Merge pull request #260 from taigaio/public-projects

Public projects
2015-03-09 12:49:02 +01:00 · 2015-03-09 12:49:02 +01:00 · 92c1c39790
parent efc666c793 cff56f1d86
commit 92c1c39790
9 changed files with 122 additions and 26 deletions
--- a/taiga/base/filters.py
+++ b/taiga/base/filters.py
@ -212,7 +212,7 @@ class CanViewProjectObjFilterBackend(FilterBackend):
            qs = qs.filter((Q(id__in=projects_list) |
                            Q(public_permissions__contains=["view_project"])))
        else:
-            qs = qs.filter(public_permissions__contains=["view_project"])
+            qs = qs.filter(anon_permissions__contains=["view_project"])

        return super().filter_queryset(request, qs.distinct(), view)

@ -229,22 +229,50 @@ class IsProjectMemberFilterBackend(FilterBackend):
        return super().filter_queryset(request, queryset.distinct(), view)


-class MembersFilterBackend(filters.BaseFilterBackend):
+class MembersFilterBackend(PermissionBasedFilterBackend):
+    permission = "view_project"
+
    def filter_queryset(self, request, queryset, view):
-        project_id = request.QUERY_PARAMS.get('project', None)
+        project_id = None
+        project = None
+        qs = queryset
+        if "project" in request.QUERY_PARAMS:
+            try:
+                project_id = int(request.QUERY_PARAMS["project"])
+            except:
+                logger.error("Filtering project diferent value than an integer: {}".format(request.QUERY_PARAMS["project"]))
+                raise exc.BadRequest("'project' must be an integer value.")
+
        if project_id:
-            project_model = apps.get_model('projects', 'Project')
-            project = get_object_or_404(project_model, pk=project_id)
-            if (request.user.is_authenticated() and
-                    project.memberships.filter(user=request.user).exists()):
-                return queryset.filter(memberships__project=project).distinct()
-            else:
-                raise exc.PermissionDenied(_("You don't have permisions to see this project users."))
+            Project = apps.get_model('projects', 'Project')
+            project = get_object_or_404(Project, pk=project_id)

-        if request.user.is_superuser:
-            return queryset
+        if request.user.is_authenticated() and request.user.is_superuser:
+            qs = qs
+        elif request.user.is_authenticated():
+            Membership = apps.get_model('projects', 'Membership')
+            memberships_qs = Membership.objects.filter(user=request.user)
+            if project_id:
+                memberships_qs = memberships_qs.filter(project_id=project_id)
+            memberships_qs = memberships_qs.filter(Q(role__permissions__contains=[self.permission]) |
+                                                   Q(is_owner=True))

-        return []
+            projects_list = [membership.project_id for membership in memberships_qs]
+
+            if project and not "view_project" in project.public_permissions:
+                qs = qs.none()
+
+            qs = qs.filter(Q(memberships__project_id__in=projects_list) |
+                           Q(memberships__project__public_permissions__contains=[self.permission])|
+                           Q(id=request.user.id))
+
+        else:
+            if project and not "view_project" in project.anon_permissions:
+                qs = qs.none()
+
+            qs = qs.filter(memberships__project__anon_permissions__contains=[self.permission])
+
+        return qs.distinct()


 class BaseIsProjectAdminFilterBackend(object):
--- a/taiga/permissions/service.py
+++ b/taiga/permissions/service.py
@ -103,3 +103,17 @@ def get_user_project_permissions(user, project):
        anon_permissions = project.anon_permissions if project.anon_permissions is not None else []

    return set(owner_permissions + members_permissions + public_permissions + anon_permissions)
+
+
+def set_base_permissions_for_project(project):
+    if project.is_private:
+        project.anon_permissions = []
+        project.public_permissions = []
+
+    else:
+        """
+        If a project is public anonymous and registered users should have at least visualization permissions
+        """
+        anon_permissions = list(map(lambda perm: perm[0], ANON_PERMISSIONS))
+        project.anon_permissions = list(set(project.anon_permissions + anon_permissions))
+        project.public_permissions = list(set(project.public_permissions + anon_permissions))
--- a/taiga/projects/api.py
+++ b/taiga/projects/api.py
@ -36,6 +36,7 @@ from taiga.projects.mixins.on_destroy import MoveOnDestroyMixin
 from taiga.projects.userstories.models import UserStory
 from taiga.projects.tasks.models import Task
 from taiga.projects.issues.models import Issue
+from taiga.permissions import service as permissions_service

 from . import serializers
 from . import models
@ -46,7 +47,6 @@ from .votes import serializers as votes_serializers
 from .votes import services as votes_service
 from .votes.utils import attach_votescount_to_queryset

-
 ######################################################
 ## Project
 ######################################################
@ -168,6 +168,20 @@ class ProjectViewSet(ModelCrudViewSet):
        services.remove_user_from_project(request.user, project)
        return response.Ok()

+    def _set_base_permissions(self, obj):
+        update_permissions = False
+        if not obj.id:
+            if not obj.is_private:
+                # Creating a public project
+                update_permissions = True
+        else:
+            if self.get_object().is_private != obj.is_private:
+                # Changing project public state
+                update_permissions = True
+
+        if update_permissions:
+            permissions_service.set_base_permissions_for_project(obj)
+
    def pre_save(self, obj):
        if not obj.id:
            obj.owner = self.request.user
@ -176,6 +190,7 @@ class ProjectViewSet(ModelCrudViewSet):
        if not obj.id:
            obj.template = self.request.QUERY_PARAMS.get('template', None)

