def get_user_perms(user, obj):
"""
Returns permissions for given user and object pair, as list of
strings, only those assigned directly for the user.
"""
check = ObjectPermissionChecker(user)
return check.get_user_perms(obj)
def test_group_assing(self):
assign("change_flatpage", self.group, self.flatpage)
assign("delete_flatpage", self.group, self.flatpage)
check = ObjectPermissionChecker(self.group)
self.assertTrue(check.has_perm("change_flatpage", self.flatpage))
self.assertTrue(check.has_perm("delete_flatpage", self.flatpage))
def test_group_assing(self):
assign("change_keycard", self.group, self.keycard)
assign("delete_keycard", self.group, self.keycard)
check = ObjectPermissionChecker(self.group)
self.assertTrue(check.has_perm("change_keycard", self.keycard))
self.assertTrue(check.has_perm("delete_keycard", self.keycard))
def assign_perm(self, perm, user, obj):
"""
Assigns permission with given ``perm`` for an instance ``obj`` and
``user``.
"""
if getattr(obj, 'pk', None) is None:
raise ObjectNotPersisted("Object %s needs to be persisted first"
% obj)
ctype = ContentType.objects.get_for_model(obj)
permission = Permission.objects.get(content_type=ctype, codename=perm)
kwargs = {'permission': permission, 'user': user}
if self.is_generic():
kwargs['content_type'] = ctype
kwargs['object_pk'] = obj.pk
else:
kwargs['content_object'] = obj
obj_perm, created = self.get_or_create(**kwargs)
# Add to cache
check = ObjectPermissionChecker(user)
key = check.get_local_cache_key(obj)
cache_perms = cache.get(key)
if cache_perms is not None and perm not in cache_perms:
cache_perms.append(perm)
cache.set(key, cache_perms)
return obj_perm
def remove_perm(self, perm, user, obj):
"""
Removes permission ``perm`` for an instance ``obj`` and given ``user``.
Please note that we do NOT fetch object permission from database - we
use ``Queryset.delete`` method for removing it. Main implication of this
is that ``post_delete`` signals would NOT be fired.
"""
if getattr(obj, 'pk', None) is None:
raise ObjectNotPersisted("Object %s needs to be persisted first"
% obj)
filters = {
'permission__codename': perm,
'permission__content_type': ContentType.objects.get_for_model(obj),
'user': user,
}
if self.is_generic():
filters['object_pk'] = obj.pk
else:
filters['content_object__pk'] = obj.pk
self.filter(**filters).delete()
#Remove for cache
check = ObjectPermissionChecker(user)
key = check.get_local_cache_key(obj)
cache_perms = cache.get(key)
if cache_perms is not None and perm in cache_perms:
cache_index = 0
for cache_perm in cache_perms:
if perm == cache_perm:
cache_perms.pop(cache_index)
break
cache_index += 1
cache.set(key, cache_perms)
def recent(request, page=1):
checker = ObjectPermissionChecker(request.user)
submissions = Submission.objects.all().order_by("-id")
filters = {}
empty_message = u"제출된 답안이 없습니다."
title_add = []
# only superuser can see all nonpublic submissions.
# as an exception, if we are filtering by a problem, the author can see
# nonpublic submissions. also, everybody can see their nonpublic
# submissions.
only_public = not request.user.is_superuser
if request.GET.get("problem"):
slug = request.GET["problem"]
problem = get_object_or_404(Problem, slug=slug)
if request.user == problem.user or checker.has_perm('read_problem', problem):
only_public = False
if (problem.state != Problem.PUBLISHED and
request.user != problem.user and
not checker.has_perm('read_problem', problem)):
raise Http404
submissions = submissions.filter(problem=problem)
title_add.append(slug)
filters["problem"] = slug
if "state" in request.GET:
state = request.GET["state"]
submissions = submissions.filter(state=state)
filters["state"] = state
title_add.append(Submission.STATES_KOR[int(state)])
if request.GET.get("user"):
username = request.GET["user"]
user = get_or_none(User, username=username)
if not user:
empty_message = u"해당 사용자가 없습니다."
submissions = submissions.none()
else:
submissions = submissions.filter(user=user)
filters["user"] = username
title_add.append(username)
if user == request.user:
only_public = False
if only_public:
submissions = submissions.filter(is_public=True)
return render(request, "submission/recent.html",
{"title": u"답안 목록" + (": " if title_add else "") +
",".join(title_add),
"filters": filters,
"empty_message": empty_message,
"pagination": setup_paginator(submissions, page,
"judge-submission-recent", {}, filters)})
def test_get_perms(self):
group = Group.objects.create(name='group')
obj1 = ContentType.objects.create(name='ct1', model='foo',
app_label='guardian-tests')
obj2 = ContentType.objects.create(name='ct2', model='bar',
app_label='guardian-tests')
assign_perms = {
group: ('change_group', 'delete_group'),
obj1: ('change_contenttype', 'delete_contenttype'),
obj2: ('delete_contenttype',),
}
check = ObjectPermissionChecker(self.user)
for obj, perms in assign_perms.items():
for perm in perms:
UserObjectPermission.objects.assign_perm(perm, self.user, obj)
self.assertEqual(sorted(perms), sorted(check.get_perms(obj)))
check = ObjectPermissionChecker(self.group)
for obj, perms in assign_perms.items():
for perm in perms:
GroupObjectPermission.objects.assign_perm(perm, self.group, obj)
self.assertEqual(sorted(perms), sorted(check.get_perms(obj)))
def go():
problem = get_or_none(Problem, id=id)
if not problem:
return {"success": False,
"error": u"존재하지 않는 문제입니다."}
checker = ObjectPermissionChecker(request.user)
if not checker.has_perm('edit_problem', problem) and problem.user != request.user:
return {"success": False,
"error": u"권한이 없습니다."}
if request.method != "POST":
return {"success": False,
"error": u"POST 접근하셔야 합니다."}
file = request.FILES["file"]
md5 = md5file(file)
target_path = os.path.join("judge-attachments", md5, file.name)
storage = DefaultStorage()
storage.save(target_path, file)
new_attachment = Attachment(problem=problem,
file=target_path)
new_attachment.save()
# 해당 오브젝트에 대해 아무 퍼미션이나 있으면 처리됨. 문제의 경우 PUBLISHED 일 때는 이 권한을 사용하지 않아서 안전하다
visible_users = get_users_with_perms(problem, with_group_users=False)
visible_groups = get_groups_with_perms(problem)
publish("problem-attachment-%s" % datetime.now().strftime('%s.%f'),
"problem",
"problem-attachment",
actor=request.user,
target=problem,
timestamp=datetime.now(),
visible_users=visible_users,
visible_groups=visible_groups,
verb=u"문제 {target}에 첨부파일 %s 을 추가했습니다." % file.name)
return {"success": True}
def has_perm(self, user_obj, perm, obj=None):
"""
Returns ``True`` if given ``user_obj`` has ``perm`` for ``obj``. If no
``obj`` is given, ``False`` is returned.
.. note::
Remember, that if user is not *active*, all checks would return
``False``.
Main difference between Django's ``ModelBackend`` is that we can pass
``obj`` instance here and ``perm`` doesn't have to contain
``app_label`` as it can be retrieved from given ``obj``.
**Inactive user support**
If user is authenticated but inactive at the same time, all checks
always returns ``False``.
"""
# check if user_obj and object are supported
support, user_obj = check_support(user_obj, obj)
if not support:
return False
if '.' in perm:
app_label, perm = perm.split('.')
if app_label != obj._meta.app_label:
raise WrongAppError("Passed perm has app label of '%s' and "
"given obj has '%s'" % (app_label, obj._meta.app_label))
check = ObjectPermissionChecker(user_obj)
return check.has_perm(perm, obj)
def check_user_role(user, project, roles):
"""Check that a user has one of a set of roles for a project.
Administrator role satisfies any requirement.
