def delete_perm(db_session, permission: str, requester):
"""
Removes a permission from the system
:param db_session: The postgres session to be used.
:param permission: String The permission to be removed (name or ID).
:param requester: Who is creating this user. This is a dictionary with two keys:
"userid" and "username".
:return:
:raises HTTPRequestError: Can't delete a system permission.
"""
try:
perm = Permission.get_by_name_or_id(permission)
if perm.type == PermissionTypeEnum.api:
db_session.execute(
UserPermission.__table__.delete(
UserPermission.permission_id == perm.id))
db_session.execute(
GroupPermission.__table__.delete(
GroupPermission.permission_id == perm.id))
cache.delete_key(action=perm.method, resource=perm.path)
LOGGER.info(
f"permission {perm.name} deleted by {requester['username']}")
LOGGER.info(perm.safe_dict())
db_session.delete(perm)
db_session.commit()
MVUserPermission.refresh()
MVGroupPermission.refresh()
else:
raise HTTPRequestError(405, "Can't delete a system permission")
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No permission found with this ID or name")
def add_permissions_group():
predef_group_perm = [
{
"name": "testadm",
"permission": [
'all_all'
]
},
{
"name": "testuser",
"permission": [
'all_template',
'all_device',
'all_flows',
'ro_history',
'ro_ca',
'wo_sign',
"ro_socketio",
"all_import",
"ro_export",
"all_image"
]
}
]
for group in predef_group_perm:
group_id = Group.get_by_name_or_id(group['name']).id
for perm in group['permission']:
perm_id = Permission.get_by_name_or_id(perm).id
r = GroupPermission(group_id=group_id, permission_id=perm_id)
db.session.add(r)
db.session.commit()
def update_perm(db_session, permission: str, perm_data, requester):
"""
Updates all information about a permission (excluding name and ID, of course).
:param db_session: The postgres session to be used.
:param permission: String The permission name or ID.
:param perm_data: New information for this permission.
:param requester: Who is creating this user. This is a dictionary with two keys:
"userid" and "username".
:return:
:raises HTTPRequestError: Can't edit a system permission.
"""
perm_data = {
k: perm_data[k]
for k in perm_data if k in Permission.fillable
}
check_perm(perm_data)
try:
perm = Permission.get_by_name_or_id(permission)
if perm.type == PermissionTypeEnum.api:
if 'name' in perm_data.keys() and perm.name != perm_data['name']:
raise HTTPRequestError(400, "permission name can't be changed")
for key, value in perm_data.items():
setattr(perm, key, value)
db_session.add(perm)
LOGGER.info(
f"permission {perm.name} updated by {requester['username']}")
LOGGER.info(perm_data)
db_session.commit()
else:
raise HTTPRequestError(405, "Can't edit a system permission ")
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No permission found with this ID")
def remove_group_permission(db_session, group, permission, requester):
try:
group = Group.get_by_name_or_id(group)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No group found with this ID or name")
try:
perm = Permission.get_by_name_or_id(permission)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No permission found with this ID")
try:
relation = db_session.query(GroupPermission) \
.filter_by(group_id=group.id, permission_id=perm.id).one()
db_session.delete(relation)
cache.delete_key(action=perm.method,
resource=perm.path)
log().info(f"permission {perm.name} removed from group {group.name} by {requester['username']}")
MVGroupPermission.refresh()
db_session.commit()
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "Group does not have this permission")
def add_group_permission(db_session, group, permission, requester):
try:
group = Group.get_by_name_or_id(group)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No group found with this ID or name")
try:
perm = Permission.get_by_name_or_id(permission)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No permission found with this ID or name")
if db_session.query(GroupPermission) \
.filter_by(group_id=group.id, permission_id=perm.id).one_or_none():
raise HTTPRequestError(409, "Group already have this permission")
r = GroupPermission(group_id=group.id, permission_id=perm.id)
db_session.add(r)
cache.delete_key(action=perm.method,
resource=perm.path)
log().info(f"permission {perm.name} added to group {group.name} by {requester['username']}")
MVGroupPermission.refresh()
db_session.commit()
def remove_user_permission(db_session, user, permission, requester):
try:
user = User.get_by_name_or_id(user)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No user found with this ID or name")
try:
perm = Permission.get_by_name_or_id(permission)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No permission found with this ID")
try:
relation = db_session.query(UserPermission) \
.filter_by(user_id=user.id, permission_id=perm.id).one()
db_session.delete(relation)
cache.delete_key(userid=user.id,
action=perm.method,
resource=perm.path)
log().info(f"permission {perm.name} for user {user.username} was revoked by {requester['username']}")
MVUserPermission.refresh()
db_session.commit()
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "User does not have this permission")
def add_user_permission(db_session, user, permission, requester):
try:
user = User.get_by_name_or_id(user)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No user found with this ID or name")
try:
perm = Permission.get_by_name_or_id(permission)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No permission found with this ID")
if db_session.query(UserPermission) \
.filter_by(user_id=user.id, permission_id=perm.id).one_or_none():
raise HTTPRequestError(409, "User already have this permission")
r = UserPermission(user_id=user.id, permission_id=perm.id)
db_session.add(r)
cache.delete_key(userid=user.id, action=perm.method, resource=perm.path)
MVUserPermission.refresh()
db_session.commit()
log().info(
f"user {user.username} received permission {perm.name} by {requester['username']}"
)
def get_perm(db_session, permission):
try:
perm = Permission.get_by_name_or_id(permission)
return perm
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No permission found with this ID")