Merge pull request CenterForOpenScience#10536 from cslzchen/feature/c…

…edar-bug-fix

[Cedar] Bug-fix: Fix Permission

api/cedar_metadata_records/permissions.py

@@ -14,7 +14,6 @@ class CedarMetadataRecordPermission(permissions.BasePermission):
     def has_object_permission(self, request, view, obj):
 
         assert isinstance(obj, CedarMetadataRecord), 'obj must be a CedarMetadataRecord'
-
         auth = get_user_auth(request)
 
         permission_source = obj.guid.referent
@@ -24,6 +23,7 @@ def has_object_permission(self, request, view, obj):
             return False
 
         if request.method in permissions.SAFE_METHODS:
-            is_public = permission_source.is_public and obj.is_published
-            return is_public or permission_source.can_view(auth)
+            if not obj.is_published:
+                return permission_source.can_edit(auth)
+            return permission_source.is_public or permission_source.can_view(auth)
         return permission_source.can_edit(auth)

api/cedar_metadata_records/serializers.py

@@ -2,11 +2,13 @@
 
 from django.db import IntegrityError
 from rest_framework import serializers as ser
+from rest_framework.exceptions import PermissionDenied, NotFound
 
 from api.base.exceptions import InvalidModelValueError, JSONAPIException
 from api.base.serializers import JSONAPISerializer, LinksField, RelationshipField
-from api.base.utils import absolute_reverse
+from api.base.utils import absolute_reverse, get_user_auth
 from api.cedar_metadata_records.utils import get_guids_related_view, get_guids_related_view_kwargs
+from api.cedar_metadata_records.utils import can_create_record
 
 from osf.exceptions import ValidationError
 from osf.models import CedarMetadataRecord, CedarMetadataTemplate, Guid
@@ -112,6 +114,12 @@ def create(self, validated_data):
         template = validated_data.pop('template')
         metadata = validated_data.pop('metadata')
         is_published = validated_data.pop('is_published')
+
+        auth = get_user_auth(self.context['request'])
+        if not can_create_record(auth, guid):
+            raise PermissionDenied
+        if not template.is_active():
+            raise NotFound
         record = CedarMetadataRecord(guid=guid, template=template, metadata=metadata, is_published=is_published)
         try:
             record.save()

api/cedar_metadata_records/utils.py

@@ -27,3 +27,27 @@ def get_guids_related_view_kwargs(obj):
         return {'file_id': '<guid._id>'}
     else:
         raise NotImplementedError()
+
+def can_view_record(user_auth, record):
+
+    permission_source = record.guid.referent
+
+    if isinstance(permission_source, BaseFileNode):
+        permission_source = permission_source.target
+    elif not isinstance(permission_source, (Node, Registration)):
+        return False
+
+    if not record.is_published:
+        return permission_source.can_edit(user_auth)
+    return permission_source.is_public or permission_source.can_view(user_auth)
+
+def can_create_record(user_auth, guid):
+
+    permission_source = guid.referent
+
+    if isinstance(permission_source, BaseFileNode):
+        permission_source = permission_source.target
+    elif not isinstance(permission_source, (Node, Registration)):
+        return False
+
+    return permission_source.can_edit(user_auth)

api/cedar_metadata_records/views.py

@@ -15,12 +15,14 @@
 )
 from api.base.versioning import PrivateVersioning
 from api.base.views import JSONAPIBaseView
+from api.base.utils import get_user_auth
 from api.cedar_metadata_records.permissions import CedarMetadataRecordPermission
 from api.cedar_metadata_records.serializers import (
     CedarMetadataRecordsListSerializer,
     CedarMetadataRecordsListCreateSerializer,
     CedarMetadataRecordsDetailSerializer,
 )
+from api.cedar_metadata_records.utils import can_view_record
 from framework.auth.oauth_scopes import CoreScopes
 
 from osf.models import CedarMetadataRecord
@@ -54,7 +56,10 @@ def get_serializer_class(self):
             return CedarMetadataRecordsListSerializer
 
     def get_default_queryset(self):
-        return CedarMetadataRecord.objects.filter(is_published=True)
+        published_records = CedarMetadataRecord.objects.filter(is_published=True)
+        user_auth = get_user_auth(self.request)
+        record_ids = [record.id for record in published_records if can_view_record(user_auth, record)]
+        return CedarMetadataRecord.objects.filter(pk__in=record_ids)
 
     def get_queryset(self):
         return self.get_queryset_from_request()
@@ -79,9 +84,11 @@ class CedarMetadataRecordDetail(JSONAPIBaseView, RetrieveUpdateDestroyAPIView):
 
     def get_object(self):
         try:
-            return CedarMetadataRecord.objects.get(_id=self.kwargs['record_id'])
+            record = CedarMetadataRecord.objects.get(_id=self.kwargs['record_id'])
         except CedarMetadataRecord.DoesNotExist:
             raise NotFound
+        self.check_object_permissions(self.request, record)
+        return record
 
 class CedarMetadataRecordMetadataDownload(JSONAPIBaseView, RetrieveAPIView):
 
@@ -102,9 +109,11 @@ class CedarMetadataRecordMetadataDownload(JSONAPIBaseView, RetrieveAPIView):
 
     def get_object(self):
         try:
-            return CedarMetadataRecord.objects.get(_id=self.kwargs['record_id'])
+            record = CedarMetadataRecord.objects.get(_id=self.kwargs['record_id'])
         except CedarMetadataRecord.DoesNotExist:
             raise NotFound
+        self.check_object_permissions(self.request, record)
+        return record
 
     def get_serializer_class(self):
         return None

osf/models/cedar_metadata.py

@@ -20,6 +20,9 @@ def __unicode__(self):
     def get_semantic_iri(self):
         return self.cedar_id
 
+    def is_active(self):
+        return self.active
+
 
 class CedarMetadataRecord(ObjectIDMixin, BaseModel):