def verifyPermissionsForWriteToItemElement(self, session, userId, itemElementId=None, dbItemElementObject=None):
    """
    Check whether *userId* may modify an item element.

    Access is granted when the user owns the element, when the owning group is
    flagged group-writeable and the user is a member of it, or when the user
    belongs to the CDB admin group. Everything else is denied by raising
    InvalidSession, so the method never returns False.

    :param session: DB session handed to the lookups.
    :param userId: id of the user whose permissions are checked.
    :param itemElementId: id of the element; used to load it when no object is given.
    :param dbItemElementObject: already-loaded element; takes precedence over the id.
    :raises InvalidArgument: neither the id nor the object was supplied.
    :raises InvalidSession: the user is not allowed to write the element.
    """
    if itemElementId is None and dbItemElementObject is None:
        raise InvalidArgument(
            "At least the item element id or item element object must be provided."
        )
    if dbItemElementObject is not None:
        itemElementId = dbItemElementObject.id
    else:
        dbItemElementObject = self.getItemElementById(session, itemElementId)

    # The user record is fetched before the owner shortcut (order kept as in the original).
    dbUserInfo = self.userInfoHandler.getUserInfoById(session, userId)
    dbEntityInfo = dbItemElementObject.entityInfo

    # The owner is always allowed.
    if dbEntityInfo.ownerUserInfo.id == userId:
        return True

    groupWriteable = dbEntityInfo.is_group_writeable
    ownerGroupId = dbEntityInfo.ownerUserGroup.id
    adminGroupName = self.CDB_ADMIN_GROUP_NAME
    for group in dbUserInfo.userGroupList:
        # Membership in the writeable owner group, or in the admin group, grants write.
        if (groupWriteable and group.id == ownerGroupId) or group.name == adminGroupName:
            return True

    raise InvalidSession(
        "User %s does not have permissions to modify item element %s" % (userId, itemElementId))
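def checkAuthorization(cls, *args, **kwargs):
    """
    CherryPy tool that enforces the 'auth.require' entry of the request config.

    When the entry is absent or None the request passes through untouched.
    Otherwise the request must carry a session id that is still present in the
    session cache and a username stored under SESSION_USERNAME_KEY, and every
    callable in the list must return a truthy value. Any failure raises
    CdbHttpError with CDB_HTTP_UNAUTHORIZED, wrapping the specific cause.

    :raises CdbHttpError: unknown/expired session, missing username, or a
        condition that is not met.
    """
    logger = LoggingManager.getInstance().getLogger(
        'LoginController:checkAuthorization')
    conditions = cherrypy.request.config.get('auth.require', None)

    if conditions is None:
        logger.debug('No conditions imposed')
        return

    sessionId = cherrypy.serving.session.id
    sessionCache = cherrypy.session.cache

    # A session id the server no longer holds is treated as expired.
    if sessionId not in sessionCache:
        errorMsg = 'Invalid or expired session id: %s.' % sessionId
        logger.debug(errorMsg)
        raise CdbHttpError(cdbHttpStatus.CDB_HTTP_UNAUTHORIZED,
                           'User Not Authorized', InvalidSession(errorMsg))

    username = cherrypy.session.get(LoginController.SESSION_USERNAME_KEY)
    logger.debug('Session id %s is valid (username: %s)' % (sessionId, username))

    if not username:
        # The original raised with an undefined name here (NameError instead of
        # the intended 401); wrap a real exception so the caller gets the 401.
        logger.debug('Username is not supplied')
        raise CdbHttpError(cdbHttpStatus.CDB_HTTP_UNAUTHORIZED,
                           'User Not Authorized',
                           InvalidSession('Username is not supplied'))

    cherrypy.request.login = username
    for condition in conditions:
        # A condition is a callable that returns True when the user fulfills it.
        if not condition():
            logger.debug(
                'Authorization check %s failed for username %s' % (condition.__name__, username))
            errorMsg = 'Authorization check %s failed for user %s.' % (
                condition.__name__, username)
            raise CdbHttpError(cdbHttpStatus.CDB_HTTP_UNAUTHORIZED,
                               'User Not Authorized', AuthorizationError(errorMsg))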
def verifyPermissionsToUpdatePropertyValue(self, session, dbPropertyValue, userId):
    """
    Check whether *userId* may update *dbPropertyValue*.

    A value flagged is_user_writeable is editable by any user. Otherwise the
    decision is delegated to verifyPermissionsForWriteToItemElement on the item
    element that owns the value. Returns True on success; denial is signalled
    by raising InvalidSession, never by returning False.

    :param session: DB session used for the property-value -> element lookup.
    :param dbPropertyValue: property value row being edited.
    :param userId: id of the requesting user.
    :raises InvalidSession: the user may not edit this value.
    """
    # Open to every user: nothing further to check.
    if dbPropertyValue.is_user_writeable:
        return True

    elementProperty = self.__getItemElementPropertyFromPropertyValueId(
        session, dbPropertyValue.id)
    allowed = self.verifyPermissionsForWriteToItemElement(
        session, userId, dbItemElementObject=elementProperty.itemElement)
    if allowed:
        return True

    raise InvalidSession(
        "User id %s does not have necessary permissions to edit: %s" % (userId, dbPropertyValue))
def verifyUserCreatedLogEntry(self, session, userId, logId=None, dbLogObject=None):
    """
    Verify that the log entry was entered by *userId*.

    :param session: DB session used when the entry has to be loaded by id.
    :param userId: id of the user claiming authorship.
    :param logId: id of the log entry; used only when no object is given.
    :param dbLogObject: already-loaded log row; takes precedence over logId.
    :returns: True when entered_by_user_id matches userId.
    :raises InvalidArgument: neither logId nor dbLogObject was supplied.
    :raises InvalidSession: the entry was created by a different user.
    """
    if dbLogObject is None and logId is None:
        raise InvalidArgument(
            "At least log id or db log object must be provided.")
    if dbLogObject is not None:
        logId = dbLogObject.id
    else:
        dbLogObject = self.findLogById(session, logId)

    creatorId = dbLogObject.entered_by_user_id
    if creatorId == userId:
        return True
    raise InvalidSession("The log entry %s was created by another user." % logId)