py_tasks_melange: comparison app/soc/views/helper/access.py

equal deleted inserted replaced

-:1d9396d75c13
+:d8c50be19232
 from soc.logic import rights as rights_logic
 from soc.logic.models.club_admin import logic as club_admin_logic
 from soc.logic.models.club_member import logic as club_member_logic
 from soc.logic.models.document import logic as document_logic
 from soc.logic.models.host import logic as host_logic
+from soc.logic.models.mentor import logic as mentor_logic
 from soc.logic.models.notification import logic as notification_logic
+from soc.logic.models.org_admin import logic as org_admin_logic
+from soc.logic.models.program import logic as program_logic
 from soc.logic.models.request import logic as request_logic
 from soc.logic.models.role import logic as role_logic
 from soc.logic.models.site import logic as site_logic
-from soc.logic.models.program import logic as program_logic
+#from soc.logic.models.student import logic as student_logic
 from soc.logic.models.timeline import logic as timeline_logic
 from soc.logic.models.user import logic as user_logic
+from soc.views.helper import redirects
 from soc.views import helper
 from soc.views import out_of_band
-from soc.views.helper import redirects
 DEF_NO_USER_LOGIN_MSG= ugettext(
 'Please create <a href="/user/create_profile">User Profile</a>'
 ' in order to view this page.')
 ' again as %(role)s to view this page.')
 DEF_NEED_MEMBERSHIP_MSG_FMT = ugettext(
 'You need to be in the %(status)s group to %(action)s'
 ' documents in the %(prefix)s prefix.')
+DEF_NEED_ROLE_MSG = ugettext(
+'You do not have the required role.')
+DEF_NOT_YOUR_ENTITY_MSG = ugettext(
+'This entity does not belong to you.')
+DEF_NO_ACTIVE_GROUP_MSG = ugettext(
+'There is no such active group.')
+DEF_NO_REQUEST_MSG = ugettext(
+'There is no accepted request that would allow you to visit this page.')
+DEF_NEED_PICK_ARGS_MSG = ugettext(
+'The "continue" and "field" args are not both present.')
+DEF_REQUEST_COMPLETED_MSG = ugettext(
+'This request cannot be accepted (it is either completed or denied).')
+DEF_SCOPE_INACTIVE_MSG = ugettext(
+'The scope for this request is not active.')
 DEF_PAGE_DENIED_MSG = ugettext(
 'Access to this page has been restricted')
 DEF_LOGOUT_MSG_FMT = ugettext(
 rather then modifying rights directly if so desired.
 """
 MEMBERSHIP = {
 'anyone': 'allow',
-'club_admin': 'checkIsClubAdminForScope',
+'club_admin': ('checkHasRole', club_admin_logic),
-'club_member': 'checkIsClubMemberForScope',
+'club_member': ('checkHasRole', club_member_logic),
-'host': 'checkHasHostEntity',
+'host': ('checkHasRole', host_logic),
-'org_admin': 'deny',
+'org_admin': ('checkHasRole', org_admin_logic),
-'org_mentor': 'deny',
+'org_mentor': ('checkHasRole', mentor_logic),
-'org_student': 'deny',
+'org_student': 'deny', #('checkHasRole', student_logic),
 'user': 'checkIsUser',
-'user_self': 'checkIsUserSelf',
+'user_self': ('checkIsUserSelf', 'scope_path'),
 }
 def __init__(self, params):
 """Adopts base.rights as rights if base is set.
 """
 'tos_link': redirects.getToSRedirect(site_logic.getSingleton())}
 raise out_of_band.LoginRequest(message_fmt=login_msg_fmt)
 @allowDeveloper
-def checkIsUserSelf(self, django_args):
+def checkIsUserSelf(self, django_args, field_name):
 """Checks whether the specified user is the logged in user.
 Args:
 django_args: the keyword args from django, only scope_path is used
 """
-if not 'scope_path' in django_args:
+if not field_name in django_args:
 self.deny(django_args)
-if self.user.link_id == django_args['scope_path']:
+if self.user.link_id == django_args[field_name]:
 return
 raise out_of_band.AccessViolation()
 def checkIsUnusedAccount(self, django_args):
 message_fmt = DEF_USER_ACCOUNT_INVALID_MSG_FMT % {
 'email' : self.id.email()}
 raise out_of_band.LoginRequest(message_fmt=message_fmt)
 def checkHasUserEntity(self, django_args):
 """Raises an alternate HTTP response if Google Account has no User entity.
