def get_slider_agents(scontext):
    """Return the named agents a permission slider can be set to.

    The result is a list of ``(slider_name, agent)`` pairs in a fixed order:
    anonymous group, all-members group, the context's own agent, the creator
    agent and the context's admin. ``has_access`` turns this list into a dict
    before handing it to ``setup_tag_from_defaults``.
    """
    # Evaluate in the same left-to-right order as the returned list.
    anonymous_ref = get_anonymous_group().get_ref()
    all_members_ref = get_all_members_group().get_ref()
    context_agent = scontext.context_agent
    # NOTE(review): unlike the two groups above, the creator agent is used
    # as returned (no .get_ref()) -- presumably it is already a ref; confirm.
    creator = get_creator_agent()
    context_admin = scontext.context_admin

    return [
        ('anonymous_group', anonymous_ref),
        ('all_members_group', all_members_ref),
        ('context_agent', context_agent),
        ('creator', creator),
        ('context_admin', context_admin),
    ]
def has_access(agent, resource, interface):
    """Decide whether ``agent`` may use ``interface`` on ``resource``.

    The decision is made against the SecurityTag stored for ``interface`` in
    the resource's security context. Access is granted when, in this order:

    * the anonymous group is one of the tag's agents (open to everyone);
    * the creator agent is on the tag and ``agent`` created the resource;
    * ``agent.get_enclosure_set()`` shares at least one member with the
      tag's agents.

    An ``AnonymousUser`` that did not pass the first two checks is denied.

    Side effect: if no tag exists yet and the interface is listed in the
    defaults for the resource's type, the tag is created from those defaults
    before the check runs, so this read path can write to the database.

    NOTE(review): if the tag is still missing after that step, the
    ``SecurityTag.objects.get`` lookup presumably raises rather than
    returning False -- confirm every caller treats that as a denial.
    """
    # Work on the bare objects. Wrappers are recognised by class *name*,
    # so any class called "SecureWrapper" is unwrapped here.
    if resource.__class__.__name__ == "SecureWrapper":
        resource = resource.get_inner()
    if agent.__class__.__name__ == "SecureWrapper":
        agent = agent.get_inner()

    # Every decision below is made relative to the resource's context.
    context = resource.get_security_context()

    existing_tags = SecurityTag.objects.filter(interface=interface,
                                               security_context=context)
    if not existing_tags:
        # No tag yet: build it from the type defaults so that interfaces
        # added to a type at runtime still get a tag.
        resource_type = resource.__class__
        # Takes the part after the first "."; an interface with no "."
        # raises IndexError here.
        interface_name = interface.split(".")[1]
        if interface_name in get_interface_map(resource_type.__name__):
            owner = context.context_agent
            owner_class = owner.obj.__class__
            agent_defaults = AgentDefaults[owner_class][owner.permission_prototype]
            slider_agents = SliderAgents[owner_class](context)
            slider_agent_map = dict(slider_agents)
            context.setup_tag_from_defaults(interface, slider_agent_map,
                                            agent_defaults)

    tag = SecurityTag.objects.get(interface=interface, security_context=context)
    # Caching candidate (original author's note): the allowed agents per
    # interface and the agents held per user. Any such cache would have to
    # be invalidated whenever a tag's agents change.
    allowed_agents = set(ref.obj for ref in tag.agents.all())

    # Tag open to "anyone": no need to look at the agent at all.
    if get_anonymous_group() in allowed_agents:
        return True

    # The creator slot only helps the agent that actually created the resource.
    if (get_creator_agent().obj in allowed_agents
            and agent == resource.get_ref().creator):
        return True

    # An anonymous user has nothing further to offer: deny.
    if agent.__class__ == AnonymousUser:
        return False

    agents_held = agent.get_enclosure_set()
    if allowed_agents.intersection(agents_held):
        return True

    # NOTE(review): every denial is written to stdout together with the
    # resource and agent; consider routing this through logging instead.
    print("has_access fails for %s, %s, %s, %s" % (interface, resource, context.context_agent.obj, agent))
    return False
def has_access(agent, resource, interface, sec_context=None, diagnose=None):
    """Decide whether ``agent`` may use ``interface`` on ``resource``.

