cleanup CorpusFollowerPermissions

This commit is contained in:
Patrick Jentsch 2023-04-12 12:45:41 +02:00
parent 98b1c15aa0
commit 0de14ea5db
6 changed files with 34 additions and 37 deletions

View File

@ -9,14 +9,13 @@ def corpus_follower_permission_required(*permissions):
@wraps(f) @wraps(f)
def decorated_function(*args, **kwargs): def decorated_function(*args, **kwargs):
corpus_id = kwargs.get('corpus_id') corpus_id = kwargs.get('corpus_id')
corpus = Corpus.query.get_or_404(corpus_id) cfa = CorpusFollowerAssociation.query.filter_by(corpus_id=corpus_id, follower_id=current_user.id).first()
if current_user == corpus.user or current_user.is_administrator(): if cfa is None:
return f(*args, **kwargs)
if not current_user.is_following_corpus(corpus):
abort(403)
corpus_follower_association = CorpusFollowerAssociation.query.filter_by(corpus_id=corpus_id, follower_id=current_user.id).first_or_404()
if not all([corpus_follower_association.role.has_permission(p) for p in permissions]):
abort(403) abort(403)
corpus = cfa.corpus
if not (corpus.user == current_user or current_user.is_administrator()):
if not all([cfa.role.has_permission(p) for p in permissions]):
abort(403)
return f(*args, **kwargs) return f(*args, **kwargs)
return decorated_function return decorated_function
return decorator return decorator
@ -27,8 +26,8 @@ def corpus_owner_or_admin_required(f):
def decorated_function(*args, **kwargs): def decorated_function(*args, **kwargs):
corpus_id = kwargs.get('corpus_id') corpus_id = kwargs.get('corpus_id')
corpus = Corpus.query.get_or_404(corpus_id) corpus = Corpus.query.get_or_404(corpus_id)
if current_user == corpus.user or current_user.is_administrator(): if not (corpus.user == current_user or current_user.is_administrator()):
return f(*args, **kwargs) abort(403)
abort(403) return f(*args, **kwargs)
return decorated_function return decorated_function

View File

@ -1,4 +1,4 @@
from flask import current_app from flask import abort, current_app
from threading import Thread from threading import Thread
from app import db from app import db
from app.decorators import content_negotiation from app.decorators import content_negotiation

View File

@ -1,5 +1,4 @@
from flask import abort, request from flask import abort, request
from flask_login import current_user
from app import db from app import db
from app.decorators import content_negotiation from app.decorators import content_negotiation
from app.models import ( from app.models import (
@ -8,12 +7,12 @@ from app.models import (
CorpusFollowerRole, CorpusFollowerRole,
User User
) )
from ..decorators import corpus_owner_or_admin_required from ..decorators import corpus_follower_permission_required
from . import bp from . import bp
@bp.route('/<hashid:corpus_id>/followers', methods=['POST']) @bp.route('/<hashid:corpus_id>/followers', methods=['POST'])
@corpus_owner_or_admin_required @corpus_follower_permission_required('ADD_FOLLOWER')
@content_negotiation(consumes='application/json', produces='application/json') @content_negotiation(consumes='application/json', produces='application/json')
def create_corpus_followers(corpus_id): def create_corpus_followers(corpus_id):
usernames = request.json usernames = request.json
@ -32,7 +31,7 @@ def create_corpus_followers(corpus_id):
@bp.route('/<hashid:corpus_id>/followers/<hashid:follower_id>/role', methods=['PUT']) @bp.route('/<hashid:corpus_id>/followers/<hashid:follower_id>/role', methods=['PUT'])
@corpus_owner_or_admin_required @corpus_follower_permission_required('UPDATE_FOLLOWER')
@content_negotiation(consumes='application/json', produces='application/json') @content_negotiation(consumes='application/json', produces='application/json')
def update_corpus_follower_role(corpus_id, follower_id): def update_corpus_follower_role(corpus_id, follower_id):
role_name = request.json role_name = request.json
@ -52,19 +51,17 @@ def update_corpus_follower_role(corpus_id, follower_id):
@bp.route('/<hashid:corpus_id>/followers/<hashid:follower_id>', methods=['DELETE']) @bp.route('/<hashid:corpus_id>/followers/<hashid:follower_id>', methods=['DELETE'])
@corpus_follower_permission_required('REMOVE_FOLLOWER')
@content_negotiation(produces='application/json') @content_negotiation(produces='application/json')
def delete_corpus_follower(corpus_id, follower_id): def delete_corpus_follower(corpus_id, follower_id):
corpus = Corpus.query.get_or_404(corpus_id) cfa = CorpusFollowerAssociation.query.filter_by(corpus_id=corpus_id, follower_id=follower_id).first_or_404()
follower = User.query.get_or_404(follower_id) cfa.follower.unfollow_corpus(cfa.corpus)
if not (corpus.user == current_user or follower == current_user or current_user.is_administrator()):
abort(403)
if not follower.is_following_corpus(corpus):
abort(409)
follower.unfollow_corpus(corpus)
db.session.commit() db.session.commit()
response_data = { response_data = {
'message': \ 'message': (
f'"{follower.username}" is not following "{corpus.title}" anymore', f'"{cfa.follower.username}" is not following '
f'"{cfa.corpus.title}" anymore'
),
'category': 'corpus' 'category': 'corpus'
} }
return response_data, 200 return response_data, 200