 Args:
 django_args: a dictionary with django's arguments
 if not self.user:
 raise out_of_band.LoginRequest(message_fmt=DEF_NO_USER_LOGIN_MSG)
 return
 def checkIsDeveloper(self, django_args):
 """Raises an alternate HTTP response if Google Account is not a Developer.
 Args:
 * if no Google Account is logged in at all
 """
 self.checkIsUser(django_args)
-if accounts.isDeveloper(account=self.id):
+if accounts.isDeveloper(account=self.id, user=self.user):
 return
 login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
 'role': 'a Site Developer '}
 raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
 @allowDeveloper
 @denySidebar
-def checkIsGroupActive(self, django_args, group_logic):
+def checkIsActive(self, django_args, logic,
+field_name='scope_path', filter_field='link_id'):
 """Raises an alternate HTTP response if Group status is not active.
 Args:
 django_args: a dictionary with django's arguments
 AccessViolationResponse:
 * if no Group is found
 * if the Group status is not active
 """
-fields = {'link_id': django_args['link_id']}
+self.checkIsUser(django_args)
-if django_args.get('scope_path'):
+if field_name and (field_name not in django_args):
-fields['scope_path'] = django_args['scope_path']
+self.deny(django_args)
-group_entity = group_logic.logic.getFromKeyFieldsOr404(fields)
+fields = {
+filter_field: django_args[filter_field],
-if group_entity.status == 'active':
+'status': active,
-return
+}
-# TODO tell the user that this group is not active
+if field_name:
-self.deny(django_args)
+fields['scope_path'] = django_args[field_name]
+entity = logic.geForFields(fields)
+if entity:
+return
+raise out_of_band.AccessViolation(message_fmt=DEF_NO_ACTIVE_GROUP_MSG)
+def checkHasRole(self, django_args, logic):
+"""Checks that the user has the specified role.
+"""
+django_args['user'] = self.user
+self.checkIsActive(django_args, logic, 'scope_path', 'user')
 def checkCanMakeRequestToGroup(self, django_args, group_logic):
 """Raises an alternate HTTP response if the specified group is not in an
 active status.
 if not group_entity:
 raise out_of_band.Error(DEF_GROUP_NOT_FOUND_MSG, status=404)
 if group_entity.status != 'active':
 # TODO tell the user that this group is not active
-self.deny(django_args)
+raise out_of_band.AccessViolation(message_fmt=DEF_NO_ACTIVE_GROUP_MSG)
 return
 def checkCanCreateFromRequest(self, django_args, role_name):
 """Raises an alternate HTTP response if the specified request does not exist
 or if it's status is not group_accepted. Also when the group this request
 is from is in an inactive or invalid status access will be denied.
 """
-self.checkIsUser(django_args)
+self.checkIsUserSelf(django_args, 'link_id')
-user_entity = user_logic.getForCurrentAccount()
+fields = {
+'link_id': django_args['link_id'],
-if user_entity.link_id != django_args['link_id']:
-self.deny(django_args)
-fields = {'link_id': django_args['link_id'],
 'scope_path': django_args['scope_path'],
-'role': role_name}
+'role': role_name,
+'status': 'group_accepted',
-request_entity = request_logic.getFromKeyFieldsOr404(fields)
+}
-if request_entity.status != 'group_accepted':
+entity = request_logic.getFromFields(fields)
-# TODO tell the user that this request has not been accepted yet
-self.deny(django_args)
+if entity and (entity.scope.status not in ['invalid', 'inactive']):
+return
-if request_entity.scope.status in ['invalid', 'inactive']:
-# TODO tell the user that it is not possible to create this role anymore
+raise out_of_band.AccessViolation(message_fmt=DEF_CANNOT_CREATE_MSG)
-self.deny(django_args)
+def checkIsMyGroupAcceptedRequest(self, django_args):
-return
+"""Checks whether the user can accept the specified request.
+"""
+self.checkCanCreateFromRequest(django_args, django_args['role'])
 def checkCanProcessRequest(self, django_args, role_name):
 """Raises an alternate HTTP response if the specified request does not exist
 or if it's status is completed or denied. Also Raises an alternate HTTP response
 whenever the group in the request is not active.
