Beispiel #1
0
 def visible_desktop_integration_actions(self):
     """Return all visible actions for DESKTOP_INTEGRATION."""
     actions = Actions()
     for action in self.visible_actions:
         if action.permission is OAuthPermission.DESKTOP_INTEGRATION:
             actions.append(action)
     return actions
Beispiel #2
0
def create_oauth_permission_actions():
    """Make two `Actions` objects containing each possible `OAuthPermission`.

    The first `Actions` object contains every action supported by the
    OAuthAuthorizeTokenView. The second list contains a good default
    set of actions, omitting special actions like the
    DESKTOP_INTEGRATION ones.
    """
    all_actions = Actions()
    ordinary_actions = Actions()
    desktop_permission = OAuthPermission.DESKTOP_INTEGRATION
    for permission in OAuthPermission.items:
        action = Action(
            permission.title, name=permission.name,
            success=token_review_success,
            condition=token_exists_and_is_not_reviewed)
        action.permission = permission
        action.duration = None
        all_actions.append(action)
        if permission != desktop_permission:
            ordinary_actions.append(action)

    # Add special actions for the time-limited DESKTOP_INTEGRATION
    # tokens.
    for duration in (
        TemporaryIntegrations.HOUR, TemporaryIntegrations.DAY,
        TemporaryIntegrations.WEEK):
        action = Action(
            ("For One %s" % duration),
            name=expandPrefix(desktop_permission.name) + duration,
            success=token_review_success,
            condition=token_exists_and_is_not_reviewed)
        action.permission = desktop_permission
        action.duration = duration
        all_actions.append(action)

    return all_actions, ordinary_actions
Beispiel #3
0
    def visible_actions(self):
        """Restrict the actions to a subset to be presented to the client.

        Not all client programs can function with all levels of
        access. For instance, a client that needs to modify the
        dataset won't work correctly if the end-user only gives it
        read access. By setting the 'allow_permission' query variable
        the client program can get Launchpad to show the end-user an
        acceptable subset of OAuthPermission.

        The user always has the option to deny the client access
        altogether, so it makes sense for the client to ask for the
        least access possible.

        If the client sends nonsensical values for allow_permissions,
        the end-user will be given a choice among all the permissions
        used by normal applications.
        """

        allowed_permissions = set(
            self.request.form_ng.getAll('allow_permission'))
        if len(allowed_permissions) == 0:
            return self.actions_excluding_special_permissions
        actions = Actions()

        # UNAUTHORIZED is always one of the options. If the client
        # explicitly requested UNAUTHORIZED, remove it from the list
        # to simplify the algorithm: we'll add it back later.
        if OAuthPermission.UNAUTHORIZED.name in allowed_permissions:
            allowed_permissions.remove(OAuthPermission.UNAUTHORIZED.name)

        # DESKTOP_INTEGRATION cannot be requested as one of several
        # options--it must be the only option (other than
        # UNAUTHORIZED). If there is any item in the list that doesn't
        # use DESKTOP_INTEGRATION, remove it from the list.
        desktop_permission = OAuthPermission.DESKTOP_INTEGRATION

        if (desktop_permission.name in allowed_permissions
            and len(allowed_permissions) > 1):
            allowed_permissions.remove(desktop_permission.name)

        if desktop_permission.name in allowed_permissions:
            if not self.token.consumer.is_integrated_desktop:
                # Consumers may only ask for desktop integration if
                # they give a desktop type (eg. "Ubuntu") and a
                # user-recognizable desktop name (eg. the hostname).
                raise Unauthorized(
                    ('Consumer "%s" asked for desktop integration, '
                     "but didn't say what kind of desktop it is, or name "
                     "the computer being integrated."
                     % self.token.consumer.key))

            # We're going for desktop integration. There are four
            # possibilities: "allow permanently", "allow for one
            # hour", "allow for one day", "allow for one week", and
            # "deny". We'll customize the "allow permanently" and
            # "deny" message using the hostname provided by the
            # desktop. We'll use the existing Action objects for the
            # "temporary integration" actions, without customizing
            # their messages.
            #
            # Since self.actions is a descriptor that returns copies
            # of Action objects, we can modify the actions we get
            # in-place without ruining the Action objects for everyone
            # else.
            desktop_name = self.token.consumer.integrated_desktop_name
            allow_action = [
                action for action in self.actions
                if action.name == desktop_permission.name][0]
            allow_action.label = "Until I Disable It"
            actions.append(allow_action)

            # Bring in all of the temporary integration actions.
            for action in self.actions:
                if (action.permission == desktop_permission
                    and action.name != desktop_permission.name):
                    actions.append(action)

            # Fionally, customize the "deny" message.
            label = (
                'Do Not Allow "%s" to Access my Launchpad Account.')
            deny_action = [
                action for action in self.actions
                if action.name == OAuthPermission.UNAUTHORIZED.name][0]
            deny_action.label = label % desktop_name
            actions.append(deny_action)
        else:
            # We're going for web-based integration.
            for action in self.actions_excluding_special_permissions:
                if (action.permission.name in allowed_permissions
                    or action.permission is OAuthPermission.UNAUTHORIZED):
                    actions.append(action)

        if len(list(actions)) == 1:
            # The only visible action is UNAUTHORIZED. That means the
            # client tried to restrict the permissions but didn't name
            # any actual permissions (except possibly
            # UNAUTHORIZED). Rather than present the end-user with an
            # impossible situation where their only option is to deny
            # access, we'll present the full range of actions (except
            # for special permissions like DESKTOP_INTEGRATION).
            return self.actions_excluding_special_permissions
        return actions