Cleaned up access.py
Removed a lot of duplicate code and added more generic checkers in
their place.
Patch by: Sverre Rabbelier
--- a/app/soc/cache/rights.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/cache/rights.py Sun Feb 01 20:44:47 2009 +0000
@@ -26,31 +26,26 @@
RIGHTS = [
- 'checkAccess',
'checkCanCreateFromRequest',
+ 'checkCanEditTimeline',
'checkCanMakeRequestToGroup',
'checkCanProcessRequest',
'checkHasPickGetArgs',
+ 'checkHasRole',
'checkHasUserEntity',
- 'checkHasHostEntity',
'checkIsActive',
+ 'checkIsAllowedToManageRole',
'checkIsApplicationAccepted',
- 'checkIsClubAdminForClub',
'checkIsDeveloper',
'checkIsDocumentReadable',
'checkIsDocumentWritable',
- 'checkIsGroupActive',
- 'checkIsHost',
- 'checkIsHostForSponsor',
+ 'checkIsHostForProgram',
'checkIsLoggedIn',
- 'checkIsMyActiveRole',
- 'checkIsMyApplication',
+ 'checkIsMyEntity',
'checkIsMyGroupAcceptedRequest',
- 'checkIsMyNotification',
- 'checkIsProgramActive',
'checkIsUnusedAccount',
'checkIsUser',
- 'checkIsUserSelf'
+ 'checkIsUserSelf',
'checkNotLoggedIn',
]
--- a/app/soc/views/helper/access.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/helper/access.py Sun Feb 01 20:44:47 2009 +0000
@@ -44,16 +44,19 @@
from soc.logic.models.club_member import logic as club_member_logic
from soc.logic.models.document import logic as document_logic
from soc.logic.models.host import logic as host_logic
+from soc.logic.models.mentor import logic as mentor_logic
from soc.logic.models.notification import logic as notification_logic
+from soc.logic.models.org_admin import logic as org_admin_logic
+from soc.logic.models.program import logic as program_logic
from soc.logic.models.request import logic as request_logic
from soc.logic.models.role import logic as role_logic
from soc.logic.models.site import logic as site_logic
-from soc.logic.models.program import logic as program_logic
+#from soc.logic.models.student import logic as student_logic
from soc.logic.models.timeline import logic as timeline_logic
from soc.logic.models.user import logic as user_logic
+from soc.views.helper import redirects
from soc.views import helper
from soc.views import out_of_band
-from soc.views.helper import redirects
DEF_NO_USER_LOGIN_MSG= ugettext(
@@ -74,6 +77,27 @@
'You need to be in the %(status)s group to %(action)s'
' documents in the %(prefix)s prefix.')
+DEF_NEED_ROLE_MSG = ugettext(
+ 'You do not have the required role.')
+
+DEF_NOT_YOUR_ENTITY_MSG = ugettext(
+ 'This entity does not belong to you.')
+
+DEF_NO_ACTIVE_GROUP_MSG = ugettext(
+ 'There is no such active group.')
+
+DEF_NO_REQUEST_MSG = ugettext(
+ 'There is no accepted request that would allow you to visit this page.')
+
+DEF_NEED_PICK_ARGS_MSG = ugettext(
+ 'The "continue" and "field" args are not both present.')
+
+DEF_REQUEST_COMPLETED_MSG = ugettext(
+ 'This request cannot be accepted (it is either completed or denied).')
+
+DEF_SCOPE_INACTIVE_MSG = ugettext(
+ 'The scope for this request is not active.')
+
DEF_PAGE_DENIED_MSG = ugettext(
'Access to this page has been restricted')
@@ -142,14 +166,14 @@
MEMBERSHIP = {
'anyone': 'allow',
- 'club_admin': 'checkIsClubAdminForScope',
- 'club_member': 'checkIsClubMemberForScope',
- 'host': 'checkHasHostEntity',
- 'org_admin': 'deny',
- 'org_mentor': 'deny',
- 'org_student': 'deny',
+ 'club_admin': ('checkHasRole', club_admin_logic),
+ 'club_member': ('checkHasRole', club_member_logic),
+ 'host': ('checkHasRole', host_logic),
+ 'org_admin': ('checkHasRole', org_admin_logic),
+ 'org_mentor': ('checkHasRole', mentor_logic),
+ 'org_student': 'deny', #('checkHasRole', student_logic),
'user': 'checkIsUser',
- 'user_self': 'checkIsUserSelf',
+ 'user_self': ('checkIsUserSelf', 'scope_path'),
}
def __init__(self, params):
@@ -410,17 +434,17 @@
raise out_of_band.LoginRequest(message_fmt=login_msg_fmt)
@allowDeveloper
- def checkIsUserSelf(self, django_args):
+ def checkIsUserSelf(self, django_args, field_name):
"""Checks whether the specified user is the logged in user.
