def default_validators(item, context):
"""
Check role and permission
role and permission check result will be cached in context dict
"""
from uliweb import functions, request
roles = item.get('roles', [])
perms = item.get('permissions', [])
if roles or perms:
if roles:
con_roles = context.setdefault('roles', {})
for x in roles:
if x in con_roles:
flag = con_roles[x]
else:
flag = functions.has_role(request.user, x)
con_roles[x] = flag
if flag:
return flag
if perms:
con_perms = context.setdefault('permissions', {})
for x in perms:
if x in con_perms:
flag = con_perms[x]
else:
flag = functions.has_permission(request.user, x)
con_perms[x] = flag
if flag:
return flag
else:
return True
def default_validators(item, context):
"""
Check role and permission
role and permission check result will be cached in context dict
"""
from uliweb import functions, request
roles = item.get('roles', [])
perms = item.get('permissions', [])
if roles or perms:
if roles:
con_roles = context.setdefault('roles', {})
for x in roles:
if x in con_roles:
flag = con_roles[x]
else:
flag = functions.has_role(request.user, x)
con_roles[x] = flag
if flag:
return flag
if perms:
con_perms = context.setdefault('permissions', {})
for x in perms:
if x in con_perms:
flag = con_perms[x]
else:
flag = functions.has_permission(request.user, x)
con_perms[x] = flag
if flag:
return flag
else:
return True
def has_deliver_permission(self, task, user):
from uliweb import settings
from uliweb import functions
maps = settings.get_var("WORKFLOW/TASK_PERMISSION_MAP")
key = "%s.%s" % (self._workflow.get_spec_name(), task.get_name())
if key in maps:
for perm in maps[key]:
if functions.has_permission(user, perm):
return True
return False
def _f(_m):
menus = []
for row in _m:
if row.get('permissions'):
if functions.has_permission(user, row['permissions']):
menus.append(row)
else:
menus.append(row)
if row.get('subs'):
row['subs'] = _f(row['subs'])
return menus
def _check_GET_permission(self):
GET = self.setting.get("GET")
if not GET:
raise UliwebError("'%s' not accessible by apijson" % (self.name))
roles = GET.get("roles")
params_role = self.params.get("@role")
user = getattr(request, "user", None)
if roles:
if not params_role:
if user:
params_role = "LOGIN"
else:
params_role = "UNKNOWN"
elif params_role != "UNKNOWN":
if not user:
raise UliwebError("no login user for role '%s'" %
(params_role))
if params_role not in roles:
raise UliwebError("'%s' not accessible by role '%s'" %
(self.name, params_role))
if params_role == "UNKNOWN":
self.permission_check_ok = True
elif functions.has_role(user, params_role):
self.permission_check_ok = True
else:
raise UliwebError("user doesn't have role '%s'" %
(params_role))
if not self.permission_check_ok:
perms = GET.get("permissions")
if perms:
if params_role:
role, msg = functions.has_permission_as_role(
user, params_role, *perms)
if role:
self.permission_check_ok = True
else:
role = functions.has_permission(user, *perms)
if role:
role_name = getattr(role, "name")
if role_name:
self.permission_check_ok = True
params_role = role_name
if not self.permission_check_ok:
raise UliwebError("no permission")
self.params_role = params_role
def get_task_spec_names(self, user):
from uliweb import request
spec_names = request.session.get("_task_spec_names_")
if spec_names:
return spec_names
else:
spec_names = []
from uliweb import settings
from uliweb import functions
maps = settings.get_var("WORKFLOW/TASK_PERMISSION_MAP")
for key in maps:
wf_spec_name, task_spec_name = key.split(".")
