def get_user_perms(user, obj): """ Returns permissions for given user and object pair, as list of strings, only those assigned directly for the user. """ check = ObjectPermissionChecker(user) return check.get_user_perms(obj)
def test_group_assing(self): assign("change_flatpage", self.group, self.flatpage) assign("delete_flatpage", self.group, self.flatpage) check = ObjectPermissionChecker(self.group) self.assertTrue(check.has_perm("change_flatpage", self.flatpage)) self.assertTrue(check.has_perm("delete_flatpage", self.flatpage))
def test_group_assing(self): assign("change_keycard", self.group, self.keycard) assign("delete_keycard", self.group, self.keycard) check = ObjectPermissionChecker(self.group) self.assertTrue(check.has_perm("change_keycard", self.keycard)) self.assertTrue(check.has_perm("delete_keycard", self.keycard))
def assign_perm(self, perm, user, obj): """ Assigns permission with given ``perm`` for an instance ``obj`` and ``user``. """ if getattr(obj, 'pk', None) is None: raise ObjectNotPersisted("Object %s needs to be persisted first" % obj) ctype = ContentType.objects.get_for_model(obj) permission = Permission.objects.get(content_type=ctype, codename=perm) kwargs = {'permission': permission, 'user': user} if self.is_generic(): kwargs['content_type'] = ctype kwargs['object_pk'] = obj.pk else: kwargs['content_object'] = obj obj_perm, created = self.get_or_create(**kwargs) # Add to cache check = ObjectPermissionChecker(user) key = check.get_local_cache_key(obj) cache_perms = cache.get(key) if cache_perms is not None and perm not in cache_perms: cache_perms.append(perm) cache.set(key, cache_perms) return obj_perm
def remove_perm(self, perm, user, obj): """ Removes permission ``perm`` for an instance ``obj`` and given ``user``. Please note that we do NOT fetch object permission from database - we use ``Queryset.delete`` method for removing it. Main implication of this is that ``post_delete`` signals would NOT be fired. """ if getattr(obj, 'pk', None) is None: raise ObjectNotPersisted("Object %s needs to be persisted first" % obj) filters = { 'permission__codename': perm, 'permission__content_type': ContentType.objects.get_for_model(obj), 'user': user, } if self.is_generic(): filters['object_pk'] = obj.pk else: filters['content_object__pk'] = obj.pk self.filter(**filters).delete() #Remove for cache check = ObjectPermissionChecker(user) key = check.get_local_cache_key(obj) cache_perms = cache.get(key) if cache_perms is not None and perm in cache_perms: cache_index = 0 for cache_perm in cache_perms: if perm == cache_perm: cache_perms.pop(cache_index) break cache_index += 1 cache.set(key, cache_perms)
def recent(request, page=1): checker = ObjectPermissionChecker(request.user) submissions = Submission.objects.all().order_by("-id") filters = {} empty_message = u"제출된 답안이 없습니다." title_add = [] # only superuser can see all nonpublic submissions. # as an exception, if we are filtering by a problem, the author can see # nonpublic submissions. also, everybody can see their nonpublic # submissions. only_public = not request.user.is_superuser if request.GET.get("problem"): slug = request.GET["problem"] problem = get_object_or_404(Problem, slug=slug) if request.user == problem.user or checker.has_perm('read_problem', problem): only_public = False if (problem.state != Problem.PUBLISHED and request.user != problem.user and not checker.has_perm('read_problem', problem)): raise Http404 submissions = submissions.filter(problem=problem) title_add.append(slug) filters["problem"] = slug if "state" in request.GET: state = request.GET["state"] submissions = submissions.filter(state=state) filters["state"] = state title_add.append(Submission.STATES_KOR[int(state)]) if request.GET.get("user"): username = request.GET["user"] user = get_or_none(User, username=username) if not user: empty_message = u"해당 사용자가 없습니다." submissions = submissions.none() else: submissions = submissions.filter(user=user) filters["user"] = username title_add.append(username) if user == request.user: only_public = False if only_public: submissions = submissions.filter(is_public=True) return render(request, "submission/recent.html", {"title": u"답안 목록" + (": " if title_add else "") + ",".join(title_add), "filters": filters, "empty_message": empty_message, "pagination": setup_paginator(submissions, page, "judge-submission-recent", {}, filters)})
def test_get_perms(self): group = Group.objects.create(name='group') obj1 = ContentType.objects.create(name='ct1', model='foo', app_label='guardian-tests') obj2 = ContentType.objects.create(name='ct2', model='bar', app_label='guardian-tests') assign_perms = { group: ('change_group', 'delete_group'), obj1: ('change_contenttype', 'delete_contenttype'), obj2: ('delete_contenttype',), } check = ObjectPermissionChecker(self.user) for obj, perms in assign_perms.items(): for perm in perms: UserObjectPermission.objects.assign_perm(perm, self.user, obj) self.assertEqual(sorted(perms), sorted(check.get_perms(obj))) check = ObjectPermissionChecker(self.group) for obj, perms in assign_perms.items(): for perm in perms: GroupObjectPermission.objects.assign_perm(perm, self.group, obj) self.assertEqual(sorted(perms), sorted(check.get_perms(obj)))
def go(): problem = get_or_none(Problem, id=id) if not problem: return {"success": False, "error": u"존재하지 않는 문제입니다."} checker = ObjectPermissionChecker(request.user) if not checker.has_perm('edit_problem', problem) and problem.user != request.user: return {"success": False, "error": u"권한이 없습니다."} if request.method != "POST": return {"success": False, "error": u"POST 접근하셔야 합니다."} file = request.FILES["file"] md5 = md5file(file) target_path = os.path.join("judge-attachments", md5, file.name) storage = DefaultStorage() storage.save(target_path, file) new_attachment = Attachment(problem=problem, file=target_path) new_attachment.save() # 해당 오브젝트에 대해 아무 퍼미션이나 있으면 처리됨. 문제의 경우 PUBLISHED 일 때는 이 권한을 사용하지 않아서 안전하다 visible_users = get_users_with_perms(problem, with_group_users=False) visible_groups = get_groups_with_perms(problem) publish("problem-attachment-%s" % datetime.now().strftime('%s.%f'), "problem", "problem-attachment", actor=request.user, target=problem, timestamp=datetime.now(), visible_users=visible_users, visible_groups=visible_groups, verb=u"문제 {target}에 첨부파일 %s 을 추가했습니다." % file.name) return {"success": True}
def has_perm(self, user_obj, perm, obj=None): """ Returns ``True`` if given ``user_obj`` has ``perm`` for ``obj``. If no ``obj`` is given, ``False`` is returned. .. note:: Remember, that if user is not *active*, all checks would return ``False``. Main difference between Django's ``ModelBackend`` is that we can pass ``obj`` instance here and ``perm`` doesn't have to contain ``app_label`` as it can be retrieved from given ``obj``. **Inactive user support** If user is authenticated but inactive at the same time, all checks always returns ``False``. """ # check if user_obj and object are supported support, user_obj = check_support(user_obj, obj) if not support: return False if '.' in perm: app_label, perm = perm.split('.') if app_label != obj._meta.app_label: raise WrongAppError("Passed perm has app label of '%s' and " "given obj has '%s'" % (app_label, obj._meta.app_label)) check = ObjectPermissionChecker(user_obj) return check.has_perm(perm, obj)
