from typing import Any, Dict, Iterable, List from ..utils.access_permissions import BaseAccessPermissions from ..utils.auth import async_has_perm class ItemAccessPermissions(BaseAccessPermissions): """ Access permissions container for Item and ItemViewSet. """ base_permission = "agenda.can_see" # TODO: In the following method we use full_data['is_hidden'] and # full_data['is_internal'] but this can be out of date. async def get_restricted_data( self, full_data: List[Dict[str, Any]], user_id: int ) -> List[Dict[str, Any]]: """ Returns the restricted serialized data for the instance prepared for the user. Hidden items can only be seen by managers with can_manage permission. We remove comments for non admins/managers and a lot of fields of internal items for users without permission to see internal items. """ def filtered_data(full_data, blocked_keys): """ Returns a new dict like full_data but with all blocked_keys removed. """ whitelist = full_data.keys() - blocked_keys return {key: full_data[key] for key in whitelist} # Parse data. if full_data and await async_has_perm(user_id, "agenda.can_see"): if await async_has_perm( user_id, "agenda.can_manage" ) and await async_has_perm(user_id, "agenda.can_see_internal_items"): # Managers with special permission can see everything. data = full_data elif await async_has_perm(user_id, "agenda.can_see_internal_items"): # Non managers with special permission can see everything but # comments and hidden items. data = [ full for full in full_data if not full["is_hidden"] ] # filter hidden items blocked_keys = ("comment",) data = [ filtered_data(full, blocked_keys) for full in data ] # remove blocked_keys else: # Users without special permission for internal items. # In internal and hidden case managers and non managers see only some fields # so that list of speakers is provided regardless. Hidden items can only be seen by managers. # We know that full_data has at least one entry which can be used to parse the keys. blocked_keys_internal_hidden_case = set(full_data[0].keys()) - set( ("id", "title", "speakers", "speaker_list_closed", "content_object") ) # In non internal case managers see everything and non managers see # everything but comments. if await async_has_perm(user_id, "agenda.can_manage"): blocked_keys_non_internal_hidden_case: Iterable[str] = [] can_see_hidden = True else: blocked_keys_non_internal_hidden_case = ("comment",) can_see_hidden = False data = [] for full in full_data: if full["is_hidden"]: if can_see_hidden: # Same filtering for internal and hidden items data.append( filtered_data(full, blocked_keys_internal_hidden_case) ) # If can_see_hidden is false, the user (which is a non manager) can not see anything. elif full["is_internal"]: data.append( filtered_data(full, blocked_keys_internal_hidden_case) ) else: # agenda item data.append( filtered_data(full, blocked_keys_non_internal_hidden_case) ) else: data = [] return data