Coverage for portality/bll/services/authorisation.py: 70%

54 statements  

« prev     ^ index     » next       coverage.py v6.4.2, created at 2022-09-21 00:49 +0100

1from portality.lib.argvalidate import argvalidate 

2from portality import models, constants 

3from portality.bll import exceptions 

4 

5 

6class AuthorisationService(object): 

7 """ 

8 ~~AuthNZ:Service->AuthNZ:Feature~~ 

9 """ 

10 def can_create_update_request(self, account, journal): 

11 """ 

12 Is the given account allowed to create an update request from the given journal 

13 

14 :param account: the account doing the action 

15 :param journal: the journal the account wants to create an update request from 

16 :return: 

17 """ 

18 # first validate the incoming arguments to ensure that we've got the right thing 

19 argvalidate("can_create_update_request", [ 

20 {"arg": account, "instance": models.Account, "allow_none" : False, "arg_name" : "account"}, 

21 {"arg": journal, "instance": models.Journal, "allow_none" : False, "arg_name" : "journal"}, 

22 ], exceptions.ArgumentException) 

23 

24 # if this is the super user, they have all rights 

25 if account.is_super: 

26 return True 

27 

28 if not account.has_role("publisher"): 

29 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE) 

30 if account.id != journal.owner: 

31 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.NOT_OWNER) 

32 

33 return True 

34 

35 def can_edit_application(self, account, application): 

36 """ 

37 Is the given account allowed to edit the update request application 

38 

39 :param account: the account doing the action 

40 :param application: the application the account wants to edit 

41 :return: 

42 """ 

43 # first validate the incoming arguments to ensure that we've got the right thing 

44 argvalidate("can_edit_update_request", [ 

45 {"arg": account, "instance": models.Account, "allow_none" : False, "arg_name" : "account"}, 

46 {"arg": application, "instance": models.Suggestion, "allow_none" : False, "arg_name" : "application"}, 

47 ], exceptions.ArgumentException) 

48 

49 no_auth_reason = exceptions.AuthoriseException.WRONG_ROLE 

50 

51 # if this is the super user, they have all rights 

52 if account.is_super: 

53 return True 

54 

55 if account.has_role("publisher"): 

56 if account.id != application.owner: 

57 no_auth_reason = exceptions.AuthoriseException.NOT_OWNER 

58 elif application.application_status not in [ 

59 constants.APPLICATION_STATUS_PENDING, 

60 constants.APPLICATION_STATUS_UPDATE_REQUEST, 

61 constants.APPLICATION_STATUS_REVISIONS_REQUIRED 

62 ]: 

63 no_auth_reason = exceptions.AuthoriseException.WRONG_STATUS 

64 else: 

65 return True 

66 

67 if account.has_role("edit_suggestion"): 

68 # user must be either the "admin.editor" of the suggestion, or the editor of the "admin.editor_group" 

69 # is the user the currently assigned editor of the suggestion? 

70 if application.editor == account.id: 

71 return True 

72 

73 # now check whether the user is the editor of the editor group 

74 eg = models.EditorGroup.pull_by_key("name", application.editor_group) 

75 if eg is not None and eg.editor == account.id: 

76 return True 

77 

78 raise exceptions.AuthoriseException(reason=no_auth_reason) 

79 

80 

81 

82 def can_view_application(self, account, application): 

83 """ 

84 Is the given account allowed to view the update request application 

85 

86 :param account: the account doing the action 

87 :param application: the application the account wants to edit 

88 :return: 

89 """ 

90 # first validate the incoming arguments to ensure that we've got the right thing 

91 argvalidate("can_edit_update_request", [ 

92 {"arg": account, "instance": models.Account, "allow_none" : False, "arg_name" : "account"}, 

93 {"arg": application, "instance": models.Suggestion, "allow_none" : False, "arg_name" : "application"}, 

94 ], exceptions.ArgumentException) 

95 

96 # if this is the super user, they have all rights 

97 if account.is_super: 

98 return True 

99 if not account.has_role("publisher"): 

100 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE) 

101 if account.id != application.owner: 

102 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.NOT_OWNER) 

103 

104 return True 

105 

106 def can_edit_journal(self, account: models.Account, journal: models.Journal): 

107 """ 

108 Is the given account allowed to edit the journal record 

109 

110 :param account: the account doing the action 

111 :param journal: the journal the account wants to edit 

112 :return: 

113 """ 

114 # if this is the super user, they have all rights 

115 if account.is_super: 

116 return True 

117 

118 # An editor can edit an application when they are assigned 

119 if not account.has_role("edit_journal"): 

120 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE) 

121 

122 # user must be either the "admin.editor" of the journal, or the editor of the "admin.editor_group" 

123 # is the user the currently assigned editor of the journal? 

124 passed = False 

125 if journal.editor == account.id: 

126 passed = True 

127 

128 # now check whether the user is the editor of the editor group 

129 eg = models.EditorGroup.pull_by_key("name", journal.editor_group) # ~~->EditorGroup:Model~~ 

130 if eg is not None and eg.editor == account.id: 

131 passed = True 

132 

133 # if the user wasn't the editor or the owner of the editor group, unauthorised 

134 if passed: 

135 return True 

136 

137 raise exceptions.AuthoriseException(reason=exceptions.AuthoriseException.WRONG_ROLE)