fix: refactor webpath permissions
francesco-filicetti committed Dec 17, 2024
1 parent 58fe359 commit d3dc9ca
Showing 5 changed files with 62 additions and 56 deletions.
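--- a/src/cms/api/views/page.py
+++ b/src/cms/api/views/page.py
@@ -100,8 +100,7 @@ def patch(self, request, *args, **kwargs):
 new_webpath = serializer.validated_data.get('webpath')
 if new_webpath and new_webpath != item.webpath:
 # check permissions and locks on webpath
-webpath_perms = new_webpath.is_editable_by(obj=item,
-user=request.user)
+webpath_perms = new_webpath.is_editable_by(user=request.user)
 if not webpath_perms:
 raise LoggedPermissionDenied(classname=self.__class__.__name__,
 resource=request.method)
@@ -122,8 +121,7 @@ def put(self, request, *args, **kwargs):
 new_webpath = serializer.validated_data.get('webpath')
 # check permissions on webpath
 if new_webpath != item.webpath:
-webpath_perms = new_webpath.is_editable_by(obj=item,
-user=request.user)
+webpath_perms = new_webpath.is_editable_by(user=request.user)
 if not webpath_perms:
 raise LoggedPermissionDenied(classname=self.__class__.__name__,
 resource=request.method)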
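Review bot: Dropping `obj=item` in both `patch` and `put` means the `only_created_by` restriction is no longer evaluated against the page being moved: `WebPath.is_editable_by` in src/cms/contexts/models.py now compares `self.created_by` (the webpath's creator) with the user, where it used to compare `item.created_by`. An editor limited to their own content who created the target webpath therefore passes this check for pages created by others, and one who did not create the webpath is refused for their own pages. The same call-site change appears in src/cms/pages/models.py and src/cms/publications/models.py. If the restriction is meant to follow the content item, keep an optional `obj` argument used only for the ownership test, e.g. `owner = (obj or self).created_by` followed by `if perms['only_created_by'] and owner != user: return False`. Both view methods start and end outside the hunks.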
28 changes: 14 additions & 14 deletions src/cms/api/views/webpath.py
@@ -65,7 +65,7 @@ def post(self, request, *args, **kwargs):
publisher_perms = is_publisher(permission)
parent_locks_ok = EditorialBoardLockUser.check_for_locks(parent,
request.user)
has_permissions = request.user.is_superuser or (publisher_perms and parent_locks_ok)
has_permissions = request.user.is_superuser or publisher_perms or parent_locks_ok
if not has_permissions:
raise LoggedPermissionDenied(classname=self.__class__.__name__,
resource=request.method)
@@ -111,17 +111,17 @@ def patch(self, request, *args, **kwargs):
data=request.data,
partial=True)
if serializer.is_valid(raise_exception=True):
has_permission = item.is_publicable_by(user=request.user,
parent=True)
has_permission = item.is_publicable_by(user=request.user)
# parent=True)
if not has_permission:
raise LoggedPermissionDenied(classname=self.__class__.__name__,
resource=request.method)
# if parent in request data, check permission on parent
# if parent in request data, check permission on (new) parent
parent = serializer.validated_data.get('parent')
# check permissions on parent if different from actual
if parent and parent != item.parent:
# check permissions on parent
has_permission = parent.is_publicable_by(user=request.user,
parent=True)
has_permission = parent.is_publicable_by(user=request.user)
# parent=True)
if not has_permission:
raise LoggedPermissionDenied(classname=self.__class__.__name__,
resource=request.method)
@@ -137,17 +137,17 @@ def put(self, request, *args, **kwargs):
serializer = self.get_serializer(instance=item,
data=request.data)
if serializer.is_valid(raise_exception=True):
has_permission = item.is_publicable_by(user=request.user,
parent=True)
has_permission = item.is_publicable_by(user=request.user)
# parent=True)
if not has_permission:
raise LoggedPermissionDenied(classname=self.__class__.__name__,
resource=request.method)

# if parent in request data, check permission on (new) parent
parent = serializer.validated_data.get('parent')
# check permissions on parent if different from actual
if parent != item.parent:
has_permission = parent.is_publicable_by(user=request.user,
parent=True)
has_permission = parent.is_publicable_by(user=request.user)
# parent=True)
if not has_permission:
raise LoggedPermissionDenied(classname=self.__class__.__name__,
resource=request.method)
@@ -160,8 +160,8 @@ def put(self, request, *args, **kwargs):

def delete(self, request, *args, **kwargs):
item = self.get_object()
has_permission = item.is_publicable_by(user=request.user,
parent=True)
has_permission = item.is_publicable_by(user=request.user)
# parent=True)
if not has_permission:
raise LoggedPermissionDenied(classname=self.__class__.__name__,
resource=request.method)
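Review bot: In `post`, replacing `publisher_perms and parent_locks_ok` with `publisher_perms or parent_locks_ok` turns a lock entry on the parent into a grant by itself, and `publisher_perms` is tested only for truthiness, so the `only_created_by` condition that `WebPath.is_publicable_by` enforces in src/cms/contexts/models.py is skipped when creating a child webpath. Calling the model method keeps the create path consistent with `patch`, `put` and `delete`: `has_permissions = parent.is_publicable_by(user=request.user)`, which already covers the superuser, publisher and lock cases. This assumes `parent` is a WebPath instance at that point; the start of `post` is outside the hunk. The leftover `# parent=True)` comment lines in the other hunks can be deleted rather than kept as commented-out arguments.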
70 changes: 39 additions & 31 deletions src/cms/contexts/models.py
@@ -220,50 +220,60 @@ def save(self, *args, **kwargs):
def get_parent_fullpath(self):
return self.parent.get_full_path() if self.parent else ''

def is_localizable_by(self, user=None, obj=None, parent=False):
def is_localizable_by(self, user=None): #,obj=None, parent=False):
if not user: return False
if user.is_superuser: return True
item = self if not obj else obj
parent = self.parent if parent else self
eb_permission = EditorialBoardEditors.get_permission(parent, user)
# item = self if not obj else obj
# parent = self.parent if parent else self
# eb_permission = EditorialBoardEditors.get_permission(parent, user)
eb_permission = EditorialBoardEditors.get_permission(self, user)
perms = is_translator(eb_permission)
# if user has not editor permissions
if not perms: return False
# if user has translator permissions
if perms: return True
# if user has not permissions, check locks
webpath_lock_ok = EditorialBoardLockUser.check_for_locks(self, user)
return webpath_lock_ok

def is_editable_by(self, user=None, obj=None, parent=False):
def is_editable_by(self, user=None): #, obj=None, parent=False):
if not user: return False
if user.is_superuser: return True
item = self if not obj else obj
parent = self.parent if parent else self
eb_permission = EditorialBoardEditors.get_permission(parent, user)
# item = self if not obj else obj
# parent = self.parent if parent else self
eb_permission = EditorialBoardEditors.get_permission(self, user)
perms = is_editor(eb_permission)
# if user has not editor permissions
if not perms: return False
# if user can edit only created by him pages
if perms['only_created_by'] and item.created_by != user:
return False
# if user has editor permissions
if perms:
# check if permission is only for the owner
if perms['only_created_by'] and self.created_by != user:
return False
# permission granted
return True
# if user has not permissions, check locks
webpath_lock_ok = EditorialBoardLockUser.check_for_locks(self, user)
return webpath_lock_ok

def is_publicable_by(self, user=None, obj=None, parent=False):
def is_publicable_by(self, user=None): #, obj=None, parent=False):
if not user: return False
if user.is_superuser: return True
item = self if not obj else obj
parent = self.parent if parent else self
eb_permission = EditorialBoardEditors.get_permission(parent, user)
# item = self if not obj else obj
# parent = self.parent if parent else self
# eb_permission = EditorialBoardEditors.get_permission(parent, user)
eb_permission = EditorialBoardEditors.get_permission(self, user)
perms = is_publisher(eb_permission)
# if user has not editor permissions
if not perms: return False
# if user can edit only created by him pages
if perms['only_created_by'] and item.created_by != user:
return False
# if user has publisher permissions
if perms:
# check if permission is only for the owner
if perms['only_created_by'] and self.created_by != user:
return False
# permission granted
return True
# if user has not permissions, check locks
webpath_lock_ok = EditorialBoardLockUser.check_for_locks(self, user)
return webpath_lock_ok


def is_lockable_by(self, user):
return self.is_publicable_by(user, parent=True)
return self.is_publicable_by(user) #, parent=True)

def get_access_level(self):
for t in getattr(settings, 'AUTH_USER_GROUPS', ()):
@@ -390,13 +400,11 @@ def check_for_locks(cls, obj, user):
# check for locks on object
content_type = ContentType.objects.get_for_model(obj)
locks = cls.get_object_locks(content_type=content_type,
object_id=obj.pk)
# if there is not lock, ok
if not locks: return True
object_id=obj.pk,
user=user).exists()
# if user is in lock user list, has permissions
if locks.filter(user=user).exists():
return True
# else no permissions but obj is locked
if locks: return True
# if there is not lock, return False
return False # pragma: no cover

def __str__(self): # pragma: no cover
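Review bot: `check_for_locks` now answers a different question: it used to return True when the object had no locks or the user was among the lock holders, and after this hunk it returns True only when the user has a lock entry, so a lock held by someone else no longer blocks a user who has editor or publisher permissions. Callers not touched by this commit that still combine the result with `and`, or negate it, will change behaviour silently, so they need an audit, and the new meaning deserves a docstring such as `"""Return True only if *user* holds a lock on *obj*; no lock means no grant."""`. The `# pragma: no cover` on `return False` should go, since that line is now the normal deny path and should be exercised by tests. It is also worth confirming that `get_object_locks` accepts the new `user` keyword, as its definition is not shown here. The same grant-style fallback is used by the three `is_*_by` methods in the first hunk.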
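--- a/src/cms/pages/models.py
+++ b/src/cms/pages/models.py
@@ -302,7 +302,7 @@ def is_localizable_by(self, user=None):
 # and check for locks on webpath
 webpath = self.webpath
 webpath_perms = webpath.is_localizable_by(user=user)
-if not webpath_perms: return False
+if webpath_perms: return True
 # check for locks on object
 return EditorialBoardLockUser.check_for_locks(self, user)
 
@@ -312,8 +312,8 @@ def is_editable_by(self, user=None):
 # check if user has EditorialBoard editor permissions on object
 # and check for locks on webpath
 webpath = self.webpath
-webpath_perms = webpath.is_editable_by(user=user, obj=self)
-if not webpath_perms: return False
+webpath_perms = webpath.is_editable_by(user=user)
+if webpath_perms: return True
 # check for locks on object
 return EditorialBoardLockUser.check_for_locks(self, user)
 
@@ -323,8 +323,8 @@ def is_publicable_by(self, user=None):
 # check if user has EditorialBoard editor permissions on object
 # and check for locks on webpath
 webpath = self.webpath
-webpath_perms = webpath.is_publicable_by(user=user, obj=self)
-if not webpath_perms: return False
+webpath_perms = webpath.is_publicable_by(user=user) #, obj=self)
+if webpath_perms: return True
 # check for locks on object
 return EditorialBoardLockUser.check_for_locks(self, user)
 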
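Review bot: With `if not webpath_perms: return False` replaced by `if webpath_perms: return True` in all three methods, a refusal from the webpath is no longer final: the `only_created_by` mismatch that `WebPath.is_editable_by` and `is_publicable_by` return False for falls through to `check_for_locks(self, user)`, so a page-level lock entry overrides it. If that is intended, the comments above should say so, for example `# no webpath permission: allow only if the user holds a lock on this page`, because the existing `# and check for locks on webpath` text describes the old gate. The trailing `#, obj=self)` on the `is_publicable_by` call is commented-out code and can be removed. The method bodies begin outside the hunks.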
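--- a/src/cms/publications/models.py
+++ b/src/cms/publications/models.py
@@ -328,7 +328,7 @@ def is_editable_by(self, user=None):
 pub_ctxs = self.get_publication_contexts()
 for pub_ctx in pub_ctxs:
 webpath = pub_ctx.webpath
-webpath_perms = webpath.is_editable_by(user=user, obj=self)
+webpath_perms = webpath.is_editable_by(user=user)
 if webpath_perms: return True
 # if no permissions
 return False
@@ -351,7 +351,7 @@ def is_publicable_by(self, user=None):
 pub_ctxs = self.get_publication_contexts()
 for pub_ctx in pub_ctxs:
 webpath = pub_ctx.webpath
-webpath_perms = webpath.is_publicable_by(user=user, obj=self)
+webpath_perms = webpath.is_publicable_by(user=user)
 if webpath_perms: return True
 # if no permissions
 return False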
