OnlineJudge/account/decorators.py

import functools
import hashlib
import time

from problem.models import Problem
from contest.models import Contest, ContestType, ContestStatus, ContestRuleType
from utils.api import JSONResponse, APIError
from utils.constants import CONTEST_PASSWORD_SESSION_KEY
from .models import ProblemPermission


class BasePermissionDecorator(object):
    def __init__(self, func):
        self.func = func

    def __get__(self, obj, obj_type):
        return functools.partial(self.__call__, obj)

    def error(self, data):
        return JSONResponse.response({"error": "permission-denied", "data": data})

    def __call__(self, *args, **kwargs):
        self.request = args[1]

        if self.check_permission():
            if self.request.user.is_disabled:
                return self.error("Your account is disabled")
            return self.func(*args, **kwargs)
        else:
            return self.error("Please login first")

    def check_permission(self):
        raise NotImplementedError()


class login_required(BasePermissionDecorator):
    def check_permission(self):
        return self.request.user.is_authenticated


class super_admin_required(BasePermissionDecorator):
    def check_permission(self):
        user = self.request.user
        return user.is_authenticated and user.is_super_admin()


class admin_role_required(BasePermissionDecorator):
    def check_permission(self):
        user = self.request.user
        return user.is_authenticated and user.is_admin_role()


class problem_permission_required(admin_role_required):
    def check_permission(self):
        if not super(problem_permission_required, self).check_permission():
            return False
        if self.request.user.problem_permission == ProblemPermission.NONE:
            return False
        return True


def check_contest_password(password, contest_password):
    if not (password and contest_password):
        return False
    if password == contest_password:
        return True
    else:
        # sig#timestamp 这种形式的密码也可以，但是在界面上没提供支持
        # sig = sha256(contest_password + timestamp)[:8]
        if "#" in password:
            s = password.split("#")
            if len(s) != 2:
                return False
            sig, ts = s[0], s[1]

            if sig == hashlib.sha256((contest_password + ts).encode("utf-8")).hexdigest()[:8]:
                try:
                    ts = int(ts)
                except Exception:
                    return False
                return int(time.time()) < ts
            else:
                return False
        else:
            return False


def check_contest_permission(check_type="details"):
    """
    只供Class based view 使用，检查用户是否有权进入该contest, check_type 可选 details, problems, ranks, submissions
    若通过验证，在view中可通过self.contest获得该contest
    """

    def decorator(func):
        def _check_permission(*args, **kwargs):
            self = args[0]
            request = args[1]
            user = request.user
            if request.data.get("contest_id"):
                contest_id = request.data["contest_id"]
            else:
                contest_id = request.GET.get("contest_id")
            if not contest_id:
                return self.error("Parameter error, contest_id is required")

            try:
                # use self.contest to avoid query contest again in view.
                self.contest = Contest.objects.select_related("created_by").get(id=contest_id, visible=True)
            except Contest.DoesNotExist:
                return self.error("Contest %s doesn't exist" % contest_id)

            # Anonymous
            if not user.is_authenticated:
                return self.error("Please login first.")

            # creator or owner
            if user.is_contest_admin(self.contest):
                return func(*args, **kwargs)

            if self.contest.contest_type == ContestType.PASSWORD_PROTECTED_CONTEST:
                # password error
                if not check_contest_password(request.session.get(CONTEST_PASSWORD_SESSION_KEY, {}).get(self.contest.id), self.contest.password):
                    return self.error("Wrong password or password expired")

            # regular user get contest problems, ranks etc. before contest started
            if self.contest.status == ContestStatus.CONTEST_NOT_START and check_type != "details":
                return self.error("Contest has not started yet.")

            # check does user have permission to get ranks, submissions in OI Contest
            if self.contest.status == ContestStatus.CONTEST_UNDERWAY and self.contest.rule_type == ContestRuleType.OI:
                if not self.contest.real_time_rank and (check_type == "ranks" or check_type == "submissions"):
                    return self.error(f"No permission to get {check_type}")

            return func(*args, **kwargs)
        return _check_permission
    return decorator


def ensure_created_by(obj, user):
    e = APIError(msg=f"{obj.__class__.__name__} does not exist")
    if not user.is_admin_role():
        raise e
    if user.is_super_admin():
        return
    if isinstance(obj, Problem):
        if not user.can_mgmt_all_problem() and obj.created_by != user:
            raise e
    elif obj.created_by != user:
        raise e
-												修复 account 里面失败的测试；优化权限 decorator 的写法

											
										
										
											2015-10-14 01:57:43 +00:00
+								import functools
-												修复比赛修改密码之后，之前保存的 session 仍然可以使用的问题

											
										
										
											2019-09-22 08:45:25 +00:00
+								import hashlib
 								import time
-												修复编辑题目会修改作者的问题；修复权限判断时候的逻辑错误

											
										
										
											2018-04-17 15:53:49 +00:00
+								from problem.models import Problem
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
+								from contest.models import Contest, ContestType, ContestStatus, ContestRuleType
-												fix permission

											
										
										
											2018-01-04 11:27:41 +00:00
+								from utils.api import JSONResponse, APIError
-												修复比赛修改密码之后，之前保存的 session 仍然可以使用的问题

