Sākums Izpētīt Palīdzība
Pierakstīties
bux
/
tracim_v2
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 0 Vikivietne Aktivitāte
299 Revīzijas
1 Atzari
Koks: 8ab1bc2582
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '8ab1bc2582'
${ noResults }
tracim_v2/tracim/lib/utils/authorization.py

authorization.py 6.2KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181 
  1. # -*- coding: utf-8 -*-

  2. import typing

  3. from typing import TYPE_CHECKING

  4. import functools

  5. from pyramid.interfaces import IAuthorizationPolicy

  6. from zope.interface import implementer

  7. 

  8. from tracim.models.contents import NewContentType

  9. 

  10. try:

  11.     from json.decoder import JSONDecodeError

  12. except ImportError:  # python3.4

  13.     JSONDecodeError = ValueError

  14. 

  15. from tracim.exceptions import InsufficientUserWorkspaceRole

  16. from tracim.exceptions import ContentTypeNotAllowed

  17. from tracim.exceptions import InsufficientUserProfile

  18. if TYPE_CHECKING:

  19.     from tracim import TracimRequest

  20. ###

  21. # Pyramid default permission/authorization mecanism

  22. 

  23. # INFO - G.M - 12-04-2018 - Setiing a Default permission on view is

  24. #  needed to activate AuthentificationPolicy and

  25. # AuthorizationPolicy on pyramid request

  26. TRACIM_DEFAULT_PERM = 'tracim'

  27. 

  28. 

  29. @implementer(IAuthorizationPolicy)

  30. class AcceptAllAuthorizationPolicy(object):

  31.     """

  32.     Empty AuthorizationPolicy : Allow all request. As Pyramid need

  33.     a Authorization policy when we use AuthentificationPolicy, this

  34.     class permit use to disable pyramid authorization mecanism with

  35.     working a AuthentificationPolicy.

  36.     """

  37.     def permits(self, context, principals, permision):

  38.         return True

  39. 

  40.     def principals_allowed_by_permission(self, context, permission):

  41.         raise NotImplementedError()

  42. 

  43. ###

  44. # Authorization decorators for views

  45. 

  46. # INFO - G.M - 12-04-2018

  47. # Instead of relying on pyramid authorization mecanism

  48. # We prefer to use decorators

  49. 

  50. 

  51. def require_same_user_or_profile(group: int):

  52.     """

  53.     Decorator for view to restrict access of tracim request if candidate user

  54.     is distinct from authenticated user and not with high enough profile.

  55.     :param group: value from Group Object

  56.     like Group.TIM_USER or Group.TIM_MANAGER

  57.     :return:

  58.     """

  59.     def decorator(func):

  60.         @functools.wraps(func)

  61.         def wrapper(self, context, request: 'TracimRequest'):

  62.             auth_user = request.current_user

  63.             candidate_user = request.candidate_user

  64.             if auth_user.user_id == candidate_user.user_id or \

  65.                     auth_user.profile.id >= group:

  66.                 return func(self, context, request)

  67.             raise InsufficientUserProfile()

  68.         return wrapper

  69.     return decorator

  70. 

  71. 

  72. def require_profile(group: int):

  73.     """

  74.     Decorator for view to restrict access of tracim request if profile is

  75.     not high enough

  76.     :param group: value from Group Object

  77.     like Group.TIM_USER or Group.TIM_MANAGER

  78.     :return:

  79.     """

  80.     def decorator(func):

  81.         @functools.wraps(func)

  82.         def wrapper(self, context, request: 'TracimRequest'):

  83.             user = request.current_user

  84.             if user.profile.id >= group:

  85.                 return func(self, context, request)

  86.             raise InsufficientUserProfile()

  87.         return wrapper

  88.     return decorator

  89. 

  90. 

  91. def require_workspace_role(minimal_required_role: int):

  92.     """

  93.     Restricts access to endpoint to minimal role or raise an exception.

  94.     Check role for current_workspace.

  95.     :param minimal_required_role: value from UserInWorkspace Object like

  96.     UserRoleInWorkspace.CONTRIBUTOR or UserRoleInWorkspace.READER

  97.     :return: decorator

  98.     """

  99.     def decorator(func):

  100.         @functools.wraps(func)

  101.         def wrapper(self, context, request: 'TracimRequest'):

  102.             user = request.current_user

  103.             workspace = request.current_workspace

  104.             if workspace.get_user_role(user) >= minimal_required_role:

  105.                 return func(self, context, request)

  106.             raise InsufficientUserWorkspaceRole()

  107. 

  108.         return wrapper

  109.     return decorator

  110. 

  111. 

  112. def require_candidate_workspace_role(minimal_required_role: int):

  113.     """

  114.     Restricts access to endpoint to minimal role or raise an exception.

  115.     Check role for candidate_workspace.

  116.     :param minimal_required_role: value from UserInWorkspace Object like

  117.     UserRoleInWorkspace.CONTRIBUTOR or UserRoleInWorkspace.READER

  118.     :return: decorator

  119.     """

  120.     def decorator(func):

  121. 

  122.         def wrapper(self, context, request: 'TracimRequest'):

  123.             user = request.current_user

  124.             workspace = request.candidate_workspace

  125. 

  126.             if workspace.get_user_role(user) >= minimal_required_role:

  127.                 return func(self, context, request)

  128.             raise InsufficientUserWorkspaceRole()

  129. 

  130.         return wrapper

  131.     return decorator

  132. 

  133. 

  134. def require_content_types(content_types: typing.List['NewContentType']):

  135.     """

  136.     Restricts access to specific file type or raise an exception.

  137.     Check role for candidate_workspace.

  138.     :param content_types: list of NewContentType object

  139.     :return: decorator

  140.     """

  141.     def decorator(func):

  142.         @functools.wraps(func)

  143.         def wrapper(self, context, request: 'TracimRequest'):

  144.             content = request.current_content

  145.             if content.type in [content.slug for content in content_types]:

  146.                 return func(self, context, request)

  147.             raise ContentTypeNotAllowed()

  148.         return wrapper

  149.     return decorator

  150. 

  151. 

  152. def require_comment_ownership_or_role(

  153.         minimal_required_role_for_owner: int,

  154.         minimal_required_role_for_anyone: int,

  155. ) -> None:

  156.     """

  157.     Decorator for view to restrict access of tracim request if role is

  158.     not high enough and user is not owner of the current_content

  159.     :param minimal_required_role_for_owner_access: minimal role for owner

  160.     of current_content to access to this view

  161.     :param minimal_required_role_for_anyone: minimal role for anyone to

  162.     access to this view.

  163.     :return:

  164.     """

  165.     def decorator(func):

  166.         @functools.wraps(func)

  167.         def wrapper(self, context, request: 'TracimRequest'):

  168.             user = request.current_user

  169.             workspace = request.current_workspace

  170.             comment = request.current_comment

  171.             # INFO - G.M - 2018-06-178 - find minimal role required

  172.             if comment.owner.user_id == user.user_id:

  173.                 minimal_required_role = minimal_required_role_for_owner

  174.             else:

  175.                 minimal_required_role = minimal_required_role_for_anyone

  176.             # INFO - G.M - 2018-06-178 - normal role test

  177.             if workspace.get_user_role(user) >= minimal_required_role:

  178.                 return func(self, context, request)

  179.             raise InsufficientUserWorkspaceRole()

  180.         return wrapper

  181.     return decorator