def user_has_permission(user, obj, permission):
    """Decide whether ``user`` holds ``permission`` on ``obj``.

    Rules are tried in order and the first one that applies decides:

    1. superusers, and staff when ``settings.AUTHORIZATION_STAFF_OVERRIDE``
       is set;
    2. a global role, consulted only for product types and products (their
       child objects reach this rule by resolving to their product);
    3. product types: the user's own membership role, then the roles of the
       user's groups on that product type;
    4. products, for permissions at or above ``Product_View``: the parent
       product type first, then product membership, then product groups;
    5. engagements, tests, findings, finding groups, endpoints, languages,
       technologies and API scan configurations resolve to their owning
       product and re-enter this function;
    6. membership objects resolve to the product / product type / group they
       belong to, except that a member may always delete their own entry;
    7. groups: the user's membership role in that group.

    Raises:
        NoAuthorizationImplementedError: no rule covers ``obj``'s class for
        ``permission``; a product asked for a permission below
        ``Product_View`` ends up here as well.
    """
    if user.is_superuser:
        return True
    if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
        return True

    # Global roles are deliberately limited to product types and products;
    # everything else only sees them after resolving to its product.
    if isinstance(obj, (Product_Type, Product)) and user_has_global_permission(
            user, permission):
        return True

    def granted_by_role(lookup_member, lookup_groups):
        # Direct membership is tried first; group memberships are only
        # looked up when that does not grant the permission.
        member = lookup_member(user, obj)
        if member is not None and role_has_permission(member.role.id,
                                                      permission):
            return True
        return any(
            role_has_permission(group.role.id, permission)
            for group in lookup_groups(user, obj))

    if isinstance(obj, Product_Type):
        return granted_by_role(get_product_type_member,
                               get_product_type_groups)

    if isinstance(obj, Product) and permission.value >= Permissions.Product_View.value:
        # A product inherits whatever is granted on its product type.
        if user_has_permission(user, obj.prod_type, permission):
            return True
        return granted_by_role(get_product_member, get_product_groups)

    # (classes, permitted permissions, owner resolver, self-removal permission),
    # kept in the order the checks were originally chained.
    delegated = (
        (Engagement, Permissions.get_engagement_permissions,
         lambda o: o.product, None),
        (Test, Permissions.get_test_permissions,
         lambda o: o.engagement.product, None),
        ((Finding, Stub_Finding), Permissions.get_finding_permissions,
         lambda o: o.test.engagement.product, None),
        (Finding_Group, Permissions.get_finding_group_permissions,
         lambda o: o.test.engagement.product, None),
        (Endpoint, Permissions.get_endpoint_permissions,
         lambda o: o.product, None),
        (Languages, Permissions.get_language_permissions,
         lambda o: o.product, None),
        (App_Analysis, Permissions.get_technology_permissions,
         lambda o: o.product, None),
        (Product_API_Scan_Configuration,
         Permissions.get_product_api_scan_configuration_permissions,
         lambda o: o.product, None),
        (Product_Type_Member, Permissions.get_product_type_member_permissions,
         lambda o: o.product_type, Permissions.Product_Type_Member_Delete),
        (Product_Member, Permissions.get_product_member_permissions,
         lambda o: o.product, Permissions.Product_Member_Delete),
        (Product_Type_Group, Permissions.get_product_type_group_permissions,
         lambda o: o.product_type, None),
        (Product_Group, Permissions.get_product_group_permissions,
         lambda o: o.product, None),
    )
    for classes, permitted, owner_of, self_removal in delegated:
        if isinstance(obj, classes) and permission in permitted():
            if (self_removal is not None and permission == self_removal
                    and obj.user == user):
                # A member may always remove their own membership.
                return True
            return user_has_permission(user, owner_of(obj), permission)

    if isinstance(obj, Dojo_Group) and permission in Permissions.get_group_permissions():
        # Only the user's own membership role in the group counts here.
        membership = get_group_member(user, obj)
        return membership is not None and role_has_permission(
            membership.role.id, permission)

    if isinstance(obj, Dojo_Group_Member) and permission in Permissions.get_group_member_permissions():
        if permission == Permissions.Group_Member_Delete and obj.user == user:
            # A user may always remove themselves from a group.
            return True
        return user_has_permission(user, obj.group, permission)

    raise NoAuthorizationImplementedError(
        'No authorization implemented for class {} and permission {}'.
        format(type(obj).__name__, permission))
def user_has_permission(user, obj, permission):
    """Decide whether ``user`` holds ``permission`` on ``obj``.

