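def removePermission(self, permission, auth_name, is_group, extra_params):
    """
    Removes the given permission from the user or group auth_name.

    The caller must pass the require_manager() check for the permission.
    If the check fails, RequestFailed(UNAUTHORIZED) is raised before the
    handler is asked to change anything.

    :param permission: API-level permission identifier, resolved together
        with extra_params by __create_permission_args().
    :param auth_name: Name of the user or group losing the permission.
    :param is_group: Handed to the handler together with auth_name to say
        whether auth_name names a group.
    :param extra_params: Scope-specific parameters of the permission.
    :return: True once the removal has been committed.
    :raises shared.ttypes.RequestFailed: UNAUTHORIZED when the caller may
        not manage the permission, DATABASE on any SQLAlchemy error.
    """
    # Bind the name before the try block: if opening the session itself
    # fails, the finally clause must not raise a NameError that hides the
    # real exception.
    session = None
    try:
        session = self.__config_db()
        perm, params = ThriftAuthHandler.__create_permission_args(
            permission, extra_params, session)

        # Authorisation gate. It has to stay ahead of every call that
        # mutates permission state.
        if not require_manager(perm, params, self.__auth_session):
            raise shared.ttypes.RequestFailed(
                shared.ttypes.ErrorCode.UNAUTHORIZED,
                "You can not manage the permission '{0}'".format(
                    perm.name))

        handler = make_handler(perm, params)
        handler.remove_permission(auth_name, is_group)
        session.commit()
        return True
    except sqlalchemy.exc.SQLAlchemyError as alchemy_ex:
        # NOTE(review): the raw SQLAlchemy error text is returned to the
        # API caller as well as logged. Such messages can contain the
        # failing statement and its bound parameters; consider sending a
        # generic message and keeping the detail in the server log only.
        msg = str(alchemy_ex)
        LOG.error(msg)
        raise shared.ttypes.RequestFailed(shared.ttypes.ErrorCode.DATABASE,
                                          msg)
    finally:
        if session is not None:
            session.close()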
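def getAuthorisedNames(self, permission, extra_params):
    """
    Returns the users and groups who were EXPLICITLY granted a particular
    permission.

    Only callers that pass the require_manager() check for the permission
    may list its holders; everyone else gets RequestFailed(UNAUTHORIZED).

    :param permission: API-level permission identifier, resolved together
        with extra_params by __create_permission_args().
    :param extra_params: Scope-specific parameters of the permission.
    :return: AuthorisationList built from the permitted users (without the
        internal '*' marker) and the permitted groups.
    :raises shared.ttypes.RequestFailed: UNAUTHORIZED when the caller may
        not manage the permission, DATABASE on any SQLAlchemy error.
    """
    # Bind the name before the try block: if opening the session itself
    # fails, the finally clause must not raise a NameError that hides the
    # real exception.
    session = None
    try:
        session = self.__config_db()
        perm, params = ThriftAuthHandler.__create_permission_args(
            permission, extra_params, session)

        # Authorisation gate: the list of grantees is only disclosed to
        # callers who may manage this permission.
        if not require_manager(perm, params, self.__auth_session):
            raise shared.ttypes.RequestFailed(
                shared.ttypes.ErrorCode.UNAUTHORIZED,
                "You can not manage the permission '{0}'".format(
                    perm.name))

        handler = make_handler(perm, params)
        users, groups = handler.list_permitted()

        # The special default permission marker is an internal value.
        # A list is built explicitly because filter() is lazy on Python 3
        # and the result should be a concrete sequence on any interpreter.
        users = [user for user in users if user != '*']

        return AuthorisationList(users, groups)
    except sqlalchemy.exc.SQLAlchemyError as alchemy_ex:
        # NOTE(review): the raw SQLAlchemy error text is returned to the
        # API caller as well as logged. Such messages can contain the
        # failing statement and its bound parameters; consider sending a
        # generic message and keeping the detail in the server log only.
        msg = str(alchemy_ex)
        LOG.error(msg)
        raise shared.ttypes.RequestFailed(shared.ttypes.ErrorCode.DATABASE,
                                          msg)
    finally:
        if session is not None:
            session.close()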
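def getPermissionsForUser(self, scope, extra_params, perm_filter):
    """
    Returns the permissions in the given permission scope and with the
    given scope-specific extra_params for the current logged in user,
    based on the permission filters.

    Filters in the perm_filter struct are joined in an AND clause.

    :param scope: Permission scope whose permissions are examined.
    :param extra_params: Scope-specific parameters, unpacked by
        __unpack_extra_params().
    :param perm_filter: Filter struct; the fields read here are `given`
        and `canManage`. None, or a struct with no truthy field, means
        "no filtering".
    :return: List of API enum values for the permissions that pass every
        active filter, or the result of getPermissions(scope) when no
        filter is active.
    :raises shared.ttypes.RequestFailed: DATABASE on any SQLAlchemy error.
    """
    if perm_filter is None or not any(perm_filter.__dict__.values()):
        # If no filtering is needed, this function behaves identically
        # to getPermissions().
        return self.getPermissions(scope)

    # Bind the name before the try block: if opening the session itself
    # fails, the finally clause must not raise a NameError that hides the
    # real exception.
    session = None
    try:
        session = self.__config_db()

        # The database connection must always be passed to the permission
        # handler.
        params = ThriftAuthHandler.__unpack_extra_params(
            extra_params, session)

        perms = []
        for perm in permissions.get_permissions(scope):
            handler = make_handler(perm, params)

            # "given" filter: the current session must hold the permission.
            if perm_filter.given and \
                    not handler.has_permission(self.__auth_session):
                continue

            # "canManage" filter: if the user has any of the permissions
            # that are authorised to manage the currently iterated
            # permission, the filter passes.
            if perm_filter.canManage and \
                    not require_manager(perm, params, self.__auth_session):
                continue

            perms.append(perm)

        return [permissions.api_enum_for_permission(p) for p in perms]
    except sqlalchemy.exc.SQLAlchemyError as alchemy_ex:
        # NOTE(review): the raw SQLAlchemy error text is returned to the
        # API caller as well as logged. Such messages can contain the
        # failing statement and its bound parameters; consider sending a
        # generic message and keeping the detail in the server log only.
        msg = str(alchemy_ex)
        LOG.error(msg)
        raise shared.ttypes.RequestFailed(shared.ttypes.ErrorCode.DATABASE,
                                          msg)
    finally:
        if session is not None:
            session.close()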
def removePermission(self, permission, auth_name, is_group, extra_params):
    """
    Revoke a permission from the user or group called auth_name.

    The request is refused with RequestFailed(UNAUTHORIZED) unless the
    current session passes require_manager() for the permission. On
    success the change is committed and True is returned.

    NOTE(review): session cleanup is presumably done by DBSession on
    leaving the with-block -- confirm against its definition.
    """
    with DBSession(self.__config_db) as db:
        target_perm, handler_args = \
            ThriftAuthHandler.__create_permission_args(
                permission, extra_params, db)

        # Authorisation gate. It has to stay ahead of every call that
        # mutates permission state.
        may_manage = require_manager(target_perm, handler_args,
                                     self.__auth_session)
        if not may_manage:
            denial = "You can not manage the permission '{0}'".format(
                target_perm.name)
            raise shared.ttypes.RequestFailed(
                shared.ttypes.ErrorCode.UNAUTHORIZED, denial)

        make_handler(target_perm, handler_args).remove_permission(
            auth_name, is_group)
        db.commit()
        return True
def getPermissionsForUser(self, scope, extra_params, perm_filter):
    """
    List the permissions of a scope that pass the requested filters for
    the currently logged in user.

    scope and the scope-specific extra_params select the permissions to
    examine. Every active field of perm_filter must hold for a permission
    to be reported (the filters are AND-ed). With no filter at all the
    call is delegated to getPermissions(scope).

    NOTE(review): session cleanup is presumably done by DBSession on
    leaving the with-block -- confirm against its definition.
    """
    filtering_requested = perm_filter is not None and \
        any(perm_filter.__dict__.values())
    if not filtering_requested:
        # Nothing to filter on: same answer as getPermissions().
        return self.getPermissions(scope)

    with DBSession(self.__config_db) as db:
        # Permission handlers always need the database connection, which
        # travels inside the unpacked parameters.
        handler_args = ThriftAuthHandler.__unpack_extra_params(extra_params,
                                                               db)

        matching = []
        for candidate in permissions.get_permissions(scope):
            handler = make_handler(candidate, handler_args)

            # "given": the current session must hold the permission.
            if perm_filter.given and \
                    not handler.has_permission(self.__auth_session):
                continue

            # "canManage": the user holds at least one permission that is
            # authorised to manage the candidate.
            if perm_filter.canManage and \
                    not require_manager(candidate, handler_args,
                                        self.__auth_session):
                continue

            matching.append(candidate)

        return [permissions.api_enum_for_permission(entry)
                for entry in matching]
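def getAuthorisedNames(self, permission, extra_params):
    """
    Returns the users and groups who were EXPLICITLY granted a particular
    permission.

    Only callers that pass the require_manager() check for the permission
    may list its holders; everyone else gets RequestFailed(UNAUTHORIZED).

    :param permission: API-level permission identifier, resolved together
        with extra_params by __create_permission_args().
    :param extra_params: Scope-specific parameters of the permission.
    :return: AuthorisationList built from the permitted users (without the
        internal '*' marker) and the permitted groups.
    :raises shared.ttypes.RequestFailed: UNAUTHORIZED when the caller may
        not manage the permission.
    """
    with DBSession(self.__config_db) as session:
        perm, params = ThriftAuthHandler.__create_permission_args(
            permission, extra_params, session)

        # Authorisation gate: the list of grantees is only disclosed to
        # callers who may manage this permission.
        if not require_manager(perm, params, self.__auth_session):
            raise shared.ttypes.RequestFailed(
                shared.ttypes.ErrorCode.UNAUTHORIZED,
                "You can not manage the permission '{0}'".format(
                    perm.name))

        handler = make_handler(perm, params)
        users, groups = handler.list_permitted()

        # The special default permission marker is an internal value.
        # A list is built explicitly because filter() is lazy on Python 3
        # and the result should be a concrete sequence on any interpreter.
        users = [user for user in users if user != '*']

        return AuthorisationList(users, groups)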