Ejemplo n.º 1
 def _collect_allowed_items(self, items, user):
     """Yield ``(item, permission)`` for every item the user may access.

     For each entry the rights backend (``self.Rights.authorized``) is
     asked about the path of the collection involved: the entry's own path
     when it is a ``storage.BaseCollection``, otherwise the path of the
     collection that holds it. Untagged collections are checked against
     ``"RW"``; tagged collections and plain items against ``"rw"``.

     The yielded permission is ``"w"`` when the granted permissions
     intersect ``"Ww"``, else ``"r"`` when they intersect ``"Rr"``.
     Entries with neither are skipped, so a caller never receives an item
     that failed the check. Every decision, including a denial, is written
     to the debug log together with the user and the target.
     """
     for entry in items:
         if not isinstance(entry, storage.BaseCollection):
             # Plain item: access is decided by its parent collection.
             lookup = pathutils.unstrip_path(entry.collection.path, True)
             granted = self.Rights.authorized(user, lookup, "rw")
             description = "item %r from %r" % (
                 entry.href, entry.collection.path)
         else:
             lookup = pathutils.unstrip_path(entry.path, True)
             if entry.get_meta("tag"):
                 granted = self.Rights.authorized(user, lookup, "rw")
                 description = "collection with tag %r" % entry.path
             else:
                 granted = self.Rights.authorized(user, lookup, "RW")
                 description = "collection %r" % entry.path
         # Write access outranks read access; no match means no access.
         if rights.intersect_permissions(granted, "Ww"):
             level, label = "w", "write"
         elif rights.intersect_permissions(granted, "Rr"):
             level, label = "r", "read"
         else:
             level, label = "", "NO"
         who = repr(user) if user else "anonymous user"
         logger.debug("%s has %s access to %s", who, label, description)
         if not level:
             continue
         yield entry, level
Ejemplo n.º 2
 def _collect_allowed_items(self, items, user):
     """Filter ``items`` down to those ``user`` is authorized for.

     This is a generator of ``(item, permission)`` pairs, where
     ``permission`` is ``"w"`` or ``"r"``. The decision for each item comes
     from ``self.Rights.authorized`` applied to a collection path: the
     item's own path for a ``storage.BaseCollection``, the parent
     collection's path for anything else. Only untagged collections are
     queried with the upper-case ``"RW"``; everything else uses ``"rw"``.

     An item whose granted permissions intersect neither ``"Ww"`` nor
     ``"Rr"`` is dropped silently apart from a debug log line, so the
     default outcome is denial.
     """
     for item in items:
         if isinstance(item, storage.BaseCollection):
             path = pathutils.unstrip_path(item.path, True)
             mode = "rw" if item.get_meta("tag") else "RW"
             permissions = self.Rights.authorized(user, path, mode)
             template = ("collection with tag %r" if mode == "rw"
                         else "collection %r")
             target = template % item.path
         else:
             path = pathutils.unstrip_path(item.collection.path, True)
             permissions = self.Rights.authorized(user, path, "rw")
             target = "item %r from %r" % (item.href, item.collection.path)
         # Try the strongest level first; the for/else falls through to
         # "no access" when neither level is granted.
         for wanted, permission, status in (("Ww", "w", "write"),
                                            ("Rr", "r", "read")):
             if rights.intersect_permissions(permissions, wanted):
                 break
         else:
             permission, status = "", "NO"
         logger.debug("%s has %s access to %s",
                      repr(user) if user else "anonymous user", status,
                      target)
         if permission:
             yield item, permission
Ejemplo n.º 3
 def authorized(self, user, path, permissions):
     """Return the subset of ``permissions`` granted for ``path``.

     When ``self._verify_user`` is set, a request without a user is denied
     (``""``). Otherwise the answer depends only on the depth of the
     stripped path: no ``/`` grants up to ``"RW"``, exactly one ``/``
     grants up to ``"rw"``, anything deeper is denied.

     No ownership check is made here: ``user`` is only tested for
     truthiness and is never compared with ``path``, so every accepted
     user receives the same answer for a given path.
     """
     anonymous_rejected = self._verify_user and not user
     if anonymous_rejected:
         return ""
     depth = pathutils.strip_path(path).count("/")
     if depth == 0:
         ceiling = "RW"
     elif depth == 1:
         ceiling = "rw"
     else:
         # Deeper than principal/collection: nothing is granted.
         return ""
     return rights.intersect_permissions(permissions, ceiling)
Ejemplo n.º 4
 def authorized(self, user, path, permissions):
     """Grant access by path depth to any user that passes the user check.

     Returns ``""`` (no access) when ``self._verify_user`` is set and
     ``user`` is empty. For other requests the stripped path is looked up
     by its number of ``/`` separators: zero allows at most ``"RW"``, one
     allows at most ``"rw"``, more than one allows nothing. The result is
     the intersection of that ceiling with the requested ``permissions``.

     The identity of ``user`` is not compared with the path, so this
     method does not restrict a user to collections under their own name.
     """
     if self._verify_user and not user:
         return ""
     # Number of "/" in the stripped path -> most that can be granted.
     ceiling_by_depth = {0: "RW", 1: "rw"}
     slash_count = pathutils.strip_path(path).count("/")
     if slash_count not in ceiling_by_depth:
         return ""
     return rights.intersect_permissions(
         permissions, ceiling_by_depth[slash_count])
Ejemplo n.º 5
 def authorized(self, user, path, permissions):
     """Return the permissions granted for ``path``, favouring its owner.

     A request without a user is denied when ``self._verify_user`` is set.
     The root (empty stripped path) allows at most ``"R"``. For other
     paths the owner is the first path segment: it is compared with
     ``user`` by exact equality, with no normalisation of either side in
     this method. When ``self._verify_user`` is not set, every caller is
     treated as the owner.

     Owners may get up to ``"RW"`` on a path without ``/`` and up to
     ``"rw"`` on a path with exactly one ``/``; non-owners get the
     read-only counterparts ``"R"`` and ``"r"``. Deeper paths are denied.
     """
     if self._verify_user and not user:
         return ""
     sane_path = pathutils.strip_path(path)
     if not sane_path:
         return rights.intersect_permissions(permissions, "R")
     # Ownership is decided by the first path segment only.
     owned = not self._verify_user or user == sane_path.partition("/")[0]
     depth = sane_path.count("/")
     if depth > 1:
         return ""
     if depth == 0:
         ceiling = "RW" if owned else "R"
     else:
         ceiling = "rw" if owned else "r"
     return rights.intersect_permissions(permissions, ceiling)
Ejemplo n.º 6
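 def authorized(self, user, path, permissions):
     """Return the subset of ``permissions`` granted by the rights file.

     The file named by ``self.filename`` is parsed on every call. Its
     sections are tried in the order ``sections()`` returns them; the
     first one whose ``user`` regex fully matches the user name and whose
     ``collection`` regex fully matches the stripped path decides the
     result, which is the intersection of ``permissions`` with that
     section's ``permissions`` option. If no section matches, ``""`` is
     returned, i.e. access is denied.

     ``%(login)s`` and ``%(path)s`` are available for interpolation in the
     file and expand to regex-escaped copies of the user name and path.
     Groups captured by the ``user`` regex are regex-escaped and passed
     positionally to ``str.format`` on the ``collection`` pattern.

     A request without a user is evaluated as the empty user name, so a
     ``user`` pattern that can match the empty string also applies to
     unauthenticated requests.

     Raises:
         RuntimeError: If the rights file cannot be read, or a section's
             ``user`` or ``collection`` option is missing or cannot be
             evaluated as a pattern.
     """
     user = user or ""
     sane_path = pathutils.strip_path(path)
     # Prevent "regex injection": the values substituted into the patterns
     # must only ever match themselves literally.
     # ConfigParser also treats "%" in these default values as
     # interpolation syntax, so a user name or path containing "%" would
     # raise instead of being matched. Doubling it makes the value expand
     # back to a literal "%".
     user_escaped = re.escape(user).replace("%", "%%")
     sane_path_escaped = re.escape(sane_path).replace("%", "%%")
     rights_config = configparser.ConfigParser({
         "login": user_escaped,
         "path": sane_path_escaped
     })
     try:
         # read() returns the list of files it parsed; empty means the
         # file was missing or unreadable.
         if not rights_config.read(self.filename):
             raise RuntimeError("No such file: %r" % self.filename)
     except Exception as e:
         raise RuntimeError("Failed to load rights file %r: %s" %
                            (self.filename, e)) from e
     for section in rights_config.sections():
         try:
             user_pattern = rights_config.get(section, "user")
             collection_pattern = rights_config.get(section, "collection")
             user_match = re.fullmatch(user_pattern, user)
             # The collection pattern is only evaluated once the user
             # matched, because it may refer to the user's regex groups.
             collection_match = user_match and re.fullmatch(
                 collection_pattern.format(
                     *map(re.escape, user_match.groups())), sane_path)
         except Exception as e:
             raise RuntimeError("Error in section %r of rights file %r: "
                                "%s" % (section, self.filename, e)) from e
         if user_match and collection_match:
             logger.debug("Rule %r:%r matches %r:%r from section %r", user,
                          sane_path, user_pattern, collection_pattern,
                          section)
             # First matching section wins; later sections are not read.
             return rights.intersect_permissions(
                 permissions, rights_config.get(section, "permissions"))
         logger.debug("Rule %r:%r doesn't match %r:%r from section %r",
                      user, sane_path, user_pattern, collection_pattern,
                      section)
     logger.info("Rights: %r:%r doesn't match any section", user, sane_path)
     return ""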
Ejemplo n.º 7
 def authorized(self, user, path, permissions):
     """Allow access only to the collections ``tmp`` and ``other``.

     The stripped path must equal one of the two names exactly; every
     other path is denied with ``""``. ``user`` is not consulted, so the
     answer is the same for authenticated and anonymous requests.

     For an allowed path the requested ``permissions`` are passed to
     ``rights.intersect_permissions`` with no second argument; what they
     are intersected with is decided by that helper and is not visible
     here.
     """
     if pathutils.strip_path(path) in ("tmp", "other"):
         return rights.intersect_permissions(permissions)
     return ""
Ejemplo n.º 8
 def authorized(self, user, path, permissions):
     """Grant access by a fixed allow-list of stripped paths.

     Only ``tmp`` and ``other`` are on the list; any other path yields
     ``""`` (no access). The ``user`` argument is ignored, so this method
     performs no per-user restriction.

     Allowed paths return ``rights.intersect_permissions(permissions)``;
     the helper is called with a single argument, so the set it intersects
     with is whatever that helper defines.
     """
     allowed_paths = ("tmp", "other")
     sane_path = pathutils.strip_path(path)
     return (rights.intersect_permissions(permissions)
             if sane_path in allowed_paths else "")
Ejemplo n.º 9
 def authorized(self, user, path, permissions):
     """Allow access only when ``path`` names ``tmp`` or ``other``.

     Leading and trailing ``/`` characters are removed with ``str.strip``
     before the comparison; the remainder must equal one of the two names
     exactly, so a nested path such as ``tmp/x`` is denied. ``user`` is not
     consulted.

     Allowed paths return ``rights.intersect_permissions(permissions)``,
     called with a single argument; all other paths return ``""``.
     """
     collection = path.strip("/")
     if collection == "tmp" or collection == "other":
         return rights.intersect_permissions(permissions)
     return ""