for perm in maps[key]:
if functions.has_permission(user, perm):
spec_names.append(task_spec_name)
request.session.setdefault("_task_spec_names_", spec_names)
return spec_names
def index():
if functions.has_permission(request.user, settings.TRANSFER.PERMISSION):
return redirect('/transfer')
else:
error(_('You do not have transfer permission'))
def _get_one(self, key):
modelname = key
params = self.request_data[key]
try:
model = getattr(models, modelname)
model_setting = settings.APIJSON_MODELS.get(modelname, {})
except ModelNotFound as e:
log.error("try to find model '%s' but not found: '%s'" %
(modelname, e))
return json({
"code": 400,
"msg": "model '%s' not found" % (modelname)
})
model_column_set = None
q = model.all()
#rbac check begin
GET = model_setting.get("GET", {})
if not GET:
return json({
"code": 401,
"msg": "'%s' not accessible by apijson" % (modelname)
})
roles = GET.get("roles")
perms = GET.get("perms")
params_role = params.get("@role")
permission_check_ok = False
user_role = None
if params_role:
if params_role not in roles:
return json({
"code":
401,
"msg":
"'%s' not accessible by role '%s'" %
(modelname, params_role)
})
if functions.has_role(request.user, params_role):
permission_check_ok = True
user_role = params_role
else:
return json({
"code":
401,
"msg":
"user doesn't have role '%s'" % (params_role)
})
if not permission_check_ok and roles:
for role in roles:
if functions.has_role(request.user, role):
permission_check_ok = True
user_role = role
break
if not permission_check_ok and perms:
for perm in perms:
if functions.has_permission(request.user, perm):
permission_check_ok = True
break
if not permission_check_ok:
return json({"code": 401, "msg": "no permission"})
#rbac check end
filtered = False
if user_role == "OWNER":
owner_filtered, q = self._filter_owner(model, model_setting, q)
if not owner_filtered:
return json({
"code":
401,
"msg":
"'%s' cannot filter with owner" % (modelname)
})
filtered = True
params = self.request_data[key]
if isinstance(params, dict):
for n in params:
if n[0] == "@":
if n == "@column":
model_column_set = set(params[n].split(","))
elif hasattr(model, n):
q = q.filter(getattr(model.c, n) == params[n])
filtered = True
else:
return json({
"code":
400,
"msg":
"'%s' have no attribute '%s'" % (modelname, n)
})
#default filter is trying to filter with owner
if not filtered and request.user:
owner_filtered, q = self._filter_owner(model, model_setting, q)
o = q.one()
if o:
o = o.to_dict()
secret_fields = model_setting.get("secret_fields")
if secret_fields:
for k in secret_fields:
del o[k]
if model_column_set:
keys = list(o.keys())
for k in keys:
if k not in model_column_set:
del o[k]
self.rdict[key] = o
def _get_array(self, key):
params = self.request_data[key]
query_count = None
query_page = None
modelname = None
model_param = None
model_column_set = None
for n in params:
if n[0] == "@":
if not query_count and n == "@count":
try:
query_count = int(params[n])
except ValueError as e:
log.error("bad param in '%s': '%s'" % (n, params))
return json({
"code":
400,
"msg":
"@count should be an int, now '%s'" % (params[n])
})
if query_count <= 0:
return json({
"code":
400,
"msg":
"count should >0, now is '%s' " % (query_count)
})
elif not query_page and n == "@page":
#@page begin from 0
try:
query_page = int(params[n])
except ValueError as e:
log.error("bad param in '%s': '%s'" % (n, params))
return json({
"code":
400,
"msg":
"@page should be an int, now '%s'" % (params[n])
})
if query_page < 0:
return json({
"code":
400,
"msg":
"page should >0, now is '%s' " % (query_page)
})
# TODO: support join in the future, now only support 1 model
elif not modelname:
modelname = n
if not modelname:
