# HG changeset patch
# User Sverre Rabbelier
# Date 1233521087 0
# Node ID d8c50be19232207266c303661f73c7ec922d1255
# Parent 1d9396d75c131765ca3246e83463b5cd44cb6efb
Cleaned up access.py
Removed a lot of duplicate code and added more generic checkers in their place.
Patch by: Sverre Rabbelier
diff -r 1d9396d75c13 -r d8c50be19232 app/soc/cache/rights.py
--- a/app/soc/cache/rights.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/cache/rights.py Sun Feb 01 20:44:47 2009 +0000
@@ -26,31 +26,26 @@
 RIGHTS = [
- 'checkAccess',
 'checkCanCreateFromRequest',
+ 'checkCanEditTimeline',
 'checkCanMakeRequestToGroup',
 'checkCanProcessRequest',
 'checkHasPickGetArgs',
+ 'checkHasRole',
 'checkHasUserEntity',
- 'checkHasHostEntity',
 'checkIsActive',
+ 'checkIsAllowedToManageRole',
 'checkIsApplicationAccepted',
- 'checkIsClubAdminForClub',
 'checkIsDeveloper',
 'checkIsDocumentReadable',
 'checkIsDocumentWritable',
- 'checkIsGroupActive',
- 'checkIsHost',
- 'checkIsHostForSponsor',
+ 'checkIsHostForProgram',
 'checkIsLoggedIn',
- 'checkIsMyActiveRole',
- 'checkIsMyApplication',
+ 'checkIsMyEntity',
 'checkIsMyGroupAcceptedRequest',
- 'checkIsMyNotification',
- 'checkIsProgramActive',
 'checkIsUnusedAccount',
 'checkIsUser',
- 'checkIsUserSelf'
+ 'checkIsUserSelf',
 'checkNotLoggedIn',
 ]
diff -r 1d9396d75c13 -r d8c50be19232 app/soc/views/helper/access.py
--- a/app/soc/views/helper/access.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/helper/access.py Sun Feb 01 20:44:47 2009 +0000
@@ -44,16 +44,19 @@
 from soc.logic.models.club_member import logic as club_member_logic
 from soc.logic.models.document import logic as document_logic
 from soc.logic.models.host import logic as host_logic
+from soc.logic.models.mentor import logic as mentor_logic
 from soc.logic.models.notification import logic as notification_logic
+from soc.logic.models.org_admin import logic as org_admin_logic
+from soc.logic.models.program import logic as program_logic
 from soc.logic.models.request import logic as request_logic
 from soc.logic.models.role import logic as role_logic
 from soc.logic.models.site import logic as site_logic
-from soc.logic.models.program import logic as program_logic
+#from soc.logic.models.student import logic as student_logic
 from soc.logic.models.timeline import logic as timeline_logic
 from soc.logic.models.user import logic as user_logic
+from soc.views.helper import redirects
 from soc.views import helper
 from soc.views import out_of_band
-from soc.views.helper import redirects
 DEF_NO_USER_LOGIN_MSG= ugettext(
@@ -74,6 +77,27 @@
 'You need to be in the %(status)s group to %(action)s'
 ' documents in the %(prefix)s prefix.')
+DEF_NEED_ROLE_MSG = ugettext(
+ 'You do not have the required role.')
+
+DEF_NOT_YOUR_ENTITY_MSG = ugettext(
+ 'This entity does not belong to you.')
+
+DEF_NO_ACTIVE_GROUP_MSG = ugettext(
+ 'There is no such active group.')
+
+DEF_NO_REQUEST_MSG = ugettext(
+ 'There is no accepted request that would allow you to visit this page.')
+
+DEF_NEED_PICK_ARGS_MSG = ugettext(
+ 'The "continue" and "field" args are not both present.')
+
+DEF_REQUEST_COMPLETED_MSG = ugettext(
+ 'This request cannot be accepted (it is either completed or denied).')
+
+DEF_SCOPE_INACTIVE_MSG = ugettext(
+ 'The scope for this request is not active.')
+
 DEF_PAGE_DENIED_MSG = ugettext(
 'Access to this page has been restricted')
@@ -142,14 +166,14 @@ MEMBERSHIP = { 'anyone': 'allow', - 'club_admin': 'checkIsClubAdminForScope', - 'club_member': 'checkIsClubMemberForScope', - 'host': 'checkHasHostEntity', - 'org_admin': 'deny', - 'org_mentor': 'deny', - 'org_student': 'deny', + 'club_admin': ('checkHasRole', club_admin_logic), + 'club_member': ('checkHasRole', club_member_logic), + 'host': ('checkHasRole', host_logic), + 'org_admin': ('checkHasRole', org_admin_logic), + 'org_mentor': ('checkHasRole', mentor_logic), + 'org_student': 'deny', #('checkHasRole', student_logic), 'user': 'checkIsUser', - 'user_self': 'checkIsUserSelf', + 'user_self': ('checkIsUserSelf', 'scope_path'), } def __init__(self, params): @@ -410,17 +434,17 @@ raise out_of_band.LoginRequest(message_fmt=login_msg_fmt) @allowDeveloper - def checkIsUserSelf(self, django_args): + def checkIsUserSelf(self, django_args, field_name): """Checks whether the specified user is the logged in user. Args: django_args: the keyword args from django, only scope_path is used """ - if not 'scope_path' in django_args: + if not field_name in django_args: self.deny(django_args) - if self.user.link_id == django_args['scope_path']: + if self.user.link_id == django_args[field_name]: return raise out_of_band.AccessViolation() @@ -447,7 +471,6 @@ 'email' : self.id.email()} raise out_of_band.LoginRequest(message_fmt=message_fmt) - def checkHasUserEntity(self, django_args): """Raises an alternate HTTP response if Google Account has no User entity. @@ -467,7 +490,6 @@ return - def checkIsDeveloper(self, django_args): """Raises an alternate HTTP response if Google Account is not a Developer. @@ -483,7 +505,7 @@ self.checkIsUser(django_args) - if accounts.isDeveloper(account=self.id): + if accounts.isDeveloper(account=self.id, user=self.user): return login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % { 
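Review bot: The `host` membership entry moves from checkHasHostEntity, whose removed implementation called `checkIsHost({})` and so looked the Host up without any scope, to `('checkHasRole', host_logic)`, and checkHasRole as added in this patch denies outright when `scope_path` is absent and otherwise requires a Host entity scoped to exactly that `scope_path`; if checkMembership forwards the document's own args, hosts lose access to documents whose scope is not a sponsor. `club_member` likewise no longer inherits the pass-through that `@allowIfCheckPasses('checkIsClubAdminForClub')` gave the removed checkIsClubMemberForClub, so club admins are no longer treated as members here; both narrowings deserve a sentence in the commit message if intended. The trailing `#('checkHasRole', student_logic)` after `'org_student': 'deny',` is commented-out code and reads better as `# TODO: ('checkHasRole', student_logic) once student_logic exists`.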
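Review bot: The Args section of checkIsUserSelf still reads `django_args: the keyword args from django, only scope_path is used`, but the key compared is now the new `field_name` parameter; change it to `django_args: the keyword args from django, only field_name is used` and add `field_name: key in django_args whose value is compared with the current user's link_id`. `if not field_name in django_args:` is clearer as `if field_name not in django_args:`.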
@@ -493,7 +515,8 @@ @allowDeveloper @denySidebar - def checkIsGroupActive(self, django_args, group_logic): + def checkIsActive(self, django_args, logic, + field_name='scope_path', filter_field='link_id'): """Raises an alternate HTTP response if Group status is not active. Args: @@ -505,19 +528,32 @@ * if the Group status is not active """ - fields = {'link_id': django_args['link_id']} + self.checkIsUser(django_args) + + if field_name and (field_name not in django_args): + self.deny(django_args) - if django_args.get('scope_path'): - fields['scope_path'] = django_args['scope_path'] + fields = { + filter_field: django_args[filter_field], + 'status': active, + } - group_entity = group_logic.logic.getFromKeyFieldsOr404(fields) + if field_name: + fields['scope_path'] = django_args[field_name] - if group_entity.status == 'active': + entity = logic.geForFields(fields) + + if entity: return - # TODO tell the user that this group is not active - self.deny(django_args) + raise out_of_band.AccessViolation(message_fmt=DEF_NO_ACTIVE_GROUP_MSG) + def checkHasRole(self, django_args, logic): + """Checks that the user has the specified role. + """ + + django_args['user'] = self.user + self.checkIsActive(django_args, logic, 'scope_path', 'user') def checkCanMakeRequestToGroup(self, django_args, group_logic): """Raises an alternate HTTP response if the specified group is not in an @@ -537,7 +573,7 @@ if group_entity.status != 'active': # TODO tell the user that this group is not active - self.deny(django_args) + raise out_of_band.AccessViolation(message_fmt=DEF_NO_ACTIVE_GROUP_MSG) return 
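Review bot: The docstring of the renamed checkIsActive still says `Raises an alternate HTTP response if Group status is not active.`, but the method now takes any `logic` plus `field_name` and `filter_field`; reword it to `Raises an alternate HTTP response if no active entity of the given logic matches the fields.` and document the two new parameters and their defaults (`'scope_path'`, `'link_id'`) under Args. The Args block continues outside the hunk.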
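Review bot: `entity = logic.geForFields(fields)` in checkIsActive is a typo for `getForFields` (the name every other call on this page uses), and `'status': active,` in the `fields` dict references an undefined name where the string `'active'` is meant, so every checkIsActive and checkHasRole evaluation raises NameError (and, once that is fixed, AttributeError) instead of returning or denying. checkHasRole also replaces checkIsMyActiveRole for the `edit` rights of club_admin.py, club_member.py, host.py, mentor.py and org_admin.py, but it only verifies that the current user holds an active role in `django_args['scope_path']`, whereas the removed checker first required `self.user.link_id == django_args['link_id']`; as written, any active role holder in a scope can edit the role entities of peers in that scope, so either keep a link_id comparison in those chains (e.g. a preceding `('checkIsUserSelf', 'link_id')`) or state the widening in the commit message. `django_args['user'] = self.user` writes into the caller's kwargs dict, which subsequent checkers and the view receive; `args = dict(django_args); args['user'] = self.user` keeps the injection local. `django_args[filter_field]` is read without the `in` guard that `field_name` gets, so a missing `link_id` surfaces as a KeyError rather than a deny.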
@@ -547,28 +583,27 @@ is from is in an inactive or invalid status access will be denied. """ - self.checkIsUser(django_args) - - user_entity = user_logic.getForCurrentAccount() + self.checkIsUserSelf(django_args, 'link_id') - if user_entity.link_id != django_args['link_id']: - self.deny(django_args) + fields = { + 'link_id': django_args['link_id'], + 'scope_path': django_args['scope_path'], + 'role': role_name, + 'status': 'group_accepted', + } - fields = {'link_id': django_args['link_id'], - 'scope_path': django_args['scope_path'], - 'role': role_name} + entity = request_logic.getFromFields(fields) - request_entity = request_logic.getFromKeyFieldsOr404(fields) + if entity and (entity.scope.status not in ['invalid', 'inactive']): + return - if request_entity.status != 'group_accepted': - # TODO tell the user that this request has not been accepted yet - self.deny(django_args) + raise out_of_band.AccessViolation(message_fmt=DEF_CANNOT_CREATE_MSG) - if request_entity.scope.status in ['invalid', 'inactive']: - # TODO tell the user that it is not possible to create this role anymore - self.deny(django_args) + def checkIsMyGroupAcceptedRequest(self, django_args): + """Checks whether the user can accept the specified request. + """ - return + self.checkCanCreateFromRequest(django_args, django_args['role']) def checkCanProcessRequest(self, django_args, role_name): """Raises an alternate HTTP response if the specified request does not exist 
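Review bot: `raise out_of_band.AccessViolation(message_fmt=DEF_CANNOT_CREATE_MSG)` names a constant that the message block this patch adds does not define, while the added `DEF_NO_REQUEST_MSG` is used nowhere in the patch; unless DEF_CANNOT_CREATE_MSG exists outside these hunks, the deny path raises NameError, and DEF_NO_REQUEST_MSG looks like the intended message. `request_logic.getFromFields(fields)` is the only call by that name on the page (the others use `getForFields`), and since it is called without `unique=True` the following `entity.scope.status` presumably runs against a query result rather than one entity — confirm the helper's name and return type. The ownership test is now routed through checkIsUserSelf, which carries `@allowDeveloper`, so if that decorator also short-circuits internal calls a developer can accept a request addressed to another user's link_id, which the removed inline `user_entity.link_id != django_args['link_id']` comparison did not allow; if intended, say so in the docstring. checkCanCreateFromRequest's signature lies outside the hunk.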
@@ -576,96 +611,21 @@ whenever the group in the request is not active. """ - fields = {'link_id': django_args['link_id'], + fields = { + 'link_id': django_args['link_id'], 'scope_path': django_args['scope_path'], - 'role': role_name} + 'role': role_name, + } request_entity = request_logic.getFromKeyFieldsOr404(fields) if request_entity.status in ['completed', 'denied']: - # TODO tell the user that this request has been processed - self.deny(django_args) - - if request_entity.scope.status != 'active': - # TODO tell the user that this group cannot process requests - self.deny(django_args) - - return - - def checkIsMyGroupAcceptedRequest(self, django_args): - """Raises an alternate HTTP response if the specified request does not exist - or if it's status is not group_accepted. - """ - - self.checkIsUser(django_args) - - user_entity = user_logic.getForCurrentAccount() - - if user_entity.link_id != django_args['link_id']: - # not the current user's request - self.deny(django_args) - - fields = {'link_id': django_args['link_id'], - 'scope_path': django_args['scope_path'], - 'role': django_args['role']} - - request_entity = request_logic.getForFields(fields, unique=True) - - if not request_entity: - # TODO return 404 - self.deny(django_args) - - if request_entity.status != 'group_accepted': - self.deny(django_args) + raise out_of_band.AccessViolation(message_fmt=DEF_REQUEST_COMPLETED_MSG) - return - - @allowDeveloper - @denySidebar - def checkIsHost(self, django_args): - """Raises an alternate HTTP response if Google Account has no Host entity. 
- - Args: - request: a Django HTTP request - - Raises: - AccessViolationResponse: - * if User is not already a Host, or - * if User has not agreed to the site-wide ToS, or - * if no User exists for the logged-in Google Account, or - * if the user is not even logged in - """ - - self.checkIsUser(django_args) - - scope_path = None - - if 'scope_path' in django_args: - scope_path = django_args['scope_path'] - if 'link_id' in django_args: - scope_path = django_args['link_id'] - - fields = {'user': self.user, - 'status': 'active'} - - if scope_path: - fields['scope_path'] = scope_path - - host = host_logic.getForFields(fields, unique=True) - - if host: + if request_entity.scope.status == 'active': return - login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % { - 'role': 'a Program Administrator '} - - raise out_of_band.LoginRequest(message_fmt=login_message_fmt) - - def checkHasHostEntity(self, django_args): - """Checks whether the current user has a Host entity. - """ - - self.checkIsHost({}) + raise out_of_band.AccessViolation(message_fmt=DEF_SCOPE_INACTIVE_MSG) @denySidebar @allowDeveloper 
@@ -680,145 +640,7 @@ self.deny(django_args) new_args = {'scope_path': program.scope_path } - self.checkIsHost(new_args) - - @allowDeveloper - def checkIsHostForSponsor(self, django_args): - """Raises an alternate HTTP response if Google Account has no Host entity - for the specified Sponsor. - - Args: - request: a Django HTTP request - - Raises: - AccessViolationResponse: - * if User is not already a Host for the specified program, or - * if User has not agreed to the site-wide ToS, or - * if no User exists for the logged-in Google Account, or - * if the user is not even logged in - """ - - self.checkIsUser(django_args) - - user = user_logic.getForCurrentAccount() - - if django_args.get('scope_path'): - scope_path = django_args['scope_path'] - else: - scope_path = django_args['link_id'] - - fields = {'user': user, - 'scope_path': scope_path, - 'status': 'active'} - - host = host_logic.getForFields(fields, unique=True) - - if host: - return - - login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % { - 'role': 'a Program Administrator '} - - raise out_of_band.LoginRequest(message_fmt=login_message_fmt) - - @allowDeveloper - def checkIsClubAdminForClub(self, django_args): - """Returns an alternate HTTP response if Google Account has no Club Admin - entity for the specified club. - - Args: - django_args: a dictionary with django's arguments - - Raises: - AccessViolationResponse: if the required authorization is not met - - Returns: - None if Club Admin exists for the specified club, or a subclass of - django.http.HttpResponse which contains the alternate response - should be returned by the calling view. 
- """ - - self.checkIsUser(django_args) - - user = user_logic.getForCurrentAccount() - - if django_args.get('scope_path'): - scope_path = django_args['scope_path'] - else: - scope_path = django_args['link_id'] - - fields = {'user': user, - 'scope_path': scope_path, - 'status': 'active'} - - club_admin_entity = club_admin_logic.getForFields(fields, unique=True) - - if club_admin_entity: - return - - login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % { - 'role': 'a Club Admin for this Club'} - - raise out_of_band.LoginRequest(message_fmt=login_message_fmt) - - @allowDeveloper - @allowIfCheckPasses('checkIsClubAdminForClub') - def checkIsClubMemberForClub(self, django_args): - """Returns an alternate HTTP response if Google Account has no Club Member - entity for the specified club. - - Args: - django_args: a dictionary with django's arguments - - Raises: - AccessViolationResponse: if the required authorization is not met - - Returns: - None if Club Member exists for the specified club, or a subclass of - django.http.HttpResponse which contains the alternate response - should be returned by the calling view. - """ - - self.checkIsUser(django_args) - - if django_args.get('scope_path'): - scope_path = django_args['scope_path'] - else: - scope_path = django_args['link_id'] - - fields = {'user': self.user, - 'scope_path': scope_path, - 'status': 'active'} - - club_member_entity = club_member_logic.getForFields(fields, unique=True) - - if club_member_entity: - return - - login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % { - 'role': 'a Club Member for this Club'} - - raise out_of_band.LoginRequest(message_fmt=login_message_fmt) - - def checkIsClubAdminForScope(self, django_args): - """Checks whether the current user is a Club Mdmin. 
- - Args: - django_args: the keyword arguments from django, only scope_path is used - """ - - scope_path = django_args['scope_path'] - self.checkIsClubAdminForClub({'link_id': scope_path}) - - def checkIsClubMemberForScope(self, django_args): - """Checks whether the current user is a Club Mdmin. - - Args: - django_args: the keyword arguments from django, only scope_path is used - """ - - scope_path = django_args['scope_path'] - self.checkIsClubMemberForClub({'link_id': scope_path}) + self.checkHasRole(new_args, host_logic) @allowDeveloper def checkIsApplicationAccepted(self, django_args, app_logic): @@ -839,14 +661,12 @@ self.checkIsUser(django_args) - user = user_logic.getForCurrentAccount() - properties = { - 'applicant': user, + 'applicant': self.user, 'status': 'accepted' } - application = app_logic.logic.getForFields(properties, unique=True) + application = app_logic.getForFields(properties, unique=True) if application: return 
@@ -854,96 +674,23 @@ # TODO(srabbelier) Make this give a proper error message self.deny(django_args) - @allowDeveloper - def checkIsMyNotification(self, django_args): - """Returns an alternate HTTP response if this request is for - a Notification belonging to the current user. - - Args: - django_args: a dictionary with django's arguments - - Raises: - AccessViolationResponse: if the required authorization is not met - - Returns: - None if the current User is allowed to access this Notification. + def checkIsMyEntity(self, django_args, logic, field_name='user'): + """Checks whether the entity belongs to the user. """ self.checkIsUser(django_args) - properties = dicts.filter(django_args, ['link_id', 'scope_path']) - - notification = notification_logic.getForFields(properties, unique=True) - user = user_logic.getForCurrentAccount() - - # We need to check to see if the key's are equal since the User - # objects are different and the default __eq__ method does not check - # if the keys are equal (which is what we want). - if user.key() == notification.scope.key(): - return None - - # TODO(ljvderijk) Make this give a proper error message - self.deny(django_args) - - @allowDeveloper - def checkIsMyApplication(self, django_args, app_logic): - """Returns an alternate HTTP response if this request is for - a Application belonging to the current user. - - Args: - request: a Django HTTP request - - Raises: - AccessViolationResponse: if the required authorization is not met - - Returns: - None if the current User is allowed to access this Application. 
- """ - - self.checkIsUser(django_args) - - properties = dicts.filter(django_args, ['link_id']) - - application = app_logic.logic.getForFields(properties, unique=True) + fields = { + 'link_id': django_args['link_id'], + field_name: self.user, + } - if not application: - self.deny(django_args) - - # We need to check to see if the key's are equal since the User - # objects are different and the default __eq__ method does not check - # if the keys are equal (which is what we want). - if self.user.key() == application.applicant.key(): - return None - - # TODO(srabbelier) Make this give a proper error message - self.deny(django_args) - - @allowDeveloper - def checkIsMyActiveRole(self, django_args, role_logic): - """Returns an alternate HTTP response if there is no active role found for - the current user using the given role_logic. + entity = logic.getForFields(fields) - Raises: - AccessViolationResponse: if the required authorization is not met - - Returns: - None if the current User has an active role for the given role_logic. - """ - - if not self.user or self.user.link_id != django_args['link_id']: - # not my role - self.deny(django_args) + if entity: + return - fields = {'link_id': django_args['link_id'], - 'scope_path': django_args['scope_path'], - } - - role_entity = role_logic.logic.getFromKeyFieldsOr404(fields) - - if role_entity.status != 'active': - # role is not active - self.deny(django_args) - + raise out_of_band.AccessViolation(message_fmt=DEF_NOT_YOUR_ENTITY_MSG) @allowDeveloper @denySidebar 
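Review bot: checkIsMyEntity drops the `@allowDeveloper` decorator that both checkIsMyNotification and checkIsMyApplication carried, so developers are now denied on other users' notifications and applications; restore the decorator or note the change in the docstring. The docstring is a single line; add `logic: the logic whose getForFields is queried`, `field_name: property that must reference the current user (default 'user')`, and that `link_id` is read from django_args. Unlike the removed checkIsMyNotification, which keyed the lookup on `link_id` and `scope_path`, the new filter uses `link_id` plus the owner field only, which is equivalent only if `link_id` is unique per owner for every logic this is used with — confirm for notifications.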
@@ -967,22 +714,21 @@ try: # check if it is my role the user's own role - self.checkIsMyActiveRole(django_args, role_logic) + self.checkHasRole(django_args, role_logic) except out_of_band.Error: pass # apparently it's not the user's role so check if managing this role is allowed - fields = {'link_id': django_args['link_id'], - 'scope_path': django_args['scope_path'], - } - - role_entity = role_logic.logic.getFromKeyFieldsOr404(fields) + fields = { + 'link_id': django_args['link_id'], + 'scope_path': django_args['scope_path'], + 'status': 'active', + } - if role_entity.status != 'active': - # cannot manage this entity - self.deny(django_args) + role_entity = role_logic.logic.getForFields(fields) - fields = {'link_id': self.user.link_id, + fields = { + 'link_id': self.user.link_id, 'scope_path': django_args['scope_path'], 'status': 'active' } @@ -1011,8 +757,7 @@ if 'continue' in get_args and 'field' in get_args: return - #TODO(SRabbelier) inform user that return_url and field are required - self.deny(django_args) + raise out_of_band.Error(message_fmt=DEF_NEED_PICK_ARGS_MSG) @denySidebar @allowDeveloper 
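Review bot: After `role_entity = role_logic.logic.getForFields(fields)` nothing in the hunk tests whether anything was found: the removed code went through getFromKeyFieldsOr404 and then denied on a non-active status, so unless the remainder of checkIsAllowedToManageRole (outside the hunk) checks `role_entity`, a nonexistent or inactive role now falls through to the manager lookup instead of being rejected; add `if not role_entity: self.deny(django_args)` right after the query. Three lines earlier, `self.checkHasRole(django_args, role_logic)` passes the module whose `.logic` attribute this same hunk uses for the query, and checkHasRole forwards it to checkIsActive, which calls a `getForFields`-style method on it; the resulting AttributeError is not an `out_of_band.Error`, so the surrounding `except` does not swallow it — pass `role_logic.logic` there. The `manage` rights in club_admin.py, club_member.py and host.py all hand this checker modules, so the fix belongs here rather than at the call sites.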
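Review bot: `raise out_of_band.Error(message_fmt=DEF_NEED_PICK_ARGS_MSG)` raises the base class where every other deny path added in this patch raises `out_of_band.AccessViolation`; checkIsAllowedToManageRole uses `except out_of_band.Error` as its "not my role" signal, so raising the specific subclass keeps the two distinguishable — `raise out_of_band.AccessViolation(message_fmt=DEF_NEED_PICK_ARGS_MSG)`.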
@@ -1044,32 +789,6 @@ self.checkMembership('write', document.prefix, document.write_access, django_args) - @allowIfCheckPasses('checkIsHostForProgram') - def checkIsProgramVisible(self, django_args): - """Checks whether a program is visible. - """ - - if 'entity' in django_args: - program = django_args['entity'] - else: - key_fields = program_logic.getKeyFieldsFromFields(django_args) - program = program_logic.getFromKeyFields(key_fields) - - if not program: - self.deny(django_args) - - if program.status == 'visible': - return - - context = django_args.get('context', {}) - context['title'] = 'Access denied' - - message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % { - 'role': ugettext('a Program Administrator')} - - raise out_of_band.AccessViolation(DEF_DEV_LOGOUT_LOGIN_MSG_FMT, - context=context) - def checkCanEditTimeline(self, django_args): """Checks whether this program's timeline may be edited. """ @@ -1083,8 +802,9 @@ split_keyname = time_line_keyname.rsplit('/') - fields = {'scope_path' : split_keyname[0], + fields = { + 'scope_path' : split_keyname[0], 'link_id' : split_keyname[1], } - return self.checkIsHostForProgram(fields) + self.checkIsHostForProgram(fields) diff -r 1d9396d75c13 -r d8c50be19232 app/soc/views/models/club.py --- a/app/soc/views/models/club.py Sun Feb 01 20:41:58 2009 +0000 +++ b/app/soc/views/models/club.py Sun Feb 01 20:44:47 2009 +0000 @@ -29,7 +29,8 @@ from soc.logic import dicts from soc.logic.models import user as user_logic from soc.logic.models import club_app as club_app_logic -from soc.logic.models import club as club_logic +from soc.logic.models import club as club_logic +from soc.logic.models import club_admin as club_admin_logic from soc.logic.models import request as request_logic from soc.views import out_of_band from soc.views.helper import access 
@@ -57,14 +58,17 @@ rights = access.Checker(params) rights['create'] = ['checkIsDeveloper'] - rights['edit'] = ['checkIsClubAdminForClub', ('checkIsGroupActive', club_logic)] + rights['edit'] = [('checkHasRole', club_admin_logic.logic), + ('checkIsActive', club_logic.logic)] rights['delete'] = ['checkIsDeveloper'] rights['home'] = ['allow'] rights['list'] = ['checkIsDeveloper'] - rights['apply_member'] = ['checkIsUser', ('checkIsGroupActive', club_logic)] - rights['list_requests'] = ['checkIsClubAdminForClub'] - rights['list_roles'] = ['checkIsClubAdminForClub'] - rights['applicant'] = [('checkIsApplicationAccepted', club_app_logic)] + rights['apply_member'] = ['checkIsUser', + ('checkIsActive', club_logic.logic)] + rights['list_requests'] = [('checkHasRole', club_admin_logic.logic)] + rights['list_roles'] = [('checkHasRole', club_admin_logic.logic)] + rights['applicant'] = [('checkIsApplicationAccepted', + club_app_logic.logic)] new_params = {} new_params['logic'] = soc.logic.models.club.logic diff -r 1d9396d75c13 -r d8c50be19232 app/soc/views/models/club_admin.py --- a/app/soc/views/models/club_admin.py Sun Feb 01 20:41:58 2009 +0000 +++ b/app/soc/views/models/club_admin.py Sun Feb 01 20:44:47 2009 +0000 @@ -27,6 +27,7 @@ from soc.logic import dicts from soc.logic.models import club as club_logic +from soc.logic.models import club_admin as club_admin_logic from soc.views.helper import access from soc.views.helper import dynaform from soc.views.helper import widgets 
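Review bot: `('checkIsActive', club_logic.logic)` relies on checkIsActive's default `field_name='scope_path'`, which this patch makes mandatory (`self.deny` when the key is absent), whereas the replaced checkIsGroupActive only added `scope_path` when `django_args.get('scope_path')` was set; if the club `edit` and `apply_member` URLs carry only `link_id`, both rights now always deny. Similarly `('checkHasRole', club_admin_logic.logic)` looks the admin up under `django_args['scope_path']`, whereas the removed checkIsClubAdminForClub fell back to `django_args['link_id']` (the club's own link_id) as the admin's scope — confirm which keys the club views pass before relying on the new chain.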
@@ -50,15 +51,15 @@ rights = access.Checker(params) rights['create'] = ['checkIsDeveloper'] - rights['edit'] = [('checkIsMyActiveRole', soc.logic.models.club_admin)] + rights['edit'] = [('checkHasRole', club_admin_logic.logic)] rights['delete'] = ['checkIsDeveloper'] - rights['invite'] = ['checkIsClubAdminForClub'] + rights['invite'] = [('checkHasRole', club_admin_logic.logic)] rights['accept_invite'] = [('checkCanCreateFromRequest', 'club_admin')] - rights['process_request'] = ['checkIsClubAdminForClub', - ('checkCanProcessRequest', 'club_admin')] - rights['manage'] = [ - ('checkIsAllowedToManageRole', [soc.logic.models.club_admin, - soc.logic.models.club_admin])] + rights['process_request'] = [('checkHasRole', club_admin_logic.logic), + ('checkCanProcessRequest', 'club_admin')] + rights['manage'] = [('checkIsAllowedToManageRole', + [soc.logic.models.club_admin, + soc.logic.models.club_admin])] new_params = {} new_params['logic'] = soc.logic.models.club_admin.logic diff -r 1d9396d75c13 -r d8c50be19232 app/soc/views/models/club_app.py --- a/app/soc/views/models/club_app.py Sun Feb 01 20:41:58 2009 +0000 +++ b/app/soc/views/models/club_app.py Sun Feb 01 20:44:47 2009 +0000 @@ -28,6 +28,7 @@ from soc.logic import cleaning from soc.logic import dicts from soc.logic import models as model_logic +from soc.logic.models import host as host_logic from soc.logic.models import club_app as club_app_logic from soc.views.helper import access from soc.views.models import group_app 
@@ -49,11 +50,11 @@ rights = access.Checker(params) rights['create'] = ['checkIsUser'] - rights['delete'] = [('checkIsMyApplication', club_app_logic)] - rights['edit'] = [('checkIsMyApplication', club_app_logic)] + rights['delete'] = [('checkIsMyEntity', [club_app_logic, 'applicant'])] + rights['edit'] = [('checkIsMyEntity', [club_app_logic, 'applicant'])] rights['list'] = ['checkIsUser'] - rights['public'] = [('checkIsMyApplication', club_app_logic)] - rights['review'] = ['checkIsHost'] + rights['public'] = [('checkIsMyEntity', [club_app_logic, 'applicant'])] + rights['review'] = [('checkHasRole', host_logic.logic)] new_params = {} diff -r 1d9396d75c13 -r d8c50be19232 app/soc/views/models/club_member.py --- a/app/soc/views/models/club_member.py Sun Feb 01 20:41:58 2009 +0000 +++ b/app/soc/views/models/club_member.py Sun Feb 01 20:44:47 2009 +0000 @@ -26,6 +26,7 @@ from soc.logic import dicts from soc.logic.models import club as club_logic +from soc.logic.models import club_admin as club_admin_logic from soc.views.helper import access from soc.views.helper import dynaform from soc.views.helper import widgets 
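Review bot: `('checkIsMyEntity', [club_app_logic, 'applicant'])` hands checkIsMyEntity the `soc.logic.models.club_app` module (see the unchanged import in the hunk above), but checkIsMyEntity calls `logic.getForFields(fields)` directly; club.py in this same patch switched its club_app argument to `club_app_logic.logic` for exactly that reason, so `delete`, `edit` and `public` should pass `[club_app_logic.logic, 'applicant']` as well. The `review` right now requires a Host scoped to `django_args['scope_path']`, whereas the replaced checkIsHost accepted a Host in any scope when no `scope_path` was given — confirm the review URL carries a sponsor scope_path.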
@@ -50,17 +51,17 @@ rights = access.Checker(params) rights['create'] = ['checkIsDeveloper'] - rights['edit'] = [('checkIsMyActiveRole',soc.logic.models.club_member)] + rights['edit'] = [('checkHasRole', club_admin_logic.logic)] rights['delete'] = ['checkIsDeveloper'] - rights['invite'] = ['checkIsClubAdminForClub'] + rights['invite'] = [('checkHasRole', club_admin_logic.logic)] rights['accept_invite'] = [('checkCanCreateFromRequest','club_member')] rights['request'] = ['checkIsUser', - ('checkCanMakeRequestToGroup', club_logic)] - rights['process_request'] = ['checkIsClubAdminForClub', - ('checkCanProcessRequest','club_member')] - rights['manage'] = [ - ('checkIsAllowedToManageRole', [soc.logic.models.club_member, - soc.logic.models.club_admin])] + ('checkCanMakeRequestToGroup', club_logic)] + rights['process_request'] = [('checkHasRole', club_admin_logic.logic), + ('checkCanProcessRequest','club_member')] + rights['manage'] = [('checkIsAllowedToManageRole', + [soc.logic.models.club_member, + soc.logic.models.club_admin])] new_params = {} new_params['logic'] = soc.logic.models.club_member.logic diff -r 1d9396d75c13 -r d8c50be19232 app/soc/views/models/host.py --- a/app/soc/views/models/host.py Sun Feb 01 20:41:58 2009 +0000 +++ b/app/soc/views/models/host.py Sun Feb 01 20:44:47 2009 +0000 
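Review bot: `rights['edit']` changes from the member's own active role (`checkIsMyActiveRole` on club_member) to `('checkHasRole', club_admin_logic.logic)`, i.e. a different role than before, whereas the other role views in this patch keep the same role when switching to checkHasRole; if members are meant to lose self-edit and admins to gain edit over every member entity in the scope, the commit message should say so, otherwise `club_member_logic.logic` is the like-for-like replacement (noting that checkHasRole itself no longer ties the entity's link_id to the current user).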
@@ -56,16 +56,15 @@ """ rights = access.Checker(params) - rights['create'] = ['checkIsHost'] - rights['edit'] = [('checkIsMyActiveRole', soc.logic.models.host)] - rights['invite'] = ['checkIsHost'] + rights['create'] = [('checkHasRole', host_logic.logic)] + rights['edit'] = [('checkHasRole', host_logic.logic)] + rights['invite'] = [('checkHasRole', host_logic.logic)] rights['list'] = ['checkIsDeveloper'] rights['accept_invite'] = [('checkCanCreateFromRequest','host')] - rights['process_request'] = ['checkIsHost', - ('checkCanProcessRequest','host')] - rights['manage'] = [ - ('checkIsAllowedToManageRole', [soc.logic.models.host, - soc.logic.models.host])] + rights['process_request'] = [('checkHasRole', host_logic.logic), + ('checkCanProcessRequest','host')] + rights['manage'] = [('checkIsAllowedToManageRole', + [host_logic, host_logic])] new_params = {} new_params['rights'] = rights @@ -83,7 +82,7 @@ new_params['create_extra_dynafields'] = { 'scope_path': forms.CharField(widget=forms.HiddenInput, - required=True), + required=True), 'clean_link_id': cleaning.clean_existing_user('link_id'), 'clean_home_page': cleaning.clean_url('home_page'), 'clean_blog': cleaning.clean_url('blog'), diff -r 1d9396d75c13 -r d8c50be19232 app/soc/views/models/mentor.py --- a/app/soc/views/models/mentor.py Sun Feb 01 20:41:58 2009 +0000 +++ b/app/soc/views/models/mentor.py Sun Feb 01 20:44:47 2009 +0000 @@ -50,7 +50,7 @@ rights = access.Checker(params) rights['create'] = ['checkIsDeveloper'] - rights['edit'] = [('checkIsMyActiveRole', soc.logic.models.mentor)] + rights['edit'] = [('checkHasRole', soc.logic.models.mentor.logic)] rights['delete'] = ['checkIsDeveloper'] # TODO accessCheck checkIsAdministratorForOrg rights['invite'] = ['checkIsDeveloper'] diff -r 1d9396d75c13 -r d8c50be19232 app/soc/views/models/notification.py --- a/app/soc/views/models/notification.py Sun Feb 01 20:41:58 2009 +0000 +++ b/app/soc/views/models/notification.py Sun Feb 01 20:44:47 2009 +0000 
@@ -38,8 +38,8 @@ from soc.views.helper import lists as list_helper from soc.views.helper import redirects from soc.views.models import base -from soc.logic.models import notification as notification_logic -from soc.logic.models import user as user_logic +from soc.logic.models.notification import logic as notification_logic +from soc.logic.models.user import logic as user_logic class CreateForm(helper.forms.BaseForm): @@ -85,14 +85,14 @@ rights = access.Checker(params) rights['unspecified'] = ['deny'] rights['edit'] = ['deny'] - rights['show'] = ['checkIsMyNotification'] - rights['delete'] = ['checkIsMyNotification'] + rights['show'] = [('checkIsMyEntity', notification_logic)] + rights['delete'] = [('checkIsMyEntity', notification_logic)] rights['list'] = ['checkIsUser'] # create is developer only for the time being to test functionality rights['create'] = ['checkIsDeveloper'] new_params = {} - new_params['logic'] = notification_logic.logic + new_params['logic'] = notification_logic new_params['rights'] = rights new_params['name'] = "Notification" @@ -116,7 +116,7 @@ """ # get the current user - user_entity = user_logic.logic.getForCurrentAccount() + user_entity = user_logic.getForCurrentAccount() # only select the notifications for this user so construct a filter filter = { @@ -161,7 +161,7 @@ """ # get the current user - current_user = user_logic.logic.getForCurrentAccount() + current_user = user_logic.getForCurrentAccount() fields['link_id'] = 't%i' % (time.time()) fields['scope'] = fields['to_user'] @@ -189,7 +189,7 @@ # and the notification has not been read yet if entity.unread: # get the current user - user = user_logic.logic.getForCurrentAccount() + user = user_logic.getForCurrentAccount() # if the message is meant for the user that is reading it if entity.scope.key() == user.key(): diff -r 1d9396d75c13 -r d8c50be19232 app/soc/views/models/org_admin.py --- a/app/soc/views/models/org_admin.py Sun Feb 01 20:41:58 2009 +0000 
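Review bot: `('checkIsMyEntity', notification_logic)` relies on checkIsMyEntity's default `field_name='user'`, i.e. a filter of `{'link_id': ..., 'user': self.user}`, but the removed checkIsMyNotification identified the owner through `notification.scope.key() == user.key()` and this file's own code below sets `fields['scope'] = fields['to_user']`; unless Notification also has a `user` property, the owner filter targets a property that does not exist, and whether that yields no match (always deny) or an ignored filter (any user's notification readable by link_id) depends on getForFields. Pass the owner field explicitly: `rights['show'] = [('checkIsMyEntity', [notification_logic, 'scope'])]` and the same for `delete`.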
+++ b/app/soc/views/models/org_admin.py Sun Feb 01 20:44:47 2009 +0000 @@ -26,6 +26,7 @@ from soc.logic import dicts from soc.logic.models import organization as org_logic +from soc.logic.models import org_admin as org_admin_logic from soc.views.helper import access from soc.views.helper import dynaform from soc.views.helper import widgets @@ -49,7 +50,7 @@ rights = access.Checker(params) rights['create'] = ['checkIsDeveloper'] - rights['edit'] = [('checkIsMyActiveRole', soc.logic.models.org_admin)] + rights['edit'] = [('checkHasRole', org_admin_logic.logic)] rights['delete'] = ['checkIsDeveloper'] # TODO accessCheck checkIsAdministratorForOrg rights['invite'] = ['checkIsDeveloper'] diff -r 1d9396d75c13 -r d8c50be19232 app/soc/views/models/program.py --- a/app/soc/views/models/program.py Sun Feb 01 20:41:58 2009 +0000 +++ b/app/soc/views/models/program.py Sun Feb 01 20:44:47 2009 +0000 @@ -27,6 +27,7 @@ from soc.logic import dicts from soc.logic.models import program as program_logic +from soc.logic.models import host as host_logic from soc.views import helper from soc.views import out_of_band from soc.views.helper import access @@ -56,7 +57,7 @@ rights = access.Checker(params) rights['any_access'] = ['allow'] rights['show'] = ['allow'] - rights['create'] = ['checkIsHost'] + rights['create'] = [('checkHasRole', host_logic.logic)] rights['edit'] = ['checkIsHostForProgram'] rights['delete'] = ['checkIsDeveloper'] diff -r 1d9396d75c13 -r d8c50be19232 app/soc/views/models/sponsor.py --- a/app/soc/views/models/sponsor.py Sun Feb 01 20:41:58 2009 +0000 +++ b/app/soc/views/models/sponsor.py Sun Feb 01 20:44:47 2009 +0000 @@ -25,6 +25,7 @@ from soc.logic import dicts +from soc.logic.models.sponsor import logic as sponsor_logic from soc.views.helper import access from soc.views.helper import redirects from soc.views.models import group 
@@ -48,13 +49,13 @@ rights = access.Checker(params) rights['create'] = ['checkIsDeveloper'] - rights['edit'] = ['checkIsHostForSponsor', - ('checkIsGroupActive', soc.logic.models.sponsor)] + rights['edit'] = [('checkHasRole', sponsor_logic), + ('checkIsActive', sponsor_logic)] rights['delete'] = ['checkIsDeveloper'] - rights['home'] = ['checkIsHostForSponsor'] + rights['home'] = [('checkHasRole', sponsor_logic)] rights['list'] = ['checkIsDeveloper'] - rights['list_requests'] = ['checkIsHostForSponsor'] - rights['list_roles'] = ['checkIsHostForSponsor'] + rights['list_requests'] = [('checkHasRole', sponsor_logic)] + rights['list_roles'] = [('checkHasRole', sponsor_logic)] new_params = {} new_params['logic'] = soc.logic.models.sponsor.logic
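Review bot: `('checkHasRole', sponsor_logic)` replaces checkIsHostForSponsor, which queried host_logic for a Host with `user` and `scope_path`, but checkHasRole now runs that `user`/`scope_path`/`status` filter against the Sponsor model itself; a Sponsor presumably has no `user` property, so this looks like it should be a Host lookup (`('checkHasRole', host_logic)` with a host logic import) rather than a Sponsor one. The removed checker also used `django_args.get('scope_path') or django_args['link_id']` as the host's scope, while checkHasRole reads only `scope_path` and denies when it is absent, and for `edit` the added `('checkIsActive', sponsor_logic)` needs `scope_path` as well — confirm the sponsor URLs carry it, given sponsors are the top-level scope.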