Args:
django_args: the keyword args from django, only scope_path is used
"""
- if not 'scope_path' in django_args:
+ if not field_name in django_args:
self.deny(django_args)
- if self.user.link_id == django_args['scope_path']:
+ if self.user.link_id == django_args[field_name]:
return
raise out_of_band.AccessViolation()
@@ -447,7 +471,6 @@
'email' : self.id.email()}
raise out_of_band.LoginRequest(message_fmt=message_fmt)
-
def checkHasUserEntity(self, django_args):
"""Raises an alternate HTTP response if Google Account has no User entity.
@@ -467,7 +490,6 @@
return
-
def checkIsDeveloper(self, django_args):
"""Raises an alternate HTTP response if Google Account is not a Developer.
@@ -483,7 +505,7 @@
self.checkIsUser(django_args)
- if accounts.isDeveloper(account=self.id):
+ if accounts.isDeveloper(account=self.id, user=self.user):
return
login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
@@ -493,7 +515,8 @@
@allowDeveloper
@denySidebar
- def checkIsGroupActive(self, django_args, group_logic):
+ def checkIsActive(self, django_args, logic,
+ field_name='scope_path', filter_field='link_id'):
"""Raises an alternate HTTP response if Group status is not active.
Args:
@@ -505,19 +528,32 @@
* if the Group status is not active
"""
- fields = {'link_id': django_args['link_id']}
+ self.checkIsUser(django_args)
+
+ if field_name and (field_name not in django_args):
+ self.deny(django_args)
- if django_args.get('scope_path'):
- fields['scope_path'] = django_args['scope_path']
+ fields = {
+ filter_field: django_args[filter_field],
+ 'status': active,
+ }
- group_entity = group_logic.logic.getFromKeyFieldsOr404(fields)
+ if field_name:
+ fields['scope_path'] = django_args[field_name]
- if group_entity.status == 'active':
+ entity = logic.geForFields(fields)
+
+ if entity:
return
- # TODO tell the user that this group is not active
- self.deny(django_args)
+ raise out_of_band.AccessViolation(message_fmt=DEF_NO_ACTIVE_GROUP_MSG)
+ def checkHasRole(self, django_args, logic):
+ """Checks that the user has the specified role.
+ """
+
+ django_args['user'] = self.user
+ self.checkIsActive(django_args, logic, 'scope_path', 'user')
def checkCanMakeRequestToGroup(self, django_args, group_logic):
"""Raises an alternate HTTP response if the specified group is not in an
@@ -537,7 +573,7 @@
if group_entity.status != 'active':
# TODO tell the user that this group is not active
- self.deny(django_args)
+ raise out_of_band.AccessViolation(message_fmt=DEF_NO_ACTIVE_GROUP_MSG)
return
@@ -547,28 +583,27 @@
is from is in an inactive or invalid status access will be denied.
"""
- self.checkIsUser(django_args)
-
- user_entity = user_logic.getForCurrentAccount()
+ self.checkIsUserSelf(django_args, 'link_id')
- if user_entity.link_id != django_args['link_id']:
- self.deny(django_args)
+ fields = {
+ 'link_id': django_args['link_id'],
+ 'scope_path': django_args['scope_path'],
+ 'role': role_name,
+ 'status': 'group_accepted',
+ }
- fields = {'link_id': django_args['link_id'],
- 'scope_path': django_args['scope_path'],
- 'role': role_name}
+ entity = request_logic.getFromFields(fields)
- request_entity = request_logic.getFromKeyFieldsOr404(fields)
+ if entity and (entity.scope.status not in ['invalid', 'inactive']):
+ return
- if request_entity.status != 'group_accepted':
- # TODO tell the user that this request has not been accepted yet
- self.deny(django_args)
+ raise out_of_band.AccessViolation(message_fmt=DEF_CANNOT_CREATE_MSG)
- if request_entity.scope.status in ['invalid', 'inactive']:
- # TODO tell the user that it is not possible to create this role anymore
- self.deny(django_args)
+ def checkIsMyGroupAcceptedRequest(self, django_args):
+ """Checks whether the user can accept the specified request.
