Ejemplo n.º 1
    def getPermissions(self, scope):
        """
        List every permission defined in the given scope as API enum values.

        Only the scope is consulted here: the result describes which
        permissions exist, not which ones the caller holds.
        """

        defined = permissions.get_permissions(scope)
        return list(map(permissions.api_enum_for_permission, defined))
Ejemplo n.º 2
def __get_permission_names(scope=None):
    """
    Collect the names of the defined permissions into a list of strings.

    Internal helper used while setting up the permission database.

    :param scope: One of the Permission class strings (e.g. 'SYSTEM'). When
      given, only the permission definitions of that scope are listed.
    :return: The 'name' attribute of each permission, in the order
      permissions.get_permissions() yields them.
    """

    names = []
    for definition in permissions.get_permissions(scope):
        names.append(definition.name)
    return names
Ejemplo n.º 3
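    def getPermissionsForUser(self, scope, extra_params, perm_filter):
        """
        Returns the permissions in the given permission scope and with the
        given scope-specific extra_params for the current logged in user,
        based on the permission filters.

        Filters in the perm_filter struct are joined in an AND clause.

        :param scope: Permission scope handed to
          permissions.get_permissions().
        :param extra_params: Scope-specific parameters; they are unpacked
          together with the database session before reaching the handler.
        :param perm_filter: Filter struct whose 'given' and 'canManage'
          fields are read here. None, or a struct with no truthy field,
          means no filtering: the result is then whatever
          getPermissions(scope) returns and no per-user check is made in
          this method.
        :return: API enum values of the permissions that pass every filter.
        :raises shared.ttypes.RequestFailed: With ErrorCode.DATABASE when a
          SQLAlchemy error occurs.
        """

        if perm_filter is None or not any(perm_filter.__dict__.values()):
            # If no filtering is needed, this function behaves identically
            # to getPermissions().
            return self.getPermissions(scope)

        # Bound before the try block so the finally clause can tell whether
        # a session was ever opened. Without this, a failure while opening
        # the session made the cleanup raise a NameError that replaced the
        # real error.
        session = None
        try:
            session = self.__config_db()

            # The database connection must always be passed to the permission
            # handler.
            params = ThriftAuthHandler.__unpack_extra_params(
                extra_params, session)

            perms = []
            for perm in permissions.get_permissions(scope):
                handler = make_handler(perm, params)

                # 'given': keep only permissions the current session holds.
                if perm_filter.given and \
                        not handler.has_permission(self.__auth_session):
                    continue

                # 'canManage': keep only permissions that the current
                # session is authorised to manage, i.e. the user holds one
                # of the permissions that manage the iterated permission.
                if perm_filter.canManage and \
                        not require_manager(perm, params,
                                            self.__auth_session):
                    continue

                perms.append(perm)

            return [permissions.api_enum_for_permission(p) for p in perms]

        except sqlalchemy.exc.SQLAlchemyError as alchemy_ex:
            msg = str(alchemy_ex)
            LOG.error(msg)
            # NOTE(review): msg is the raw SQLAlchemy error text and it is
            # carried in the exception raised to the caller. Such text can
            # include statement and schema details; consider returning a
            # generic message and keeping the detail in the log only.
            raise shared.ttypes.RequestFailed(shared.ttypes.ErrorCode.DATABASE,
                                              msg)
        finally:
            if session is not None:
                session.close()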
Ejemplo n.º 4
    def getPermissionsForUser(self, scope, extra_params, perm_filter):
        """
        List the permissions of the given scope that pass the requested
        filters for the currently logged in user.

        The scope-specific extra_params are unpacked together with the
        database session and handed to the permission handler. The filters
        in perm_filter are combined with AND: a permission is returned only
        if it passes every filter that is switched on.

        With perm_filter set to None, or with no truthy field in it, the
        call is forwarded to getPermissions(scope) and no per-user check is
        made in this method.
        """

        filter_is_empty = perm_filter is None or \
            not any(perm_filter.__dict__.values())
        if filter_is_empty:
            # Nothing to filter on: same result as getPermissions().
            return self.getPermissions(scope)

        with DBSession(self.__config_db) as session:
            # The permission handler always needs the database connection,
            # so it travels with the unpacked parameters.
            params = ThriftAuthHandler.__unpack_extra_params(extra_params,
                                                             session)

            matching = []
            for perm in permissions.get_permissions(scope):
                handler = make_handler(perm, params)

                # 'given' filter: drop permissions the session does not hold.
                if perm_filter.given and \
                        not handler.has_permission(self.__auth_session):
                    continue

                # 'canManage' filter: drop permissions the session may not
                # manage. Holding any permission that is authorised to
                # manage the iterated one is enough to pass.
                if perm_filter.canManage and \
                        not require_manager(perm, params,
                                            self.__auth_session):
                    continue

                matching.append(perm)

            return [permissions.api_enum_for_permission(p)
                    for p in matching]