cms.utils.permissions: 118 total statements, 0.0% covered

Generated: Wed 2013-03-13 10:33 CET

Source file: /media/Envs/Envs/filer-gallery/lib/python2.7/site-packages/cms/utils/permissions.py

Stats: 0 executed, 105 missed, 13 excluded, 182 ignored

  1. # -*- coding: utf-8 -*-
  2. from cms.exceptions import NoPermissionsException
  3. from cms.models import Page, PagePermission, GlobalPagePermission
  4. from cms.plugin_pool import plugin_pool
  5. from django.conf import settings
  6. from django.contrib.auth.models import User, Group
  7. from django.contrib.sites.models import Site
  8. from django.db.models import Q
  9. from django.utils.translation import ugettext_lazy as _
  10. try:
  11. from threading import local
  12. except ImportError:
  13. from django.utils._threading_local import local
  14. # thread local support
  15. _thread_locals = local()
  16. def set_current_user(user):
  17. """
  18. Assigns current user from request to thread_locals, used by
  19. CurrentUserMiddleware.
  20. """
  21. _thread_locals.user=user
  22. def get_current_user():
  23. """
  24. Returns current user, or None
  25. """
  26. return getattr(_thread_locals, 'user', None)
  27. def has_page_add_permission(request):
  28. """
  29. Return true if the current user has permission to add a new page. This is
  30. just used for general add buttons - only superuser, or user with can_add in
  31. globalpagepermission can add page.
  32. Special case occur when page is going to be added from add page button in
  33. change list - then we have target and position there, so check if user can
  34. add page under target page will occur.
  35. """
  36. opts = Page._meta
  37. if request.user.is_superuser:
  38. return True
  39. # if add under page
  40. target = request.GET.get('target', None)
  41. position = request.GET.get('position', None)
  42. if target is not None:
  43. try:
  44. page = Page.objects.get(pk=target)
  45. except Page.DoesNotExist:
  46. return False
  47. if (request.user.has_perm(opts.app_label + '.' + opts.get_add_permission()) and
  48. has_global_page_permission(request, page.site_id, can_add=True)):
  49. return True
  50. if position in ("first-child", "last-child"):
  51. return page.has_add_permission(request)
  52. elif position in ("left", "right"):
  53. if page.parent_id:
  54. return has_generic_permission(page.parent_id, request.user, "add", page.site)
  55. #return page.parent.has_add_permission(request)
  56. else:
  57. from cms.utils.plugins import current_site
  58. site = current_site(request)
  59. if (request.user.has_perm(opts.app_label + '.' + opts.get_add_permission()) and
  60. has_global_page_permission(request, site, can_add=True)):
  61. return True
  62. return False
  63. def has_any_page_change_permissions(request):
  64. from cms.utils.plugins import current_site
  65. return PagePermission.objects.filter(
  66. page__site=current_site(request)
  67. ).filter((
  68. Q(user=request.user) |
  69. Q(group__in=request.user.groups.all())
  70. )).exists()
  71. def has_page_change_permission(request):
  72. """
  73. Return true if the current user has permission to change any page. This is
  74. just used for building the tree - only superuser, or user with can_change in
  75. globalpagepermission can change a page.
  76. """
  77. from cms.utils.plugins import current_site
  78. opts = Page._meta
  79. if request.user.is_superuser or (
  80. request.user.has_perm(opts.app_label + '.' + opts.get_change_permission()) and (
  81. has_global_page_permission(request, current_site(request), can_change=True))
  82. or has_any_page_change_permissions(request)):
  83. return True
  84. return False
  85. def has_global_page_permission(request, site, **filters):
  86. """
  87. A helper function to check for global page permissions for the current user
  88. and site. Caches the result on a request basis, so multiple calls to this
  89. funtion inside of one request/response cycle only generate one query.
  90. :param request: the Request object
  91. :param site: the Site object or ID
  92. :param filters: queryset filters, e.g. ``can_add = True``
  93. :return: ``True`` or ``False``
  94. """
  95. if not hasattr(request, '_cms_global_perms'):
  96. request._cms_global_perms = {}
  97. key = (site.pk if hasattr(site, 'pk') else int(site),) + tuple((k, v) for k, v in filters.iteritems())
  98. if key not in request._cms_global_perms:
  99. request._cms_global_perms[key] = GlobalPagePermission.objects.with_user(request.user).filter(sites__in=[site], **filters).exists()
  100. return request._cms_global_perms[key]
  101. def get_any_page_view_permissions(request, page):
  102. """
  103. Used by the admin template tag is_restricted
  104. """
  105. return PagePermission.objects.for_page(page=page).filter(can_view=True)
  106. def get_user_permission_level(user):
  107. """
  108. Returns highest user level from the page/permission hierarchy on which
  109. user haves can_change_permission. Also takes look into user groups. Higher
  110. level equals to lover number. Users on top of hierarchy have level 0. Level
  111. is the same like page.level attribute.
  112. Example:
  113. A,W level 0
  114. / \
  115. user B,GroupE level 1
  116. / \
  117. C,X D,Y,W level 2
  118. Users A, W have user level 0. GroupE and all his users have user level 1
  119. If user D is a member of GroupE, his user level will be 1, otherwise is
  120. 2.
  121. """
  122. if (user.is_superuser or
  123. GlobalPagePermission.objects.with_can_change_permissions(user).exists()):
  124. # those
  125. return 0
  126. try:
  127. permission = PagePermission.objects.with_can_change_permissions(user).order_by('page__level')[0]