											
										
										
											2019-09-22 08:45:25 +00:00
+								from utils.constants import CONTEST_PASSWORD_SESSION_KEY
-												fix permission

											
										
										
											2018-01-04 11:27:41 +00:00
+								from .models import ProblemPermission
-												contest and contest_problems api.
add ordering for contest and submission models

											
										
										
											2017-07-17 13:28:06 +00:00
-												增加 login_required decorator 和对应的测试

											
										
										
											2015-08-04 05:22:37 +00:00
-												修复 account 里面失败的测试；优化权限 decorator 的写法

											
										
										
											2015-10-14 01:57:43 +00:00
+								class BasePermissionDecorator(object):
 								    def __init__(self, func):
 								        self.func = func
-												增加 login_required decorator 和对应的测试

											
										
										
											2015-08-04 05:22:37 +00:00
-												修复 account 里面失败的测试；优化权限 decorator 的写法

											
										
										
											2015-10-14 01:57:43 +00:00
+								    def __get__(self, obj, obj_type):
 								        return functools.partial(self.__call__, obj)
-												add some tests

											
										
										
											2016-10-29 18:17:35 +00:00
+								    def error(self, data):
-												使用Python3和更科学的API写法

											
										
										
											2016-11-19 04:32:23 +00:00
+								        return JSONResponse.response({"error": "permission-denied", "data": data})
-												add some tests

											
										
										
											2016-10-29 18:17:35 +00:00
-												修复 account 里面失败的测试；优化权限 decorator 的写法

											
										
										
											2015-10-14 01:57:43 +00:00
+								    def __call__(self, *args, **kwargs):
-												add some tests

											
										
										
											2016-10-29 18:17:35 +00:00
+								        self.request = args[1]
-												修复 account 里面失败的测试；优化权限 decorator 的写法

											
										
										
											2015-10-14 01:57:43 +00:00
 								        if self.check_permission():
-												修改账户系统以及部分用户权限写法

增加部分测试和注释，完善国际化

											
										
										
											2016-06-23 04:19:16 +00:00
+								            if self.request.user.is_disabled:
-												remove i18n

											
										
										
											2017-04-18 18:03:48 +00:00
+								                return self.error("Your account is disabled")
-												修复 account 里面失败的测试；优化权限 decorator 的写法

											
										
										
											2015-10-14 01:57:43 +00:00
+								            return self.func(*args, **kwargs)
-												增加 @admin_required 修饰符代码和对应的测试

											
										
										
											2015-08-06 04:25:16 +00:00
+								        else:
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
+								            return self.error("Please login first")
-												增加判断管理员权限的 decorator

											
										
										
											2015-09-22 08:18:32 +00:00
-												修复 account 里面失败的测试；优化权限 decorator 的写法

											
										
										
											2015-10-14 01:57:43 +00:00
+								    def check_permission(self):
 								        raise NotImplementedError()
 								class login_required(BasePermissionDecorator):
 								    def check_permission(self):
-												update to django 2.0

											
										
										
											2019-03-11 03:25:10 +00:00
+								        return self.request.user.is_authenticated
-												修复 account 里面失败的测试；优化权限 decorator 的写法

											
										
										
											2015-10-14 01:57:43 +00:00
 								class super_admin_required(BasePermissionDecorator):
 								    def check_permission(self):
-												rename some method and add some decorator

											
										
										
											2017-02-10 03:41:01 +00:00
+								        user = self.request.user
-												update to django 2.0

											
										
										
											2019-03-11 03:25:10 +00:00
+								        return user.is_authenticated and user.is_super_admin()
-												增加判断管理员权限的 decorator

											
										
										
											2015-09-22 08:18:32 +00:00
-												rename some method and add some decorator

											
										
										
											2017-02-10 03:41:01 +00:00
+								class admin_role_required(BasePermissionDecorator):
-												修复 account 里面失败的测试；优化权限 decorator 的写法

											
										
										
											2015-10-14 01:57:43 +00:00
+								    def check_permission(self):
-												rename some method and add some decorator

											
										
										
											2017-02-10 03:41:01 +00:00
+								        user = self.request.user
-												update to django 2.0

											
										
										
											2019-03-11 03:25:10 +00:00
+								        return user.is_authenticated and user.is_admin_role()
-												rename some method and add some decorator

											
										
										
											2017-02-10 03:41:01 +00:00
 								class problem_permission_required(admin_role_required):
 								    def check_permission(self):
 								        if not super(problem_permission_required, self).check_permission():
 								            return False
 								        if self.request.user.problem_permission == ProblemPermission.NONE:
 								            return False
 								        return True
-												contest and contest_problems api.
add ordering for contest and submission models

											
										
										
											2017-07-17 13:28:06 +00:00
-												修复比赛修改密码之后，之前保存的 session 仍然可以使用的问题

											
										