 """
-fields = {'link_id': django_args['link_id'],
+fields = {
+'link_id': django_args['link_id'],
 'scope_path': django_args['scope_path'],
-'role': role_name}
+'role': role_name,
+}
 request_entity = request_logic.getFromKeyFieldsOr404(fields)
 if request_entity.status in ['completed', 'denied']:
-# TODO tell the user that this request has been processed
+raise out_of_band.AccessViolation(message_fmt=DEF_REQUEST_COMPLETED_MSG)
-self.deny(django_args)
+if request_entity.scope.status == 'active':
-if request_entity.scope.status != 'active':
+return
-# TODO tell the user that this group cannot process requests
-self.deny(django_args)
+raise out_of_band.AccessViolation(message_fmt=DEF_SCOPE_INACTIVE_MSG)
-return
-def checkIsMyGroupAcceptedRequest(self, django_args):
-"""Raises an alternate HTTP response if the specified request does not exist
-or if it's status is not group_accepted.
-"""
-self.checkIsUser(django_args)
-user_entity = user_logic.getForCurrentAccount()
-if user_entity.link_id != django_args['link_id']:
-# not the current user's request
-self.deny(django_args)
-fields = {'link_id': django_args['link_id'],
-'scope_path': django_args['scope_path'],
-'role': django_args['role']}
-request_entity = request_logic.getForFields(fields, unique=True)
-if not request_entity:
-# TODO return 404
-self.deny(django_args)
-if request_entity.status != 'group_accepted':
-self.deny(django_args)
-return
-@allowDeveloper
-@denySidebar
-def checkIsHost(self, django_args):
-"""Raises an alternate HTTP response if Google Account has no Host entity.
-Args:
-request: a Django HTTP request
-Raises:
-AccessViolationResponse:
-* if User is not already a Host, or
-* if User has not agreed to the site-wide ToS, or
-* if no User exists for the logged-in Google Account, or
-* if the user is not even logged in
-"""
-self.checkIsUser(django_args)
-scope_path = None
-if 'scope_path' in django_args:
-scope_path = django_args['scope_path']
-if 'link_id' in django_args:
-scope_path = django_args['link_id']
-fields = {'user': self.user,
-'status': 'active'}
-if scope_path:
-fields['scope_path'] = scope_path
-host = host_logic.getForFields(fields, unique=True)
-if host:
-return
-login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
-'role': 'a Program Administrator '}
-raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-def checkHasHostEntity(self, django_args):
-"""Checks whether the current user has a Host entity.
-"""
-self.checkIsHost({})
 @denySidebar
 @allowDeveloper
 def checkIsHostForProgram(self, django_args):
 """Checks if the user is a host for the specified program.
 if not program or program.status == 'invalid':
 self.deny(django_args)
 new_args = {'scope_path': program.scope_path }
-self.checkIsHost(new_args)
+self.checkHasRole(new_args, host_logic)
-@allowDeveloper
-def checkIsHostForSponsor(self, django_args):
-"""Raises an alternate HTTP response if Google Account has no Host entity
-for the specified Sponsor.
-Args:
-request: a Django HTTP request
-Raises:
-AccessViolationResponse:
-* if User is not already a Host for the specified program, or
-* if User has not agreed to the site-wide ToS, or
-* if no User exists for the logged-in Google Account, or
-* if the user is not even logged in
-"""
-self.checkIsUser(django_args)
-user = user_logic.getForCurrentAccount()
-if django_args.get('scope_path'):
-scope_path = django_args['scope_path']
-else:
-scope_path = django_args['link_id']
-fields = {'user': user,
-'scope_path': scope_path,
-'status': 'active'}
-host = host_logic.getForFields(fields, unique=True)
-if host:
-return
-login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
-'role': 'a Program Administrator '}
-raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-@allowDeveloper
-def checkIsClubAdminForClub(self, django_args):
-"""Returns an alternate HTTP response if Google Account has no Club Admin
-entity for the specified club.
-Args:
-django_args: a dictionary with django's arguments
-Raises:
-AccessViolationResponse: if the required authorization is not met
-Returns:
-None if Club Admin exists for the specified club, or a subclass of
-django.http.HttpResponse which contains the alternate response
-should be returned by the calling view.
