Merge pull request #832 from onaio/readonly-perms-fix
added can view xform all perm to readonly
Showing
3 changed files
with
133 additions
and
2 deletions.
122 changes: 122 additions & 0 deletions
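--- a/onadata/apps/api/management/commands/fix_readonly_role_perms.py
+++ b/onadata/apps/api/management/commands/fix_readonly_role_perms.py
@@ -0,0 +1,122 @@
+from guardian.shortcuts import get_perms
+
+from django.core.management.base import BaseCommand, CommandError
+from django.contrib.auth.models import User
+from django.utils.translation import gettext as _
+from django.conf import settings
+from onadata.apps.api.models import Team
+
+
+from onadata.libs.permissions import ReadOnlyRole, DataEntryRole,\
+EditorRole, ManagerRole, OwnerRole, ReadOnlyRoleNoDownload,\
+DataEntryOnlyRole, DataEntryMinorRole, EditorMinorRole
+from onadata.libs.utils.model_tools import queryset_iterator
+
+
+class Command(BaseCommand):
+args = '<app model [created_perm] >'
+help = _(u"Reassign permission to the model when permissions are changed")
+
+def handle(self, *args, **options):
+self.stdout.write("Re-assigining started", ending='\n')
+
+if not args:
+raise CommandError('Param not set. <app model [created_perm]>')
+
+if len(args) < 3:
+raise CommandError('Param not set. <app model [created_perm]>')
+
+app = args[0]
+model = args[1]
+username = args[2]
+new_perms = list(args[3:])
+
+if username == "all":
+users = User.objects.exclude(
+username__iexact=settings.ANONYMOUS_DEFAULT_USERNAME
+)
+
+teams = Team.objects.all()
+else:
+users = User.objects.filter(username=username)
+teams = Team.objects.filter(organization__username=username)
+# Get all the users
+for user in queryset_iterator(users):
+self.reassign_perms(user, app, model, new_perms)
+
+for team in queryset_iterator(teams):
+self.reassign_perms(team, app, model, new_perms)
+
+self.stdout.write("Re-assigining finished", ending='\n')
+
+def reassign_perms(self, user, app, model, new_perm):
+"""
+Gets all the permissions the user has on objects and assigns the new
+permission to them
+:param user:
+:param app:
+:param model:
+:param new_perm:
+:return:
+"""
+
+# Get the unique permission model objects filtered by content type
+# for the user
+if isinstance(user, Team):
+if model == "project":
+objects = user.projectgroupobjectpermission_set.filter(
+group_id=user.pk).distinct('content_object_id')
+else:
+objects = user.xformgroupobjectpermission_set.filter(
+group_id=user.pk).distinct('content_object_id')
+else:
+if model == 'project':
+objects = user.projectuserobjectpermission_set.all()
+else:
+objects = user.xformuserobjectpermission_set.all()
+
+for perm_obj in objects:
+obj = perm_obj.content_object
+ROLES = [ReadOnlyRoleNoDownload,
+ReadOnlyRole,
+DataEntryOnlyRole,
+DataEntryMinorRole,
+DataEntryRole,
+EditorMinorRole,
+EditorRole,
+ManagerRole,
+OwnerRole]
+
+# For each role reassign the perms
+for role_class in reversed(ROLES):
+# want to only process for readonly perms
+if role_class.user_has_role(user, obj) or role_class \
+not in [ReadOnlyRoleNoDownload, ReadOnlyRole]:
+continue
+
+if self.check_role(role_class, user, obj, new_perm):
+# If true
+role_class.add(user, obj)
+break
+
+def check_role(self, role_class, user, obj, new_perm=[]):
+"""
+Test if the user has the role for the object provided
+:param role_class:
+:param user:
+:param obj:
+:param new_perm:
+:return:
+"""
+# remove the new permission because the old model doesnt have it
+perm_list = role_class.class_to_permissions[type(obj)]
+old_perm_set = set(perm_list)
+newly_added_perm = set(new_perm)
+
+if newly_added_perm.issubset(old_perm_set):
+diff_set = old_perm_set.difference(newly_added_perm)
+
+if isinstance(user, Team):
+return set(get_perms(user, obj)) == diff_set
+
+return user.has_perms(list(diff_set), obj)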
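Review bot: In `check_role` the two branches test different things: a Team must match exactly (`set(get_perms(user, obj)) == diff_set`), while a user only has to hold at least those permissions (`user.has_perms(list(diff_set), obj)`), so a user with a wider permission set on the object also matches and `reassign_perms` then calls `role_class.add(user, obj)` with a read-only role. What `add` does to permissions the user already holds is not visible here; if it replaces them, that call narrows access, so I would use the exact comparison for users too or document why the superset test is intended. `diff_set` is assigned only under `if newly_added_perm.issubset(old_perm_set):` and indentation is lost on this page, so either the returns below it can run with `diff_set` unbound or the function falls through returning `None`; an explicit `return False` for the non-subset case (the names come straight from `args[3:]`) makes that path deliberate. `new_perm=[]` is a mutable default and is better written `new_perm=None`.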