matthias/mayan-edms
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

AccessControlList.objects.check_access was updated to do a

Browse Source 
Permission.check_permissions too. Remove duplicity.

Signed-off-by: Roberto Rosario <roberto.rosario.gonzalez@gmail.com>
This commit is contained in:
Roberto Rosario
2017-02-22 16:47:42 -04:00
parent c8e9a625da
commit 958ce912a0
7 changed files with 83 additions and 199 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
mayan/apps/document_states/api_views.py
View File

@@ -1,6 +1,5 @@
from __future__ import absolute_import, unicode_literals from __future__ import absolute_import, unicode_literals
from django.core.exceptions import PermissionDenied
from django.shortcuts import get_object_or_404 from django.shortcuts import get_object_or_404
from rest_framework import generics from rest_framework import generics
@@ -8,7 +7,6 @@ from rest_framework import generics
from acls.models import AccessControlList from acls.models import AccessControlList
from documents.models import Document from documents.models import Document
from documents.permissions import permission_document_type_view from documents.permissions import permission_document_type_view
from permissions import Permission
from rest_api.filters import MayanObjectPermissionsFilter from rest_api.filters import MayanObjectPermissionsFilter
from rest_api.permissions import MayanPermission from rest_api.permissions import MayanPermission
@@ -80,13 +78,9 @@ class APIWorkflowDocumentTypeList(generics.ListCreateAPIView):
workflow = get_object_or_404(Workflow, pk=self.kwargs['pk']) workflow = get_object_or_404(Workflow, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_required,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_required, self.request.user, workflow permissions=permission_required, user=self.request.user,
obj=workflow
) )
return workflow return workflow
@@ -156,13 +150,9 @@ class APIWorkflowDocumentTypeView(generics.RetrieveDestroyAPIView):
workflow = get_object_or_404(Workflow, pk=self.kwargs['pk']) workflow = get_object_or_404(Workflow, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_required,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_required, self.request.user, workflow permissions=permission_required, user=self.request.user,
obj=workflow
) )
return workflow return workflow
@@ -283,13 +273,9 @@ class APIWorkflowStateListView(generics.ListCreateAPIView):
workflow = get_object_or_404(Workflow, pk=self.kwargs['pk']) workflow = get_object_or_404(Workflow, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_required,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_required, self.request.user, workflow permissions=permission_required, user=self.request.user,
obj=workflow
) )
return workflow return workflow
@@ -341,13 +327,9 @@ class APIWorkflowStateView(generics.RetrieveUpdateDestroyAPIView):
workflow = get_object_or_404(Workflow, pk=self.kwargs['pk']) workflow = get_object_or_404(Workflow, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_required,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_required, self.request.user, workflow permissions=permission_required, user=self.request.user,
obj=workflow
) )
return workflow return workflow
@@ -405,13 +387,9 @@ class APIWorkflowTransitionListView(generics.ListCreateAPIView):
workflow = get_object_or_404(Workflow, pk=self.kwargs['pk']) workflow = get_object_or_404(Workflow, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_required,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_required, self.request.user, workflow permissions=permission_required, user=self.request.user,
obj=workflow
) )
return workflow return workflow
@@ -468,13 +446,9 @@ class APIWorkflowTransitionView(generics.RetrieveUpdateDestroyAPIView):
workflow = get_object_or_404(Workflow, pk=self.kwargs['pk']) workflow = get_object_or_404(Workflow, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_required,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_required, self.request.user, workflow permissions=permission_required, user=self.request.user,
obj=workflow
) )
return workflow return workflow
@@ -509,13 +483,9 @@ class APIWorkflowInstanceListView(generics.ListAPIView):
def get_document(self): def get_document(self):
document = get_object_or_404(Document, pk=self.kwargs['pk']) document = get_object_or_404(Document, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_workflow_view,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_workflow_view, self.request.user, document permissions=permission_workflow_view, user=self.request.user,
obj=document
) )
return document return document
@@ -538,13 +508,9 @@ class APIWorkflowInstanceView(generics.RetrieveAPIView):
def get_document(self): def get_document(self):
document = get_object_or_404(Document, pk=self.kwargs['pk']) document = get_object_or_404(Document, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_workflow_view,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_workflow_view, self.request.user, document permissions=permission_workflow_view, user=self.request.user,
obj=document
) )
return document return document
@@ -570,13 +536,9 @@ class APIWorkflowInstanceLogEntryListView(generics.ListCreateAPIView):
document = get_object_or_404(Document, pk=self.kwargs['pk']) document = get_object_or_404(Document, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_required,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_required, self.request.user, document permissions=permission_required, user=self.request.user,
obj=document
) )
return document return document