"""
# Prefetch all user permissions for project.
checker = ObjectPermissionChecker(user)
# Check for admin privs in all cases.
has_role = checker.has_perm('can_administer', project)
if not has_role:
# Check the indicated role(s)
if isinstance(roles, string_types):
roles = [roles]
for role in roles:
if role == UserRole.Annotate:
has_role = checker.has_perm('can_annotate', project)
elif role == UserRole.Browse:
has_role = checker.has_perm('can_browse', project)
elif role == UserRole.Import:
has_role = checker.has_perm('can_import', project)
if has_role:
break
return has_role
def test_group_assign_perm(self):
assign_perm("change_contenttype", self.group, self.ctype)
assign_perm("delete_contenttype", self.group, self.ctype)
check = ObjectPermissionChecker(self.group)
self.assertTrue(check.has_perm("change_contenttype", self.ctype))
self.assertTrue(check.has_perm("delete_contenttype", self.ctype))
def test_group_remove_perm(self):
# assign perm first
assign("change_flatpage", self.group, self.flatpage)
remove_perm("change_flatpage", self.group, self.flatpage)
check = ObjectPermissionChecker(self.group)
self.assertFalse(check.has_perm("change_flatpage", self.flatpage))
def document_permission_overview(user, document): can_edit = user.has_perm(document.edit_permission_name, document) if not can_edit: return [] main_groups = [ settings.ANONYMOUS_GROUP_NAME, settings.UNIVERSITY_GROUP_NAME, settings.STUDENT_GROUP_NAME, settings.STAFF_GROUP_NAME, ] permissions = [] for group_name in main_groups: group = Group.objects.get(name=group_name) checker = ObjectPermissionChecker(group) checker.prefetch_perms([document]) if checker.has_perm(document.edit_permission_name, document): permissions.append((group.name, "edit")) elif checker.has_perm(document.view_permission_name, document): permissions.append((group.name, "view")) else: permissions.append((group.name, "none")) for group in Group.objects.exclude(name__in=main_groups): checker = ObjectPermissionChecker(group) checker.prefetch_perms([document]) if checker.has_perm(document.edit_permission_name, document): permissions.append((group.name, "edit")) elif checker.has_perm(document.view_permission_name, document): permissions.append((group.name, "view")) return permissions
def test_publish_student_button(self):
"""
Test if the publish for students only button works
"""
staff_group = Group.objects.get(name=settings.STAFF_GROUP_NAME)
document = mommy.make(MinutesDocument, participants=self.participants, moderator=self.moderator, state=MinutesDocument.UNPUBLISHED)
document.set_all_permissions(staff_group)
# The 4 sets the state to published_student
self.app.get(reverse('documents:publish', args=[document.url_title, 4]), user=self.user)
document = MinutesDocument.objects.get(url_title=document.url_title)
self.assertEqual(document.state, MinutesDocument.PUBLISHED_STUDENT)
group = Group.objects.get(name=settings.UNIVERSITY_GROUP_NAME)
checker = ObjectPermissionChecker(group)
self.assertFalse(checker.has_perm(document.view_permission_name, document))
self.assertFalse(checker.has_perm(document.edit_permission_name, document))
self.assertFalse(checker.has_perm(document.delete_permission_name, document))
group = Group.objects.get(name=settings.STUDENT_GROUP_NAME)
checker = ObjectPermissionChecker(group)
self.assertTrue(checker.has_perm(document.view_permission_name, document))
self.assertFalse(checker.has_perm(document.edit_permission_name, document))
self.assertFalse(checker.has_perm(document.delete_permission_name, document))
checker = ObjectPermissionChecker(staff_group)
self.assertTrue(checker.has_perm(document.view_permission_name, document))
self.assertTrue(checker.has_perm(document.edit_permission_name, document))
self.assertTrue(checker.has_perm(document.delete_permission_name, document))
def test_group_remove_perm_queryset(self):
assign_perm("change_contenttype", self.group, self.ctype_qset)
remove_perm("change_contenttype", self.group, self.ctype_qset)
check = ObjectPermissionChecker(self.group)
for obj in self.ctype_qset:
self.assertFalse(check.has_perm("change_contenttype", obj))
def read(request, id):
post = get_object_or_404(Post, id=id)
category = post.category
checker = ObjectPermissionChecker(request.user)
if not checker.has_perm('read_post', category):
return HttpResponseForbidden("Restricted post")
return render(request, "read.html", {"post": post, "category": category})
def diff(request, id1, id2):
rev1 = get_object_or_404(ProblemRevision, id=id1)
rev2 = get_object_or_404(ProblemRevision, id=id2)
problem = rev1.revision_for
checker = ObjectPermissionChecker(request.user)
if (not checker.has_perm('read_problem', problem) and
problem.user != request.user):
raise Http404
dmp = diff_match_patch()
def differ(text1, text2):
return text1 != text2 and dmp.diff_main(text1, text2) or None
return render(request, "problem/diff.html",
{"problem": problem,
"editable": checker.has_perm('edit_problem', problem),
"rev1": rev1,
"rev2": rev2,
"rev1link": reverse("judge-problem-old", kwargs={"id": rev1.id, "slug": problem.slug}),
"rev2link": reverse("judge-problem-old", kwargs={"id": rev2.id, "slug": problem.slug}),
"description": differ(rev1.description, rev2.description),
"input": differ(rev1.input, rev2.input),
"output": differ(rev1.output, rev2.output),
"sample_input": differ(rev1.sample_input, rev2.sample_input),
"sample_output": differ(rev1.sample_output, rev2.sample_output),
"note": differ(rev1.note, rev2.note),
"differ": differ})
def test_group_remove_perm(self):
# assign perm first
assign_perm("change_contenttype", self.group, self.ctype)
remove_perm("change_contenttype", self.group, self.ctype)
check = ObjectPermissionChecker(self.group)
self.assertFalse(check.has_perm("change_contenttype", self.ctype))
def stat(request, slug, page=1):
problem = get_object_or_404(Problem, slug=slug)
checker = ObjectPermissionChecker(request.user)
if (problem.state != Problem.PUBLISHED and
not checker.has_perm('read_problem', problem) and
problem.user != request.user):
raise Http404
submissions = Submission.objects.filter(problem=problem)
verdict_chart = Submission.get_verdict_distribution_graph(submissions)
incorrect_tries_chart = Solver.get_incorrect_tries_chart(problem)
solvers = Solver.objects.filter(problem=problem, solved=True)
order_by = request.GET.get('order_by', 'shortest')
if order_by.endswith('fastest'):
solvers = solvers.order_by(order_by + '_submission__time')
elif order_by.endswith('shortest'):
solvers = solvers.order_by(order_by + '_submission__length')
else:
solvers = solvers.order_by(order_by)
pagination = setup_paginator(solvers, page, 'judge-problem-stat',
{'slug': slug}, request.GET)
title = problem.slug + u': 해결한 사람들'
return render(request, "problem/stat.html",
{'title': title,
'problem': problem,
'editable': checker.has_perm('edit_problem', problem),
'verdict_chart': verdict_chart,
'incorrects_chart': incorrect_tries_chart,
'pagination': pagination,
})
def delete_attachment(request, id):
attachment = get_object_or_404(Attachment, id=id)
problem = attachment.problem
checker = ObjectPermissionChecker(request.user)
if not checker.has_perm('edit_problem', problem) and problem.user != request.user:
raise Http404
old_id = attachment.id
old_filename = attachment.file.name
attachment.file.delete(False)
attachment.delete()
# 해당 오브젝트에 대해 아무 퍼미션이나 있으면 처리됨. 문제의 경우 PUBLISHED 일 때는 이 권한을 사용하지 않아서 안전하다
visible_users = get_users_with_perms(problem, with_group_users=False)
visible_groups = get_groups_with_perms(problem)
publish("problem-attachment-delete-%s" % datetime.now().strftime('%s.%f'),
"problem",
"problem-attachment",
actor=request.user,
target=problem,
timestamp=datetime.now(),
visible_users=visible_users,
visible_groups=visible_groups,
verb=u"문제 {target}에서 첨부파일 %s 을 삭제했습니다." % os.path.basename(old_filename))
return HttpResponse("[]")
def test_has_perms_using_parent_object(self):
group = Group.objects.create(name='group')
obj1 = ContentType.objects.create(
name='ct1', model='foo', app_label='guardian-tests')
obj2 = ContentType.objects.create(
name='ct2', model='bar', app_label='guardian-tests')
obj2.get_parent_object_permission = lambda: (obj1,)
assign_perms = {
group: ('change_group', 'delete_group'),
obj1: ('change_contenttype', 'delete_contenttype'),
obj2: ('delete_contenttype',),
}
# for user
check = ObjectPermissionChecker(self.user)
self.assign_perms(UserObjectPermission, assign_perms[obj1], self.user, obj1)
self.assign_perms(UserObjectPermission, assign_perms[obj2], self.user, obj2)
print "\n\n\n", '*'*30
for perm in sorted(chain(assign_perms[obj1], assign_perms[obj2])):
print 'checking perm %s in %s' % (perm, obj2)
self.assertTrue(check.has_perm(perm, obj2))
# for group
check = ObjectPermissionChecker(self.group)
self.assign_perms(GroupObjectPermission, assign_perms[obj1], self.group, obj1)
self.assign_perms(GroupObjectPermission, assign_perms[obj2], self.group, obj2)
print "\n\n\n", '-'*30
for perm in sorted(chain(assign_perms[obj1], assign_perms[obj2])):
print 'checking perm %s in %s' % (perm, obj2)
self.assertTrue(check.has_perm(perm, obj2))
def get_perms(user_or_group, obj, field="codename"):
"""
Returns permissions for given user/group and object pair, as list of
strings.
