def extract_and_format_data(self, record):
view_perm = self.view_permission_for(record)
edit_perm = self.edit_permission_for(record)
delete_perm = self.delete_permission_for(record)
can_edit = has_permissions(edit_perm, flask_login.current_user)
can_delete = has_permissions(delete_perm, flask_login.current_user)
can_view = ((self.edit_endpoint != self.view_endpoint or not can_edit)
and has_permissions(view_perm, flask_login.current_user))
view_link_class = self.view_link_class_for(record)
edit_link_class = self.edit_link_class_for(record)
delete_link_class = self.delete_link_class_for(record)
data = self.extract_data(record)
return self.format_data(data, can_edit, can_delete, can_view,
view_link_class, edit_link_class,
delete_link_class)
def check_auth(self, instance=None):
super(RequiresPermissions, self).check_auth(instance=instance)
user = flask_login.current_user
if self.condition and not model_utils.has_permissions(
self.condition, user):
if instance and callable(
getattr(instance, 'on_authorization_failure', None)):
instance.on_authorization_failure()
self.on_authorization_failure()
def check_auth(obj):
if obj is None:
return True
if (getattr(obj, '__keg_auth_requires_user__', False)
and (not flask_login.current_user
or not flask_login.current_user.is_authenticated)):
return False
if (getattr(obj, '__keg_auth_requires_permissions__', False) and
not has_permissions(obj.__keg_auth_requires_permissions__,
flask_login.current_user)):
return False
return True
def is_permitted(self):
""" Check permitted status of this route for the current user """
# simplest case: route has requirements directly assigned
if self.requires_permissions:
if not flask_login.current_user:
return False
return has_permissions(self.requires_permissions,
flask_login.current_user)
# otherwise, we need to find the view for the route. In that case, both the route and its
# defining class (if any) may (or may not) have requirements to check.
# the following checks are ANDed, so return False if anything fails
view_obj = flask.current_app.view_functions.get(self.route_string)
if not view_obj:
raise Exception(
_('Endpoint {} in navigation is not registered').format(
self.route_string))
def check_auth(obj):
if obj is None:
return True
if (getattr(obj, '__keg_auth_requires_user__', False)
and (not flask_login.current_user
or not flask_login.current_user.is_authenticated)):
return False
if (getattr(obj, '__keg_auth_requires_permissions__', False) and
not has_permissions(obj.__keg_auth_requires_permissions__,
flask_login.current_user)):
return False
return True
def fetch_parent_class(view_obj):
parent_class = getattr(
view_obj, 'im_class',
getattr(view_obj, '__keg_auth_parent_class__', None))
if not parent_class and not hasattr(view_obj,
'__keg_auth_parent_class__'):
obj = view_obj
if hasattr(obj, '__keg_auth_original_function__'):
# the target method has been wrapped by a keg auth decorator, so we need
# to inspect the original method to find the parent class (if any)
obj = obj.__keg_auth_original_function__
view_obj.__keg_auth_parent_class__ = get_defining_class(obj)
parent_class = view_obj.__keg_auth_parent_class__
return parent_class
def fetch_blueprint():
return flask.current_app.blueprints.get(
self.route_string.split('.', 1)[0], None)
if hasattr(view_obj, 'view_class'):
# class got wrapped with flask's as_view - get the original view to see what
# requirements are stored there
view_obj = view_obj.view_class
if inspect.isclass(view_obj) and hasattr(view_obj, 'get'):
# view class has an action method likely to be called via a navigation link
if sys.version_info[0] != 2:
view_obj.get.__keg_auth_parent_class__ = view_obj
view_obj = view_obj.get
# make sure defining class is assigned (if any). We need to know this in order to
# check requirements at the class level
parent_class = fetch_parent_class(view_obj)
blueprint = fetch_blueprint()
return check_auth(view_obj) and check_auth(
parent_class) and check_auth(blueprint)