fix: checks on session and role-invite api and owner role (fossasia#6131)

Author: shreyanshdwivedi

app/api/admin_statistics_api/users.py

@@ -30,6 +30,7 @@ class Meta:
     admin = fields.Method("admin_count")
     verified = fields.Method("verified_count")
     unverified = fields.Method("unverified_count")
+    owner = fields.Method("owner_count")
     organizer = fields.Method("organizer_count")
     coorganizer = fields.Method("coorganizer_count")
     attendee = fields.Method("attendee_count")
@@ -53,6 +54,9 @@ def get_all_user_roles(self, role_name):
             UsersEventsRoles.role == role).distinct()
         return newquery
 
+    def owner_count(self, obj):
+        return self.get_all_user_roles('owner').count()
+
     def organizer_count(self, obj):
         return self.get_all_user_roles('organizer').count()
 

app/api/role_invites.py

@@ -112,8 +112,10 @@ def before_update_object(self, role_invite, data, view_kwargs):
         """
         user = User.query.filter_by(email=role_invite.email).first()
         if user:
-            if not has_access('is_user_itself', user_id=user.id):
-                raise UnprocessableEntity({'source': ''}, "Only users can edit their own status")
+            if not has_access('is_organizer', event_id=role_invite.event_id) and not has_access('is_user_itself',
+                                                                                                user_id=user.id):
+                raise UnprocessableEntity({'source': ''},
+                                          "Status can be updated only by event organizer or user hiself")
         if not user and not has_access('is_organizer', event_id=role_invite.event_id):
             raise UnprocessableEntity({'source': ''}, "User not registered")
         if not has_access('is_organizer', event_id=role_invite.event_id) and (len(list(data.keys())) > 1 or

app/api/sessions.py

@@ -141,7 +141,7 @@ def before_update_object(self, session, data, view_kwargs):
         :return:
         """
         if data.get('is_locked') != session.is_locked:
-            if not (has_access('is_admin') or has_access('is_organizer')):
+            if not (has_access('is_admin') or has_access('is_organizer', event_id=session.event_id)):
                 raise ForbiddenException({'source': '/data/attributes/is-locked'},
                                          "You don't have enough permissions to change this property")
 

migrations/versions/43e8c59337ag_.py

@@ -0,0 +1,43 @@
+"""Adding permissions for owner
+
+Revision ID: 43e8c59337ag
+Revises: 43e8c59337af
+Create Date: 2019-07-03 13:21:58.92665
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+import sqlalchemy_utils
+
+
+ # revision identifiers, used by Alembic.
+revision = '43e8c59337ag'
+down_revision = '43e8c59337af'
+
+
+def upgrade():
+    op.execute("INSERT INTO permissions(role_id, service_id, can_create, can_read, can_update, can_delete) \
+                VALUES((SELECT id FROM roles WHERE name='owner'), (SELECT id from services where name='track'), \
+                true, true, true, true)", execution_options=None)
+
+    op.execute("INSERT INTO permissions(role_id, service_id, can_create, can_read, can_update, can_delete) \
+                VALUES((SELECT id FROM roles WHERE name='owner'), (SELECT id from services where name='session'), \
+                true, true, true, true)", execution_options=None)
+
+    op.execute("INSERT INTO permissions(role_id, service_id, can_create, can_read, can_update, can_delete) \
+                VALUES((SELECT id FROM roles WHERE name='owner'), (SELECT id from services where name='speaker'), \
+                true, true, true, true)", execution_options=None)
+
+    op.execute("INSERT INTO permissions(role_id, service_id, can_create, can_read, can_update, can_delete) \
+                VALUES((SELECT id FROM roles WHERE name='owner'), (SELECT id from services where name='sponsor'), \
+                true, true, true, true)", execution_options=None)
+
+    op.execute("INSERT INTO permissions(role_id, service_id, can_create, can_read, can_update, can_delete) \
+                VALUES((SELECT id FROM roles WHERE name='owner'), (SELECT id from services where name='microlocation'), \
+                true, true, true, true)", execution_options=None)
+
+
+
+def downgrade():
+    op.execute("DELETE FROM permissions WHERE role_id=(SELECT id FROM roles WHERE name='owner')")

populate_db.py

@@ -210,16 +210,21 @@ def create_permissions():
     mod = Role.query.get(4)
     attend = Role.query.get(5)
     regist = Role.query.get(6)
+    ownr = Role.query.get(7)
     track = Service.query.get(1)
     session = Service.query.get(2)
     speaker = Service.query.get(3)
     sponsor = Service.query.get(4)
     microlocation = Service.query.get(5)
 
-    # For ORGANIZER
+    # For ORGANIZER and OWNER
     # All four permissions set to True
     services = [track, session, speaker, sponsor, microlocation]
     roles = [attend, regist]
+    for service in services:
+        perm, _ = get_or_create(Permission, role=ownr, service=service)
+        db.session.add(perm)
+
     for service in services:
         perm, _ = get_or_create(Permission, role=orgr, service=service)
         db.session.add(perm)