"""
check = ObjectPermissionChecker(user_or_group)
return check.get_perms(obj, values_field=field)
def get_organization_perms(user_or_group, obj):
"""
Returns permissions for given user/group and object pair, as list of
strings. It returns only those which are inferred through groups.
"""
check = ObjectPermissionChecker(user_or_group)
return check.get_organization_perms(obj)
def test_group_remove_perm(self):
# assign perm first
assign("change_keycard", self.group, self.keycard)
remove_perm("change_keycard", self.group, self.keycard)
check = ObjectPermissionChecker(self.group)
self.assertFalse(check.has_perm("change_keycard", self.keycard))
def test_setannotationpermissions_sets_correct_permissions(
self, AnnotationSet
):
admins_group = Group.objects.get(
name=settings.RETINA_ADMINS_GROUP_NAME
)
graders_group = Group.objects.get(
name=settings.RETINA_GRADERS_GROUP_NAME
)
AnnotationSet.grader.groups.add(graders_group)
call_command("setannotationpermissions")
checker = ObjectPermissionChecker(AnnotationSet.grader)
group_perms = Permission.objects.filter(
group=admins_group
).values_list("codename", flat=True)
for annotation_model in ANNOTATION_MODELS:
annotation_codename = annotation_model._meta.model_name
for annotation in annotation_model.objects.all():
perms = checker.get_perms(annotation)
for permission_type in annotation._meta.default_permissions:
assert f"{permission_type}_{annotation_codename}" in perms
for permission_type in annotation._meta.default_permissions:
assert (
f"{permission_type}_{annotation_codename}"
in group_perms
)
def bulk_assign_perm(self, perm, user_or_group, queryset):
"""
Bulk assigns permissions with given ``perm`` for an objects in ``queryset`` and
``user_or_group``.
"""
ctype = get_content_type(queryset.model)
if not isinstance(perm, Permission):
permission = Permission.objects.get(content_type=ctype, codename=perm)
else:
permission = perm
checker = ObjectPermissionChecker(user_or_group)
checker.prefetch_perms(queryset)
assigned_perms = []
for instance in queryset:
if not checker.has_perm(permission.codename, instance):
kwargs = {'permission': permission, self.user_or_group_field: user_or_group}
if self.is_generic():
kwargs['content_type'] = ctype
kwargs['object_pk'] = instance.pk
else:
kwargs['content_object'] = instance
assigned_perms.append(self.model(**kwargs))
self.model.objects.bulk_create(assigned_perms)
return assigned_perms
def render(self, context):
for_whom = self.for_whom.resolve(context)
if isinstance(for_whom, get_user_model()):
self.user = for_whom
self.group = None
elif isinstance(for_whom, AnonymousUser):
self.user = get_user_model().get_anonymous()
self.group = None
elif isinstance(for_whom, Group):
self.user = None
self.group = for_whom
elif isinstance(for_whom, Organization):
self.user = None
self.group = for_whom
else:
raise NotUserNorGroup("User or Group instance required (got %s)"
% for_whom.__class__)
obj = self.obj.resolve(context)
if not obj:
return ''
check = ObjectPermissionChecker(for_whom)
perms = check.get_perms(obj, include_group_perms=self.include_group_permissions)
context[self.context_var] = perms
return ''
def allow_bulk_destroy_resources(self, user, resource_list):
"""User must have admin permissions to delete collections."""
checker = ObjectPermissionChecker(user)
for collection in resource_list:
if not checker.has_perm('admin_collection', collection):
return False
return True
def get_perms(user_or_group, obj):
"""
Returns permissions for given user/group and object pair, as list of
strings.
"""
check = ObjectPermissionChecker(user_or_group)
return check.get_perms(obj)
def item_check(self, object_list, bundle, permission):
if not self.base_check(object_list, bundle):
raise Unauthorized("You are not allowed to access that resource.")
checker = ObjectPermissionChecker(bundle.request.user)
if not checker.has_perm(permission, bundle.obj):
raise Unauthorized("You are not allowed to access that resource.")
return True
def render(self, context):
for_whom = self.for_whom.resolve(context)
if isinstance(for_whom, get_user_model()):
self.user = for_whom
self.group = None
elif isinstance(for_whom, AnonymousUser):
self.user = get_user_model().get_anonymous()
self.group = None
elif isinstance(for_whom, Group):
self.user = None
self.group = for_whom
else:
raise NotUserNorGroup("User or Group instance required (got %s)" %
for_whom.__class__)
obj = self.obj.resolve(context)
if not obj:
return ''
check = self.checker.resolve(
context) if self.checker else ObjectPermissionChecker(for_whom)
perms = check.get_perms(obj)
context[self.context_var] = perms
return ''
def _preload_permissions(self):
units = set()
resource_groups = set()
resources = set()
checker = ObjectPermissionChecker(self.request.user)
for rv in self._page:
resources.add(rv.resource)
rv.resource._permission_checker = checker
for res in resources:
units.add(res.unit)
for g in res.groups.all():
resource_groups.add(g)
if units:
checker.prefetch_perms(units)
if resource_groups:
checker.prefetch_perms(resource_groups)
def assign_user_profile(user, _model, admins=[]):
"""
Assign Object(model) permission for the object's associated
user and site administrators
:param user: the object's associated user
:param _model: the object itself
:param admins: optional administrators for control and security reasons
:return: Boolean
"""
for admin in admins:
admin_checker = ObjectPermissionChecker(admin)
admin_has_perm = admin_checker.has_perm("profile_user", _model)
if not admin_has_perm:
assign_perm("profile_user", admin, _model)
checker = ObjectPermissionChecker(user)
has_perm = checker.has_perm("profile_user", _model)
if not has_perm:
assign_perm("profile_user", user, _model)
return user.has_perm("profile_user", _model)
def get_permissions(user_or_group: Union[User, Group], object_list: QuerySet) -> List[ObjectPermission]:
permissions = []
perm_checker = ObjectPermissionChecker(user_or_group)
perm_checker.prefetch_perms(object_list)
opts = object_list.model._meta
perm_view = get_permission_codename('view', opts)
perm_change = get_permission_codename('change', opts)
perm_delete = get_permission_codename('delete', opts)
for obj in object_list:
permissions.append(
ObjectPermission(
obj=obj,
can_view=perm_checker.has_perm(perm_view, obj),
can_change=perm_checker.has_perm(perm_change, obj),
can_delete=perm_checker.has_perm(perm_delete, obj),
)
)
return permissions
def has_object_permission(self, request, view, obj):
checker = ObjectPermissionChecker(request.user)
return checker.has_perm("profile_user", obj)
def check_permissions(permission_type, user, obj):
checker = ObjectPermissionChecker(user)
class_lower_name = obj.__class__.__name__.lower()
perm = '{0}_{1}'.format(permission_type, class_lower_name)
return checker.has_perm(perm, obj)
def get_all_permissions(user, object_list):
checker = ObjectPermissionChecker(user)
checker.prefetch_perms(object_list)
return {obj.pk: checker.get_perms(obj) for obj in object_list}
def index(request, catalog_id='', slug=''):
catalog = None
if catalog_id:
catalog = get_object_or_404(ZCatalog, id=catalog_id)
elif slug:
catalog = get_object_or_404(ZCatalog, latin_title=slug)
else:
raise Http404()
checker = ObjectPermissionChecker(request.user)
if not checker.has_perm('view_zcatalog', catalog):
return HttpResponse(u'Доступ запрещен')
if not catalog.can_search:
return HttpResponse(u"Каталог не доступен для поиска.")
