20 |
20 |
from django.core.validators import MinValueValidator
|
21 |
21 |
|
22 |
22 |
from . import utils, constants, managers, backends
|
|
23 |
from .exceptions import InsufficientAuthLevel
|
23 |
24 |
|
24 |
25 |
|
25 |
26 |
@six.python_2_unicode_compatible
|
... | ... | |
330 |
331 |
def get_all_permissions(self, obj=None):
|
331 |
332 |
return _user_get_all_permissions(self, obj)
|
332 |
333 |
|
|
334 |
def _check_auth_level(perm_func):
|
|
335 |
"""Add authentication level check to a permission control function.
|
|
336 |
|
|
337 |
perm_func can be passed a new keyword argument 'auth_level'. If
|
|
338 |
present, expect perm_func to be ran two times, once with the user
|
|
339 |
object annotated with an '_auth_level' attribute, and once without. If
|
|
340 |
the return values do not match, ie some permissions are not granted
|
|
341 |
when the user authentication level is taken into account, the decorator
|
|
342 |
will take care of raising an InsufficientAuthLevel exception.
|
|
343 |
"""
|
|
344 |
def wrapped_perm_func(self, *args, **kwargs):
|
|
345 |
auth_level = kwargs.pop('auth_level', None)
|
|
346 |
auth_level_result = None
|
|
347 |
|
|
348 |
if auth_level:
|
|
349 |
self._auth_level = auth_level
|
|
350 |
auth_level_result = perm_func(self, *args, **kwargs)
|
|
351 |
self._auth_level = None
|
|
352 |
if auth_level_result is True:
|
|
353 |
# Performance trick: if the function returns True, assume
|
|
354 |
# that we can return right away.
|
|
355 |
return True
|
|
356 |
|
|
357 |
new_result = perm_func(self, *args, **kwargs)
|
|
358 |
if auth_level and auth_level_result != new_result:
|
|
359 |
# Let the application know that permission could be granted
|
|
360 |
# with higher authentication level.
|
|
361 |
raise InsufficientAuthLevel
|
|
362 |
|
|
363 |
return new_result
|
|
364 |
return wrapped_perm_func
|
|
365 |
|
|
366 |
@_check_auth_level
|
333 |
367 |
def has_perm(self, perm, obj=None):
|
334 |
368 |
"""
|
335 |
369 |
Returns True if the user has the specified permission. This method
|
... | ... | |
346 |
380 |
# Otherwise we need to check the backends.
|
347 |
381 |
return _user_has_perm(self, perm, obj)
|
348 |
382 |
|
349 |
|
def has_perms(self, perm_list, obj=None):
|
|
383 |
def has_perms(self, perm_list, obj=None, auth_level=None):
|
350 |
384 |
"""
|
351 |
385 |
Returns True if the user has each of the specified permissions. If
|
352 |
386 |
object is passed, it checks if the user has all required perms for this
|
... | ... | |
357 |
391 |
return True
|
358 |
392 |
|
359 |
393 |
for perm in perm_list:
|
360 |
|
if not self.has_perm(perm, obj):
|
|
394 |
if not self.has_perm(perm, obj, auth_level=auth_level):
|
361 |
395 |
return False
|
362 |
396 |
return True
|
363 |
397 |
|
|
398 |
@_check_auth_level
|
364 |
399 |
def has_module_perms(self, app_label):
|
365 |
400 |
"""
|
366 |
401 |
Returns True if the user has any permissions in the given app label.
|
... | ... | |
372 |
407 |
|
373 |
408 |
return _user_has_module_perms(self, app_label)
|
374 |
409 |
|
|
410 |
@_check_auth_level
|
375 |
411 |
def filter_by_perm(self, perm_or_perms, qs):
|
376 |
412 |
results = []
|
377 |
413 |
for backend in auth.get_backends():
|
... | ... | |
382 |
418 |
else:
|
383 |
419 |
return qs
|
384 |
420 |
|
|
421 |
@_check_auth_level
|
385 |
422 |
def has_perm_any(self, perm_or_perms):
|
386 |
423 |
# Active superusers have all permissions.
|
387 |
424 |
if self.is_active and self.is_superuser:
|
... | ... | |
393 |
430 |
return True
|
394 |
431 |
return False
|
395 |
432 |
|
|
433 |
@_check_auth_level
|
396 |
434 |
def has_ou_perm(self, perm, ou):
|
397 |
435 |
# Active superusers have all permissions.
|
398 |
436 |
if self.is_active and self.is_superuser:
|
... | ... | |
404 |
442 |
return True
|
405 |
443 |
return False
|
406 |
444 |
|
|
445 |
@_check_auth_level
|
407 |
446 |
def ous_with_perm(self, perm, queryset=None):
|
408 |
447 |
return backends.DjangoRBACBackend().ous_with_perm(self, perm, queryset=queryset)
|
409 |
448 |
|
410 |
|
-
|
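Review bot: In `wrapped_perm_func`, `self._auth_level = None` runs only when `perm_func` returns, so an exception raised by a backend leaves the user object annotated and later checks on that instance are evaluated with the stale level (presumably the backends read `_auth_level`, though that is not shown here); the reset belongs in a `finally`. The `if auth_level:` test also treats a falsy level (0, if that is a valid value) the same as an absent one and returns the unannotated result, so `is not None` looks safer in both tests. The decorator is applied to `filter_by_perm` and `ous_with_perm` as well, which appear to return querysets rather than booleans; as far as I know `!=` on two querysets compares identity, so passing `auth_level` to them would presumably always raise `InsufficientAuthLevel`. The docstring should also say that omitting `auth_level` returns the unrestricted answer, since that makes the check opt-in for every caller.

```python
def wrapped_perm_func(self, *args, **kwargs):
    # … unchanged: pop auth_level from kwargs, auth_level_result = None …

    if auth_level is not None:
        self._auth_level = auth_level
        try:
            auth_level_result = perm_func(self, *args, **kwargs)
        finally:
            # Clear the annotation even when a backend raises.
            self._auth_level = None
        # … unchanged: early return when auth_level_result is True …

    new_result = perm_func(self, *args, **kwargs)
    if auth_level is not None and auth_level_result != new_result:
        # … unchanged: raise InsufficientAuthLevel …
```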