Beispiel #1
0
    def has_perm(self, user_obj, perm, obj=None):
        '''
        main method, calls other methods based on permission type queried
        '''
        if not user_obj.is_authenticated():
            allowed_tokens = getattr(user_obj, 'allowed_tokens', [])
            user_obj = AnonymousUser()
            user_obj.allowed_tokens = allowed_tokens

        if obj is None:
            return False

        try:
            perm_label, perm_type = perm.split('.')
            perm_action, perm_ct = perm_type.split('_')
        except:
            return False

        if perm_label != self.app_label:
            return False

        ct = ContentType.objects.get_for_model(obj)
        if ct.name != perm_ct:
            return False

        method_name = '_has_%s_perm' % perm_action

        # run any custom perms per model, continue if not None
        # allows complete overriding of standard authorisation, eg for public
        # experiments
        model_spec_perm = getattr(obj, method_name,
                                  lambda *args, **kwargs: None)(user_obj)
        if type(model_spec_perm) == bool:
            return model_spec_perm

        #get_acls
        obj_acls = ObjectACL.objects.filter(
            content_type=ct, object_id=obj.id).filter(
                self.get_perm_bool(perm_action)).filter(
                    ObjectACL.get_effective_query())

        query = Q(pluginId='django_user',
                  entityId=str(user_obj.id))

        if user_obj.is_authenticated():
            for name, group in user_obj.get_profile().ext_groups:
                query |= Q(pluginId=name, entityId=str(group))
        else:
            # the only authorisation available for anonymous users is tokenauth
            tgp = TokenGroupProvider()
            for name, group in tgp.getGroups(user_obj):
                query |= Q(pluginId=name, entityId=str(group))

        return obj_acls.filter(query).count() > 0
Beispiel #2
0
    def _query_shared(self, user):
        '''
        get all shared experiments, not owned ones
        '''
        # if the user is not authenticated, only tokens apply
        # this is almost duplicate code of end of has_perm in authorisation.py
        # should be refactored, but cannot think of good way atm
        if not user.is_authenticated():
            from tardis.tardis_portal.auth.token_auth import TokenGroupProvider
            query = Q(id=None)
            tgp = TokenGroupProvider()
            for group in tgp.getGroups(user):
                query |= Q(objectacls__pluginId=tgp.name,
                           objectacls__entityId=str(group),
                           objectacls__canRead=True) &\
                    (Q(objectacls__effectiveDate__lte=datetime.today())
                     | Q(objectacls__effectiveDate__isnull=True)) &\
                    (Q(objectacls__expiryDate__gte=datetime.today())
                     | Q(objectacls__expiryDate__isnull=True))
            return query

        # for which experiments does the user have read access
        # based on USER permissions?
        query = Q(objectacls__pluginId=django_user,
                  objectacls__entityId=str(user.id),
                  objectacls__canRead=True,
                  objectacls__isOwner=False) &\
            (Q(objectacls__effectiveDate__lte=datetime.today())
             | Q(objectacls__effectiveDate__isnull=True)) &\
            (Q(objectacls__expiryDate__gte=datetime.today())
             | Q(objectacls__expiryDate__isnull=True))

        # for which does experiments does the user have read access
        # based on GROUP permissions
        for name, group in user.userprofile.ext_groups:
            query |= Q(objectacls__pluginId=name,
                       objectacls__entityId=str(group),
                       objectacls__canRead=True) &\
                (Q(objectacls__effectiveDate__lte=datetime.today())
                 | Q(objectacls__effectiveDate__isnull=True)) &\
                (Q(objectacls__expiryDate__gte=datetime.today())
                 | Q(objectacls__expiryDate__isnull=True))
        return query
    def _query_shared(self, user):
        '''
        get all shared experiments, not owned ones
        '''
        # if the user is not authenticated, only tokens apply
        # this is almost duplicate code of end of has_perm in authorisation.py
        # should be refactored, but cannot think of good way atm
        if not user.is_authenticated():
            from tardis.tardis_portal.auth.token_auth import TokenGroupProvider
            query = Q(id=None)
            tgp = TokenGroupProvider()
            for group in tgp.getGroups(user):
                query |= Q(objectacls__pluginId=tgp.name,
                           objectacls__entityId=str(group),
                           objectacls__canRead=True) &\
                    (Q(objectacls__effectiveDate__lte=datetime.today())
                     | Q(objectacls__effectiveDate__isnull=True)) &\
                    (Q(objectacls__expiryDate__gte=datetime.today())
                     | Q(objectacls__expiryDate__isnull=True))
            return query

        # for which experiments does the user have read access
        # based on USER permissions?
        query = Q(objectacls__pluginId=django_user,
                  objectacls__entityId=str(user.id),
                  objectacls__canRead=True,
                  objectacls__isOwner=False) &\
            (Q(objectacls__effectiveDate__lte=datetime.today())
             | Q(objectacls__effectiveDate__isnull=True)) &\
            (Q(objectacls__expiryDate__gte=datetime.today())
             | Q(objectacls__expiryDate__isnull=True))

