diff --git a/src/cms/api/views/page.py b/src/cms/api/views/page.py
index ba706cb..6956256 100644
--- a/src/cms/api/views/page.py
+++ b/src/cms/api/views/page.py
@@ -100,8 +100,7 @@ def patch(self, request, *args, **kwargs):
 new_webpath = serializer.validated_data.get('webpath')
 if new_webpath and new_webpath != item.webpath:
 # check permissions and locks on webpath
- webpath_perms = new_webpath.is_editable_by(obj=item,
- user=request.user)
+ webpath_perms = new_webpath.is_editable_by(user=request.user)
 if not webpath_perms:
 raise LoggedPermissionDenied(classname=self.__class__.__name__,
 resource=request.method)
@@ -122,8 +121,7 @@ def put(self, request, *args, **kwargs):
 new_webpath = serializer.validated_data.get('webpath')
 # check permissions on webpath
 if new_webpath != item.webpath:
- webpath_perms = new_webpath.is_editable_by(obj=item,
- user=request.user)
+ webpath_perms = new_webpath.is_editable_by(user=request.user)
 if not webpath_perms:
 raise LoggedPermissionDenied(classname=self.__class__.__name__,
 resource=request.method)
diff --git a/src/cms/api/views/webpath.py b/src/cms/api/views/webpath.py
index 5a99396..5343cd4 100644
--- a/src/cms/api/views/webpath.py
+++ b/src/cms/api/views/webpath.py
@@ -65,7 +65,7 @@ def post(self, request, *args, **kwargs):
 publisher_perms = is_publisher(permission)
 parent_locks_ok = EditorialBoardLockUser.check_for_locks(parent,
 request.user)
- has_permissions = request.user.is_superuser or (publisher_perms and parent_locks_ok)
+ has_permissions = request.user.is_superuser or publisher_perms or parent_locks_ok
 if not has_permissions:
 raise LoggedPermissionDenied(classname=self.__class__.__name__,
 resource=request.method)
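Review bot: Dropping `obj=item` from the `new_webpath.is_editable_by(...)` call in `patch` (the same happens in `put` below, and at the `obj=self` call sites in pages/models.py and publications/models.py) changes which object the `only_created_by` rule is applied to: in contexts/models.py the check is now `self.created_by != user` on the webpath, where it used to be `item.created_by` on the page being moved or edited. For an editor whose permission is restricted to pages they created this appears to stop being a per-page ownership check — they are denied on their own pages under a webpath created by someone else, and allowed on every page of a webpath they created — unless a lock on the page grants access; worth confirming that is intended. If the per-page rule should survive, `Page.is_editable_by` has to re-check ownership itself, because the webpath no longer knows which page is being edited. The enclosing `patch` and `put` bodies start outside the hunks.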
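Review bot: `has_permissions = request.user.is_superuser or publisher_perms or parent_locks_ok` turns the lock from a restriction into a grant: a publisher now creates children under a parent webpath locked by another user, and a non-publisher who appears in the parent's lock list creates them without any editorial-board permission. The same inversion is made in contexts/models.py (`if perms: return True` before the lock check) and pages/models.py (`if webpath_perms: return True`), so if it is intended it should be stated once, in the commit message and in the `check_for_locks` docstring, rather than left implicit in three files. The name `parent_locks_ok` no longer describes the value — with the new `check_for_locks` it is true only when the user holds a lock on the parent — so rename it, e.g. `user_holds_parent_lock = EditorialBoardLockUser.check_for_locks(parent, request.user)`. The enclosing `post` continues outside the hunk.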
@@ -111,17 +111,17 @@ def patch(self, request, *args, **kwargs):
 data=request.data,
 partial=True)
 if serializer.is_valid(raise_exception=True):
- has_permission = item.is_publicable_by(user=request.user,
- parent=True)
+ has_permission = item.is_publicable_by(user=request.user)
+ # parent=True)
 if not has_permission:
 raise LoggedPermissionDenied(classname=self.__class__.__name__,
 resource=request.method)
- # if parent in request data, check permission on parent
+ # if parent in request data, check permission on (new) parent
 parent = serializer.validated_data.get('parent')
+ # check permissions on parent if different from actual
 if parent and parent != item.parent:
- # check permissions on parent
- has_permission = parent.is_publicable_by(user=request.user,
- parent=True)
+ has_permission = parent.is_publicable_by(user=request.user)
+ # parent=True)
 if not has_permission:
 raise LoggedPermissionDenied(classname=self.__class__.__name__,
 resource=request.method)
@@ -137,17 +137,17 @@ def put(self, request, *args, **kwargs):
 serializer = self.get_serializer(instance=item,
 data=request.data)
 if serializer.is_valid(raise_exception=True):
- has_permission = item.is_publicable_by(user=request.user,
- parent=True)
+ has_permission = item.is_publicable_by(user=request.user)
+ # parent=True)
 if not has_permission:
 raise LoggedPermissionDenied(classname=self.__class__.__name__,
 resource=request.method)
-
+ # if parent in request data, check permission on (new) parent
 parent = serializer.validated_data.get('parent')
 # check permissions on parent if different from actual
 if parent != item.parent:
- has_permission = parent.is_publicable_by(user=request.user,
- parent=True)
+ has_permission = parent.is_publicable_by(user=request.user)
+ # parent=True)
 if not has_permission:
 raise LoggedPermissionDenied(classname=self.__class__.__name__,
 resource=request.method)
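Review bot: The added `# parent=True)` lines after each `is_publicable_by(user=request.user)` call in `patch` and `put` (and again in `delete`, in the three method signatures and `is_lockable_by` in contexts/models.py, and as `#, obj=self)` in pages/models.py) are commented-out remnants of the old keyword argument; the removed lines are already in history, so delete the fragments instead of carrying them in the code. Behaviourally the check now runs against the webpath itself instead of its parent, so editing, re-parenting or deleting a webpath requires publisher rights (or a lock) on that webpath rather than on the parent — if that shift is deliberate, say so on the first call, e.g. `# publisher permission (or a lock) on this webpath, no longer on its parent`. In `put` the context guard `if parent != item.parent:` lacks the `parent and` that `patch` has, so a payload whose `parent` validates to `None` could reach `parent.is_publicable_by`; pre-existing, but worth aligning while this block is touched. Both method bodies start outside the hunks.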
@@ -160,8 +160,8 @@ def put(self, request, *args, **kwargs):
 def delete(self, request, *args, **kwargs):
 item = self.get_object()
- has_permission = item.is_publicable_by(user=request.user,
- parent=True)
+ has_permission = item.is_publicable_by(user=request.user)
+ # parent=True)
 if not has_permission:
 raise LoggedPermissionDenied(classname=self.__class__.__name__,
 resource=request.method)
diff --git a/src/cms/contexts/models.py b/src/cms/contexts/models.py
index 0f1e1f1..8d70926 100644
--- a/src/cms/contexts/models.py
+++ b/src/cms/contexts/models.py
@@ -220,50 +220,60 @@ def save(self, *args, **kwargs):
 def get_parent_fullpath(self):
 return self.parent.get_full_path() if self.parent else ''
- def is_localizable_by(self, user=None, obj=None, parent=False):
+ def is_localizable_by(self, user=None): #,obj=None, parent=False):
 if not user: return False
 if user.is_superuser: return True
- item = self if not obj else obj
- parent = self.parent if parent else self
- eb_permission = EditorialBoardEditors.get_permission(parent, user)
+ # item = self if not obj else obj
+ # parent = self.parent if parent else self
+ # eb_permission = EditorialBoardEditors.get_permission(parent, user)
+ eb_permission = EditorialBoardEditors.get_permission(self, user)
 perms = is_translator(eb_permission)
- # if user has not editor permissions
- if not perms: return False
+ # if user has translator permissions
+ if perms: return True
+ # if user has not permissions, check locks
 webpath_lock_ok = EditorialBoardLockUser.check_for_locks(self, user)
 return webpath_lock_ok
- def is_editable_by(self, user=None, obj=None, parent=False):
+ def is_editable_by(self, user=None): #, obj=None, parent=False):
 if not user: return False
 if user.is_superuser: return True
- item = self if not obj else obj
- parent = self.parent if parent else self
- eb_permission = EditorialBoardEditors.get_permission(parent, user)
+ # item = self if not obj else obj
+ # parent = self.parent if parent else self
+ eb_permission = EditorialBoardEditors.get_permission(self, user)
 perms = is_editor(eb_permission)
- # if user has not editor permissions
- if not perms: return False
- # if user can edit only created by him pages
- if perms['only_created_by'] and item.created_by != user:
- return False
+ # if user has editor permissions
+ if perms:
+ # check if permission is only for the owner
+ if perms['only_created_by'] and self.created_by != user:
+ return False
+ # permission granted
+ return True
+ # if user has not permissions, check locks
 webpath_lock_ok = 
EditorialBoardLockUser.check_for_locks(self, user)
 return webpath_lock_ok
- def is_publicable_by(self, user=None, obj=None, parent=False):
+ def is_publicable_by(self, user=None): #, obj=None, parent=False):
 if not user: return False
 if user.is_superuser: return True
- item = self if not obj else obj
- parent = self.parent if parent else self
- eb_permission = EditorialBoardEditors.get_permission(parent, user)
+ # item = self if not obj else obj
+ # parent = self.parent if parent else self
+ # eb_permission = EditorialBoardEditors.get_permission(parent, user)
+ eb_permission = EditorialBoardEditors.get_permission(self, user)
 perms = is_publisher(eb_permission)
- # if user has not editor permissions
- if not perms: return False
- # if user can edit only created by him pages
- if perms['only_created_by'] and item.created_by != user:
- return False
+ # if user has publisher permissions
+ if perms:
+ # check if permission is only for the owner
+ if perms['only_created_by'] and self.created_by != user:
+ return False
+ # permission granted
+ return True
+ # if user has not permissions, check locks
 webpath_lock_ok = EditorialBoardLockUser.check_for_locks(self, user)
 return webpath_lock_ok
+
 def is_lockable_by(self, user):
- return self.is_publicable_by(user, parent=True)
+ return self.is_publicable_by(user) #, parent=True)
 def get_access_level(self):
 for t in getattr(settings, 'AUTH_USER_GROUPS', ()):
@@ -391,12 +401,9 @@ def check_for_locks(cls, obj, user):
 content_type = ContentType.objects.get_for_model(obj)
 locks = cls.get_object_locks(content_type=content_type,
 object_id=obj.pk)
- # if there is not lock, ok
- if not locks: return True
 # if user is in lock user list, has permissions
- if locks.filter(user=user).exists():
- return True
- # else no permissions but obj is locked
+ if locks.filter(user=user).exists(): return True
+ # if there is not lock, return False
 return False # pragma: no cover
 def __str__(self): # pragma: no cover
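Review bot: None of the three rewritten permission methods states its new contract, and the order of grants is what a security reviewer needs: superuser first, then editorial-board permission (with the `only_created_by` owner check in `is_editable_by` and `is_publicable_by`), then, only when no permission exists, membership in the webpath's lock list. A docstring on each — for `is_editable_by`: returns True for superusers, for editors of this webpath (owners only when `only_created_by` is set) or for users holding a lock on it, and False for an anonymous caller — would say more than the `# item = ...` / `# parent = ...` commented-out lines, which should be deleted along with the `#, obj=None, parent=False):` tails on the signatures. `is_lockable_by` now delegates to `is_publicable_by(user)` and is therefore satisfied by an existing lock as well as by publisher permission; if holding a lock is not meant to confer the right to lock, it needs its own check, e.g. `return self.is_publicable_by(user) and not EditorialBoardLockUser.check_for_locks(self, user)` — only if that is the intended policy. The old `parent=True` branch, which checked the parent's permission table, is gone entirely, so callers that relied on parent-level rights should be re-verified.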
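Review bot: `return False # pragma: no cover` is now the ordinary outcome of `check_for_locks` — every call where the object has no lock, or the caller is not in its lock list, ends here — so the exclusion hides exactly the branch that decides denial; drop the pragma and add tests for an unlocked object and for a non-holder of a locked object. The method's meaning has changed from "locks do not block this user" to "this user holds a lock on obj", which the new comment `# if there is not lock, return False` only half describes; a docstring such as `Return True only if user is in the lock list of obj; an unlocked object grants nothing.` would also serve the callers in contexts/models.py and pages/models.py that now rely on it as a grant. The classmethod's signature is outside the hunk.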
diff --git a/src/cms/pages/models.py b/src/cms/pages/models.py
index c2e7435..669d09e 100644
--- a/src/cms/pages/models.py
+++ b/src/cms/pages/models.py
@@ -302,7 +302,7 @@ def is_localizable_by(self, user=None):
 # and check for locks on webpath
 webpath = self.webpath
 webpath_perms = webpath.is_localizable_by(user=user)
- if not webpath_perms: return False
+ if webpath_perms: return True
 # check for locks on object
 return EditorialBoardLockUser.check_for_locks(self, user)
@@ -312,8 +312,8 @@ def is_editable_by(self, user=None):
 # check if user has EditorialBoard editor permissions on object
 # and check for locks on webpath
 webpath = self.webpath
- webpath_perms = webpath.is_editable_by(user=user, obj=self)
- if not webpath_perms: return False
+ webpath_perms = webpath.is_editable_by(user=user)
+ if webpath_perms: return True
 # check for locks on object
 return EditorialBoardLockUser.check_for_locks(self, user)
@@ -323,8 +323,8 @@ def is_publicable_by(self, user=None):
 # check if user has EditorialBoard editor permissions on object
 # and check for locks on webpath
 webpath = self.webpath
- webpath_perms = webpath.is_publicable_by(user=user, obj=self)
- if not webpath_perms: return False
+ webpath_perms = webpath.is_publicable_by(user=user) #, obj=self)
+ if webpath_perms: return True
 # check for locks on object
 return EditorialBoardLockUser.check_for_locks(self, user)
diff --git a/src/cms/publications/models.py b/src/cms/publications/models.py
index 2a71b5c..54dcc68 100644
--- a/src/cms/publications/models.py
+++ b/src/cms/publications/models.py
@@ -328,7 +328,7 @@ def is_editable_by(self, user=None):
 pub_ctxs = self.get_publication_contexts()
 for pub_ctx in pub_ctxs:
 webpath = pub_ctx.webpath
- webpath_perms = webpath.is_editable_by(user=user, obj=self)
+ webpath_perms = webpath.is_editable_by(user=user)
 if webpath_perms: return True
 # if no permissions
 return False
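Review bot: The context comment `# check for locks on object` in `is_publicable_by` (and in `is_localizable_by` and `is_editable_by` above it) now sits on a grant path rather than a guard: after `if webpath_perms: return True` the lock check is reached only when the webpath denies, and it returns True for lock holders, so the header lines `# check if user has EditorialBoard editor permissions on object` / `# and check for locks on webpath` describe the old permission-AND-lock rule. Replace the trailing comment in each of the three methods with `# no webpath permission: allow only a user who holds a lock on this page`, and correct "editor" to "publisher" in the `is_publicable_by` header while there. Each method's signature line is outside its hunk.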
@@ -351,7 +351,7 @@ def is_publicable_by(self, user=None):
 pub_ctxs = self.get_publication_contexts()
 for pub_ctx in pub_ctxs:
 webpath = pub_ctx.webpath
- webpath_perms = webpath.is_publicable_by(user=user, obj=self)
+ webpath_perms = webpath.is_publicable_by(user=user)
 if webpath_perms: return True
 # if no permissions
 return False