-"""
-self.checkIsUser(django_args)
-user = user_logic.getForCurrentAccount()
-if django_args.get('scope_path'):
-scope_path = django_args['scope_path']
-else:
-scope_path = django_args['link_id']
-fields = {'user': user,
-'scope_path': scope_path,
-'status': 'active'}
-club_admin_entity = club_admin_logic.getForFields(fields, unique=True)
-if club_admin_entity:
-return
-login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
-'role': 'a Club Admin for this Club'}
-raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-@allowDeveloper
-@allowIfCheckPasses('checkIsClubAdminForClub')
-def checkIsClubMemberForClub(self, django_args):
-"""Returns an alternate HTTP response if Google Account has no Club Member
-entity for the specified club.
-Args:
-django_args: a dictionary with django's arguments
-Raises:
-AccessViolationResponse: if the required authorization is not met
-Returns:
-None if Club Member exists for the specified club, or a subclass of
-django.http.HttpResponse which contains the alternate response
-should be returned by the calling view.
-"""
-self.checkIsUser(django_args)
-if django_args.get('scope_path'):
-scope_path = django_args['scope_path']
-else:
-scope_path = django_args['link_id']
-fields = {'user': self.user,
-'scope_path': scope_path,
-'status': 'active'}
-club_member_entity = club_member_logic.getForFields(fields, unique=True)
-if club_member_entity:
-return
-login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
-'role': 'a Club Member for this Club'}
-raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-def checkIsClubAdminForScope(self, django_args):
-"""Checks whether the current user is a Club Mdmin.
-Args:
-django_args: the keyword arguments from django, only scope_path is used
-"""
-scope_path = django_args['scope_path']
-self.checkIsClubAdminForClub({'link_id': scope_path})
-def checkIsClubMemberForScope(self, django_args):
-"""Checks whether the current user is a Club Mdmin.
-Args:
-django_args: the keyword arguments from django, only scope_path is used
-"""
-scope_path = django_args['scope_path']
-self.checkIsClubMemberForClub({'link_id': scope_path})
 @allowDeveloper
 def checkIsApplicationAccepted(self, django_args, app_logic):
 """Returns an alternate HTTP response if Google Account has no Club App
 entity for the specified Club.
 should be returned by the calling view.
 """
 self.checkIsUser(django_args)
-user = user_logic.getForCurrentAccount()
 properties = {
-'applicant': user,
+'applicant': self.user,
 'status': 'accepted'
 }
-application = app_logic.logic.getForFields(properties, unique=True)
+application = app_logic.getForFields(properties, unique=True)
 if application:
 return
 # TODO(srabbelier) Make this give a proper error message
 self.deny(django_args)
-@allowDeveloper
+def checkIsMyEntity(self, django_args, logic, field_name='user'):
-def checkIsMyNotification(self, django_args):
+"""Checks whether the entity belongs to the user.
-"""Returns an alternate HTTP response if this request is for
-a Notification belonging to the current user.
-Args:
-django_args: a dictionary with django's arguments
-Raises:
-AccessViolationResponse: if the required authorization is not met
-Returns:
-None if the current User is allowed to access this Notification.
 """
 self.checkIsUser(django_args)
-properties = dicts.filter(django_args, ['link_id', 'scope_path'])
+fields = {
+'link_id': django_args['link_id'],
-notification = notification_logic.getForFields(properties, unique=True)
+field_name: self.user,
-user = user_logic.getForCurrentAccount()
+}
-# We need to check to see if the key's are equal since the User
+entity = logic.getForFields(fields)
-# objects are different and the default __eq__ method does not check
-# if the keys are equal (which is what we want).
+if entity:
-if user.key() == notification.scope.key():
+return
-return None
+raise out_of_band.AccessViolation(message_fmt=DEF_NOT_YOUR_ENTITY_MSG)
-# TODO(ljvderijk) Make this give a proper error message
-self.deny(django_args)
-@allowDeveloper
-def checkIsMyApplication(self, django_args, app_logic):
-"""Returns an alternate HTTP response if this request is for
-a Application belonging to the current user.
-Args:
-request: a Django HTTP request
-Raises:
-AccessViolationResponse: if the required authorization is not met
-Returns:
-None if the current User is allowed to access this Application.
