Access right mixin

Closes #588 (closed)

arkindex/project/mixins.py

 from django.conf import settings
 from django.core.exceptions import PermissionDenied
+from django.db.models import Q
 from django.shortcuts import get_object_or_404
 from django.views.decorators.cache import cache_page
 from rest_framework.exceptions import APIException, ValidationError
 from rest_framework.serializers import Serializer
 
+from arkindex.dataimport.models import Repository
 from arkindex.documents.models import Corpus, Right
 from arkindex.documents.serializers.search import SearchQuerySerializer
 from arkindex.project.elastic import ESQuerySet
 from arkindex.project.openapi import AutoSchema, SearchAutoSchema
 from arkindex.project.pagination import CustomCursorPagination
+from arkindex.users.models import Role
+from arkindex.users.utils import check_level_param, filter_rights
+
+
+class ACLMixin(object):
+    """
+    Access control mixin using the generic Right table.
+    """
+    _user = None
+
+    def __init__(self, user=None):
+        self._user = user
+
+    @property
+    def user(self):
+        return self._user or self.request.user
+
+    def has_access(self, instance, level):
+        check_level_param(level)
+
+        # Handle special authentications
+        if level <= Role.Guest.value and getattr(instance, 'public', False):
+            return True
+        if self.user.is_anonymous:
+            return False
+        elif self.user.is_admin or self.user.is_internal:
+            return True
+
+        return instance.memberships.filter(
+            Q(
+                # Right direcly owned by this user
+                Q(user=self.user)
+                & Q(level__gte=level)
+            )
+            | Q(
+                # Right owned by the group and by the user
+                Q(group__memberships__user=self.user)
+                & Q(level__gte=level)
+                & Q(group__memberships__level__gte=level)
+            )
+        ).exists()
+
+
+class RepositoryACLMixin(ACLMixin):
+
+    @property
+    def readable_repositories(self):
+        return Repository.objects.filter(
+            id__in=filter_rights(self.user, Repository, Role.Guest.value).values('id')
+        )
+
+    @property
+    def executable_repositories(self):
+        return Repository.objects.filter(
+            id__in=filter_rights(self.user, Repository, Role.Contributor.value).values('id')
+        )
+
+    def has_read_access(self, repo):
+        return self.has_access(repo, Role.Guest.value)
+
+    def has_execution_access(self, repo):
+        return self.has_access(repo, Role.Contributor.value)
+
+    def has_admin_access(self, repo):
+        return self.has_access(repo, Role.Admin.value)
+
+
+class NewCorpusACLMixin(ACLMixin):
+
+    @property
+    def readable_corpora(self):
+        return Corpus.objects.filter(
+            id__in=filter_rights(self.user, Corpus, Role.Guest.value).values('id')
+        )
+
+    @property
+    def writable_corpora(self):
+        return Corpus.objects.filter(
+            id__in=filter_rights(self.user, Corpus, Role.Contributor.value).values('id')
+        )
+
+    def has_read_access(self, corpus):
+        return self.has_access(corpus, Role.Guest.value)
+
+    def has_write_access(self, corpus):
+        return self.has_access(corpus, Role.Contributor.value)
+
+    def has_admin_access(self, corpus):
+        return self.has_access(corpus, Role.Admin.value)
 
 
 class CorpusACLMixin(object):