2017-01-26 15:34:24 +01:00
|
|
|
from django.contrib.auth.models import AnonymousUser
|
|
|
|
|
2017-04-10 16:28:38 +02:00
|
|
|
from ..core.signals import user_data_required
|
2016-02-11 22:58:32 +01:00
|
|
|
from ..utils.access_permissions import BaseAccessPermissions
|
2017-01-26 15:34:24 +01:00
|
|
|
from ..utils.auth import anonymous_is_enabled, has_perm
|
2017-05-01 23:12:42 +02:00
|
|
|
from ..utils.collection import Collection
|
2016-02-11 22:58:32 +01:00
|
|
|
|
|
|
|
|
|
|
|
class UserAccessPermissions(BaseAccessPermissions):
|
|
|
|
"""
|
|
|
|
Access permissions container for User and UserViewSet.
|
|
|
|
"""
|
2016-09-17 22:26:23 +02:00
|
|
|
def check_permissions(self, user):
|
2016-02-11 22:58:32 +01:00
|
|
|
"""
|
2017-02-10 14:51:44 +01:00
|
|
|
Every user has read access for their model instnces.
|
2016-02-11 22:58:32 +01:00
|
|
|
"""
|
2017-02-10 14:51:44 +01:00
|
|
|
return True
|
2016-02-11 22:58:32 +01:00
|
|
|
|
2016-03-02 00:46:19 +01:00
|
|
|
def get_serializer_class(self, user=None):
|
2016-02-11 22:58:32 +01:00
|
|
|
"""
|
|
|
|
Returns different serializer classes with respect user's permissions.
|
|
|
|
"""
|
2016-09-18 16:00:31 +02:00
|
|
|
from .serializers import UserFullSerializer
|
2016-02-11 22:58:32 +01:00
|
|
|
|
2016-09-18 16:00:31 +02:00
|
|
|
return UserFullSerializer
|
2016-03-02 00:46:19 +01:00
|
|
|
|
2017-05-01 23:12:42 +02:00
|
|
|
def get_restricted_data(self, container, user):
|
2016-03-02 00:46:19 +01:00
|
|
|
"""
|
|
|
|
Returns the restricted serialized data for the instance prepared
|
|
|
|
for the user. Removes several fields for non admins so that they do
|
2016-08-31 16:53:02 +02:00
|
|
|
not get the fields they should not get.
|
2016-03-02 00:46:19 +01:00
|
|
|
"""
|
2016-08-31 16:53:02 +02:00
|
|
|
from .serializers import USERCANSEESERIALIZER_FIELDS, USERCANSEEEXTRASERIALIZER_FIELDS
|
2016-03-02 00:46:19 +01:00
|
|
|
|
2017-05-01 23:12:42 +02:00
|
|
|
def filtered_data(full_data, whitelist):
|
2017-04-28 00:50:37 +02:00
|
|
|
"""
|
2017-05-01 23:12:42 +02:00
|
|
|
Returns a new dict like full_data but only with whitelisted keys.
|
2017-04-28 00:50:37 +02:00
|
|
|
"""
|
2017-05-01 23:12:42 +02:00
|
|
|
return {key: full_data[key] for key in whitelist}
|
2017-04-28 00:50:37 +02:00
|
|
|
|
2017-05-01 23:12:42 +02:00
|
|
|
# Expand full_data to a list if it is not one.
|
|
|
|
full_data = container.get_full_data() if isinstance(container, Collection) else [container.get_full_data()]
