fix: refactor webpath permissions

UniversitaDellaCalabria · Dec 17, 2024 · ffc66ee · ffc66ee
1 parent 58fe359
commit ffc66ee
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 47 deletions.
diff --git a/src/cms/api/views/page.py b/src/cms/api/views/page.py
@@ -100,8 +100,7 @@ def patch(self, request, *args, **kwargs):
             new_webpath = serializer.validated_data.get('webpath')
             if new_webpath and new_webpath != item.webpath:
                 # check permissions and locks on webpath
-                webpath_perms = new_webpath.is_editable_by(obj=item,
-                                                           user=request.user)
+                webpath_perms = new_webpath.is_editable_by(user=request.user)
                 if not webpath_perms:
                     raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                                  resource=request.method)
@@ -122,8 +121,7 @@ def put(self, request, *args, **kwargs):
             new_webpath = serializer.validated_data.get('webpath')
             # check permissions on webpath
             if new_webpath != item.webpath:
-                webpath_perms = new_webpath.is_editable_by(obj=item,
-                                                           user=request.user)
+                webpath_perms = new_webpath.is_editable_by(user=request.user)
                 if not webpath_perms:
                     raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                                  resource=request.method)

diff --git a/src/cms/api/views/webpath.py b/src/cms/api/views/webpath.py
@@ -111,17 +111,17 @@ def patch(self, request, *args, **kwargs):
                                          data=request.data,
                                          partial=True)
         if serializer.is_valid(raise_exception=True):
-            has_permission = item.is_publicable_by(user=request.user,
-                                                   parent=True)
+            has_permission = item.is_publicable_by(user=request.user)
+                                                   # parent=True)
             if not has_permission:
                 raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                              resource=request.method)
-            # if parent in request data, check permission on parent
+            # if parent in request data, check permission on (new) parent
             parent = serializer.validated_data.get('parent')
+            # check permissions on parent if different from actual
             if parent and parent != item.parent:
-                # check permissions on parent
-                has_permission = parent.is_publicable_by(user=request.user,
-                                                         parent=True)
+                has_permission = parent.is_publicable_by(user=request.user)
+                                                         # parent=True)
                 if not has_permission:
                     raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                                  resource=request.method)
@@ -137,17 +137,17 @@ def put(self, request, *args, **kwargs):
         serializer = self.get_serializer(instance=item,
                                          data=request.data)
         if serializer.is_valid(raise_exception=True):
-            has_permission = item.is_publicable_by(user=request.user,
-                                                   parent=True)
+            has_permission = item.is_publicable_by(user=request.user)
+                                                   # parent=True)
             if not has_permission:
                 raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                              resource=request.method)
-
+            # if parent in request data, check permission on (new) parent
             parent = serializer.validated_data.get('parent')
             # check permissions on parent if different from actual
             if parent != item.parent:
-                has_permission = parent.is_publicable_by(user=request.user,
-                                                         parent=True)
+                has_permission = parent.is_publicable_by(user=request.user)
+                                                         # parent=True)
                 if not has_permission:
                     raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                                  resource=request.method)
@@ -160,8 +160,8 @@ def put(self, request, *args, **kwargs):
 
     def delete(self, request, *args, **kwargs):
         item = self.get_object()
-        has_permission = item.is_publicable_by(user=request.user,
-                                               parent=True)
+        has_permission = item.is_publicable_by(user=request.user)
+                                               # parent=True)
         if not has_permission:
             raise LoggedPermissionDenied(classname=self.__class__.__name__,
                                          resource=request.method)

diff --git a/src/cms/contexts/models.py b/src/cms/contexts/models.py
@@ -220,50 +220,60 @@ def save(self, *args, **kwargs):
     def get_parent_fullpath(self):
         return self.parent.get_full_path() if self.parent else ''
 
-    def is_localizable_by(self, user=None, obj=None, parent=False):
+    def is_localizable_by(self, user=None): #,obj=None, parent=False):
         if not user: return False
         if user.is_superuser: return True
-        item = self if not obj else obj
-        parent = self.parent if parent else self
-        eb_permission = EditorialBoardEditors.get_permission(parent, user)
+        # item = self if not obj else obj
+        # parent = self.parent if parent else self
+        # eb_permission = EditorialBoardEditors.get_permission(parent, user)
+        eb_permission = EditorialBoardEditors.get_permission(self, user)
         perms = is_translator(eb_permission)
-        # if user has not editor permissions
-        if not perms: return False
+        # if user has translator permissions
+        if perms: return True
+        # if user has not permissions, check locks
         webpath_lock_ok = EditorialBoardLockUser.check_for_locks(self, user)
         return webpath_lock_ok
 
