X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=planetstack%2Fcore%2Fmodels%2Fuser.py;h=1b3be299fc93fcc12ae7eb52b4ae41cd07202e14;hb=152956fa175a51f53265e6a072f754dad5929843;hp=9b54da9858060c760888d779ca03c2713b4222bc;hpb=e3ab5c3450f682b1315726fce8add6f5eddd872f;p=plstackapi.git diff --git a/planetstack/core/models/user.py b/planetstack/core/models/user.py index 9b54da9..1b3be29 100644 --- a/planetstack/core/models/user.py +++ b/planetstack/core/models/user.py @@ -13,6 +13,20 @@ from core.middleware import get_request import model_policy from django.core.exceptions import PermissionDenied +# ------ from plcorebase.py ------ +try: + # This is a no-op if observer_disabled is set to 1 in the config file + from observer import * +except: + print >> sys.stderr, "import of observer failed! printing traceback and disabling observer:" + import traceback + traceback.print_exc() + + # guard against something failing + def notify_observer(*args, **kwargs): + pass +# ------ ------ + # Create your models here. class UserManager(BaseUserManager): def create_user(self, email, firstname, lastname, password=None): @@ -100,6 +114,9 @@ class User(AbstractBaseUser, DiffModelMixIn): USERNAME_FIELD = 'email' REQUIRED_FIELDS = ['firstname', 'lastname'] + PI_FORBIDDEN_FIELDS = ["is_admin", "site", "is_staff"] + USER_FORBIDDEN_FIELDS = ["is_admin", "is_active", "site", "is_staff", "is_readonly"] + def __init__(self, *args, **kwargs): super(User, self).__init__(*args, **kwargs) self._initial = self._dict # for DiffModelMixIn 
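Review bot: The bare `except:` around `from observer import *` catches every exception, including `SystemExit` and `KeyboardInterrupt`, and then replaces `notify_observer` with a no-op, so a broken observer shows up only on stderr; narrow it to `except Exception:`. The handler writes to `sys.stderr`, but no `import sys` is visible in this hunk. If the module does not import it elsewhere, the handler itself raises `NameError`, so add `import sys` next to `import traceback`. The wildcard import also lets `observer` rebind names already imported above in this module (for example `PermissionDenied`); if `notify_observer` is the only name needed, `from observer import notify_observer` avoids that.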
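Review bot: `PI_FORBIDDEN_FIELDS` and `USER_FORBIDDEN_FIELDS` are denylists, so any field added to `User` later is writable by a site PI and by the user themselves until someone lists it here. For privilege-bearing flags, an allowlist of editable fields fails closed instead. If the denylists stay, a comment above them such as `# Fields that may NOT be changed by a site PI / by the user on their own record; add new privilege-related fields here` would make the contract explicit. The two lists differ only in `is_active` and `is_readonly`, so `USER_FORBIDDEN_FIELDS = PI_FORBIDDEN_FIELDS + ["is_active", "is_readonly"]` would keep them from drifting apart.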
@@ -200,38 +217,28 @@ class User(AbstractBaseUser, DiffModelMixIn): msg.attach_alternative(html_content, "text/html") msg.send() - def can_update_field(self, user, fieldName): - from core.models import SitePrivilege - if (user.is_admin): - # admin can update anything - return True - - # fields that a site PI can update - if fieldName in ["is_active", "is_readonly"]: - site_privs = SitePrivilege.objects.filter(user=user, site=self.site) - for site_priv in site_privs: - if site_priv.role.role == 'pi': - return True - - # fields that a user cannot update in his/her own record - if fieldName in ["is_admin", "is_active", "site", "is_staff", "is_readonly"]: - return False - - return True - def can_update(self, user): from core.models import SitePrivilege + _cant_update_fieldName = None if user.is_readonly: return False if user.is_admin: return True - if (user.id == self.id): - return True # site pis can update site_privs = SitePrivilege.objects.filter(user=user, site=self.site) for site_priv in site_privs: if site_priv.role.role == 'pi': + for fieldName in self.diff.keys(): + if fieldName in self.PI_FORBIDDEN_FIELDS: + _cant_update_fieldName = fieldName + return False return True + if (user.id == self.id): + for fieldName in self.diff.keys(): + if fieldName in self.USER_FORBIDDEN_FIELDS: + _cant_update_fieldName = fieldName + return False + return True return False 
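Review bot: `_cant_update_fieldName` is assigned as a local variable in `can_update`, so its value is discarded on return and the `getattr(self, "_cant_update_fieldName", None)` branch in the `save_by_user` hunk can never fire; callers always get the generic message. Store it on the instance instead: `self._cant_update_fieldName = None` at the top and `self._cant_update_fieldName = fieldName` in both loops, which also clears a value left by an earlier rejected save. Separately, the PI branch now runs before the `user.id == self.id` branch, so a PI editing their own record is checked only against `PI_FORBIDDEN_FIELDS` and may change their own `is_active` and `is_readonly`. If that is not intended, test the self-edit case first. `can_update` now also depends on `self.diff`, so its answer changes with the pending edits, which is worth stating in a docstring.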
@@ -252,11 +259,10 @@ class User(AbstractBaseUser, DiffModelMixIn): def save_by_user(self, user, *args, **kwds): if not self.can_update(user): - raise PermissionDenied("You do not have permission to update %s objects" % self.__class__.__name__) - - for fieldName in self.changed_fields: - if not self.can_update_field(user, fieldName): - raise PermissionDenied("You do not have permission to update field %s in object %s" % (fieldName, self.__class__.__name__)) + if getattr(self, "_cant_update_fieldName", None) is not None: + raise PermissionDenied("You do not have permission to update field %s on object %s" % (self._cant_update_fieldName, self.__class__.__name__)) + else: + raise PermissionDenied("You do not have permission to update %s objects" % self.__class__.__name__) self.save(*args, **kwds)
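Review bot: `save_by_user` no longer checks fields itself, so all field-level enforcement now rests on `can_update` reading `self.diff`, and nothing in the method says so. A comment above the check such as `# Field-level rules live in can_update(), which inspects self.diff; this method adds no per-field check of its own` would record the dependency for later maintainers. The `else:` after the first `raise` is redundant and can be dropped so both messages sit at the same indent.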