def _add_permissions_filter(self, query, model_class):
    """Restrict `query` to the rows the current user is allowed to see.

    The query is handed back untouched when any of these holds:
      * there is no request context (`has_request_context()` is false),
      * `model_class.is_resource` is false,
      * `is_administrator(self.current_tenant)` is true.

    Otherwise a row is kept when its visibility is anything other than
    `VisibilityState.PRIVATE`, or when its creator is the current user.

    :param query: the query object to narrow down
    :param model_class: the model being queried; `is_resource`,
        `visibility` and `creator` are read from it
    :return: `query` itself, or `query` with the visibility filter applied
    """
    # Outside a request handler there is no relevant user, and models that
    # are not resources (tenants, users, etc.) are never filtered.
    # NOTE(review): the first case is fail-open - code that runs without a
    # request context receives every row, private ones included, so such
    # callers have to enforce visibility themselves.
    if not has_request_context() or not model_class.is_resource:
        return query

    # Administrators may see all resources, private or not.
    if is_administrator(self.current_tenant):
        return query

    # NOTE(review): the predicate below only looks at visibility and
    # creator; presumably tenant scoping is applied by a separate filter -
    # confirm, because on its own it would match non-private rows of any
    # tenant.
    visible_to_user = sql_or(
        model_class.visibility != VisibilityState.PRIVATE,
        model_class.creator == current_user,
    )
    return query.filter(visible_to_user)
def is_hidden_value_permitted(secret):
    """Tell whether the current user passes the hidden-value check.

    The check passes when `is_administrator(secret.tenant)` is truthy, or
    when `secret.created_by` equals the current user's username.

    :param secret: object exposing `tenant` and `created_by`
    :return: the truthy result of the administrator check, otherwise the
        result of the username comparison
    """
    admin = is_administrator(secret.tenant)
    if admin:
        return admin

    # NOTE(review): ownership is matched on the username string. If a
    # username can be assigned again after its account is removed, the new
    # account would pass this check - confirm usernames are never reused.
    return secret.created_by == current_user.username
def _inner(*a, **kw):
    """Call the wrapped `f` only when the caller is an administrator.

    `f` is taken from the enclosing scope, which is not part of this
    listing. All positional and keyword arguments are forwarded unchanged.

    :raises manager_exceptions.UnauthorizedError: when
        `utils.is_administrator(tenant=None)` is falsy
    :return: whatever `f` returns
    """
    # NOTE(review): the check is made with tenant=None, presumably meaning
    # "administrator regardless of tenant" - confirm against
    # utils.is_administrator before relying on it for tenant-scoped edits.
    if utils.is_administrator(tenant=None):
        return f(*a, **kw)

    # Deny by default: anything that is not positively an admin is refused.
    raise manager_exceptions.UnauthorizedError(
        'Only admin users are permitted to edit permissions')
def _is_hidden_value_permitted(self, secret):
    """Check whether the current user may get this secret's hidden value.

    Access is granted to an administrator of `secret.tenant` and to the
    user whose username equals `secret.created_by`; nobody else passes.

    :param secret: object exposing `tenant` and `created_by`
    :return: the truthy administrator result, else the outcome of the
        username comparison
    """
    tenant_admin = is_administrator(secret.tenant)
    if not tenant_admin:
        # Fall back to the creator check; the comparison is string-based.
        # NOTE(review): this relies on usernames identifying one account
        # for good - verify that a removed username cannot be taken again.
        return secret.created_by == current_user.username
    return tenant_admin
def _is_value_permitted(self, creator):
    """Check whether the current user may get a value created by `creator`.

    The current tenant is read from the storage manager and the username
    from `current_user`; both are fetched before any check is made. The
    check passes for an administrator of the current tenant, or when
    `creator` equals the current username.

    :param creator: compared against a username string, so presumably a
        username rather than a user object - verify against the caller
    :return: the truthy administrator result, else the outcome of the
        comparison with the current username
    """
    # NOTE(review): the administrator check uses the *current* tenant, not
    # the tenant of the object being read - confirm callers have already
    # established that the object belongs to the current tenant.
    tenant = get_storage_manager().current_tenant
    username = current_user.username

    admin = is_administrator(tenant)
    if admin:
        return admin
    return creator == username