def check_user_role(user, project, roles): """Check that a user has one of a set of roles for a project. Administrator role satisfies any requirement. """ # Prefetch all user permissions for project. checker = ObjectPermissionChecker(user) # Check for admin privs in all cases. has_role = checker.has_perm('can_administer', project) if not has_role: # Check the indicated role(s) if isinstance(roles, string_types): roles = [roles] for role in roles: if role == UserRole.Annotate: has_role = checker.has_perm('can_annotate', project) elif role == UserRole.Browse: has_role = checker.has_perm('can_browse', project) elif role == UserRole.Import: has_role = checker.has_perm('can_import', project) if has_role: break return has_role
def test_group_assign_perm(self): assign_perm("change_contenttype", self.group, self.ctype) assign_perm("delete_contenttype", self.group, self.ctype) check = ObjectPermissionChecker(self.group) self.assertTrue(check.has_perm("change_contenttype", self.ctype)) self.assertTrue(check.has_perm("delete_contenttype", self.ctype))
def test_group_remove_perm(self): # assign perm first assign("change_flatpage", self.group, self.flatpage) remove_perm("change_flatpage", self.group, self.flatpage) check = ObjectPermissionChecker(self.group) self.assertFalse(check.has_perm("change_flatpage", self.flatpage))
def document_permission_overview(user, document): can_edit = user.has_perm(document.edit_permission_name, document) if not can_edit: return [] main_groups = [ settings.ANONYMOUS_GROUP_NAME, settings.UNIVERSITY_GROUP_NAME, settings.STUDENT_GROUP_NAME, settings.STAFF_GROUP_NAME, ] permissions = [] for group_name in main_groups: group = Group.objects.get(name=group_name) checker = ObjectPermissionChecker(group) checker.prefetch_perms([document]) if checker.has_perm(document.edit_permission_name, document): permissions.append((group.name, "edit")) elif checker.has_perm(document.view_permission_name, document): permissions.append((group.name, "view")) else: permissions.append((group.name, "none")) for group in Group.objects.exclude(name__in=main_groups): checker = ObjectPermissionChecker(group) checker.prefetch_perms([document]) if checker.has_perm(document.edit_permission_name, document): permissions.append((group.name, "edit")) elif checker.has_perm(document.view_permission_name, document): permissions.append((group.name, "view")) return permissions
def test_publish_student_button(self): """ Test if the publish for students only button works """ staff_group = Group.objects.get(name=settings.STAFF_GROUP_NAME) document = mommy.make(MinutesDocument, participants=self.participants, moderator=self.moderator, state=MinutesDocument.UNPUBLISHED) document.set_all_permissions(staff_group) # The 4 sets the state to published_student self.app.get(reverse('documents:publish', args=[document.url_title, 4]), user=self.user) document = MinutesDocument.objects.get(url_title=document.url_title) self.assertEqual(document.state, MinutesDocument.PUBLISHED_STUDENT) group = Group.objects.get(name=settings.UNIVERSITY_GROUP_NAME) checker = ObjectPermissionChecker(group) self.assertFalse(checker.has_perm(document.view_permission_name, document)) self.assertFalse(checker.has_perm(document.edit_permission_name, document)) self.assertFalse(checker.has_perm(document.delete_permission_name, document)) group = Group.objects.get(name=settings.STUDENT_GROUP_NAME) checker = ObjectPermissionChecker(group) self.assertTrue(checker.has_perm(document.view_permission_name, document)) self.assertFalse(checker.has_perm(document.edit_permission_name, document)) self.assertFalse(checker.has_perm(document.delete_permission_name, document)) checker = ObjectPermissionChecker(staff_group) self.assertTrue(checker.has_perm(document.view_permission_name, document)) self.assertTrue(checker.has_perm(document.edit_permission_name, document)) self.assertTrue(checker.has_perm(document.delete_permission_name, document))
def test_group_remove_perm_queryset(self): assign_perm("change_contenttype", self.group, self.ctype_qset) remove_perm("change_contenttype", self.group, self.ctype_qset) check = ObjectPermissionChecker(self.group) for obj in self.ctype_qset: self.assertFalse(check.has_perm("change_contenttype", obj))
def read(request, id): post = get_object_or_404(Post, id=id) category = post.category checker = ObjectPermissionChecker(request.user) if not checker.has_perm('read_post', category): return HttpResponseForbidden("Restricted post") return render(request, "read.html", {"post": post, "category": category})
def diff(request, id1, id2): rev1 = get_object_or_404(ProblemRevision, id=id1) rev2 = get_object_or_404(ProblemRevision, id=id2) problem = rev1.revision_for checker = ObjectPermissionChecker(request.user) if (not checker.has_perm('read_problem', problem) and problem.user != request.user): raise Http404 dmp = diff_match_patch() def differ(text1, text2): return text1 != text2 and dmp.diff_main(text1, text2) or None return render(request, "problem/diff.html", {"problem": problem, "editable": checker.has_perm('edit_problem', problem), "rev1": rev1, "rev2": rev2, "rev1link": reverse("judge-problem-old", kwargs={"id": rev1.id, "slug": problem.slug}), "rev2link": reverse("judge-problem-old", kwargs={"id": rev2.id, "slug": problem.slug}), "description": differ(rev1.description, rev2.description), "input": differ(rev1.input, rev2.input), "output": differ(rev1.output, rev2.output), "sample_input": differ(rev1.sample_input, rev2.sample_input), "sample_output": differ(rev1.sample_output, rev2.sample_output), "note": differ(rev1.note, rev2.note), "differ": differ})
def test_group_remove_perm(self): # assign perm first assign_perm("change_contenttype", self.group, self.ctype) remove_perm("change_contenttype", self.group, self.ctype) check = ObjectPermissionChecker(self.group) self.assertFalse(check.has_perm("change_contenttype", self.ctype))
def stat(request, slug, page=1): problem = get_object_or_404(Problem, slug=slug) checker = ObjectPermissionChecker(request.user) if (problem.state != Problem.PUBLISHED and not checker.has_perm('read_problem', problem) and problem.user != request.user): raise Http404 submissions = Submission.objects.filter(problem=problem) verdict_chart = Submission.get_verdict_distribution_graph(submissions) incorrect_tries_chart = Solver.get_incorrect_tries_chart(problem) solvers = Solver.objects.filter(problem=problem, solved=True) order_by = request.GET.get('order_by', 'shortest') if order_by.endswith('fastest'): solvers = solvers.order_by(order_by + '_submission__time') elif order_by.endswith('shortest'): solvers = solvers.order_by(order_by + '_submission__length') else: solvers = solvers.order_by(order_by) pagination = setup_paginator(solvers, page, 'judge-problem-stat', {'slug': slug}, request.GET) title = problem.slug + u': 해결한 사람들' return render(request, "problem/stat.html", {'title': title, 'problem': problem, 'editable': checker.has_perm('edit_problem', problem), 'verdict_chart': verdict_chart, 'incorrects_chart': incorrect_tries_chart, 'pagination': pagination, })