+ """
- return
+ self.checkCanCreateFromRequest(django_args, django_args['role'])
def checkCanProcessRequest(self, django_args, role_name):
"""Raises an alternate HTTP response if the specified request does not exist
@@ -576,96 +611,21 @@
whenever the group in the request is not active.
"""
- fields = {'link_id': django_args['link_id'],
+ fields = {
+ 'link_id': django_args['link_id'],
'scope_path': django_args['scope_path'],
- 'role': role_name}
+ 'role': role_name,
+ }
request_entity = request_logic.getFromKeyFieldsOr404(fields)
if request_entity.status in ['completed', 'denied']:
- # TODO tell the user that this request has been processed
- self.deny(django_args)
-
- if request_entity.scope.status != 'active':
- # TODO tell the user that this group cannot process requests
- self.deny(django_args)
-
- return
-
- def checkIsMyGroupAcceptedRequest(self, django_args):
- """Raises an alternate HTTP response if the specified request does not exist
- or if it's status is not group_accepted.
- """
-
- self.checkIsUser(django_args)
-
- user_entity = user_logic.getForCurrentAccount()
-
- if user_entity.link_id != django_args['link_id']:
- # not the current user's request
- self.deny(django_args)
-
- fields = {'link_id': django_args['link_id'],
- 'scope_path': django_args['scope_path'],
- 'role': django_args['role']}
-
- request_entity = request_logic.getForFields(fields, unique=True)
-
- if not request_entity:
- # TODO return 404
- self.deny(django_args)
-
- if request_entity.status != 'group_accepted':
- self.deny(django_args)
+ raise out_of_band.AccessViolation(message_fmt=DEF_REQUEST_COMPLETED_MSG)
- return
-
- @allowDeveloper
- @denySidebar
- def checkIsHost(self, django_args):
- """Raises an alternate HTTP response if Google Account has no Host entity.
-
- Args:
- request: a Django HTTP request
-
- Raises:
- AccessViolationResponse:
- * if User is not already a Host, or
- * if User has not agreed to the site-wide ToS, or
- * if no User exists for the logged-in Google Account, or
- * if the user is not even logged in
- """
-
- self.checkIsUser(django_args)
-
- scope_path = None
-
- if 'scope_path' in django_args:
- scope_path = django_args['scope_path']
- if 'link_id' in django_args:
- scope_path = django_args['link_id']
-
- fields = {'user': self.user,
- 'status': 'active'}
-
- if scope_path:
- fields['scope_path'] = scope_path
-
- host = host_logic.getForFields(fields, unique=True)
-
- if host:
+ if request_entity.scope.status == 'active':
return
- login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
- 'role': 'a Program Administrator '}
-
- raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-
- def checkHasHostEntity(self, django_args):
- """Checks whether the current user has a Host entity.
- """
-
- self.checkIsHost({})
+ raise out_of_band.AccessViolation(message_fmt=DEF_SCOPE_INACTIVE_MSG)
@denySidebar
@allowDeveloper
@@ -680,145 +640,7 @@
self.deny(django_args)
new_args = {'scope_path': program.scope_path }
- self.checkIsHost(new_args)
-
- @allowDeveloper
- def checkIsHostForSponsor(self, django_args):
- """Raises an alternate HTTP response if Google Account has no Host entity
- for the specified Sponsor.
-
- Args:
- request: a Django HTTP request
-
- Raises:
- AccessViolationResponse:
- * if User is not already a Host for the specified program, or
- * if User has not agreed to the site-wide ToS, or
- * if no User exists for the logged-in Google Account, or
- * if the user is not even logged in
- """
-
- self.checkIsUser(django_args)
-
- user = user_logic.getForCurrentAccount()
-
- if django_args.get('scope_path'):
- scope_path = django_args['scope_path']
- else:
- scope_path = django_args['link_id']
-
- fields = {'user': user,
- 'scope_path': scope_path,
- 'status': 'active'}
-
- host = host_logic.getForFields(fields, unique=True)
-
- if host:
- return
-
- login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
- 'role': 'a Program Administrator '}
-
- raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-
- @allowDeveloper
- def checkIsClubAdminForClub(self, django_args):
- """Returns an alternate HTTP response if Google Account has no Club Admin
- entity for the specified club.