zgate_url = catalog.url
if request.method == 'POST' and 'SESSION_ID' in request.POST:
log_search_request(request, catalog)
(result, cookies) = zworker.request(zgate_url,
data=request.POST,
cookies=request.COOKIES)
response = render_search_result(
request,
catalog,
zresult=result,
)
return set_cookies_to_response(cookies, response)
else:
if 'zstate' in request.GET: #а тут пользователь уже начал щелкать по ссылкам
if 'ACTION' in request.GET and request.GET['ACTION'] == 'pq':
return save_requests(request, catalog)
url = zgate_url + '?' + request.GET['zstate'].replace(' ', '+')
vars = request.GET['zstate'].split(' ')
cookies = {}
if vars[0] == 'form':
try:
(zresult,
cookies) = zworker.request(url, cookies=request.COOKIES)
except Exception:
return HttpResponse(
u'Получен некорретный ответ. Попробуйте осуществить поиск еще раз.'
)
response = render_form(request,
zresult=zresult,
catalog=catalog)
return set_cookies_to_response(cookies, response)
elif vars[0] == 'present':
if vars[4] == '1' and vars[5] == 'F':
try:
response = render_detail(request, catalog)
except Exception:
return HttpResponse(
u'Сервер не может корректно отобразить результат. Повторите запрос еще раз.'
)
return set_cookies_to_response(cookies, response)
response = render_search_result(request, catalog)
return set_cookies_to_response(cookies, response)
else:
response = render_search_result(request, catalog)
return set_cookies_to_response(cookies, response)
else: #значит только инициализация формы
# if not catalog.can_search:
# return Htt
(zgate_form,
cookies) = zworker.get_zgate_form(zgate_url=zgate_url,
xml=catalog.xml,
xsl=catalog.xsl,
cookies=request.COOKIES)
response = render_form(request, zgate_form, catalog)
return set_cookies_to_response(cookies, response)
def check_permissions(self, request):
user = request.user
region = Region.objects.get(pk=self.kwargs['pk'])
checker = ObjectPermissionChecker(user)
response = checker.has_perm('financiero', region)
return response
def sftp_file(request): ##上传
if request.method == "GET":
obj = get_objects_for_user(request.user, 'asset.change_asset')
return render(request, 'tasks/sftp.html', {
'asset_list': obj,
"tasks_active": "active",
"sftp_active": "active"
})
if request.method == 'POST':
ids = request.POST.getlist('id')
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
local_path = request.POST.get("local_path")
server_path = request.POST.get("server_path")
ids1 = []
for i in ids:
assets = asset.objects.get(id=i)
if checker.has_perm(
'delete_asset',
assets,
) == True:
ids1.append(i)
user = request.user
idstring = ','.join(ids1)
if not ids:
error_1 = "请选择主机"
ret = {"error": error_1, "status": False}
return HttpResponse(json.dumps(ret))
elif not local_path or not server_path:
error_2 = "请输入上传文件目录及文件名"
ret = {"error": error_2, "status": False}
return HttpResponse(json.dumps(ret))
obj = asset.objects.extra(where=['id IN (' + idstring + ')'])
ret = {}
ret['data'] = []
for i in obj:
try:
s = sftp(ip=i.network_ip,
port=i.port,
username=i.system_user.username,
password=i.system_user.password,
local_path=local_path,
server_path=server_path)
historys = history.objects.create(
ip=i.network_ip,
root=i.system_user,
port=i.port,
cmd="上传{}".format(server_path),
user=user)
if s == None or s['data'] == '':
s = {}
s['ip'] = i.network_ip
s['data'] = "返回值为空,可能是权限不够。"
ret['data'].append(s)
except Exception as e:
ret['data'].append({
"ip": i.network_ip,
"data": "账号密码不对,{}".format(e)
})
return HttpResponse(json.dumps(ret))
def tools_script_post(request):
ret = {'data': None}
if request.method == 'POST':
try:
host_ids = request.POST.getlist('id', None)
sh_id = request.POST.get('shid', None)
user = request.user
if not host_ids:
error1 = "请选择主机"
ret = {"error": error1, "status": False}
return HttpResponse(json.dumps(ret))
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
ids1 = []
for i in host_ids:
assets = asset.objects.get(id=i)
if checker.has_perm(
'delete_asset',
assets,
) == True:
ids1.append(i)
idstring = ','.join(ids1)
host = asset.objects.extra(where=['id IN (' + idstring + ')'])
sh = toolsscript.objects.filter(id=sh_id)
for s in sh:
if s.tool_run_type == 0:
with open('tasks/script/test.sh', 'w+') as f:
f.write(s.tool_script)
a = 'tasks/script/{}.sh'.format(s.id)
os.system(
"sed 's/\r//' tasks/script/test.sh > {}".format(a))
elif s.tool_run_type == 1:
with open('tasks/script/test.py', 'w+') as f:
f.write(s.tool_script)
p = 'tasks/script/{}.py'.format(s.id)
os.system(
"sed 's/\r//' tasks/script/test.py > {}".format(p))
elif s.tool_run_type == 2:
with open('tasks/script/test.yml', 'w+') as f:
f.write(s.tool_script)
y = 'tasks/script/{}.yml'.format(s.id)
os.system(
"sed 's/\r//' tasks/script/test.yml > {}".format(y))
else:
ret['status'] = False
ret['error'] = '脚本类型错误,只能是shell、yml、python'
return HttpResponse(json.dumps(ret))
data1 = []
for h in host:
try:
data2 = {}
assets = [
{
"hostname": h.hostname,
"ip": h.network_ip,
"port": h.port,
"username": h.system_user.username,
"password": h.system_user.password,
},
]
history.objects.create(ip=h.network_ip,
root=h.system_user.username,
port=h.port,
cmd=s.name,
user=user)
if s.tool_run_type == 0:
task_tuple = (('script', a), )
hoc = AdHocRunner(hosts=assets)
hoc.results_callback = CommandResultCallback()
r = hoc.run(task_tuple)
data2['ip'] = h.network_ip
data2['data'] = r['contacted'][
h.hostname]['stdout']
data1.append(data2)
elif s.tool_run_type == 1:
task_tuple = (('script', p), )
hoc = AdHocRunner(hosts=assets)
hoc.results_callback = CommandResultCallback()
r = hoc.run(task_tuple)
data2['ip'] = h.network_ip
data2['data'] = r['contacted'][
h.hostname]['stdout']
data1.append(data2)
elif s.tool_run_type == 2:
play = PlayBookRunner(assets, playbook_path=y)
b = play.run()
data2['ip'] = h.network_ip
data2['data'] = b['plays'][0]['tasks'][1]['hosts'][h.hostname]['stdout'] + \
b['plays'][0]['tasks'][1]['hosts'][h.hostname]['stderr']
data1.append(data2)
else:
data2['ip'] = "脚本类型错误"
data2['data'] = "脚本类型错误"
except Exception as e:
data2['ip'] = h.network_ip
data2[
'data'] = "账号密码不对,或没有权限,请修改{}, 请查看主机资产中的 主机名 ,此值不能为空,可随便填写一个。 ".format(
e)
data1.append(data2)
ret['data'] = data1
return HttpResponse(json.dumps(ret))
except Exception as e:
ret['error'] = '未知错误 {}'.format(e)
return HttpResponse(json.dumps(ret))
def Inception_exe(request): ##Inception 执行
if request.method == 'POST':
ids = request.POST.getlist('id')
sql_db = request.POST.get('sql', None)
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
ids1 = []
for i in ids:
assets = db_mysql.objects.get(id=i)
if checker.has_perm(
'task_db_mysql',
db_mysql,
) == True:
ids1.append(i)
else:
error_3 = "数据库没有权限"
ret = {"error": error_3, "status": False}
return HttpResponse(json.dumps(ret))
user = request.user
idstring = ','.join(ids1)
if not ids:
error_1 = "请选择数据库"
