def decorated_view(*args, **kwargs):
permission = Permission(*[RoleNeed(role) for role in roles])
if permission.can():
return fn(*args, **kwargs)
return lm.unauthorized()
from flask import url_for, redirect, request, current_app
from flask_admin.contrib.sqla import ModelView
from flask_admin import AdminIndexView, helpers, expose
from werkzeug.security import generate_password_hash
from flask_login import current_user, login_user, logout_user
from models import User, Role, Device, Platforms_info, Ip, Project, Domain, Port, App
from forms import LoginForm
from flask_principal import (ActionNeed, AnonymousIdentity, Identity,
identity_changed, identity_loaded, Permission,
Principal, RoleNeed, Denial)
# Initialize flask-principal
prcp = Principal()
anon_permission = Permission()
admin_permission = Permission(RoleNeed('Admin'))
admin_or_editor = Permission(RoleNeed('Admin'), RoleNeed('Devlop'))
devlop_permission = Permission(RoleNeed('Devlop'))
admin_denied = Denial(RoleNeed('Admin'))
# Create customized model view class
class UserModelView(ModelView):
can_export = True
can_view_details = True
column_exclude_list = [
'password',
]
column_searchable_list = ('real_name', 'login', Role.name)
column_display_all_relations = True
login_manager.session_protection = 'strong'
login_manager.login_message = 'Please login to access this page.'
login_manager.login_message_category = 'info'
@login_manager.user_loader
def load_user(user_id):
from models import User
return User.query.filter_by(id=user_id).first()
#创建principal实例
principals = Principal()
#设置了三种权限,会绑定到identity之后才发挥作用
admin_permission = Permission(RoleNeed('admin'))
poster_permission = Permission(RoleNeed('poster'))
default_permission = Permission(RoleNeed('default'))
#创建celery实例
flask_celery = Celery()
#创建mail实例
mail = Mail()
#创建cache实例
cache = Cache()
#创建assets实例
assets_env = Environment()
main_css = Bundle('css/bootstrap.css',
from flask_login import LoginManager
from flask_principal import Principal, Permission, RoleNeed
from pony.flask import Pony
from sqlalchemy import engine_from_config
from .models import User, db
from .utils.fetcher import Http_Fetcher
from .utils.scheduler import RMFScheduler
from .utils.app_logger import setup_log
login_manager = LoginManager()
login_manager.login_view = 'main.login'
login_manager.login_message = 'Пожалуйста, авторизуйтесь'
principals = Principal()
admin_permission = Permission(RoleNeed('admin'), RoleNeed('su'))
su_permission = Permission(RoleNeed('su'))
fetcher = Http_Fetcher()
scheduler = RMFScheduler()
def create_app(config=None):
app = Flask(__name__)
formatter = logging.Formatter(
'%(asctime)s - %(name)s - %(levelname)s - %(message)s')
file_handler = TimedRotatingFileHandler('app/logs/application.log',
when="midnight",
backupCount=7)
file_handler.setFormatter(formatter)
file_handler.setLevel(logging.DEBUG)
import json
from flask import (
jsonify, render_template, request
)
from flask_principal import Permission, RoleNeed
from mes.revise import bp
from model import *
admin_permission = Permission(RoleNeed('super'))
user_permission = Permission(RoleNeed('user'))
@bp.route('/bad_revise')
def bad_revise():
return render_template('main/revise/bad_revise.html')
@bp.route("/ajax_revise_get_bad", methods=['GET'])
def ajax_revise_get_bad():
q_bad = BadList.query.all()
bad_list = []
for bad in q_bad:
temp = {}
temp['bad_name'] = bad.bad_name
temp['bad_code'] = bad.bad_code
bad_list.append(temp)
return jsonify(bad_list)
# Path to app root dir
APP_ROOT = os.path.dirname(os.path.abspath(__file__))
#: Default cache type.
CACHE_TYPE = "redis"
#: Default cache URL for sessions.
