udata 10.3.1.dev34819__py2.py3-none-any.whl → 10.3.1.dev34849__py2.py3-none-any.whl

udata/api/fields.py

@@ -68,6 +68,14 @@ class UrlFor(String):
         )
 
 
+class Permission(Boolean):
+    def __init__(self, mapper=None, **kwargs):
+        super(Permission, self).__init__(**kwargs)
+
+    def format(self, field):
+        return field.can()
+
+
 class NextPageUrl(String):
     def output(self, key, obj, **kwargs):
         if not getattr(obj, "has_next", None):

udata/commands/fixtures.py

@@ -65,7 +65,8 @@ UNWANTED_KEYS: dict[str, list[str]] = {
         "last_modified",
         "preview_url",
     ],
-    "discussion": ["subject", "url", "class"],
+    "discussion": ["subject", "url", "class", "permissions"],
+    "discussion_message": ["permissions"],
     "user": ["uri", "page", "class", "avatar_thumbnail", "email"],
     "posted_by": ["uri", "page", "class", "avatar_thumbnail", "email"],
     "dataservice": [
@@ -154,6 +155,11 @@ def generate_fixtures_file(data_source: str, results_filename: str) -> None:
             ).json()["data"]
             for discussion in json_discussion:
                 discussion = remove_unwanted_keys(discussion, "discussion")
+                for index, message in enumerate(discussion["discussion"]):
+                    discussion["discussion"][index] = remove_unwanted_keys(
+                        message, "discussion_message"
+                    )
+
             json_fixture["discussions"] = json_discussion
 
             json_dataservices = requests.get(

udata/core/discussions/api.py

@@ -5,9 +5,9 @@ from flask_restx.inputs import boolean
 from flask_security import current_user
 
 from udata.api import API, api, fields
-from udata.auth import admin_permission
 from udata.core.dataservices.models import Dataservice
 from udata.core.dataset.models import Dataset
+from udata.core.organization.api_fields import org_ref_fields
 from udata.core.organization.models import Organization
 from udata.core.reuse.models import Reuse
 from udata.core.spam.api import SpamAPIMixin
@@ -15,23 +15,43 @@ from udata.core.spam.fields import spam_fields
 from udata.core.user.api_fields import user_ref_fields
 from udata.utils import id_or_404
 
-from .forms import DiscussionCommentForm, DiscussionCreateForm
+from .forms import (
+    DiscussionCommentForm,
+    DiscussionCreateForm,
+    DiscussionEditCommentForm,
+    DiscussionEditForm,
+)
 from .models import Discussion, Message
-from .permissions import CloseDiscussionPermission
 from .signals import on_discussion_deleted
 
 ns = api.namespace("discussions", "Discussion related operations")
 
+
+message_permissions_fields = api.model(
+    "DiscussionMessagePermissions",
+    {"delete": fields.Permission(), "edit": fields.Permission()},
+)
+
 message_fields = api.model(
     "DiscussionMessage",
     {
         "content": fields.String(description="The message body"),
         "posted_by": fields.Nested(user_ref_fields, description="The message author"),
+        "posted_by_organization": fields.Nested(
+            org_ref_fields, description="The organization to show to users", allow_null=True
+        ),
         "posted_on": fields.ISODateTime(description="The message posting date"),
+        "last_modified_at": fields.ISODateTime(description="The message last edit date"),
         "spam": fields.Nested(spam_fields),
+        "permissions": fields.Nested(message_permissions_fields),
     },
 )
 
