[3/6] View level permissions - Rows (baserow#4072)

Author: bram2w

backend/src/baserow/contrib/database/api/rows/serializers.py

@@ -508,10 +508,32 @@ class MoveRowQueryParamsSerializer(serializers.Serializer):
 
 class CreateRowQueryParamsSerializer(serializers.Serializer):
     before = serializers.IntegerField(required=False)
+    view = serializers.IntegerField(required=False)
 
 
 class BatchCreateRowsQueryParamsSerializer(serializers.Serializer):
     before = serializers.IntegerField(required=False)
+    view = serializers.IntegerField(required=False)
+
+
+class GetRowQueryParamsSerializer(serializers.Serializer):
+    view = serializers.IntegerField(required=False)
+
+
+class UpdateRowQueryParamsSerializer(serializers.Serializer):
+    view = serializers.IntegerField(required=False)
+
+
+class BatchUpdateRowsQueryParamsSerializer(serializers.Serializer):
+    view = serializers.IntegerField(required=False)
+
+
+class DeleteRowQueryParamsSerializer(serializers.Serializer):
+    view = serializers.IntegerField(required=False)
+
+
+class BatchDeleteRowsQueryParamsSerializer(serializers.Serializer):
+    view = serializers.IntegerField(required=False)
 
 
 class ListRowsQueryParamsSerializer(

backend/src/baserow/contrib/database/api/rows/views.py

@@ -56,7 +56,10 @@
     ERROR_ROW_IDS_NOT_UNIQUE,
 )
 from baserow.contrib.database.api.rows.exceptions import InvalidJoinParameterException
-from baserow.contrib.database.api.rows.serializers import GetRowAdjacentSerializer
+from baserow.contrib.database.api.rows.serializers import (
+    GetRowAdjacentSerializer,
+    GetRowQueryParamsSerializer,
+)
 from baserow.contrib.database.api.tables.errors import ERROR_TABLE_DOES_NOT_EXIST
 from baserow.contrib.database.api.tokens.authentications import TokenAuthentication
 from baserow.contrib.database.api.tokens.errors import (
@@ -110,7 +113,6 @@
 from baserow.contrib.database.table.handler import TableHandler
 from baserow.contrib.database.table.models import Table
 from baserow.contrib.database.table.operations import (
-    CreateRowDatabaseTableOperationType,
     ListRowNamesDatabaseTableOperationType,
     ListRowsDatabaseTableOperationType,
 )
@@ -137,12 +139,16 @@
 from .schemas import row_names_response_schema
 from .serializers import (
     BatchCreateRowsQueryParamsSerializer,
+    BatchDeleteRowsQueryParamsSerializer,
     BatchDeleteRowsSerializer,
+    BatchUpdateRowsQueryParamsSerializer,
     CreateRowQueryParamsSerializer,
+    DeleteRowQueryParamsSerializer,
     ListRowsQueryParamsSerializer,
     MoveRowQueryParamsSerializer,
     RowHistorySerializer,
     RowSerializer,
+    UpdateRowQueryParamsSerializer,
     get_batch_row_serializer_class,
     get_example_batch_rows_serializer_class,
     get_example_row_serializer_class,
@@ -481,6 +487,13 @@ def get(self, request, table_id, query_params):
                 description="If provided then the newly created row will be "
                 "positioned before the row with the provided id.",
             ),
+            OpenApiParameter(
+                name="view",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.INT,
+                description="Provide if the row is created in a view. This can result "
+                "in different permission checking and default values.",
+            ),
             OpenApiParameter(
                 name="user_field_names",
                 location=OpenApiParameter.QUERY,
@@ -547,6 +560,7 @@ def get(self, request, table_id, query_params):
         {
             UserNotInWorkspace: ERROR_USER_NOT_IN_GROUP,
             TableDoesNotExist: ERROR_TABLE_DOES_NOT_EXIST,
+            ViewDoesNotExist: ERROR_VIEW_DOES_NOT_EXIST,
             NoPermissionToTable: ERROR_NO_PERMISSION_TO_TABLE,
             RowDoesNotExist: ERROR_ROW_DOES_NOT_EXIST,
             CannotCreateRowsInTable: ERROR_CANNOT_CREATE_ROWS_IN_TABLE,
@@ -567,13 +581,6 @@ def post(self, request: Request, table_id: int, query_params) -> Response:
 
         TokenHandler().check_table_permissions(request, "create", table, False)
 
-        CoreHandler().check_permissions(
-            request.user,
-            CreateRowDatabaseTableOperationType.type,
-            workspace=table.database.workspace,
-            context=table,
-        )
-
         user_field_names = extract_user_field_names_from_params(request.GET)
         send_webhook_events = extract_send_webhook_events_from_params(request.GET)
 
