OpenSlides/openslides/users/access_permissions.py

from django.contrib.auth.models import AnonymousUser

from ..core.signals import user_data_required
from ..utils.access_permissions import BaseAccessPermissions
from ..utils.auth import anonymous_is_enabled, has_perm
from ..utils.collection import Collection


class UserAccessPermissions(BaseAccessPermissions):
    """
    Access permissions container for User and UserViewSet.
    """
    def check_permissions(self, user):
        """
        Every user has read access for their model instnces.
        """
        return True

    def get_serializer_class(self, user=None):
        """
        Returns different serializer classes with respect user's permissions.
        """
        from .serializers import UserFullSerializer

        return UserFullSerializer

    def get_restricted_data(self, container, user):
        """
        Returns the restricted serialized data for the instance prepared
        for the user. Removes several fields for non admins so that they do
        not get the fields they should not get.
        """
        from .serializers import USERCANSEESERIALIZER_FIELDS, USERCANSEEEXTRASERIALIZER_FIELDS

        def filtered_data(full_data, whitelist):
            """
            Returns a new dict like full_data but only with whitelisted keys.
            """
            return {key: full_data[key] for key in whitelist}

        # Expand full_data to a list if it is not one.
        full_data = container.get_full_data() if isinstance(container, Collection) else [container.get_full_data()]

        # We have four sets of data to be sent:
        # * full data i. e. all fields,
        # * many data i. e. all fields but not the default password,
        # * little data i. e. all fields but not the default password, comments and active status,
        # * no data.

        # Prepare field set for users with "many" data and with "little" data.
        many_data_fields = set(USERCANSEEEXTRASERIALIZER_FIELDS)
        many_data_fields.add('groups_id')
        many_data_fields.discard('groups')
        litte_data_fields = set(USERCANSEESERIALIZER_FIELDS)
        litte_data_fields.add('groups_id')
        litte_data_fields.discard('groups')

        # Check user permissions.
        if has_perm(user, 'users.can_see_name'):
            if has_perm(user, 'users.can_see_extra_data'):
                if has_perm(user, 'users.can_manage'):
                    data = full_data
                else:
                    data = [filtered_data(full, many_data_fields) for full in full_data]
            else:
                data = [filtered_data(full, litte_data_fields) for full in full_data]
        else:
            # Build a list of users, that can be seen without any permissions (with little fields).

            user_ids = set()

            # Everybody can see himself. Also everybody can see every user
            # that is required e. g. as speaker, motion submitter or
            # assignment candidate.

            # Add oneself.
            if user is not None:
                user_ids.add(user.id)

            # Get a list of all users, that are required by another app.
            receiver_responses = user_data_required.send(
                sender=self.__class__,
                request_user=user)
            for receiver, response in receiver_responses:
                user_ids.update(response)

            # Parse data.
            data = [
                filtered_data(full, litte_data_fields)
                for full
                in full_data
                if full['id'] in user_ids]

        # Reduce result to a single item or None if it was not a collection at
        # the beginning of the method.
        if isinstance(container, Collection):
            restricted_data = data
        elif data:
            restricted_data = data[0]
        else:
            restricted_data = None

        return restricted_data

    def get_projector_data(self, full_data):
        """
        Returns the restricted serialized data for the instance prepared
        for the projector. Removes several fields.
        """
        from .serializers import USERCANSEESERIALIZER_FIELDS

        # Let only some fields pass this method.
        data = {}
        for key in full_data.keys():
            if key in USERCANSEESERIALIZER_FIELDS:
                data[key] = full_data[key]
        return data


class GroupAccessPermissions(BaseAccessPermissions):
    """
    Access permissions container for Groups. Everyone can see them
    """
    def check_permissions(self, user):
        """
        Returns True if the user has read access model instances.
        """
        # Every authenticated user can retrieve groups. Anonymous users can do
        # so if they are enabled.
        return not isinstance(user, AnonymousUser) or anonymous_is_enabled()

    def get_serializer_class(self, user=None):
        """
        Returns serializer class.
        """
        from .serializers import GroupSerializer

        return GroupSerializer
Created a function to convert anything possible to a user-collectoin-element or None Changed user.has_perm(...) to has_perm(user, ...) at any place. Removed old code 2017-01-26 15:34:24 +01:00			`from django.contrib.auth.models import AnonymousUser`