+discussion_permissions_fields = api.model(
+    "DiscussionPermissions",
+    {"delete": fields.Permission(), "edit": fields.Permission(), "close": fields.Permission()},
+)
+
 discussion_fields = api.model(
     "Discussion",
     {
@@ -40,15 +60,24 @@ discussion_fields = api.model(
         "class": fields.ClassName(description="The object class", discriminator=True),
         "title": fields.String(description="The discussion title"),
         "user": fields.Nested(user_ref_fields, description="The discussion author"),
+        "organization": fields.Nested(
+            org_ref_fields, description="The discussion author", allow_null=True
+        ),
         "created": fields.ISODateTime(description="The discussion creation date"),
         "closed": fields.ISODateTime(description="The discussion closing date"),
         "closed_by": fields.Nested(
             user_ref_fields, allow_null=True, description="The user who closed the discussion"
         ),
+        "closed_by_organization": fields.Nested(
+            org_ref_fields,
+            allow_null=True,
+            description="The organization who closed the discussion",
+        ),
         "discussion": fields.Nested(message_fields),
         "url": fields.UrlFor("api.discussion", description="The discussion API URI"),
         "extras": fields.Raw(description="Extra attributes as key-value pairs"),
         "spam": fields.Nested(spam_fields),
+        "permissions": fields.Nested(discussion_permissions_fields),
     },
 )
 
@@ -60,6 +89,9 @@ start_discussion_fields = api.model(
         "subject": fields.Nested(
             api.model_reference, description="The discussion target object", required=True
         ),
+        "organization": fields.Nested(
+            org_ref_fields, allow_null=True, description="Publish in the name of this organization"
+        ),
         "extras": fields.Raw(description="Extras attributes as key-value pairs"),
     },
 )
@@ -74,6 +106,20 @@ comment_discussion_fields = api.model(
     },
 )
 
+edit_comment_discussion_fields = api.model(
+    "DiscussionEditComment",
+    {
+        "comment": fields.String(description="The new comment", required=True),
+    },
+)
+
+edit_discussion_fields = api.model(
+    "DiscussionEdit",
+    {
+        "title": fields.String(description="The new title", required=True),
+    },
+)
+
 discussion_page_fields = api.model("DiscussionPage", fields.pager(discussion_fields))
 
 parser = api.parser()
@@ -138,14 +184,30 @@ class DiscussionAPI(API):
         if discussion.closed:
             api.abort(403, "Can't add comments on a closed discussion")
         form = api.validate(DiscussionCommentForm)
-        message = Message(content=form.comment.data, posted_by=current_user.id)
-        discussion.discussion.append(message)
-        message_idx = len(discussion.discussion) - 1
+
         close = form.close.data
+        if not close and not form.comment.data:
+            api.abort(
+                400, "Can only close without message. Please provide either `close` or a `comment`."
+            )
+
+        if form.comment.data:
+            message = Message(
+                content=form.comment.data,
+                posted_by=current_user.id,
+                posted_by_organization=form.organization.data,
+            )
+            discussion.discussion.append(message)
+            message_idx = len(discussion.discussion) - 1
+        else:
+            message_idx = None
+
         if close:
-            CloseDiscussionPermission(discussion).test()
+            discussion.permissions["close"].test()
             discussion.closed_by = current_user._get_current_object()
+            discussion.closed_by_organization = form.organization.data
             discussion.closed = datetime.utcnow()
+
         discussion.save()
         if close:
             discussion.signal_close(message=message_idx)
@@ -153,12 +215,27 @@ class DiscussionAPI(API):
             discussion.signal_comment(message=message_idx)
         return discussion
 
-    @api.secure(admin_permission)
+    @api.doc("update_discussion")
+    @api.response(403, "Not allowed to update this discussion")
+    @api.expect(edit_comment_discussion_fields)
+    @api.marshal_with(discussion_fields)
+    def put(self, id):
+        """Update a discussion given its ID"""
+        discussion = Discussion.objects.get_or_404(id=id_or_404(id))
+        discussion.permissions["edit"].test()
+
+        form = api.validate(DiscussionEditForm, discussion)
+        form.save()
+
+        return discussion
+
     @api.doc("delete_discussion")
     @api.response(403, "Not allowed to delete this discussion")
     def delete(self, id):
         """Delete a discussion given its ID"""
         discussion = Discussion.objects.get_or_404(id=id_or_404(id))
+        discussion.permissions["delete"].test()
+
         discussion.delete()
         on_discussion_deleted.send(discussion)
         return "", 204
@@ -182,7 +259,26 @@ class DiscussionCommentAPI(API):
     Base class for a comment in a discussion thread.
     """
 