def delete_attachment(request, id): attachment = get_object_or_404(Attachment, id=id) problem = attachment.problem checker = ObjectPermissionChecker(request.user) if not checker.has_perm('edit_problem', problem) and problem.user != request.user: raise Http404 old_id = attachment.id old_filename = attachment.file.name attachment.file.delete(False) attachment.delete() # 해당 오브젝트에 대해 아무 퍼미션이나 있으면 처리됨. 문제의 경우 PUBLISHED 일 때는 이 권한을 사용하지 않아서 안전하다 visible_users = get_users_with_perms(problem, with_group_users=False) visible_groups = get_groups_with_perms(problem) publish("problem-attachment-delete-%s" % datetime.now().strftime('%s.%f'), "problem", "problem-attachment", actor=request.user, target=problem, timestamp=datetime.now(), visible_users=visible_users, visible_groups=visible_groups, verb=u"문제 {target}에서 첨부파일 %s 을 삭제했습니다." % os.path.basename(old_filename)) return HttpResponse("[]")
def test_has_perms_using_parent_object(self): group = Group.objects.create(name='group') obj1 = ContentType.objects.create( name='ct1', model='foo', app_label='guardian-tests') obj2 = ContentType.objects.create( name='ct2', model='bar', app_label='guardian-tests') obj2.get_parent_object_permission = lambda: (obj1,) assign_perms = { group: ('change_group', 'delete_group'), obj1: ('change_contenttype', 'delete_contenttype'), obj2: ('delete_contenttype',), } # for user check = ObjectPermissionChecker(self.user) self.assign_perms(UserObjectPermission, assign_perms[obj1], self.user, obj1) self.assign_perms(UserObjectPermission, assign_perms[obj2], self.user, obj2) print "\n\n\n", '*'*30 for perm in sorted(chain(assign_perms[obj1], assign_perms[obj2])): print 'checking perm %s in %s' % (perm, obj2) self.assertTrue(check.has_perm(perm, obj2)) # for group check = ObjectPermissionChecker(self.group) self.assign_perms(GroupObjectPermission, assign_perms[obj1], self.group, obj1) self.assign_perms(GroupObjectPermission, assign_perms[obj2], self.group, obj2) print "\n\n\n", '-'*30 for perm in sorted(chain(assign_perms[obj1], assign_perms[obj2])): print 'checking perm %s in %s' % (perm, obj2) self.assertTrue(check.has_perm(perm, obj2))
def get_perms(user_or_group, obj, field="codename"): """ Returns permissions for given user/group and object pair, as list of strings. """ check = ObjectPermissionChecker(user_or_group) return check.get_perms(obj, values_field=field)
def get_organization_perms(user_or_group, obj): """ Returns permissions for given user/group and object pair, as list of strings. It returns only those which are inferred through groups. """ check = ObjectPermissionChecker(user_or_group) return check.get_organization_perms(obj)
def test_group_remove_perm(self): # assign perm first assign("change_keycard", self.group, self.keycard) remove_perm("change_keycard", self.group, self.keycard) check = ObjectPermissionChecker(self.group) self.assertFalse(check.has_perm("change_keycard", self.keycard))
def test_setannotationpermissions_sets_correct_permissions( self, AnnotationSet ): admins_group = Group.objects.get( name=settings.RETINA_ADMINS_GROUP_NAME ) graders_group = Group.objects.get( name=settings.RETINA_GRADERS_GROUP_NAME ) AnnotationSet.grader.groups.add(graders_group) call_command("setannotationpermissions") checker = ObjectPermissionChecker(AnnotationSet.grader) group_perms = Permission.objects.filter( group=admins_group ).values_list("codename", flat=True) for annotation_model in ANNOTATION_MODELS: annotation_codename = annotation_model._meta.model_name for annotation in annotation_model.objects.all(): perms = checker.get_perms(annotation) for permission_type in annotation._meta.default_permissions: assert f"{permission_type}_{annotation_codename}" in perms for permission_type in annotation._meta.default_permissions: assert ( f"{permission_type}_{annotation_codename}" in group_perms )
def bulk_assign_perm(self, perm, user_or_group, queryset): """ Bulk assigns permissions with given ``perm`` for an objects in ``queryset`` and ``user_or_group``. """ ctype = get_content_type(queryset.model) if not isinstance(perm, Permission): permission = Permission.objects.get(content_type=ctype, codename=perm) else: permission = perm checker = ObjectPermissionChecker(user_or_group) checker.prefetch_perms(queryset) assigned_perms = [] for instance in queryset: if not checker.has_perm(permission.codename, instance): kwargs = {'permission': permission, self.user_or_group_field: user_or_group} if self.is_generic(): kwargs['content_type'] = ctype kwargs['object_pk'] = instance.pk else: kwargs['content_object'] = instance assigned_perms.append(self.model(**kwargs)) self.model.objects.bulk_create(assigned_perms) return assigned_perms
def render(self, context): for_whom = self.for_whom.resolve(context) if isinstance(for_whom, get_user_model()): self.user = for_whom self.group = None elif isinstance(for_whom, AnonymousUser): self.user = get_user_model().get_anonymous() self.group = None elif isinstance(for_whom, Group): self.user = None self.group = for_whom elif isinstance(for_whom, Organization): self.user = None self.group = for_whom else: raise NotUserNorGroup("User or Group instance required (got %s)" % for_whom.__class__) obj = self.obj.resolve(context) if not obj: return '' check = ObjectPermissionChecker(for_whom) perms = check.get_perms(obj, include_group_perms=self.include_group_permissions) context[self.context_var] = perms return ''
def allow_bulk_destroy_resources(self, user, resource_list): """User must have admin permissions to delete collections.""" checker = ObjectPermissionChecker(user) for collection in resource_list: if not checker.has_perm('admin_collection', collection): return False return True
def get_perms(user_or_group, obj): """ Returns permissions for given user/group and object pair, as list of strings. """ check = ObjectPermissionChecker(user_or_group) return check.get_perms(obj)
def item_check(self, object_list, bundle, permission): if not self.base_check(object_list, bundle): raise Unauthorized("You are not allowed to access that resource.") checker = ObjectPermissionChecker(bundle.request.user) if not checker.has_perm(permission, bundle.obj): raise Unauthorized("You are not allowed to access that resource.") return True
def render(self, context): for_whom = self.for_whom.resolve(context) if isinstance(for_whom, get_user_model()): self.user = for_whom self.group = None elif isinstance(for_whom, AnonymousUser): self.user = get_user_model().get_anonymous() self.group = None elif isinstance(for_whom, Group): self.user = None self.group = for_whom else: raise NotUserNorGroup("User or Group instance required (got %s)" % for_whom.__class__) obj = self.obj.resolve(context) if not obj: return '' check = self.checker.resolve( context) if self.checker else ObjectPermissionChecker(for_whom) perms = check.get_perms(obj) context[self.context_var] = perms return ''
def _preload_permissions(self): units = set() resource_groups = set() resources = set() checker = ObjectPermissionChecker(self.request.user) for rv in self._page: resources.add(rv.resource) rv.resource._permission_checker = checker for res in resources: units.add(res.unit) for g in res.groups.all(): resource_groups.add(g) if units: checker.prefetch_perms(units) if resource_groups: checker.prefetch_perms(resource_groups)
