Revision c5b0bbb7 snf-astakos-app/astakos/im/functions.py

b/snf-astakos-app/astakos/im/functions.py
346 346
        raise ProjectNotFound(m)
347 347

  
348 348

  
349
def checkAllowed(entity, request_user, admin_only=False):
350
    if isinstance(entity, Project):
351
        application = entity.application
352
    elif isinstance(entity, ProjectApplication):
353
        application = entity
354
    else:
355
        m = "%s not a Project nor a ProjectApplication" % (entity,)
356
        raise ValueError(m)
357

  
358
    if not request_user or request_user.is_project_admin():
359
        return
349
ALLOWED_CHECKS = [
350
    (lambda u, a: not u or u.is_project_admin()),
351
    (lambda u, a: a.owner == u),
352
    (lambda u, a: a.applicant == u),
353
    (lambda u, a: a.chain.overall_state() == Project.O_ACTIVE
354
     or bool(a.chain.projectmembership_set.any_accepted().filter(person=u))),
355
]
356

  
357
ADMIN_LEVEL = 0
358
OWNER_LEVEL = 1
359
APPLICANT_LEVEL = 2
360
ANY_LEVEL = 3
361

  
362

  
363
def _check_yield(b, silent=False):
364
    if b:
365
        return True
360 366

  
361
    if not admin_only and application.owner == request_user:
362
        return
367
    if silent:
368
        return False
363 369

  
364 370
    m = _(astakos_messages.NOT_ALLOWED)
365 371
    raise ProjectForbidden(m)
366 372

  
367 373

  
374
def membership_check_allowed(membership, request_user,
375
                             level=OWNER_LEVEL, silent=False):
376
    r = project_check_allowed(
377
        membership.project, request_user, level, silent=True)
378

  
379
    return _check_yield(r or membership.person == request_user, silent)
380

  
381

  
382
def project_check_allowed(project, request_user,
383
                          level=OWNER_LEVEL, silent=False):
384
    return app_check_allowed(project.application, request_user, level, silent)
385

  
386

  
387
def app_check_allowed(application, request_user,
388
                      level=OWNER_LEVEL, silent=False):
389
    checks = (f(request_user, application) for f in ALLOWED_CHECKS[:level+1])
390
    return _check_yield(any(checks), silent)
391

  
392

  
368 393
def checkAlive(project):
369 394
    if not project.is_alive:
370 395
        m = _(astakos_messages.NOT_ALIVE_PROJECT) % project.id
......
372 397

  
373 398

  
374 399
def accept_membership_project_checks(project, request_user):
375
    checkAllowed(project, request_user)
400
    project_check_allowed(project, request_user)
376 401
    checkAlive(project)
377 402

  
378 403
    join_policy = project.application.member_join_policy
......
414 439
        raise ProjectConflict(m)
415 440

  
416 441
    project = membership.project
417
    checkAllowed(project, request_user)
442
    project_check_allowed(project, request_user)
418 443
    checkAlive(project)
419 444

  
420 445

  
......
436 461
        m = _(astakos_messages.NOT_MEMBERSHIP_REQUEST)
437 462
        raise ProjectConflict(m)
438 463

  
439
    if membership.person != request_user:
440
        msg = _(astakos_messages.NOT_ALLOWED)
441
        raise ProjectForbidden(msg)
442

  
464
    membership_check_allowed(membership, request_user, level=ADMIN_LEVEL)
443 465
    project = membership.project
444 466
    checkAlive(project)
445 467

  
......
459 481
        raise ProjectConflict(m)
460 482

  
461 483
    project = membership.project
462
    checkAllowed(project, request_user)
484
    project_check_allowed(project, request_user)
463 485
    checkAlive(project)
464 486

  
465 487
    leave_policy = project.application.member_leave_policy
......
513 535
        m = _(astakos_messages.NOT_ACCEPTED_MEMBERSHIP)
514 536
        raise ProjectConflict(m)
515 537

  
516
    if membership.person != request_user:
517
        msg = _(astakos_messages.NOT_ALLOWED)
518
        raise ProjectForbidden(msg)
519

  
538
    membership_check_allowed(membership, request_user, level=ADMIN_LEVEL)
520 539
    project = membership.project
521 540
    checkAlive(project)
522 541

  
......
649 668
    project = None
650 669
    if project_id is not None:
651 670
        project = get_project_for_update(project_id)
652

  
653
        if (request_user and
654
            (not project.application.owner == request_user and
655
             not request_user.is_superuser
656
             and not request_user.is_project_admin())):
657
            m = _(astakos_messages.NOT_ALLOWED)
658
            raise ProjectForbidden(m)
671
        project_check_allowed(project, request_user, level=APPLICANT_LEVEL)
659 672

  
660 673
    policies = validate_resource_policies(resources)
661 674

  
......
744 757
def cancel_application(application_id, request_user=None, reason=""):
745 758
    get_project_of_application_for_update(application_id)
746 759
    application = get_application(application_id)
747
    checkAllowed(application, request_user)
760
    app_check_allowed(application, request_user, level=APPLICANT_LEVEL)
748 761

  
749 762
    if not application.can_cancel():
750 763
        m = _(astakos_messages.APPLICATION_CANNOT_CANCEL %
......
760 773
def dismiss_application(application_id, request_user=None, reason=""):
761 774
    get_project_of_application_for_update(application_id)
762 775
    application = get_application(application_id)
763
    checkAllowed(application, request_user)
776
    app_check_allowed(application, request_user, level=APPLICANT_LEVEL)
764 777

  
765 778
    if not application.can_dismiss():
766 779
        m = _(astakos_messages.APPLICATION_CANNOT_DISMISS %
......
775 788
    get_project_of_application_for_update(application_id)
776 789
    application = get_application(application_id)
777 790

  
778
    checkAllowed(application, request_user, admin_only=True)
791
    app_check_allowed(application, request_user, level=ADMIN_LEVEL)
779 792

  
780 793
    if not application.can_deny():
781 794
        m = _(astakos_messages.APPLICATION_CANNOT_DENY %
......
809 822
    project = get_project_of_application_for_update(app_id)
810 823
    application = get_application(app_id)
811 824

  
812
    checkAllowed(application, request_user, admin_only=True)
825
    app_check_allowed(application, request_user, level=ADMIN_LEVEL)
813 826

  
814 827
    if not application.can_approve():
815 828
        m = _(astakos_messages.APPLICATION_CANNOT_APPROVE %
......
850 863

  
851 864
def terminate(project_id, request_user=None):
852 865
    project = get_project_for_update(project_id)
853
    checkAllowed(project, request_user, admin_only=True)
866
    project_check_allowed(project, request_user, level=ADMIN_LEVEL)
854 867
    checkAlive(project)
855 868

  
856 869
    project.terminate()
......
862 875

  
863 876
def suspend(project_id, request_user=None):
864 877
    project = get_project_for_update(project_id)
865
    checkAllowed(project, request_user, admin_only=True)
878
    project_check_allowed(project, request_user, level=ADMIN_LEVEL)
866 879
    checkAlive(project)
867 880

  
868 881
    project.suspend()
......
874 887

  
875 888
def resume(project_id, request_user=None):
876 889
    project = get_project_for_update(project_id)
877
    checkAllowed(project, request_user, admin_only=True)
890
    project_check_allowed(project, request_user, level=ADMIN_LEVEL)
878 891

  
879 892
    if not project.is_suspended:
880 893
        m = _(astakos_messages.NOT_SUSPENDED_PROJECT) % project.id

Also available in: Unified diff