14
mayan/apps/events/api_views.py
View File

@@ -1,7 +1,6 @@
from __future__ import absolute_import, unicode_literals from __future__ import absolute_import, unicode_literals
from django.contrib.contenttypes.models import ContentType from django.contrib.contenttypes.models import ContentType
from django.core.exceptions import PermissionDenied
from django.http import Http404 from django.http import Http404
from django.shortcuts import get_object_or_404 from django.shortcuts import get_object_or_404
@@ -9,7 +8,6 @@ from actstream.models import Action, any_stream
from rest_framework import generics from rest_framework import generics
from acls.models import AccessControlList from acls.models import AccessControlList
from permissions import Permission
from rest_api.permissions import MayanPermission from rest_api.permissions import MayanPermission
from .classes import Event from .classes import Event
@@ -38,18 +36,14 @@ class APIObjectEventListView(generics.ListAPIView):
raise Http404 raise Http404
def get_queryset(self): def get_queryset(self):
object = self.get_object() obj = self.get_object()
try:
Permission.check_permissions(
self.request.user, permissions=(permission_events_view,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_events_view, self.request.user, object permissions=permission_events_view, user=self.request.user,
obj=obj
) )
return any_stream(object) return any_stream(obj)
class APIEventTypeListView(generics.ListAPIView): class APIEventTypeListView(generics.ListAPIView):

50
mayan/apps/linking/api_views.py
View File

@@ -1,6 +1,5 @@
from __future__ import absolute_import, unicode_literals from __future__ import absolute_import, unicode_literals
from django.core.exceptions import PermissionDenied
from django.shortcuts import get_object_or_404 from django.shortcuts import get_object_or_404
from rest_framework import generics from rest_framework import generics
@@ -8,7 +7,6 @@ from rest_framework import generics
from acls.models import AccessControlList from acls.models import AccessControlList
from documents.models import Document from documents.models import Document
from documents.permissions import permission_document_view from documents.permissions import permission_document_view
from permissions import Permission
from rest_api.filters import MayanObjectPermissionsFilter from rest_api.filters import MayanObjectPermissionsFilter
from rest_api.permissions import MayanPermission from rest_api.permissions import MayanPermission
@@ -41,13 +39,9 @@ class APIResolvedSmartLinkDocumentListView(generics.ListAPIView):
def get_document(self): def get_document(self):
document = get_object_or_404(Document, pk=self.kwargs['pk']) document = get_object_or_404(Document, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_document_view,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_document_view, self.request.user, document permissions=permission_document_view, user=self.request.user,
obj=document
) )
return document return document
@@ -58,13 +52,9 @@ class APIResolvedSmartLinkDocumentListView(generics.ListAPIView):
pk=self.kwargs['smart_link_pk'] pk=self.kwargs['smart_link_pk']
) )
try:
Permission.check_permissions(
self.request.user, (permission_smart_link_view,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_smart_link_view, self.request.user, smart_link permissions=permission_smart_link_view, user=self.request.user,
obj=smart_link
) )
return smart_link return smart_link
@@ -103,13 +93,9 @@ class APIResolvedSmartLinkView(generics.RetrieveAPIView):
def get_document(self): def get_document(self):
document = get_object_or_404(Document, pk=self.kwargs['pk']) document = get_object_or_404(Document, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_document_view,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_document_view, self.request.user, document permissions=permission_document_view, user=self.request.user,
obj=document
) )
return document return document
@@ -144,13 +130,9 @@ class APIResolvedSmartLinkListView(generics.ListAPIView):
def get_document(self): def get_document(self):
document = get_object_or_404(Document, pk=self.kwargs['pk']) document = get_object_or_404(Document, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_document_view,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_document_view, self.request.user, document permissions=permission_document_view, user=self.request.user,
obj=document
) )
return document return document
@@ -203,13 +185,9 @@ class APISmartLinkConditionListView(generics.ListCreateAPIView):
smart_link = get_object_or_404(SmartLink, pk=self.kwargs['pk']) smart_link = get_object_or_404(SmartLink, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_required,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_required, self.request.user, smart_link permissions=permission_required, user=self.request.user,
obj=smart_link
) )
return smart_link return smart_link
@@ -261,13 +239,9 @@ class APISmartLinkConditionView(generics.RetrieveUpdateDestroyAPIView):
smart_link = get_object_or_404(SmartLink, pk=self.kwargs['pk']) smart_link = get_object_or_404(SmartLink, pk=self.kwargs['pk'])
try:
Permission.check_permissions(
self.request.user, (permission_required,)
)
except PermissionDenied:
AccessControlList.objects.check_access( AccessControlList.objects.check_access(
permission_required, self.request.user, smart_link permissions=permission_required, user=self.request.user,
obj=smart_link
) )
return smart_link return smart_link