def assign_user_profile(user, _model, admins=[]): """ Assign Object(model) permission for the object's associated user and site administrators :param user: the object's associated user :param _model: the object itself :param admins: optional administrators for control and security reasons :return: Boolean """ for admin in admins: admin_checker = ObjectPermissionChecker(admin) admin_has_perm = admin_checker.has_perm("profile_user", _model) if not admin_has_perm: assign_perm("profile_user", admin, _model) checker = ObjectPermissionChecker(user) has_perm = checker.has_perm("profile_user", _model) if not has_perm: assign_perm("profile_user", user, _model) return user.has_perm("profile_user", _model)
def get_permissions(user_or_group: Union[User, Group], object_list: QuerySet) -> List[ObjectPermission]: permissions = [] perm_checker = ObjectPermissionChecker(user_or_group) perm_checker.prefetch_perms(object_list) opts = object_list.model._meta perm_view = get_permission_codename('view', opts) perm_change = get_permission_codename('change', opts) perm_delete = get_permission_codename('delete', opts) for obj in object_list: permissions.append( ObjectPermission( obj=obj, can_view=perm_checker.has_perm(perm_view, obj), can_change=perm_checker.has_perm(perm_change, obj), can_delete=perm_checker.has_perm(perm_delete, obj), ) ) return permissions
def has_object_permission(self, request, view, obj): checker = ObjectPermissionChecker(request.user) return checker.has_perm("profile_user", obj)
def check_permissions(permission_type, user, obj): checker = ObjectPermissionChecker(user) class_lower_name = obj.__class__.__name__.lower() perm = '{0}_{1}'.format(permission_type, class_lower_name) return checker.has_perm(perm, obj)
def get_all_permissions(user, object_list): checker = ObjectPermissionChecker(user) checker.prefetch_perms(object_list) return {obj.pk: checker.get_perms(obj) for obj in object_list}
def index(request, catalog_id='', slug=''): catalog = None if catalog_id: catalog = get_object_or_404(ZCatalog, id=catalog_id) elif slug: catalog = get_object_or_404(ZCatalog, latin_title=slug) else: raise Http404() checker = ObjectPermissionChecker(request.user) if not checker.has_perm('view_zcatalog', catalog): return HttpResponse(u'Доступ запрещен') if not catalog.can_search: return HttpResponse(u"Каталог не доступен для поиска.") zgate_url = catalog.url if request.method == 'POST' and 'SESSION_ID' in request.POST: log_search_request(request, catalog) (result, cookies) = zworker.request(zgate_url, data=request.POST, cookies=request.COOKIES) response = render_search_result( request, catalog, zresult=result, ) return set_cookies_to_response(cookies, response) else: if 'zstate' in request.GET: #а тут пользователь уже начал щелкать по ссылкам if 'ACTION' in request.GET and request.GET['ACTION'] == 'pq': return save_requests(request, catalog) url = zgate_url + '?' + request.GET['zstate'].replace(' ', '+') vars = request.GET['zstate'].split(' ') cookies = {} if vars[0] == 'form': try: (zresult, cookies) = zworker.request(url, cookies=request.COOKIES) except Exception: return HttpResponse( u'Получен некорретный ответ. Попробуйте осуществить поиск еще раз.' ) response = render_form(request, zresult=zresult, catalog=catalog) return set_cookies_to_response(cookies, response) elif vars[0] == 'present': if vars[4] == '1' and vars[5] == 'F': try: response = render_detail(request, catalog) except Exception: return HttpResponse( u'Сервер не может корректно отобразить результат. Повторите запрос еще раз.' ) return set_cookies_to_response(cookies, response) response = render_search_result(request, catalog) return set_cookies_to_response(cookies, response) else: response = render_search_result(request, catalog) return set_cookies_to_response(cookies, response) else: #значит только инициализация формы # if not catalog.can_search: # return Htt (zgate_form, cookies) = zworker.get_zgate_form(zgate_url=zgate_url, xml=catalog.xml, xsl=catalog.xsl, cookies=request.COOKIES) response = render_form(request, zgate_form, catalog) return set_cookies_to_response(cookies, response)
def check_permissions(self, request): user = request.user region = Region.objects.get(pk=self.kwargs['pk']) checker = ObjectPermissionChecker(user) response = checker.has_perm('financiero', region) return response
def sftp_file(request): ##上传 if request.method == "GET": obj = get_objects_for_user(request.user, 'asset.change_asset') return render(request, 'tasks/sftp.html', { 'asset_list': obj, "tasks_active": "active", "sftp_active": "active" }) if request.method == 'POST': ids = request.POST.getlist('id') user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) local_path = request.POST.get("local_path") server_path = request.POST.get("server_path") ids1 = [] for i in ids: assets = asset.objects.get(id=i) if checker.has_perm( 'delete_asset', assets, ) == True: ids1.append(i) user = request.user idstring = ','.join(ids1) if not ids: error_1 = "请选择主机" ret = {"error": error_1, "status": False} return HttpResponse(json.dumps(ret)) elif not local_path or not server_path: error_2 = "请输入上传文件目录及文件名" ret = {"error": error_2, "status": False} return HttpResponse(json.dumps(ret)) obj = asset.objects.extra(where=['id IN (' + idstring + ')']) ret = {} ret['data'] = [] for i in obj: try: s = sftp(ip=i.network_ip, port=i.port, username=i.system_user.username, password=i.system_user.password, local_path=local_path, server_path=server_path) historys = history.objects.create( ip=i.network_ip, root=i.system_user, port=i.port, cmd="上传{}".format(server_path), user=user) if s == None or s['data'] == '': s = {} s['ip'] = i.network_ip s['data'] = "返回值为空,可能是权限不够。" ret['data'].append(s) except Exception as e: ret['data'].append({ "ip": i.network_ip, "data": "账号密码不对,{}".format(e) }) return HttpResponse(json.dumps(ret))
def tools_script_post(request): ret = {'data': None} if request.method == 'POST': try: host_ids = request.POST.getlist('id', None) sh_id = request.POST.get('shid', None) user = request.user if not host_ids: error1 = "请选择主机" ret = {"error": error1, "status": False} return HttpResponse(json.dumps(ret)) user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) ids1 = [] for i in host_ids: assets = asset.objects.get(id=i) if checker.has_perm( 'delete_asset', assets, ) == True: ids1.append(i) idstring = ','.join(ids1) host = asset.objects.extra(where=['id IN (' + idstring + ')']) sh = toolsscript.objects.filter(id=sh_id) for s in sh: if s.tool_run_type == 0: with open('tasks/script/test.sh', 'w+') as f: f.write(s.tool_script) a = 'tasks/script/{}.sh'.format(s.id) os.system( "sed 's/\r//' tasks/script/test.sh > {}".format(a)) elif s.tool_run_type == 1: with open('tasks/script/test.py', 'w+') as f: f.write(s.tool_script) p = 'tasks/script/{}.py'.format(s.id) os.system( "sed 's/\r//' tasks/script/test.py > {}".format(p)) elif s.tool_run_type == 2: with open('tasks/script/test.yml', 'w+') as f: f.write(s.tool_script) y = 'tasks/script/{}.yml'.format(s.id) os.system( "sed 's/\r//' tasks/script/test.yml > {}".format(y)) else: ret['status'] = False