-
- Args:
- django_args: a dictionary with django's arguments
-
- Raises:
- AccessViolationResponse: if the required authorization is not met
-
- Returns:
- None if Club Admin exists for the specified club, or a subclass of
- django.http.HttpResponse which contains the alternate response
- should be returned by the calling view.
- """
-
- self.checkIsUser(django_args)
-
- user = user_logic.getForCurrentAccount()
-
- if django_args.get('scope_path'):
- scope_path = django_args['scope_path']
- else:
- scope_path = django_args['link_id']
-
- fields = {'user': user,
- 'scope_path': scope_path,
- 'status': 'active'}
-
- club_admin_entity = club_admin_logic.getForFields(fields, unique=True)
-
- if club_admin_entity:
- return
-
- login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
- 'role': 'a Club Admin for this Club'}
-
- raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-
- @allowDeveloper
- @allowIfCheckPasses('checkIsClubAdminForClub')
- def checkIsClubMemberForClub(self, django_args):
- """Returns an alternate HTTP response if Google Account has no Club Member
- entity for the specified club.
-
- Args:
- django_args: a dictionary with django's arguments
-
- Raises:
- AccessViolationResponse: if the required authorization is not met
-
- Returns:
- None if Club Member exists for the specified club, or a subclass of
- django.http.HttpResponse which contains the alternate response
- should be returned by the calling view.
- """
-
- self.checkIsUser(django_args)
-
- if django_args.get('scope_path'):
- scope_path = django_args['scope_path']
- else:
- scope_path = django_args['link_id']
-
- fields = {'user': self.user,
- 'scope_path': scope_path,
- 'status': 'active'}
-
- club_member_entity = club_member_logic.getForFields(fields, unique=True)
-
- if club_member_entity:
- return
-
- login_message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
- 'role': 'a Club Member for this Club'}
-
- raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-
- def checkIsClubAdminForScope(self, django_args):
- """Checks whether the current user is a Club Mdmin.
-
- Args:
- django_args: the keyword arguments from django, only scope_path is used
- """
-
- scope_path = django_args['scope_path']
- self.checkIsClubAdminForClub({'link_id': scope_path})
-
- def checkIsClubMemberForScope(self, django_args):
- """Checks whether the current user is a Club Mdmin.
-
- Args:
- django_args: the keyword arguments from django, only scope_path is used
- """
-
- scope_path = django_args['scope_path']
- self.checkIsClubMemberForClub({'link_id': scope_path})
+ self.checkHasRole(new_args, host_logic)
@allowDeveloper
def checkIsApplicationAccepted(self, django_args, app_logic):
@@ -839,14 +661,12 @@
self.checkIsUser(django_args)
- user = user_logic.getForCurrentAccount()
-
properties = {
- 'applicant': user,
+ 'applicant': self.user,
'status': 'accepted'
}
- application = app_logic.logic.getForFields(properties, unique=True)
+ application = app_logic.getForFields(properties, unique=True)
if application:
return
@@ -854,96 +674,23 @@
# TODO(srabbelier) Make this give a proper error message
self.deny(django_args)
- @allowDeveloper
- def checkIsMyNotification(self, django_args):
- """Returns an alternate HTTP response if this request is for
- a Notification belonging to the current user.
-
- Args:
- django_args: a dictionary with django's arguments
-
- Raises:
- AccessViolationResponse: if the required authorization is not met
-
- Returns:
- None if the current User is allowed to access this Notification.
+ def checkIsMyEntity(self, django_args, logic, field_name='user'):
+ """Checks whether the entity belongs to the user.
"""
self.checkIsUser(django_args)
- properties = dicts.filter(django_args, ['link_id', 'scope_path'])
-
- notification = notification_logic.getForFields(properties, unique=True)
- user = user_logic.getForCurrentAccount()
-
- # We need to check to see if the key's are equal since the User
- # objects are different and the default __eq__ method does not check
- # if the keys are equal (which is what we want).
- if user.key() == notification.scope.key():
- return None
-
- # TODO(ljvderijk) Make this give a proper error message
- self.deny(django_args)
-
- @allowDeveloper
- def checkIsMyApplication(self, django_args, app_logic):
- """Returns an alternate HTTP response if this request is for
- a Application belonging to the current user.
-
- Args:
- request: a Django HTTP request
-
- Raises:
- AccessViolationResponse: if the required authorization is not met
-
- Returns:
- None if the current User is allowed to access this Application.
