OpenSlides/server/openslides/agenda/access_permissions.py

from typing import Any, Dict, List

from ..utils.access_permissions import BaseAccessPermissions
from ..utils.auth import async_has_perm


class ItemAccessPermissions(BaseAccessPermissions):
    """
    Access permissions container for Item and ItemViewSet.
    """

    base_permission = "agenda.can_see"

    # TODO: In the following method we use full_data['is_hidden'] and
    # full_data['is_internal'] but this can be out of date.
    async def get_restricted_data(
        self, full_data: List[Dict[str, Any]], user_id: int
    ) -> List[Dict[str, Any]]:
        """
        Returns the restricted serialized data for the instance prepared
        for the user. If the user does not have agenda.can_see, no data will
        be retuned.

        Hidden items can only be seen by managers with can_manage permission. If a user
        does not have this permission, he is not allowed to see comments.

        Internal items can only be seen by users with can_see_internal_items. If a user
        does not have this permission, he is not allowed to see the duration.
        """

        def filtered_data(full_data, blocked_keys):
            """
            Returns a new dict like full_data but with all blocked_keys removed.
            """
            whitelist = full_data.keys() - blocked_keys
            return {key: full_data[key] for key in whitelist}

        # Parse data.
        if full_data and await async_has_perm(user_id, "agenda.can_see"):
            # Assume the user has all permissions. Restrict this below.
            data = full_data

            blocked_keys: List[str] = []

            # Restrict data for non managers
            if not await async_has_perm(user_id, "agenda.can_manage"):
                data = [
                    full for full in data if not full["is_hidden"]
                ]  # filter hidden items
                blocked_keys.append("comment")

            # Restrict data for users without can_see_internal_items
            if not await async_has_perm(user_id, "agenda.can_see_internal_items"):
                data = [full for full in data if not full["is_internal"]]
                blocked_keys.append("duration")

            if len(blocked_keys) > 0:
                data = [filtered_data(full, blocked_keys) for full in data]
        else:
            data = []

        return data


class ListOfSpeakersAccessPermissions(BaseAccessPermissions):
    """
    Access permissions container for ListOfSpeakers and ListOfSpeakersViewSet.
    No data will be restricted, because everyone can see the list of speakers
    at any time.
    """

