0001-base-grant-endpoint-permissions-using-roles-38365.patch

Valentin Deniaud, 11 décembre 2019 17:06

Voir les différences: en ligne côte à côte

Subject: [PATCH] base: grant endpoint permissions using roles (#38365)

 passerelle/base/forms.py                      | 19 +++++++---
 .../migrations/0017_auto_20191211_1509.py     | 35 +++++++++++++++++++
 passerelle/base/models.py                     | 27 ++++++++++++--
 passerelle/base/templatetags/passerelle.py    |  5 ++-
 passerelle/base/urls.py                       |  7 +++-
 passerelle/base/views.py                      | 29 +++++++++++----
 .../includes/access-rights-table.html         | 11 ++++++
 passerelle/utils/__init__.py                  | 13 +++++++
 8 files changed, 130 insertions(+), 16 deletions(-)
 create mode 100644 passerelle/base/migrations/0017_auto_20191211_1509.py

     from django import forms
     from .models import ApiUser, AccessRight, AvailabilityParameters
     from .models import ApiUser, AccessRight, RoleAccessRight, AvailabilityParameters
     class ApiUserForm(forms.ModelForm):
-...
             exclude = []
     class AccessRightForm(forms.ModelForm):
     class BaseAccessRightForm(forms.ModelForm):
         class Meta:
             model = AccessRight
             exclude = []
             abstract = True
             widgets = {
                 'codename': forms.HiddenInput(),
                 'resource_type': forms.HiddenInput(),
-...
+            }
     class AccessRightForm(BaseAccessRightForm):
         class Meta(BaseAccessRightForm.Meta):
             model = AccessRight
             fields = ['apiuser', 'codename', 'resource_type', 'resource_pk']
     class RoleAccessRightForm(BaseAccessRightForm):
         class Meta(BaseAccessRightForm.Meta):
             model = RoleAccessRight
             fields = ['role', 'codename', 'resource_type', 'resource_pk']
     class AvailabilityParametersForm(forms.ModelForm):
         class Meta:
             model = AvailabilityParameters

     # -*- coding: utf-8 -*-
     # Generated by Django 1.11.18 on 2019-12-11 14:09
     from __future__ import unicode_literals
     from django.db import migrations, models
     import django.db.models.deletion
     class Migration(migrations.Migration):
         dependencies = [
             ('contenttypes', '0002_remove_content_type_name'),
             ('auth', '0008_alter_user_username_max_length'),
             ('base', '0016_auto_20191002_1443'),
+        ]
         operations = [
             migrations.CreateModel(
                 name='RoleAccessRight',
                 fields=[
                     ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
                     ('codename', models.CharField(max_length=100, verbose_name=b'codename')),
                     ('resource_pk', models.PositiveIntegerField()),
                     ('resource_type', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='contenttypes.ContentType')),
                     ('role', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='auth.Group', verbose_name='Role')),
                 ],
                 options={
                     'permissions': (('view_accessright', 'Can view access right'),),
                 },
             ),
             migrations.AlterUniqueTogether(
                 name='roleaccessright',
                 unique_together=set([('codename', 'resource_type', 'resource_pk', 'role')]),
             ),
+        ]

     from django.apps import apps
     from django.conf import settings
     from django.contrib.auth.models import Group
     from django.core.exceptions import ValidationError, ObjectDoesNotExist, PermissionDenied
     from django.core.urlresolvers import reverse
     from django.db import connection, models, transaction
-...
                 exc_info=exc_info)
     class AccessRight(models.Model):
     class BaseAccessRight(models.Model):
         codename = models.CharField(max_length=100, verbose_name='codename')
         resource_type = models.ForeignKey(ContentType, on_delete=models.CASCADE)
         resource_pk = models.PositiveIntegerField()
         resource = fields.GenericForeignKey('resource_type', 'resource_pk')
         apiuser = models.ForeignKey(ApiUser, verbose_name=_('API User'), on_delete=models.CASCADE)
         class Meta:
             abstract = True
             permissions = (
                 ('view_accessright', 'Can view access right'),
+            )
     class AccessRight(BaseAccessRight):
         apiuser = models.ForeignKey(ApiUser, verbose_name=_('API User'), on_delete=models.CASCADE)
         class Meta(BaseAccessRight.Meta):
             unique_together = (
                 ('codename', 'resource_type', 'resource_pk', 'apiuser'),
+            )
         def __unicode__(self):
             return '%s (on %s <%s>) (for %s)' % (self.codename, self.resource_type, self.resource_pk, self.apiuser)
             return '%s (on %s <%s>) (for %s)' % (self.codename, self.resource_type,
                                                  self.resource_pk, self.apiuser)
     class RoleAccessRight(BaseAccessRight):
         role = models.ForeignKey(Group, verbose_name=_('Role'), on_delete=models.CASCADE)
         class Meta(BaseAccessRight.Meta):
             unique_together = (
                 ('codename', 'resource_type', 'resource_pk', 'role'),
+            )
         def __unicode__(self):
             return '%s (on %s <%s>) (for role %s)' % (self.codename, self.resource_type,
                                                       self.resource_pk, self.role.name)
     class LoggingParameters(models.Model):

     from django.template.defaultfilters import stringfilter
     from passerelle.utils import get_trusted_services
     from ..models import AccessRight, ResourceLog
     from ..models import AccessRight, RoleAccessRight, ResourceLog
     register = template.Library()
-...
     def access_rights_table(context, resource, permission):
         resource_type = ContentType.objects.get_for_model(resource)
         rights = AccessRight.objects.filter(resource_type=resource_type, resource_pk=resource.id, codename=permission)
         role_rights = RoleAccessRight.objects.filter(resource_type=resource_type, resource_pk=resource.id,
                                                      codename=permission)
         context['permission'] = permission
         context['access_rights_list'] = rights
         context['role_access_rights_list'] = role_rights
         context['resource_type'] = resource_type.id
         context['resource_pk'] = resource.id
         context['trusted_services'] = get_trusted_services()

