyNotification(request, args, kwargs):
+def checkIsMyNotification(kwargs):
 """Returns an alternate HTTP response if this request is for
 a Notification belonging to the current user.
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 Raises:
 AccessViolationResponse: if the required authorization is not met
 Returns:
 None if the current User is allowed to access this Notification.
 """
 try:
 # if the current user is a developer we allow access
-checkIsDeveloper(request, args, kwargs)
+checkIsDeveloper(kwargs)
 return
 except out_of_band.Error:
 pass
-checkAgreesToSiteToS(request, args, kwargs)
+checkAgreesToSiteToS(kwargs)
-# Mine the url for params
-try:
-callback, args, kwargs = urlresolvers.resolve(request.path)
-except Exception:
-deny(request, args, kwargs)
 properties = dicts.filter(kwargs, ['link_id', 'scope_path'])
 notification = notification_logic.getForFields(properties, unique=True)
 user = user_logic.getForCurrentAccount()
 # if the keys are equal (which is what we want).
 if user.key() == notification.scope.key():
 return None
 # TODO(ljvderijk) Make this give a proper error message
-deny(request, args, kwargs)
+deny(kwargs)
 def checkIsMyApplication(app_logic):
 """Returns an alternate HTTP response if this request is for
 a Application belonging to the current user.
 Returns:
 None if the current User is allowed to access this Application.
 """
-def wrapper(request, args, kwargs):
+def wrapper(kwargs):
 try:
 # if the current user is a developer we allow access
-checkIsDeveloper(request, args, kwargs)
+checkIsDeveloper(kwargs)
 return
 except out_of_band.Error:
 pass
-checkAgreesToSiteToS(request, args, kwargs)
+checkAgreesToSiteToS(kwargs)
 properties = dicts.filter(kwargs, ['link_id'])
 application = app_logic.logic.getForFields(properties, unique=True)
 if not application:
-deny(request, args, kwargs)
+deny(kwargs)
 user = user_logic.getForCurrentAccount()
 # We need to check to see if the key's are equal since the User
 # objects are different and the default __eq__ method does not check
 # if the keys are equal (which is what we want).
 if user.key() == application.applicant.key():
 return None
 # TODO(srabbelier) Make this give a proper error message
-deny(request, args, kwargs)
+deny(kwargs)
 return wrapper
 def checkIsMyActiveRole(role_logic):
 Returns:
 None if the current User has no active role for the given role_logic.
 """
-def wrapper(request, args, kwargs):
+def wrapper(kwargs):
 try:
 # if the current user is a developer we allow access
-checkIsDeveloper(request, args, kwargs)
+checkIsDeveloper(kwargs)
 return
 except out_of_band.Error:
 pass
 user = user_logic.getForCurrentAccount()
 if not user or user.link_id != kwargs['link_id']:
 # not my role
-deny(request, args, kwargs)
+deny(kwargs)
 fields = {'link_id': kwargs['link_id'],
 'scope_path': kwargs['scope_path']
 }
 role_entity = role_logic.logic.getForFields(fields, unique=True)
 if not role_entity:
 # no role found
-deny(request, args, kwargs)
+deny(kwargs)
 if role_entity.state == 'active':
 # this role exist and is active
 return
 else:
 # this role is not active
-deny(request, args, kwargs)
+deny(kwargs)
 return wrapper
-def checkCanInvite(request, args, kwargs):
+def checkCanInvite(kwargs):
 """Checks to see if the current user can create an invite.
 Note that if the current url is not in the default 'request' form
 this method either deny()s or performs the wrong access check.
 request: a Django HTTP request
 """
 try:
 # if the current user is a developer we allow access
-checkIsDeveloper(request, args, kwargs)
+checkIsDeveloper(kwargs)
 return
 except out_of_band.Error:
 pass
-# Mine the url for params
-try:
-callback, args, kwargs = urlresolvers.resolve(request.path)
-except Exception:
-deny(request, args, kwargs)
 # Construct a new url by reshufling the kwargs
 order = ['role', 'access_type', 'scope_path', 'link_id']
 url_params = dicts.unzip(kwargs, order)
 url = '/'.join([''] + list(url_params))
 # Mine the reshufled url
 try:
 callback, args, kwargs = urlresolvers.resolve(url)
 except Exception:
-deny(request, args, kwargs)
+deny(kwargs)
 # Get the everything we need for the access check
 params = callback.im_self.getParams()
 access_type = kwargs['access_type']
 # Perform the access check
-checkAccess(access_type, request, rights=params['rights'])
+checkAccess(access_type, rights=params['rights'], kwargs=kwargs)
-def checkHasPickGetArgs(request, arg, kwargs):
+def checkHasPickGetArgs(kwargs):
 """Raises an alternate HTTP response if the request misses get args.
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 Raises:
 AccessViolationResponse:
 * if continue is not in request.GET
 * if field is not in request.GET
 """
-get_args = request.GET
+get_args = kwargs.get('GET', {})
 if 'continue' in get_args and 'field' in get_args:
 return
 #TODO(SRabbelier) inform user that return_url and field are required
-deny(request, arg, kwargs)
+deny(kwargs)
-def checkIsDocumentPublic(request, args, kwargs):
+def checkIsDocumentPublic(kwargs):
 """Checks whether a document is public.
 Args:
-request: a Django HTTP request
+kwargs: a dictionary with django's arguments
 """
 # TODO(srabbelier): A proper check needs to be done to see if the document
 # is public or not, probably involving analysing it's scope or such.
-allow(request, args, kwargs)
+allow(kwargs)

changeset 972	43018f61b481
parent 970	8b5611d5b053
child 974	2f86cbc90b65