- """
-
- self.checkIsUser(django_args)
-
- properties = dicts.filter(django_args, ['link_id'])
-
- application = app_logic.logic.getForFields(properties, unique=True)
+ fields = {
+ 'link_id': django_args['link_id'],
+ field_name: self.user,
+ }
- if not application:
- self.deny(django_args)
-
- # We need to check to see if the key's are equal since the User
- # objects are different and the default __eq__ method does not check
- # if the keys are equal (which is what we want).
- if self.user.key() == application.applicant.key():
- return None
-
- # TODO(srabbelier) Make this give a proper error message
- self.deny(django_args)
-
- @allowDeveloper
- def checkIsMyActiveRole(self, django_args, role_logic):
- """Returns an alternate HTTP response if there is no active role found for
- the current user using the given role_logic.
+ entity = logic.getForFields(fields)
- Raises:
- AccessViolationResponse: if the required authorization is not met
-
- Returns:
- None if the current User has an active role for the given role_logic.
- """
-
- if not self.user or self.user.link_id != django_args['link_id']:
- # not my role
- self.deny(django_args)
+ if entity:
+ return
- fields = {'link_id': django_args['link_id'],
- 'scope_path': django_args['scope_path'],
- }
-
- role_entity = role_logic.logic.getFromKeyFieldsOr404(fields)
-
- if role_entity.status != 'active':
- # role is not active
- self.deny(django_args)
-
+ raise out_of_band.AccessViolation(message_fmt=DEF_NOT_YOUR_ENTITY_MSG)
@allowDeveloper
@denySidebar
@@ -967,22 +714,21 @@
try:
# check if it is my role the user's own role
- self.checkIsMyActiveRole(django_args, role_logic)
+ self.checkHasRole(django_args, role_logic)
except out_of_band.Error:
pass
# apparently it's not the user's role so check if managing this role is allowed
- fields = {'link_id': django_args['link_id'],
- 'scope_path': django_args['scope_path'],
- }
-
- role_entity = role_logic.logic.getFromKeyFieldsOr404(fields)
+ fields = {
+ 'link_id': django_args['link_id'],
+ 'scope_path': django_args['scope_path'],
+ 'status': 'active',
+ }
- if role_entity.status != 'active':
- # cannot manage this entity
- self.deny(django_args)
+ role_entity = role_logic.logic.getForFields(fields)
- fields = {'link_id': self.user.link_id,
+ fields = {
+ 'link_id': self.user.link_id,
'scope_path': django_args['scope_path'],
'status': 'active'
}
@@ -1011,8 +757,7 @@
if 'continue' in get_args and 'field' in get_args:
return
- #TODO(SRabbelier) inform user that return_url and field are required
- self.deny(django_args)
+ raise out_of_band.Error(message_fmt=DEF_NEED_PICK_ARGS_MSG)
@denySidebar
@allowDeveloper
@@ -1044,32 +789,6 @@
self.checkMembership('write', document.prefix,
document.write_access, django_args)
- @allowIfCheckPasses('checkIsHostForProgram')
- def checkIsProgramVisible(self, django_args):
- """Checks whether a program is visible.
- """
-
- if 'entity' in django_args:
- program = django_args['entity']
- else:
- key_fields = program_logic.getKeyFieldsFromFields(django_args)
- program = program_logic.getFromKeyFields(key_fields)
-
- if not program:
- self.deny(django_args)
-
- if program.status == 'visible':
- return
-
- context = django_args.get('context', {})
- context['title'] = 'Access denied'
-
- message_fmt = DEF_DEV_LOGOUT_LOGIN_MSG_FMT % {
- 'role': ugettext('a Program Administrator')}
-
- raise out_of_band.AccessViolation(DEF_DEV_LOGOUT_LOGIN_MSG_FMT,
- context=context)
-
def checkCanEditTimeline(self, django_args):
"""Checks whether this program's timeline may be edited.