-    def is_editable_by(self, user=None, obj=None, parent=False):
+    def is_editable_by(self, user=None): #, obj=None, parent=False):
         if not user: return False
         if user.is_superuser: return True
-        item = self if not obj else obj
-        parent = self.parent if parent else self
-        eb_permission = EditorialBoardEditors.get_permission(parent, user)
+        # item = self if not obj else obj
+        # parent = self.parent if parent else self
+        eb_permission = EditorialBoardEditors.get_permission(self, user)
         perms = is_editor(eb_permission)
-        # if user has not editor permissions
-        if not perms: return False
-        # if user can edit only created by him pages
-        if perms['only_created_by'] and item.created_by != user:
-            return False
+        # if user has editor permissions
+        if perms:
+            # check if permission is only for the owner
+            if perms['only_created_by'] and self.created_by != user:
+                return False
+            # permission granted
+            return True
+        # if user has not permissions, check locks
         webpath_lock_ok = EditorialBoardLockUser.check_for_locks(self, user)
         return webpath_lock_ok
 
-    def is_publicable_by(self, user=None, obj=None, parent=False):
+    def is_publicable_by(self, user=None): #, obj=None, parent=False):
         if not user: return False
         if user.is_superuser: return True
-        item = self if not obj else obj
-        parent = self.parent if parent else self
-        eb_permission = EditorialBoardEditors.get_permission(parent, user)
+        # item = self if not obj else obj
+        # parent = self.parent if parent else self
+        # eb_permission = EditorialBoardEditors.get_permission(parent, user)
+        eb_permission = EditorialBoardEditors.get_permission(self, user)
         perms = is_publisher(eb_permission)
-        # if user has not editor permissions
-        if not perms: return False
-        # if user can edit only created by him pages
-        if perms['only_created_by'] and item.created_by != user:
-            return False
+        # if user has publisher permissions
+        if perms:
+            # check if permission is only for the owner
+            if perms['only_created_by'] and self.created_by != user:
+                return False
+            # permission granted
+            return True
+        # if user has not permissions, check locks
         webpath_lock_ok = EditorialBoardLockUser.check_for_locks(self, user)
         return webpath_lock_ok
 
+
     def is_lockable_by(self, user):
-        return self.is_publicable_by(user, parent=True)
+        return self.is_publicable_by(user) #, parent=True)
 
     def get_access_level(self):
         for t in getattr(settings, 'AUTH_USER_GROUPS', ()):
@@ -392,7 +402,7 @@ def check_for_locks(cls, obj, user):
         locks = cls.get_object_locks(content_type=content_type,
                                      object_id=obj.pk)
         # if there is not lock, ok
-        if not locks: return True
+        if not locks: return False
         # if user is in lock user list, has permissions
         if locks.filter(user=user).exists():
             return True

diff --git a/src/cms/pages/models.py b/src/cms/pages/models.py
@@ -312,7 +312,7 @@ def is_editable_by(self, user=None):
         # check if user has EditorialBoard editor permissions on object
         # and check for locks on webpath
         webpath = self.webpath
-        webpath_perms = webpath.is_editable_by(user=user, obj=self)
+        webpath_perms = webpath.is_editable_by(user=user)
         if not webpath_perms: return False
         # check for locks on object
         return EditorialBoardLockUser.check_for_locks(self, user)
@@ -323,7 +323,7 @@ def is_publicable_by(self, user=None):
         # check if user has EditorialBoard editor permissions on object
         # and check for locks on webpath
         webpath = self.webpath
-        webpath_perms = webpath.is_publicable_by(user=user, obj=self)
+        webpath_perms = webpath.is_publicable_by(user=user) #, obj=self)
         if not webpath_perms: return False
         # check for locks on object
         return EditorialBoardLockUser.check_for_locks(self, user)

diff --git a/src/cms/publications/models.py b/src/cms/publications/models.py
@@ -328,7 +328,7 @@ def is_editable_by(self, user=None):
             pub_ctxs = self.get_publication_contexts()
             for pub_ctx in pub_ctxs:
                 webpath = pub_ctx.webpath
-                webpath_perms = webpath.is_editable_by(user=user, obj=self)
+                webpath_perms = webpath.is_editable_by(user=user)
                 if webpath_perms: return True
         # if no permissions
         return False
@@ -351,7 +351,7 @@ def is_publicable_by(self, user=None):
             pub_ctxs = self.get_publication_contexts()
             for pub_ctx in pub_ctxs:
                 webpath = pub_ctx.webpath
-                webpath_perms = webpath.is_publicable_by(user=user, obj=self)
+                webpath_perms = webpath.is_publicable_by(user=user)
                 if webpath_perms: return True
         # if no permissions
         return False