0001-delegate-permission-checking-to-mellon-if-possible.patch

Valentin Deniaud, 17 juillet 2019 17:07

Voir les différences: en ligne côte à côte

Subject: [PATCH 1/3] delegate permission checking to mellon if possible

We pass request instead of user in permission method because mellon
wants to look inside the session.

 chrono/agendas/models.py | 35 ++++++++++++++++++++++++-----------
 chrono/exceptions.py     |  5 +++++
 chrono/manager/views.py  | 33 +++++++++++++++++++++------------
 chrono/settings.py       |  1 +
 4 files changed, 51 insertions(+), 23 deletions(-)
 create mode 100644 chrono/exceptions.py

     from jsonfield import JSONField
     from ..interval import Intervals
     from chrono.exceptions import RolesNotInSession
     from chrono.interval import Intervals
     try:
         from mellon.utils import user_has_role
     except ImportError:
         def user_has_role(request, role):
             if request.user.is_staff:
                 return True
             return request.user.groups.filter(id=role.id).exists()
     AGENDA_KINDS = (
-...
         def get_absolute_url(self):
             return reverse('chrono-manager-agenda-view', kwargs={'pk': self.id})
         def can_be_managed(self, user):
             if user.is_staff:
                 return True
             group_ids = [x.id for x in user.groups.all()]
             return bool(self.edit_role_id in group_ids)
         def can_be_managed(self, request):
             return user_has_role(request, self.edit_role)
         def can_be_viewed(self, user):
             if self.can_be_managed(user):
                 return True
             group_ids = [x.id for x in user.groups.all()]
             return bool(self.view_role_id in group_ids)
         def can_be_viewed(self, request):
             could_be_managed = False
             try:
                 if self.can_be_managed(request):
                     return True
             except RolesNotInSession as e:
                 could_be_managed = e
             has_role = user_has_role(request, self.view_role)
             if not has_role and could_be_managed:
                 raise could_be_managed
             return has_role
         def get_base_meeting_duration(self):
             durations = [x.duration for x in MeetingType.objects.filter(agenda=self)]

chrono/exceptions.py
	1	try:
	2	from mellon.exceptions import RolesNotInSession
	3	except ImportError:
	4	class RolesNotInSession(Exception):
	5	pass

     from chrono.agendas.models import (Agenda, Event, MeetingType, TimePeriod,
                                        Booking, Desk, TimePeriodException,
                                        ICSError, AgendaImportError)
     from chrono.exceptions import RolesNotInSession
     from .forms import (AgendaAddForm, AgendaEditForm, EventForm, NewMeetingTypeForm, MeetingTypeForm,
                         TimePeriodForm, ImportEventsForm, NewDeskForm, DeskForm, TimePeriodExceptionForm,
-...
         def get_object(self, queryset=None):
             obj = super(AgendaEditView, self).get_object(queryset=queryset)
             if not obj.can_be_managed(self.request.user):
             if not obj.can_be_managed(self.request):
                 raise PermissionDenied()
             return obj
-...
                 agenda = Agenda.objects.get(id=kwargs.get('pk'))
             except Agenda.DoesNotExist:
                 raise Http404()
             if not agenda.can_be_viewed(self.request.user):
             if not agenda.can_be_viewed(self.request):
                 raise PermissionDenied()
             if agenda.kind == 'meetings':
-...
             self.agenda = get_object_or_404(Agenda, id=kwargs.get('pk'))
             if self.agenda.kind != 'meetings':
                 raise Http404()
             if not self.agenda.can_be_viewed(request.user):
             if not self.agenda.can_be_viewed(request):
                 raise PermissionDenied()
             # specify 6am time to get the expected timezone on daylight saving time
-...
                 self.agenda = Agenda.objects.get(id=kwargs.get('pk'))
             except Agenda.DoesNotExist:
                 raise Http404()
             if not self.agenda.can_be_managed(request.user):
             if not self.agenda.can_be_managed(request):
                 raise PermissionDenied()
             return super(ManagedAgendaMixin, self).dispatch(request, *args, **kwargs)
-...
         def dispatch(self, request, *args, **kwargs):
             self.agenda = self.get_object().agenda
             if not self.agenda.can_be_managed(request.user):
             if not self.agenda.can_be_managed(request):
                 raise PermissionDenied()
             return super(ManagedAgendaSubobjectMixin, self).dispatch(request, *args, **kwargs)
-...
                 self.desk = Desk.objects.get(id=kwargs.get('pk'))
             except Desk.DoesNotExist:
                 raise Http404()
             if not self.desk.agenda.can_be_managed(request.user):
             if not self.desk.agenda.can_be_managed(request):
                 raise PermissionDenied()
             return super(ManagedDeskMixin, self).dispatch(request, *args, **kwargs)
-...
         def dispatch(self, request, *args, **kwargs):
             self.desk = self.get_object().desk
             if not self.desk.agenda.can_be_managed(request.user):
             if not self.desk.agenda.can_be_managed(request):
                 raise PermissionDenied()
             return super(ManagedDeskSubobjectMixin, self).dispatch(request, *args, **kwargs)
-...
                 self.agenda = Agenda.objects.get(id=kwargs.get('pk'))
             except Agenda.DoesNotExist:
                 raise Http404()
             if not self.agenda.can_be_managed(request.user):
                 # "events" agendas settings page can be access by user with the
                 # view permission as there are no other "view" page for this type
                 # of agenda.
                 if self.agenda.kind != 'events' or not self.agenda.can_be_viewed(request.user):
             # Do something different here as "events" agendas settings page can be
             # access by user with the view permission as there are no other "view"
             # page for this type of agenda.
             raised_exception = None
             try:
                 can_be_managed = self.agenda.can_be_managed(request)
             except RolesNotInSession as e:
                 can_be_managed = False
                 raised_exception = e
             if not can_be_managed:
                 if self.agenda.kind != 'events' or not self.agenda.can_be_viewed(request):
                     if raised_exception:
                         raise raised_exception
                     raise PermissionDenied()
             return super(DetailView, self).dispatch(request, *args, **kwargs)

             'mellon.backends.SAMLBackend',
             'django.contrib.auth.backends.ModelBackend',
+        )
         MIDDLEWARE_CLASSES += ('mellon.middleware.RolesRequestMiddleware',)
     LOGIN_URL = '/login/'
     LOGIN_REDIRECT_URL = '/'
+    -

Projet

Général

Profil

Produits Entr'ouvert » Chrono

0001-delegate-permission-checking-to-mellon-if-possible.patch