return json({"code": 400, "msg": "no model found in array query"})
#model settings
model_setting = settings.APIJSON_MODELS.get(modelname, {})
secret_fields = model_setting.get("secret_fields")
#model params
#column
model_param = params[n]
model_column = model_param.get("@column")
if model_column:
model_column_set = set(model_column.split(","))
try:
model = getattr(models, modelname)
except ModelNotFound as e:
log.error("try to find model '%s' but not found: '%s'" %
(modelname, e))
return json({
"code": 400,
"msg": "model '%s' not found" % (modelname)
})
#order
model_order = model_param.get("@order")
q = model.all()
#rbac check begin
GET = model_setting.get("GET", {})
if not GET:
return json({
"code": 401,
"msg": "'%s' not accessible by apijson" % (modelname)
})
roles = GET.get("roles")
perms = GET.get("perms")
params_role = params.get("@role")
permission_check_ok = False
user_role = None
if params_role:
if params_role not in roles:
return json({
"code":
401,
"msg":
"'%s' not accessible by role '%s'" %
(modelname, params_role)
})
if functions.has_role(request.user, params_role):
permission_check_ok = True
user_role = params_role
else:
return json({
"code":
401,
"msg":
"user doesn't have role '%s'" % (params_role)
})
if not permission_check_ok and roles:
for role in roles:
if functions.has_role(request.user, role):
permission_check_ok = True
user_role = role
break
if not permission_check_ok and perms:
for perm in perms:
if functions.has_permission(request.user, perm):
permission_check_ok = True
break
if not permission_check_ok:
return json({"code": 401, "msg": "no permission"})
#rbac check end
if user_role == "OWNER":
owner_filtered, q = self._filter_owner(model, model_setting, q)
if not owner_filtered:
return json({
"code":
401,
"msg":
"'%s' cannot filter with owner" % (modelname)
})
if query_count:
if query_page:
q = q.offset(query_page * query_count)
q = q.limit(query_count)
if model_order:
for k in model_order.split(","):
if k[-1] == "+":
sort_key = k[:-1]
sort_order = "asc"
elif k[-1] == "-":
sort_key = k[:-1]
sort_order = "desc"
else:
sort_key = k
sort_order = "asc"
column = getattr(model.c, sort_key)
q = q.order_by(getattr(column, sort_order)())
def _get_info(i):
d = i.to_dict()
if secret_fields:
for k in secret_fields:
del d[k]
if model_column_set:
keys = list(d.keys())
for k in keys:
if k not in model_column_set:
del d[k]
return d
l = [_get_info(i) for i in q]
self.rdict[key] = l
def linci_artifact_has_permission(perm):
return bool(functions.has_permission(request.user,perm))
def _head(self, key):
model_name = key
params = self.request_data[key]
params_role = params.get("@role")
try:
model = getattr(models, model_name)
model_setting = settings.APIJSON_MODELS.get(model_name, {})
except ModelNotFound as e:
log.error("try to find model '%s' but not found: '%s'" %
(model_name, e))
return json({
"code": 400,
"msg": "model '%s' not found" % (model_name)
})
q = model.all()
HEAD = model_setting.get("HEAD")
if not HEAD:
return json({
"code": 400,
"msg": "'%s' not accessible" % (model_name)
})
roles = HEAD.get("roles")
permission_check_ok = False
user = getattr(request, "user", None)
if roles:
if not params_role:
params_role = "LOGIN" if user else "UNKNOWN"
if params_role not in roles:
return json({
"code":
400,
"msg":
"role '%s' not have permission HEAD for '%s'" %
(params_role, model_name)
})
if functions.has_role(user, params_role):
permission_check_ok = True
else:
return json({
"code":
400,
"msg":
"user doesn't have role '%s'" % (params_role)
})
else:
perms = HEAD.get("permissions")
if perms:
if params_role:
role, msg = functions.has_permission_as_role(
user, params_role, *perms)
if role:
permission_check_ok = True
else:
role = functions.has_permission(user, *perms)