-    @api.secure(admin_permission)
+    @api.doc("edit_discussion_comment")
+    @api.response(403, "Not allowed to edit this comment")
+    @api.expect(edit_comment_discussion_fields)
+    @api.marshal_with(discussion_fields)
+    def put(self, id, cidx):
+        """Edit a comment given its index"""
+        discussion = Discussion.objects.get_or_404(id=id_or_404(id))
+        if len(discussion.discussion) <= cidx:
+            api.abort(404, "Comment does not exist")
+
+        message = discussion.discussion[cidx]
+        message.permissions["edit"].test()
+
+        form = api.validate(DiscussionEditCommentForm)
+
+        discussion.discussion[cidx].content = form.comment.data
+        discussion.discussion[cidx].last_modified_at = datetime.utcnow()
+        discussion.save()
+        return discussion
+
     @api.doc("delete_discussion_comment")
     @api.response(403, "Not allowed to delete this comment")
     def delete(self, id, cidx):
@@ -192,6 +288,9 @@ class DiscussionCommentAPI(API):
             api.abort(404, "Comment does not exist")
         elif cidx == 0:
             api.abort(400, "You cannot delete the first comment of a discussion")
+
+        discussion.discussion[cidx].permissions["delete"].test()
+
         discussion.discussion.pop(cidx)
         discussion.save()
         return "", 204
@@ -238,7 +337,11 @@ class DiscussionsAPI(API):
         """Create a new Discussion"""
         form = api.validate(DiscussionCreateForm)
 
-        message = Message(content=form.comment.data, posted_by=current_user.id)
+        message = Message(
+            content=form.comment.data,
+            posted_by=current_user.id,
+            posted_by_organization=form.organization.data,
+        )
         discussion = Discussion(user=current_user.id, discussion=[message])
         form.populate_obj(discussion)
         discussion.save()

udata/core/discussions/csv.py

@@ -19,4 +19,6 @@ class DiscussionCsvAdapter(csv.Adapter):
         "closed",
         "closed_by",
         ("closed_by_id", "closed_by.id"),
+        "closed_by_organization",
+        ("closed_by_organization_id", "closed_by_organization.id"),
     )

udata/core/discussions/forms.py

@@ -10,6 +10,7 @@ __all__ = ("DiscussionCreateForm", "DiscussionCommentForm")
 class DiscussionCreateForm(ModelForm):
     model_class = Discussion
 
+    organization = fields.PublishAsField(_("Publish as"), owner_field=None)
     title = fields.StringField(_("Title"), [validators.DataRequired()])
     comment = fields.StringField(
         _("Comment"), [validators.DataRequired(), validators.Length(max=COMMENT_SIZE_LIMIT)]
@@ -18,8 +19,20 @@ class DiscussionCreateForm(ModelForm):
     extras = fields.ExtrasField()
 
 
+class DiscussionEditForm(ModelForm):
+    model_class = Discussion
+
+    title = fields.StringField(_("Title"), [validators.DataRequired()])
+
+
 class DiscussionCommentForm(Form):
+    organization = fields.PublishAsField(_("Publish as"), owner_field=None)
+
+    comment = fields.StringField(_("Comment"), [validators.Length(max=COMMENT_SIZE_LIMIT)])
+    close = fields.BooleanField(default=False)
+
+
+class DiscussionEditCommentForm(Form):
     comment = fields.StringField(
         _("Comment"), [validators.DataRequired(), validators.Length(max=COMMENT_SIZE_LIMIT)]
     )
-    close = fields.BooleanField(default=False)

