Beispiel #1
def get_slider_agents(scontext):
    """Return the named agents of ``scontext`` as a list of (name, agent) pairs.

    The two site-wide groups are added as refs (``get_ref()``); the creator
    agent and the context's own agent and admin are passed through exactly as
    returned. The order of the pairs is fixed.
    """
    # Each value is looked up in the same order as the pairs are listed.
    anonymous_ref = get_anonymous_group().get_ref()
    members_ref = get_all_members_group().get_ref()
    owner = scontext.context_agent
    creator = get_creator_agent()
    admin = scontext.context_admin

    pairs = []
    pairs.append(('anonymous_group', anonymous_ref))
    pairs.append(('all_members_group', members_ref))
    pairs.append(('context_agent', owner))
    pairs.append(('creator', creator))
    pairs.append(('context_admin', admin))
    return pairs
Beispiel #2
def has_access(agent, resource, interface):
    """Return True if ``agent`` may use ``interface`` on ``resource``, else False.

    The decision is made against the SecurityTag stored for ``interface`` in
    the resource's security context. If no tag exists yet, one is first
    created from the type defaults, provided the interface name appears in
    the interface map of the resource's type.

    The checks run in this order and the first match decides:

    1. the anonymous group is among the tag's agents -> allowed for anyone;
    2. the creator agent is among the tag's agents and ``agent`` equals the
       creator recorded on the resource -> allowed;
    3. ``agent`` is an ``AnonymousUser`` -> denied;
    4. the tag's agents intersect ``agent.get_enclosure_set()`` -> allowed.

    Every other case is denied, and the denial is printed to stdout.

    The special-casing below makes this function hard to refactor, for
    instance to answer the question for many objects at once.
    """

    # Work on the unwrapped resource; the wrapper is recognised by class name only.
    if resource.__class__.__name__ == "SecureWrapper":
        resource = resource.get_inner()

    # Same for the agent.
    if agent.__class__.__name__ == "SecureWrapper":
        agent = agent.get_inner()

    # Every decision below is relative to the security context of this resource.

    context = resource.get_security_context()

    # Lazily create the tag for this interface if the context has none yet.

    if not SecurityTag.objects.filter(interface=interface, security_context=context):
        # Create it when the interface is in the defaults for the type; this
        # allows new interfaces to be added to a type at runtime.
        typ = resource.__class__
        # Second dot-separated component of the interface string; a string
        # without a dot raises IndexError here.
        interface_name = interface.split(".")[1]
        if interface_name in get_interface_map(typ.__name__):

            # Defaults are selected by the class of the context agent's object
            # and by that agent's permission prototype.
            agent_defaults = AgentDefaults[context.context_agent.obj.__class__][
                context.context_agent.permission_prototype
            ]
            slider_agents = SliderAgents[context.context_agent.obj.__class__](context)
            sad = dict(slider_agents)
            context.setup_tag_from_defaults(interface, sad, agent_defaults)

    # NOTE(review): nothing here guards the case where no tag exists after the
    # step above (interface name not in the interface map). If this is the
    # Django ORM, .get() then raises DoesNotExist instead of returning False;
    # confirm that callers treat that as a denial.
    allowed_agents = SecurityTag.objects.get(interface=interface, security_context=context).agents

    # Original author's performance note: caching the allowed agents (per .View
    # interface) and the agents held per user, e.g. in memcache, would make
    # repeated checks cheap.
    # NOTE(review): such a cache would have to be invalidated whenever tags or
    # memberships change, otherwise revoked access would linger.
    allowed_agents = set([a.obj for a in allowed_agents.all()])

    if get_anonymous_group() in allowed_agents:
        # The interface is open to anyone, so there is no need to test whether
        # this agent belongs to the "anyone" group.
        return True

    # The creator placeholder grants access only to the resource's actual creator.
    if get_creator_agent().obj in allowed_agents:
        actual_creator = resource.get_ref().creator
        if agent == actual_creator:
            return True

    if agent.__class__ == AnonymousUser:
        # An AnonymousUser that matched neither rule above is denied here,
        # before get_enclosure_set() is called on it. Open question left by
        # the original author (t.s.): is reaching this point a security issue?
        return False

    # Allowed if any agent held by this agent is among the tag's agents.
    agents_held = agent.get_enclosure_set()
    if allowed_agents.intersection(agents_held):
        return True

    # NOTE(review): every denial writes the interface, resource, context agent
    # and agent to stdout; consider routing this through the logging framework.
    print "has_access fails for %s, %s, %s, %s" % (interface, resource, context.context_agent.obj, agent)
    return False
Beispiel #3
def has_access(agent, resource, interface, sec_context=None, diagnose=None) :
    """Return True if ``agent`` may use ``interface`` on ``resource``, else False.

    The decision is made against the SecurityTag stored for ``interface`` in
    a security context: ``sec_context`` when the caller supplies one,
    otherwise the context of the (unwrapped) resource. If no tag exists yet,
    one is first created from the type defaults, provided the interface name
    appears in the interface map of the resource's type.

