Johnetordoff · May 23, 2024 17:40
diff --git a/gistfile1.txt b/gistfile1.txt
 def check_access(node, auth, action, cas_resp):
    """Verify that user can perform requested action on resource. Raise appropriate
    error code if action cannot proceed.
    """
    permission = permission_map.get(action, None)
    if permission is None:
        raise HTTPError(http_status.HTTP_400_BAD_REQUEST)

    # Permissions for DraftNode should be based upon the draft registration
    if isinstance(node, DraftNode):
        node = node.registered_draft.first()

    if cas_resp:
        if permission == permissions.READ:
            if node.can_view_files(auth=None):
                return True
            required_scope = node.file_read_scope
        else:
            required_scope = node.file_write_scope

        if not cas_resp.authenticated \
           or required_scope not in oauth_scopes.normalize_scopes(cas_resp.attributes['accessTokenScope']):
            raise HTTPError(http_status.HTTP_403_FORBIDDEN)

    if permission == permissions.READ:
        if node.can_view_files(auth):
            return True
        # The user may have admin privileges on a parent node, in which
        # case they should have read permissions
        if getattr(node, 'is_registration', False) and node.registered_from.can_view(auth):
            return True
    if permission == permissions.WRITE and node.can_edit(auth):
        return True

    # Users attempting to register projects with components might not have
    # `write` permissions for all components. This will result in a 403 for
    # all `upload` actions as well as `copyfrom` actions if the component
    # in question is not public. To get around this, we have to recursively
    # check the node's parent node to determine if they have `write`
    # permissions up the stack.
    # TODO(hrybacki): is there a way to tell if this is for a registration?
    # All nodes being registered that receive the `upload` action will have
    # `node.is_registration` == True. However, we have no way of telling if
    # `copyfrom` actions are originating from a node being registered.
    # TODO This is raise UNAUTHORIZED for registrations that have not been archived yet
    if isinstance(node, AbstractNode):
        if action == 'copyfrom' or (action == 'upload' and node.is_registration):
            parent = node.parent_node
            while parent:
                if parent.can_edit(auth):
                    return True
                parent = parent.parent_node

    raise HTTPError(http_status.HTTP_403_FORBIDDEN if auth.user else http_status.HTTP_401_UNAUTHORIZED)
	def check_access(node, auth, action, cas_resp):
	"""Verify that user can perform requested action on resource. Raise appropriate
	error code if action cannot proceed.
	"""
	permission = permission_map.get(action, None)
	if permission is None:
	raise HTTPError(http_status.HTTP_400_BAD_REQUEST)

	# Permissions for DraftNode should be based upon the draft registration
	if isinstance(node, DraftNode):
	node = node.registered_draft.first()

	if cas_resp:
	if permission == permissions.READ:
	if node.can_view_files(auth=None):
	return True
	required_scope = node.file_read_scope
	else:
	required_scope = node.file_write_scope

	if not cas_resp.authenticated \
	or required_scope not in oauth_scopes.normalize_scopes(cas_resp.attributes['accessTokenScope']):
	raise HTTPError(http_status.HTTP_403_FORBIDDEN)

	if permission == permissions.READ:
	if node.can_view_files(auth):
	return True
	# The user may have admin privileges on a parent node, in which
	# case they should have read permissions
	if getattr(node, 'is_registration', False) and node.registered_from.can_view(auth):
	return True
	if permission == permissions.WRITE and node.can_edit(auth):
	return True

	# Users attempting to register projects with components might not have
	# `write` permissions for all components. This will result in a 403 for
	# all `upload` actions as well as `copyfrom` actions if the component
	# in question is not public. To get around this, we have to recursively
	# check the node's parent node to determine if they have `write`
	# permissions up the stack.
	# TODO(hrybacki): is there a way to tell if this is for a registration?
	# All nodes being registered that receive the `upload` action will have
	# `node.is_registration` == True. However, we have no way of telling if
	# `copyfrom` actions are originating from a node being registered.
	# TODO This is raise UNAUTHORIZED for registrations that have not been archived yet
	if isinstance(node, AbstractNode):
	if action == 'copyfrom' or (action == 'upload' and node.is_registration):
	parent = node.parent_node
	while parent:
	if parent.can_edit(auth):
	return True
	parent = parent.parent_node

	raise HTTPError(http_status.HTTP_403_FORBIDDEN if auth.user else http_status.HTTP_401_UNAUTHORIZED)