ACCESS_SESSION_REDIS_HOST = os.environ.get('APP_ACCESS_SESSION_REDIS_HOST',
'localhost')
#: Cache for storing access restrictions
ACCESS_CACHE = 'cap.modules.cache:current_cache'
#: E-Groups for superuser rights
SUPERUSER_EGROUPS = [
RoleNeed('*****@*****.**'),
RoleNeed('*****@*****.**'),
]
# Records
# =======
#: Records sort/facets options
RECORDS_REST_SORT_OPTIONS = dict(records=dict(
bestmatch=dict(
title=_('Best match'),
fields=['_score'],
order=1,
),
mostrecent=dict(
title=_('Most recent'),
fields=['_updated'],
from flask_principal import Permission, RoleNeed
admin_permission = Permission(RoleNeed('admin'))
vip_permission = Permission(RoleNeed('vip'))
if os.path.isfile(app_config_file):
app.config.from_pyfile(app_config_file, silent=True)
elif platform == "linux2" and os.path.isfile('/etc/astrobox/application.cfg'):
app.config.from_pyfile('/etc/astrobox/application.cfg', silent=True)
assets = Environment(app)
Compress(app)
userManager = None
eventManager = None
loginManager = None
softwareManager = None
discoveryManager = None
principals = Principal(app)
admin_permission = Permission(RoleNeed("admin"))
user_permission = Permission(RoleNeed("user"))
# only import the octoprint stuff down here, as it might depend on things defined above to be initialized already
from octoprint.server.util import LargeResponseHandler, ReverseProxied, restricted_access, PrinterStateConnection, admin_validator, UrlForwardHandler, user_validator, user_or_logout_validator
from astroprint.printer.manager import printerManager
from octoprint.settings import settings
import octoprint.util as util
import octoprint.events as events
import astroprint.users as users
from astroprint.software import softwareManager as swManager
from astroprint.boxrouter import boxrouterManager
from astroprint.network.manager import networkManager
from astroprint.camera import cameraManager
from flask_principal import Principal
from flask_login import current_user, user_loaded_from_request, user_logged_in
from flask_principal import Permission, RoleNeed, UserNeed, identity_loaded, identity_changed, Identity
from app import enums
from app.services.user_service import UserService
principal = Principal(use_sessions=False, skip_static=True)
admin_permission = Permission(RoleNeed(enums.Role.ADMIN))
@user_loaded_from_request.connect
def on_user_loaded(sender, user):
identity_changed.send(sender, identity=Identity(user.id))
@user_logged_in.connect
def on_user_logged_in(sender, user):
identity_changed.send(sender, identity=Identity(user.id))
@identity_loaded.connect
def on_identity_loaded(sender, identity):
# Set the identity user object
identity.user = current_user
# Add the UserNeed to the identity
if hasattr(current_user, 'id'):
identity.provides.add(UserNeed(current_user.id))
def user_role() -> RoleNeed:
return RoleNeed("user")
def test_role() -> RoleNeed:
return RoleNeed("test")
def admin_role() -> RoleNeed:
return RoleNeed("admin")
login_manager.session_protection = "strong"
login_manager.login_message = "Please login to access this page."
login_manager.login_message_category = "info"
@login_manager.user_loader
def user_loader(id):
from app.database.models import BlogUser
return BlogUser.query.filter_by(id=id).first()
# 角色权限
from flask_principal import Principal, Permission, RoleNeed
principal = Principal()
permission_admin = Permission(RoleNeed('admin'))
permission_poster = Permission(RoleNeed('poster'))
permission_default = Permission(RoleNeed('default'))
# 消息队列、异步任务
from flask_celery import Celery
celery = Celery()
# 邮件
from flask_mail import Mail
mail = Mail()
# 缓存
from flask_cache import Cache
cache = Cache()
#!/usr/bin/env python
# encoding: utf-8
"""
@author: zhanghe
@software: PyCharm
@file: permissions.py
@time: 2017/6/8 下午11:16
"""
from flask_principal import Permission, RoleNeed
# 模块列表
modules = [
u'会员',
u'订单',
u'留言',
u'系统',
u'权限',
u'统计',
]
# 模块权限
permission_user = Permission(RoleNeed(u'会员'))
permission_order = Permission(RoleNeed(u'订单'))
permission_msg = Permission(RoleNeed(u'留言'))
permission_sys = Permission(RoleNeed(u'系统'))
permission_admin = Permission(RoleNeed(u'权限'))
permission_stats = Permission(RoleNeed(u'统计'))
permission_other = Permission(RoleNeed(u'其它'))
def on_identity_loaded(sender, identity):
identity.user = current_user
if hasattr(current_user, "id"):
identity.provides.add(UserNeed(current_user.id))
identity.provides.add(RoleNeed("blogger"))
# -*- coding: utf-8 -*-
from flask_principal import Permission, RoleNeed
from flask import json, jsonify, request, Blueprint, flash
from flask_security import auth_token_required, http_auth_required, login_required, current_user
from ..models import db, Templates
from mongoengine.queryset import Q
temp_api = Blueprint('template_api',
__name__,
url_prefix='/api/pulse/templates')