ret['error'] = '脚本类型错误,只能是shell、yml、python' return HttpResponse(json.dumps(ret)) data1 = [] for h in host: try: data2 = {} assets = [ { "hostname": h.hostname, "ip": h.network_ip, "port": h.port, "username": h.system_user.username, "password": h.system_user.password, }, ] history.objects.create(ip=h.network_ip, root=h.system_user.username, port=h.port, cmd=s.name, user=user) if s.tool_run_type == 0: task_tuple = (('script', a), ) hoc = AdHocRunner(hosts=assets) hoc.results_callback = CommandResultCallback() r = hoc.run(task_tuple) data2['ip'] = h.network_ip data2['data'] = r['contacted'][ h.hostname]['stdout'] data1.append(data2) elif s.tool_run_type == 1: task_tuple = (('script', p), ) hoc = AdHocRunner(hosts=assets) hoc.results_callback = CommandResultCallback() r = hoc.run(task_tuple) data2['ip'] = h.network_ip data2['data'] = r['contacted'][ h.hostname]['stdout'] data1.append(data2) elif s.tool_run_type == 2: play = PlayBookRunner(assets, playbook_path=y) b = play.run() data2['ip'] = h.network_ip data2['data'] = b['plays'][0]['tasks'][1]['hosts'][h.hostname]['stdout'] + \ b['plays'][0]['tasks'][1]['hosts'][h.hostname]['stderr'] data1.append(data2) else: data2['ip'] = "脚本类型错误" data2['data'] = "脚本类型错误" except Exception as e: data2['ip'] = h.network_ip data2[ 'data'] = "账号密码不对,或没有权限,请修改{}, 请查看主机资产中的 主机名 ,此值不能为空,可随便填写一个。 ".format( e) data1.append(data2) ret['data'] = data1 return HttpResponse(json.dumps(ret)) except Exception as e: ret['error'] = '未知错误 {}'.format(e) return HttpResponse(json.dumps(ret))
def Inception_exe(request): ##Inception 执行 if request.method == 'POST': ids = request.POST.getlist('id') sql_db = request.POST.get('sql', None) user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) ids1 = [] for i in ids: assets = db_mysql.objects.get(id=i) if checker.has_perm( 'task_db_mysql', db_mysql, ) == True: ids1.append(i) else: error_3 = "数据库没有权限" ret = {"error": error_3, "status": False} return HttpResponse(json.dumps(ret)) user = request.user idstring = ','.join(ids1) if not ids: error_1 = "请选择数据库" ret = {"error": error_1, "status": False} return HttpResponse(json.dumps(ret)) elif not sql_db: error_2 = "请输入命令" ret = {"error": error_2, "status": False} return HttpResponse(json.dumps(ret)) obj = db_mysql.objects.extra(where=['id IN (' + idstring + ')']) ret = {} ret['data'] = [] for i in obj: try: historys = history.objects.create(ip=i.ip, root=i.db_user.username, port=i.port, cmd="执行:{}".format(sql_db), user=user) password = decrypt_p(i.db_user.password) s = sql_exe(user=i.db_user.username, password=password, host=i.ip, port=i.port, sqls=sql_db) if s == None or s['data'] == '': s = {} s['ip'] = i.ip s['data'] = "返回值为空,可能是权限不够。" ret['data'].append(s) except Exception as e: ret['data'].append({"ip": i.ip, "data": "账号密码不对,{}".format(e)}) return HttpResponse(json.dumps(ret))
def has_perm(obj, user, perm): if hasattr(obj, 'perm'): return ObjectPermissionChecker(user).has_perm( perm, obj) if guardian else user.has_perm(obj.perm(perm)) else: return False
def has_manage_permissions(self, reservables, user): checker = ObjectPermissionChecker(user) for r in reservables.all(): if not checker.has_perm('manage_reservations', r): return False return True
def post(self, request): ##命令行 ids = request.POST.getlist('id') code_id = request.POST.get('code_id', None) dest = request.POST.get('dest', None) user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) ids1 = [] for i in ids: assets = asset.objects.get(id=i) if checker.has_perm( 'task_asset', assets, ) == True: ids1.append(i) else: error_3 = "主机没有权限" ret = {"error": error_3, "status": False} return HttpResponse(json.dumps(ret)) idstring = ','.join(ids1) if not ids: error_1 = "请选择主机" ret = {"error": error_1, "status": False} return HttpResponse(json.dumps(ret)) obj = asset.objects.extra(where=['id IN (' + idstring + ')']) ret = {'data': []} tasks = [] file = codebase.objects.get(id=code_id) for i in obj: try: assets = [ { "hostname": 'host', "ip": i.network_ip, "port": i.port, "username": i.system_user.username, "password": decrypt_p(i.system_user.password), }, ] tasks = [ { "action": { "module": "copy", "args": "src=./upload/{0} {1}".format( file.file.name, dest) }, "name": "copy_code" }, ] inventory = BaseInventory(assets) runner = AdHocRunner(inventory) retsult = runner.run(tasks, "all") ret1 = [] try: ret1.append( "分发成功 {} 备注:如果前面返回值为 false,表示已经分发完成了,请不要重复分发。". format(retsult.results_raw['ok']['host']['copy_code'] ['changed'])) except Exception as e: if retsult.results_summary['dark'] == {}: ret1.append("执行成功") else: ret1.append("命令有问题,{}".format( retsult.results_summary['dark'])) history.objects.create(ip=i.network_ip, root=i.system_user, port=i.port, cmd="上传 {} 到 {}".format( file.name, dest), user=user) ret2 = {'ip': i.network_ip, 'data': '\n'.join(ret1)} ret['data'].append(ret2) except Exception as e: ret['data'].append({ "ip": i.network_ip, "data": "账号密码不对,{}".format(e) }) return HttpResponse(json.dumps(ret))
def list(request, groupid): groupid = int(groupid) try: group = Group.objects.get(id=groupid) except ObjectDoesNotExist: raise Http404 result = {} own_group = request.user.is_superuser or group in request.user.groups.all() minutes = MinutesDocument.objects.all().prefetch_related( 'labels').order_by('-date') # Prefetch group permissions group_checker = ObjectPermissionChecker(group) group_checker.prefetch_perms(minutes) # Prefetch user permissions user_checker = ObjectPermissionChecker(request.user) user_checker.prefetch_perms(minutes) # Prefetch ip group permissions ip_range_group_name = request.user._ip_range_group_name if hasattr( request.user, '_ip_range_group_name') else None if ip_range_group_name: ip_range_group = Group.objects.get(name=ip_range_group_name) ip_range_group_checker = ObjectPermissionChecker(ip_range_group) for m in minutes: # we show all documents for which the requested group has edit permissions # e.g. if you request FSR minutes, all minutes for which the FSR group has edit rights will be shown if not group_checker.has_perm(m.edit_permission_name, m): continue # we only show documents for which the user has view permissions if not user_checker.has_perm( MinutesDocument.get_view_permission(), m) and (not ip_range_group_name or not ip_range_group_checker.has_perm( MinutesDocument.get_view_permission(), m)): continue if m.date.year not in result: result[m.date.year] = [] result[m.date.year].append(m) return render( request, "minutes_list.html", { 'minutes_list': sorted(result.items(), reverse=True), 'own_group': own_group })