"""
@@ -1083,8 +802,9 @@
split_keyname = time_line_keyname.rsplit('/')
- fields = {'scope_path' : split_keyname[0],
+ fields = {
+ 'scope_path' : split_keyname[0],
'link_id' : split_keyname[1],
}
- return self.checkIsHostForProgram(fields)
+ self.checkIsHostForProgram(fields)
--- a/app/soc/views/models/club.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/models/club.py Sun Feb 01 20:44:47 2009 +0000
@@ -29,7 +29,8 @@
from soc.logic import dicts
from soc.logic.models import user as user_logic
from soc.logic.models import club_app as club_app_logic
-from soc.logic.models import club as club_logic
+from soc.logic.models import club as club_logic
+from soc.logic.models import club_admin as club_admin_logic
from soc.logic.models import request as request_logic
from soc.views import out_of_band
from soc.views.helper import access
@@ -57,14 +58,17 @@
rights = access.Checker(params)
rights['create'] = ['checkIsDeveloper']
- rights['edit'] = ['checkIsClubAdminForClub', ('checkIsGroupActive', club_logic)]
+ rights['edit'] = [('checkHasRole', club_admin_logic.logic),
+ ('checkIsActive', club_logic.logic)]
rights['delete'] = ['checkIsDeveloper']
rights['home'] = ['allow']
rights['list'] = ['checkIsDeveloper']
- rights['apply_member'] = ['checkIsUser', ('checkIsGroupActive', club_logic)]
- rights['list_requests'] = ['checkIsClubAdminForClub']
- rights['list_roles'] = ['checkIsClubAdminForClub']
- rights['applicant'] = [('checkIsApplicationAccepted', club_app_logic)]
+ rights['apply_member'] = ['checkIsUser',
+ ('checkIsActive', club_logic.logic)]
+ rights['list_requests'] = [('checkHasRole', club_admin_logic.logic)]
+ rights['list_roles'] = [('checkHasRole', club_admin_logic.logic)]
+ rights['applicant'] = [('checkIsApplicationAccepted',
+ club_app_logic.logic)]
new_params = {}
new_params['logic'] = soc.logic.models.club.logic
--- a/app/soc/views/models/club_admin.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/models/club_admin.py Sun Feb 01 20:44:47 2009 +0000
@@ -27,6 +27,7 @@
from soc.logic import dicts
from soc.logic.models import club as club_logic
+from soc.logic.models import club_admin as club_admin_logic
from soc.views.helper import access
from soc.views.helper import dynaform
from soc.views.helper import widgets
@@ -50,15 +51,15 @@
rights = access.Checker(params)
rights['create'] = ['checkIsDeveloper']
- rights['edit'] = [('checkIsMyActiveRole', soc.logic.models.club_admin)]
+ rights['edit'] = [('checkHasRole', club_admin_logic.logic)]
rights['delete'] = ['checkIsDeveloper']
- rights['invite'] = ['checkIsClubAdminForClub']
+ rights['invite'] = [('checkHasRole', club_admin_logic.logic)]
rights['accept_invite'] = [('checkCanCreateFromRequest', 'club_admin')]
- rights['process_request'] = ['checkIsClubAdminForClub',
- ('checkCanProcessRequest', 'club_admin')]
- rights['manage'] = [
- ('checkIsAllowedToManageRole', [soc.logic.models.club_admin,
- soc.logic.models.club_admin])]
+ rights['process_request'] = [('checkHasRole', club_admin_logic.logic),
+ ('checkCanProcessRequest', 'club_admin')]
+ rights['manage'] = [('checkIsAllowedToManageRole',
+ [soc.logic.models.club_admin,
+ soc.logic.models.club_admin])]
new_params = {}
new_params['logic'] = soc.logic.models.club_admin.logic
--- a/app/soc/views/models/club_app.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/models/club_app.py Sun Feb 01 20:44:47 2009 +0000
@@ -28,6 +28,7 @@
from soc.logic import cleaning
from soc.logic import dicts
from soc.logic import models as model_logic
+from soc.logic.models import host as host_logic
from soc.logic.models import club_app as club_app_logic
from soc.views.helper import access
from soc.views.models import group_app
@@ -49,11 +50,11 @@
rights = access.Checker(params)
rights['create'] = ['checkIsUser']
- rights['delete'] = [('checkIsMyApplication', club_app_logic)]
- rights['edit'] = [('checkIsMyApplication', club_app_logic)]
+ rights['delete'] = [('checkIsMyEntity', [club_app_logic, 'applicant'])]
+ rights['edit'] = [('checkIsMyEntity', [club_app_logic, 'applicant'])]
rights['list'] = ['checkIsUser']