|
2017-04-28 00:50:37 +02:00
|
|
|
|
2017-05-01 23:12:42 +02:00
|
|
|
# We have four sets of data to be sent:
|
|
|
|
# * full data i. e. all fields,
|
|
|
|
# * many data i. e. all fields but not the default password,
|
|
|
|
# * little data i. e. all fields but not the default password, comments and active status,
|
|
|
|
# * no data.
|
|
|
|
|
|
|
|
# Prepare field set for users with "many" data and with "little" data.
|
|
|
|
many_data_fields = set(USERCANSEEEXTRASERIALIZER_FIELDS)
|
|
|
|
many_data_fields.add('groups_id')
|
|
|
|
many_data_fields.discard('groups')
|
|
|
|
litte_data_fields = set(USERCANSEESERIALIZER_FIELDS)
|
|
|
|
litte_data_fields.add('groups_id')
|
|
|
|
litte_data_fields.discard('groups')
|
2016-09-17 22:26:23 +02:00
|
|
|
|
|
|
|
# Check user permissions.
|
2016-12-17 09:30:20 +01:00
|
|
|
if has_perm(user, 'users.can_see_name'):
|
|
|
|
if has_perm(user, 'users.can_see_extra_data'):
|
|
|
|
if has_perm(user, 'users.can_manage'):
|
2017-04-28 00:50:37 +02:00
|
|
|
data = full_data
|
2016-09-17 22:26:23 +02:00
|
|
|
else:
|
2017-05-01 23:12:42 +02:00
|
|
|
data = [filtered_data(full, many_data_fields) for full in full_data]
|
2016-09-17 22:26:23 +02:00
|
|
|
else:
|
2017-05-01 23:12:42 +02:00
|
|
|
data = [filtered_data(full, litte_data_fields) for full in full_data]
|
2016-09-17 22:26:23 +02:00
|
|
|
else:
|
2017-05-01 23:12:42 +02:00
|
|
|
# Build a list of users, that can be seen without any permissions (with little fields).
|
|
|
|
|
|
|
|
user_ids = set()
|
|
|
|
|
|
|
|
# Everybody can see himself. Also everybody can see every user
|
|
|
|
# that is required e. g. as speaker, motion submitter or
|
|
|
|
# assignment candidate.
|
|
|
|
|
|
|
|
# Add oneself.
|
2017-04-28 00:50:37 +02:00
|
|
|
if user is not None:
|
2017-05-01 23:12:42 +02:00
|
|
|
user_ids.add(user.id)
|
2017-04-28 00:50:37 +02:00
|
|
|
|
2017-05-01 23:12:42 +02:00
|
|
|
# Get a list of all users, that are required by another app.
|
2017-04-10 16:28:38 +02:00
|
|
|
receiver_responses = user_data_required.send(
|
|
|
|
sender=self.__class__,
|
2017-05-01 23:12:42 +02:00
|
|
|
request_user=user)
|
2017-04-10 16:28:38 +02:00
|
|
|
for receiver, response in receiver_responses:
|
2017-05-01 23:12:42 +02:00
|
|
|
user_ids.update(response)
|
2016-09-17 22:26:23 +02:00
|
|
|
|
2017-05-01 23:12:42 +02:00
|
|
|
# Parse data.
|
2017-04-28 00:50:37 +02:00
|
|
|
data = [
|
2017-05-01 23:12:42 +02:00
|
|
|
filtered_data(full, litte_data_fields)
|
2017-04-28 00:50:37 +02:00
|
|
|
for full
|
|
|
|
in full_data
|
2017-05-01 23:12:42 +02:00
|
|
|
if full['id'] in user_ids]
|
2017-04-28 00:50:37 +02:00
|
|
|
|
2017-05-01 23:12:42 +02:00
|
|
|
# Reduce result to a single item or None if it was not a collection at
|
|
|
|
# the beginning of the method.
|
|
|
|
if isinstance(container, Collection):
|
|
|
|
restricted_data = data
|
|
|
|
elif data:
|
|
|
|
restricted_data = data[0]
|
|
|
|
else:
|
|
|
|
restricted_data = None
|
2017-04-28 00:50:37 +02:00
|
|
|
|
2017-05-01 23:12:42 +02:00
|
|
|
return restricted_data
|
2016-09-17 22:26:23 +02:00
|
|
|
|
2017-06-13 21:44:45 +02:00
|
|
|
def get_projector_data(self, container):
|
2016-09-17 22:26:23 +02:00
|
|
|
"""
|
|
|
|
Returns the restricted serialized data for the instance prepared
|
|
|
|
for the projector. Removes several fields.
|
|
|
|
"""
|
|
|
|
from .serializers import USERCANSEESERIALIZER_FIELDS
|
|
|
|
|
2017-06-13 21:44:45 +02:00
|
|
|
def filtered_data(full_data, whitelist):
|
|
|
|
"""
|
|
|
|
Returns a new dict like full_data but only with whitelisted keys.
