Beispiel #1
0
    def _add_tenant_filter(self, query, model_class, all_tenants):
        """Filter by the tenant ID associated with `model_class` (either
        directly via a relationship with the tenants table, or via an
        ancestor who has such a relationship)
        """
        # Users/Groups etc. don't have tenants
        if not model_class.is_resource:
            return query

        # not used from a request handler - no relevant user
        if not has_request_context():
            return query

        # If a user that is allowed to get all the tenants in the system
        # passed the `all_tenants` flag, no need to filter
        if all_tenants_authorization() and all_tenants:
            return query

        if all_tenants:
            tenant_ids = [tenant.id for tenant in current_user.all_tenants]
        else:
            tenant_ids = [self.current_tenant.id]

        # Match any of the applicable tenant ids or if it's a global resource
        tenant_filter = sql_or(
            model_class.resource_availability == AvailabilityState.GLOBAL,
            model_class._tenant_id.in_(tenant_ids))
        return query.filter(tenant_filter)
Beispiel #2
0
    def _add_permissions_filter(query, model_class):
        """Filter by the users present in either the `viewers` or `owners`
        lists
        """
        # not used from a request handler - no relevant user
        if not has_request_context():
            return query

        # For users that are allowed to see all resources, regardless of tenant
        # Queries of elements that aren't resources (tenants, users, etc.),
        # shouldn't be filtered as well
        if not model_class.is_resource or all_tenants_authorization():
            return query

        # Only get resources that are public - not private (note that ~ stands
        # for NOT, in SQLA), *or* those where the current user is the creator
        user_filter = sql_or(
            model_class.resource_availability != AvailabilityState.PRIVATE,
            model_class.creator == current_user)
        return query.filter(user_filter)
    def _add_tenant_filter(self, query, model_class, all_tenants):
        """Filter by the tenant ID associated with `model_class` (either
        directly via a relationship with the tenants table, or via an
        ancestor who has such a relationship)
        """
        # Users/Groups etc. don't have tenants
        if not model_class.is_resource:
            return query

        # not used from a request handler - no relevant user
        if not has_request_context():
            return query

        current_tenant = self.current_tenant

        # If a user passed the `all_tenants` flag
        if all_tenants:
            # If a user that is allowed to get all the tenants in the system
            # no need to filter
            if all_tenants_authorization():
                return query
            # Filter by all the tenants the user is allowed to list in
            tenant_ids = [
                tenant.id for tenant in current_user.all_tenants
                if utils.tenant_specific_authorization(tenant,
                                                       model_class.__name__)
                ]
        else:
            # Specific tenant only
            tenant_ids = [current_tenant.id] if current_tenant else []

        # Match any of the applicable tenant ids or if it's a global resource
        tenant_filter = sql_or(
            model_class.visibility == VisibilityState.GLOBAL,
            model_class._tenant_id.in_(tenant_ids)
        )
        return query.filter(tenant_filter)
Beispiel #4
0
    def _add_tenant_filter(self, query, model_class, all_tenants):
        """Filter by the tenant ID associated with `model_class` (either
        directly via a relationship with the tenants table, or via an
        ancestor who has such a relationship)
        """
        # Users/Groups etc. don't have tenants
        if not model_class.is_resource:
            return query

        # not used from a request handler - no relevant user
        if not has_request_context():
            return query

        current_tenant = self.current_tenant

        # If a user passed the `all_tenants` flag
        if all_tenants:
            # If a user that is allowed to get all the tenants in the system
            # no need to filter
            if all_tenants_authorization():
                return query
            # Filter by all the tenants the user is allowed to list in
            tenant_ids = [
                tenant.id for tenant in current_user.all_tenants
                if utils.tenant_specific_authorization(tenant,
                                                       model_class.__name__)
                ]
        else:
            # Specific tenant only
            tenant_ids = [current_tenant.id] if current_tenant else []

        # Match any of the applicable tenant ids or if it's a global resource
        tenant_filter = sql_or(
            model_class.visibility == VisibilityState.GLOBAL,
            model_class._tenant_id.in_(tenant_ids)
        )
        return query.filter(tenant_filter)