Accueil Explorateur Aide
Connexion
bux
/
tracim_v2
Suivre 1
Voter 0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
285 Révisions
1 Branches
Aborescence: 88e7036abe
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '88e7036abe'
${ noResults }
tracim_v2/tracim/lib/utils/authorization.py

authorization.py 4.2KB
Historique Brut

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127 
  1. # -*- coding: utf-8 -*-

  2. from typing import TYPE_CHECKING

  3. import functools

  4. from pyramid.interfaces import IAuthorizationPolicy

  5. from zope.interface import implementer

  6. try:

  7.     from json.decoder import JSONDecodeError

  8. except ImportError:  # python3.4

  9.     JSONDecodeError = ValueError

  10. 

  11. from tracim.exceptions import InsufficientUserWorkspaceRole

  12. from tracim.exceptions import InsufficientUserProfile

  13. if TYPE_CHECKING:

  14.     from tracim import TracimRequest

  15. ###

  16. # Pyramid default permission/authorization mecanism

  17. 

  18. # INFO - G.M - 12-04-2018 - Setiing a Default permission on view is

  19. #  needed to activate AuthentificationPolicy and

  20. # AuthorizationPolicy on pyramid request

  21. TRACIM_DEFAULT_PERM = 'tracim'

  22. 

  23. 

  24. @implementer(IAuthorizationPolicy)

  25. class AcceptAllAuthorizationPolicy(object):

  26.     """

  27.     Empty AuthorizationPolicy : Allow all request. As Pyramid need

  28.     a Authorization policy when we use AuthentificationPolicy, this

  29.     class permit use to disable pyramid authorization mecanism with

  30.     working a AuthentificationPolicy.

  31.     """

  32.     def permits(self, context, principals, permision):

  33.         return True

  34. 

  35.     def principals_allowed_by_permission(self, context, permission):

  36.         raise NotImplementedError()

  37. 

  38. ###

  39. # Authorization decorators for views

  40. 

  41. # INFO - G.M - 12-04-2018

  42. # Instead of relying on pyramid authorization mecanism

  43. # We prefer to use decorators

  44. 

  45. 

  46. def require_same_user_or_profile(group: int):

  47.     """

  48.     Decorator for view to restrict access of tracim request if candidate user

  49.     is distinct from authenticated user and not with high enough profile.

  50.     :param group: value from Group Object

  51.     like Group.TIM_USER or Group.TIM_MANAGER

  52.     :return:

  53.     """

  54.     def decorator(func):

  55.         @functools.wraps(func)

  56.         def wrapper(self, context, request: 'TracimRequest'):

  57.             auth_user = request.current_user

  58.             candidate_user = request.candidate_user

  59.             if auth_user.user_id == candidate_user.user_id or \

  60.                     auth_user.profile.id >= group:

  61.                 return func(self, context, request)

  62.             raise InsufficientUserProfile()

  63.         return wrapper

  64.     return decorator

  65. 

  66. 

  67. def require_profile(group: int):

  68.     """

  69.     Decorator for view to restrict access of tracim request if profile is

  70.     not high enough

  71.     :param group: value from Group Object

  72.     like Group.TIM_USER or Group.TIM_MANAGER

  73.     :return:

  74.     """

  75.     def decorator(func):

  76.         @functools.wraps(func)

  77.         def wrapper(self, context, request: 'TracimRequest'):

  78.             user = request.current_user

  79.             if user.profile.id >= group:

  80.                 return func(self, context, request)

  81.             raise InsufficientUserProfile()

  82.         return wrapper

  83.     return decorator

  84. 

  85. 

  86. def require_workspace_role(minimal_required_role: int):

  87.     """

  88.     Restricts access to endpoint to minimal role or raise an exception.

  89.     Check role for current_workspace.

  90.     :param minimal_required_role: value from UserInWorkspace Object like

  91.     UserRoleInWorkspace.CONTRIBUTOR or UserRoleInWorkspace.READER

  92.     :return: decorator

  93.     """

  94.     def decorator(func):

  95.         @functools.wraps(func)

  96.         def wrapper(self, context, request: 'TracimRequest'):

  97.             user = request.current_user

  98.             workspace = request.current_workspace

  99.             if workspace.get_user_role(user) >= minimal_required_role:

  100.                 return func(self, context, request)

  101.             raise InsufficientUserWorkspaceRole()

  102. 

  103.         return wrapper

  104.     return decorator

  105. 

  106. 

  107. def require_candidate_workspace_role(minimal_required_role: int):

  108.     """

  109.     Restricts access to endpoint to minimal role or raise an exception.

  110.     Check role for candidate_workspace.

  111.     :param minimal_required_role: value from UserInWorkspace Object like

  112.     UserRoleInWorkspace.CONTRIBUTOR or UserRoleInWorkspace.READER

  113.     :return: decorator

  114.     """

  115.     def decorator(func):

  116. 

  117.         def wrapper(self, context, request: 'TracimRequest'):

  118.             user = request.current_user

  119.             workspace = request.candidate_workspace

  120. 

  121.             if workspace.get_user_role(user) >= minimal_required_role:

  122.                 return func(self, context, request)

  123.             raise InsufficientUserWorkspaceRole()

  124. 

  125.         return wrapper

  126.     return decorator