def inner(*args, **kwargs):
    """Run the wrapped creator, then register the caller as MODIFIER.

    ``func`` and ``resource_type`` are free variables taken from the
    enclosing scope, which is not visible here. The object returned by
    ``func`` is handed back unchanged once the privilege call has been made.
    """
    created = func(*args, **kwargs)
    # NOTE(review): "visibility" is read from kwargs only after func() has
    # already run, so a caller that omits it or passes it positionally gets a
    # KeyError after the resource was produced and before any privilege is
    # recorded. Confirm callers always pass it by keyword.
    Privilege.add_with_check(
        created.id,
        created.name,
        resource_type,
        g.user_id,
        g.user_hash,
        Privilege.Type.MODIFIER,
        kwargs["visibility"],
    )
    return created
def delete_item_privilege_for_user(target_user=None, resource_id=None):
    """Revoke ``target_user``'s privilege on an item and drop its cached pull.

    Raises GulDanException (code 409) when the target is the requesting user
    (``g.user_id``), so a user cannot remove their own privilege.
    """
    # NOTE(review): this function does not itself verify that the requesting
    # user may manage privileges on the item; presumably the caller or a
    # decorator enforces that. Confirm.
    removing_own_privilege = target_user.id == g.user_id
    if removing_own_privilege:
        # Message text: "You cannot delete your own privilege".
        raise GulDanException().with_message(u"你不能删除自己的权限").with_code(409)

    revoked_hash = target_user.user_hash
    Privilege.delete_privilege(revoked_hash, resource_id, Resource.Type.ITEM)

    # Clear the memoized pull_item entry keyed by this item and user hash so
    # the cached result does not outlive the revocation.
    item_name = ensure_item(resource_id).name
    cache.delete_memoized(pull_item, ItemPuller(item_name), item_name, revoked_hash)
def get_user_hash_for_item(item_id):
    """Collect the user hashes attached to an item, its project and its org.

    Queries Privilege.get_user_hash_for_resource at each of the three levels
    with the matching TARGET_PRIVILEGES_TYPES_FOR_* constant and returns the
    first element of every returned row as a set.
    """
    item_rows = Privilege.get_user_hash_for_resource(
        item_id, Resource.Type.ITEM, TARGET_PRIVILEGES_TYPES_FOR_ITEM)

    project_id = Item.get_parent_id(item_id)
    project_rows = Privilege.get_user_hash_for_resource(
        project_id, Resource.Type.PROJECT, TARGET_PRIVILEGES_TYPES_FOR_PROJECT)

    org_id = Project.get_parent_id(project_id)
    org_rows = Privilege.get_user_hash_for_resource(
        org_id, Resource.Type.ORG, TARGET_PRIVILEGES_TYPES_FOR_ORG)

    # The three results are concatenated with "+", so they are assumed to be
    # lists of row tuples - TODO confirm against the helper.
    return {row[0] for row in item_rows + project_rows + org_rows}
def get_one_modifier(resource_type, resource_id):
    """Return ``{"user_id", "user_name"}`` for one MODIFIER of the resource.

    Raises GulDanException (code 404) when the user id found on the privilege
    row does not resolve to a user.
    """
    modifier_row = Privilege.get_one_user_for_resource(
        resource_id, resource_type, Privilege.Type.MODIFIER)
    # NOTE(review): the row is indexed without a None/empty check; if the
    # helper can return nothing for a resource with no modifier, this raises
    # TypeError/IndexError instead of the 404 below. Confirm the helper's
    # contract.
    modifier = User.get_by_id(modifier_row[0])
    if modifier:
        return {"user_id": modifier.id, "user_name": modifier.name}
    # Message text: "The specified user cannot be found".
    raise GulDanException().with_code(404).with_message(u"找不到指定的用户")
def can_user_modify_item(item_id, user_hash):
    """Tell whether ``user_hash`` may modify the item.

    True when the user's privilege on the item itself is MODIFIER; otherwise
    the answer is whatever can_user_modify_project gives for the parent
    project.
    """
    direct_grant = Privilege.get_privilege_by_user_and_resource(
        user_hash, item_id, Resource.Type.ITEM)
    is_item_modifier = (
        bool(direct_grant)
        and direct_grant.privilege_type == Privilege.Type.MODIFIER
    )
    if not is_item_modifier:
        # No MODIFIER grant on the item itself: defer to the parent project.
        return can_user_modify_project(Item.get_parent_id(item_id), user_hash)
    return True
def can_user_modify_project(project_id, user_hash):
    """Tell whether ``user_hash`` may modify the project.

