Example #1
    def get_dict(self, exclude_keys=None, include_keys=None, extended_info=False):
        """
        Serialize the user to a dictionary, optionally with extended details.

        With ``extended_info`` set, the result additionally carries the user's
        group names, permission names, the applications the user holds the
        "view" permission on, the assigned report groups and the latest events.
        That is authorization-relevant data, so callers should request it only
        for responses intended for the user themselves or for an administrator.

        :param exclude_keys: key names to leave out of the result
        :param include_keys: if non-empty, only these key names are returned
        :param extended_info: add the extended fields described above
        :return: dictionary holding the selected keys
        """
        payload = super(User, self).get_dict(exclude_keys, include_keys)
        if extended_info:
            payload["groups"] = [group.group_name for group in self.groups]
            payload["permissions"] = [
                perm.perm_name for perm in UserService.permissions(self)
            ]
            request = get_current_request()
            viewable_apps = UserService.resources_with_perms(
                self, ["view"], resource_types=["application"]
            )
            app_entries = [
                {"resource_id": app.resource_id, "resource_name": app.resource_name}
                for app in viewable_apps.all()
            ]
            # case-insensitive ordering by application name
            app_entries.sort(key=lambda entry: entry["resource_name"].lower())
            payload["applications"] = app_entries
            payload["assigned_reports"] = [
                report.get_dict(request) for report in self.assigned_report_groups
            ]
            payload["latest_events"] = [
                event.get_dict(request) for event in self.latest_events()
            ]

        excluded = exclude_keys or []
        included = include_keys or []
        # The extended fields are added after the parent call received the
        # filters, so the exclude/include selection is applied here as well.
        return {
            key: value
            for key, value in payload.items()
            if key not in excluded and (not include_keys or key in included)
        }
Example #2
    def permissions(self):
        """
        Return this user's permissions via ``UserService.permissions``.

        .. deprecated:: 0.8

        :return: the result of ``UserService.permissions`` for this user
        """
        # get_db_session is called with no explicit session (None) and this
        # instance; the session it returns is used for the lookup.
        session = get_db_session(None, self)
        return UserService.permissions(self, db_session=session)
Example #3
    def permissions(self):
        """
        Delegate the permission lookup for this user to ``UserService``.

        .. deprecated:: 0.8

        :return: the result of ``UserService.permissions`` for this user
        """
        # No session is passed in (None); get_db_session receives the instance
        # itself and supplies the session used for the query.
        resolved_session = get_db_session(None, self)
        return UserService.permissions(self, db_session=resolved_session)
Example #4
 def __init__(self, request):
     """
     Build the context ACL for the given request.

     Every authenticated principal is allowed the "authenticated" and
     "create_resources" permissions.  When the request carries a truthy
     ``user``, that user's permissions are converted with
     ``permission_to_04_acls`` and each entry is appended after passing
     through ``rewrite_root_perm``.
     """
     self.__acl__ = [
         (Allow, Authenticated, "authenticated"),
         (Allow, Authenticated, "create_resources"),
     ]
     if not (hasattr(request, "user") and request.user):
         # no user on the request: only the baseline entries apply
         return
     # general page factory - append custom non resource permissions
     user_acls = permission_to_04_acls(UserService.permissions(request.user))
     self.__acl__.extend(
         rewrite_root_perm(principal, permission)
         for principal, permission in user_acls
     )
Example #5
def add_root_superperm(request, context):
    """
    Append root ACL entries to ``context`` for users holding the
    "root_administration" non-resource permission.