udata/core/discussions/models.py

@@ -16,14 +16,37 @@ class Message(SpamMixin, db.EmbeddedDocument):
     content = db.StringField(required=True)
     posted_on = db.DateTimeField(default=datetime.utcnow, required=True)
     posted_by = db.ReferenceField("User")
+    posted_by_organization = db.ReferenceField("Organization")
+    last_modified_at = db.DateTimeField()
+
+    @property
+    def permissions(self):
+        from .permissions import DiscussionMessagePermission
+
+        return {
+            "delete": DiscussionMessagePermission(self),
+            "edit": DiscussionMessagePermission(self),
+        }
+
+    @property
+    def posted_by_name(self):
+        return (
+            self.posted_by_organization.name
+            if self.posted_by_organization
+            else self.posted_by.fullname
+        )
+
+    @property
+    def posted_by_org_or_user(self):
+        return self.posted_by_organization or self.posted_by
 
     def texts_to_check_for_spam(self):
         return [self.content]
 
     def spam_report_message(self, breadcrumb):
         message = "Spam potentiel dans le message"
-        if self.posted_by:
-            message += f" de [{self.posted_by.fullname}]({self.posted_by.external_url})"
+        if self.posted_by_org_or_user:
+            message += f" de [{self.posted_by_name}]({self.posted_by_org_or_user.external_url})"
 
         if len(breadcrumb) != 2:
             log.warning(
@@ -46,12 +69,15 @@ class Message(SpamMixin, db.EmbeddedDocument):
 
 class Discussion(SpamMixin, db.Document):
     user = db.ReferenceField("User")
+    organization = db.ReferenceField("Organization")
+
     subject = db.GenericReferenceField()
     title = db.StringField(required=True)
     discussion = db.ListField(db.EmbeddedDocumentField(Message))
     created = db.DateTimeField(default=datetime.utcnow, required=True)
     closed = db.DateTimeField()
     closed_by = db.ReferenceField("User")
+    closed_by_organization = db.ReferenceField("Organization")
     extras = db.ExtrasField()
 
     meta = {
@@ -59,6 +85,34 @@ class Discussion(SpamMixin, db.Document):
         "ordering": ["-created"],
     }
 
+    @property
+    def permissions(self):
+        from udata.core.discussions.permissions import (
+            DiscussionAuthorOrSubjectOwnerPermission,
+            DiscussionAuthorPermission,
+        )
+
+        return {
+            "delete": DiscussionAuthorPermission(self),
+            # To edit the title of a discussion we need to be the owner of the first message
+            "edit": DiscussionAuthorPermission(self),
+            "close": DiscussionAuthorOrSubjectOwnerPermission(self),
+        }
+
+    @property
+    def closed_by_name(self):
+        if self.closed_by_organization:
+            return self.closed_by_organization.name
+
+        if self.closed_by:
+            return self.closed_by.fullname
+
+        return None
+
+    @property
+    def closed_by_org_or_user(self):
+        return self.closed_by_organization or self.closed_by
+
     def person_involved(self, person):
         """Return True if the given person has been involved in the
 
@@ -113,7 +167,7 @@ class Discussion(SpamMixin, db.Document):
     def signal_new(self):
         on_new_discussion.send(self)
 
-    @spam_protected(lambda discussion, message: discussion.discussion[message])
+    @spam_protected(lambda discussion, message: discussion.discussion[message] if message else None)
     def signal_close(self, message):
         on_discussion_closed.send(self, message=message)
 

udata/core/discussions/permissions.py

@@ -1,19 +1,41 @@
 from udata.auth import Permission, UserNeed
+from udata.core.dataset.permissions import OwnablePermission
 from udata.core.organization.permissions import (
     OrganizationAdminNeed,
     OrganizationEditorNeed,
 )
 
+from .models import Discussion, Message
 
-class CloseDiscussionPermission(Permission):
-    def __init__(self, discussion):
+
+# This is a hack to because double inheritance doesn't work really well with permissions.
+# I simulate a class constructor with a function to keep the same API than other permissions
+# but use the `.union()` of two permission under the hood.
+def DiscussionAuthorOrSubjectOwnerPermission(discussion: Discussion):
+    return OwnablePermission(discussion.subject).union(DiscussionAuthorPermission(discussion))
+
+
+class DiscussionAuthorPermission(Permission):
+    def __init__(self, discussion: Discussion):
+        needs = []
+
+        if discussion.organization:
+            needs.append(OrganizationAdminNeed(discussion.organization.id))
+            needs.append(OrganizationEditorNeed(discussion.organization.id))
+        else:
+            needs.append(UserNeed(discussion.user.fs_uniquifier))
+
+        super(DiscussionAuthorPermission, self).__init__(*needs)
+
+
+class DiscussionMessagePermission(Permission):
+    def __init__(self, message: Message):
         needs = []
-        subject = discussion.subject
 