@@ -591,13 +598,17 @@ def post(self, request: Request, table_id: int, query_params) -> Response:
             else None
         )
 
+        view_id = query_params.get("view")
+        view = ViewHandler().get_view(view_id) if view_id else None
+
         try:
             row = action_type_registry.get_by_type(CreateRowActionType).do(
                 request.user,
                 table,
                 data,
                 model=model,
                 before_row=before_row,
+                view=view,
                 user_field_names=user_field_names,
                 send_webhook_events=send_webhook_events,
             )
@@ -740,6 +751,13 @@ class RowView(APIView):
                 type=OpenApiTypes.INT,
                 description="Returns the row related the provided value.",
             ),
+            OpenApiParameter(
+                name="view",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.INT,
+                description="Provide if the row if fetched in a view. This can result "
+                "in different permission checking and default values.",
+            ),
             OpenApiParameter(
                 name="user_field_names",
                 location=OpenApiParameter.QUERY,
@@ -800,7 +818,8 @@ class RowView(APIView):
         }
     )
     @allowed_includes("metadata")
-    def get(self, request, table_id, row_id, metadata):
+    @validate_query_parameters(GetRowQueryParamsSerializer)
+    def get(self, request, table_id, row_id, metadata, query_params: dict):
         """
         Responds with a serializer version of the row related to the provided row_id
         and table_id.
@@ -815,9 +834,12 @@ def get(self, request, table_id, row_id, metadata):
                 raise TokenCannotIncludeRowMetadata()
             token_handler.check_table_permissions(db_token, "read", table)
 
+        view_id = query_params.get("view")
+        view = ViewHandler().get_view(view_id) if view_id else None
+
         user_field_names = extract_user_field_names_from_params(request.GET)
         model = table.get_model()
-        row = RowHandler().get_row(request.user, table, row_id, model)
+        row = RowHandler().get_row(request.user, table, row_id, model, view=view)
         serializer_class = get_row_serializer_class(
             model, RowSerializer, is_response=True, user_field_names=user_field_names
         )
@@ -846,6 +868,13 @@ def get(self, request, table_id, row_id, metadata):
                 type=OpenApiTypes.INT,
                 description="Updates the row related to the value.",
             ),
+            OpenApiParameter(
+                name="view",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.INT,
+                description="Provide if the row is updated in a view. This can result "
+                "in different permission checking and default values.",
+            ),
             OpenApiParameter(
                 name="user_field_names",
                 location=OpenApiParameter.QUERY,
@@ -917,7 +946,10 @@ def get(self, request, table_id, row_id, metadata):
     )
     @atomic_with_retry_on_deadlock()
     @require_request_data_type(dict)
-    def patch(self, request: Request, table_id: int, row_id: int) -> Response:
+    @validate_query_parameters(UpdateRowQueryParamsSerializer)
+    def patch(
+        self, request: Request, table_id: int, row_id: int, query_params
+    ) -> Response:
         """
         Updates the row with the given row_id for the table with the given
         table_id. Also the post data is validated according to the tables field types.
@@ -935,6 +967,10 @@ def patch(self, request: Request, table_id: int, row_id: int) -> Response:
 
         user_field_names = extract_user_field_names_from_params(request.GET)
         send_webhook_events = extract_send_webhook_events_from_params(request.GET)
+
+        view_id = query_params.get("view")
+        view = ViewHandler().get_view(view_id) if view_id else None
+
         field_ids, field_names = None, None
 
         if user_field_names:
@@ -959,6 +995,7 @@ def patch(self, request: Request, table_id: int, row_id: int) -> Response:
                     table,
                     [data],
                     model=model,
+                    view=view,
                     send_webhook_events=send_webhook_events,
                 )
                 .updated_rows[0]
@@ -980,6 +1017,13 @@ def patch(self, request: Request, table_id: int, row_id: int) -> Response:
                 type=OpenApiTypes.INT,
                 description="Deletes the row in the table related to the value.",
             ),
+            OpenApiParameter(
+                name="view",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.INT,
+                description="Provide if the row is deleted in a view. This can result "
+                "in different permission checking and default values.",
+            ),
             OpenApiParameter(
                 name="row_id",
                 location=OpenApiParameter.PATH,
@@ -1028,7 +1072,8 @@ def patch(self, request: Request, table_id: int, row_id: int) -> Response:
         }
     )
     @atomic_with_retry_on_deadlock()
-    def delete(self, request, table_id, row_id):
+    @validate_query_parameters(DeleteRowQueryParamsSerializer)
+    def delete(self, request, table_id, row_id, query_params):
         """
         Deletes an existing row with the given row_id for table with the given
         table_id.
@@ -1039,8 +1084,15 @@ def delete(self, request, table_id, row_id):
         table = TableHandler().get_table(table_id)
         TokenHandler().check_table_permissions(request, "delete", table, False)
 
