Coverage for portality/bll/services/authorisation.py: 70%
54 statements
« prev ^ index » next coverage.py v6.4.2, created at 2022-09-13 22:06 +0100
« prev ^ index » next coverage.py v6.4.2, created at 2022-09-13 22:06 +0100
1from portality.lib.argvalidate import argvalidate
2from portality import models, constants
3from portality.bll import exceptions
6class AuthorisationService(object):
7 """
8 ~~AuthNZ:Service->AuthNZ:Feature~~
9 """
10 def can_create_update_request(self, account, journal):
11 """
12 Is the given account allowed to create an update request from the given journal
14 :param account: the account doing the action
15 :param journal: the journal the account wants to create an update request from
16 :return:
17 """
18 # first validate the incoming arguments to ensure that we've got the right thing
19 argvalidate("can_create_update_request", [
20 {"arg": account, "instance": models.Account, "allow_none" : False, "arg_name" : "account"},
21 {"arg": journal, "instance": models.Journal, "allow_none" : False, "arg_name" : "journal"},
22 ], exceptions.ArgumentException)
24 # if this is the super user, they have all rights
25 if account.is_super:
26 return True
28 if not account.has_role("publisher"):
29 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)
30 if account.id != journal.owner:
31 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.NOT_OWNER)
33 return True
35 def can_edit_application(self, account, application):
36 """
37 Is the given account allowed to edit the update request application
39 :param account: the account doing the action
40 :param application: the application the account wants to edit
41 :return:
42 """
43 # first validate the incoming arguments to ensure that we've got the right thing
44 argvalidate("can_edit_update_request", [
45 {"arg": account, "instance": models.Account, "allow_none" : False, "arg_name" : "account"},
46 {"arg": application, "instance": models.Suggestion, "allow_none" : False, "arg_name" : "application"},
47 ], exceptions.ArgumentException)
49 no_auth_reason = exceptions.AuthoriseException.WRONG_ROLE
51 # if this is the super user, they have all rights
52 if account.is_super:
53 return True
55 if account.has_role("publisher"):
56 if account.id != application.owner:
57 no_auth_reason = exceptions.AuthoriseException.NOT_OWNER
58 elif application.application_status not in [
59 constants.APPLICATION_STATUS_PENDING,
60 constants.APPLICATION_STATUS_UPDATE_REQUEST,
61 constants.APPLICATION_STATUS_REVISIONS_REQUIRED
62 ]:
63 no_auth_reason = exceptions.AuthoriseException.WRONG_STATUS
64 else:
65 return True
67 if account.has_role("edit_suggestion"):
68 # user must be either the "admin.editor" of the suggestion, or the editor of the "admin.editor_group"
69 # is the user the currently assigned editor of the suggestion?
70 if application.editor == account.id:
71 return True
73 # now check whether the user is the editor of the editor group
74 eg = models.EditorGroup.pull_by_key("name", application.editor_group)
75 if eg is not None and eg.editor == account.id:
76 return True
78 raise exceptions.AuthoriseException(reason=no_auth_reason)
82 def can_view_application(self, account, application):
83 """
84 Is the given account allowed to view the update request application
86 :param account: the account doing the action
87 :param application: the application the account wants to edit
88 :return:
89 """
90 # first validate the incoming arguments to ensure that we've got the right thing
91 argvalidate("can_edit_update_request", [
92 {"arg": account, "instance": models.Account, "allow_none" : False, "arg_name" : "account"},
93 {"arg": application, "instance": models.Suggestion, "allow_none" : False, "arg_name" : "application"},
94 ], exceptions.ArgumentException)
96 # if this is the super user, they have all rights
97 if account.is_super:
98 return True
99 if not account.has_role("publisher"):
100 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)
101 if account.id != application.owner:
102 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.NOT_OWNER)
104 return True
106 def can_edit_journal(self, account: models.Account, journal: models.Journal):
107 """
108 Is the given account allowed to edit the journal record
110 :param account: the account doing the action
111 :param journal: the journal the account wants to edit
112 :return:
113 """
114 # if this is the super user, they have all rights
115 if account.is_super:
116 return True
118 # An editor can edit an application when they are assigned
119 if not account.has_role("edit_journal"):
120 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)
122 # user must be either the "admin.editor" of the journal, or the editor of the "admin.editor_group"
123 # is the user the currently assigned editor of the journal?
124 passed = False
125 if journal.editor == account.id:
126 passed = True
128 # now check whether the user is the editor of the editor group
129 eg = models.EditorGroup.pull_by_key("name", journal.editor_group) # ~~->EditorGroup:Model~~
130 if eg is not None and eg.editor == account.id:
131 passed = True
133 # if the user wasn't the editor or the owner of the editor group, unauthorised
134 if passed:
135 return True
137 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)