async def authorizeRequest( self, request: IRequest, event: Optional[Event], requiredAuthorizations: Authorization, ) -> None: """ Determine whether the user attached to a request has the required authorizations in the context of a given event. """ self.authenticateRequest(request) userAuthorizations = await self.authorizationsForUser( request.user, event ) request.authorizations = userAuthorizations if not (requiredAuthorizations & userAuthorizations): self._log.debug( "Authorization failed for {request.user}. " "Requires {requiredAuthorizations}, has {userAuthorizations}. " "URI: {request.uri}", request=request, requiredAuthorizations=requiredAuthorizations, userAuthorizations=userAuthorizations, ) raise NotAuthorizedError("User not authorized")
async def authorizeRequest( self, request: IRequest, event: Optional[Event], requiredAuthorizations: Authorization, ) -> None: """ Determine whether the user attached to a request has the required authorizations in the context of a given event. """ self.authenticateRequest(request) userAuthorizations = await self.authorizationsForUser( request.user, event ) request.authorizations = userAuthorizations if not (requiredAuthorizations & userAuthorizations): self._log.debug( "Authorization failed for {request.user}. " "Requires {requiredAuthorizations}, has {userAuthorizations}. " "URI: {request.uri}", request=request, requiredAuthorizations=requiredAuthorizations, userAuthorizations=userAuthorizations, ) raise NotAuthorizedError(f"User not authorized")
async def authorizeRequestForIncidentReport( self, request: IRequest, incidentReport: IncidentReport ) -> None: """ Determine whether the user attached to a request has the required authorizations to read the incident report with the given number. """ # The author of the incident report should be allowed to read and write # to it. if request.user is not None and incidentReport.reportEntries: rangerHandle = request.user.rangerHandle for reportEntry in incidentReport.reportEntries: if reportEntry.author == rangerHandle: request.authorizations = ( Authorization.readIncidentReports | Authorization.writeIncidentReports ) return # If there are incidents attached to this incident report, then the # permissions on the attached incidents (which are determined by the # events containing the incidents) determine the permission on the # incident report. # So we'll iterate over all of the events containing incidents that # this incident report is attached to, and see if any of those events # can approve the request. events = frozenset( event for event, _incidentNumber in await self.store.incidentsAttachedToIncidentReport( incidentReport.number ) ) if events: for event in events: # There are incidents attached; use the authorization for # reading incidents from the corresponding events. # Because it's possible for multiple incidents to be attached, # if one event fails, keep trying the others in case they allow # it. try: await self.authorizeRequest( request, event, Authorization.readIncidents ) except NotAuthorizedError as e: authFailure = e else: return raise authFailure # Incident report is detached await self.authorizeRequest( request, None, Authorization.readIncidentReports )
async def authorizeRequestForIncidentReport( self, request: IRequest, incidentReport: IncidentReport) -> None: """ Determine whether the user attached to a request has the required authorizations to read the incident report with the given number. """ # The author of the incident report should be allowed to read and write # to it. if request.user is not None and incidentReport.reportEntries: rangerHandle = request.user.rangerHandle for reportEntry in incidentReport.reportEntries: if reportEntry.author == rangerHandle: request.authorizations = ( Authorization.readIncidentReports | Authorization.writeIncidentReports) return # If there are incidents attached to this incident report, then the # permissions on the attached incidents (which are determined by the # events containing the incidents) determine the permission on the # incident report. # So we'll iterate over all of the events containing incidents that # this incident report is attached to, and see if any of those events # can approve the request. events = frozenset( event for event, _incidentNumber in await self.store. incidentsAttachedToIncidentReport(incidentReport.number)) if events: for event in events: # There are incidents attached; use the authorization for # reading incidents from the corresponding events. # Because it's possible for multiple incidents to be attached, # if one event fails, keep trying the others in case they allow # it. try: await self.authorizeRequest(request, event, Authorization.readIncidents) except NotAuthorizedError as e: authFailure = e else: return raise authFailure # Incident report is detached await self.authorizeRequest(request, None, Authorization.readIncidentReports)
async def authorizeRequestForIncidentReport( self, request: IRequest, incidentReport: IncidentReport ) -> None: """ Determine whether the user attached to a request has the required authorizations to read the incident report with the given number. """ # The author of the incident report should be allowed to read and write # to it. if request.user is not None and incidentReport.reportEntries: rangerHandle = request.user.rangerHandle for reportEntry in incidentReport.reportEntries: if reportEntry.author == rangerHandle: request.authorizations = Authorization.writeIncidentReports return # Otherwise, use the ACL for the event associated with the incident # report. await self.authorizeRequest( request, incidentReport.event, Authorization.readIncidents )