-        if getattr(subject, "organization"):
-            needs.append(OrganizationAdminNeed(subject.organization.id))
-            needs.append(OrganizationEditorNeed(subject.organization.id))
-        elif subject.owner:
-            needs.append(UserNeed(subject.owner.fs_uniquifier))
+        if message.posted_by_organization:
+            needs.append(OrganizationAdminNeed(message.posted_by_organization.id))
+            needs.append(OrganizationEditorNeed(message.posted_by_organization.id))
+        else:
+            needs.append(UserNeed(message.posted_by.fs_uniquifier))
 
-        super(CloseDiscussionPermission, self).__init__(*needs)
+        super(DiscussionMessagePermission, self).__init__(*needs)

udata/core/discussions/tasks.py

@@ -42,7 +42,7 @@ def notify_new_discussion_comment(discussion_id, message=None):
     if isinstance(discussion.subject, NOTIFY_DISCUSSION_SUBJECTS):
         recipients = owner_recipients(discussion) + [m.posted_by for m in discussion.discussion]
         recipients = list({u.id: u for u in recipients if u != message.posted_by}.values())
-        subject = _("%(user)s commented your discussion", user=message.posted_by.fullname)
+        subject = _("%(user)s commented your discussion", user=message.posted_by_name)
 
         mail.send(
             subject, recipients, "new_discussion_comment", discussion=discussion, message=message
@@ -54,10 +54,10 @@ def notify_new_discussion_comment(discussion_id, message=None):
 @connect(on_discussion_closed, by_id=True)
 def notify_discussion_closed(discussion_id, message=None):
     discussion = Discussion.objects.get(pk=discussion_id)
-    message = discussion.discussion[message]
+    message = discussion.discussion[message] if message else None
     if isinstance(discussion.subject, NOTIFY_DISCUSSION_SUBJECTS):
         recipients = owner_recipients(discussion) + [m.posted_by for m in discussion.discussion]
-        recipients = list({u.id: u for u in recipients if u != message.posted_by}.values())
+        recipients = list({u.id: u for u in recipients if u != discussion.closed_by}.values())
         subject = _("A discussion has been closed")
         mail.send(subject, recipients, "discussion_closed", discussion=discussion, message=message)
     else:

udata/core/spam/models.py

@@ -193,6 +193,10 @@ def spam_protected(get_model_to_check=None):
             base_model = args[0]
             if get_model_to_check:
                 model_to_check = get_model_to_check(*args, **kwargs)
+
+                if not model_to_check:
+                    f(*args, **kwargs)
+                    return
             else:
                 model_to_check = base_model
 

udata/forms/fields.py

@@ -782,14 +782,16 @@ class PublishAsField(ModelFieldMixin, Field):
                 raise validators.ValidationError(_("You must be authenticated"))
             elif not OrganizationPrivatePermission(self.data).can():
                 raise validators.ValidationError(_("Permission denied for this organization"))
-            # Ensure either owner field or this field value is unset
-            owner_field = form._fields[self.owner_field]
-            if self.raw_data:
-                owner_field.data = None
-            elif getattr(form._obj, self.short_name) and not owner_field.data:
-                pass
-            else:
-                self.data = None
+
+            if self.owner_field:
+                # Ensure either owner field or this field value is unset
+                owner_field = form._fields[self.owner_field]
+                if self.raw_data:
+                    owner_field.data = None
+                elif getattr(form._obj, self.short_name) and not owner_field.data:
+                    pass
+                else:
+                    self.data = None
         return True