+        view_id = query_params.get("view")
+        view = ViewHandler().get_view(view_id) if view_id else None
+
         action_type_registry.get_by_type(DeleteRowActionType).do(
-            request.user, table, row_id, send_webhook_events=send_webhook_events
+            request.user,
+            table,
+            row_id,
+            view=view,
+            send_webhook_events=send_webhook_events,
         )
 
         return Response(status=204)
@@ -1184,6 +1236,13 @@ class BatchRowsView(APIView):
                 description="If provided then the newly created rows will be "
                 "positioned before the row with the provided id.",
             ),
+            OpenApiParameter(
+                name="view",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.INT,
+                description="Provide if the rows are created in a view. This can result "
+                "in different permission checking and default values.",
+            ),
             OpenApiParameter(
                 name="user_field_names",
                 location=OpenApiParameter.QUERY,
@@ -1283,6 +1342,9 @@ def post(self, request: Request, table_id: int, query_params) -> Response:
             else None
         )
 
+        view_id = query_params.get("view")
+        view = ViewHandler().get_view(view_id) if view_id else None
+
         row_validation_serializer = get_row_serializer_class(
             model, user_field_names=user_field_names
         )
@@ -1299,6 +1361,7 @@ def post(self, request: Request, table_id: int, query_params) -> Response:
                 table,
                 data["items"],
                 before_row,
+                view=view,
                 model=model,
                 send_webhook_events=send_webhook_events,
             )
@@ -1327,6 +1390,13 @@ def post(self, request: Request, table_id: int, query_params) -> Response:
                 type=OpenApiTypes.INT,
                 description="Updates the rows in the table.",
             ),
+            OpenApiParameter(
+                name="view",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.INT,
+                description="Provide if the rows are updated in a view. This can "
+                "result in different permission checking and default values.",
+            ),
             OpenApiParameter(
                 name="user_field_names",
                 location=OpenApiParameter.QUERY,
@@ -1407,7 +1477,8 @@ def post(self, request: Request, table_id: int, query_params) -> Response:
         }
     )
     @atomic_with_retry_on_deadlock()
-    def patch(self, request, table_id):
+    @validate_query_parameters(BatchUpdateRowsQueryParamsSerializer)
+    def patch(self, request, table_id, query_params):
         """
         Updates all provided rows at once for the table with
         the given table_id.
@@ -1421,6 +1492,9 @@ def patch(self, request, table_id):
         user_field_names = extract_user_field_names_from_params(request.GET)
         send_webhook_events = extract_send_webhook_events_from_params(request.GET)
 
+        view_id = query_params.get("view")
+        view = ViewHandler().get_view(view_id) if view_id else None
+
         row_validation_serializer = get_row_serializer_class(
             model,
             user_field_names=user_field_names,
@@ -1440,6 +1514,7 @@ def patch(self, request, table_id):
                 table,
                 data["items"],
                 model=model,
+                view=view,
                 send_webhook_events=send_webhook_events,
             )
             rows = updated_data.updated_rows
@@ -1474,6 +1549,13 @@ class BatchDeleteRowsView(APIView):
                 type=OpenApiTypes.INT,
                 description="Deletes the rows in the table related to the value.",
             ),
+            OpenApiParameter(
+                name="view",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.INT,
+                description="Provide if the rows are deleted in a view. This can "
+                "result in different permission checking and default values.",
+            ),
             OpenApiParameter(
                 name="send_webhook_events",
                 location=OpenApiParameter.QUERY,
@@ -1524,7 +1606,10 @@ class BatchDeleteRowsView(APIView):
         }
     )
     @atomic_with_retry_on_deadlock()
-    def post(self, request: Request, table_id: int, data: Dict[str, Any]) -> Response:
+    @validate_query_parameters(BatchDeleteRowsQueryParamsSerializer)
+    def post(
+        self, request: Request, table_id: int, data: Dict[str, Any], query_params
+    ) -> Response:
         """
         Batch deletes existing rows based on provided row ids for the table with
         the given table_id.
@@ -1535,10 +1620,14 @@ def post(self, request: Request, table_id: int, data: Dict[str, Any]) -> Respons
 
         send_webhook_events = extract_send_webhook_events_from_params(request.GET)
 
+        view_id = query_params.get("view")
+        view = ViewHandler().get_view(view_id) if view_id else None
+
         action_type_registry.get_by_type(DeleteRowsActionType).do(
             request.user,
             table,
             row_ids=data["items"],
+            view=view,
             send_webhook_events=send_webhook_events,
         )