Skip to content

permissions#

DatasetAccessPolicy#

Bases: BaseAccessPolicy

Source code in src/apps/core/permissions.py 
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
class DatasetAccessPolicy(BaseAccessPolicy):
    statements = [
        {
            "action": [
                "update",
                "destroy",
                "partial_update",
                "new_version",
                "create_draft",
                "publish",
            ],
            "principal": "authenticated",
            "effect": "allow",
            "condition": "is_edit_allowed",
        },
        {
            "action": "convert_from_legacy",
            "principal": "*",
            "effect": "allow",
        },
        {
            # Note that there is no actual "download" action in the viewset at the moment.
            "action": ["<op:download>"],
            "principal": "*",
            "effect": "allow",
            "condition": "is_download_allowed",
        },
        {
            "action": ["<op:custom_metadata_owner>"],
            "principal": "group:service",
            "effect": "allow",
        },
        {
            "action": ["<op:flush>"],  # hard delete dataset
            "effect": "allow",
            "principal": "authenticated",
            "condition": ["is_edit_allowed", "is_flush_allowed"],
        },
        {
            "action": ["create"],
            "principal": "authenticated",
            "effect": "allow",  # Catalog permission checked in viewset perform_create
        },
    ] + BaseAccessPolicy.statements

    def is_edit_allowed(self, request, view, action) -> bool:
        dataset = view.get_object()
        return dataset.has_permission_to_edit(request.user)

    def is_flush_allowed(self, request, view, action) -> bool:
        dataset = view.get_object()
        if dataset.state == "draft":
            return True  # Drafts are always hard deleted
        if catalog := dataset.data_catalog:
            # Hard delete is allowed for catalog admins in harvested catalogs
            return catalog.harvested and DataCatalogAccessPolicy().query_object_permission(
                user=request.user, object=catalog, action="<op:admin_dataset>"
            )
        return False

    def is_metadata_owner(self, request, view, action) -> bool:
        dataset = view.get_object()
        logger.info(request.user)
        if dataset.metadata_owner:
            return request.user == dataset.metadata_owner.user
        else:
            return False

    def is_download_allowed(self, request, view, action) -> bool:
        dataset = view.get_object()
        if access_rights := dataset.access_rights:
            return access_rights.is_data_available(request, dataset)
        return False

    @classmethod
    def scope_queryset(cls, request, queryset):
        from .models import Dataset

        if (q := super().scope_queryset(request, queryset)) is not None:
            return q
        elif request.user.is_anonymous:
            return queryset.filter(state=Dataset.StateChoices.PUBLISHED)
        groups = request.user.groups.all()
        return queryset.filter(
            Q(state=Dataset.StateChoices.PUBLISHED)
            | Q(metadata_owner__user=request.user)
            | Q(system_creator=request.user)
            | Q(data_catalog__dataset_groups_admin__in=groups)
        ).distinct()

    @classmethod
    def scope_queryset_owned_or_shared(cls, request, queryset):
        from .models import Dataset

        if request.user.is_anonymous:
            return Dataset.available_objects.none()
        return queryset.filter(metadata_owner__user=request.user)

DataCatalogAccessPolicy#

Bases: BaseAccessPolicy

Source code in src/apps/core/permissions.py 
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
class DataCatalogAccessPolicy(BaseAccessPolicy):
    statements = [
        {
            "action": ["create"],
            "principal": "group:service",
            "effect": "allow",
        },
        {
            "action": ["update", "partial_update", "destroy"],
            "principal": "group:service",
            "effect": "allow",
            "condition": "is_system_creator",
        },
        {
            "action": ["<op:create_dataset>"],
            "principal": "authenticated",
            "effect": "allow",
            "condition": "is_creating_datasets_allowed",
        },
        {
            "action": ["<op:admin_dataset>"],
            "principal": "authenticated",
            "effect": "allow",
            "condition": "is_dataset_admin",
        },
    ] + BaseAccessPolicy.statements

    def is_creating_datasets_allowed(self, request, view, action) -> bool:
        """Return True if user is allowed to create datasets in this catalog."""
        user = request.user
        if user.is_superuser:
            return True

        catalog = view.get_object()
        user_groups = user.groups.all()
        return catalog.dataset_groups_create.intersection(user_groups).exists()

    def is_dataset_admin(self, request, view, action) -> bool:
        """Return True if user is allowed to edit all datasets in this catalog."""
        user = request.user
        if user.is_superuser:
            return True

        catalog = view.get_object()
        user_groups = user.groups.all()
        return catalog.dataset_groups_admin.intersection(user_groups).exists()

is_creating_datasets_allowed(request, view, action) #

Return True if user is allowed to create datasets in this catalog.

Source code in src/apps/core/permissions.py 
136
137
138
139
140
141
142
143
144
def is_creating_datasets_allowed(self, request, view, action) -> bool:
    """Return True if user is allowed to create datasets in this catalog."""
    user = request.user
    if user.is_superuser:
        return True

    catalog = view.get_object()
    user_groups = user.groups.all()
    return catalog.dataset_groups_create.intersection(user_groups).exists()

is_dataset_admin(request, view, action) #

Return True if user is allowed to edit all datasets in this catalog.

Source code in src/apps/core/permissions.py 
146
147
148
149
150
151
152
153
154
def is_dataset_admin(self, request, view, action) -> bool:
    """Return True if user is allowed to edit all datasets in this catalog."""
    user = request.user
    if user.is_superuser:
        return True

    catalog = view.get_object()
    user_groups = user.groups.all()
    return catalog.dataset_groups_admin.intersection(user_groups).exists()

LegacyDatasetAccessPolicy#

Bases: BaseAccessPolicy

Source code in src/apps/core/permissions.py 
157
158
159
160
161
162
163
164
class LegacyDatasetAccessPolicy(BaseAccessPolicy):
    statements = [
        {
            "action": ["create", "update", "partial_update", "destroy"],
            "principal": "group:v2_migration",
            "effect": "allow",
        },
    ] + BaseAccessPolicy.statements

DatasetNestedAccessPolicy#

Bases: BaseAccessPolicy

Source code in src/apps/core/permissions.py 
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
class DatasetNestedAccessPolicy(BaseAccessPolicy):
    statements = [
        {
            "action": ["create", "update", "partial_update", "destroy"],
            "principal": "authenticated",
            "effect": "allow",
            "condition": "is_dataset_owner",
        },
    ] + BaseAccessPolicy.statements

    def is_dataset_owner(self, request, view, action) -> bool:
        dataset = view.get_dataset_instance()
        if not dataset.metadata_owner:
            return request.user == dataset.system_creator
        else:
            return (
                request.user == dataset.metadata_owner.user
                or request.user == dataset.system_creator
            )

ContractAccessPolicy#

Bases: BaseAccessPolicy

Source code in src/apps/core/permissions.py 
188
189
class ContractAccessPolicy(BaseAccessPolicy):
    pass