View File

@ -2,11 +2,11 @@ from datetime import datetime
from flask import abort, current_app, request, url_for from flask import abort, current_app, request, url_for
from flask_login import current_user from flask_login import current_user
from threading import Thread from threading import Thread
from .decorators import corpus_follower_permission_required, corpus_owner_or_admin_required from app import db
from app import db, hashids
from app.decorators import content_negotiation from app.decorators import content_negotiation
from app.models import Corpus, CorpusFollowerRole from app.models import Corpus, CorpusFollowerRole
from . import bp from . import bp
from .decorators import corpus_follower_permission_required, corpus_owner_or_admin_required
@bp.route('/<hashid:corpus_id>', methods=['DELETE']) @bp.route('/<hashid:corpus_id>', methods=['DELETE'])
@ -58,10 +58,9 @@ def build_corpus(corpus_id):
@bp.route('/<hashid:corpus_id>/generate-share-link', methods=['POST']) @bp.route('/<hashid:corpus_id>/generate-share-link', methods=['POST'])
@corpus_follower_permission_required('GENERATE_SHARE_LINK') @corpus_follower_permission_required('ADD_FOLLOWER')
@content_negotiation(consumes='application/json', produces='application/json') @content_negotiation(consumes='application/json', produces='application/json')
def generate_corpus_share_link(corpus_id): def generate_corpus_share_link(corpus_id):
corpus_hashid = hashids.encode(corpus_id)
data = request.json data = request.json
if not isinstance(data, dict): if not isinstance(data, dict):
abort(400) abort(400)
@ -75,7 +74,8 @@ def generate_corpus_share_link(corpus_id):
cfr = CorpusFollowerRole.query.filter_by(name=role_name).first() cfr = CorpusFollowerRole.query.filter_by(name=role_name).first()
if cfr is None: if cfr is None:
abort(400) abort(400)
token = current_user.generate_follow_corpus_token(corpus_hashid, role_name, expiration_date) corpus = Corpus.query.get_or_404(corpus_id)
token = current_user.generate_follow_corpus_token(corpus.hashid, role_name, expiration_date)
corpus_share_link = url_for( corpus_share_link = url_for(
'corpora.follow_corpus', 'corpora.follow_corpus',
corpus_id=corpus_id, corpus_id=corpus_id,

