X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=planetstack%2Fcore%2Fmodels%2Fuser.py;h=5a73ad77719a0bbba7bf6cbf3b047e5e0813f9fd;hb=e3c1443a080a80b287c7d2b3baca902817d31d73;hp=eec0927b7cb28df6e5715aba3c55d5aff634d560;hpb=1dc35b42a628c1a987117033139646c1e7b745a0;p=plstackapi.git

diff --git a/planetstack/core/models/user.py b/planetstack/core/models/user.py
index eec0927..5a73ad7 100644
--- a/planetstack/core/models/user.py
+++ b/planetstack/core/models/user.py
@@ -3,13 +3,15 @@ import datetime
 from collections import defaultdict
 from django.db import models
 from django.db.models import F, Q
-from core.models import PlCoreBase,Site, DashboardView
+from core.models import PlCoreBase,Site, DashboardView, DiffModelMixIn
 from core.models.site import Deployment
 from django.contrib.auth.models import AbstractBaseUser, BaseUserManager
 from timezones.fields import TimeZoneField
 from operator import itemgetter, attrgetter
 from django.core.mail import EmailMultiAlternatives
 from core.middleware import get_request
+import model_policy
+from django.core.exceptions import PermissionDenied
 
 # Create your models here.
 class UserManager(BaseUserManager):
@@ -47,10 +49,14 @@ class UserManager(BaseUserManager):
         return user
 
 class DeletedUserManager(UserManager):
-    def get_query_set(self):
+    def get_queryset(self):
         return super(UserManager, self).get_query_set().filter(deleted=True)
 
-class User(AbstractBaseUser):
+    # deprecated in django 1.7 in favor of get_queryset()
+    def get_query_set(self):
+        return self.get_queryset()
+
+class User(AbstractBaseUser, DiffModelMixIn):
     class Meta:
         app_label = "core"
 
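Review bot: `import model_policy` is added to the module imports but nothing in the new code of this diff references the name, so it appears to be either a leftover or an import made for its side effects; if it is the latter, a comment such as `# imported for side effects: registers model policies` would make that explicit, otherwise it should be dropped. Since core.models imports this module and model_policy presumably imports core.models in turn, an unused top-level import here also risks an import cycle — worth confirming against model_policy.py.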
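Review bot: The renamed `get_queryset` still reaches the parent through the deprecated name, `super(UserManager, self).get_query_set()`, so the Django 1.7 warning the rename was meant to silence is now raised from inside the new method, and the call breaks outright once the old name is removed in a later release; it should read `return super(UserManager, self).get_queryset().filter(deleted=True)`. The `super(UserManager, self)` target deliberately skips UserManager's own queryset method, which looks intended (presumably UserManager hides deleted rows), but a one-line comment saying so would stop the next reader from "fixing" it to `super(DeletedUserManager, self)`.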
@@ -94,6 +100,13 @@ class User(AbstractBaseUser):
     USERNAME_FIELD = 'email'
     REQUIRED_FIELDS = ['firstname', 'lastname']
 
+    PI_FORBIDDEN_FIELDS = ["is_admin", "site", "is_staff"]
+    USER_FORBIDDEN_FIELDS = ["is_admin", "is_active", "site", "is_staff", "is_readonly"]
+
+    def __init__(self, *args, **kwargs):
+        super(User, self).__init__(*args, **kwargs)
+        self._initial = self._dict # for DiffModelMixIn
+
     def isReadOnlyUser(self):
         return self.is_readonly
 
@@ -177,17 +190,44 @@ class User(AbstractBaseUser):
         self.username = self.email
         super(User, self).save(*args, **kwds)
 
+        self._initial = self._dict
+
     def send_temporary_password(self):
         password = User.objects.make_random_password()
         self.set_password(password)
         subject, from_email, to = 'OpenCloud Account Credentials', 'support@opencloud.us', str(self.email)
         text_content = 'This is an important message.'
-        userUrl=get_request().META['HTTP_ORIGIN']
+        userUrl="http://%s/" % get_request().get_host()
         html_content = """
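Review bot: `PI_FORBIDDEN_FIELDS` and `USER_FORBIDDEN_FIELDS` are denylists, so every field not named in them is writable by a site PI on any user of the site (and by a user on themselves) through the can_update check added later in this diff, which only compares these lists against the keys of self.diff; in particular `password` (inherited from AbstractBaseUser), `email` (which doubles as USERNAME_FIELD) and `deleted` (the flag DeletedUserManager filters on) are absent from the PI list, so a PI could rewrite another user's password hash or login name unless that is intended. Consider `PI_FORBIDDEN_FIELDS = ["is_admin", "site", "is_staff", "password", "email", "deleted"]`, or better an allowlist of the fields a PI may touch, so that a sensitive field added later is closed by default rather than open. A comment above the two lists stating that they are consulted by can_update against self.diff, and that anything not listed is editable, would document the policy for the next person adding a field.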

Your account has been created on OpenCloud. Please log in here to activate your account

Username: """+self.email+"""
Temporary Password: """+password+"""
Please change your password once you successully login into the site.

""" msg = EmailMultiAlternatives(subject,text_content, from_email, [to]) msg.attach_alternative(html_content, "text/html") msg.send() + def can_update(self, user): + from core.models import SitePrivilege + _cant_update_fieldName = None + if user.is_readonly: + return False + if user.is_admin: + return True + # site pis can update + site_privs = SitePrivilege.objects.filter(user=user, site=self.site) + for site_priv in site_privs: + if site_priv.role.role == 'pi': + for fieldName in self.diff.keys(): + if fieldName in self.PI_FORBIDDEN_FIELDS: + _cant_update_fieldName = fieldName + return False + return True + if (user.id == self.id): + for fieldName in self.diff.keys(): + if fieldName in self.USER_FORBIDDEN_FIELDS: + _cant_update_fieldName = fieldName + return False + return True + + return False + @staticmethod def select_by_user(user): if user.is_admin: @@ -203,6 +243,20 @@ class User(AbstractBaseUser): qs = User.objects.filter(Q(site__in=sites) | Q(id__in=user_ids)) return qs + def save_by_user(self, user, *args, **kwds): + if not self.can_update(user): + if getattr(self, "_cant_update_fieldName", None) is not None: + raise PermissionDenied("You do not have permission to update field %s on object %s" % (self._cant_update_fieldName, self.__class__.__name__)) + else: + raise PermissionDenied("You do not have permission to update %s objects" % self.__class__.__name__) + + self.save(*args, **kwds) + + def delete_by_user(self, user, *args, **kwds): + if not self.can_update(user): + raise PermissionDenied("You do not have permission to delete %s objects" % self.__class__.__name__) + self.delete(*args, **kwds) + class UserDashboardView(PlCoreBase): user = models.ForeignKey(User, related_name="dashboardViews") dashboardView = models.ForeignKey(DashboardView, related_name="dashboardViews")