from portality.lib.argvalidate import argvalidate
from portality import models, constants
from portality.bll import exceptions
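class AuthorisationService(object):
    """
    ~~AuthNZ:Service->AuthNZ:Feature~~

    Authorisation decisions for accounts acting on journals and applications.

    Every ``can_*`` method has the same contract: it returns ``True`` when the action is
    permitted and raises :class:`exceptions.AuthoriseException` (carrying a ``reason``)
    when it is not.  No method ever returns ``False``, so callers must treat the exception,
    not a falsy return value, as the denial signal.  A super user (``account.is_super``)
    is permitted every action without any further check.
    """

    @staticmethod
    def _is_assigned_editor(account, editor, editor_group):
        """
        Is the account the editor assigned to a record, or the editor of that record's editor group

        :param account: the account doing the action
        :param editor: the account id recorded as the record's "admin.editor"
        :param editor_group: the name recorded as the record's "admin.editor_group"
        :return: True if the account holds either editor position, otherwise False
        """
        # directly assigned editor of the record?
        if editor == account.id:
            return True
        # otherwise the editor who leads the record's editor group may also act on it
        eg = models.EditorGroup.pull_by_key("name", editor_group)  # ~~->EditorGroup:Model~~
        return eg is not None and eg.editor == account.id

    def can_create_update_request(self, account, journal):
        """
        Is the given account allowed to create an update request from the given journal

        :param account: the account doing the action
        :param journal: the journal the account wants to create an update request from
        :return: True if the action is permitted
        :raises exceptions.ArgumentException: if either argument is missing or of the wrong type
        :raises exceptions.AuthoriseException: WRONG_ROLE if the account is not a publisher,
            NOT_OWNER if the account does not own the journal
        """
        # first validate the incoming arguments to ensure that we've got the right thing
        argvalidate("can_create_update_request", [
            {"arg": account, "instance": models.Account, "allow_none": False, "arg_name": "account"},
            {"arg": journal, "instance": models.Journal, "allow_none": False, "arg_name": "journal"},
        ], exceptions.ArgumentException)

        # the super user has all rights
        if account.is_super:
            return True

        # only publishers may raise update requests, and only against journals they own
        if not account.has_role("publisher"):
            raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)
        if account.id != journal.owner:
            raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.NOT_OWNER)
        return True

    def can_edit_application(self, account, application):
        """
        Is the given account allowed to edit the update request application

        Two independent routes grant access: the owning publisher while the application is in
        an editable status, or an editor assigned to the application (directly, or as editor
        of its editor group).  Both routes are tried, so an account holding both roles is
        allowed through whichever route opens.

        :param account: the account doing the action
        :param application: the application the account wants to edit
        :return: True if the action is permitted
        :raises exceptions.ArgumentException: if either argument is missing or of the wrong type
        :raises exceptions.AuthoriseException: NOT_OWNER or WRONG_STATUS if the publisher route
            failed for that reason and no editor route opened; otherwise WRONG_ROLE
        """
        # first validate the incoming arguments to ensure that we've got the right thing
        argvalidate("can_edit_application", [
            {"arg": account, "instance": models.Account, "allow_none": False, "arg_name": "account"},
            {"arg": application, "instance": models.Suggestion, "allow_none": False, "arg_name": "application"},
        ], exceptions.ArgumentException)

        # the super user has all rights
        if account.is_super:
            return True

        # the reason reported if every route below stays closed; the publisher route may refine it
        no_auth_reason = exceptions.AuthoriseException.WRONG_ROLE

        # route 1: the owning publisher, while the application is still in a status they may edit
        if account.has_role("publisher"):
            if account.id != application.owner:
                no_auth_reason = exceptions.AuthoriseException.NOT_OWNER
            elif application.application_status not in (
                constants.APPLICATION_STATUS_PENDING,
                constants.APPLICATION_STATUS_UPDATE_REQUEST,
                constants.APPLICATION_STATUS_REVISIONS_REQUIRED,
            ):
                no_auth_reason = exceptions.AuthoriseException.WRONG_STATUS
            else:
                return True

        # route 2: the user is the "admin.editor" of the application, or the editor of its
        # "admin.editor_group".  Checked even when the publisher route failed, so the publisher
        # reason is only reported when neither route opens.
        if account.has_role("edit_suggestion") and self._is_assigned_editor(
                account, application.editor, application.editor_group):
            return True

        raise exceptions.AuthoriseException(reason=no_auth_reason)

    def can_view_application(self, account, application):
        """
        Is the given account allowed to view the update request application

        :param account: the account doing the action
        :param application: the application the account wants to view
        :return: True if the action is permitted
        :raises exceptions.ArgumentException: if either argument is missing or of the wrong type
        :raises exceptions.AuthoriseException: WRONG_ROLE if the account is not a publisher,
            NOT_OWNER if the account does not own the application
        """
        # first validate the incoming arguments to ensure that we've got the right thing;
        # the label names this method so a validation failure is reported against the right check
        argvalidate("can_view_application", [
            {"arg": account, "instance": models.Account, "allow_none": False, "arg_name": "account"},
            {"arg": application, "instance": models.Suggestion, "allow_none": False, "arg_name": "application"},
        ], exceptions.ArgumentException)

        # the super user has all rights
        if account.is_super:
            return True

        # NOTE(review): unlike can_edit_application there is no editor route here, so an
        # assigned editor who may edit the application is denied a view — confirm this is intended
        if not account.has_role("publisher"):
            raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)
        if account.id != application.owner:
            raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.NOT_OWNER)
        return True

    def can_edit_journal(self, account: models.Account, journal: models.Journal):
        """
        Is the given account allowed to edit the journal record

        :param account: the account doing the action
        :param journal: the journal the account wants to edit
        :return: True if the action is permitted
        :raises exceptions.ArgumentException: if either argument is missing or of the wrong type
        :raises exceptions.AuthoriseException: WRONG_ROLE if the account lacks the edit_journal
            role, or has it but is neither the journal's editor nor the editor of its editor group
        """
        # validate the incoming arguments, as every other check in this service does
        argvalidate("can_edit_journal", [
            {"arg": account, "instance": models.Account, "allow_none": False, "arg_name": "account"},
            {"arg": journal, "instance": models.Journal, "allow_none": False, "arg_name": "journal"},
        ], exceptions.ArgumentException)

        # the super user has all rights
        if account.is_super:
            return True

        # an editor can edit a journal only when they hold the role AND are assigned to it
        if not account.has_role("edit_journal"):
            raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)

        # user must be either the "admin.editor" of the journal, or the editor of its "admin.editor_group"
        if self._is_assigned_editor(account, journal.editor, journal.editor_group):
            return True

        # holds the role but is not assigned to this journal; reported as WRONG_ROLE, as before
        raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)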