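    def has_perm(self, user_obj, perm, obj=None):
        '''
        Main entry point of the authorisation backend.

        Decides whether ``user_obj`` holds ``perm`` on the single model
        instance ``obj``.  ``perm`` is expected in the form
        ``'<app_label>.<action>_<content type name>'``.  The default
        answer is "deny": a missing object, a malformed or foreign
        permission string, or a content type that does not match the
        object all return ``False`` without consulting any ACL.

        :param user_obj: the requesting user; an unauthenticated user is
            replaced by an ``AnonymousUser`` that only carries the
            ``allowed_tokens`` attribute forward
        :param perm: permission codename, ``'app.action_ctname'``
        :param obj: model instance the permission is asked about;
            ``None`` is always denied (there are no model-wide grants)
        :returns: ``True`` if access is granted, ``False`` otherwise
        '''
        if not user_obj.is_authenticated():
            # keep token grants attached to the substitute user so the
            # token-based branch at the end still sees them
            allowed_tokens = getattr(user_obj, 'allowed_tokens', [])
            user_obj = AnonymousUser()
            user_obj.allowed_tokens = allowed_tokens

        if obj is None:
            return False

        try:
            perm_label, perm_type = perm.split('.')
            perm_action, perm_ct = perm_type.split('_')
        except (ValueError, AttributeError, TypeError):
            # wrong number of separators, or perm is not a string: deny
            # rather than raise, but let unrelated errors surface
            return False

        if perm_label != self.app_label:
            return False

        ct = ContentType.objects.get_for_model(obj)
        # NOTE(review): ct.name is the content type's display name; if
        # permission codenames are built from the model name, ct.model is
        # the field to compare -- confirm against how perms are issued
        if ct.name != perm_ct:
            return False

        method_name = '_has_%s_perm' % perm_action

        # run any custom perms per model, continue if not None
        # allows complete overriding of standard authorisation, eg for public
        # experiments
        model_spec_perm = getattr(obj, method_name,
                                  lambda *args, **kwargs: None)(user_obj)
        if isinstance(model_spec_perm, bool):
            return model_spec_perm

        # ACLs on this object that grant the requested action and are
        # currently inside their effective/expiry window
        obj_acls = ObjectACL.objects.filter(
            content_type=ct, object_id=obj.id).filter(
                self.get_perm_bool(perm_action)).filter(
                    ObjectACL.get_effective_query())

        # the user's own entity ...
        query = Q(pluginId='django_user',
                  entityId=str(user_obj.id))

        if user_obj.is_authenticated():
            # ... or any external group the user's profile lists
            for name, group in user_obj.get_profile().ext_groups:
                query |= Q(pluginId=name, entityId=str(group))
        else:
            # the only authorisation available for anonymous users is tokenauth
            tgp = TokenGroupProvider()
            for name, group in tgp.getGroups(user_obj):
                query |= Q(pluginId=name, entityId=str(group))

        # any matching ACL grants access; exists() avoids a full COUNT
        return obj_acls.filter(query).exists()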
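    def _query_shared(self, user):
        '''
        Build the ``Q`` filter selecting experiments shared with ``user``.

        "Shared" means readable through an ObjectACL that is currently
        inside its effective/expiry window; for the user's own ACL an
        owner ACL is excluded, so owned experiments are not returned.
        Authenticated users match on their user id and on every external
        group in their profile; anonymous users match only on token
        groups.

        :param user: the requesting user
        :returns: a ``Q`` object to pass to ``filter()``; an anonymous user
            with no token groups gets ``Q(id=None)``, which matches nothing
        '''
        # read the clock once so every ACL window is tested against the
        # same instant
        # NOTE(review): datetime.today() is naive local time -- confirm it
        # matches how effectiveDate/expiryDate are stored
        now = datetime.today()
        in_window = (Q(objectacls__effectiveDate__lte=now)
                     | Q(objectacls__effectiveDate__isnull=True)) &\
            (Q(objectacls__expiryDate__gte=now)
             | Q(objectacls__expiryDate__isnull=True))

        # if the user is not authenticated, only tokens apply
        if not user.is_authenticated():
            from tardis.tardis_portal.auth.token_auth import TokenGroupProvider
            query = Q(id=None)
            tgp = TokenGroupProvider()
            for group in tgp.getGroups(user):
                query |= Q(objectacls__pluginId=tgp.name,
                           objectacls__entityId=str(group),
                           objectacls__canRead=True) & in_window
            return query

        # read access through the user's own ACLs, excluding ownership
        query = Q(objectacls__pluginId=django_user,
                  objectacls__entityId=str(user.id),
                  objectacls__canRead=True,
                  objectacls__isOwner=False) & in_window

        # read access through any external group of the user's profile
        for name, group in user.userprofile.ext_groups:
            query |= Q(objectacls__pluginId=name,
                       objectacls__entityId=str(group),
                       objectacls__canRead=True) & in_window
        return query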
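    def _query_shared(self, user):
        '''
        Return the ``Q`` filter for experiments shared with ``user``.

        An experiment is shared when an ObjectACL grants read access and
        is currently within its effective/expiry window.  The user's own
        ACL is only counted when it is not an owner ACL, so owned
        experiments are excluded.  Authenticated users are matched on
        their user id plus every external group in their profile;
        anonymous users are matched on token groups only.

        :param user: the requesting user
        :returns: a ``Q`` object for ``filter()``; an anonymous user
            without token groups gets ``Q(id=None)``, which matches nothing
        '''
        # one timestamp for the whole query so all ACL windows are judged
        # against the same instant
        # NOTE(review): datetime.today() is naive local time -- confirm it
        # matches how effectiveDate/expiryDate are stored
        now = datetime.today()
        currently_effective = (Q(objectacls__effectiveDate__lte=now)
                               | Q(objectacls__effectiveDate__isnull=True)) &\
            (Q(objectacls__expiryDate__gte=now)
             | Q(objectacls__expiryDate__isnull=True))

        # if the user is not authenticated, only tokens apply
        if not user.is_authenticated():
            from tardis.tardis_portal.auth.token_auth import TokenGroupProvider
            query = Q(id=None)
            tgp = TokenGroupProvider()
            for group in tgp.getGroups(user):
                query |= Q(objectacls__pluginId=tgp.name,
                           objectacls__entityId=str(group),
                           objectacls__canRead=True) & currently_effective
            return query

        # read access via the user's own (non-owner) ACLs
        query = Q(objectacls__pluginId=django_user,
                  objectacls__entityId=str(user.id),
                  objectacls__canRead=True,
                  objectacls__isOwner=False) & currently_effective

        # read access via the external groups on the user's profile
        for name, group in user.userprofile.ext_groups:
            query |= Q(objectacls__pluginId=name,
                       objectacls__entityId=str(group),
                       objectacls__canRead=True) & currently_effective
        return query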
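    def has_perm(self, user_obj, perm, obj=None):
        '''
        Main entry point of the authorisation backend.

        Decides whether ``user_obj`` holds ``perm`` on the single model
        instance ``obj``.  ``perm`` is ``'<app_label>.<action>_<model>'``
        where ``<model>`` may itself contain underscores (``dataset_file``).
        The default answer is "deny": a missing object, a malformed or
        foreign permission string, or a content type that does not match
        the object all return ``False`` before any ACL is consulted.

        A model may define ``_has_<action>_perm(user)``: a ``bool`` result
        is final, another object (or a collection of them) delegates the
        decision to those objects first, and ``None`` falls through to
        the ObjectACL check below.

        :param user_obj: the requesting user; an unauthenticated user is
            replaced by an ``AnonymousUser`` that only carries the
            ``allowed_tokens`` attribute forward
        :param perm: permission codename, ``'app.action_model'``
        :param obj: model instance the permission is asked about;
            ``None`` is always denied (there are no model-wide grants)
        :returns: ``True`` if access is granted, ``False`` otherwise
        '''
        if not user_obj.is_authenticated():
            # keep token grants attached to the substitute user so the
            # token-based branch at the end still sees them
            allowed_tokens = getattr(user_obj, 'allowed_tokens', [])
            user_obj = AnonymousUser()
            user_obj.allowed_tokens = allowed_tokens

        if obj is None:
            return False

        try:
            perm_label, perm_type = perm.split('.')
            # the following is necessary because of the ridiculous naming
            # of 'Dataset_File'......
            type_list = perm_type.split('_')
            perm_action = type_list[0]
            perm_ct = '_'.join(type_list[1:])
        except (ValueError, AttributeError, TypeError):
            # wrong number of '.' separators, or perm is not a string:
            # deny rather than raise, but let unrelated errors surface
            return False

        if perm_label != self.app_label:
            return False

        ct = ContentType.objects.get_for_model(obj)
        if ct.model != perm_ct:
            return False

        method_name = '_has_%s_perm' % perm_action

        # run any custom perms per model, continue if not None
        # allows complete overriding of standard authorisation, eg for public
        # experiments
        model_spec_perm = getattr(obj, method_name,
                                  lambda *args, **kwargs: None)(user_obj)
        if isinstance(model_spec_perm, bool):
            return model_spec_perm
        elif model_spec_perm is not None:
            # pass auth to a different object, if False try this ACL
            # works when returned object is parent.
            # makes it impossible to 'hide' child objects
            if not isinstance(model_spec_perm,
                              (list, tuple, set, frozenset, QuerySet)):
                model_spec_perm = [model_spec_perm]
            for msp in model_spec_perm:
                new_ct = ContentType.objects.get_for_model(msp)
                # build the codename from new_ct.model so it round-trips
                # through the ct.model comparison above
                new_perm = '%s.%s_%s' % (perm_label, perm_action,
                                         new_ct.model)
                if user_obj.has_perm(new_perm, msp):
                    return True

        # ACLs on this object that grant the requested action and are
        # currently inside their effective/expiry window
        obj_acls = ObjectACL.objects\
            .filter(content_type=ct, object_id=obj.id)\
            .filter(self.get_perm_bool(perm_action))\
            .filter(ObjectACL.get_effective_query())

        # the user's own entity ...
        query = Q(pluginId='django_user',
                  entityId=str(user_obj.id))

        if user_obj.is_authenticated():
            # ... or any external group the user's profile lists
            for name, group in user_obj.get_profile().ext_groups:
                query |= Q(pluginId=name, entityId=str(group))
        else:
            # the only authorisation available for anonymous users is tokenauth
            tgp = TokenGroupProvider()
            for group in tgp.getGroups(user_obj):
                query |= Q(pluginId=tgp.name, entityId=str(group))

        # any matching ACL grants access; exists() avoids a full COUNT
        return obj_acls.filter(query).exists()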
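    def has_perm(self, user_obj, perm, obj=None):
        '''
        Answer whether ``user_obj`` holds ``perm`` on ``obj``.

        ``perm`` is ``'<app_label>.<action>_<model>'``; ``<model>`` may
        contain underscores (``dataset_file``), so only the first
        underscore separates the action.  Anything that cannot be parsed,
        belongs to another app, names a content type other than
        ``obj``'s, or comes without an object is denied.

        Before the ACLs are consulted, an optional
        ``_has_<action>_perm(user)`` hook on the model is called: a
        ``bool`` is returned as-is, ``None`` falls through to the ACL
        check, and any other object (or collection of objects) delegates
        the decision to those objects, falling back to this object's
        ACLs when none of them grants access.

        :param user_obj: the requesting user; an unauthenticated user is
            replaced by an ``AnonymousUser`` carrying only
            ``allowed_tokens``
        :param perm: permission codename, ``'app.action_model'``
        :param obj: model instance to check; ``None`` is always denied
        :returns: ``True`` if access is granted, ``False`` otherwise
        '''
        if not user_obj.is_authenticated():
            # token grants must survive the swap to AnonymousUser for the
            # token branch at the bottom to see them
            allowed_tokens = getattr(user_obj, 'allowed_tokens', [])
            user_obj = AnonymousUser()
            user_obj.allowed_tokens = allowed_tokens

        if obj is None:
            return False

        try:
            perm_label, perm_type = perm.split('.')
            # the following is necessary because of the ridiculous naming
            # of 'Dataset_File'......
            perm_action, _, perm_ct = perm_type.partition('_')
        except (ValueError, AttributeError, TypeError):
            # wrong number of '.' separators, or perm is not a string:
            # deny rather than raise, but let unrelated errors surface
            return False

        if perm_label != self.app_label:
            return False

        ct = ContentType.objects.get_for_model(obj)
        if ct.model != perm_ct:
            return False

        method_name = '_has_%s_perm' % perm_action

        # run any custom perms per model, continue if not None
        # allows complete overriding of standard authorisation, eg for public
        # experiments
        model_spec_perm = getattr(obj, method_name,
                                  lambda *args, **kwargs: None)(user_obj)
        if isinstance(model_spec_perm, bool):
            return model_spec_perm
        elif model_spec_perm is not None:
            # pass auth to a different object, if False try this ACL
            # works when returned object is parent.
            # makes it impossible to 'hide' child objects
            if not isinstance(model_spec_perm,
                              (list, tuple, set, frozenset, QuerySet)):
                model_spec_perm = [model_spec_perm]
            for msp in model_spec_perm:
                new_ct = ContentType.objects.get_for_model(msp)
                # use new_ct.model so the delegated codename passes the
                # ct.model comparison above
                new_perm = '%s.%s_%s' % (perm_label, perm_action,
                                         new_ct.model)
                if user_obj.has_perm(new_perm, msp):
                    return True

        # ACLs on this object that grant the action and are currently
        # inside their effective/expiry window
        obj_acls = ObjectACL.objects\
            .filter(content_type=ct, object_id=obj.id)\
            .filter(self.get_perm_bool(perm_action))\
            .filter(ObjectACL.get_effective_query())

        # the user's own entity, plus every group entity it belongs to
        query = Q(pluginId='django_user', entityId=str(user_obj.id))

        if user_obj.is_authenticated():
            for name, group in user_obj.get_profile().ext_groups:
                query |= Q(pluginId=name, entityId=str(group))
        else:
            # the only authorisation available for anonymous users is tokenauth
            tgp = TokenGroupProvider()
            for group in tgp.getGroups(user_obj):
                query |= Q(pluginId=tgp.name, entityId=str(group))

        # one matching ACL is enough; exists() avoids a full COUNT
        return obj_acls.filter(query).exists()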