    True when the user's privilege on the project itself is MODIFIER;
    otherwise the decision is delegated to can_user_modify_org on the parent
    org.
    """
    project_grant = Privilege.get_privilege_by_user_and_resource(
        user_hash, project_id, Resource.Type.PROJECT)
    if project_grant:
        if project_grant.privilege_type == Privilege.Type.MODIFIER:
            return True
    # No MODIFIER grant at project level: the org-level check decides.
    parent_org_id = Project.get_parent_id(project_id)
    return can_user_modify_org(parent_org_id, user_hash)
def get_user_orgs(user_hash):
    """List the orgs in which the user holds any MODIFIER or VIEWER privilege.

    Privileges on orgs, projects and items are all considered; the org name
    is the text before the first "." of each privilege's resource_name. The
    resulting set of names is passed to _generate_org_list.
    """
    resource_levels = [Resource.Type.ORG, Resource.Type.PROJECT, Resource.Type.ITEM]
    accepted_types = [Privilege.Type.MODIFIER, Privilege.Type.VIEWER]
    granted = Privilege.get_privileges_under_user_for_resource(
        user_hash, resource_levels, accepted_types)
    org_names = {entry.resource_name.split(".")[0] for entry in granted}
    return _generate_org_list(org_names)
def get_items_that_user_can_see(user_hash, project_id):
    """Return the project's items that ``user_hash`` is allowed to list.

    Public items are returned as ``item.to_dict()``. Private items are only
    included when Privilege.get_privileges_under_user returns a row for them,
    and then only as ``{"id", "name"}`` built from that privilege row.
    """
    project_items = Item.get_items_under_project(project_id)
    public_items, private_items = separate_public_and_private_items(project_items)

    # NOTE(review): no privilege-type filter is passed here; whether the
    # helper restricts the privilege types it returns is not visible from
    # this function.
    private_ids = [item.id for item in private_items]
    granted = Privilege.get_privileges_under_user(
        user_hash, Resource.Type.ITEM, private_ids)

    visible = [item.to_dict() for item in public_items]
    visible.extend(
        {"id": grant.resource_id, "name": grant.resource_name}
        for grant in granted
    )
    return visible
def build_privilege_tree_under_user(user_hash):
    """Build a nested dict from the dotted resource names the user holds.

    Each row from Privilege.get_resource_names_under_user contributes the
    "."-separated components of its first element as a path of nested keys;
    leaves are empty dicts.
    """
    tree = {}
    for row in Privilege.get_resource_names_under_user(user_hash):
        node = tree
        for segment in row[0].split("."):
            # Reuse the child dict when the segment already exists, otherwise
            # create it, then descend into it.
            node = node.setdefault(segment, {})
    return tree
def can_user_view_project(project_id, user_hash):
    """Tell whether ``user_hash`` may view the project.

    Checked in order: the project is PUBLIC; the user's privilege on the
    project is at least VIEWER; otherwise can_user_modify_org on the parent
    org decides.
    """
    project = ensure_project(project_id)
    is_public = project.visibility == Resource.Visibility.PUBLIC
    if is_public:
        return True

    grant = Privilege.get_privilege_by_user_and_resource(
        user_hash, project_id, Resource.Type.PROJECT)
    # The ">=" comparison relies on the ordering of Privilege.Type values
    # (presumably VIEWER < MODIFIER - confirm against the enum definition).
    if grant and grant.privilege_type >= Privilege.Type.VIEWER:
        return True

    # NOTE(review): the fallback is a *modify* check on the org, so a
    # view-only grant at org level does not pass here. Confirm that is the
    # intended policy.
    parent_org_id = Project.get_parent_id(project_id)
    return can_user_modify_org(parent_org_id, user_hash)
def can_user_view_item(item_id, user_hash):
    """Tell whether ``user_hash`` may view the item.

