user.py 3.22 KB
Edit Raw Blame History



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94


# -*- coding: utf8 -*-
# This file is part of PyBossa.
#
# Copyright (C) 2015 SciFabric LTD.
#
# PyBossa is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# PyBossa is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with PyBossa.  If not, see <http://www.gnu.org/licenses/>.
"""
PyBossa api module for domain object USER via an API.

This package adds GET method for:
    * users

"""
from api_base import APIBase
from pybossa.model.user import User
from werkzeug.exceptions import MethodNotAllowed
from flask import request
from flask.ext.login import current_user


class UserAPI(APIBase):

    """
    Class for the domain object User.

    """

    __class__ = User

    # Define private and public fields available through the API
    # (maybe should be defined in the model?) There are fields like password hash
    # that shouldn't be visible even for admins

    # Attributes that are always visible from everyone
    public_attributes = ('locale', 'name')

    # Attributes that are visible only for admins or everyone if the user
    # has privacy_mode disabled
    allowed_attributes = ('name', 'locale', 'fullname', 'created', 'info')

    def _select_attributes(self, user_data):
        privacy = self._is_user_private(user_data)
        for attribute in user_data.keys():
            self._remove_attribute_if_private(attribute, user_data, privacy)
        return user_data

    def _remove_attribute_if_private(self, attribute, user_data, privacy):
        if self._is_attribute_private(attribute, privacy):
            del user_data[attribute]

    def _is_attribute_private(self, attribute, privacy):
        return (attribute not in self.allowed_attributes or
                privacy and attribute not in self.public_attributes)

    def _is_user_private(self, user):
        return not self._is_requesting_own_data(user) and not self._is_requester_admin() and user['privacy_mode']

    def _is_requesting_own_data(self, user):
        return current_user.is_authenticated() and current_user.name == user['name']

    def _is_requester_admin(self):
        return current_user.is_authenticated() and current_user.admin

    def _custom_filter(self, filters):
        if self._private_attributes_in_request() and not self._is_requester_admin():
            filters['privacy_mode'] = False
        return filters

    def _private_attributes_in_request(self):
        for attribute in request.args.keys():
            if (attribute in self.allowed_attributes and
                    attribute not in self.public_attributes):
                return True
        return False

    def post(self):
        raise MethodNotAllowed(valid_methods=['GET'])

    def delete(self, oid=None):
        raise MethodNotAllowed(valid_methods=['GET'])

    def put(self, oid=None):
        raise MethodNotAllowed(valid_methods=['GET'])