def auth_decorator_inner(*args, **kwargs):
user_string = get_user_string(current_user)
resource_string = get_resource_string(resource_id, resource_type)
if is_authorized(permission, resource_type, resource_id, False):
if log_request:
g.request_logger.debug(
'User \'%s\' successfully authorized to perform \'%s\' on %s.',
user_string,
permission,
resource_string,
)
return protected_operation(*args, **kwargs)
if log_request:
g.request_logger.info(
'User \'%s\' attempted to perform \'%s\' on %s but was unauthorized.',
user_string,
permission,
resource_string,
)
if is_api_request:
message = ('You do not have the \'%s\' permission on %s. ') % (
permission,
resource_string,
)
raise Unauthorized(description=message)
else:
return current_app.user_manager.unauthorized_view_function()
def __enter__(self):
if not is_authorized(self.permission, self.resource_type,
self.resource_id, self.log_request):
resource_string = get_resource_string(self.resource_id,
self.resource_type)
message = ('You do not have the \'%s\' permission on %s. ') % (
self.permission,
resource_string,
)
raise Unauthorized(description=message)
def get_roles(self, resource):
resource_name = resource.name
resource_type = resource.resource_type.name.name
resource_string = get_resource_string(resource_name, resource_type)
with AuthorizedOperation('view_resource', resource_type, resource.id):
current_roles = get_current_resource_roles(resource)
message = (
'Successfully retrieved a listing of all the roles for %s. ' %
resource_string)
g.request_logger.debug(message)
return current_roles
def delete_default_role_by_name(self, request):
role_name = request['roleName']
resource_type = request['resourceType']
resource_name = request.get('resourceName')
(_, exists) = delete_default_role(role_name, resource_type,
resource_name)
action = 'has been deleted' if exists else 'does not exist'
message = 'Role \'%s\' %s for %s' % (
role_name,
action,
get_resource_string(resource_name, resource_type),
)
g.request_logger.info(message)
return StandardResponse(message, OK, True)
def add_default_role_by_name(self, request):
role_name = request['roleName']
resource_type = request['resourceType']
resource_name = request.get('resourceName')
(_, exists) = add_default_role(role_name, resource_type, resource_name)
action = 'has been added' if exists else 'already exists'
message = 'Role \'%s\' %s for %s' % (
role_name,
action,
get_resource_string(resource_name, resource_type),
)
g.request_logger.info(message)
response_code = OK if exists else CREATED
return (StandardResponse(message, response_code, True), response_code)
def delete_role_by_name(self, group, request):
with AuthorizedOperation('edit_resource', 'group', group.id):
role_name = request['roleName']
resource_name = request['resourceName']
resource_type = request['resourceType']
(_, exists) = delete_group_role(group, role_name, resource_type,
resource_name)
action = 'has been deleted' if exists else 'does not exist'
message = 'Role \'%s\' %s for %s' % (
role_name,
action,
get_resource_string(resource_name, resource_type),
)
g.request_logger.info(message)
return StandardResponse(message, OK, True)
def add_role_by_name(self, group, request):
with AuthorizedOperation('edit_resource', 'group', group.id):
role_name = request['roleName']
resource_name = request.get('resourceName')
resource_type = request['resourceType']
(_, exists) = add_group_role(group, role_name, resource_type,
resource_name)
action = 'already exists' if exists else 'has been added'
message = 'Role \'%s\' %s for %s' % (
role_name,
action,
get_resource_string(resource_name, resource_type),
)
g.request_logger.info(message)
response_code = OK if exists else CREATED
return (StandardResponse(message, response_code,
True), response_code)
def update_roles(self, resource, request):
resource_name = resource.name
type_name = resource.resource_type.name.name
resource_string = get_resource_string(resource_name, type_name)
with AuthorizedOperation('update_users', type_name, resource.id):
user_roles = request.get('userRoles')
group_roles = request.get('groupRoles')
default_roles = request.get('defaultRoles')
for (_, role_object) in list(default_roles.items()):
if role_object['applyToUnregistered']:
with AuthorizedOperation('publish_resource', type_name,
resource.id):
pass
(existing_roles,
new_roles) = update_resource_roles(resource, user_roles,
group_roles, default_roles)
g.request_logger.info(
'Updating roles for %s. Existing roles are %s. New roles will be %s.',
resource_string,
existing_roles,
new_roles,
)
return None, NO_CONTENT