										
											2019-09-22 08:45:25 +00:00
+								def check_contest_password(password, contest_password):
 								    if not (password and contest_password):
 								        return False
 								    if password == contest_password:
 								        return True
 								    else:
 								        # sig#timestamp 这种形式的密码也可以，但是在界面上没提供支持
 								        # sig = sha256(contest_password + timestamp)[:8]
 								        if "#" in password:
 								            s = password.split("#")
 								            if len(s) != 2:
 								                return False
 								            sig, ts = s[0], s[1]
 								            if sig == hashlib.sha256((contest_password + ts).encode("utf-8")).hexdigest()[:8]:
 								                try:
 								                    ts = int(ts)
 								                except Exception:
 								                    return False
 								                return int(time.time()) < ts
 								            else:
 								                return False
 								        else:
 								            return False
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
+								def check_contest_permission(check_type="details"):
-												contest and contest_problems api.
add ordering for contest and submission models

											
										
										
											2017-07-17 13:28:06 +00:00
+								    """
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
+								    只供Class based view 使用，检查用户是否有权进入该contest, check_type 可选 details, problems, ranks, submissions
-												contest and contest_problems api.
add ordering for contest and submission models

											
										
										
											2017-07-17 13:28:06 +00:00
+								    若通过验证，在view中可通过self.contest获得该contest
 								    """
-												separate contest submission and regular submission

											
										
										
											2017-09-30 02:26:54 +00:00
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
+								    def decorator(func):
 								        def _check_permission(*args, **kwargs):
 								            self = args[0]
 								            request = args[1]
 								            user = request.user
-												封榜后管理员可以通过force_update查看最新rankings

											
										
										
											2017-12-03 07:36:31 +00:00
+								            if request.data.get("contest_id"):
 								                contest_id = request.data["contest_id"]
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
+								            else:
 								                contest_id = request.GET.get("contest_id")
 								            if not contest_id:
-												支持选取已有题目作为比赛题目

											
										
										
											2017-12-03 10:52:32 +00:00
+								                return self.error("Parameter error, contest_id is required")
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
 								            try:
 								                # use self.contest to avoid query contest again in view.
 								                self.contest = Contest.objects.select_related("created_by").get(id=contest_id, visible=True)
 								            except Contest.DoesNotExist:
 								                return self.error("Contest %s doesn't exist" % contest_id)
-												比赛相关api都需要登录

											
										
										
											2018-06-30 06:40:35 +00:00
+								            # Anonymous
-												update to django 2.0

											
										
										
											2019-03-11 03:25:10 +00:00
+								            if not user.is_authenticated:
-												比赛相关api都需要登录

											
										
										
											2018-06-30 06:40:35 +00:00
+								                return self.error("Please login first.")
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
+								            # creator or owner
-												比赛相关api都需要登录

											
										
										
											2018-06-30 06:40:35 +00:00
+								            if user.is_contest_admin(self.contest):
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
+								                return func(*args, **kwargs)
 								            if self.contest.contest_type == ContestType.PASSWORD_PROTECTED_CONTEST:
 								                # password error
-												修复比赛修改密码之后，之前保存的 session 仍然可以使用的问题

											
										
										
											2019-09-22 08:45:25 +00:00
+								                if not check_contest_password(request.session.get(CONTEST_PASSWORD_SESSION_KEY, {}).get(self.contest.id), self.contest.password):
 								                    return self.error("Wrong password or password expired")
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
-												submission exists api

											
										
										
											2017-11-23 11:11:12 +00:00
+								            # regular user get contest problems, ranks etc. before contest started
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
+								            if self.contest.status == ContestStatus.CONTEST_NOT_START and check_type != "details":
 								                return self.error("Contest has not started yet.")
-												完善contest和announcement单元测试

											
										
										
											2017-11-28 08:20:29 +00:00
+								            # check does user have permission to get ranks, submissions in OI Contest
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
+								            if self.contest.status == ContestStatus.CONTEST_UNDERWAY and self.contest.rule_type == ContestRuleType.OI:
 								                if not self.contest.real_time_rank and (check_type == "ranks" or check_type == "submissions"):
 								                    return self.error(f"No permission to get {check_type}")
-												添加contest access api

											
										
										
											2017-07-20 07:52:11 +00:00
-												完善contest权限控制

											
										
										
											2017-10-27 10:36:29 +00:00
+								            return func(*args, **kwargs)
 								        return _check_permission
 								    return decorator
-												fix permission

											
										
										
											2018-01-04 11:27:41 +00:00
 								def ensure_created_by(obj, user):
-												修复编辑题目会修改作者的问题；修复权限判断时候的逻辑错误

											
										
										
											2018-04-17 15:53:49 +00:00
+								    e = APIError(msg=f"{obj.__class__.__name__} does not exist")
 								    if not user.is_admin_role():
 								        raise e
-												修复一系列超级管理员无法操作其他用户比赛和题目的问题

											
										
										
											2018-06-30 06:41:00 +00:00
+								    if user.is_super_admin():
 								        return
-												修复编辑题目会修改作者的问题；修复权限判断时候的逻辑错误

											
										
										
											2018-04-17 15:53:49 +00:00
+								    if isinstance(obj, Problem):
 								        if not user.can_mgmt_all_problem() and obj.created_by != user:
 								            raise e
 								    elif obj.created_by != user:
 								        raise e