  128. except IndexError:
  129. # user is'nt assigned to any node
  130. raise NoPermissionsException
  131. return permission.page.level
  132. def get_subordinate_users(user):
  133. """
  134. Returns users queryset, containing all subordinate users to given user
  135. including users created by given user and not assigned to any page.
  136. Not assigned users must be returned, because they shouldn't get lost, and
  137. user should still have possibility to see them.
  138. Only users created_by given user which are on the same, or lover level are
  139. returned.
  140. If user haves global permissions or is a superuser, then he can see all the
  141. users.
  142. This function is currently used in PagePermissionInlineAdminForm for limit
  143. users in permission combobox.
  144. Example:
  145. A,W level 0
  146. / \
  147. user B,GroupE level 1
  148. Z / \
  149. C,X D,Y,W level 2
  150. Rules: W was created by user, Z was created by user, but is not assigned
  151. to any page.
  152. Will return [user, C, X, D, Y, Z]. W was created by user, but is also
  153. assigned to higher level.
  154. """
  155. # TODO: try to merge with PagePermissionManager.subordinate_to_user()
  156. if user.is_superuser or \
  157. GlobalPagePermission.objects.with_can_change_permissions(user):
  158. return User.objects.all()
  159. site = Site.objects.get_current()
  160. page_id_allow_list = Page.permissions.get_change_permissions_id_list(user, site)
  161. try:
  162. user_level = get_user_permission_level(user)
  163. except NoPermissionsException:
  164. # no permission so only staff and no page permissions
  165. qs = User.objects.distinct().filter(
  166. Q(is_staff=True) &
  167. Q(pageuser__created_by=user) &
  168. Q(pagepermission__page=None)
  169. )
  170. qs = qs.exclude(pk=user.id).exclude(groups__user__pk=user.id)
  171. return qs
  172. # normal query
  173. qs = User.objects.distinct().filter(
  174. Q(is_staff=True) &
  175. (Q(pagepermission__page__id__in=page_id_allow_list) & Q(pagepermission__page__level__gte=user_level))
  176. | (Q(pageuser__created_by=user) & Q(pagepermission__page=None))
  177. )
  178. qs = qs.exclude(pk=user.id).exclude(groups__user__pk=user.id)
  179. return qs
  180. def get_subordinate_groups(user):
  181. """
  182. Simillar to get_subordinate_users, but returns queryset of Groups instead
  183. of Users.
  184. """
  185. if (user.is_superuser or
  186. GlobalPagePermission.objects.with_can_change_permissions(user)):
  187. return Group.objects.all()
  188. site = Site.objects.get_current()
  189. page_id_allow_list = Page.permissions.get_change_permissions_id_list(user, site)
  190. try:
  191. user_level = get_user_permission_level(user)
  192. except NoPermissionsException:
  193. # no permission no records
  194. # page_id_allow_list is empty
  195. qs = Group.objects.distinct().filter(
  196. Q(pageusergroup__created_by=user) &
  197. Q(pagepermission__page=None)
  198. )
  199. return qs
  200. qs = Group.objects.distinct().filter(
  201. (Q(pagepermission__page__id__in=page_id_allow_list) & Q(pagepermission__page__level__gte=user_level))
  202. | (Q(pageusergroup__created_by=user) & Q(pagepermission__page=None))
  203. )
  204. return qs
  205. def has_global_change_permissions_permission(user):
  206. opts = GlobalPagePermission._meta
  207. if user.is_superuser or (
  208. user.has_perm(opts.app_label + '.' + opts.get_change_permission()) and
  209. GlobalPagePermission.objects.with_user(user).filter(can_change=True).exists()):
  210. return True
  211. return False
  212. def has_generic_permission(page_id, user, attr, site):
  213. """
  214. Permission getter for single page with given id.
  215. """
  216. func = getattr(Page.permissions, "get_%s_id_list" % attr)
  217. permission = func(user, site)
  218. return permission == Page.permissions.GRANT_ALL or page_id in permission
  219. def get_user_sites_queryset(user):
  220. """
  221. Returns queryset of all sites available for given user.
  222. 1. For superuser always returns all sites.
  223. 2. For global user returns all sites he haves in global page permissions
  224. together with any sites he is assigned to over an page.
  225. 3. For standard user returns just sites he is assigned to over pages.
  226. """
  227. qs = Site.objects.all()
  228. if user.is_superuser:
  229. return qs
  230. global_ids = GlobalPagePermission.objects.with_user(user).filter(
  231. Q(can_add=True) | Q(can_change=True)
  232. ).values_list('id', flat=True)
  233. query = Q()
  234. if global_ids:
  235. query = Q(globalpagepermission__id__in=global_ids)
  236. # haves some global permissions assigned
  237. if not qs.filter(query).exists():
  238. # haves global permissions, but none of sites is specified,
  239. # so he haves access to all sites
  240. return qs
  241. # add some pages if he has permission to add / change them
  242. query |= Q(Q(page__pagepermission__user=user) | Q(page__pagepermission__group__user=user)) & \
  243. (Q(Q(page__pagepermission__can_add=True) | Q(page__pagepermission__can_change=True)))
  244. return qs.filter(query).distinct()
  245. def has_plugin_permission(user, plugin_type, permission_type):
  246. """
  247. Checks that a user has permissions for the plugin-type given to performe
  248. the action defined in permission_type
  249. permission_type should be 'add', 'change' or 'delete'.
  250. """
  251. plugin_class = plugin_pool.get_plugin(plugin_type)
  252. plugin_model = plugin_class.model
  253. plugin_opts = plugin_model._meta
  254. return user.has_perm('%s.%s_%s' % (plugin_opts.app_label, permission_type,
  255. plugin_opts.object_name.lower()))