User without permission to see users can now see some required users. These are - agenda item speakers, - motion submitters and supporters, - assignment candidates, - mediafile uploader and - chat message users but only if the user has respective permissions. Fixed #3002. 2017-04-10 16:28:38 +02:00			`from ..core.signals import user_data_required`
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00			`from ..utils.access_permissions import BaseAccessPermissions`
Created a function to convert anything possible to a user-collectoin-element or None Changed user.has_perm(...) to has_perm(user, ...) at any place. Removed old code 2017-01-26 15:34:24 +01:00			`from ..utils.auth import anonymous_is_enabled, has_perm`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`from ..utils.collection import Collection`
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00

			`class UserAccessPermissions(BaseAccessPermissions):`
			`"""`
			`Access permissions container for User and UserViewSet.`
			`"""`
Change system for autoupdate on the projector (#2394) * Second websocket channel for the projector * Removed use of projector requirements for REST API requests. Refactored data serializing for projector websocket connection. * Refactor the way that the projector autoupdate get its data. * Fixed missing assignment slide title for hidden items. * Release all items for item list slide and list of speakers slide. Fixed error with motion workflow. * Created CollectionElement class which helps to handle autoupdate. 2016-09-17 22:26:23 +02:00			`def check_permissions(self, user):`
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00			`"""`
Better dialog handling. Many fixes. 2017-02-10 14:51:44 +01:00			`Every user has read access for their model instnces.`
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00			`"""`
Better dialog handling. Many fixes. 2017-02-10 14:51:44 +01:00			`return True`
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00
Forwarding JSON instead of Django model instances to autoupdate loop. - Used raw SQL for createing default projector during inital migration. - Removed default_password and hidden agenda items from autoupdate data for some users. - Removed old get_collection_and_id_from_url() function. 2016-03-02 00:46:19 +01:00			`def get_serializer_class(self, user=None):`
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00			`"""`
			`Returns different serializer classes with respect user's permissions.`
			`"""`
Adds a cache system to the CollectionElement and add a Collection class that can be used to call a collection used this for the list and receive rest api. 2016-09-18 16:00:31 +02:00			`from .serializers import UserFullSerializer`
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00
Adds a cache system to the CollectionElement and add a Collection class that can be used to call a collection used this for the list and receive rest api. 2016-09-18 16:00:31 +02:00			`return UserFullSerializer`
Forwarding JSON instead of Django model instances to autoupdate loop. - Used raw SQL for createing default projector during inital migration. - Removed default_password and hidden agenda items from autoupdate data for some users. - Removed old get_collection_and_id_from_url() function. 2016-03-02 00:46:19 +01:00
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`def get_restricted_data(self, container, user):`
Forwarding JSON instead of Django model instances to autoupdate loop. - Used raw SQL for createing default projector during inital migration. - Removed default_password and hidden agenda items from autoupdate data for some users. - Removed old get_collection_and_id_from_url() function. 2016-03-02 00:46:19 +01:00			`"""`
			`Returns the restricted serialized data for the instance prepared`
			`for the user. Removes several fields for non admins so that they do`
Refactored user serializers for different client permissions. See #1871. 2016-08-31 16:53:02 +02:00			`not get the fields they should not get.`
Forwarding JSON instead of Django model instances to autoupdate loop. - Used raw SQL for createing default projector during inital migration. - Removed default_password and hidden agenda items from autoupdate data for some users. - Removed old get_collection_and_id_from_url() function. 2016-03-02 00:46:19 +01:00			`"""`
Refactored user serializers for different client permissions. See #1871. 2016-08-31 16:53:02 +02:00			`from .serializers import USERCANSEESERIALIZER_FIELDS, USERCANSEEEXTRASERIALIZER_FIELDS`
Forwarding JSON instead of Django model instances to autoupdate loop. - Used raw SQL for createing default projector during inital migration. - Removed default_password and hidden agenda items from autoupdate data for some users. - Removed old get_collection_and_id_from_url() function. 2016-03-02 00:46:19 +01:00
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`def filtered_data(full_data, whitelist):`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00			`"""`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`Returns a new dict like full_data but only with whitelisted keys.`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00			`"""`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`return {key: full_data[key] for key in whitelist}`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`# Expand full_data to a list if it is not one.`
			`full_data = container.get_full_data() if isinstance(container, Collection) else [container.get_full_data()]`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`# We have four sets of data to be sent:`
			`# * full data i. e. all fields,`
			`# * many data i. e. all fields but not the default password,`
			`# * little data i. e. all fields but not the default password, comments and active status,`
			`# * no data.`