|
|
|
|
"""
|
|
|
|
return {key: full_data[key] for key in whitelist}
|
|
|
|
|
|
|
|
# Expand full_data to a list if it is not one.
|
|
|
|
full_data = container.get_full_data() if isinstance(container, Collection) else [container.get_full_data()]
|
|
|
|
|
|
|
|
# Parse data.
|
|
|
|
litte_data_fields = set(USERCANSEESERIALIZER_FIELDS)
|
|
|
|
litte_data_fields.add('groups_id')
|
|
|
|
litte_data_fields.discard('groups')
|
|
|
|
data = [filtered_data(full, litte_data_fields) for full in full_data]
|
|
|
|
|
|
|
|
# Reduce result to a single item or None if it was not a collection at
|
|
|
|
# the beginning of the method.
|
|
|
|
if isinstance(container, Collection):
|
|
|
|
projector_data = data
|
|
|
|
elif data:
|
|
|
|
projector_data = data[0]
|
|
|
|
else:
|
|
|
|
projector_data = None
|
|
|
|
|
|
|
|
return projector_data
|
2016-12-17 09:30:20 +01:00
|
|
|
|
|
|
|
|
|
|
|
class GroupAccessPermissions(BaseAccessPermissions):
|
|
|
|
"""
|
|
|
|
Access permissions container for Groups. Everyone can see them
|
|
|
|
"""
|
|
|
|
def check_permissions(self, user):
|
|
|
|
"""
|
|
|
|
Returns True if the user has read access model instances.
|
|
|
|
"""
|
|
|
|
# Every authenticated user can retrieve groups. Anonymous users can do
|
|
|
|
# so if they are enabled.
|
2017-01-26 15:34:24 +01:00
|
|
|
return not isinstance(user, AnonymousUser) or anonymous_is_enabled()
|
2016-12-17 09:30:20 +01:00
|
|
|
|
|
|
|
def get_serializer_class(self, user=None):
|
|
|
|
"""
|
|
|
|
Returns serializer class.
|
|
|
|
"""
|
|
|
|
from .serializers import GroupSerializer
|
|
|
|
|
|
|
|
return GroupSerializer
|
2017-05-23 14:07:06 +02:00
|
|
|
|
|
|
|
|
|
|
|
class PersonalNoteAccessPermissions(BaseAccessPermissions):
|
|
|
|
"""
|
|
|
|
Access permissions container for personal notes. Every authenticated user
|
|
|
|
can handle personal notes.
|
|
|
|
"""
|
|
|
|
def check_permissions(self, user):
|
|
|
|
"""
|
|
|
|
Returns True if the user has read access model instances.
|
|
|
|
"""
|
|
|
|
# Every authenticated user can retrieve personal notes.
|
|
|
|
return not isinstance(user, AnonymousUser)
|
|
|
|
|
|
|
|
def get_serializer_class(self, user=None):
|
|
|
|
"""
|
|
|
|
Returns serializer class.
|
|
|
|
"""
|
|
|
|
from .serializers import PersonalNoteSerializer
|
|
|
|
|
|
|
|
return PersonalNoteSerializer
|
|
|
|
|
|
|
|
def get_restricted_data(self, container, user):
|
|
|
|
"""
|
|
|
|
Returns the restricted serialized data for the instance prepared
|
|
|
|
for the user. Everybody gets only his own personal notes.
|
|
|
|
"""
|
|
|
|
# Expand full_data to a list if it is not one.
|
|
|
|
full_data = container.get_full_data() if isinstance(container, Collection) else [container.get_full_data()]
|
|
|
|
|
|
|
|
# Parse data.
|
|
|
|
for full in full_data:
|
|
|
|
if full['user_id'] == user.id:
|
|
|
|
data = [full]
|
|
|
|
break
|
|
|
|
else:
|
|
|
|
data = []
|
|
|
|
|
|
|
|
# Reduce result to a single item or None if it was not a collection at
|
|
|
|
# the beginning of the method.
|
|
|
|
if isinstance(container, Collection):
|
|
|
|
restricted_data = data
|
|
|
|
elif data:
|
|
|
|
restricted_data = data[0]
|
|
|
|
else:
|
|
|
|
restricted_data = None
|
|
|
|
|
|
|
|
return restricted_data
|