- rights['public'] = [('checkIsMyApplication', club_app_logic)]
- rights['review'] = ['checkIsHost']
+ rights['public'] = [('checkIsMyEntity', [club_app_logic, 'applicant'])]
+ rights['review'] = [('checkHasRole', host_logic.logic)]
new_params = {}
--- a/app/soc/views/models/club_member.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/models/club_member.py Sun Feb 01 20:44:47 2009 +0000
@@ -26,6 +26,7 @@
from soc.logic import dicts
from soc.logic.models import club as club_logic
+from soc.logic.models import club_admin as club_admin_logic
from soc.views.helper import access
from soc.views.helper import dynaform
from soc.views.helper import widgets
@@ -50,17 +51,17 @@
rights = access.Checker(params)
rights['create'] = ['checkIsDeveloper']
- rights['edit'] = [('checkIsMyActiveRole',soc.logic.models.club_member)]
+ rights['edit'] = [('checkHasRole', club_admin_logic.logic)]
rights['delete'] = ['checkIsDeveloper']
- rights['invite'] = ['checkIsClubAdminForClub']
+ rights['invite'] = [('checkHasRole', club_admin_logic.logic)]
rights['accept_invite'] = [('checkCanCreateFromRequest','club_member')]
rights['request'] = ['checkIsUser',
- ('checkCanMakeRequestToGroup', club_logic)]
- rights['process_request'] = ['checkIsClubAdminForClub',
- ('checkCanProcessRequest','club_member')]
- rights['manage'] = [
- ('checkIsAllowedToManageRole', [soc.logic.models.club_member,
- soc.logic.models.club_admin])]
+ ('checkCanMakeRequestToGroup', club_logic)]
+ rights['process_request'] = [('checkHasRole', club_admin_logic.logic),
+ ('checkCanProcessRequest','club_member')]
+ rights['manage'] = [('checkIsAllowedToManageRole',
+ [soc.logic.models.club_member,
+ soc.logic.models.club_admin])]
new_params = {}
new_params['logic'] = soc.logic.models.club_member.logic
--- a/app/soc/views/models/host.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/models/host.py Sun Feb 01 20:44:47 2009 +0000
@@ -56,16 +56,15 @@
"""
rights = access.Checker(params)
- rights['create'] = ['checkIsHost']
- rights['edit'] = [('checkIsMyActiveRole', soc.logic.models.host)]
- rights['invite'] = ['checkIsHost']
+ rights['create'] = [('checkHasRole', host_logic.logic)]
+ rights['edit'] = [('checkHasRole', host_logic.logic)]
+ rights['invite'] = [('checkHasRole', host_logic.logic)]
rights['list'] = ['checkIsDeveloper']
rights['accept_invite'] = [('checkCanCreateFromRequest','host')]
- rights['process_request'] = ['checkIsHost',
- ('checkCanProcessRequest','host')]
- rights['manage'] = [
- ('checkIsAllowedToManageRole', [soc.logic.models.host,
- soc.logic.models.host])]
+ rights['process_request'] = [('checkHasRole', host_logic.logic),
+ ('checkCanProcessRequest','host')]
+ rights['manage'] = [('checkIsAllowedToManageRole',
+ [host_logic, host_logic])]
new_params = {}
new_params['rights'] = rights
@@ -83,7 +82,7 @@
new_params['create_extra_dynafields'] = {
'scope_path': forms.CharField(widget=forms.HiddenInput,
- required=True),
+ required=True),
'clean_link_id': cleaning.clean_existing_user('link_id'),
'clean_home_page': cleaning.clean_url('home_page'),
'clean_blog': cleaning.clean_url('blog'),
--- a/app/soc/views/models/mentor.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/models/mentor.py Sun Feb 01 20:44:47 2009 +0000
@@ -50,7 +50,7 @@
rights = access.Checker(params)
rights['create'] = ['checkIsDeveloper']
- rights['edit'] = [('checkIsMyActiveRole', soc.logic.models.mentor)]
+ rights['edit'] = [('checkHasRole', soc.logic.models.mentor.logic)]
rights['delete'] = ['checkIsDeveloper']
# TODO accessCheck checkIsAdministratorForOrg
rights['invite'] = ['checkIsDeveloper']
--- a/app/soc/views/models/notification.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/models/notification.py Sun Feb 01 20:44:47 2009 +0000
@@ -38,8 +38,8 @@
from soc.views.helper import lists as list_helper
from soc.views.helper import redirects
from soc.views.models import base
-from soc.logic.models import notification as notification_logic
-from soc.logic.models import user as user_logic
+from soc.logic.models.notification import logic as notification_logic