			`# Prepare field set for users with "many" data and with "little" data.`
			`many_data_fields = set(USERCANSEEEXTRASERIALIZER_FIELDS)`
			`many_data_fields.add('groups_id')`
			`many_data_fields.discard('groups')`
			`litte_data_fields = set(USERCANSEESERIALIZER_FIELDS)`
			`litte_data_fields.add('groups_id')`
			`litte_data_fields.discard('groups')`
Change system for autoupdate on the projector (#2394) * Second websocket channel for the projector * Removed use of projector requirements for REST API requests. Refactored data serializing for projector websocket connection. * Refactor the way that the projector autoupdate get its data. * Fixed missing assignment slide title for hidden items. * Release all items for item list slide and list of speakers slide. Fixed error with motion workflow. * Created CollectionElement class which helps to handle autoupdate. 2016-09-17 22:26:23 +02:00
			`# Check user permissions.`
Performance improvements * Add caching support to users/group * Add a function has_perm that works with the cache. * Removed our session backend so other session backends (without the database) can be used 2016-12-17 09:30:20 +01:00			`if has_perm(user, 'users.can_see_name'):`
			`if has_perm(user, 'users.can_see_extra_data'):`
			`if has_perm(user, 'users.can_manage'):`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00			`data = full_data`
Change system for autoupdate on the projector (#2394) * Second websocket channel for the projector * Removed use of projector requirements for REST API requests. Refactored data serializing for projector websocket connection. * Refactor the way that the projector autoupdate get its data. * Fixed missing assignment slide title for hidden items. * Release all items for item list slide and list of speakers slide. Fixed error with motion workflow. * Created CollectionElement class which helps to handle autoupdate. 2016-09-17 22:26:23 +02:00			`else:`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`data = [filtered_data(full, many_data_fields) for full in full_data]`
Change system for autoupdate on the projector (#2394) * Second websocket channel for the projector * Removed use of projector requirements for REST API requests. Refactored data serializing for projector websocket connection. * Refactor the way that the projector autoupdate get its data. * Fixed missing assignment slide title for hidden items. * Release all items for item list slide and list of speakers slide. Fixed error with motion workflow. * Created CollectionElement class which helps to handle autoupdate. 2016-09-17 22:26:23 +02:00			`else:`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`data = [filtered_data(full, litte_data_fields) for full in full_data]`
Change system for autoupdate on the projector (#2394) * Second websocket channel for the projector * Removed use of projector requirements for REST API requests. Refactored data serializing for projector websocket connection. * Refactor the way that the projector autoupdate get its data. * Fixed missing assignment slide title for hidden items. * Release all items for item list slide and list of speakers slide. Fixed error with motion workflow. * Created CollectionElement class which helps to handle autoupdate. 2016-09-17 22:26:23 +02:00			`else:`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`# Build a list of users, that can be seen without any permissions (with little fields).`