# Create a permission with a single Need, in this case a RoleNeed.
admin_permission = Permission(RoleNeed('admin'))
editor_permission = Permission(RoleNeed('editor'))
@temp_api.route('', methods=['GET'])
@temp_api.route('/', methods=['GET'])
def get_templates_api():
if current_user.has_role('admin'):
templates = Templates.objects.all().order_by('-pub_date')
elif current_user.has_role('editor'):
templates = Templates.objects(
Q(status='public')
| Q(contributor=current_user.email)).order_by('-pub_date')
else:
templates = Templates.objects(Q(status='public')).order_by('-pub_date')
return jsonify({'result': templates})
def is_accessible(self):
permission = Permission(RoleNeed('super'))
return permission.can()
from flask_principal import Principal, Permission, RoleNeed
from redidropper.models.role_entity import \
ROLE_ADMIN, ROLE_TECHNICIAN, ROLE_RESEARCHER_ONE, ROLE_RESEARCHER_TWO
from redidropper.main import app
# @TODO: read https://pythonhosted.org/Flask-Security/api.html
# from flask_security import roles_accepted
# from flask_security import roles_required, auth_token_required
# from pages import ProjectRolePermission
# load the Principal extension
principals = Principal(app)
# define a permission
perm_admin = Permission(RoleNeed(ROLE_ADMIN))
perm_technician = Permission(RoleNeed(ROLE_TECHNICIAN))
perm_researcher_one = Permission(RoleNeed(ROLE_RESEARCHER_ONE))
perm_researcher_two = Permission(RoleNeed(ROLE_RESEARCHER_TWO))
perm_admin_or_technician = Permission(RoleNeed(ROLE_ADMIN),
RoleNeed(ROLE_TECHNICIAN))
@app.route('/admin')
@perm_admin.require()
def admin():
""" Render the technician's home page
from flask import abort
abort(403)
"""
return render_template('admin.html', user_links=get_user_links())
import bcrypt
from flask_login import LoginManager, UserMixin
from flask_principal import RoleNeed, Permission
from db import mongo
admin_role = RoleNeed('admin')
corrector_role = RoleNeed('corrector')
roles = {'admin': admin_role, 'editor': corrector_role}
admin_permission = Permission(admin_role)
edit_permission = Permission(corrector_role, admin_role)
login_manager = LoginManager()
class User(UserMixin):
def __init__(self, id, str_roles, retry_count):
self.id = id
self.str_roles = str_roles
self.roles = []
for r in str_roles:
self.roles.append(roles[r])
self.retry_count = retry_count
def check_pw(self, pw):
db_pw = mongo.db.users.find_one({'username': self.id})['password']
return bcrypt.hashpw(pw.encode('utf-8'), db_pw) == db_pw
def need_change_pw(self):
# -*- coding: utf8 -*-
from __future__ import unicode_literals
from collections import namedtuple
from functools import partial
from flask_principal import ActionNeed, RoleNeed, Permission
# 角色
MEMBER = 'MEMBER'
ADMIN = 'ADMIN'
ROLES = [(MEMBER, '用户'), (ADMIN, '系统管理员')]
member_permission = Permission(RoleNeed(MEMBER))
admin_permission = Permission(RoleNeed(ADMIN))
# edit = Permission(ActionNeed())
# 粗粒度的权限保护
# BlogPostNeed = namedtuple('blog_post', ['method', 'value'])
# EditBlogPostNeed = partial(BlogPostNeed, 'edit')
#
#
# class EditBlogPostPermission(Permission):
# def __init__(self, post_id):
# need = EditBlogPostNeed(unicode(post_id))
# super(EditBlogPostPermission, self).__init__(need)
# **usage:
# edit_blog_post_permission = EditBlogPostPermission(post_id)
# 1.接口中拥有编辑该篇文章的权限(接口内权限访问)
# with edit_blog_post_permission.require():
from flask_principal import Identity, AnonymousIdentity, identity_changed, RoleNeed, UserNeed, Permission