+from soc.logic.models.user import logic as user_logic
class CreateForm(helper.forms.BaseForm):
@@ -85,14 +85,14 @@
rights = access.Checker(params)
rights['unspecified'] = ['deny']
rights['edit'] = ['deny']
- rights['show'] = ['checkIsMyNotification']
- rights['delete'] = ['checkIsMyNotification']
+ rights['show'] = [('checkIsMyEntity', notification_logic)]
+ rights['delete'] = [('checkIsMyEntity', notification_logic)]
rights['list'] = ['checkIsUser']
# create is developer only for the time being to test functionality
rights['create'] = ['checkIsDeveloper']
new_params = {}
- new_params['logic'] = notification_logic.logic
+ new_params['logic'] = notification_logic
new_params['rights'] = rights
new_params['name'] = "Notification"
@@ -116,7 +116,7 @@
"""
# get the current user
- user_entity = user_logic.logic.getForCurrentAccount()
+ user_entity = user_logic.getForCurrentAccount()
# only select the notifications for this user so construct a filter
filter = {
@@ -161,7 +161,7 @@
"""
# get the current user
- current_user = user_logic.logic.getForCurrentAccount()
+ current_user = user_logic.getForCurrentAccount()
fields['link_id'] = 't%i' % (time.time())
fields['scope'] = fields['to_user']
@@ -189,7 +189,7 @@
# and the notification has not been read yet
if entity.unread:
# get the current user
- user = user_logic.logic.getForCurrentAccount()
+ user = user_logic.getForCurrentAccount()
# if the message is meant for the user that is reading it
if entity.scope.key() == user.key():
--- a/app/soc/views/models/org_admin.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/models/org_admin.py Sun Feb 01 20:44:47 2009 +0000
@@ -26,6 +26,7 @@
from soc.logic import dicts
from soc.logic.models import organization as org_logic
+from soc.logic.models import org_admin as org_admin_logic
from soc.views.helper import access
from soc.views.helper import dynaform
from soc.views.helper import widgets
@@ -49,7 +50,7 @@
rights = access.Checker(params)
rights['create'] = ['checkIsDeveloper']
- rights['edit'] = [('checkIsMyActiveRole', soc.logic.models.org_admin)]
+ rights['edit'] = [('checkHasRole', org_admin_logic.logic)]
rights['delete'] = ['checkIsDeveloper']
# TODO accessCheck checkIsAdministratorForOrg
rights['invite'] = ['checkIsDeveloper']
--- a/app/soc/views/models/program.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/models/program.py Sun Feb 01 20:44:47 2009 +0000
@@ -27,6 +27,7 @@
from soc.logic import dicts
from soc.logic.models import program as program_logic
+from soc.logic.models import host as host_logic
from soc.views import helper
from soc.views import out_of_band
from soc.views.helper import access
@@ -56,7 +57,7 @@
rights = access.Checker(params)
rights['any_access'] = ['allow']
rights['show'] = ['allow']
- rights['create'] = ['checkIsHost']
+ rights['create'] = [('checkHasRole', host_logic.logic)]
rights['edit'] = ['checkIsHostForProgram']
rights['delete'] = ['checkIsDeveloper']
--- a/app/soc/views/models/sponsor.py Sun Feb 01 20:41:58 2009 +0000
+++ b/app/soc/views/models/sponsor.py Sun Feb 01 20:44:47 2009 +0000
@@ -25,6 +25,7 @@
from soc.logic import dicts
+from soc.logic.models.sponsor import logic as sponsor_logic
from soc.views.helper import access
from soc.views.helper import redirects
from soc.views.models import group
@@ -48,13 +49,13 @@
rights = access.Checker(params)
rights['create'] = ['checkIsDeveloper']
- rights['edit'] = ['checkIsHostForSponsor',
- ('checkIsGroupActive', soc.logic.models.sponsor)]
+ rights['edit'] = [('checkHasRole', sponsor_logic),
+ ('checkIsActive', sponsor_logic)]
rights['delete'] = ['checkIsDeveloper']
- rights['home'] = ['checkIsHostForSponsor']
+ rights['home'] = [('checkHasRole', sponsor_logic)]
rights['list'] = ['checkIsDeveloper']
- rights['list_requests'] = ['checkIsHostForSponsor']
- rights['list_roles'] = ['checkIsHostForSponsor']
+ rights['list_requests'] = [('checkHasRole', sponsor_logic)]
+ rights['list_roles'] = [('checkHasRole', sponsor_logic)]
new_params = {}
new_params['logic'] = soc.logic.models.sponsor.logic