+        self._set_base_permissions(obj)
        super().pre_save(obj)

    def destroy(self, request, *args, **kwargs):
--- a/taiga/projects/migrations/0017_fix_is_private_for_projects.py
+++ b/taiga/projects/migrations/0017_fix_is_private_for_projects.py
@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import models, migrations
+
+def update_existing_projects(apps, schema_editor):
+    Project = apps.get_model("projects", "Project")
+    Project.objects.filter(is_private=False).update(is_private=True)
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('projects', '0016_fix_json_field_not_null'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='project',
+            name='is_private',
+            field=models.BooleanField(verbose_name='is private', default=True),
+            preserve_default=True,
+        ),
+        migrations.RunPython(update_existing_projects),
+    ]
--- a/taiga/projects/models.py
+++ b/taiga/projects/models.py
@ -160,7 +160,7 @@ class Project(ProjectDefaults, TaggedMixin, models.Model):
                                        default=[],
                                        verbose_name=_("user permissions"),
                                        choices=USER_PERMISSIONS)
-    is_private = models.BooleanField(default=False, null=False, blank=True,
+    is_private = models.BooleanField(default=True, null=False, blank=True,
                                     verbose_name=_("is private"))

    tags_colors = TextArrayField(dimension=2, null=False, blank=True, verbose_name=_("tags colors"), default=[])
--- a/taiga/projects/permissions.py
+++ b/taiga/projects/permissions.py
@ -52,12 +52,12 @@ class ProjectPermission(TaigaResourcePermission):
    destroy_perms = IsProjectOwner()
    modules_perms = IsProjectOwner()
    list_perms = AllowAny()
-    stats_perms = AllowAny()
+    stats_perms = HasProjectPerm('view_project')
    member_stats_perms = HasProjectPerm('view_project')
    star_perms = IsAuthenticated()
    unstar_perms = IsAuthenticated()
-    issues_stats_perms = AllowAny()
-    issues_filters_data_perms = AllowAny()
+    issues_stats_perms = HasProjectPerm('view_project')
+    issues_filters_data_perms = HasProjectPerm('view_project')
    tags_perms = HasProjectPerm('view_project')
    tags_colors_perms = HasProjectPerm('view_project')
    fans_perms = HasProjectPerm('view_project')
--- a/taiga/users/api.py
+++ b/taiga/users/api.py
@ -30,6 +30,7 @@ from taiga.auth.tokens import get_user_for_token
 from taiga.base.decorators import list_route
 from taiga.base.decorators import detail_route
 from taiga.base.api import ModelCrudViewSet
+from taiga.base.filters import PermissionBasedFilterBackend
 from taiga.base.api.utils import get_object_or_404
 from taiga.base.filters import MembersFilterBackend
 from taiga.projects.votes import services as votes_service
@ -46,14 +47,11 @@ from . import permissions
 from .signals import user_cancel_account as user_cancel_account_signal


-######################################################
-## User
-######################################################
-
 class UsersViewSet(ModelCrudViewSet):
    permission_classes = (permissions.UserPermission,)
    serializer_class = serializers.UserSerializer
    queryset = models.User.objects.all()
+    filter_backends = (MembersFilterBackend,)

    def create(self, *args, **kwargs):
        raise exc.NotSupported()
--- a/tests/integration/resources_permissions/test_users_resources.py
+++ b/tests/integration/resources_permissions/test_users_resources.py
@ -86,7 +86,7 @@ def test_user_delete(client, data):
    ]

    results = helper_test_http_method(client, 'delete', url, None, users)
-    assert results == [401, 403, 204]
+    assert results == [404, 404, 204]


 def test_user_list(client, data):
@ -101,14 +101,14 @@ def test_user_list(client, data):

    response = client.get(url)
    users_data = json.loads(response.content.decode('utf-8'))
-    assert len(users_data) == 0
+    assert len(users_data) == 1
    assert response.status_code == 200

    client.login(data.other_user)

    response = client.get(url)
    users_data = json.loads(response.content.decode('utf-8'))
-    assert len(users_data) == 0
+    assert len(users_data) == 1
    assert response.status_code == 200

    client.login(data.superuser)
@ -146,7 +146,7 @@ def test_user_patch(client, data):

    patch_data = json.dumps({"full_name": "test"})
    results = helper_test_http_method(client, 'patch', url, patch_data, users)
-    assert results == [401, 200, 403, 200]
+    assert results == [404, 200, 404, 200]


 def test_user_action_change_password(client, data):
--- a/tests/integration/test_projects.py
+++ b/tests/integration/test_projects.py
@ -2,6 +2,7 @@ from django.core.urlresolvers import reverse
 from taiga.base.utils import json
 from taiga.projects.services import stats as stats_services
 from taiga.projects.history.services import take_snapshot
+from taiga.permissions.permissions import ANON_PERMISSIONS

 from .. import factories as f

@ -235,3 +236,19 @@ def test_edit_membership_only_owner(client):
    response = client.json.patch(url, json.dumps(data))
    assert response.status_code == 400
    assert response.data["is_owner"][0] == "At least one of the user must be an active admin"
+
+
+def test_anon_permissions_generation_when_making_project_public(client):
+    user = f.UserFactory.create()
+    project = f.ProjectFactory.create(is_private=True)
+    role = f.RoleFactory.create(project=project, permissions=["view_project", "modify_project"])
+    membership = f.MembershipFactory.create(project=project, user=user, role=role, is_owner=True)
+    assert project.anon_permissions == []
+    client.login(user)
+    url = reverse("projects-detail", kwargs={"pk": project.pk})
+    data = {"is_private": False}
+    response = client.json.patch(url, json.dumps(data))
+    assert response.status_code == 200
+    anon_permissions = list(map(lambda perm: perm[0], ANON_PERMISSIONS))
+    assert set(anon_permissions).issubset(set(response.data["anon_permissions"]))
+    assert set(anon_permissions).issubset(set(response.data["public_permissions"]))