			`user_ids = set()`

			`# Everybody can see himself. Also everybody can see every user`
			`# that is required e. g. as speaker, motion submitter or`
			`# assignment candidate.`

			`# Add oneself.`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00			`if user is not None:`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`user_ids.add(user.id)`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`# Get a list of all users, that are required by another app.`
User without permission to see users can now see some required users. These are - agenda item speakers, - motion submitters and supporters, - assignment candidates, - mediafile uploader and - chat message users but only if the user has respective permissions. Fixed #3002. 2017-04-10 16:28:38 +02:00			`receiver_responses = user_data_required.send(`
			`sender=self.__class__,`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`request_user=user)`
User without permission to see users can now see some required users. These are - agenda item speakers, - motion submitters and supporters, - assignment candidates, - mediafile uploader and - chat message users but only if the user has respective permissions. Fixed #3002. 2017-04-10 16:28:38 +02:00			`for receiver, response in receiver_responses:`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`user_ids.update(response)`
Change system for autoupdate on the projector (#2394) * Second websocket channel for the projector * Removed use of projector requirements for REST API requests. Refactored data serializing for projector websocket connection. * Refactor the way that the projector autoupdate get its data. * Fixed missing assignment slide title for hidden items. * Release all items for item list slide and list of speakers slide. Fixed error with motion workflow. * Created CollectionElement class which helps to handle autoupdate. 2016-09-17 22:26:23 +02:00
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`# Parse data.`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00			`data = [`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`filtered_data(full, litte_data_fields)`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00			`for full`
			`in full_data`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`if full['id'] in user_ids]`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`# Reduce result to a single item or None if it was not a collection at`
			`# the beginning of the method.`
			`if isinstance(container, Collection):`
			`restricted_data = data`
			`elif data:`
			`restricted_data = data[0]`
			`else:`
			`restricted_data = None`
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`return restricted_data`
Change system for autoupdate on the projector (#2394) * Second websocket channel for the projector * Removed use of projector requirements for REST API requests. Refactored data serializing for projector websocket connection. * Refactor the way that the projector autoupdate get its data. * Fixed missing assignment slide title for hidden items. * Release all items for item list slide and list of speakers slide. Fixed error with motion workflow. * Created CollectionElement class which helps to handle autoupdate. 2016-09-17 22:26:23 +02:00
			`def get_projector_data(self, full_data):`
			`"""`
			`Returns the restricted serialized data for the instance prepared`
			`for the projector. Removes several fields.`
			`"""`
			`from .serializers import USERCANSEESERIALIZER_FIELDS`

			`# Let only some fields pass this method.`
			`data = {}`
			`for key in full_data.keys():`
			`if key in USERCANSEESERIALIZER_FIELDS:`
			`data[key] = full_data[key]`
			`return data`
Performance improvements * Add caching support to users/group * Add a function has_perm that works with the cache. * Removed our session backend so other session backends (without the database) can be used 2016-12-17 09:30:20 +01:00

			`class GroupAccessPermissions(BaseAccessPermissions):`
			`"""`
			`Access permissions container for Groups. Everyone can see them`
			`"""`
			`def check_permissions(self, user):`
			`"""`
			`Returns True if the user has read access model instances.`
			`"""`
			`# Every authenticated user can retrieve groups. Anonymous users can do`
			`# so if they are enabled.`
Created a function to convert anything possible to a user-collectoin-element or None Changed user.has_perm(...) to has_perm(user, ...) at any place. Removed old code 2017-01-26 15:34:24 +01:00			`return not isinstance(user, AnonymousUser) or anonymous_is_enabled()`
Performance improvements * Add caching support to users/group * Add a function has_perm that works with the cache. * Removed our session backend so other session backends (without the database) can be used 2016-12-17 09:30:20 +01:00
			`def get_serializer_class(self, user=None):`
			`"""`
			`Returns serializer class.`
			`"""`
			`from .serializers import GroupSerializer`

			`return GroupSerializer`