    The check runs against the SecurityTag for ``interface`` in
    ``sec_context`` when one is passed, otherwise in the resource's own
    security context. Access is granted when, in this order:

    * ``agent`` itself is one of the tag's agents;
    * the anonymous group is one of the tag's agents (open to everyone);
    * ``resource`` is truthy, the creator agent is on the tag and ``agent``
      created the resource;
    * ``agent.get_enclosure_set()`` shares a member with the tag's agents.

    With ``diagnose`` set, a denial prints the allowed agents, the agents
    held and which allowed agents are not held.

    Side effect: if no tag exists yet and the interface is listed in the
    defaults for the resource's type, the tag is created from those defaults,
    so this read path can write to the database.

    NOTE(review): when ``sec_context`` is supplied the resource is not
    unwrapped, yet the tag-creation branch still reads
    ``resource.__class__`` -- confirm what callers pass as ``resource`` then.
    NOTE(review): there is no special case for anonymous users here;
    ``get_enclosure_set()`` is called on whatever agent arrives -- confirm
    every agent type provides it.
    """
    # Collected only in diagnose mode, to explain a denial afterwards.
    diagnostics = {} if diagnose else None

    # Wrappers are recognised by class *name*, not by type.
    if agent.__class__.__name__ == "SecureWrapper":
        agent = agent.get_inner()

    if sec_context:
        context = sec_context
    else:
        # Only on this path is the resource stripped of its wrapper.
        if resource.__class__.__name__ == "SecureWrapper":
            resource = resource.get_inner()
        context = resource.get_security_context()

    existing_tags = SecurityTag.objects.filter(interface=interface,
                                               security_context=context)
    if not existing_tags:
        # No tag yet: build it from the type defaults so that interfaces
        # added to a type at runtime still get a tag.
        resource_type = resource.__class__
        # Takes the part after the first '.'; an interface with no '.'
        # raises IndexError here.
        interface_name = interface.split('.')[1]
        if interface_name in get_interface_map(resource_type.__name__):
            owner = context.context_agent
            owner_class = owner.obj.__class__
            agent_defaults = AgentDefaults[owner_class][owner.permission_prototype]
            slider_agents = SliderAgents[owner_class](context)
            slider_agent_map = dict(slider_agents)
            context.setup_tag_from_defaults(interface, slider_agent_map,
                                            agent_defaults)

    # NOTE(review): if the tag is still missing this lookup presumably
    # raises instead of denying -- confirm callers handle that.
    tag = SecurityTag.objects.get(interface=interface, security_context=context)
    # Caching candidate (original author's note): allowed agents per
    # interface and agents held per user. Such a cache would need
    # invalidating whenever a tag's agents change.
    allowed_agents = set(ref.obj for ref in tag.agents.all())

    if diagnose:
        diagnostics['allowed_agents'] = allowed_agents

    # Direct match first: per the original comment the enclosure set no
    # longer contains the agent itself.
    if agent in allowed_agents:
        return True

    # Tag open to "anyone": no need to look at the agent's memberships.
    if get_anonymous_group() in allowed_agents:
        return True

    # The creator slot only helps the agent that actually created the
    # resource, and can only be checked when a resource was given.
    if (resource
            and get_creator_agent().obj in allowed_agents
            and agent == resource.get_ref().creator):
        return True

    agents_held = agent.get_enclosure_set()
    if diagnose:
        diagnostics['agents_held'] = agents_held

    if allowed_agents.intersection(agents_held):
        return True

    if diagnose:
        # NOTE(review): this writes agent and resource details to stdout;
        # keep diagnose off outside debugging sessions.
        print
        print 'Interface ', interface
        print "Allowed Agents for ", resource
        for allowed in diagnostics['allowed_agents']:
            print allowed
        print "Agents Held by ", agent
        for held in diagnostics['agents_held']:
            print "%s," % held,
        print
        for allowed in diagnostics['allowed_agents']:
            if allowed not in diagnostics['agents_held']:
                print allowed, " not in agents_held"

    return False
def has_access(agent, resource, interface, sec_context=None, diagnose=None):
    """Return True if ``agent`` is allowed ``interface`` on ``resource``.

    The SecurityTag for ``interface`` is looked up in ``sec_context`` when
    given, else in the security context of ``resource``. The agent is let
    through as soon as one of these holds, tested in order:

    1. the agent is itself among the tag's agents;
    2. the anonymous group is among the tag's agents;
    3. ``resource`` is truthy, the creator agent is on the tag and the agent
       is the resource's creator;
    4. the agent's enclosure set intersects the tag's agents.