     from .views import ApiUserCreateView, ApiUserUpdateView, ApiUserDeleteView, \
             ApiUserListView, AccessRightDeleteView, AccessRightCreateView, \
             LoggingParametersUpdateView, ManageAvailabilityView
             LoggingParametersUpdateView, ManageAvailabilityView, \
             RoleAccessRightDeleteView, RoleAccessRightCreateView
     access_urlpatterns = [
         url(r'^$', ApiUserListView.as_view(), name='apiuser-list'),
-...
             name='access-right-remove'),
         url(r'^accessright/add/(?P<resource_type>[\w,-]+)/(?P<resource_pk>[\w,-]+)/(?P<codename>[\w,-]+)/',
             AccessRightCreateView.as_view(), name='access-right-add'),
         url(r'^(?P<pk>[\w,-]+)/roleremove$', RoleAccessRightDeleteView.as_view(),
             name='role-access-right-remove'),
         url(r'^roleaccessright/add/(?P<resource_type>[\w,-]+)/(?P<resource_pk>[\w,-]+)/(?P<codename>[\w,-]+)/',
             RoleAccessRightCreateView.as_view(), name='role-access-right-add'),
         url(r'logging/parameters/(?P<resource_type>[\w,-]+)/(?P<resource_pk>[\w,-]+)/$',
             LoggingParametersUpdateView.as_view(), name='logging-parameters'),
         url(r'manage/availability/(?P<resource_type>[\w,-]+)/(?P<resource_pk>[\w,-]+)/$',

     from django.utils.timezone import make_aware
     from django.utils.translation import ugettext_lazy as _
     from .models import ApiUser, AccessRight, LoggingParameters, ResourceStatus, Job
     from .forms import ApiUserForm, AccessRightForm, AvailabilityParametersForm
     from .models import ApiUser, AccessRight, RoleAccessRight, LoggingParameters, ResourceStatus, Job
     from .forms import ApiUserForm, AccessRightForm, RoleAccessRightForm, AvailabilityParametersForm
     from ..views import GenericConnectorMixin
     from ..utils import get_trusted_services
-...
             return context
     class AccessRightDeleteView(DeleteView):
         model = AccessRight
     class BaseAccessRightDeleteView(DeleteView):
         template_name = 'passerelle/manage/accessright_confirm_delete.html'
         def get_object(self):
             object = super(AccessRightDeleteView, self).get_object()
             object = super(BaseAccessRightDeleteView, self).get_object()
             self.resource = object.resource
             return object
-...
             return self.resource.get_absolute_url()
     class AccessRightCreateView(CreateView):
     class AccessRightDeleteView(BaseAccessRightDeleteView):
         model = AccessRight
         form_class = AccessRightForm
     class RoleAccessRightDeleteView(BaseAccessRightDeleteView):
         model = RoleAccessRight
     class BaseAccessRightCreateView(CreateView):
         template_name = 'passerelle/manage/accessright_form.html'
         def get_initial(self):
-...
             return self.object.resource.get_absolute_url()
     class AccessRightCreateView(BaseAccessRightCreateView):
         model = AccessRight
         form_class = AccessRightForm
     class RoleAccessRightCreateView(BaseAccessRightCreateView):
         model = RoleAccessRight
         form_class = RoleAccessRightForm
     class LoggingParametersUpdateView(FormView):
         template_name = 'passerelle/manage/logging_parameters_form.html'

       {% endif %}
     </tr>
     {% endfor %}
     {% for object in role_access_rights_list %}
     <tr>
       <td>{{ object.role.name }}</td>
       <td> - </td>
       <td> - </td>
       {% if perms.base.delete_accessright %}
       <td><a rel="popup" class="icon-remove-sign" href="{% url 'role-access-right-remove' pk=object.id %}"></a></td>
       {% endif %}
     </tr>
     {% endfor %}
     {% for trusted_service in trusted_services %}
     <tr>
       <td>{{ trusted_service.title }} ({{ trusted_service.verif_orig }})</td>
-...
     {% if perms.base.add_accessright %}
     <p>
     <a rel="popup" class="icon-plus button" href="{% url 'access-right-add' resource_type=resource_type resource_pk=resource_pk codename=permission %}">{% trans 'Add' %}</a>
     <a rel="popup" class="icon-plus button" href="{% url 'role-access-right-add' resource_type=resource_type resource_pk=resource_pk codename=permission %}">{% trans 'Add role' %}</a>
     </p>
     {% endif %}

         return False
     def has_perm(user, obj, resource_type, perm):
         from passerelle.base.models import RoleAccessRight
         if user.is_anonymous:
             return False
         rights = RoleAccessRight.objects.filter(resource_type=resource_type,
                                                 resource_pk=obj.id, codename=perm)
         role_ids = [x.role.id for x in rights]
         return user.groups.filter(id__in=role_ids).exists()
     def is_authorized(request, obj, perm):
         from passerelle.base.models import AccessRight
         if is_trusted(request):
             return True
         resource_type = ContentType.objects.get_for_model(obj)
         if not request.user.is_anonymous and has_perm(request.user, obj, resource_type, perm):
             return True
         rights = AccessRight.objects.filter(resource_type=resource_type, resource_pk=obj.id, codename=perm)
         users = [x.apiuser for x in rights]
         return set(users).intersection(get_request_users(request))
+    -

Projet

Général

Profil

Produits Entr'ouvert » Passerelle

0001-base-grant-endpoint-permissions-using-roles-38365.patch