def get_principals(
self, role, anonymous=True, users=True, groups=True, object=None, as_list=True
):
"""Return all users which are assigned given role."""
if not isinstance(role, Role):
role = Role(role)
assert role
assert users or groups
query = RoleAssignment.query.filter_by(role=role)
if not anonymous:
query = query.filter(RoleAssignment.anonymous == False)
if not users:
query = query.filter(RoleAssignment.user == None)
elif not groups:
query = query.filter(RoleAssignment.group == None)
query = query.filter(RoleAssignment.object == object)
principals = {(ra.user or ra.group) for ra in query.all()}
if object is not None and role in (Creator, Owner):
p = object.creator if role == Creator else object.owner
if p:
principals.add(p)
if not as_list:
return principals
return list(principals)
class GroupAdminForm(Form):
name = StringField(_l(u'Name'), filters=(strip,), validators=[required()])
description = StringField(_l(u'Description'), filters=(strip,))
public = BooleanField(
_l(u'Public'), widget=widgets.BooleanWidget(on_off_mode=True))
roles = fields.Select2MultipleField(
_l(u'Roles'),
choices=lambda: [(r.name, r.label) for r in Role.assignable_roles()],)
def after_populate_obj(self):
security = get_service('security')
current_roles = security.get_roles(self.obj, no_group_roles=True)
current_roles = {r for r in current_roles if r.assignable}
new_roles = {Role(r) for r in self.form.roles.data}
for r in (current_roles - new_roles):
security.ungrant_role(self.obj, r)
for r in (new_roles - current_roles):
security.grant_role(self.obj, r)
return super(GroupEdit, self).after_populate_obj()
def after_populate_obj(self):
security = current_app.services['security']
current_roles = security.get_roles(self.obj, no_group_roles=True)
current_roles = set(r for r in current_roles if r.assignable)
new_roles = {Role(r) for r in self.form.roles.data}
for r in (current_roles - new_roles):
security.ungrant_role(self.obj, r)
for r in (new_roles - current_roles):
security.grant_role(self.obj, r)
return super(UserEdit, self).after_populate_obj()
class BaseUserAdminForm(Form):
email = StringField(
_l("Email"),
description=_l("Users log in with their email address."),
view_widget=widgets.EmailWidget(),
filters=(strip,),
validators=[required()],
)
first_name = StringField(
_l("First Name"),
description=_l("ex: John"),
filters=(strip,),
validators=[required()],
)
last_name = StringField(
_l("Last Name"),
description=_l("ex: Smith"),
filters=(strip,),
validators=[required()],
)
can_login = BooleanField(
_l("Login enabled"),
description=_l("If unchecked, user will not be able to connect."),
widget=widgets.BooleanWidget(),
)
groups = QuerySelect2Field(
_l("Groups"),
validators=(optional(),),
multiple=True,
collection_class=set,
query_factory=lambda: Group.query.order_by(sa.sql.func.lower(Group.name).asc()),
get_label="name",
)
roles = Select2MultipleField(
_l("Roles"),
description=_l(
"Prefer groups to manage access rights. Directly assigning roles "
"to users is possible but discouraged."
),
choices=lambda: [(r.name, r.label) for r in Role.assignable_roles()],
)
password = StringField(
_l("New Password"),
description=_l("If empty the current password will not be changed."),
widget=widgets.PasswordInput(autocomplete="off"),
)
def get_principals(
self,
role: Role,
anonymous: bool = True,
users: bool = True,
groups: bool = True,
object: Optional[Model] = None,
as_list: bool = True,
) -> Collection[Principal]:
"""Return all users which are assigned given role."""
if not isinstance(role, Role):
role = Role(role)
assert role
assert users or groups
query = RoleAssignment.query.filter_by(role=role)
if not anonymous:
query = query.filter(RoleAssignment.anonymous == False)
if not users:
query = query.filter(RoleAssignment.user == None)
elif not groups:
query = query.filter(RoleAssignment.group == None)
query = query.filter(RoleAssignment.object == object)
principals = {(ra.user or ra.group) for ra in query.all()}
if object is not None and role in (Creator, Owner):
# pyre-fixme[16]: `Model` has no attribute `creator`.
# pyre-fixme[16]: `Model` has no attribute `owner`.
p = object.creator if role == Creator else object.owner
if p:
principals.add(p)
if not as_list:
return principals
return list(principals)
def has_permission(self, user, permission, obj=None, inherit=False, roles=None):
"""
:param obj: target object to check permissions.
:param inherit: check with permission inheritance. By default, check only
local roles.
:param roles: additional valid role or iterable of roles having
`permission`.
"""
if not isinstance(permission, Permission):
assert permission in PERMISSIONS
permission = Permission(permission)
user = unwrap(user)
if not self.running:
return True
session = None
if obj is not None:
session = object_session(obj)
if session is None:
session = db.session()
# root always have any permission
if isinstance(user, User) and user.id == 0:
return True
# valid roles
# 1: from database
pa_filter = PermissionAssignment.object == None
if obj is not None and obj.id is not None:
pa_filter |= PermissionAssignment.object == obj
pa_filter &= PermissionAssignment.permission == permission
valid_roles = session.query(PermissionAssignment.role).filter(pa_filter)
valid_roles = {res[0] for res in valid_roles.yield_per(1000)}
# complete with defaults
valid_roles |= {Admin} # always have all permissions
valid_roles |= DEFAULT_PERMISSION_ROLE.get(permission, set())
# FIXME: obj.__class__ could define default permisssion matrix too
if roles is not None:
if isinstance(roles, (Role,) + string_types):
roles = (roles,)
for r in roles:
valid_roles.add(Role(r))
# FIXME: query permission_role: global and on object
if AnonymousRole in valid_roles:
return True
if Authenticated in valid_roles and not user.is_anonymous:
return True
# first test global roles, then object local roles
checked_objs = [None, obj]
if inherit and obj is not None:
while obj.inherit_security and obj.parent is not None:
obj = obj.parent
checked_objs.append(obj)
principals = [user] + list(user.groups)
self._fill_role_cache_batch(principals)
return any(
(
self.has_role(principal, valid_roles, item)
for principal in principals
for item in checked_objs
)
)