    Rules are tried in order and the first one that applies decides:

    1. superusers, and staff when ``settings.AUTHORIZATION_STAFF_OVERRIDE``
       is set;
    2. a global role on the user, or on any of the user's groups — in this
       variant it is consulted for every object class, including groups and
       group memberships, before any class-specific rule;
    3. product types: the user's own membership role, then the roles of the
       user's groups on that product type;
    4. products, for permissions at or above ``Product_View``: the parent
       product type first, then product membership, then product groups;
    5. engagements, tests, findings, finding groups and endpoints resolve to
       their owning product and re-enter this function;
    6. membership objects resolve to the product / product type / group they
       belong to, except that a member may always delete their own entry;
    7. groups: the user's membership role in that group.

    Raises:
        NoAuthorizationImplementedError: no rule covers ``obj``'s class for
        ``permission``; a product asked for a permission below
        ``Product_View`` ends up here as well.
    """
    if user.is_superuser:
        return True
    if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
        return True

    def global_role_grants(holder):
        # hasattr tolerates users/groups that carry no global_role at all.
        if not hasattr(holder, 'global_role'):
            return False
        role = holder.global_role.role
        return role is not None and role_has_permission(role.id, permission)

    # The user's own global role is checked before those of the user's groups.
    if global_role_grants(user):
        return True
    if any(global_role_grants(group) for group in get_groups(user)):
        return True

    def granted_by_role(lookup_member, lookup_groups):
        # Direct membership is tried first; group memberships are only
        # looked up when that does not grant the permission.
        member = lookup_member(user, obj)
        if member is not None and role_has_permission(member.role.id,
                                                      permission):
            return True
        return any(
            role_has_permission(group.role.id, permission)
            for group in lookup_groups(user, obj))

    if isinstance(obj, Product_Type):
        return granted_by_role(get_product_type_member,
                               get_product_type_groups)

    if isinstance(obj, Product) and permission.value >= Permissions.Product_View.value:
        # A product inherits whatever is granted on its product type.
        if user_has_permission(user, obj.prod_type, permission):
            return True
        return granted_by_role(get_product_member, get_product_groups)

    # (classes, permitted permissions, owner resolver, self-removal permission),
    # kept in the order the checks were originally chained.
    delegated = (
        (Engagement, Permissions.get_engagement_permissions,
         lambda o: o.product, None),
        (Test, Permissions.get_test_permissions,
         lambda o: o.engagement.product, None),
        (Finding, Permissions.get_finding_permissions,
         lambda o: o.test.engagement.product, None),
        (Finding_Group, Permissions.get_finding_group_permissions,
         lambda o: o.test.engagement.product, None),
        (Endpoint, Permissions.get_endpoint_permissions,
         lambda o: o.product, None),
        (Product_Type_Member, Permissions.get_product_type_member_permissions,
         lambda o: o.product_type, Permissions.Product_Type_Member_Delete),
        (Product_Member, Permissions.get_product_member_permissions,
         lambda o: o.product, Permissions.Product_Member_Delete),
        (Product_Type_Group, Permissions.get_product_type_group_permissions,
         lambda o: o.product_type, None),
        (Product_Group, Permissions.get_product_group_permissions,
         lambda o: o.product, None),
    )
    for classes, permitted, owner_of, self_removal in delegated:
        if isinstance(obj, classes) and permission in permitted():
            if (self_removal is not None and permission == self_removal
                    and obj.user == user):
                # A member may always remove their own membership.
                return True
            return user_has_permission(user, owner_of(obj), permission)

    if isinstance(obj, Dojo_Group) and permission in Permissions.get_group_permissions():
        # Only the user's own membership role in the group counts here.
        membership = get_group_member(user, obj)
        return membership is not None and role_has_permission(
            membership.role.id, permission)

    if isinstance(obj, Dojo_Group_Member) and permission in Permissions.get_group_member_permissions():
        if permission == Permissions.Group_Member_Delete and obj.user == user:
            # A user may always remove themselves from a group.
            return True
        return user_has_permission(user, obj.group, permission)

    raise NoAuthorizationImplementedError(
        'No authorization implemented for class {} and permission {}'.
        format(type(obj).__name__, permission))