    base_permission = "agenda.can_see_list_of_speakers"
Split AgendaItem and ListOfSpeakers Server: - ListOfSpeakers (LOS) is now a speprate model, containing of an id, speakers, closed and a content_object. - Moved all speaker related views from ItemViewSet to the new ListOfSpeakersViewSet. - Make Mixins for content objects of items and lists of speakers. - Migrations: Move the lists of speakers from items to the LOS model. Client: - Removed the speaker repo and moved functionality to the new ListOfSpeakersRepositoryService. - Splitted base classes for agenda item content objects to items and LOS. - CurrentAgendaItemService -> CurrentListOfSpeakersSerivce - Cleaned up the list of speakers component. 2019-04-23 16:57:35 +02:00			`from typing import Any, Dict, List`
more typings 2017-08-24 12:26:55 +02:00
CollectionElement and Autoupdate cleanups * change get_restricted_data and get_projector_data to always use a list * Add typings to all get_restricted_data and get_projector_data methods * Replace CollectionElementList with a real list * Fixed arguments of inform_deleted_data * Moved CollectionElementCache to cache.py and refactored it * Run tests with cache enabled (using fakeredis) 2017-09-04 00:25:45 +02:00			`from ..utils.access_permissions import BaseAccessPermissions`
Remove utils.collections.Collection class and other cleanups * Activate restricted_data_cache on inmemory cache * Use ElementCache in rest-api get requests * Get requests on the restapi return 404 when the user has no permission * Added async function for has_perm and in_some_groups * changed Cachable.get_restricted_data to be an ansync function * rewrote required_user_system * changed default implementation of access_permission.check_permission to check a given permission or check if anonymous is enabled 2018-11-01 17:30:18 +01:00			`from ..utils.auth import async_has_perm`
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00
"durchstich" for autoupdate optimization 2016-02-11 11:29:19 +01:00
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00			`class ItemAccessPermissions(BaseAccessPermissions):`
			`"""`
			`Access permissions container for Item and ItemViewSet.`
			`"""`
Run black 2019-01-06 16:22:33 +01:00
			`base_permission = "agenda.can_see"`
Massive refactoring for autoupdate optimization. 2016-02-11 22:58:32 +01:00
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00			`# TODO: In the following method we use full_data['is_hidden'] and`
			`# full_data['is_internal'] but this can be out of date.`
Remove utils.collections.Collection class and other cleanups * Activate restricted_data_cache on inmemory cache * Use ElementCache in rest-api get requests * Get requests on the restapi return 404 when the user has no permission * Added async function for has_perm and in_some_groups * changed Cachable.get_restricted_data to be an ansync function * rewrote required_user_system * changed default implementation of access_permission.check_permission to check a given permission or check if anonymous is enabled 2018-11-01 17:30:18 +01:00			`async def get_restricted_data(`
Run black 2019-01-06 16:22:33 +01:00			`self, full_data: List[Dict[str, Any]], user_id: int`
			`) -> List[Dict[str, Any]]:`
Forwarding JSON instead of Django model instances to autoupdate loop. - Used raw SQL for createing default projector during inital migration. - Removed default_password and hidden agenda items from autoupdate data for some users. - Removed old get_collection_and_id_from_url() function. 2016-03-02 00:46:19 +01:00			`"""`
			`Returns the restricted serialized data for the instance prepared`
Split AgendaItem and ListOfSpeakers Server: - ListOfSpeakers (LOS) is now a speprate model, containing of an id, speakers, closed and a content_object. - Moved all speaker related views from ItemViewSet to the new ListOfSpeakersViewSet. - Make Mixins for content objects of items and lists of speakers. - Migrations: Move the lists of speakers from items to the LOS model. Client: - Removed the speaker repo and moved functionality to the new ListOfSpeakersRepositoryService. - Splitted base classes for agenda item content objects to items and LOS. - CurrentAgendaItemService -> CurrentListOfSpeakersSerivce - Cleaned up the list of speakers component. 2019-04-23 16:57:35 +02:00			`for the user. If the user does not have agenda.can_see, no data will`
			`be retuned.`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00
Split AgendaItem and ListOfSpeakers Server: - ListOfSpeakers (LOS) is now a speprate model, containing of an id, speakers, closed and a content_object. - Moved all speaker related views from ItemViewSet to the new ListOfSpeakersViewSet. - Make Mixins for content objects of items and lists of speakers. - Migrations: Move the lists of speakers from items to the LOS model. Client: - Removed the speaker repo and moved functionality to the new ListOfSpeakersRepositoryService. - Splitted base classes for agenda item content objects to items and LOS. - CurrentAgendaItemService -> CurrentListOfSpeakersSerivce - Cleaned up the list of speakers component. 2019-04-23 16:57:35 +02:00			`Hidden items can only be seen by managers with can_manage permission. If a user`
			`does not have this permission, he is not allowed to see comments.`
New item type internal. The old hidden type was used as internal, so everything is changed to not be shown if the item is internal. hidden is "new", and actually behaves as hidden now. 2018-08-15 11:15:54 +02:00
Split AgendaItem and ListOfSpeakers Server: - ListOfSpeakers (LOS) is now a speprate model, containing of an id, speakers, closed and a content_object. - Moved all speaker related views from ItemViewSet to the new ListOfSpeakersViewSet. - Make Mixins for content objects of items and lists of speakers. - Migrations: Move the lists of speakers from items to the LOS model. Client: - Removed the speaker repo and moved functionality to the new ListOfSpeakersRepositoryService. - Splitted base classes for agenda item content objects to items and LOS. - CurrentAgendaItemService -> CurrentListOfSpeakersSerivce - Cleaned up the list of speakers component. 2019-04-23 16:57:35 +02:00			`Internal items can only be seen by users with can_see_internal_items. If a user`
			`does not have this permission, he is not allowed to see the duration.`
Forwarding JSON instead of Django model instances to autoupdate loop. - Used raw SQL for createing default projector during inital migration. - Removed default_password and hidden agenda items from autoupdate data for some users. - Removed old get_collection_and_id_from_url() function. 2016-03-02 00:46:19 +01:00			`"""`
Run black 2019-01-06 16:22:33 +01:00
Changed restricted data parsing. Cached full data on startup. 2017-04-28 00:50:37 +02:00			`def filtered_data(full_data, blocked_keys):`
			`"""`
			`Returns a new dict like full_data but with all blocked_keys removed.`
			`"""`
			`whitelist = full_data.keys() - blocked_keys`
			`return {key: full_data[key] for key in whitelist}`

Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`# Parse data.`
Run black 2019-01-06 16:22:33 +01:00			`if full_data and await async_has_perm(user_id, "agenda.can_see"):`
Split AgendaItem and ListOfSpeakers Server: - ListOfSpeakers (LOS) is now a speprate model, containing of an id, speakers, closed and a content_object. - Moved all speaker related views from ItemViewSet to the new ListOfSpeakersViewSet. - Make Mixins for content objects of items and lists of speakers. - Migrations: Move the lists of speakers from items to the LOS model. Client: - Removed the speaker repo and moved functionality to the new ListOfSpeakersRepositoryService. - Splitted base classes for agenda item content objects to items and LOS. - CurrentAgendaItemService -> CurrentListOfSpeakersSerivce - Cleaned up the list of speakers component. 2019-04-23 16:57:35 +02:00			`# Assume the user has all permissions. Restrict this below.`
			`data = full_data`

			`blocked_keys: List[str] = []`

			`# Restrict data for non managers`
			`if not await async_has_perm(user_id, "agenda.can_manage"):`
Run black 2019-01-06 16:22:33 +01:00			`data = [`
Split AgendaItem and ListOfSpeakers Server: - ListOfSpeakers (LOS) is now a speprate model, containing of an id, speakers, closed and a content_object. - Moved all speaker related views from ItemViewSet to the new ListOfSpeakersViewSet. - Make Mixins for content objects of items and lists of speakers. - Migrations: Move the lists of speakers from items to the LOS model. Client: - Removed the speaker repo and moved functionality to the new ListOfSpeakersRepositoryService. - Splitted base classes for agenda item content objects to items and LOS. - CurrentAgendaItemService -> CurrentListOfSpeakersSerivce - Cleaned up the list of speakers component. 2019-04-23 16:57:35 +02:00			`full for full in data if not full["is_hidden"]`
Run black 2019-01-06 16:22:33 +01:00			`] # filter hidden items`
Split AgendaItem and ListOfSpeakers Server: - ListOfSpeakers (LOS) is now a speprate model, containing of an id, speakers, closed and a content_object. - Moved all speaker related views from ItemViewSet to the new ListOfSpeakersViewSet. - Make Mixins for content objects of items and lists of speakers. - Migrations: Move the lists of speakers from items to the LOS model. Client: - Removed the speaker repo and moved functionality to the new ListOfSpeakersRepositoryService. - Splitted base classes for agenda item content objects to items and LOS. - CurrentAgendaItemService -> CurrentListOfSpeakersSerivce - Cleaned up the list of speakers component. 2019-04-23 16:57:35 +02:00			`blocked_keys.append("comment")`

			`# Restrict data for users without can_see_internal_items`
			`if not await async_has_perm(user_id, "agenda.can_see_internal_items"):`
			`data = [full for full in data if not full["is_internal"]]`
			`blocked_keys.append("duration")`

			`if len(blocked_keys) > 0:`
			`data = [filtered_data(full, blocked_keys) for full in data]`
Refactoring of data parsing for startup and autoupdate. 2017-05-01 23:12:42 +02:00			`else:`
			`data = []`

CollectionElement and Autoupdate cleanups * change get_restricted_data and get_projector_data to always use a list * Add typings to all get_restricted_data and get_projector_data methods * Replace CollectionElementList with a real list * Fixed arguments of inform_deleted_data * Moved CollectionElementCache to cache.py and refactored it * Run tests with cache enabled (using fakeredis) 2017-09-04 00:25:45 +02:00			`return data`
Split AgendaItem and ListOfSpeakers Server: - ListOfSpeakers (LOS) is now a speprate model, containing of an id, speakers, closed and a content_object. - Moved all speaker related views from ItemViewSet to the new ListOfSpeakersViewSet. - Make Mixins for content objects of items and lists of speakers. - Migrations: Move the lists of speakers from items to the LOS model. Client: - Removed the speaker repo and moved functionality to the new ListOfSpeakersRepositoryService. - Splitted base classes for agenda item content objects to items and LOS. - CurrentAgendaItemService -> CurrentListOfSpeakersSerivce - Cleaned up the list of speakers component. 2019-04-23 16:57:35 +02:00

			`class ListOfSpeakersAccessPermissions(BaseAccessPermissions):`
			`"""`
			`Access permissions container for ListOfSpeakers and ListOfSpeakersViewSet.`
			`No data will be restricted, because everyone can see the list of speakers`
			`at any time.`
			`"""`

			`base_permission = "agenda.can_see_list_of_speakers"`