fix: refactor webpath permissions

UniversitaDellaCalabria · Dec 17, 2024 · ef0a546 · ef0a546
1 parent 58fe359
commit ef0a546
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 31 deletions.
diff --git a/src/cms/api/views/webpath.py b/src/cms/api/views/webpath.py
@@ -111,17 +111,17 @@ def patch(self, request, *args, **kwargs):
                                          data=request.data,
                                          partial=True)
         if serializer.is_valid(raise_exception=True):
-            has_permission = item.is_publicable_by(user=request.user,
-                                                   parent=True)
+            has_permission = item.is_publicable_by(user=request.user)
+                                                   # parent=True)
             if not has_permission:
                 raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                              resource=request.method)
-            # if parent in request data, check permission on parent
+            # if parent in request data, check permission on (new) parent
             parent = serializer.validated_data.get('parent')
+            # check permissions on parent if different from actual
             if parent and parent != item.parent:
-                # check permissions on parent
-                has_permission = parent.is_publicable_by(user=request.user,
-                                                         parent=True)
+                has_permission = parent.is_publicable_by(user=request.user)
+                                                         # parent=True)
                 if not has_permission:
                     raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                                  resource=request.method)
@@ -137,17 +137,17 @@ def put(self, request, *args, **kwargs):
         serializer = self.get_serializer(instance=item,
                                          data=request.data)
         if serializer.is_valid(raise_exception=True):
-            has_permission = item.is_publicable_by(user=request.user,
-                                                   parent=True)
+            has_permission = item.is_publicable_by(user=request.user)
+                                                   # parent=True)
             if not has_permission:
                 raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                              resource=request.method)
-
+            # if parent in request data, check permission on (new) parent
             parent = serializer.validated_data.get('parent')
             # check permissions on parent if different from actual
             if parent != item.parent:
-                has_permission = parent.is_publicable_by(user=request.user,
-                                                         parent=True)
+                has_permission = parent.is_publicable_by(user=request.user)
+                                                         # parent=True)
                 if not has_permission:
                     raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                                  resource=request.method)
@@ -160,8 +160,8 @@ def put(self, request, *args, **kwargs):
 
     def delete(self, request, *args, **kwargs):
         item = self.get_object()
-        has_permission = item.is_publicable_by(user=request.user,
-                                               parent=True)
+        has_permission = item.is_publicable_by(user=request.user)
+                                               # parent=True)
         if not has_permission:
             raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                          resource=request.method)

diff --git a/src/cms/contexts/models.py b/src/cms/contexts/models.py
@@ -227,8 +227,9 @@ def is_localizable_by(self, user=None, obj=None, parent=False):
         parent = self.parent if parent else self
         eb_permission = EditorialBoardEditors.get_permission(parent, user)
         perms = is_translator(eb_permission)
-        # if user has not editor permissions
-        if not perms: return False
+        # if user has translator permissions
+        if perms: return True
+        # if user has not permissions, check locks
         webpath_lock_ok = EditorialBoardLockUser.check_for_locks(self, user)
         return webpath_lock_ok
 
@@ -239,31 +240,39 @@ def is_editable_by(self, user=None, obj=None, parent=False):
         parent = self.parent if parent else self
         eb_permission = EditorialBoardEditors.get_permission(parent, user)
         perms = is_editor(eb_permission)
-        # if user has not editor permissions
-        if not perms: return False
-        # if user can edit only created by him pages
-        if perms['only_created_by'] and item.created_by != user:
-            return False
+        # if user has editor permissions
+        if perms:
+            # check if permission is only for the owner
+            if perms['only_created_by'] and item.created_by != user:
+                return False
+            # permission granted
+            return True
+        # if user has not permissions, check locks
         webpath_lock_ok = EditorialBoardLockUser.check_for_locks(self, user)
         return webpath_lock_ok
 
-    def is_publicable_by(self, user=None, obj=None, parent=False):
+    def is_publicable_by(self, user=None) #, obj=None, parent=False):
         if not user: return False
         if user.is_superuser: return True
-        item = self if not obj else obj
-        parent = self.parent if parent else self
-        eb_permission = EditorialBoardEditors.get_permission(parent, user)
+        # item = self if not obj else obj
+        # parent = self.parent if parent else self
+        # eb_permission = EditorialBoardEditors.get_permission(parent, user)
+        eb_permission = EditorialBoardEditors.get_permission(self, user)
         perms = is_publisher(eb_permission)
-        # if user has not editor permissions
-        if not perms: return False
-        # if user can edit only created by him pages
-        if perms['only_created_by'] and item.created_by != user:
-            return False
+        # if user has publisher permissions
+        if perms:
+            # check if permission is only for the owner
+            if perms['only_created_by'] and item.created_by != user:
+                return False
+            # permission granted
+            return True
+        # if user has not permissions, check locks
         webpath_lock_ok = EditorialBoardLockUser.check_for_locks(self, user)
         return webpath_lock_ok
 
+
     def is_lockable_by(self, user):
-        return self.is_publicable_by(user, parent=True)
+        return self.is_publicable_by(user) #, parent=True)
 
     def get_access_level(self):
         for t in getattr(settings, 'AUTH_USER_GROUPS', ()):

diff --git a/src/cms/pages/models.py b/src/cms/pages/models.py
@@ -323,7 +323,7 @@ def is_publicable_by(self, user=None):
         # check if user has EditorialBoard editor permissions on object
         # and check for locks on webpath
         webpath = self.webpath
-        webpath_perms = webpath.is_publicable_by(user=user, obj=self)
+        webpath_perms = webpath.is_publicable_by(user=user) #, obj=self)
         if not webpath_perms: return False
         # check for locks on object
         return EditorialBoardLockUser.check_for_locks(self, user)