Beispiel #1
def dataset_new_object(request, app, data):
    """Return the default attribute values for a servertype.

    The servertype is read from the ``servertype`` query parameter of the
    request.  ``app`` and ``data`` are accepted but not used by this function.

    Raises SuspiciousOperation when the query parameter is missing.
    """
    try:
        requested_servertype = request.GET['servertype']
    except KeyError as missing_parameter:
        # A request without the parameter is reported as a suspicious
        # operation instead of leaking a bare KeyError to the caller.
        raise SuspiciousOperation(missing_parameter)
    else:
        # NOTE(review): the value is client-supplied and forwarded as-is.
        # Any validation of the servertype has to happen inside
        # get_default_attribute_values(), which is not visible here - confirm.
        defaults = get_default_attribute_values(requested_servertype)

    return {'result': defaults}
def _acl_violations(changed_objects, obj, acl):
    """Collect the reasons why one ACL does not permit the changes to obj.

    Two checks run in order:

    1. Applicability: every filter returned by acl.get_filters() must match
       the corresponding attribute of obj.  The attribute is read with
       obj.get(), so an attribute missing from obj reaches the filter as
       None.  If any filter fails, those violations are returned right away
       and the attribute check below is skipped.
    2. Attribute whitelist: every attribute of obj whose value differs from
       the baseline must be listed in acl.get_permissible_attribute_ids().

    The baseline is changed_objects[obj['object_id']] when that key exists
    (an existing object), otherwise the servertype defaults returned by
    get_default_attribute_values() (a new object).

    A non-empty result only says that this particular ACL does not cover the
    change; the caller may still find another ACL that does.  The
    _access_control() docstring describes the wider context.

    Returns a list of human readable violation messages, or None when the
    ACL covers the change.
    """
    # Pass 1: is this ACL applicable to the object at all?
    filter_failures = [
        'Object is not covered by ACL "{}", Attribute "{}" '
        'does not match the filter "{}".'.format(acl, attr_id, attr_filter)
        for attr_id, attr_filter in acl.get_filters().items()
        if not attr_filter.matches(obj.get(attr_id))
    ]
    if filter_failures:
        return filter_failures

    # Pick the state to diff against: the recorded old object for existing
    # objects, the servertype defaults for new ones.
    object_id = obj['object_id']
    if object_id in changed_objects:
        baseline = changed_objects[object_id]
    else:
        baseline = get_default_attribute_values(obj['servertype'])

    permitted_ids = acl.get_permissible_attribute_ids()

    # Pass 2: every modified attribute has to be on the ACL's whitelist.
    # Only keys present in obj are compared; attributes that exist only in
    # the baseline are not examined here.
    denied_changes = []
    for attr_id, new_value in obj.items():
        if attr_id in permitted_ids:
            continue
        # Plain subscript on the baseline: a non-whitelisted attribute that
        # the baseline lacks raises KeyError rather than being reported
        # (assuming the baseline behaves like a dict - confirm).
        if new_value != baseline[attr_id]:
            denied_changes.append(
                'Change is not covered by ACL "{}", Attribute "{}" was '
                'modified despite not beeing whitelisted.'.format(
                    acl, attr_id))

    return denied_changes if denied_changes else None
Beispiel #3
def _can_access_server(changed_objects, new_object, acl):
    """Tell whether one ACL permits the change described by new_object.

    The ACL permits the change when both conditions hold:

    * every filter from acl.get_filters() matches the corresponding
      attribute of new_object (read with .get(), so a missing attribute is
      passed to the filter as None), and
    * every attribute of new_object either has its id among the primary keys
      of acl.attributes.all() or is unchanged compared to the baseline.

    The baseline is changed_objects[new_object['object_id']] when present,
    otherwise the defaults from get_default_attribute_values() for the
    object's servertype.

    Returns True when the ACL permits the change, False otherwise.
    """
    # The ACL must be applicable to the object before anything else counts.
    for attribute_id, attribute_filter in acl.get_filters().items():
        if not attribute_filter.matches(new_object.get(attribute_id)):
            return False

    object_id = new_object['object_id']
    if object_id in changed_objects:
        baseline = changed_objects[object_id]
    else:
        baseline = get_default_attribute_values(new_object['servertype'])

    permitted_ids = {attribute.pk for attribute in acl.attributes.all()}

    # Only keys present in new_object are inspected.  The baseline lookup is
    # a plain subscript and is reached only for non-whitelisted attributes.
    for attribute_id, value in new_object.items():
        if attribute_id in permitted_ids:
            continue
        if value == baseline[attribute_id]:
            continue
        return False

    return True
Beispiel #4
 def _fetch_new_object(self, servertype):
     """Build a DatasetObject from the default attribute values of servertype."""
     # The defaults come from get_default_attribute_values(); servertype is
     # passed through unchanged.
     default_values = get_default_attribute_values(servertype)
     return DatasetObject(default_values)