refactor authorization/authen with workspace_specific role

tracim/__init__.py

 from tracim.config import CFG
 from tracim.lib.utils.auth import check_credentials
 from tracim.lib.utils.auth import Root
+from tracim.lib.utils.auth import BASIC_AUTH_WEBUI_REALM
 from tracim.views.example_api.example_api_controller import ExampleApiController
 from tracim.views.default.default_controller import DefaultController
 
     settings['CFG'] = app_config
     configurator = Configurator(settings=settings, autocommit=True)
     # Add BasicAuthPolicy + ACL AuthorizationPolicy
-    authn_policy = BasicAuthAuthenticationPolicy(check_credentials)
+    authn_policy = BasicAuthAuthenticationPolicy(
+        check_credentials,
+        realm=BASIC_AUTH_WEBUI_REALM,
+    )
     configurator.set_authorization_policy(ACLAuthorizationPolicy())
     configurator.set_authentication_policy(authn_policy)
     configurator.set_root_factory(lambda request: Root())

tracim/lib/utils/auth.py

+# -*- coding: utf-8 -*-
 import typing
+
+from json.decoder import JSONDecodeError
+from sqlalchemy.orm.exc import NoResultFound
+
+from pyramid.request import Request
 from pyramid.security import ALL_PERMISSIONS
 from pyramid.security import Allow
-from pyramid.security import Authenticated
-from tracim.lib.core.user import UserApi
+from pyramid.security import unauthenticated_userid
+
 from tracim.models.auth import Group
+from tracim.models.auth import User
+from tracim.models.data import Workspace
+from tracim.models.data import UserRoleInWorkspace
+from tracim.lib.core.user import UserApi
 from tracim.lib.core.workspace import WorkspaceApi
+from tracim.lib.core.userworkspace import RoleApi
 
 # INFO - G.M - 06-04-2018 - Auth for pyramid
 # based on this tutorial : https://docs.pylonsproject.org/projects/pyramid-cookbook/en/latest/auth/basic.html  # nopep8
+BASIC_AUTH_WEBUI_REALM = "tracim"
 
+# Global Permissions
+ADMIN_PERM = 'admin'
+MANAGE_GLOBAL_PERM = 'manage_global'
+USER_PERM = 'user'
+# Workspace-specific permission
+READ_PERM = 'read'
+CONTRIBUTE_PERM = 'contribute'
+MANAGE_CONTENT_PERM = 'manage_content'
+MANAGE_WORKSPACE_PERM = 'manage_workspace'
 
-def check_credentials(username, password, request) -> typing.Optional[dict]:
-    permissions = None
+
+def get_user(request: Request) -> typing.Optional[User]:
+    """
+    Get current pyramid user from request
+    :param request: pyramid request
+    :return:
+    """
     app_config = request.registry.settings['CFG']
     uapi = UserApi(None, session=request.dbsession, config=app_config)
+    user = None
     try:
-        user = uapi.get_one_by_email(username)
-        if user.validate_password(password):
-            permissions = []
-            for group in user.groups:
-                permissions.append(group.group_name)
-            # TODO - G.M - 06-04-2018 - Add workspace specific permission ?
-    # TODO - G.M - 06-04-2018 - Better catch for exception of bad password, bad
-    # user
-    except:
+        login = unauthenticated_userid(request)
+        user = uapi.get_one_by_email(login)
+    except NoResultFound:
         pass
+    return user
+
+
+def get_workspace(request: Request) -> typing.Optional[Workspace]:
+    """
+    Get current workspace from request
+    :param request: pyramid request
+    :return:
+    """
+    workspace = None
+    try:
+        if 'workspace_id' not in request.json_body:
+            return None
+        workspace_id = request.json_body['workspace_id']
+        wapi = WorkspaceApi(current_user=None, session=request.dbsession)
+        workspace = wapi.get_one(workspace_id)
+    except JSONDecodeError:
+        pass
+    except NoResultFound:
+        pass
+    return workspace
+
+
+def check_credentials(
+        login: str,
+        cleartext_password: str,
+        request: Request
+) -> typing.Optional[list]:
+    """
+    Check credential for pyramid basic_auth, checks also for
+    global and Workspace related permissions.
+    :param login: login of user
+    :param cleartext_password: user password in cleartext
+    :param request: Pyramid request
+    :return: None if auth failed, list of permissions if auth succeed
+    """
+    user = get_user(request)
+
+    # Do not accept invalid user
+    if not user \
+            or user.email != login \
+            or not user.validate_password(cleartext_password):
+        return None
+    permissions = []
+
+    # Global groups
+    for group in user.groups:
+        permissions.append(group.group_id)
+
+    # Current workspace related group
+    workspace = get_workspace(request)
+    if workspace:
+        roleapi = RoleApi(current_user=user, session=request.dbsession)
+        role = roleapi.get_one(
+            user_id=user.user_id,
+            workspace_id=workspace.workspace_id,
+        )
+        permissions.append(role)
+
     return permissions
 
