def _allowed(self, request, datum):
policy_check = utils_settings.import_setting("POLICY_CHECK_FUNCTION")
if policy_check and self.policy_rules:
target = self.get_policy_target(request, datum)
return (policy_check(self.policy_rules, request, target) and
self.allowed(request, datum))
return self.allowed(request, datum)
def _allowed(self, request, datum):
policy_check = utils_settings.import_setting("POLICY_CHECK_FUNCTION")
if policy_check and self.policy_rules:
target = self.get_policy_target(request, datum)
return (policy_check(self.policy_rules, request, target)
and self.allowed(request, datum))
return self.allowed(request, datum)
def check(actions, request, target=None):
"""Wrapper of the configurable policy method."""
policy_check = utils_settings.import_setting("POLICY_CHECK_FUNCTION")
if policy_check:
return policy_check(actions, request, target)
return True
def _has_permission(self, policy):
has_permission = True
# policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
policy_check = utils_settings.import_setting("POLICY_CHECK_FUNCTION")
if policy_check:
has_permission = policy_check(policy, self.request)
return has_permission
def policy_check(policy_rules, request):
_policy_check = utils_settings.import_setting("POLICY_CHECK_FUNCTION")
if _policy_check and policy_rules:
for rule in policy_rules:
rule_param = rule
if not any(isinstance(r, (list, tuple)) for r in rule):
rule_param = (rule, )
if _policy_check(rule_param, request):
return True
return False
return True
def allowed(self, request):
"""Determines whether or not the tab is displayed.
Tab instances can override this method to specify conditions under
which this tab should not be shown at all by returning ``False``.
"""
if not self.policy_rules:
return True
policy_check = utils_settings.import_setting("POLICY_CHECK_FUNCTION")
if policy_check:
return policy_check(self.policy_rules, request)
return True
class Admin(horizon.Dashboard):
name = _("Admin")
slug = "admin"
if utils_settings.import_setting("POLICY_CHECK_FUNCTION"):
policy_rules = (
('identity', 'admin_required'),
('image', 'context_is_admin'),
('volume', 'context_is_admin'),
('compute', 'context_is_admin'),
('network', 'context_is_admin'),
)
else:
permissions = (tuple(utils.get_admin_permissions()), )
def _can_access(self, request):
policy_check = utils_settings.import_setting("POLICY_CHECK_FUNCTION")#导入权限检查函数
# this check is an OR check rather than an AND check that is the
# default in the policy engine, so calling each rule individually在策略引擎中默认,所以单独调用每个规则
if policy_check and self.policy_rules:
for rule in self.policy_rules:
rule_param = rule
if not any(isinstance(r, (list, tuple)) for r in rule):#从rule取出所有的元素r,然后判断是不是一个列表或者元组,any为真的情况为非空
rule_param = (rule,)
if policy_check(rule_param, request):
return True#若存在权限,则返回true
return False
# default to allowed
return True#默认返回true
def _can_access(self, request):
policy_check = utils_settings.import_setting("POLICY_CHECK_FUNCTION")
# this check is an OR check rather than an AND check that is the
# default in the policy engine, so calling each rule individually
if policy_check and self.policy_rules:
for rule in self.policy_rules:
rule_param = rule
if not any(isinstance(r, (list, tuple)) for r in rule):
rule_param = (rule, )
if policy_check(rule_param, request):
return True
return False
# default to allowed
return True
def _can_access(self, request):
policy_check = utils_settings.import_setting("POLICY_CHECK_FUNCTION")
# this check is an OR check rather than an AND check that is the
# default in the policy engine, so calling each rule individually
if policy_check and self.policy_rules:
for rule in self.policy_rules:
rule_param = rule
if not any(isinstance(r, (list, tuple)) for r in rule):
rule_param = (rule,)
if policy_check(rule_param, request):
return True
return False
# default to allowed
return True