# String must not have spaces, as users can have multiple roles
# And this is accomplished by a space delimited string.
# For more information, see example data for MongoDB
_ADMIN_ROLE = "admin"
_EDITOR_ROLE = "editor"
_PEERLEADER_ROLE = "peer_leader"
_USER_ROLE = "user"
_ADMIN_NEED = RoleNeed(_ADMIN_ROLE)
_EDITOR_NEED = RoleNeed(_EDITOR_ROLE)
_PEERLEADER_NEED = RoleNeed(_PEERLEADER_ROLE)
_USER_NEED = RoleNeed(_USER_ROLE)
_ADMIN_PERM = Permission(_ADMIN_NEED)
_EDITOR_PERM = Permission(_ADMIN_NEED, _EDITOR_NEED)
_PEERLEADER_PERM = Permission(_ADMIN_NEED, _EDITOR_NEED, _PEERLEADER_NEED)
_USER_PERM = Permission(_ADMIN_NEED, _EDITOR_NEED, _PEERLEADER_NEED,
_USER_NEED)
def get_all_roles():
return [_ADMIN_ROLE, _EDITOR_ROLE, _PEERLEADER_ROLE, _USER_ROLE]
def has_admin():
return _ADMIN_PERM.can()
#! /usr/bin/env python
# -*- coding: utf-8 -*-
# Author:huchong
from flask_principal import Permission, RoleNeed, UserNeed, identity_loaded
from flask_login import current_user
# Create a permission with a single Need, in this case a RoleNeed.
admin_permission = Permission(RoleNeed('admin'))
editor_permission = Permission(RoleNeed('editor')).union(admin_permission)
reader_permission = Permission(RoleNeed('reader')).union(editor_permission)
# 用法:
# # protect a view with a principal for that need
# @app.route('/admin')
# @admin_permission.require()
# def do_admin_index():
# return Response('Only if you are an admin')
@identity_loaded.connect
def on_identity_loaded(sender, identity):
identity.user = current_user
if hasattr(current_user, 'username'):
identity.provides.add(UserNeed(current_user.username))
if hasattr(current_user, 'role'):
identity.provides.add(RoleNeed(current_user.role))
identity.allow_read = identity.can(reader_permission)
identity.allow_edit = editor_permission.allows(identity)
def test_invenio_access_permission_cache_roles_updates(
app,
dynamic_permission
):
"""Testing ActionRoles cache with inserts/updates/deletes."""
# This test case is doing the same of user test case but using roles.
cache = SimpleCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
# Creation of some data to test.
role_1 = Role(name='role_1')
role_2 = Role(name='role_2')
role_3 = Role(name='role_3')
role_4 = Role(name='role_4')
role_5 = Role(name='role_5')
role_6 = Role(name='role_6')
db.session.add(role_1)
db.session.add(role_2)
db.session.add(role_3)
db.session.add(role_4)
db.session.add(role_5)
db.session.add(role_6)
db.session.add(ActionRoles(action='open', role=role_1))
db.session.add(ActionRoles(action='write', role=role_4))
db.session.flush()
# Creation of identities to test.
identity_fake_role_1 = FakeIdentity(RoleNeed(role_1.name))
identity_fake_role_2 = FakeIdentity(RoleNeed(role_2.name))
identity_fake_role_3 = FakeIdentity(RoleNeed(role_3.name))
identity_fake_role_4 = FakeIdentity(RoleNeed(role_4.name))
identity_fake_role_5 = FakeIdentity(RoleNeed(role_5.name))
identity_fake_role_6 = FakeIdentity(RoleNeed(role_6.name))