    Otherwise the result is False; with ``diagnose`` set, the reasons are
    printed first.

    Side effect: a missing tag is created from the type's defaults when the
    interface is listed there, so calling this can write to the database.

    NOTE(review): the resource is only unwrapped when no ``sec_context`` is
    passed, but the tag-creation branch reads ``resource.__class__`` on both
    paths -- confirm what callers pass as ``resource`` with a ``sec_context``.
    NOTE(review): anonymous users get no special handling in this version;
    ``get_enclosure_set()`` must exist on every agent passed in -- confirm.
    """
    # Only set up the scratch dict when a failure explanation was asked for.
    if diagnose:
        diagnostics = {}

    # SecureWrapper is detected by class name only.
    wrapper_name = "SecureWrapper"
    if agent.__class__.__name__ == wrapper_name:
        agent = agent.get_inner()

    if not sec_context:
        if resource.__class__.__name__ == wrapper_name:
            resource = resource.get_inner()
        context = resource.get_security_context()
    else:
        # Caller supplied the context; the resource is left as passed.
        context = sec_context

    tag_lookup = dict(interface=interface, security_context=context)

    if not SecurityTag.objects.filter(**tag_lookup):
        # Create the tag lazily from the defaults for this type; this is
        # what lets new interfaces be added to a type at runtime.
        type_name = resource.__class__.__name__
        # An interface string without a '.' raises IndexError here.
        interface_name = interface.split('.')[1]
        if interface_name in get_interface_map(type_name):
            context_agent_class = context.context_agent.obj.__class__
            prototype = context.context_agent.permission_prototype
            agent_defaults = AgentDefaults[context_agent_class][prototype]
            slider_agents = SliderAgents[context.context_agent.obj.__class__](
                context)
            context.setup_tag_from_defaults(interface, dict(slider_agents),
                                            agent_defaults)

    # NOTE(review): with no tag in place this lookup presumably raises
    # rather than denying -- confirm callers treat that as "no access".
    agent_refs = SecurityTag.objects.get(**tag_lookup).agents
    # Original author's note: both this set (per interface) and the agents
    # held per user are candidates for caching. A cache would need
    # invalidating whenever the tag's agents change.
    allowed_agents = set(ref.obj for ref in agent_refs.all())

    if diagnose:
        diagnostics['allowed_agents'] = allowed_agents

    # The enclosure set no longer includes the agent itself (per the
    # original comment), so the direct hit is tested separately.
    if agent in allowed_agents:
        return True

    # Open to anyone: membership of the "anyone" group need not be tested.
    if get_anonymous_group() in allowed_agents:
        return True

    if resource:
        creator_allowed = get_creator_agent().obj in allowed_agents
        if creator_allowed and agent == resource.get_ref().creator:
            return True

    agents_held = agent.get_enclosure_set()
    if diagnose:
        diagnostics['agents_held'] = agents_held

    if allowed_agents.intersection(agents_held):
        return True

    if diagnose:
        # NOTE(review): prints agent and resource details to stdout; meant
        # for debugging sessions only.
        wanted = diagnostics['allowed_agents']
        held = diagnostics['agents_held']
        print
        print 'Interface ', interface
        print "Allowed Agents for ", resource
        for candidate in wanted:
            print candidate
        print "Agents Held by ", agent
        for candidate in held:
            print "%s," % candidate,
        print
        for candidate in wanted:
            if candidate not in held:
                print candidate, " not in agents_held"

    return False
def get_slider_agents(scontext):
    """List the ``(slider_name, agent)`` pairs available in ``scontext``.

    The pairs come back in a fixed order: anonymous group, all-members
    group, the context's agent, the creator agent, the context's admin.
    """
    pairs = []
    # Appended one by one so each lookup happens in the listed order.
    pairs.append(('anonymous_group', get_anonymous_group().get_ref()))
    pairs.append(('all_members_group', get_all_members_group().get_ref()))
    pairs.append(('context_agent', scontext.context_agent))
    # NOTE(review): the creator agent is stored as returned, without
    # .get_ref() -- presumably it already is a ref; confirm.
    pairs.append(('creator', get_creator_agent()))
    pairs.append(('context_admin', scontext.context_admin))
    return pairs