From 3dfab4615a0753b4309c1371f292a99e9f77c717 Mon Sep 17 00:00:00 2001
From: Branson Stephens <branson.stephens@ligo.org>
Date: Thu, 6 Aug 2015 12:52:40 -0500
Subject: [PATCH] Fixed bug with permissions button.

---
 gracedb/api.py   | 53 +++++++++++++++++++++++++++++++-
 gracedb/views.py | 79 ++++++++++++++++++++++++++++--------------------
 2 files changed, 98 insertions(+), 34 deletions(-)

diff --git a/gracedb/api.py b/gracedb/api.py
index 198fdb398..a4a7c5171 100644
--- a/gracedb/api.py
+++ b/gracedb/api.py
@@ -1329,7 +1329,30 @@ class GroupEventPermissionDetail(APIView):
                 object_pk=event.id, 
                 group=group,
                 permission=permission)        
+            event.refresh_perms()
             # Add this gop to the return dictionary
+
+            # XXX if the event is a subclass, we need to create perms on the
+            # underlying event as well.
+            # XXX Is this bad? It sort of feels like a side-effect.
+            if not type(event) is Event:
+                # how to get the permission object?
+                shortname = permission.codename.split('_')[0]
+                underlying_event = Event.objects.get(id=event.id)
+                underlying_model = underlying_event.__class__.__name__.lower()
+                codename = shortname + '_' + underlying_model
+                try:
+                    underlying_permission = Permission.objects.get(codename=codename)
+                except Permission.DoesNotExist:
+                    msg = "Problem creating permission: Could not find underlying event perm."
+                    return Response(msg, status = status.HTTP_500_INTERNAL_SERVER_ERROR) 
+                ugop, ucreated = GroupObjectPermission.objects.get_or_create(
+                    content_type=getContentType(underlying_event),
+                    object_pk=underlying_event.id, 
+                    group=group,
+                    permission=underlying_permission)        
+                underlying_event.refresh_perms()
+
         except Exception, e:
             # We're gonna blame the user here.
             return Response("Problem creating permission: %" % str(e), 
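Review bot: The broad handler that closes this hunk formats its message with `"Problem creating permission: %" % str(e)`, an incomplete format specifier that raises ValueError inside the except block. Any failure in the newly added underlying-event code (for example `Event.objects.get`) therefore escapes as an unhandled error instead of the intended response; it should read `"Problem creating permission: %s" % str(e)`, as the delete path does. The added block also runs after the subclass-level permission object has apparently been written by the call ending just above it, so the early return on `Permission.DoesNotExist` leaves the subclass and the underlying Event with different grants. Resolving `underlying_permission` before the first write, or wrapping both writes in one transaction, keeps them consistent. The try block starts above the hunk and the handler's call continues below it.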
@@ -1362,10 +1385,38 @@ class GroupEventPermissionDetail(APIView):
                 object_pk=event.id, 
                 group=group,
                 permission=permission)        
+            gop.delete()
+            event.refresh_perms()
+
+            # XXX if the event is a subclass, we need to delete perms on the
+            # underlying event as well.
+            # XXX Is this bad? It sort of feels like a side-effect.
+            if not type(event) is Event:
+                # how to get the permission object?
+                shortname = permission.codename.split('_')[0]
+                underlying_event = Event.objects.get(id=event.id)
+                underlying_model = underlying_event.__class__.__name__.lower()
+                codename = shortname + '_' + underlying_model
+                try:
+                    underlying_permission = Permission.objects.get(codename=codename)
+                except Permission.DoesNotExist:
+                    msg = "Problem creating permission: Could not find underlying event perm."
+                    return Response(msg, status = status.HTTP_500_INTERNAL_SERVER_ERROR) 
+                ugop = GroupObjectPermission.objects.get(
+                    content_type=getContentType(underlying_event),
+                    object_pk=underlying_event.id, 
+                    group=group,
+                    permission=underlying_permission)        
+                ugop.delete()
+                underlying_event.refresh_perms()
+           
         except GroupObjectPermission.DoesNotExist:
             return Response("GroupObjectPermission not found.", 
                 status=status.HTTP_404_NOT_FOUND)
-        gop.delete()
+        except Exception, e:
+            return Response("Problem deleting permission: %s" % str(e), 
+                status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+
         rv = {'message': 'Permission successfully deleted.'}
         return Response(rv, status=status.HTTP_200_OK)            
 
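Review bot: Revocation can stop half way, because `gop.delete()` now runs before `underlying_permission` and `ugop` are looked up. If `Permission.objects.get` fails, the request returns 500 with the subclass permission already removed and any permission on the underlying Event still in place; if `ugop` is missing, the client gets a 404 although a deletion did happen. Look up both objects first and delete only once both lookups succeed, or run the two deletes in one transaction, so a failed request changes nothing. The copied `Permission.DoesNotExist` message should read `msg = "Problem deleting permission: Could not find underlying event perm."`. The new generic handler also returns `str(e)` to the client; logging the exception and returning a fixed message avoids exposing internal error text.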
diff --git a/gracedb/views.py b/gracedb/views.py
index 358c174d6..3496f0441 100644
--- a/gracedb/views.py
+++ b/gracedb/views.py
@@ -662,36 +662,8 @@ def file_list(request, event):
 # log messages.) If the action is 'protect', both of these
 # permissions are removed for the group in question.
 #
-@event_and_auth_required
-def modify_permissions(request, event):
-    # Get group_name and action from POST
-    if not request.method=='POST':
-        msg = 'Modify_permissions only allows POST.'
-        return HttpResponseBadRequest(msg)
-
-    group_name = request.POST.get('group_name', None)
-    action     = request.POST.get('action', None)
-
-    if not group_name or not action:
-        msg = 'Modify_permissons requires both group_name and action in POST.'
-        return HttpResponseBadRequest(msg)
-
-    # Make sure the user is authorized.
-    if action=='expose':
-        if not request.user.has_perm('guardian.add_groupobjectpermission'):
-            msg = "You aren't authorized to create permission objects."
-            return HttpResponseForbidden(msg)
-    elif action=='protect':
-        if not request.user.has_perm('guardian.delete_groupobjectpermission'):
-            msg = "You aren't authorized to delete permission objects."
-            return HttpResponseForbidden(msg)
-
-    # Get the group
-    try:
-        g = AuthGroup.objects.get(name=group_name)
-    except Group.DoesNotExist:
-        return HttpResponseNotFound('Group not found')
 
+def update_event_perms_for_group(event, group, action):
     # Get the content type out
     model_name = event.__class__.__name__.lower()
     ctype = ContentType.objects.get(app_label='gracedb', model=model_name)
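Review bot: `update_event_perms_for_group` has no docstring and, unlike the view it was extracted from, does no authorization check and no validation of `action`, which a later caller cannot tell from the signature. Add a docstring such as `"""Grant ('expose') or revoke ('protect') the view and change permissions on event for group. Performs no authorization; callers must check the user's rights first."""`. The comment block kept directly above it still describes the `modify_permissions` view and should move down to that function. The function body continues outside this hunk.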
@@ -704,17 +676,17 @@ def modify_permissions(request, event):
     if action=='expose':
         # Create two group object permissions
         GroupObjectPermission.objects.get_or_create(
-            content_type=ctype, group=g, permission=view,
+            content_type=ctype, group=group, permission=view,
             object_pk=event.id)
         GroupObjectPermission.objects.get_or_create(
-            content_type=ctype, group=g, permission=change,
+            content_type=ctype, group=group, permission=change,
             object_pk=event.id)
     elif action=='protect':
         # Retrieve both group object permissions
         # Delete them
         try:
             gop = GroupObjectPermission.objects.get(
-                content_type=ctype, group=g, permission=change,
+                content_type=ctype, group=group, permission=change,
                 object_pk=event.id)
             gop.delete()
         except GroupObjectPermission.DoesNotExist:
@@ -722,16 +694,57 @@ def modify_permissions(request, event):
             pass
         try:
             gop = GroupObjectPermission.objects.get(
-                content_type=ctype, group=g, permission=view,
+                content_type=ctype, group=group, permission=view,
                 object_pk=event.id)
             gop.delete()
         except GroupObjectPermission.DoesNotExist:
             # Couldn't find it. Take no action.
             pass
+
+    # lastly 
+    event.refresh_perms()
+
+@event_and_auth_required
+def modify_permissions(request, event):
+    # Get group_name and action from POST
+    if not request.method=='POST':
+        msg = 'Modify_permissions only allows POST.'
+        return HttpResponseBadRequest(msg)
+
+    group_name = request.POST.get('group_name', None)
+    action     = request.POST.get('action', None)
+
+    if not group_name or not action:
+        msg = 'Modify_permissons requires both group_name and action in POST.'
+        return HttpResponseBadRequest(msg)
+
+    # Make sure the user is authorized.
+    if action=='expose':
+        if not request.user.has_perm('guardian.add_groupobjectpermission'):
+            msg = "You aren't authorized to create permission objects."
+            return HttpResponseForbidden(msg)
+    elif action=='protect':
+        if not request.user.has_perm('guardian.delete_groupobjectpermission'):
+            msg = "You aren't authorized to delete permission objects."
+            return HttpResponseForbidden(msg)
     else:
         msg = "Unknown action. Choices are 'expose' and 'protect'."
         return HttpResponseBadRequest(msg)
 
+    # Get the group
+    try:
+        g = AuthGroup.objects.get(name=group_name)
+    except Group.DoesNotExist:
+        return HttpResponseNotFound('Group not found')
+
+    update_event_perms_for_group(event, g, action)
+
+    # In case this is a subclass, let's check and assign default
+    # perms on the underlying Event as well.
+    if not type(event) is Event:
+        underlying_event = Event.objects.get(id=event.id)
+        update_event_perms_for_group(underlying_event, g, action)
+
     # Finished. Redirect back to the event.
     return HttpResponseRedirect(reverse("view", args=[event.graceid()]))
 
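Review bot: In the re-added `modify_permissions`, the group lookup calls `AuthGroup.objects.get` but the handler catches `Group.DoesNotExist`. Unless `Group` and `AuthGroup` name the same model (the imports are outside the patch), an unknown `group_name` will not yield the intended 404 and the exception will propagate instead; catch the exception of the class actually queried, `except AuthGroup.DoesNotExist:`. The two `update_event_perms_for_group` calls are separate writes, so a failure in the second leaves the subclass and the underlying Event with different permissions. Running both in one transaction would avoid that.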
-- 
GitLab