 
-class Root:
-    # root
-    __acl__ = (
-        (Allow, Group.TIM_ADMIN_GROUPNAME, ALL_PERMISSIONS),
-        (Allow, Group.TIM_MANAGER_GROUPNAME, 'manager'),
-        (Allow, Group.TIM_USER_GROUPNAME, 'user'),
-    )
+class Root(object):
+    """
+    Root of all Pyramid requests, used to store global acl
+    """
+    __acl__ = ()

tracim/views/default/default_controller.py

 from pyramid.httpexceptions import HTTPForbidden
 from pyramid.security import forget
 
+from tracim.lib.utils.auth import MANAGE_CONTENT_PERM
+from tracim.lib.utils.auth import MANAGE_WORKSPACE_PERM
+from tracim.lib.utils.auth import MANAGE_GLOBAL_PERM
+from tracim.lib.utils.auth import READ_PERM
+from tracim.lib.utils.auth import CONTRIBUTE_PERM
+from tracim.lib.utils.auth import ADMIN_PERM
+from tracim.lib.utils.auth import USER_PERM
+
 
 class DefaultController(Controller):
 
         return {'project': project}
 
     @classmethod
+    def test_contributor_page(cls, request):
+        try:
+            app_config = request.registry.settings['CFG']
+            project = 'contributor'
+        except Exception as e:
+            return Response(e, content_type='text/plain', status=500)
+        return {'project': project}
+
+    @classmethod
     def test_admin_page(cls, request):
         try:
             app_config = request.registry.settings['CFG']
             return Response(e, content_type='text/plain', status=500)
         return {'project': project}
 
-
     def bind(self, configurator: Configurator):
         configurator.add_static_view('static', 'static', cache_max_age=3600)
         configurator.add_view(
             renderer='tracim:templates/mytemplate.jinja2',
         )
 
+        configurator.add_route('test_contributor', '/test_contributor')
+        configurator.add_view(
+            self.test_contributor_page,
+            route_name='test_contributor',
+            renderer='tracim:templates/mytemplate.jinja2',
+            permission=CONTRIBUTE_PERM,
+        )
         configurator.add_route('test_admin', '/test_admin')
         configurator.add_view(
             self.test_admin_page,
             route_name='test_admin',
             renderer='tracim:templates/mytemplate.jinja2',
-            permission='admin',
+            permission=ADMIN_PERM,
         )
         configurator.add_route('test_manager', '/test_manager')
         configurator.add_view(
             self.test_user_page,
             route_name='test_manager',
             renderer='tracim:templates/mytemplate.jinja2',
-            permission='manager',
+            permission=MANAGE_GLOBAL_PERM,
         )
         configurator.add_route('test_user', '/test_user')
         configurator.add_view(
             self.test_user_page,
             route_name='test_user',
             renderer='tracim:templates/mytemplate.jinja2',
-            permission='user',
+            permission=USER_PERM,
         )
         configurator.add_forbidden_view(self.forbidden_view)