-"""
-self.checkIsUser(django_args)
-properties = dicts.filter(django_args, ['link_id'])
-application = app_logic.logic.getForFields(properties, unique=True)
-if not application:
-self.deny(django_args)
-# We need to check to see if the key's are equal since the User
-# objects are different and the default __eq__ method does not check
-# if the keys are equal (which is what we want).
-if self.user.key() == application.applicant.key():
-return None
-# TODO(srabbelier) Make this give a proper error message
-self.deny(django_args)
-@allowDeveloper
-def checkIsMyActiveRole(self, django_args, role_logic):
-"""Returns an alternate HTTP response if there is no active role found for
-the current user using the given role_logic.
-Raises:
-AccessViolationResponse: if the required authorization is not met
-Returns:
-None if the current User has an active role for the given role_logic.
-"""
-if not self.user or self.user.link_id != django_args['link_id']:
-# not my role
-self.deny(django_args)
-fields = {'link_id': django_args['link_id'],
-'scope_path': django_args['scope_path'],
-}
-role_entity = role_logic.logic.getFromKeyFieldsOr404(fields)
-if role_entity.status != 'active':
-# role is not active
-self.deny(django_args)
 @allowDeveloper
 @denySidebar
 def checkIsAllowedToManageRole(self, django_args, role_logic, manage_role_logic):
 """Returns an alternate HTTP response if the user is not allowed to manage
 that belongs to the same scope as the role that needs to be managed
 """
 try:
 # check if it is my role the user's own role
-self.checkIsMyActiveRole(django_args, role_logic)
+self.checkHasRole(django_args, role_logic)
 except out_of_band.Error:
 pass
 # apparently it's not the user's role so check if managing this role is allowed
-fields = {'link_id': django_args['link_id'],
+fields = {
-'scope_path': django_args['scope_path'],
+'link_id': django_args['link_id'],
-}
+'scope_path': django_args['scope_path'],
+'status': 'active',
-role_entity = role_logic.logic.getFromKeyFieldsOr404(fields)
+}
-if role_entity.status != 'active':
+role_entity = role_logic.logic.getForFields(fields)
-# cannot manage this entity
-self.deny(django_args)
+fields = {
+'link_id': self.user.link_id,
-fields = {'link_id': self.user.link_id,
 'scope_path': django_args['scope_path'],
 'status': 'active'
 }
 manage_entity = manage_role_logic.logic.getForFields(fields, unique=True)
 get_args = django_args.get('GET', {})
 if 'continue' in get_args and 'field' in get_args:
 return
-#TODO(SRabbelier) inform user that return_url and field are required
+raise out_of_band.Error(message_fmt=DEF_NEED_PICK_ARGS_MSG)
-self.deny(django_args)
 @denySidebar
 @allowDeveloper
 def checkIsDocumentReadable(self, django_args):
 """Checks whether a document is readable.
 document = document_logic.getFromKeyFields(key_fields)
 self.checkMembership('write', document.prefix,
 document.write_access, django_args)
-@allowIfCheckPasses('checkIsHostForProgram')
-def checkIsProgramVisible(self, django_args):
-"""Checks whether a program is visible.
-"""
-if 'entity' in django_args:
-program = django_args['entity']
-else:
-key_fields = program_logic.getKeyFieldsFromFields(django_args)
-program = program_logic.getFromKeyFields(key_fields)
-if not program:
-self.deny(django_args)
-if program.status == 'visible':
-return
-context = django_args.get('context', {})
-context['title'] = 'Access denied'
-message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
-'role': ugettext('a Program Administrator')}
-raise out_of_band.AccessViolation(DEF_DEV_LOGOUT_LOGIN_MSG_FMT,
-context=context)
 def checkCanEditTimeline(self, django_args):
 """Checks whether this program's timeline may be edited.
 """
 time_line_keyname = django_args['scope_path']
 # timeline does not exists so deny
 self.deny(django_args)
 split_keyname = time_line_keyname.rsplit('/')
-fields = {'scope_path' : split_keyname[0],
+fields = {
+'scope_path' : split_keyname[0],
 'link_id' : split_keyname[1],
 }
-return self.checkIsHostForProgram(fields)
+self.checkIsHostForProgram(fields)

changeset 1163	d8c50be19232
parent 1142	da2487767ef4
child 1176	c211191e7d81