        # for which does experiments does the user have read access
        # based on GROUP permissions
        for name, group in user.userprofile.ext_groups:
            query |= Q(objectacls__pluginId=name,
                       objectacls__entityId=str(group),
                       objectacls__canRead=True) &\
                (Q(objectacls__effectiveDate__lte=datetime.today())
                 | Q(objectacls__effectiveDate__isnull=True)) &\
                (Q(objectacls__expiryDate__gte=datetime.today())
                 | Q(objectacls__expiryDate__isnull=True))
        return query
Beispiel #4
0
    def has_perm(self, user_obj, perm, obj=None):
        '''
        main method, calls other methods based on permission type queried
        '''
        if not user_obj.is_authenticated():
            allowed_tokens = getattr(user_obj, 'allowed_tokens', [])
            user_obj = AnonymousUser()
            user_obj.allowed_tokens = allowed_tokens

        if obj is None:
            return False

        try:
            perm_label, perm_type = perm.split('.')
            # the following is necessary because of the ridiculous naming
            # of 'Dataset_File'......
            type_list = perm_type.split('_')
            perm_action = type_list[0]
            perm_ct = '_'.join(type_list[1:])
        except:
            return False

        if perm_label != self.app_label:
            return False

        ct = ContentType.objects.get_for_model(obj)
        if ct.model != perm_ct:
            return False

        method_name = '_has_%s_perm' % perm_action

        # run any custom perms per model, continue if not None
        # allows complete overriding of standard authorisation, eg for public
        # experiments
        model_spec_perm = getattr(obj, method_name,
                                  lambda *args, **kwargs: None)(user_obj)
        if type(model_spec_perm) == bool:
            return model_spec_perm
        elif model_spec_perm is not None:
            # pass auth to a different object, if False try this ACL
            # works when returned object is parent.
            # makes it impossible to 'hide' child objects
            if type(model_spec_perm) not in (list, set, QuerySet):
                model_spec_perm = [model_spec_perm]
            for msp in model_spec_perm:
                new_ct = ContentType.objects.get_for_model(msp)
                new_perm = '%s.%s_%s' % (perm_label, perm_action, new_ct)
                if user_obj.has_perm(new_perm, msp):
                    return True

        #get_acls
        obj_acls = ObjectACL.objects\
            .filter(content_type=ct, object_id=obj.id)\
            .filter(self.get_perm_bool(perm_action))\
            .filter(ObjectACL.get_effective_query())

        query = Q(pluginId='django_user',
                  entityId=str(user_obj.id))

        if user_obj.is_authenticated():
            for name, group in user_obj.get_profile().ext_groups:
                query |= Q(pluginId=name, entityId=str(group))
        else:
            # the only authorisation available for anonymous users is tokenauth
            tgp = TokenGroupProvider()
            for group in tgp.getGroups(user_obj):
                query |= Q(pluginId=tgp.name, entityId=str(group))

        return obj_acls.filter(query).count() > 0
Beispiel #5
0
    def has_perm(self, user_obj, perm, obj=None):
        '''
        main method, calls other methods based on permission type queried
        '''
        if not user_obj.is_authenticated():
            allowed_tokens = getattr(user_obj, 'allowed_tokens', [])
            user_obj = AnonymousUser()
            user_obj.allowed_tokens = allowed_tokens

        if obj is None:
            return False

        try:
            perm_label, perm_type = perm.split('.')
            # the following is necessary because of the ridiculous naming
            # of 'Dataset_File'......
            type_list = perm_type.split('_')
            perm_action = type_list[0]
            perm_ct = '_'.join(type_list[1:])
        except:
            return False

        if perm_label != self.app_label:
            return False

        ct = ContentType.objects.get_for_model(obj)
        if ct.model != perm_ct:
            return False

        method_name = '_has_%s_perm' % perm_action

        # run any custom perms per model, continue if not None
        # allows complete overriding of standard authorisation, eg for public
        # experiments
        model_spec_perm = getattr(obj, method_name,
                                  lambda *args, **kwargs: None)(user_obj)
        if type(model_spec_perm) == bool:
            return model_spec_perm
        elif model_spec_perm is not None:
            # pass auth to a different object, if False try this ACL
            # works when returned object is parent.
            # makes it impossible to 'hide' child objects
            if type(model_spec_perm) not in (list, set, QuerySet):
                model_spec_perm = [model_spec_perm]
            for msp in model_spec_perm:
                new_ct = ContentType.objects.get_for_model(msp)
                new_perm = '%s.%s_%s' % (perm_label, perm_action, new_ct)
                if user_obj.has_perm(new_perm, msp):
                    return True

        #get_acls
        obj_acls = ObjectACL.objects\
            .filter(content_type=ct, object_id=obj.id)\
            .filter(self.get_perm_bool(perm_action))\
            .filter(ObjectACL.get_effective_query())

        query = Q(pluginId='django_user', entityId=str(user_obj.id))

        if user_obj.is_authenticated():
            for name, group in user_obj.get_profile().ext_groups:
                query |= Q(pluginId=name, entityId=str(group))
        else:
            # the only authorisation available for anonymous users is tokenauth
            tgp = TokenGroupProvider()
            for group in tgp.getGroups(user_obj):
                query |= Q(pluginId=tgp.name, entityId=str(group))

        return obj_acls.filter(query).count() > 0