if role:
role_name = getattr(role, "name")
if role_name:
permission_check_ok = True
params_role = role_name
#current implementation won't run here, but keep for safe
if not permission_check_ok:
return json({"code": 400, "msg": "no permission"})
if params_role == "OWNER":
owner_filtered, q = self._filter_owner(model, model_setting, q)
if not owner_filtered:
return json({
"code":
400,
"msg":
"'%s' cannot filter with owner" % (model_name)
})
for n in params:
if n[0] == "@":
pass
else:
param = params[n]
if not hasattr(model.c, n):
return json({
"code":
400,
"msg":
"'%s' don't have field '%s'" % (model_name, n)
})
q = q.filter(getattr(model.c, n) == param)
rdict = {
"code": 200,
"msg": "success",
"count": q.count(),
}
self.rdict[key] = rdict
def _get_one(self, key):
model_name = key
params = self.request_data[key]
params_role = params.get("@role")
try:
model = getattr(models, model_name)
model_setting = settings.APIJSON_MODELS.get(model_name, {})
except ModelNotFound as e:
log.error("try to find model '%s' but not found: '%s'" %
(model_name, e))
return json({
"code": 400,
"msg": "model '%s' not found" % (model_name)
})
model_column_set = None
q = model.all()
GET = model_setting.get("GET")
if not GET:
return json({
"code": 400,
"msg": "'%s' not accessible" % (model_name)
})
user = getattr(request, "user", None)
roles = GET.get("roles")
permission_check_ok = False
if roles:
if not params_role:
params_role = "LOGIN" if user else "UNKNOWN"
elif params_role != "UNKNOWN":
if not user:
return json({
"code":
400,
"msg":
"no login user for role '%s'" % (params_role)
})
if params_role not in roles:
return json({
"code":
400,
"msg":
"'%s' not accessible by role '%s'" %
(model_name, params_role)
})
if params_role == "UNKNOWN":
permission_check_ok = True
elif functions.has_role(user, params_role):
permission_check_ok = True
else:
return json({
"code": 400,
"msg": "user doesn't has role '%s'" % (params_role)
})
if not permission_check_ok:
perms = GET.get("permissions")
if perms:
if params_role:
role, msg = functions.has_permission_as_role(
user, params_role, *perms)
if role:
permission_check_ok = True
else:
role = functions.has_permission(user, *perms)
if role:
role_name = getattr(role, "name")
if role_name:
permission_check_ok = True
params_role = role_name
if not permission_check_ok:
return json({
"code": 400,
"msg": "no permission to access the data"
})
if params_role == "OWNER":
owner_filtered, q = self._filter_owner(model, model_setting, q)
if not owner_filtered:
return json({
"code":
400,
"msg":
"'%s' cannot filter with owner" % (model_name)
})
params = self.request_data[key]
if isinstance(params, dict):
#update reference,example: {"id@": "moment/user_id"} -> {"id": 2}
ref_fields = []
refs = {}
for n in params:
if n[-1] == "@":
ref_fields.append(n)
col_name = n[:-1]
path = params[n]
refs[col_name] = self._ref_get(path, context=self.rdict)
for i in ref_fields:
del params[i]
params.update(refs)
for n in params:
if n[0] == "@":
if n == "@column":
model_column_set = set(params[n].split(","))
elif hasattr(model, n):
q = q.filter(getattr(model.c, n) == params[n])
else:
return json({
"code":
400,
"msg":
"'%s' have no attribute '%s'" % (model_name, n)
})
o = q.one()
if o:
o = o.to_dict()
secret_fields = model_setting.get("secret_fields")
if secret_fields:
for k in secret_fields:
del o[k]
if model_column_set:
keys = list(o.keys())
for k in keys:
if k not in model_column_set:
del o[k]
self.rdict[key] = o
def index():
if functions.has_permission(request.user, settings.TRANSFER.PERMISSION):
return redirect('/transfer')
else:
error(_('You do not have transfer permission'))
def linci_artifact_has_permission(perm):
return bool(functions.has_permission(request.user, perm))