def test_publish_student_button(self): """ Test if the publish for students only button works """ staff_group = Group.objects.get(name=settings.STAFF_GROUP_NAME) document = mommy.make(MinutesDocument, participants=self.participants, moderator=self.moderator, state=MinutesDocument.UNPUBLISHED) document.set_all_permissions(staff_group) # The 4 sets the state to published_student self.app.get(reverse('documents:publish', args=[document.url_title, 4]), user=self.user) document = MinutesDocument.objects.get(url_title=document.url_title) self.assertEqual(document.state, MinutesDocument.PUBLISHED_STUDENT) group = Group.objects.get(name=settings.UNIVERSITY_GROUP_NAME) checker = ObjectPermissionChecker(group) self.assertFalse( checker.has_perm(document.view_permission_name, document)) self.assertFalse( checker.has_perm(document.edit_permission_name, document)) self.assertFalse( checker.has_perm(document.delete_permission_name, document)) group = Group.objects.get(name=settings.STUDENT_GROUP_NAME) checker = ObjectPermissionChecker(group) self.assertTrue( checker.has_perm(document.view_permission_name, document)) self.assertFalse( checker.has_perm(document.edit_permission_name, document)) self.assertFalse( checker.has_perm(document.delete_permission_name, document)) checker = ObjectPermissionChecker(staff_group) self.assertTrue( checker.has_perm(document.view_permission_name, document)) self.assertTrue( checker.has_perm(document.edit_permission_name, document)) self.assertTrue( checker.has_perm(document.delete_permission_name, document))
def __init__(self, user_or_group, checker=None): self.user_or_group = user_or_group self.checker = checker if checker is None: self.checker = ObjectPermissionChecker(user_or_group)
def cmd(request): ##命令行 if request.method == "GET": obj = get_objects_for_user(request.user, 'asset.change_asset') return render(request, 'tasks/cmd.html', { 'asset_list': obj, "tasks_active": "active", "cmd_active": "active" }) if request.method == 'POST': ids = request.POST.getlist('id') args = request.POST.getlist('args', None) module = request.POST.getlist('module', None) user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) ids1 = [] for i in ids: assets = asset.objects.get(id=i) if checker.has_perm( 'task_asset', assets, ) == True: ids1.append(i) else: error_3 = "主机没有权限" ret = {"error": error_3, "status": False} return HttpResponse(json.dumps(ret)) idstring = ','.join(ids1) if not ids: error_1 = "请选择主机" ret = {"error": error_1, "status": False} return HttpResponse(json.dumps(ret)) elif args == ['']: error_2 = "请输入命令" ret = {"error": error_2, "status": False} return HttpResponse(json.dumps(ret)) obj = asset.objects.extra(where=['id IN (' + idstring + ')']) ret = {'data': []} tasks = [] for x in range(len(module)): tasks.append( { "action": { "module": module[x], "args": args[x] }, "name": 'task{}'.format(x) }, ) for i in obj: try: assets = [ { "hostname": 'host', "ip": i.network_ip, "port": i.port, "username": i.system_user.username, "password": decrypt_p(i.system_user.password), }, ] inventory = BaseInventory(assets) runner = AdHocRunner(inventory) retsult = runner.run(tasks, "all") ret1 = [] for c in range(len(module)): try: ret1.append(retsult.results_raw['ok']['host'][ 'task{}'.format(c)]['stdout']) except Exception as e: if retsult.results_summary['dark'] == ['']: ret1.append("执行成功") else: ret1.append("命令有问题,{}".format( retsult.results_summary['dark'])) history.objects.create(ip=i.network_ip, root=i.system_user, port=i.port, cmd=args, user=user) ret2 = {'ip': i.network_ip, 'data': '\n'.join(ret1)} ret['data'].append(ret2) except Exception as e: ret['data'].append({ "ip": i.network_ip, "data": "账号密码不对,{}".format(e) }) return HttpResponse(json.dumps(ret))
def Inception(request): ##Inception if request.method == "GET": obj = get_objects_for_user(request.user, 'db.change_db_mysql') return render(request, 'tasks/Inception.html', { 'sql_list': obj, "tasks_active": "active", "sql_active": "active" }) if request.method == 'POST': ids = request.POST.getlist('id') sql_db = request.POST.get('sql', None) user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) ids1 = [] for i in ids: assets = db_mysql.objects.get(id=i) if checker.has_perm( 'delete_db_mysql', db_mysql, ) == True: ids1.append(i) user = request.user idstring = ','.join(ids1) if not ids: error_1 = "请选择数据库" ret = {"error": error_1, "status": False} return HttpResponse(json.dumps(ret)) elif not sql_db: error_2 = "请输入命令" ret = {"error": error_2, "status": False} return HttpResponse(json.dumps(ret)) obj = db_mysql.objects.extra(where=['id IN (' + idstring + ')']) ret = {} ret['data'] = [] print(sql_db) for i in obj: try: s = sql(user=i.db_user.username, password=i.db_user.password, host=i.ip, port=i.port, sqls=sql_db) historys = history.objects.create(ip=i.ip, root=i.db_user.username, port=i.port, cmd=sql_db, user=user) if s == None or s['data'] == '': s = {} s['ip'] = i.ip s['data'] = "返回值为空,可能是权限不够。" ret['data'].append(s) except Exception as e: ret['data'].append({"ip": i.ip, "data": "账号密码不对,{}".format(e)}) return HttpResponse(json.dumps(ret))
def get(self, request, *args, **kwargs): entity = kwargs['entity'] pk = kwargs['pk'] entity_model = ContentType.objects.get(app_label='entities', model=entity).model_class() instance = get_object_or_404(entity_model, pk=pk) request = set_session_variables(request) relations = ContentType.objects.filter(app_label='relations', model__icontains=entity) side_bar = [] for rel in relations: match = str(rel).split() prefix = "{}{}-".format(match[0].title()[:2], match[1].title()[:2]) table = get_generic_relations_table(''.join(match), entity) title_panel = '' if match[0] == match[1]: title_panel = entity.title() dict_1 = {'related_' + entity.lower() + 'A': instance} dict_2 = {'related_' + entity.lower() + 'B': instance} if 'apis_highlighter' in settings.INSTALLED_APPS: object_pre = rel.model_class( ).annotation_links.filter_ann_proj( request=request).filter(Q(**dict_1) | Q(**dict_2)) else: object_pre = rel.model_class().objects.filter( Q(**dict_1) | Q(**dict_2)) objects = [] for x in object_pre: objects.append(x.get_table_dict(instance)) else: if match[0].lower() == entity.lower(): title_panel = match[1].title() else: title_panel = match[0].title() dict_1 = {'related_' + entity.lower(): instance} if 'apis_highlighter' in settings.INSTALLED_APPS: objects = list( rel.model_class().annotation_links.filter_ann_proj( request=request).filter(**dict_1)) else: objects = list(rel.model_class().objects.filter(**dict_1)) tb_object = table(objects, prefix=prefix) tb_object_open = request.GET.get(prefix + 'page', None) RequestConfig(request, paginate={ "per_page": 10 }).configure(tb_object) side_bar.append( (title_panel, tb_object, ''.join([x.title() for x in match]), tb_object_open)) form = get_entities_form(entity.title()) form = form(instance=instance) form_text = FullTextForm(entity=entity.title(), instance=instance) if 'apis_highlighter' in settings.INSTALLED_APPS: form_ann_agreement = SelectAnnotatorAgreement() else: form_ann_agreement = False object_revisions = Version.objects.get_for_object(instance) object_lod = Uri.objects.filter(entity=instance) object_texts, ann_proj_form = get_highlighted_texts(request, instance) object_labels = Label.objects.filter(temp_entity=instance) tb_label = EntityLabelTable(object_labels, prefix=entity.title()[:2] + 'L-') tb_label_open = request.GET.get('PL-page', None) side_bar.append(('Label', tb_label, 'PersonLabel', tb_label_open)) RequestConfig(request, paginate={"per_page": 10}).configure(tb_label) perm = ObjectPermissionChecker(request.user) permissions = { 'change': perm.has_perm('change_{}'.format(entity), instance), 'delete': perm.has_perm('delete_{}'.format(entity), instance), 'create': request.user.has_perm('entities.add_{}'.format(entity)) } template = select_template([ 'entities/{}_create_generic.html'.format(entity), 'entities/entity_create_generic.html' ]) return HttpResponse( template.render(request=request, context={ 'entity_type': entity, 'form': form, 'form_text': form_text, 'instance': instance, 'right_panel': side_bar, 'object_revisions': object_revisions, 'object_texts': object_texts, 'object_lod': object_lod, 'ann_proj_form': ann_proj_form, 'form_ann_agreement': form_ann_agreement, 'permissions': permissions }))