ret = {"error": error_1, "status": False}
return HttpResponse(json.dumps(ret))
elif not sql_db:
error_2 = "请输入命令"
ret = {"error": error_2, "status": False}
return HttpResponse(json.dumps(ret))
obj = db_mysql.objects.extra(where=['id IN (' + idstring + ')'])
ret = {}
ret['data'] = []
for i in obj:
try:
historys = history.objects.create(ip=i.ip,
root=i.db_user.username,
port=i.port,
cmd="执行:{}".format(sql_db),
user=user)
password = decrypt_p(i.db_user.password)
s = sql_exe(user=i.db_user.username,
password=password,
host=i.ip,
port=i.port,
sqls=sql_db)
if s == None or s['data'] == '':
s = {}
s['ip'] = i.ip
s['data'] = "返回值为空,可能是权限不够。"
ret['data'].append(s)
except Exception as e:
ret['data'].append({"ip": i.ip, "data": "账号密码不对,{}".format(e)})
return HttpResponse(json.dumps(ret))
def has_perm(obj, user, perm):
if hasattr(obj, 'perm'):
return ObjectPermissionChecker(user).has_perm(
perm, obj) if guardian else user.has_perm(obj.perm(perm))
else:
return False
def has_manage_permissions(self, reservables, user):
checker = ObjectPermissionChecker(user)
for r in reservables.all():
if not checker.has_perm('manage_reservations', r):
return False
return True
def post(self, request): ##命令行
ids = request.POST.getlist('id')
code_id = request.POST.get('code_id', None)
dest = request.POST.get('dest', None)
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
ids1 = []
for i in ids:
assets = asset.objects.get(id=i)
if checker.has_perm(
'task_asset',
assets,
) == True:
ids1.append(i)
else:
error_3 = "主机没有权限"
ret = {"error": error_3, "status": False}
return HttpResponse(json.dumps(ret))
idstring = ','.join(ids1)
if not ids:
error_1 = "请选择主机"
ret = {"error": error_1, "status": False}
return HttpResponse(json.dumps(ret))
obj = asset.objects.extra(where=['id IN (' + idstring + ')'])
ret = {'data': []}
tasks = []
file = codebase.objects.get(id=code_id)
for i in obj:
try:
assets = [
{
"hostname": 'host',
"ip": i.network_ip,
"port": i.port,
"username": i.system_user.username,
"password": decrypt_p(i.system_user.password),
},
]
tasks = [
{
"action": {
"module":
"copy",
"args":
"src=./upload/{0} {1}".format(
file.file.name, dest)
},
"name": "copy_code"
},
]
inventory = BaseInventory(assets)
runner = AdHocRunner(inventory)
retsult = runner.run(tasks, "all")
ret1 = []
try:
ret1.append(
"分发成功 {} 备注:如果前面返回值为 false,表示已经分发完成了,请不要重复分发。".
format(retsult.results_raw['ok']['host']['copy_code']
['changed']))
except Exception as e:
if retsult.results_summary['dark'] == {}:
ret1.append("执行成功")
else:
ret1.append("命令有问题,{}".format(
retsult.results_summary['dark']))
history.objects.create(ip=i.network_ip,
root=i.system_user,
port=i.port,
cmd="上传 {} 到 {}".format(
file.name, dest),
user=user)
ret2 = {'ip': i.network_ip, 'data': '\n'.join(ret1)}
ret['data'].append(ret2)
except Exception as e:
ret['data'].append({
"ip": i.network_ip,
"data": "账号密码不对,{}".format(e)
})
return HttpResponse(json.dumps(ret))
def document_permission_overview(user, document):
can_edit = user.has_perm(document.edit_permission_name, document)
if not can_edit:
return []
main_groups = [
settings.ANONYMOUS_GROUP_NAME,
settings.UNIVERSITY_GROUP_NAME,
settings.STUDENT_GROUP_NAME,
settings.STAFF_GROUP_NAME,
]
permissions = []
for group_name in main_groups:
group = Group.objects.get(name=group_name)
checker = ObjectPermissionChecker(group)
checker.prefetch_perms([document])
if checker.has_perm(document.edit_permission_name, document):
permissions.append((group.name, "edit"))
elif checker.has_perm(document.view_permission_name, document):
permissions.append((group.name, "view"))
else:
permissions.append((group.name, "none"))
for group in Group.objects.exclude(name__in=main_groups):
checker = ObjectPermissionChecker(group)
checker.prefetch_perms([document])
if checker.has_perm(document.edit_permission_name, document):
permissions.append((group.name, "edit"))
elif checker.has_perm(document.view_permission_name, document):
permissions.append((group.name, "view"))
return permissions
def list(request, groupid):
groupid = int(groupid)
try:
group = Group.objects.get(id=groupid)
except ObjectDoesNotExist:
raise Http404
result = {}
own_group = request.user.is_superuser or group in request.user.groups.all()
minutes = MinutesDocument.objects.all().prefetch_related(
'labels').order_by('-date')
# Prefetch group permissions
group_checker = ObjectPermissionChecker(group)
group_checker.prefetch_perms(minutes)
# Prefetch user permissions
user_checker = ObjectPermissionChecker(request.user)
user_checker.prefetch_perms(minutes)
# Prefetch ip group permissions
ip_range_group_name = request.user._ip_range_group_name if hasattr(
request.user, '_ip_range_group_name') else None
if ip_range_group_name:
ip_range_group = Group.objects.get(name=ip_range_group_name)
ip_range_group_checker = ObjectPermissionChecker(ip_range_group)
for m in minutes:
# we show all documents for which the requested group has edit permissions
# e.g. if you request FSR minutes, all minutes for which the FSR group has edit rights will be shown
if not group_checker.has_perm(m.edit_permission_name, m):
continue
# we only show documents for which the user has view permissions
if not user_checker.has_perm(
MinutesDocument.get_view_permission(),
m) and (not ip_range_group_name
or not ip_range_group_checker.has_perm(
MinutesDocument.get_view_permission(), m)):
continue
if m.date.year not in result:
result[m.date.year] = []
result[m.date.year].append(m)
return render(
request, "minutes_list.html", {
'minutes_list': sorted(result.items(), reverse=True),
'own_group': own_group
})
def test_publish_student_button(self):
"""
Test if the publish for students only button works
"""
staff_group = Group.objects.get(name=settings.STAFF_GROUP_NAME)
document = mommy.make(MinutesDocument,
participants=self.participants,
moderator=self.moderator,
state=MinutesDocument.UNPUBLISHED)
document.set_all_permissions(staff_group)
# The 4 sets the state to published_student
self.app.get(reverse('documents:publish', args=[document.url_title,
4]),
user=self.user)
document = MinutesDocument.objects.get(url_title=document.url_title)
self.assertEqual(document.state, MinutesDocument.PUBLISHED_STUDENT)
group = Group.objects.get(name=settings.UNIVERSITY_GROUP_NAME)
checker = ObjectPermissionChecker(group)
self.assertFalse(
checker.has_perm(document.view_permission_name, document))
self.assertFalse(
checker.has_perm(document.edit_permission_name, document))
self.assertFalse(
checker.has_perm(document.delete_permission_name, document))
group = Group.objects.get(name=settings.STUDENT_GROUP_NAME)
checker = ObjectPermissionChecker(group)
self.assertTrue(
checker.has_perm(document.view_permission_name, document))
self.assertFalse(
checker.has_perm(document.edit_permission_name, document))
self.assertFalse(
