OpenSlides/openslides/agenda/access_permissions.py

from typing import Any, Dict, Iterable, List

from ..utils.access_permissions import BaseAccessPermissions
from ..utils.auth import async_has_perm


class ItemAccessPermissions(BaseAccessPermissions):
    """
    Access permissions container for Item and ItemViewSet.
    """

    base_permission = "agenda.can_see"

    # TODO: In the following method we use full_data['is_hidden'] and
    # full_data['is_internal'] but this can be out of date.
    async def get_restricted_data(
        self, full_data: List[Dict[str, Any]], user_id: int
    ) -> List[Dict[str, Any]]:
        """
        Returns the restricted serialized data for the instance prepared
        for the user.

        Hidden items can only be seen by managers with can_manage permission.

        We remove comments for non admins/managers and a lot of fields of
        internal items for users without permission to see internal items.
        """

        def filtered_data(full_data, blocked_keys):
            """
            Returns a new dict like full_data but with all blocked_keys removed.
            """
            whitelist = full_data.keys() - blocked_keys
            return {key: full_data[key] for key in whitelist}

        # Parse data.
        if full_data and await async_has_perm(user_id, "agenda.can_see"):
            if await async_has_perm(
                user_id, "agenda.can_manage"
            ) and await async_has_perm(user_id, "agenda.can_see_internal_items"):
                # Managers with special permission can see everything.
                data = full_data
            elif await async_has_perm(user_id, "agenda.can_see_internal_items"):
                # Non managers with special permission can see everything but
                # comments and hidden items.
                data = [
                    full for full in full_data if not full["is_hidden"]
                ]  # filter hidden items
                blocked_keys = ("comment",)
                data = [
                    filtered_data(full, blocked_keys) for full in data
                ]  # remove blocked_keys
            else:
                # Users without special permission for internal items.

                # In internal and hidden case managers and non managers see only some fields
                # so that list of speakers is provided regardless. Hidden items can only be seen by managers.
                # We know that full_data has at least one entry which can be used to parse the keys.
                blocked_keys_internal_hidden_case = set(full_data[0].keys()) - set(
                    ("id", "title", "speakers", "speaker_list_closed", "content_object")
                )

                # In non internal case managers see everything and non managers see
                # everything but comments.
                if await async_has_perm(user_id, "agenda.can_manage"):
                    blocked_keys_non_internal_hidden_case: Iterable[str] = []
                    can_see_hidden = True
                else:
                    blocked_keys_non_internal_hidden_case = ("comment",)
                    can_see_hidden = False

                data = []
                for full in full_data:
                    if full["is_hidden"] and can_see_hidden:
                        # Same filtering for internal and hidden items
                        data.append(
                            filtered_data(full, blocked_keys_internal_hidden_case)
                        )
                    elif full["is_internal"]:
                        data.append(
                            filtered_data(full, blocked_keys_internal_hidden_case)
                        )
                    else:  # agenda item
                        data.append(
                            filtered_data(full, blocked_keys_non_internal_hidden_case)
                        )
        else:
            data = []

        return data
Remove CollectionElement * Use user_id: int instead of Optional[CollectionElment] in utils * Rewrote autoupdate system without CollectionElement 2018-11-03 23:40:20 +01:00			`from typing import Any, Dict, Iterable, List`
more typings 2017-08-24 12:26:55 +02:00
CollectionElement and Autoupdate cleanups * change get_restricted_data and get_projector_data to always use a list * Add typings to all get_restricted_data and get_projector_data methods * Replace CollectionElementList with a real list * Fixed arguments of inform_deleted_data * Moved CollectionElementCache to cache.py and refactored it * Run tests with cache enabled (using fakeredis) 2017-09-04 00:25:45 +02:00			`from ..utils.access_permissions import BaseAccessPermissions`
Remove utils.collections.Collection class and other cleanups * Activate restricted_data_cache on inmemory cache * Use ElementCache in rest-api get requests * Get requests on the restapi return 404 when the user has no permission * Added async function for has_perm and in_some_groups * changed Cachable.get_restricted_data to be an ansync function * rewrote required_user_system * changed default implementation of access_permission.check_permission to check a given permission or check if anonymous is enabled 2018-11-01 17:30:18 +01:00			`from ..utils.auth import async_has_perm`
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00
"durchstich" for autoupdate optimization 2016-02-11 11:29:19 +01:00
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00			`class ItemAccessPermissions(BaseAccessPermissions):`
			`"""`
			`Access permissions container for Item and ItemViewSet.`
			`"""`
Run black 2019-01-06 16:22:33 +01:00
			`base_permission = "agenda.can_see"`
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`# TODO: In the following method we use full_data['is_hidden'] and`
			`# full_data['is_internal'] but this can be out of date.`
Remove utils.collections.Collection class and other cleanups * Activate restricted_data_cache on inmemory cache * Use ElementCache in rest-api get requests * Get requests on the restapi return 404 when the user has no permission * Added async function for has_perm and in_some_groups * changed Cachable.get_restricted_data to be an ansync function * rewrote required_user_system * changed default implementation of access_permission.check_permission to check a given permission or check if anonymous is enabled 2018-11-01 17:30:18 +01:00			`async def get_restricted_data(`
Run black 2019-01-06 16:22:33 +01:00			`self, full_data: List[Dict[str, Any]], user_id: int`
			`) -> List[Dict[str, Any]]:`
Forwarding JSON instead of Django model instances to autoupdate loop. - Used raw SQL for createing default projector during inital migration. - Removed default_password and hidden agenda items from autoupdate data for some users. - Removed old get_collection_and_id_from_url() function. 2016-03-02 00:46:19 +01:00			`"""`
			`Returns the restricted serialized data for the instance prepared`
			`for the user.`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`Hidden items can only be seen by managers with can_manage permission.`

Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`We remove comments for non admins/managers and a lot of fields of`
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`internal items for users without permission to see internal items.`
Forwarding JSON instead of Django model instances to autoupdate loop. - Used raw SQL for createing default projector during inital migration. - Removed default_password and hidden agenda items from autoupdate data for some users. - Removed old get_collection_and_id_from_url() function. 2016-03-02 00:46:19 +01:00			`"""`
Run black 2019-01-06 16:22:33 +01:00
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00			`def filtered_data(full_data, blocked_keys):`
			`"""`
			`Returns a new dict like full_data but with all blocked_keys removed.`
			`"""`
			`whitelist = full_data.keys() - blocked_keys`
			`return {key: full_data[key] for key in whitelist}`

Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`# Parse data.`
Run black 2019-01-06 16:22:33 +01:00			`if full_data and await async_has_perm(user_id, "agenda.can_see"):`
			`if await async_has_perm(`
			`user_id, "agenda.can_manage"`
			`) and await async_has_perm(user_id, "agenda.can_see_internal_items"):`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`# Managers with special permission can see everything.`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00			`data = full_data`
Run black 2019-01-06 16:22:33 +01:00			`elif await async_has_perm(user_id, "agenda.can_see_internal_items"):`
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`# Non managers with special permission can see everything but`
			`# comments and hidden items.`
Run black 2019-01-06 16:22:33 +01:00			`data = [`
			`full for full in full_data if not full["is_hidden"]`
			`] # filter hidden items`
			`blocked_keys = ("comment",)`
			`data = [`
			`filtered_data(full, blocked_keys) for full in data`
			`] # remove blocked_keys`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00			`else:`
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`# Users without special permission for internal items.`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`# In internal and hidden case managers and non managers see only some fields`
			`# so that list of speakers is provided regardless. Hidden items can only be seen by managers.`
Fixed agenda get_restricted_data() if no agenda items exist. 2018-08-23 09:48:47 +02:00			`# We know that full_data has at least one entry which can be used to parse the keys.`
Run black 2019-01-06 16:22:33 +01:00			`blocked_keys_internal_hidden_case = set(full_data[0].keys()) - set(`
			`("id", "title", "speakers", "speaker_list_closed", "content_object")`
			`)`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`# In non internal case managers see everything and non managers see`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`# everything but comments.`
Run black 2019-01-06 16:22:33 +01:00			`if await async_has_perm(user_id, "agenda.can_manage"):`
drop python 3.5 2018-08-22 22:00:08 +02:00			`blocked_keys_non_internal_hidden_case: Iterable[str] = []`
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`can_see_hidden = True`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`else:`
Run black 2019-01-06 16:22:33 +01:00			`blocked_keys_non_internal_hidden_case = ("comment",)`
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`can_see_hidden = False`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00
			`data = []`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00			`for full in full_data:`
Run black 2019-01-06 16:22:33 +01:00			`if full["is_hidden"] and can_see_hidden:`
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`# Same filtering for internal and hidden items`
Run black 2019-01-06 16:22:33 +01:00			`data.append(`
			`filtered_data(full, blocked_keys_internal_hidden_case)`
			`)`
			`elif full["is_internal"]:`
			`data.append(`
			`filtered_data(full, blocked_keys_internal_hidden_case)`
			`)`
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`else: # agenda item`
Run black 2019-01-06 16:22:33 +01:00			`data.append(`
			`filtered_data(full, blocked_keys_non_internal_hidden_case)`
			`)`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`else:`
			`data = []`

CollectionElement and Autoupdate cleanups * change get_restricted_data and get_projector_data to always use a list * Add typings to all get_restricted_data and get_projector_data methods * Replace CollectionElementList with a real list * Fixed arguments of inform_deleted_data * Moved CollectionElementCache to cache.py and refactored it * Run tests with cache enabled (using fakeredis) 2017-09-04 00:25:45 +02:00			`return data`