def test_anonymous_user(self): user = AnonymousUser() check = ObjectPermissionChecker(user) # assert anonymous user has no object permissions at all for obj self.assertTrue([] == list(check.get_perms(self.ctype)))
def tools_script_post(request): ret = {'data': None} if request.method == 'POST': try: host_ids = request.POST.getlist('id', None) sh_id = request.POST.get('shid', None) user = request.user if not host_ids: error1 = "请选择主机" ret = {"error": error1, "status": False} return HttpResponse(json.dumps(ret)) user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) ids1 = [] for i in host_ids: assets = asset.objects.get(id=i) if checker.has_perm( 'task_asset', assets, ) == True: ids1.append(i) else: error2 = "主机没有权限" ret = {"error": error2, "status": False} return HttpResponse(json.dumps(ret)) idstring = ','.join(ids1) host = asset.objects.extra(where=['id IN (' + idstring + ')']) sh = toolsscript.objects.filter(id=sh_id) for s in sh: if s.tool_run_type == 0: with open('tasks/script/test.sh', 'w+') as f: f.write(s.tool_script) a = 'tasks/script/{}.sh'.format(s.id) os.system( "sed 's/\r//' tasks/script/test.sh > {}".format(a)) elif s.tool_run_type == 1: with open('tasks/script/test.py', 'w+') as f: f.write(s.tool_script) p = 'tasks/script/{}.py'.format(s.id) os.system( "sed 's/\r//' tasks/script/test.py > {}".format( p)) # elif s.tool_run_type == 2: # with open('tasks/script/test.yml', 'w+') as f: # f.write(s.tool_script) # y = 'tasks/script/{}.yml'.format(s.id) # os.system("sed 's/\r//' tasks/script/test.yml > {}".format(y)) else: ret['status'] = False ret['error'] = '脚本类型错误,只能是shell、python' return HttpResponse(json.dumps(ret)) data1 = [] for h in host: try: password = decrypt_p(h.system_user.password) assets = [ { "hostname": 'host', "ip": h.network_ip, "port": h.port, "username": h.system_user.username, "password": password, }, ] history.objects.create(ip=h.network_ip, root=h.system_user.username, port=h.port, cmd=s.name, user=user) if s.tool_run_type == 0: tasks1 = [ { "action": { "module": "script", "args": "{}".format(a) }, "name": "1" }, ] elif s.tool_run_type == 1: tasks1 = [ { "action": { "module": "script", "args": "{}".format(p) }, "name": "1" }, ] inventory = BaseInventory(assets) runner = AdHocRunner(inventory) retsu = runner.run(tasks1, "all") try: data2 = { 'ip': h.network_ip, 'data': retsu.results_raw['ok']['host']['1']['stdout'] } except Exception as e: if retsu.results_summary['dark'] == ['']: data2 = {'ip': h.network_ip, 'data': "执行成功"} else: data2 = { 'ip': h.network_ip, 'data': "命令有问题,{}".format( retsu.results_summary['dark']) } data1.append(data2) except Exception as e: data2['ip'] = h.network_ip data2['data'] = "账号密码不对,或没有权限,请修改 {}, ".format(e) data1.append(data2) ret['data'] = data1 return HttpResponse(json.dumps(ret)) except Exception as e: ret['error'] = '未知错误 {}'.format(e) return HttpResponse(json.dumps(ret))
def get_context_data(self, **kwargs): context = super(CandidateDetailView, self).get_context_data(**kwargs) obj = self.get_object() notes = Note.objects.filter(candidate=obj, privileged=False) special_notes = Note.objects.filter(candidate=obj, privileged=True) checker = ObjectPermissionChecker(self.request.user) notes_forms = [] notes_display = [] for note in notes: if checker.has_perm(NOTE__CAN_MAKE_CANDIDATE_NOTE, note.unit): update_form = UpdateNoteForm(instance=note) update_form.fields['text'].label = 'Note for {unit}'.format( unit=note.unit) notes_forms.append(update_form) elif checker.has_perm(NOTE__CAN_SEE, note.unit): notes_display.append(note) context['notes_forms'] = notes_forms context['notes_display'] = notes_display unnoted_units = [] for unit in Unit.objects.all(): if (checker.has_perm(NOTE__CAN_MAKE_CANDIDATE_NOTE, unit) and not notes.filter(unit=unit)): unnoted_units.append(unit.pk) if unnoted_units: create_form = CreateNoteForm(initial={'candidate': obj}) create_form.fields['unit'].queryset = Unit.objects.filter( pk__in=unnoted_units) create_form.fields['candidate'].widget = forms.HiddenInput() context['create_form'] = create_form special_notes_forms = [] special_notes_display = [] for note in special_notes: if checker.has_perm(NOTE__CAN_MAKE_PRIVILEGED_NOTE, note.unit): update_form = UpdateNoteForm(instance=note) update_form.fields['text'].label = 'Special note for ' \ '{unit}'.format(unit=note.unit) special_notes_forms.append(update_form) else: special_notes_display.append(note) context['special_notes_forms'] = special_notes_forms context['special_notes_display'] = special_notes_display unnoted_special_units = [] for unit in Unit.objects.all(): if (checker.has_perm(NOTE__CAN_MAKE_PRIVILEGED_NOTE, unit) and not special_notes.filter(unit=unit)): unnoted_special_units.append(unit.pk) if unnoted_special_units: create_form = CreateNoteForm(initial={ 'candidate': obj, 'privileged': True }) create_form.fields['unit'].queryset = Unit.objects.filter( pk__in=unnoted_special_units) create_form.fields['candidate'].widget = forms.HiddenInput() context['special_create_form'] = create_form committees = {} committees['sent'] = Committee.objects.filter( appointments__in=Appointment.objects.filter( candidate=obj, status=Appointment.SENT)).distinct() committees['recced'] = Committee.objects.filter( appointments__in=Appointment.objects.filter( candidate=obj, status=Appointment.RECOMMENDED)).distinct() committees['maybe'] = Committee.objects.filter( appointments__in=Appointment.objects.filter( candidate=obj, status__in=[Appointment.APPLICANT, Appointment.POTENTIAL ])).distinct() committees['nope'] = Committee.objects.filter( appointments__in=Appointment.objects.filter( candidate=obj, status=Appointment.DECLINED)).distinct() context['committees'] = committees context['other_committees'] = Committee.objects.exclude( appointments__candidate=obj).distinct() context['appointments'] = Committee.objects.filter( appointments__candidate=obj, appointments__status=Appointment.ACCEPTED).distinct() context['libtype_form'] = UpdateLibraryTypeForm( instance=self.get_object()) return context
def __init__(self, *args, **kwargs): self.request = kwargs.pop('request', None) super().__init__(*args, **kwargs) self.permission_checker = ObjectPermissionChecker(kwargs['instance']) self.permission_checker.prefetch_perms( Unit.objects.filter(authorizations__authorized=kwargs['instance']))