checker.has_perm(document.delete_permission_name, document))
checker = ObjectPermissionChecker(staff_group)
self.assertTrue(
checker.has_perm(document.view_permission_name, document))
self.assertTrue(
checker.has_perm(document.edit_permission_name, document))
self.assertTrue(
checker.has_perm(document.delete_permission_name, document))
def __init__(self, user_or_group, checker=None):
self.user_or_group = user_or_group
self.checker = checker
if checker is None:
self.checker = ObjectPermissionChecker(user_or_group)
def cmd(request): ##命令行
if request.method == "GET":
obj = get_objects_for_user(request.user, 'asset.change_asset')
return render(request, 'tasks/cmd.html', {
'asset_list': obj,
"tasks_active": "active",
"cmd_active": "active"
})
if request.method == 'POST':
ids = request.POST.getlist('id')
args = request.POST.getlist('args', None)
module = request.POST.getlist('module', None)
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
ids1 = []
for i in ids:
assets = asset.objects.get(id=i)
if checker.has_perm(
'task_asset',
assets,
) == True:
ids1.append(i)
else:
error_3 = "主机没有权限"
ret = {"error": error_3, "status": False}
return HttpResponse(json.dumps(ret))
idstring = ','.join(ids1)
if not ids:
error_1 = "请选择主机"
ret = {"error": error_1, "status": False}
return HttpResponse(json.dumps(ret))
elif args == ['']:
error_2 = "请输入命令"
ret = {"error": error_2, "status": False}
return HttpResponse(json.dumps(ret))
obj = asset.objects.extra(where=['id IN (' + idstring + ')'])
ret = {'data': []}
tasks = []
for x in range(len(module)):
tasks.append(
{
"action": {
"module": module[x],
"args": args[x]
},
"name": 'task{}'.format(x)
}, )
for i in obj:
try:
assets = [
{
"hostname": 'host',
"ip": i.network_ip,
"port": i.port,
"username": i.system_user.username,
"password": decrypt_p(i.system_user.password),
},
]
inventory = BaseInventory(assets)
runner = AdHocRunner(inventory)
retsult = runner.run(tasks, "all")
ret1 = []
for c in range(len(module)):
try:
ret1.append(retsult.results_raw['ok']['host'][
'task{}'.format(c)]['stdout'])
except Exception as e:
if retsult.results_summary['dark'] == ['']:
ret1.append("执行成功")
else:
ret1.append("命令有问题,{}".format(
retsult.results_summary['dark']))
history.objects.create(ip=i.network_ip,
root=i.system_user,
port=i.port,
cmd=args,
user=user)
ret2 = {'ip': i.network_ip, 'data': '\n'.join(ret1)}
ret['data'].append(ret2)
except Exception as e:
ret['data'].append({
"ip": i.network_ip,
"data": "账号密码不对,{}".format(e)
})
return HttpResponse(json.dumps(ret))
def Inception(request): ##Inception
if request.method == "GET":
obj = get_objects_for_user(request.user, 'db.change_db_mysql')
return render(request, 'tasks/Inception.html', {
'sql_list': obj,
"tasks_active": "active",
"sql_active": "active"
})
if request.method == 'POST':
ids = request.POST.getlist('id')
sql_db = request.POST.get('sql', None)
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
ids1 = []
for i in ids:
assets = db_mysql.objects.get(id=i)
if checker.has_perm(
'delete_db_mysql',
db_mysql,
) == True:
ids1.append(i)
user = request.user
idstring = ','.join(ids1)
if not ids:
error_1 = "请选择数据库"
ret = {"error": error_1, "status": False}
return HttpResponse(json.dumps(ret))
elif not sql_db:
error_2 = "请输入命令"
ret = {"error": error_2, "status": False}
return HttpResponse(json.dumps(ret))
obj = db_mysql.objects.extra(where=['id IN (' + idstring + ')'])
ret = {}
ret['data'] = []
print(sql_db)
for i in obj:
try:
s = sql(user=i.db_user.username,
password=i.db_user.password,
host=i.ip,
port=i.port,
sqls=sql_db)
historys = history.objects.create(ip=i.ip,
root=i.db_user.username,
port=i.port,
cmd=sql_db,
user=user)
if s == None or s['data'] == '':
s = {}
s['ip'] = i.ip
s['data'] = "返回值为空,可能是权限不够。"
ret['data'].append(s)
except Exception as e:
ret['data'].append({"ip": i.ip, "data": "账号密码不对,{}".format(e)})
return HttpResponse(json.dumps(ret))
def get(self, request, *args, **kwargs):
entity = kwargs['entity']
pk = kwargs['pk']
entity_model = ContentType.objects.get(app_label='entities',
model=entity).model_class()
instance = get_object_or_404(entity_model, pk=pk)
request = set_session_variables(request)
relations = ContentType.objects.filter(app_label='relations',
model__icontains=entity)
side_bar = []
for rel in relations:
match = str(rel).split()
prefix = "{}{}-".format(match[0].title()[:2], match[1].title()[:2])
table = get_generic_relations_table(''.join(match), entity)
title_panel = ''
if match[0] == match[1]:
title_panel = entity.title()
dict_1 = {'related_' + entity.lower() + 'A': instance}
dict_2 = {'related_' + entity.lower() + 'B': instance}
if 'apis_highlighter' in settings.INSTALLED_APPS:
object_pre = rel.model_class(
).annotation_links.filter_ann_proj(
request=request).filter(Q(**dict_1) | Q(**dict_2))
else:
object_pre = rel.model_class().objects.filter(
Q(**dict_1) | Q(**dict_2))
objects = []
for x in object_pre:
objects.append(x.get_table_dict(instance))
else:
if match[0].lower() == entity.lower():
title_panel = match[1].title()
else:
title_panel = match[0].title()
dict_1 = {'related_' + entity.lower(): instance}
if 'apis_highlighter' in settings.INSTALLED_APPS:
objects = list(
rel.model_class().annotation_links.filter_ann_proj(
request=request).filter(**dict_1))
else:
objects = list(rel.model_class().objects.filter(**dict_1))
tb_object = table(objects, prefix=prefix)
tb_object_open = request.GET.get(prefix + 'page', None)
RequestConfig(request, paginate={
"per_page": 10
}).configure(tb_object)
side_bar.append(
(title_panel, tb_object, ''.join([x.title() for x in match]),
tb_object_open))
form = get_entities_form(entity.title())
form = form(instance=instance)
form_text = FullTextForm(entity=entity.title(), instance=instance)
if 'apis_highlighter' in settings.INSTALLED_APPS:
form_ann_agreement = SelectAnnotatorAgreement()
else:
form_ann_agreement = False
object_revisions = Version.objects.get_for_object(instance)
object_lod = Uri.objects.filter(entity=instance)
object_texts, ann_proj_form = get_highlighted_texts(request, instance)
object_labels = Label.objects.filter(temp_entity=instance)
tb_label = EntityLabelTable(object_labels,
prefix=entity.title()[:2] + 'L-')
tb_label_open = request.GET.get('PL-page', None)
side_bar.append(('Label', tb_label, 'PersonLabel', tb_label_open))
RequestConfig(request, paginate={"per_page": 10}).configure(tb_label)
perm = ObjectPermissionChecker(request.user)
permissions = {
'change': perm.has_perm('change_{}'.format(entity), instance),
'delete': perm.has_perm('delete_{}'.format(entity), instance),
'create': request.user.has_perm('entities.add_{}'.format(entity))
}
template = select_template([
'entities/{}_create_generic.html'.format(entity),
'entities/entity_create_generic.html'
])
return HttpResponse(
template.render(request=request,
context={
'entity_type': entity,