View File

@ -1,7 +1,6 @@
from flask import abort, flash, redirect, render_template, url_for from flask import abort, flash, redirect, render_template, url_for
from flask_breadcrumbs import register_breadcrumb from flask_breadcrumbs import register_breadcrumb
from flask_login import current_user from flask_login import current_user
from .decorators import corpus_follower_permission_required
from app import db from app import db
from app.models import ( from app.models import (
Corpus, Corpus,
@ -10,6 +9,7 @@ from app.models import (
User User
) )
from . import bp from . import bp
from .decorators import corpus_follower_permission_required
from .forms import CreateCorpusForm from .forms import CreateCorpusForm
from .utils import ( from .utils import (
corpus_endpoint_arguments_constructor as corpus_eac, corpus_endpoint_arguments_constructor as corpus_eac,
@ -73,8 +73,8 @@ def corpus(corpus_id):
@bp.route('/<hashid:corpus_id>/analyse') @bp.route('/<hashid:corpus_id>/analyse')
@register_breadcrumb(bp, '.entity.analyse', 'Analyse', endpoint_arguments_constructor=corpus_eac)
@corpus_follower_permission_required('VIEW') @corpus_follower_permission_required('VIEW')
@register_breadcrumb(bp, '.entity.analyse', 'Analyse', endpoint_arguments_constructor=corpus_eac)
def analyse_corpus(corpus_id): def analyse_corpus(corpus_id):
corpus = Corpus.query.get_or_404(corpus_id) corpus = Corpus.query.get_or_404(corpus_id)
return render_template( return render_template(
@ -101,6 +101,7 @@ def import_corpus():
@bp.route('/<hashid:corpus_id>/export') @bp.route('/<hashid:corpus_id>/export')
@corpus_follower_permission_required('VIEW')
@register_breadcrumb(bp, '.entity.export', 'Export', endpoint_arguments_constructor=corpus_eac) @register_breadcrumb(bp, '.entity.export', 'Export', endpoint_arguments_constructor=corpus_eac)
def export_corpus(corpus_id): def export_corpus(corpus_id):
abort(503) abort(503)

View File

@ -116,9 +116,9 @@ class CorpusFollowerPermission(IntEnum):
ADD_CORPUS_FILE = 2 ADD_CORPUS_FILE = 2
UPDATE_CORPUS_FILE = 4 UPDATE_CORPUS_FILE = 4
REMOVE_CORPUS_FILE = 8 REMOVE_CORPUS_FILE = 8
GENERATE_SHARE_LINK = 16 ADD_FOLLOWER = 16
REMOVE_FOLLOWER = 32 UPDATE_FOLLOWER = 32
UPDATE_FOLLOWER = 64 REMOVE_FOLLOWER = 64
@staticmethod @staticmethod
def get(corpus_follower_permission: Union['CorpusFollowerPermission', int, str]) -> 'CorpusFollowerPermission': def get(corpus_follower_permission: Union['CorpusFollowerPermission', int, str]) -> 'CorpusFollowerPermission':
@ -448,9 +448,9 @@ class CorpusFollowerRole(HashidMixin, db.Model):
CorpusFollowerPermission.ADD_CORPUS_FILE, CorpusFollowerPermission.ADD_CORPUS_FILE,
CorpusFollowerPermission.UPDATE_CORPUS_FILE, CorpusFollowerPermission.UPDATE_CORPUS_FILE,
CorpusFollowerPermission.REMOVE_CORPUS_FILE, CorpusFollowerPermission.REMOVE_CORPUS_FILE,
CorpusFollowerPermission.GENERATE_SHARE_LINK, CorpusFollowerPermission.ADD_FOLLOWER,
CorpusFollowerPermission.REMOVE_FOLLOWER, CorpusFollowerPermission.UPDATE_FOLLOWER,
CorpusFollowerPermission.UPDATE_FOLLOWER CorpusFollowerPermission.REMOVE_FOLLOWER
] ]
} }
default_role_name = 'Viewer' default_role_name = 'Viewer'