def recent(request, page=1): checker = ObjectPermissionChecker(request.user) submissions = Submission.objects.all().order_by("-id") filters = {} empty_message = u"제출된 답안이 없습니다." title_add = [] # only superuser can see all nonpublic submissions. # as an exception, if we are filtering by a problem, the author can see # nonpublic submissions. also, everybody can see their nonpublic # submissions. only_public = not request.user.is_superuser if request.GET.get("problem"): slug = request.GET["problem"] problem = get_object_or_404(Problem, slug=slug) if request.user == problem.user or checker.has_perm( 'read_problem', problem): only_public = False if (problem.state != Problem.PUBLISHED and request.user != problem.user and not checker.has_perm('read_problem', problem)): raise Http404 submissions = submissions.filter(problem=problem) title_add.append(slug) filters["problem"] = slug if "state" in request.GET: state = request.GET["state"] submissions = submissions.filter(state=state) filters["state"] = state title_add.append(Submission.STATES_KOR[int(state)]) if request.GET.get("user"): username = request.GET["user"] user = get_or_none(User, username=username) if not user: empty_message = u"해당 사용자가 없습니다." submissions = submissions.none() else: submissions = submissions.filter(user=user) filters["user"] = username title_add.append(username) if user == request.user: only_public = False if only_public: submissions = submissions.filter(is_public=True) problems = Problem.objects.filter(state=Problem.PUBLISHED).order_by("slug") users = User.objects.order_by("username") return render( request, "submission/recent.html", { "title": u"답안 목록" + (": " if title_add else "") + ",".join(title_add), "problems": problems, "users": users, "filters": filters, "empty_message": empty_message, "pagination": setup_paginator(submissions, page, "judge-submission-recent", {}, filters) })
def get_context_data(self, **kwargs): context = super().get_context_data(**kwargs) profile_user = context["object"].user profile_groups = profile_user.groups.all() organizations = Organization.objects.filter( Q(members_group__in=profile_groups) | Q(editors_group__in=profile_groups)).distinct() archives = (get_objects_for_user( user=self.request.user, perms="view_archive", klass=Archive, use_groups=True, ).filter( Q(editors_group__in=profile_groups) | Q(uploaders_group__in=profile_groups) | Q(users_group__in=profile_groups)).distinct()) reader_studies = (get_objects_for_user( user=self.request.user, perms="view_readerstudy", klass=ReaderStudy, use_groups=True, ).filter( Q(editors_group__in=profile_groups) | Q(readers_group__in=profile_groups)).distinct()) challenges = Challenge.objects.filter( Q(admins_group__in=profile_groups) | Q(participants_group__in=profile_groups), hidden=False, ).distinct() algorithms = (get_objects_for_user( user=self.request.user, perms="view_algorithm", klass=Algorithm, use_groups=True, ).filter( Q(editors_group__in=profile_groups) | Q(users_group__in=profile_groups)).distinct()) checker = ObjectPermissionChecker(user_or_group=profile_user) for qs in [ archives, reader_studies, challenges, algorithms, ]: # Perms can only be prefetched for sets of the same objects checker.prefetch_perms(objects=qs) object_list = [ *archives, *reader_studies, *challenges, *algorithms, ] role = {} for obj in object_list: obj_perms = checker.get_perms(obj) if f"change_{obj._meta.model_name}" in obj_perms: role[obj] = "editor" elif f"view_{obj._meta.model_name}" in obj_perms: role[obj] = "user" else: role[obj] = "participant" context.update({ "object_list": object_list, "object_role": role, "num_submissions": Submission.objects.filter(creator=profile_user).count(), "num_algorithms_run": Job.objects.filter(creator=profile_user).count(), "organizations": organizations, }) return context
def cmd(request): ##命令行 if request.method == "GET": obj = get_objects_for_user(request.user, 'asset.change_asset') return render(request, 'tasks/cmd.html', { 'asset_list': obj, "tasks_active": "active", "cmd_active": "active" }) if request.method == 'POST': ids = request.POST.getlist('id') cmd = request.POST.get('cmd', None) user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) ids1 = [] for i in ids: assets = asset.objects.get(id=i) if checker.has_perm( 'task_asset', assets, ) == True: ids1.append(i) else: error_3 = "主机没有权限" ret = {"error": error_3, "status": False} return HttpResponse(json.dumps(ret)) user = request.user idstring = ','.join(ids1) if not ids: error_1 = "请选择主机" ret = {"error": error_1, "status": False} return HttpResponse(json.dumps(ret)) elif not cmd: error_2 = "请输入命令" ret = {"error": error_2, "status": False} return HttpResponse(json.dumps(ret)) obj = asset.objects.extra(where=['id IN (' + idstring + ')']) ret = {} ret['data'] = [] for i in obj: try: password = decrypt_p(i.system_user.password) s = ssh(ip=i.network_ip, port=i.port, username=i.system_user.username, password=password, cmd=cmd) historys = history.objects.create(ip=i.network_ip, root=i.system_user, port=i.port, cmd=cmd, user=user) if s == None or s['data'] == '': s = {} s['ip'] = i.network_ip s['data'] = "返回值为空,可能是权限不够。" ret['data'].append(s) except Exception as e: ret['data'].append({ "ip": i.network_ip, "data": "账号密码不对,{}".format(e) }) return HttpResponse(json.dumps(ret))
def create_space(request): """ Returns a SpaceForm form to fill with data to create a new space. There is an attached EntityFormset to save the entities related to the space. Every user in the platform is allowed to create spaces. Once it's created we assign the administration permissions to the user, along with some others for the sake of functionality. .. note:: Since everyone can have the ability to create spaces, instead of checking for the add_space permission we just ask for login. :attributes: - space_form: empty SpaceForm instance - entity_forms: empty EntityFormSet :permissions required: login_required :rtype: Space object, multiple entity objects. :context: form, entityformset """ space_form = SpaceForm(request.POST or None, request.FILES or None) entity_forms = EntityFormSet(request.POST or None, request.FILES or None, queryset=Entity.objects.none()) if request.method == 'POST': if space_form.is_valid() and entity_forms.is_valid(): space_form_uncommited = space_form.save(commit=False) space_form_uncommited.author = request.user new_space = space_form_uncommited.save() space = get_object_or_404(Space, name=space_form_uncommited.name) ef_uncommited = entity_forms.save(commit=False) for ef in ef_uncommited: ef.space = space ef.save() # We add the created spaces to the user allowed spaces # space.admins.add(request.user) space_form.save_m2m() # Assign permissions to the user so he can chenge everything in the # space assign_perm('view_space', request.user, space) assign_perm('change_space', request.user, space) assign_perm('delete_space', request.user, space) assign_perm('admin_space', request.user, space) if DEBUG: # This will tell us if the user got the right permissions for # the object un = request.user.username u = ObjectPermissionChecker(request.user) # Avoid unnecesary queries for the permission checks print """Space permissions for user '%s': View: %s Change: %s Delete: %s Admin: %s Mod: %s """ % (un, u.has_perm('view_space', space), u.has_perm('change_space', space), u.has_perm('delete_space', space), u.has_perm('admin_space', space), u.has_perm('mod_space', space)) return HttpResponseRedirect(reverse(urln.SPACE_INDEX, kwargs={'space_url': space.url})) return render_to_response('spaces/space_form.html', {'form': space_form, 'entityformset': entity_forms}, context_instance=RequestContext(request))