'form': form,
'form_text': form_text,
'instance': instance,
'right_panel': side_bar,
'object_revisions': object_revisions,
'object_texts': object_texts,
'object_lod': object_lod,
'ann_proj_form': ann_proj_form,
'form_ann_agreement': form_ann_agreement,
'permissions': permissions
}))
def test_anonymous_user(self):
user = AnonymousUser()
check = ObjectPermissionChecker(user)
# assert anonymous user has no object permissions at all for obj
self.assertTrue([] == list(check.get_perms(self.ctype)))
def tools_script_post(request):
ret = {'data': None}
if request.method == 'POST':
try:
host_ids = request.POST.getlist('id', None)
sh_id = request.POST.get('shid', None)
user = request.user
if not host_ids:
error1 = "请选择主机"
ret = {"error": error1, "status": False}
return HttpResponse(json.dumps(ret))
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
ids1 = []
for i in host_ids:
assets = asset.objects.get(id=i)
if checker.has_perm(
'task_asset',
assets,
) == True:
ids1.append(i)
else:
error2 = "主机没有权限"
ret = {"error": error2, "status": False}
return HttpResponse(json.dumps(ret))
idstring = ','.join(ids1)
host = asset.objects.extra(where=['id IN (' + idstring + ')'])
sh = toolsscript.objects.filter(id=sh_id)
for s in sh:
if s.tool_run_type == 0:
with open('tasks/script/test.sh', 'w+') as f:
f.write(s.tool_script)
a = 'tasks/script/{}.sh'.format(s.id)
os.system(
"sed 's/\r//' tasks/script/test.sh > {}".format(a))
elif s.tool_run_type == 1:
with open('tasks/script/test.py', 'w+') as f:
f.write(s.tool_script)
p = 'tasks/script/{}.py'.format(s.id)
os.system(
"sed 's/\r//' tasks/script/test.py > {}".format(
p))
# elif s.tool_run_type == 2:
# with open('tasks/script/test.yml', 'w+') as f:
# f.write(s.tool_script)
# y = 'tasks/script/{}.yml'.format(s.id)
# os.system("sed 's/\r//' tasks/script/test.yml > {}".format(y))
else:
ret['status'] = False
ret['error'] = '脚本类型错误,只能是shell、python'
return HttpResponse(json.dumps(ret))
data1 = []
for h in host:
try:
password = decrypt_p(h.system_user.password)
assets = [
{
"hostname": 'host',
"ip": h.network_ip,
"port": h.port,
"username": h.system_user.username,
"password": password,
},
]
history.objects.create(ip=h.network_ip,
root=h.system_user.username,
port=h.port,
cmd=s.name,
user=user)
if s.tool_run_type == 0:
tasks1 = [
{
"action": {
"module": "script",
"args": "{}".format(a)
},
"name": "1"
},
]
elif s.tool_run_type == 1:
tasks1 = [
{
"action": {
"module": "script",
"args": "{}".format(p)
},
"name": "1"
},
]
inventory = BaseInventory(assets)
runner = AdHocRunner(inventory)
retsu = runner.run(tasks1, "all")
try:
data2 = {
'ip':
h.network_ip,
'data':
retsu.results_raw['ok']['host']['1']['stdout']
}
except Exception as e:
if retsu.results_summary['dark'] == ['']:
data2 = {'ip': h.network_ip, 'data': "执行成功"}
else:
data2 = {
'ip':
h.network_ip,
'data':
"命令有问题,{}".format(
retsu.results_summary['dark'])
}
data1.append(data2)
except Exception as e:
data2['ip'] = h.network_ip
data2['data'] = "账号密码不对,或没有权限,请修改 {}, ".format(e)
data1.append(data2)
ret['data'] = data1
return HttpResponse(json.dumps(ret))
except Exception as e:
ret['error'] = '未知错误 {}'.format(e)
return HttpResponse(json.dumps(ret))
def get_context_data(self, **kwargs):
context = super(CandidateDetailView, self).get_context_data(**kwargs)
obj = self.get_object()
notes = Note.objects.filter(candidate=obj, privileged=False)
special_notes = Note.objects.filter(candidate=obj, privileged=True)
checker = ObjectPermissionChecker(self.request.user)
notes_forms = []
notes_display = []
for note in notes:
if checker.has_perm(NOTE__CAN_MAKE_CANDIDATE_NOTE, note.unit):
update_form = UpdateNoteForm(instance=note)
update_form.fields['text'].label = 'Note for {unit}'.format(
unit=note.unit)
notes_forms.append(update_form)
elif checker.has_perm(NOTE__CAN_SEE, note.unit):
notes_display.append(note)
context['notes_forms'] = notes_forms
context['notes_display'] = notes_display
unnoted_units = []
for unit in Unit.objects.all():
if (checker.has_perm(NOTE__CAN_MAKE_CANDIDATE_NOTE, unit)
and not notes.filter(unit=unit)):
unnoted_units.append(unit.pk)
if unnoted_units:
create_form = CreateNoteForm(initial={'candidate': obj})
create_form.fields['unit'].queryset = Unit.objects.filter(
pk__in=unnoted_units)
create_form.fields['candidate'].widget = forms.HiddenInput()
context['create_form'] = create_form
special_notes_forms = []
special_notes_display = []
for note in special_notes:
if checker.has_perm(NOTE__CAN_MAKE_PRIVILEGED_NOTE, note.unit):
update_form = UpdateNoteForm(instance=note)
update_form.fields['text'].label = 'Special note for ' \
'{unit}'.format(unit=note.unit)
special_notes_forms.append(update_form)
else:
special_notes_display.append(note)
context['special_notes_forms'] = special_notes_forms
context['special_notes_display'] = special_notes_display
unnoted_special_units = []
for unit in Unit.objects.all():
if (checker.has_perm(NOTE__CAN_MAKE_PRIVILEGED_NOTE, unit)
and not special_notes.filter(unit=unit)):
unnoted_special_units.append(unit.pk)
if unnoted_special_units:
create_form = CreateNoteForm(initial={
'candidate': obj,
'privileged': True
})
create_form.fields['unit'].queryset = Unit.objects.filter(
pk__in=unnoted_special_units)
create_form.fields['candidate'].widget = forms.HiddenInput()
context['special_create_form'] = create_form
committees = {}
committees['sent'] = Committee.objects.filter(
appointments__in=Appointment.objects.filter(
candidate=obj, status=Appointment.SENT)).distinct()
committees['recced'] = Committee.objects.filter(
appointments__in=Appointment.objects.filter(
candidate=obj, status=Appointment.RECOMMENDED)).distinct()
committees['maybe'] = Committee.objects.filter(
appointments__in=Appointment.objects.filter(
candidate=obj,
status__in=[Appointment.APPLICANT, Appointment.POTENTIAL
])).distinct()
committees['nope'] = Committee.objects.filter(
appointments__in=Appointment.objects.filter(
candidate=obj, status=Appointment.DECLINED)).distinct()
context['committees'] = committees
context['other_committees'] = Committee.objects.exclude(
appointments__candidate=obj).distinct()
context['appointments'] = Committee.objects.filter(
appointments__candidate=obj,
appointments__status=Appointment.ACCEPTED).distinct()
context['libtype_form'] = UpdateLibraryTypeForm(
instance=self.get_object())
return context
def __init__(self, *args, **kwargs):
self.request = kwargs.pop('request', None)
super().__init__(*args, **kwargs)
self.permission_checker = ObjectPermissionChecker(kwargs['instance'])
self.permission_checker.prefetch_perms(
Unit.objects.filter(authorizations__authorized=kwargs['instance']))
def recent(request, page=1):
checker = ObjectPermissionChecker(request.user)
submissions = Submission.objects.all().order_by("-id")
filters = {}
empty_message = u"제출된 답안이 없습니다."
