def wrapper(*args, **kwargs):
# getting the tenant name
if get_tenant_from == 'header':
tenant_name = tenant_for_auth or request.headers.get(
CLOUDIFY_TENANT_HEADER)
elif get_tenant_from == 'param':
tenant_name = tenant_for_auth or kwargs['tenant_name']
elif get_tenant_from == 'data':
tenant_name = tenant_for_auth or get_json_and_verify_params({
'tenant_name': {
'type': unicode
}
}).get('tenant_name')
else:
tenant_name = tenant_for_auth
# finding tenant to add to the app config
if tenant_name:
try:
tenant = get_storage_manager().get(
Tenant, tenant_name, filters={'name': tenant_name})
utils.set_current_tenant(tenant)
except NotFoundError:
raise ForbiddenError(
'Authorization failed: Tried to authenticate with '
'invalid tenant name: {0}'.format(tenant_name))
# when running unittests, there is no authorization
if config.instance.test_mode:
return func(*args, **kwargs)
# extracting tenant roles for user in the tenant
tenant_roles = []
for t in current_user.all_tenants:
if (allow_all_tenants and request_use_all_tenants()) \
or t.name == tenant_name:
tenant_roles += current_user.all_tenants[t]
# joining user's system role with his tenant roles
user_roles = [role.name for role in tenant_roles] \
+ current_user.system_roles
# getting the roles allowed to perform requested action
action_roles = config.instance.authorization_permissions[action]
# checking if any of the user's roles is allowed to perform action
for user_role in user_roles:
if user_role in action_roles:
return func(*args, **kwargs)
# none of the user's role is allowed to perform the action
error_message = 'User `{0}` is not permitted to perform the ' \
'action {1}'.format(current_user.username, action)
if tenant_name:
error_message += ' in the tenant `{0}`'.format(tenant_name)
raise ForbiddenError(error_message)
def get_current_user_roles(tenant_name=None, allow_all_tenants=False):
tenant_roles = []
# extracting tenant roles for user in the tenant
for t in current_user.all_tenants:
if (allow_all_tenants and request_use_all_tenants()) \
or t.name == tenant_name:
tenant_roles += current_user.all_tenants[t]
# joining user's system role with his tenant roles
user_roles = [role.name for role in tenant_roles] \
+ current_user.system_roles
return user_roles
def get_current_user_roles(tenant_name=None, allow_all_tenants=False):
tenant_roles = []
# extracting tenant roles for user in the tenant
for t in current_user.all_tenants:
if (allow_all_tenants and request_use_all_tenants()) \
or t.name == tenant_name:
tenant_roles += current_user.all_tenants[t]
# joining user's system role with his tenant roles
user_roles = [role.name for role in tenant_roles] \
+ current_user.system_roles
return user_roles
def is_all_tenants(*args, **kw):
return func(all_tenants=request_use_all_tenants(), *args, **kw)
def is_all_tenants(*args, **kw):
return func(all_tenants=request_use_all_tenants(), *args, **kw)
