def auth_decorator_inner(*args, **kwargs):
    """Run ``protected_operation`` only if the current user holds ``permission``.

    This is the wrapper a permission decorator installs around a view. It
    closes over ``permission``, ``resource_type``, ``resource_id``,
    ``log_request``, ``is_api_request`` and ``protected_operation``, all
    bound in the enclosing decorator scope (not shown here).

    Returns:
        The result of ``protected_operation(*args, **kwargs)`` when the
        permission check passes; otherwise, for a non-API request, the
        result of the application's ``unauthorized_view_function()``.

    Raises:
        Unauthorized: on an API request that fails the permission check.
    """
    who = get_user_string(current_user)
    what = get_resource_string(resource_id, resource_type)
    # The underlying check runs with its own logging disabled (last arg);
    # this wrapper emits the request-level log lines itself.
    allowed = is_authorized(permission, resource_type, resource_id, False)

    if not allowed:
        if log_request:
            g.request_logger.info(
                'User \'%s\' attempted to perform \'%s\' on %s but was unauthorized.',
                who,
                permission,
                what,
            )
        if not is_api_request:
            return current_app.user_manager.unauthorized_view_function()
        raise Unauthorized(
            description=('You do not have the \'%s\' permission on %s. ')
            % (permission, what)
        )

    if log_request:
        g.request_logger.debug(
            'User \'%s\' successfully authorized to perform \'%s\' on %s.',
            who,
            permission,
            what,
        )
    return protected_operation(*args, **kwargs)
def __enter__(self):
    """Enforce this object's permission when the ``with`` block is entered.

    Calls ``is_authorized`` with ``self.permission``, ``self.resource_type``,
    ``self.resource_id`` and ``self.log_request``; the block body only runs
    when that check passes. Nothing is bound by ``as`` (returns ``None``).

    Raises:
        Unauthorized: when the current user lacks the permission on the
            resource.
    """
    allowed = is_authorized(
        self.permission, self.resource_type, self.resource_id, self.log_request
    )
    if allowed:
        return
    target = get_resource_string(self.resource_id, self.resource_type)
    raise Unauthorized(
        description=('You do not have the \'%s\' permission on %s. ')
        % (self.permission, target)
    )
def get_roles(self, resource):
    """Return the current role assignments for ``resource``.

    Requires the ``view_resource`` permission on the resource, enforced by
    ``AuthorizedOperation``; the successful lookup is logged at debug level.

    Args:
        resource: object exposing ``.name``, ``.resource_type.name.name``
            and ``.id``.

    Returns:
        Whatever ``get_current_resource_roles(resource)`` returns.
    """
    name = resource.name
    type_name = resource.resource_type.name.name
    label = get_resource_string(name, type_name)
    with AuthorizedOperation('view_resource', type_name, resource.id):
        roles = get_current_resource_roles(resource)
        g.request_logger.debug(
            'Successfully retrieved a listing of all the roles for %s. ' % label
        )
        return roles
def delete_default_role_by_name(self, request):
    """Remove the default role ``roleName`` for a resource type.

    Args:
        request: mapping with required ``roleName`` and ``resourceType``
            and optional ``resourceName`` (``None`` when absent).

    Returns:
        A ``StandardResponse`` with status ``OK``; the message states whether
        the role was deleted or did not exist.
    """
    role_name = request['roleName']
    resource_type = request['resourceType']
    resource_name = request.get('resourceName')
    _, existed = delete_default_role(role_name, resource_type, resource_name)
    outcome = 'has been deleted' if existed else 'does not exist'
    message = 'Role \'%s\' %s for %s' % (
        role_name,
        outcome,
        get_resource_string(resource_name, resource_type),
    )
    g.request_logger.info(message)
    return StandardResponse(message, OK, True)
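def add_default_role_by_name(self, request):
    """Add the default role ``roleName`` for a resource type.

    Args:
        request: mapping with required ``roleName`` and ``resourceType``
            and optional ``resourceName`` (``None`` when absent).

    Returns:
        ``(StandardResponse, status)`` where status is ``CREATED`` when the
        role was newly added and ``OK`` when it already existed; the message
        says which case occurred.
    """
    role_name = request['roleName']
    resource_type = request['resourceType']
    resource_name = request.get('resourceName')
    (_, exists) = add_default_role(role_name, resource_type, resource_name)
    # The message and the status code must describe the same outcome; they
    # were inverted relative to each other ('has been added' paired with OK).
    # `exists` is read as "was already present", matching how
    # add_role_by_name() treats add_group_role()'s second value.
    # NOTE(review): confirm add_default_role()'s second return value has
    # that meaning.
    action = 'already exists' if exists else 'has been added'
    message = 'Role \'%s\' %s for %s' % (
        role_name,
        action,
        get_resource_string(resource_name, resource_type),
    )
    g.request_logger.info(message)
    response_code = OK if exists else CREATED
    return (StandardResponse(message, response_code, True), response_code)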
def delete_role_by_name(self, group, request):
    """Remove a role assignment from ``group``.

    Requires ``edit_resource`` on the group (enforced by
    ``AuthorizedOperation``). Unlike the add counterpart, ``resourceName``
    is required here and its absence raises ``KeyError``.

    Args:
        group: object exposing ``.id``.
        request: mapping with ``roleName``, ``resourceName`` and
            ``resourceType``.

    Returns:
        A ``StandardResponse`` with status ``OK``; the message states whether
        the role was deleted or did not exist.
    """
    with AuthorizedOperation('edit_resource', 'group', group.id):
        role_name = request['roleName']
        resource_name = request['resourceName']
        resource_type = request['resourceType']
        _, existed = delete_group_role(
            group, role_name, resource_type, resource_name
        )
        outcome = 'has been deleted' if existed else 'does not exist'
        message = 'Role \'%s\' %s for %s' % (
            role_name,
            outcome,
            get_resource_string(resource_name, resource_type),
        )
        g.request_logger.info(message)
        return StandardResponse(message, OK, True)
def add_role_by_name(self, group, request):
    """Grant a role to ``group``.

    Requires ``edit_resource`` on the group (enforced by
    ``AuthorizedOperation``).

    Args:
        group: object exposing ``.id``.
        request: mapping with required ``roleName`` and ``resourceType``
            and optional ``resourceName`` (``None`` when absent).

    Returns:
        ``(StandardResponse, status)`` where status is ``CREATED`` when the
        role was newly added and ``OK`` when it already existed.
    """
    with AuthorizedOperation('edit_resource', 'group', group.id):
        role_name = request['roleName']
        resource_name = request.get('resourceName')
        resource_type = request['resourceType']
        _, already_present = add_group_role(
            group, role_name, resource_type, resource_name
        )
        if already_present:
            outcome, status = 'already exists', OK
        else:
            outcome, status = 'has been added', CREATED
        message = 'Role \'%s\' %s for %s' % (
            role_name,
            outcome,
            get_resource_string(resource_name, resource_type),
        )
        g.request_logger.info(message)
        return (StandardResponse(message, status, True), status)
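def update_roles(self, resource, request):
    """Replace the role assignments on ``resource`` from the request body.

    Requires ``update_users`` on the resource. If any entry of
    ``defaultRoles`` sets ``applyToUnregistered``, the caller must also hold
    ``publish_resource`` on the resource; that second check is made once,
    before any roles are changed.

    Args:
        resource: object exposing ``.name``, ``.resource_type.name.name``
            and ``.id``.
        request: mapping with optional ``userRoles``, ``groupRoles`` and
            ``defaultRoles`` entries; ``defaultRoles`` maps role names to
            objects carrying an ``applyToUnregistered`` flag.

    Returns:
        ``(None, NO_CONTENT)``.

    Raises:
        Unauthorized: from ``AuthorizedOperation`` when a permission is
            missing.
        KeyError: if a ``defaultRoles`` entry lacks ``applyToUnregistered``.
    """
    resource_name = resource.name
    type_name = resource.resource_type.name.name
    resource_string = get_resource_string(resource_name, type_name)
    with AuthorizedOperation('update_users', type_name, resource.id):
        user_roles = request.get('userRoles')
        group_roles = request.get('groupRoles')
        default_roles = request.get('defaultRoles')
        # An absent `defaultRoles` no longer raises AttributeError on None
        # here; the value is still passed through unchanged below.  Each
        # entry's flag is read strictly so a malformed entry fails before any
        # roles are changed rather than being treated as "not published".
        publishes = any(
            role_object['applyToUnregistered']
            for role_object in (default_roles or {}).values()
        )
        if publishes:
            # Permission gate only: __enter__ raises Unauthorized when the
            # user may not publish; one check covers every flagged role.
            with AuthorizedOperation('publish_resource', type_name, resource.id):
                pass
        (existing_roles, new_roles) = update_resource_roles(
            resource, user_roles, group_roles, default_roles
        )
        g.request_logger.info(
            'Updating roles for %s. Existing roles are %s. New roles will be %s.',
            resource_string,
            existing_roles,
            new_roles,
        )
    return None, NO_CONTENT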