title_add = []
# only superuser can see all nonpublic submissions.
# as an exception, if we are filtering by a problem, the author can see
# nonpublic submissions. also, everybody can see their nonpublic
# submissions.
only_public = not request.user.is_superuser
if request.GET.get("problem"):
slug = request.GET["problem"]
problem = get_object_or_404(Problem, slug=slug)
if request.user == problem.user or checker.has_perm(
'read_problem', problem):
only_public = False
if (problem.state != Problem.PUBLISHED and request.user != problem.user
and not checker.has_perm('read_problem', problem)):
raise Http404
submissions = submissions.filter(problem=problem)
title_add.append(slug)
filters["problem"] = slug
if "state" in request.GET:
state = request.GET["state"]
submissions = submissions.filter(state=state)
filters["state"] = state
title_add.append(Submission.STATES_KOR[int(state)])
if request.GET.get("user"):
username = request.GET["user"]
user = get_or_none(User, username=username)
if not user:
empty_message = u"해당 사용자가 없습니다."
submissions = submissions.none()
else:
submissions = submissions.filter(user=user)
filters["user"] = username
title_add.append(username)
if user == request.user:
only_public = False
if only_public:
submissions = submissions.filter(is_public=True)
problems = Problem.objects.filter(state=Problem.PUBLISHED).order_by("slug")
users = User.objects.order_by("username")
return render(
request, "submission/recent.html", {
"title":
u"답안 목록" + (": " if title_add else "") + ",".join(title_add),
"problems":
problems,
"users":
users,
"filters":
filters,
"empty_message":
empty_message,
"pagination":
setup_paginator(submissions, page, "judge-submission-recent", {},
filters)
})
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
profile_user = context["object"].user
profile_groups = profile_user.groups.all()
organizations = Organization.objects.filter(
Q(members_group__in=profile_groups)
| Q(editors_group__in=profile_groups)).distinct()
archives = (get_objects_for_user(
user=self.request.user,
perms="view_archive",
klass=Archive,
use_groups=True,
).filter(
Q(editors_group__in=profile_groups)
| Q(uploaders_group__in=profile_groups)
| Q(users_group__in=profile_groups)).distinct())
reader_studies = (get_objects_for_user(
user=self.request.user,
perms="view_readerstudy",
klass=ReaderStudy,
use_groups=True,
).filter(
Q(editors_group__in=profile_groups)
| Q(readers_group__in=profile_groups)).distinct())
challenges = Challenge.objects.filter(
Q(admins_group__in=profile_groups)
| Q(participants_group__in=profile_groups),
hidden=False,
).distinct()
algorithms = (get_objects_for_user(
user=self.request.user,
perms="view_algorithm",
klass=Algorithm,
use_groups=True,
).filter(
Q(editors_group__in=profile_groups)
| Q(users_group__in=profile_groups)).distinct())
checker = ObjectPermissionChecker(user_or_group=profile_user)
for qs in [
archives,
reader_studies,
challenges,
algorithms,
]:
# Perms can only be prefetched for sets of the same objects
checker.prefetch_perms(objects=qs)
object_list = [
*archives,
*reader_studies,
*challenges,
*algorithms,
]
role = {}
for obj in object_list:
obj_perms = checker.get_perms(obj)
if f"change_{obj._meta.model_name}" in obj_perms:
role[obj] = "editor"
elif f"view_{obj._meta.model_name}" in obj_perms:
role[obj] = "user"
else:
role[obj] = "participant"
context.update({
"object_list":
object_list,
"object_role":
role,
"num_submissions":
Submission.objects.filter(creator=profile_user).count(),
"num_algorithms_run":
Job.objects.filter(creator=profile_user).count(),
"organizations":
organizations,
})
return context
def cmd(request): ##命令行
if request.method == "GET":
obj = get_objects_for_user(request.user, 'asset.change_asset')
return render(request, 'tasks/cmd.html', {
'asset_list': obj,
"tasks_active": "active",
"cmd_active": "active"
})
if request.method == 'POST':
ids = request.POST.getlist('id')
cmd = request.POST.get('cmd', None)
user = User.objects.get(username=request.user)
checker = ObjectPermissionChecker(user)
ids1 = []
for i in ids:
assets = asset.objects.get(id=i)
if checker.has_perm(
'task_asset',
assets,
) == True:
ids1.append(i)
else:
error_3 = "主机没有权限"
ret = {"error": error_3, "status": False}
return HttpResponse(json.dumps(ret))
user = request.user
idstring = ','.join(ids1)
if not ids:
error_1 = "请选择主机"
ret = {"error": error_1, "status": False}
return HttpResponse(json.dumps(ret))
elif not cmd:
error_2 = "请输入命令"
ret = {"error": error_2, "status": False}
return HttpResponse(json.dumps(ret))
obj = asset.objects.extra(where=['id IN (' + idstring + ')'])
ret = {}
ret['data'] = []
for i in obj:
try:
password = decrypt_p(i.system_user.password)
s = ssh(ip=i.network_ip,
port=i.port,
username=i.system_user.username,
password=password,
cmd=cmd)
historys = history.objects.create(ip=i.network_ip,
root=i.system_user,
port=i.port,
cmd=cmd,
user=user)
if s == None or s['data'] == '':
s = {}
s['ip'] = i.network_ip
s['data'] = "返回值为空,可能是权限不够。"
ret['data'].append(s)
except Exception as e:
ret['data'].append({
"ip": i.network_ip,
"data": "账号密码不对,{}".format(e)
})
return HttpResponse(json.dumps(ret))
def create_space(request):
"""
Returns a SpaceForm form to fill with data to create a new space. There
is an attached EntityFormset to save the entities related to the space.
Every user in the platform is allowed to create spaces. Once it's created
we assign the administration permissions to the user, along with some
others for the sake of functionality.
.. note:: Since everyone can have the ability to create spaces, instead
of checking for the add_space permission we just ask for login.
:attributes: - space_form: empty SpaceForm instance
- entity_forms: empty EntityFormSet
:permissions required: login_required
:rtype: Space object, multiple entity objects.
:context: form, entityformset
"""
space_form = SpaceForm(request.POST or None, request.FILES or None)
entity_forms = EntityFormSet(request.POST or None, request.FILES or None,
queryset=Entity.objects.none())
if request.method == 'POST':
if space_form.is_valid() and entity_forms.is_valid():
space_form_uncommited = space_form.save(commit=False)
space_form_uncommited.author = request.user
new_space = space_form_uncommited.save()
space = get_object_or_404(Space, name=space_form_uncommited.name)
ef_uncommited = entity_forms.save(commit=False)
for ef in ef_uncommited:
ef.space = space
ef.save()
# We add the created spaces to the user allowed spaces
# space.admins.add(request.user)
space_form.save_m2m()
# Assign permissions to the user so he can chenge everything in the
# space
assign_perm('view_space', request.user, space)
assign_perm('change_space', request.user, space)
assign_perm('delete_space', request.user, space)
assign_perm('admin_space', request.user, space)
if DEBUG:
# This will tell us if the user got the right permissions for
# the object
un = request.user.username
u = ObjectPermissionChecker(request.user) # Avoid unnecesary queries for the permission checks
print """Space permissions for user '%s':
View: %s
Change: %s
Delete: %s
Admin: %s
Mod: %s
""" % (un, u.has_perm('view_space', space),
u.has_perm('change_space', space),
u.has_perm('delete_space', space),
u.has_perm('admin_space', space),
u.has_perm('mod_space', space))
return HttpResponseRedirect(reverse(urln.SPACE_INDEX,
kwargs={'space_url': space.url}))
return render_to_response('spaces/space_form.html',
{'form': space_form,
'entityformset': entity_forms},
context_instance=RequestContext(request))
