Project

General

Profile

0005-manager-differentiate-perm-granted-while-ignoring-au.patch

Valentin Deniaud, 28 May 2019 05:24 PM

Download (4 KB)

View differences: 

Subject: [PATCH 5/8] manager: differentiate perm granted while ignoring auth
 level (#33515)

95% of the uses of can_{action} permission attributes should be done
while ignoring authentication levels, because they control buttons
display in templates. But for the remaining part, we need to know if the
permission is really accessible to the user, which is currently hard to
tell.
This commit adds an explicit way to do so by introducing could_{action}
attributes, that represent permissions granted when ignoring
authentication levels. can_{action} attributes now represent permissions
that the user is really able to use.

Hence we'll have to replace can_ attributes by could_ in most places, while
leaving them be in the places that actually motivate this commit.

 src/authentic2/manager/views.py | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)
src/authentic2/manager/views.py
from gadjo.templatetags.gadjo import xstatic
from django_rbac.exceptions import InsufficientAuthLevel
from django_rbac.utils import get_ou_model
from authentic2.data_transfer import export_site, import_site, DataImportError, ImportContext
......
'''Control access to views based on permissions'''
permissions = None
@staticmethod
def can_and_could(user, perm, auth_level, obj=None):
try:
can = could = user.has_perm(perm, obj, auth_level=auth_level) if obj \
else user.has_perm_any(perm, auth_level=auth_level)
except InsufficientAuthLevel:
can = False
could = True
return can, could
def authorize(self, request, *args, **kwargs):
auth_level = request.session.get('auth_level', 1)
if hasattr(self, 'model'):
app_label = self.model._meta.app_label
model_name = self.model._meta.model_name
add_perm = '%s.add_%s' % (app_label, model_name)
self.can_add = request.user.has_perm_any(add_perm)
self.can_add, self.could_add = \
self.can_and_could(request.user, add_perm, auth_level)
if hasattr(self, 'get_object') \
and ((hasattr(self, 'pk_url_kwarg')
and self.pk_url_kwarg in self.kwargs)
or (hasattr(self, 'slug_url_kwarg')
and self.slug_url_kwarg in self.kwargs)):
self.object = self.get_object()
view_perm = '%s.view_%s' % (app_label, model_name)
change_perm = '%s.change_%s' % (app_label, model_name)
delete_perm = '%s.delete_%s' % (app_label, model_name)
self.can_view = request.user.has_perm(view_perm, self.object)
self.can_change = request.user.has_perm(change_perm,
self.object)
self.can_delete = request.user.has_perm(delete_perm,
self.object)
actions = ('view', 'change', 'delete')
for action in actions:
perm = '%s.%s_%s' % (app_label, action, model_name)
can, could = self.can_and_could(request.user, perm, auth_level,
self.object)
setattr(self, 'can_' + action, can)
setattr(self, 'could_' + action, could)
if self.permissions \
and not request.user.has_perms(
self.permissions, self.object, auth_level=auth_level):