    For each such permission the entry built by ``rewrite_root_perm`` is
    appended to ``context.__acl__``; per the original note this is what gives
    the user ALL_PERMISSIONS on every resource.  A request without a truthy
    ``user`` attribute leaves the ACL untouched.
    """
    if not (hasattr(request, "user") and request.user):
        return
    user_acls = permission_to_04_acls(UserService.permissions(request.user))
    for principal, permission in user_acls:
        # every other permission name is ignored here
        if permission != "root_administration":
            continue
        context.__acl__.append(rewrite_root_perm(principal, permission))
Example #6
    def test_permission_add(self, full_app, sqla_session):
        """
        Posting a permission with an admin token grants "root_administration"
        to a user that previously held no permissions.
        """
        from ziggurat_foundations.models.services.user import UserService

        with session_context(sqla_session) as session:
            _admin, token = create_admin(session)
            user = create_user(
                {"user_name": "testX", "email": "*****@*****.**"},
                sqla_session=session,
            )

        endpoint = "/api/0.1/users/{}/permissions".format(user.id)
        auth_headers = {str("x-testscaffold-auth-token"): str(token)}
        payload = {"perm_name": "root_administration"}

        # precondition: the freshly created user holds no permissions
        before = UserService.permissions(user)
        assert not list(before)

        full_app.post_json(endpoint, payload, status=200, headers=auth_headers)

        # expire state held by the session so the re-read below is not served from it
        sqla_session.expire_all()
        after = UserService.permissions(user)
        assert after[0].perm_name == "root_administration"
        # NOTE(review): only the admin-token success path is exercised here; a
        # companion case asserting that a non-admin token is refused would pin
        # down the authorization check on this endpoint.
 def test_user_permissions(self, db_session):
     """
     ``UserService.permissions`` reports the "alter_users" and "root"
     permissions of type "user" for a user created by ``add_user``.
     """
     user = add_user(db_session)
     actual = UserService.permissions(user, db_session=db_session)
     # one expected tuple per permission name, the other fields identical
     wanted = [
         PermissionTuple(user, "alter_users", "user", None, None, False, True),
         PermissionTuple(user, "root", "user", None, None, False, True),
     ]
     check_one_in_other(actual, wanted)
Example #8
 def test_user_permissions(self, db_session):
     """
     A user created by ``add_user`` is reported with the "alter_users" and
     "root" permissions of type "user".
     """
     new_user = add_user(db_session)
     found = UserService.permissions(new_user, db_session=db_session)
     # both expected tuples differ only in the permission name
     alter_users_perm = PermissionTuple(
         new_user, "alter_users", "user", None, None, False, True
     )
     root_perm = PermissionTuple(new_user, "root", "user", None, None, False, True)
     check_one_in_other(found, [alter_users_perm, root_perm])
Example #9
 def __acl__(self):
     # type: () -> AccessControlListType
     """
     Build the access control list for the current request.

     Administrators receive all permissions.  When a user is logged in, the
     user's own permissions (group memberships included) are added, followed
     by an entry that lets the user through views which only require being
     logged in.  Only ``Allow`` entries are produced here; how unmatched
     permissions are treated is decided outside this block.
     """
     user = self.request.user
     # covers the case where MAGPIE_ADMIN_PERMISSION is set directly as a role
     # rather than inferred from membership in the admin group
     acl = [(Allow, get_constant("MAGPIE_ADMIN_PERMISSION"), ALL_PERMISSIONS)]
     admin_group = GroupService.by_group_name(
         get_constant("MAGPIE_ADMIN_GROUP"), db_session=self.request.db
     )
     if admin_group:
         # the admin group needs an explicit ALL_PERMISSIONS entry, otherwise
         # views guarded by a permission other than the default
         # MAGPIE_ADMIN_PERMISSION (e.g. MAGPIE_LOGGED_PERMISSION) refuse access
         acl.append((Allow, "group:{}".format(admin_group.id), ALL_PERMISSIONS))
     if not user:
         # anonymous request: only the administrator entries apply
         return acl
     # user-specific permissions (including group memberships)
     user_permissions = UserService.permissions(user, self.request.db)
     # the trailing entry grants the ``Authenticated`` permission to this
     # user's id, for views that merely require a logged-in user
     acl += permission_to_pyramid_acls(user_permissions) + [
         (Allow, user.id, Authenticated)
     ]
     return acl