Coverage for portality / bll / services / authorisation.py: 68%


1from portality.lib.argvalidate import argvalidate 

2from portality import models, constants 

3from portality.bll import exceptions 


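class AuthorisationService(object):
    """
    ~~AuthNZ:Service->AuthNZ:Feature~~

    Authorisation checks for journals, applications and update requests.

    Every public ``can_*`` method follows one contract: it returns ``True`` when
    the action is permitted and raises ``exceptions.AuthoriseException`` (with a
    ``reason`` taken from that class's constants) when it is not.  Callers in
    this codebase rely on the exception alone, so a denial is never signalled
    by a bare return value -- the checks fail closed.
    """

    def _validate_args(self, name, account, target, target_cls, target_name):
        """
        Validate the (account, target) argument pair of a ``can_*`` check

        :param name: name of the calling check, reported in the ArgumentException
        :param account: must be a non-None models.Account
        :param target: must be a non-None instance of ``target_cls``
        :param target_cls: the model class ``target`` is expected to be
        :param target_name: the argument name ``target`` is reported under
        :raises exceptions.ArgumentException: if either argument is missing or of the wrong type
        """
        argvalidate(name, [
            {"arg": account, "instance": models.Account, "allow_none": False, "arg_name": "account"},
            {"arg": target, "instance": target_cls, "allow_none": False, "arg_name": target_name},
        ], exceptions.ArgumentException)

    def _is_editor_of_group(self, account, group_name):
        """
        Is the given account the editor of the named editor group

        :param account: the account being checked
        :param group_name: the name of the editor group, possibly None/empty
        :return: True if the group exists and its editor is ``account``; False
            (without querying) when ``group_name`` is empty
        """
        # an empty group name cannot identify a group; skip the lookup rather
        # than querying the index with None
        if not group_name:
            return False
        eg = models.EditorGroup.pull_by_key("name", group_name)  # ~~->EditorGroup:Model~~
        return eg is not None and eg.editor == account.id

    def can_create_update_request(self, account, journal):
        """
        Is the given account allowed to create an update request from the given journal

        :param account: the account doing the action
        :param journal: the journal the account wants to create an update request from
        :return: True if the account is a superuser, or a publisher who owns the journal
        :raises exceptions.AuthoriseException: with reason WRONG_ROLE if the account is not a
            publisher, or NOT_OWNER if it does not own the journal
        :raises exceptions.ArgumentException: if an argument is missing or of the wrong type
        """
        # first validate the incoming arguments to ensure that we've got the right thing
        self._validate_args("can_create_update_request", account, journal,
                            models.Journal, "journal")

        # if this is the super user, they have all rights
        if account.is_super:
            return True

        if not account.has_role("publisher"):
            raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)
        if account.id != journal.owner:
            raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.NOT_OWNER)

        return True

    def can_edit_application(self, account, application):
        """
        Is the given account allowed to edit the update request application

        A superuser may always edit.  A publisher may edit their own application
        while it is still in an editable status.  A user with the
        ``edit_suggestion`` role may edit when they are the application's
        assigned editor or the editor of its editor group.

        :param account: the account doing the action
        :param application: the application the account wants to edit
        :return: True if the account may edit the application
        :raises exceptions.AuthoriseException: if the account may not edit.  The reason is
            NOT_OWNER or WRONG_STATUS when a publisher failed the ownership/status checks
            (and no editor rule granted access), otherwise WRONG_ROLE
        :raises exceptions.ArgumentException: if an argument is missing or of the wrong type
        """
        # first validate the incoming arguments to ensure that we've got the right thing
        self._validate_args("can_edit_update_request", account, application,
                            models.Suggestion, "application")

        # if this is the super user, they have all rights
        if account.is_super:
            return True

        # statuses in which a publisher may still edit their own application
        editable_statuses = (  # ~~-> ApplicationStatuses:Config~~
            constants.APPLICATION_STATUS_PENDING,
            constants.APPLICATION_STATUS_UPDATE_REQUEST,
            constants.APPLICATION_STATUS_REVISIONS_REQUIRED,
        )

        # the most specific reason found so far; a publisher that fails a later
        # check reports that reason rather than the generic WRONG_ROLE
        no_auth_reason = exceptions.AuthoriseException.WRONG_ROLE

        if account.has_role("publisher"):
            if account.id != application.owner:
                no_auth_reason = exceptions.AuthoriseException.NOT_OWNER
            elif application.application_status not in editable_statuses:
                no_auth_reason = exceptions.AuthoriseException.WRONG_STATUS
            else:
                return True

        # a publisher who is also an editor may still qualify through the editor rules
        if account.has_role("edit_suggestion"):
            # user must be either the "admin.editor" of the suggestion, or the editor of the "admin.editor_group"
            if application.editor == account.id:
                return True
            if self._is_editor_of_group(account, application.editor_group):
                return True

        # no rule granted access: raise rather than return False, since callers
        # treat a non-raising call as authorised
        raise exceptions.AuthoriseException(reason=no_auth_reason)

    def can_view_application(self, account, application):
        """
        Is the given account allowed to view the update request application

        :param account: the account doing the action
        :param application: the application the account wants to view
        :return: True if the account is a superuser, or a publisher who owns the application
        :raises exceptions.AuthoriseException: with reason WRONG_ROLE if the account is not a
            publisher, or NOT_OWNER if it does not own the application
        :raises exceptions.ArgumentException: if an argument is missing or of the wrong type
        """
        # first validate the incoming arguments to ensure that we've got the right thing
        # (reported under this method's own name, not the edit check's)
        self._validate_args("can_view_application", account, application,
                            models.Suggestion, "application")

        # if this is the super user, they have all rights
        if account.is_super:
            return True
        if not account.has_role("publisher"):
            raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)
        if account.id != application.owner:
            raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.NOT_OWNER)

        return True

    def can_edit_journal(self, account: models.Account, journal: models.Journal):
        """
        Is the given account allowed to edit the journal record

        :param account: the account doing the action
        :param journal: the journal the account wants to edit
        :return: True if the account is a superuser, or has the ``edit_journal`` role and is
            either the journal's assigned editor or the editor of its editor group
        :raises exceptions.AuthoriseException: with reason WRONG_ROLE if the account lacks the
            role, or is neither the assigned editor nor the editor-group editor
        :raises exceptions.ArgumentException: if an argument is missing or of the wrong type
        """
        # validate the incoming arguments, as the other checks in this service do
        self._validate_args("can_edit_journal", account, journal,
                            models.Journal, "journal")

        # if this is the super user, they have all rights
        if account.is_super:
            return True

        # An editor can edit a journal when they are assigned
        if not account.has_role("edit_journal"):
            raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)

        # user must be either the "admin.editor" of the journal, or the editor of the "admin.editor_group"
        if journal.editor == account.id:
            return True
        if self._is_editor_of_group(account, journal.editor_group):
            return True

        # not the assigned editor nor the editor-group editor: unauthorised.  The
        # existing reason constant is kept so callers see the same error as before.
        raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)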