def check_permissions(self, resource, method, user):
"""Checks user permissions.
1. If there's no user associated with the request or HTTP Method is GET then return True.
2. Get User's Privileges
3. Intrinsic Privileges:
Check if resource has intrinsic privileges.
If it has then check if HTTP Method is allowed.
Return True if `is_authorized()` on the resource service returns True.
Otherwise, raise ForbiddenError.
HTTP Method not allowed continue
No intrinsic privileges continue
4. User's Privileges
Get Resource Privileges and validate it against user's privileges. Return True if validation is successful.
Otherwise continue.
5. If method didn't return True, then user is not authorized to perform the requested operation on the resource.
"""
# Step 1:
if not user:
return True
# Step 2: Get User's Privileges
get_resource_service("users").set_privileges(user, flask.g.role)
if method == "GET":
return True
# Step 3: Intrinsic Privileges
message = _("Insufficient privileges for the requested operation.")
intrinsic_privileges = get_intrinsic_privileges()
if intrinsic_privileges.get(
resource) and method in intrinsic_privileges[resource]:
service = get_resource_service(resource)
authorized = service.is_authorized(
user_id=str(user.get("_id")),
_id=request.view_args.get("_id"),
method=method)
if not authorized:
raise SuperdeskApiError.forbiddenError(message=message)
return authorized
# Step 4: User's privileges
privileges = user.get("active_privileges", {})
resource_privileges = get_resource_privileges(resource).get(
method, None)
if not resource_privileges and get_no_resource_privileges(resource):
return True
if privileges.get(resource_privileges, False):
return True
# Step 5:
raise SuperdeskApiError.forbiddenError(message=message)
def check_permissions(self, resource, method, user):
"""Checks user permissions.
1. If there's no user associated with the request or HTTP Method is GET then return True.
2. Get User's Privileges
3. Intrinsic Privileges:
Check if resource has intrinsic privileges.
If it has then check if HTTP Method is allowed.
Return True if `is_authorized()` on the resource service returns True.
Otherwise, raise ForbiddenError.
HTTP Method not allowed continue
No intrinsic privileges continue
4. User's Privileges
Get Resource Privileges and validate it against user's privileges. Return True if validation is successful.
Otherwise continue.
5. If method didn't return True, then user is not authorized to perform the requested operation on the resource.
"""
# Step 1:
if not user:
return True
# Step 2: Get User's Privileges
get_resource_service('users').set_privileges(user, flask.g.role)
if method == 'GET':
return True
# Step 3: Intrinsic Privileges
intrinsic_privileges = get_intrinsic_privileges()
if intrinsic_privileges.get(resource) and method in intrinsic_privileges[resource]:
service = get_resource_service(resource)
authorized = service.is_authorized(user_id=str(user.get('_id')), _id=request.view_args.get('_id'))
if not authorized:
raise SuperdeskApiError.forbiddenError()
return authorized
# Step 4: User's privileges
privileges = user.get('active_privileges', {})
resource_privileges = get_resource_privileges(resource).get(method, None)
if privileges.get(resource_privileges, False):
return True
# Step 5:
raise SuperdeskApiError.forbiddenError()
def check_permissions(self, resource, method, user):
"""
1. If there's no user associated with the request or HTTP Method is GET then return True.
2. Get User's Privileges
3. Intrinsic Privileges:
Check if resource has intrinsic privileges.
If it has then check if HTTP Method is allowed.
Return True if `is_authorized()` on the resource service returns True.
Otherwise, raise ForbiddenError.
HTTP Method not allowed continue
No intrinsic privileges continue
4. User's Privileges
Get Resource Privileges and validate it against user's privileges. Return True if validation is successful.
Otherwise continue.
5. If method didn't return True, then user is not authorized to perform the requested operation on the resource.
"""
# Step 1:
if method == 'GET' or not user:
return True
# Step 2: Get User's Privileges
get_resource_service('users').set_privileges(user, flask.g.role)
# Step 3: Intrinsic Privileges
intrinsic_privileges = get_intrinsic_privileges()
if intrinsic_privileges.get(
resource) and method in intrinsic_privileges[resource]:
authorized = get_resource_service(resource).is_authorized(
user_id=request.view_args.get('_id'))
if not authorized:
raise SuperdeskApiError.forbiddenError()
return authorized
# Step 4: User's privileges
privileges = user.get('active_privileges', {})
resource_privileges = get_resource_privileges(resource).get(
method, None)
if privileges.get(resource_privileges, False):
return True
# Step 5:
raise SuperdeskApiError.forbiddenError()