    Raises GulDanException (code 404) when the item does not exist. Otherwise
    checked in order: the item is PUBLIC; the user's privilege on the item is
    at least VIEWER; otherwise can_user_modify_project on the parent project
    decides.
    """
    item = Item.get_by_id(item_id)
    if not item:
        # Message text: "Configuration item not found (id:...)".
        not_found = u"找不到配置项(id:{})".format(item_id)
        raise GulDanException().with_code(404).with_message(not_found)

    is_public = item.visibility == Resource.Visibility.PUBLIC
    if is_public:
        return True

    grant = Privilege.get_privilege_by_user_and_resource(
        user_hash, item_id, Resource.Type.ITEM)
    # The ">=" comparison relies on the ordering of Privilege.Type values
    # (presumably VIEWER < MODIFIER - confirm against the enum definition).
    if grant and grant.privilege_type >= Privilege.Type.VIEWER:
        return True

    # NOTE(review): the fallback is a *modify* check on the project, so a
    # view-only grant on the project does not pass here. Confirm that is the
    # intended policy.
    parent_project_id = Item.get_parent_id(item_id)
    return can_user_modify_project(parent_project_id, user_hash)
def get_projects_that_user_can_see(user_hash, org_id):
    """Return the org's projects that ``user_hash`` is allowed to list.

    All public projects are included. A private project is included when its
    name (second "."-separated component) matches the second component of
    any privilege the user holds under the ``"<org name>."`` prefix.
    """
    org_projects = Project.get_projects_under_org(org_id)
    public_projects, private_projects = separate_public_and_private_projects(
        org_projects)
    visible = [project.to_dict() for project in public_projects]

    # NOTE(review): org is dereferenced without a None check; an unknown
    # org_id presumably fails with AttributeError here - confirm callers
    # validate it.
    org = Org.get_by_id(org_id)
    name_prefix = org.name + "."
    granted = Privilege.get_privileges_by_name_prefix(name_prefix, user_hash)

    # NOTE(review): every returned privilege contributes its second name
    # component, whatever its privilege type or resource level; whether the
    # helper also returns item-level rows is not visible here.
    granted_project_names = {
        grant.resource_name.split(".")[1] for grant in granted
    }
    visible.extend(
        [
            project.to_dict()
            for project in private_projects
            if project.name.split(".")[1] in granted_project_names
        ]
    )
    return visible
def delete_project_privilege_for_user(target_user=None, resource_id=None):
    """Revoke ``target_user``'s privilege on a project.

    Raises GulDanException (code 409) when the target is the requesting user
    (``g.user_id``), so a user cannot remove their own privilege.
    """
    # NOTE(review): unlike delete_item_privilege_for_user, no memoized
    # pull_item entries are cleared here. Confirm whether cached results for
    # items under this project can outlive the revocation.
    removing_own_privilege = target_user.id == g.user_id
    if removing_own_privilege:
        # Message text: "You cannot delete your own privilege".
        raise GulDanException().with_message(u"你不能删除自己的权限").with_code(409)

    revoked_hash = target_user.user_hash
    Privilege.delete_privilege(revoked_hash, resource_id, Resource.Type.PROJECT)
def get_privileges_for_resource(res_id, resource_type):
    """Return the privilege list for a resource.

    Fetches the privilege rows, gets the matching users from
    get_users_for_privileges, and returns what construct_privileges_list
    builds from the two.
    """
    rows = Privilege.get_privileges_by_resource(res_id, resource_type)
    users_by_privilege = get_users_for_privileges(rows)
    privilege_list = construct_privileges_list(rows, users_by_privilege)
    return privilege_list
def get_privilege_for_item(user_hash, item_full_name):
    """Look up the user's privilege on the item named ``item_full_name``.

    Returns whatever Privilege.get_privilege_by_user_hash_and_resource_name
    yields for an ITEM resource.
    """
    item_privilege = Privilege.get_privilege_by_user_hash_and_resource_name(
        user_hash, item_full_name, Resource.Type.ITEM)
    return item_privilege
def inner(*args, **kwargs):
    """Run the wrapped function, then call Privilege.delete for the resource.

    ``func`` and ``resource_type`` are free variables taken from the
    enclosing scope, which is not visible here. The wrapped function's return
    value is passed through unchanged.
    """
    outcome = func(*args, **kwargs)
    # NOTE(review): "resource_id" must arrive as a keyword argument; a
    # positional call raises KeyError after func() has already run, leaving
    # Privilege.delete uncalled. Confirm all callers pass it by keyword.
    target_id = kwargs["resource_id"]
    Privilege.delete(target_id, resource_type)
    return outcome