24
mayan/apps/metadata/tests/test_api.py
View File

@@ -60,8 +60,10 @@ class MetadataTypeAPITestCase(BaseAPITestCase):
self._create_metadata_type() self._create_metadata_type()
response = self.client.delete( response = self.client.delete(
reverse('rest_api:metadatatype-detail', reverse(
args=(self.metadata_type.pk,)) 'rest_api:metadatatype-detail',
args=(self.metadata_type.pk,)
)
) )
self.assertEqual(response.status_code, 204) self.assertEqual(response.status_code, 204)
@@ -72,8 +74,10 @@ class MetadataTypeAPITestCase(BaseAPITestCase):
self._create_metadata_type() self._create_metadata_type()
response = self.client.get( response = self.client.get(
reverse('rest_api:metadatatype-detail', reverse(
args=(self.metadata_type.pk,)) 'rest_api:metadatatype-detail',
args=(self.metadata_type.pk,)
)
) )
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
self.assertEqual( self.assertEqual(
@@ -84,8 +88,10 @@ class MetadataTypeAPITestCase(BaseAPITestCase):
self._create_metadata_type() self._create_metadata_type()
response = self.client.patch( response = self.client.patch(
reverse('rest_api:metadatatype-detail', reverse(
args=(self.metadata_type.pk,)), data={ 'rest_api:metadatatype-detail',
args=(self.metadata_type.pk,)
), data={
'label': TEST_METADATA_TYPE_LABEL_2, 'label': TEST_METADATA_TYPE_LABEL_2,
'name': TEST_METADATA_TYPE_NAME_2 'name': TEST_METADATA_TYPE_NAME_2
} }
@@ -102,8 +108,10 @@ class MetadataTypeAPITestCase(BaseAPITestCase):
self._create_metadata_type() self._create_metadata_type()
response = self.client.put( response = self.client.put(
reverse('rest_api:metadatatype-detail', reverse(
args=(self.metadata_type.pk,)), data={ 'rest_api:metadatatype-detail',
args=(self.metadata_type.pk,)
), data={
'label': TEST_METADATA_TYPE_LABEL_2, 'label': TEST_METADATA_TYPE_LABEL_2,
'name': TEST_METADATA_TYPE_NAME_2 'name': TEST_METADATA_TYPE_NAME_2
} }

2
mayan/apps/navigation/classes.py
View File

@@ -273,7 +273,7 @@ class Link(object):
except VariableDoesNotExist: except VariableDoesNotExist:
pass pass
# If this link has a required permission check that the user have it # If this link has a required permission check that the user has it
# too # too
if self.permissions: if self.permissions:
if resolved_object: if resolved_object:

53
mayan/apps/permissions/api_views.py
View File

@@ -1,14 +1,9 @@
from __future__ import unicode_literals from __future__ import unicode_literals
from django.shortcuts import get_object_or_404
from rest_framework import generics from rest_framework import generics
from acls.models import AccessControlList
from rest_api.filters import MayanObjectPermissionsFilter from rest_api.filters import MayanObjectPermissionsFilter
from rest_api.permissions import MayanPermission from rest_api.permissions import MayanPermission
from user_management.permissions import permission_group_view
from user_management.serializers import GroupSerializer
from .classes import Permission from .classes import Permission
from .models import Role from .models import Role
@@ -61,54 +56,6 @@ class APIRoleListView(generics.ListCreateAPIView):
return super(APIRoleListView, self).post(*args, **kwargs) return super(APIRoleListView, self).post(*args, **kwargs)
class APIRolePermissionList(generics.ListCreateAPIView):
"""
Returns a list of all the permissions of a role.
"""
mayan_object_permissions = {
'GET': (permission_role_view,),
'POST': (permission_role_edit,)
}
permission_classes = (MayanPermission,)
def get_serializer_class(self):
if self.request.method == 'GET':
return PermissionSerializer
elif self.request.method == 'POST':
return RoleNewPermissionSerializer
def get_serializer_context(self):
"""
Extra context provided to the serializer class.
"""
return {
'format': self.format_kwarg,
'request': self.request,
'role': self.get_role(),
'view': self
}
def get_queryset(self):
return [
permission.volatile_permission for permission in self.get_role().permissions.all()
]
def get_role(self):
return get_object_or_404(Role, pk=self.kwargs['pk'])
def perform_create(self, serializer):
serializer.save(role=self.get_role())
def post(self, request, *args, **kwargs):
"""
Add a list of permissions to a role.
"""
return super(APIRolePermissionList, self).post(
request, *args, **kwargs
)
class APIRoleView(generics.RetrieveUpdateDestroyAPIView): class APIRoleView(generics.RetrieveUpdateDestroyAPIView):
mayan_object_permissions = { mayan_object_permissions = {
'GET': (permission_role_view,), 'GET': (permission_role_view,),

1
mayan/apps/tags/serializers.py
View File

@@ -8,7 +8,6 @@ from rest_framework.reverse import reverse
from acls.models import AccessControlList from acls.models import AccessControlList
from documents.models import Document from documents.models import Document
from permissions import Permission
from .models import Tag from .models import Tag
from .permissions import permission_tag_attach from .permissions import permission_tag_attach