Diffstat (limited to 'ishtar_common/utils.py')
-rw-r--r-- | ishtar_common/utils.py | 106 |
1 files changed, 64 insertions, 42 deletions
diff --git a/ishtar_common/utils.py b/ishtar_common/utils.py
index 09e83714b..8de745874 100644
--- a/ishtar_common/utils.py
+++ b/ishtar_common/utils.py
@@ -21,8 +21,9 @@ from csv import QUOTE_ALL import datetime import feedparser from functools import wraps +from guardian.exceptions import WrongAppError from itertools import chain -from inspect import currentframe, getframeinfo +from inspect import currentframe import json import logging import hashlib
@@ -225,24 +226,25 @@ def import_class(full_path_classname): return model -def check_rights(rights=None, redirect_url="/"): +def check_permissions(permissions=None, redirect_url="/"): """ Decorator that checks the rights to access the view. """ def decorator(view_func): def _wrapped_view(request, *args, **kwargs): - if not rights: + if not permissions: return view_func(request, *args, **kwargs) if hasattr(request.user, "ishtaruser"): - if request.user.ishtaruser.has_right("administrator", request.session): + ishtaruser = request.user.ishtaruser + if ishtaruser.has_permission("ishtaradmin"): kwargs["current_right"] = "administrator" return view_func(request, *args, **kwargs) - for right in rights: + for permission in permissions: # be careful to put the more permissive rights first # if granted it can allow more - if request.user.ishtaruser.has_right(right, request.session): - kwargs["current_right"] = right + if ishtaruser.has_permission(permission): + kwargs["current_right"] = permission return view_func(request, *args, **kwargs) put_session_message( request.session.session_key, 
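Review bot: `kwargs["current_right"]` in `_wrapped_view` now carries two different vocabularies: the literal `"administrator"` on the `ishtaradmin` branch and an app-qualified string of the form `"app_label.codename"` on the loop branch, while the docstring still only says the decorator "checks the rights". Any view that compares `current_right` with the old bare codenames would stop matching without raising; those views are not visible in this diff, so that should be confirmed. I would extend the docstring with a line such as `permissions: iterable of "app_label.codename" strings, most permissive first; the granted one is passed to the view as current_right ("administrator" for ishtaradmin)`. The body of `check_permissions` continues past the end of this hunk.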
@@ -256,17 +258,18 @@ def check_rights(rights=None, redirect_url="/"): return decorator -def check_rights_condition(rights): +def check_permissions_condition(permissions): """ To be used to check in wizard condition_dict """ def func(self): request = self.request - if request.user.ishtaruser.has_right("administrator", request.session): + ishtaruser = request.user.ishtaruser + if ishtaruser.has_permission("ishtaradmin"): return True - for right in rights: - if request.user.ishtaruser.has_right(right, request.session): + for permission in permissions: + if ishtaruser.has_permission(permission): return True return False
@@ -297,7 +300,7 @@ def check_model_access_control(request, model, available_perms=None): ishtaruser = request.user.ishtaruser except request.user._meta.model.ishtaruser.RelatedObjectDoesNotExist: return False, True - if ishtaruser.has_right("administrator", session=request.session): + if ishtaruser.has_permission("ishtaradmin"): allowed = True own = False return allowed, own
@@ -305,10 +308,10 @@ def check_model_access_control(request, model, available_perms=None): content_type__app_label=model._meta.app_label, content_type__model=model._meta.model_name ) - for perm in q.values_list("codename", flat=True): + for app_name, perm in q.values_list("content_type__app_label", "codename"): if perm not in available_perms: continue - if ishtaruser.person.has_right(perm, session=request.session): + if ishtaruser.has_permission(f"{app_name}.{perm}"): allowed = True if "_own_" not in perm: own = False 
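Review bot: In the `@@ -256` hunk, `func` reads `request.user.ishtaruser` unguarded, so a request whose user has no `ishtaruser` relation raises inside the wizard condition instead of evaluating to False. The other checks in this file deny in that case: `check_permissions` tests `hasattr(request.user, "ishtaruser")`, `check_model_access_control` catches `RelatedObjectDoesNotExist`, and `OwnPerms.can_edit` uses `getattr(request.user, "ishtaruser", None)`. The new assignment could become `ishtaruser = getattr(request.user, "ishtaruser", None)` followed by `if not ishtaruser: return False`, so that the condition fails closed like the rest of the module.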
@@ -343,48 +346,56 @@ class OwnPerms: return None # implement for each object def can_view(self, request): - if hasattr(self, "LONG_SLUG"): - perm = "view_" + self.LONG_SLUG - else: - perm = "view_" + self.SLUG + meta = self.__class__._meta + perm = f"{meta.app_label}.view_{meta.model_name}" return self.can_do(request, perm) def can_edit(self, request): if not getattr(request.user, "ishtaruser", None): return False ishtaruser = request.user.ishtaruser - slug = self.LONG_SLUG if hasattr(self, "LONG_SLUG") else self.SLUG - if ishtaruser.has_perm("change_" + slug, session=request.session): + meta = self.__class__._meta + perm = f"{meta.app_label}.change_{meta.model_name}" + if ishtaruser.has_permission(perm): return True - if not ishtaruser.has_perm("change_own_" + slug, session=request.session): + own_perm = f"{meta.app_label}.change_own_{meta.model_name}" + if not ishtaruser.has_permission(own_perm): return False return self.is_own(ishtaruser) - def can_do(self, request, action_name): + def can_do(self, request, permission): """ Check permission availability for the current object. 
:param request: request object - :param action_name: action name eg: "change_find" - "own" variation is - checked + :param permission: action name eg: "archaelogical_finds.change_find" - "own" + variation is checked :return: boolean """ if not getattr(request.user, "ishtaruser", None): return False - splited = action_name.split("_") - action_own_name = splited[0] + "_own_" + "_".join(splited[1:]) - user = request.user - if action_name == "view_findbasket": - action_own_name = "view_own_find" - action_name = "view_find" - return user.ishtaruser.has_right(action_name, request.session) or ( - user.ishtaruser.has_right(action_own_name, request.session) - and self.is_own(user.ishtaruser) - ) + + if "_findbasket" in permission: + permission = permission.replace("basket", "") + ishtaruser = request.user.ishtaruser + + if ishtaruser.has_permission(permission): + return True + app, perm = permission.split(".") + p = perm.split("_") + own = f"{app}.{p[0]}_own_{('_').join(p[1:])}" + try: + return ishtaruser.has_permission(own, self) + except WrongAppError: + # normaly occurs when, for instance, add doc permission is required + # for an item with document attached but the item is not a document. + # own permission is irrelevant: return False + return False def is_own(self, user, alt_query_own=None): """ Check if the current object is owned by the user """ + print("ishtar_common/utils.py - 370 - DELETE") IshtarUser = apps.get_model("ishtar_common", "IshtarUser") if isinstance(user, IshtarUser): ishtaruser = user
@@ -406,6 +417,7 @@ class OwnPerms: """ Check if the user own some items """ + print("ishtar_common/utils.py - 392 - DELETE") IshtarUser = apps.get_model("ishtar_common", "IshtarUser") if isinstance(user, IshtarUser): ishtaruser = user 
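Review bot: In `can_do`, `app, perm = permission.split(".")` raises ValueError for any string that is not exactly `app_label.codename`, so a caller still passing an old-style bare codename such as `"change_find"` gets an exception rather than a denial once the direct check has failed. `app, sep, perm = permission.partition(".")` followed by `if not sep: return False` keeps that path fail-closed. The basket mapping is also broader than before: the old code rewrote only `view_findbasket`, whereas `permission.replace("basket", "")` maps every `*_findbasket` action onto the find permission and strips the substring wherever it occurs; `permission.replace("_findbasket", "_find")` would at least confine it to the codename, and whether non-view basket actions should follow find permissions deserves an explicit comment. The `print("... DELETE")` debug statements added to `is_own` here and to the method in the `@@ -406` hunk should be dropped before merge, since they run on every ownership check. The `OwnPerms` class starts before this hunk.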
@@ -1139,9 +1151,7 @@ def get_random_item_image_link(request): return "" ishtar_user = request.user.ishtaruser - if not ishtar_user.has_right( - "ishtar_common.view_document", session=request.session - ): + if not ishtar_user.has_permission("ishtar_common.view_document"): return "" q = (
@@ -1945,17 +1955,23 @@ def get_urls_for_model( """ Generate get and show url for a model """ + app_label = model._meta.app_label + model_name = model._meta.model_name urls = [ url( r"show-{}(?:/(?P<pk>.+))?/(?P<type>.+)?$".format(model.SLUG), - check_rights(["view_" + model.SLUG, "view_own_" + model.SLUG])( + check_permissions( + [f"{app_label}.view_{model_name}", + f"{app_label}.view_own_{model_name}"])( getattr(views, "show_" + model.SLUG) ), name="show-" + model.SLUG, ), url( r"^display-{}/(?P<pk>.+)/$".format(model.SLUG), - check_rights(["view_" + model.SLUG, "view_own_" + model.SLUG])( + check_permissions( + [f"{app_label}.view_{model_name}", + f"{app_label}.view_own_{model_name}"])( getattr(views, "display_" + model.SLUG) ), name="display-" + model.SLUG,
@@ -1965,7 +1981,9 @@ def get_urls_for_model( urls += [ url( r"get-{}/own/(?P<type>.+)?$".format(model.SLUG), - check_rights(["view_" + model.SLUG, "view_own_" + model.SLUG])( + check_permissions( + [f"{app_label}.view_{model_name}", + f"{app_label}.view_own_{model_name}"])( getattr(views, "get_" + model.SLUG) ), name="get-own-" + model.SLUG,
@@ -1976,7 +1994,9 @@ def get_urls_for_model( urls += [ url( r"get-{}/(?P<type>.+)?$".format(model.SLUG), - check_rights(["view_" + model.SLUG, "view_own_" + model.SLUG])( + check_permissions( + [f"{app_label}.view_{model_name}", + f"{app_label}.view_own_{model_name}"])( getattr(views, "get_" + model.SLUG) ), name="get-" + model.SLUG, 
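Review bot: The permission pair `[f"{app_label}.view_{model_name}", f"{app_label}.view_own_{model_name}"]` is written out twice in the `@@ -1945` hunk and once more in each of the `@@ -1965`, `@@ -1976` and `@@ -1987` hunks. Binding it once beside the new `app_label`/`model_name` locals, `view_perms = [f"{app_label}.view_{model_name}", f"{app_label}.view_own_{model_name}"]`, and calling `check_permissions(view_perms)(...)` at the five routes keeps the order (most permissive first, as the comment in `check_permissions` asks) in a single place. For the `show-` and `display-` routes it is also worth a comment that the decorator only establishes that the user holds `view_own_*` at all, because it calls `has_permission` without an object; restricting `pk` to owned items is left to the wrapped view through `current_right`, which is presumably handled there but is not visible in this diff. `get_urls_for_model` begins and ends outside these hunks.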
@@ -1987,7 +2007,9 @@ def get_urls_for_model( urls += [ url( r"autocomplete-{}/$".format(model.SLUG), - check_rights(["view_" + model.SLUG, "view_own_" + model.SLUG])( + check_permissions( + [f"{app_label}.view_{model_name}", + f"{app_label}.view_own_{model_name}"])( getattr(views, "autocomplete_" + model.SLUG) ), name="autocomplete-" + model.SLUG, |