# Test if role 1 can open. In this case, the cache should store only
# this object.
permission_open = dynamic_permission(ActionNeed('open'))
assert permission_open.allows(identity_fake_role_1)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name)]),
set([])
)
# Test if role 4 can write. In this case, the cache should have this
# new object and the previous one (Open is allowed to role_1)
permission_write = dynamic_permission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_4)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name)]),
set([])
)
# If we add a new role to the action open, the open action in cache
# should be removed but it should still containing the write entry.
db.session.add(ActionRoles(action='open', role=role_2))
db.session.flush()
assert current_access.get_action_cache('open') is None
permission_open = dynamic_permission(ActionNeed('open'))
assert permission_open.allows(identity_fake_role_2)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
# Test if the new role is added to the action 'open'
permission_write = dynamic_permission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_4)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
# If we update an action swapping a role, the cache containing the
# action, should be removed.
role_4_action_write = ActionRoles.query.filter(
ActionRoles.action == 'write' and
ActionRoles.role == role_4).first()
role_4_action_write.role = role_3
db.session.flush()
assert current_access.get_action_cache('write') is None
assert current_access.get_action_cache('open') is not None
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
# Test if the role_3 can write now.
permission_write = dynamic_permission(ActionNeed('write'))
assert not permission_write.allows(identity_fake_role_4)
permission_write = dynamic_permission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_3)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_3.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
# If we remove a role from an action, the cache should clear the
# action item.
role_3_action_write = ActionRoles.query.filter(
ActionRoles.action == 'write' and
ActionRoles.role == role_3).first()
db.session.delete(role_3_action_write)
db.session.flush()
assert current_access.get_action_cache('write') is None
# If no one is allowed to perform an action then everybody is allowed.
permission_write = dynamic_permission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_3)
assert current_access.get_action_cache('write') == (
set([]),
set([])
)
db.session.add(ActionRoles(action='write', role=role_5))
db.session.flush()
permission_write = dynamic_permission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_5)
permission_write = dynamic_permission(ActionNeed('write'))
assert not permission_write.allows(identity_fake_role_3)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_5.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
# If you update the name of an existing action, the previous action
# and the new action should be remove from cache.
permission_write = dynamic_permission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_5)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_5.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
role_5_action_write = ActionRoles.query.filter(
ActionRoles.action == 'write' and
ActionRoles.role == role_5).first()
role_5_action_write.action = 'open'
db.session.flush()
assert current_access.get_action_cache('write') is None
assert current_access.get_action_cache('open') is None
permission_open = dynamic_permission(ActionNeed('open'))
assert permission_open.allows(identity_fake_role_1)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name)]),
set([])
)
db.session.add(ActionRoles(action='write', role=role_4))
permission_write = dynamic_permission(ActionNeed('write'))
assert not permission_write.allows(identity_fake_role_5)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
db.session.add(ActionRoles(action='open', argument='1', role=role_6))
db.session.flush()
permission_open_1 = dynamic_permission(
ParameterizedActionNeed('open', '1'))
assert not permission_open.allows(identity_fake_role_6)
assert permission_open_1.allows(identity_fake_role_6)
assert current_access.get_action_cache('open::1') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name),
Need(method='role', value=role_6.name)]),
set([])
)
user_6_action_open_1 = ActionRoles.query.filter_by(
action='open', argument='1', role_id=role_6.id).first()
user_6_action_open_1.argument = '2'
db.session.flush()
assert current_access.get_action_cache('open::1') is None
assert current_access.get_action_cache('open::2') is None
permission_open_2 = dynamic_permission(
ParameterizedActionNeed('open', '2'))
assert permission_open_2.allows(identity_fake_role_6)
