taiga
/
taiga-back
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Updating permissions for supporting public projects

remotes/origin/enhancement/email-actions
Alejandro Alonso 2015-02-05 14:00:21 +01:00 committed by David Barragán Merino
parent efc666c793
commit 79e9682531
4 changed files with 49 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
taiga/base/filters.py
View File

@ -212,7 +212,7 @@ class CanViewProjectObjFilterBackend(FilterBackend):
qs = qs.filter((Q(id__in=projects_list) | qs = qs.filter((Q(id__in=projects_list) |
Q(public_permissions__contains=["view_project"]))) Q(public_permissions__contains=["view_project"])))
else: else:
qs = qs.filter(public_permissions__contains=["view_project"]) qs = qs.filter(anon_permissions__contains=["view_project"])
return super().filter_queryset(request, qs.distinct(), view) return super().filter_queryset(request, qs.distinct(), view)
@ -229,22 +229,49 @@ class IsProjectMemberFilterBackend(FilterBackend):
return super().filter_queryset(request, queryset.distinct(), view) return super().filter_queryset(request, queryset.distinct(), view)
class MembersFilterBackend(filters.BaseFilterBackend): class MembersFilterBackend(PermissionBasedFilterBackend):
permission = "view_project"
def filter_queryset(self, request, queryset, view): def filter_queryset(self, request, queryset, view):
project_id = request.QUERY_PARAMS.get('project', None) project_id = None
project = None
qs = queryset
if "project" in request.QUERY_PARAMS:
try:
project_id = int(request.QUERY_PARAMS["project"])
except:
logger.error("Filtering project diferent value than an integer: {}".format(request.QUERY_PARAMS["project"]))
raise exc.BadRequest("'project' must be an integer value.")
if project_id: if project_id:
project_model = apps.get_model('projects', 'Project') Project = apps.get_model('projects', 'Project')
project = get_object_or_404(project_model, pk=project_id) project = get_object_or_404(Project, pk=project_id)
if (request.user.is_authenticated() and
project.memberships.filter(user=request.user).exists()): if request.user.is_authenticated() and request.user.is_superuser:
return queryset.filter(memberships__project=project).distinct() qs = qs
elif request.user.is_authenticated():
memberships_qs = Membership.objects.filter(user=request.user)
if project_id:
memberships_qs = memberships_qs.filter(project_id=project_id)
memberships_qs = memberships_qs.filter(Q(role__permissions__contains=[self.permission]) |
Q(is_owner=True))
projects_list = [membership.project_id for membership in memberships_qs]
if project and not "view_project" in project.public_permissions:
qs = qs.none()
qs = qs.filter(Q(memberships__project_id__in=projects_list) |
Q(memberships__project__public_permissions__contains=[self.permission])|
Q(id=request.user.id))
else: else:
raise exc.PermissionDenied(_("You don't have permisions to see this project users.")) if project and not "view_project" in project.anon_permissions:
qs = qs.none()
if request.user.is_superuser: qs = qs.filter(memberships__project__anon_permissions__contains=[self.permission])
return queryset
return [] return qs.distinct()
class BaseIsProjectAdminFilterBackend(object): class BaseIsProjectAdminFilterBackend(object):

6
taiga/projects/permissions.py
View File

@ -52,12 +52,12 @@ class ProjectPermission(TaigaResourcePermission):
destroy_perms = IsProjectOwner() destroy_perms = IsProjectOwner()
modules_perms = IsProjectOwner() modules_perms = IsProjectOwner()
list_perms = AllowAny() list_perms = AllowAny()
stats_perms = AllowAny() stats_perms = HasProjectPerm('view_project')
member_stats_perms = HasProjectPerm('view_project') member_stats_perms = HasProjectPerm('view_project')
star_perms = IsAuthenticated() star_perms = IsAuthenticated()
unstar_perms = IsAuthenticated() unstar_perms = IsAuthenticated()
issues_stats_perms = AllowAny() issues_stats_perms = HasProjectPerm('view_project')
issues_filters_data_perms = AllowAny() issues_filters_data_perms = HasProjectPerm('view_project')
tags_perms = HasProjectPerm('view_project') tags_perms = HasProjectPerm('view_project')
tags_colors_perms = HasProjectPerm('view_project') tags_colors_perms = HasProjectPerm('view_project')
fans_perms = HasProjectPerm('view_project') fans_perms = HasProjectPerm('view_project')

6
taiga/users/api.py
View File

@ -30,6 +30,7 @@ from taiga.auth.tokens import get_user_for_token
from taiga.base.decorators import list_route from taiga.base.decorators import list_route
from taiga.base.decorators import detail_route from taiga.base.decorators import detail_route
from taiga.base.api import ModelCrudViewSet from taiga.base.api import ModelCrudViewSet
from taiga.base.filters import PermissionBasedFilterBackend
from taiga.base.api.utils import get_object_or_404 from taiga.base.api.utils import get_object_or_404
from taiga.base.filters import MembersFilterBackend from taiga.base.filters import MembersFilterBackend
from taiga.projects.votes import services as votes_service from taiga.projects.votes import services as votes_service
@ -46,14 +47,11 @@ from . import permissions
from .signals import user_cancel_account as user_cancel_account_signal from .signals import user_cancel_account as user_cancel_account_signal
######################################################
## User
######################################################
class UsersViewSet(ModelCrudViewSet): class UsersViewSet(ModelCrudViewSet):
permission_classes = (permissions.UserPermission,) permission_classes = (permissions.UserPermission,)
serializer_class = serializers.UserSerializer serializer_class = serializers.UserSerializer
queryset = models.User.objects.all() queryset = models.User.objects.all()
filter_backends = (MembersFilterBackend,)
def create(self, *args, **kwargs): def create(self, *args, **kwargs):
raise exc.NotSupported() raise exc.NotSupported()

8
tests/integration/resources_permissions/test_users_resources.py
View File

@ -86,7 +86,7 @@ def test_user_delete(client, data):
] ]
results = helper_test_http_method(client, 'delete', url, None, users) results = helper_test_http_method(client, 'delete', url, None, users)
assert results == [401, 403, 204] assert results == [404, 404, 204]
def test_user_list(client, data): def test_user_list(client, data):
@ -101,14 +101,14 @@ def test_user_list(client, data):
response = client.get(url) response = client.get(url)
users_data = json.loads(response.content.decode('utf-8')) users_data = json.loads(response.content.decode('utf-8'))
assert len(users_data) == 0 assert len(users_data) == 1
assert response.status_code == 200 assert response.status_code == 200
client.login(data.other_user) client.login(data.other_user)
response = client.get(url) response = client.get(url)
users_data = json.loads(response.content.decode('utf-8')) users_data = json.loads(response.content.decode('utf-8'))
assert len(users_data) == 0 assert len(users_data) == 1
assert response.status_code == 200 assert response.status_code == 200
client.login(data.superuser) client.login(data.superuser)
@ -146,7 +146,7 @@ def test_user_patch(client, data):
patch_data = json.dumps({"full_name": "test"}) patch_data = json.dumps({"full_name": "test"})
results = helper_test_http_method(client, 'patch', url, patch_data, users) results = helper_test_http_method(client, 'patch', url, patch_data, users)
assert results == [401, 200, 403, 200] assert results == [404, 200, 404, 200]
def test_user_action_change_password(client, data): def test_user_action_change_password(client, data):