assert current_access.get_action_cache('open::2') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name),
Need(method='role', value=role_6.name)]),
set([])
)
# open action cache should remain as before
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name)]),
set([])
)
# coding=utf-8
from __future__ import absolute_import
from flask_principal import Permission, RoleNeed
admin_permission = Permission(RoleNeed('admin'))
normal_permission = Permission(RoleNeed('normal'))
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from flask_login import current_user
# from flask.ext.principal import Permission, RoleNeed, UserNeed, identity_loaded
# from flask.ext.login import current_user
from flask_principal import Permission, RoleNeed, UserNeed, identity_loaded
# admin_need = RoleNeed('admin')
# editor_need = RoleNeed('editor')
# writer_need = RoleNeed('writer')
# reader_need = RoleNeed('reader')
su_need = RoleNeed('su')
su_permission = Permission(su_need)
admin_permission = Permission(RoleNeed('admin')).union(su_permission)
editor_permission = Permission(RoleNeed('editor')).union(admin_permission)
writer_permission = Permission(RoleNeed('writer')).union(editor_permission)
reader_permission = Permission(RoleNeed('reader')).union(writer_permission)
@identity_loaded.connect # Both of this and the following works
# @identity_loaded.connect_via(current_app)
def on_identity_loaded(sender, identity):
# Set the identity user object
identity.user = current_user
# Add the UserNeed to the identity
if hasattr(current_user, 'username'):
identity.provides.add(UserNeed(current_user.username))
DEBUG=True,
SECRET_KEY=os.urandom(16).encode('base-64'),
SQLALCHEMY_DATABASE_URI='postgresql://*****:*****@localhost/mytest',
SQLALCHEMY_COMMIT_ON_TEARDOWN=True
)
app.debug = True
db = SQLAlchemy(app)
login_manager = LoginManager(app)
login_manager.login_view = 'login'
principals = Principal(app)
# Needs
be_admin = RoleNeed('admin')
be_user = RoleNeed('user')
app_needs = {
'admin': be_admin,
'user': be_user
}
admin_perm = Permission(be_admin)
admin_perm.description = "Admin's permissions"
user_perm = Permission(be_user)
user_perm.description = "User's permissions"
app_perms = [admin_perm, user_perm]
DEFAULT_ROLE = be_user
@identity_loaded.connect_via(app)
def on_identity_loaded(sender, identity):
logging.basicConfig(level=logging.DEBUG)
# -------------------------------------------------------------------------------------------------#
# Permission objects
# Permission types (dict)
PERM_TYPE = {
'self_admin': 'self-administrator',
'subgroups': 'create subgroups',
'courses': 'create courses'
}
# The list of permission tuples (for forms)
PERMISSION_LIST = list(perm_tuple for perm_tuple in PERM_TYPE.items())
# Create the permission with RoleNeeds.
role_permission = Permission(RoleNeed('Instructor'), RoleNeed('Mentor'),
RoleNeed('Teacher'), RoleNeed('TA'),
RoleNeed('TeachingAssistant'))
# -------------------------------------------------------------------------------------------------#
# Decorators for permission checking
def subgroup_create_perm(func):
"""
Check whether the current user can create a subgroup under a group.
Permission: 1.the user is a member of the ancestors of the group
OR
2. the group is the target group where subgroups can be created under.
"""
@wraps(func)
#
# You should have received a copy of the GNU General Public License
# along with Invenio; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307, USA.
#
# In applying this license, RERO does not
# waive the privileges and immunities granted to it by virtue of its status
# as an Intergovernmental Organization or submit itself to any jurisdiction.
"""Permission for this module."""
from flask_login import current_user
from flask_principal import RoleNeed
from invenio_access.permissions import DynamicPermission
record_edit_permission = DynamicPermission(RoleNeed('cataloguer'))
def cataloguer_permission_factory(record, *args, **kwargs):
"""User has editor role."""
return record_edit_permission
def can_edit(user=None):
"""User has editor role."""
if not user:
user = current_user
return user.is_authenticated and record_edit_permission.can()
from .models import User
from flask_login import current_user
from flask_principal import RoleNeed, UserNeed, Permission, identity_changed
def load_user(user_id):
return User.query.get(user_id)
@identity_changed.connect
def on_identity_loaded(sender, identity):
identity.user = current_user
if hasattr(current_user, 'id'):
identity.provides.add(UserNeed(current_user.id))
if getattr(current_user, 'is_admin', False):
identity.provides.add(RoleNeed('admin'))
admin_permission = Permission(RoleNeed('admin'))
def decorated_view(*args, **kwargs):
permissions = [Permission(RoleNeed(role)) for role in roles]
for p in permissions:
if not p.can():
return lm.unauthorized()
return fn(*args, **kwargs)