    The checks run in this order and the first match decides:

    1. ``agent`` itself is among the tag's agents -> allowed;
    2. the anonymous group is among the tag's agents -> allowed for anyone;
    3. ``resource`` is truthy, the creator agent is among the tag's agents and
       ``agent`` equals the creator recorded on the resource -> allowed;
    4. the tag's agents intersect ``agent.get_enclosure_set()`` -> allowed.

    Every other case is denied. When ``diagnose`` is truthy, a denial also
    prints the interface, the allowed agents, the agents held by ``agent`` and
    the allowed agents missing from that set to stdout.

    The special-casing below makes this function hard to refactor, for
    instance to answer the question for many objects at once.
    """

    # In diagnose mode, collect the data needed to explain a denial.
    # `diagnostics` only exists when diagnose is truthy; every later use is
    # guarded by the same flag.
    if diagnose :
        diagnostics = {}

    # Work on the unwrapped agent; the wrapper is recognised by class name only.
    if agent.__class__.__name__ == "SecureWrapper":
        agent = agent.get_inner()
 

    if not sec_context:
        # No context supplied: unwrap the resource and use its own context.
        if resource.__class__.__name__ == "SecureWrapper":
            resource = resource.get_inner()
        context = resource.get_security_context()
    else:
        # NOTE(review): on this path the resource is not unwrapped, yet it is
        # still used below (resource.__class__ for the interface map and
        # resource.get_ref().creator). Confirm that callers passing
        # sec_context pass either an unwrapped resource or none at all.
        context = sec_context

    if not SecurityTag.objects.filter(interface=interface, security_context=context):
        # Create the tag when the interface is in the defaults for the type;
        # this allows new interfaces to be added to a type at runtime.
        typ = resource.__class__
        # Second dot-separated component of the interface string; a string
        # without a dot raises IndexError here.
        interface_name = interface.split('.')[1]
        if interface_name in get_interface_map(typ.__name__):
            # Defaults are selected by the class of the context agent's object
            # and by that agent's permission prototype.
            agent_defaults = AgentDefaults[context.context_agent.obj.__class__][context.context_agent.permission_prototype]
            slider_agents = SliderAgents[context.context_agent.obj.__class__](context)
            sad = dict(slider_agents)
            context.setup_tag_from_defaults(interface, sad, agent_defaults)


    # Which agents have access?
    # NOTE(review): nothing here guards the case where no tag exists after the
    # step above. If this is the Django ORM, .get() then raises DoesNotExist
    # instead of returning False; confirm that callers treat that as a denial.
    allowed_agents = SecurityTag.objects.get(interface=interface,
                                             security_context=context).agents
    

    # Original author's performance note: caching the allowed agents (per .View
    # interface) and the agents held per user, e.g. in redis, would make
    # repeated checks cheap.
    # NOTE(review): such a cache would have to be invalidated whenever tags or
    # memberships change, otherwise revoked access would linger.
    allowed_agents = set([a.obj for a in allowed_agents.all()])

    # Keep the allowed set for the denial report.
    if diagnose :
        diagnostics['allowed_agents'] = allowed_agents
    
    if agent in allowed_agents : # the agent must be tested directly: agent.get_enclosures no longer includes the agent itself
        return True

    if get_anonymous_group() in allowed_agents: 
        # The interface is open to anyone, so there is no need to test whether
        # this agent belongs to the "anyone" group.
        return True

    # The creator rule needs a resource to read the creator from.
    if resource:
        if get_creator_agent().obj in allowed_agents:
            actual_creator = resource.get_ref().creator
            if agent == actual_creator:
                return True

    # No special case for unauthenticated agents here: get_enclosure_set() is
    # called on whatever agent object was passed in.
    # NOTE(review): confirm that every agent type reaching this line provides it.
    agents_held = agent.get_enclosure_set()
    
    if diagnose :
        diagnostics['agents_held'] = agents_held

    # Allowed if any agent held by this agent is among the tag's agents.
    if allowed_agents.intersection(agents_held):
        return True


    # Denied. In diagnose mode, explain why on stdout.
    # NOTE(review): this output lists who may access the resource and what the
    # agent belongs to; keep diagnose off wherever stdout is visible to others.
    if diagnose :
        print
        print 'Interface ', interface
        print "Allowed Agents for ", resource
        for a in diagnostics['allowed_agents'] :
            print a
        print "Agents Held by ", agent
        for a in diagnostics['agents_held'] :
            print "%s,"%a,

        print
        # Allowed agents that the requesting agent does not hold.
        for a in diagnostics['allowed_agents'] :
            if not a in diagnostics['agents_held'] :
                print a, " not in agents_held"


    return False
Beispiel #4
def has_access(agent, resource, interface, sec_context=None, diagnose=None):
    """Return True if ``agent`` may use ``interface`` on ``resource``, else False.

    The SecurityTag for ``interface`` is looked up in ``sec_context`` when the
    caller supplies one, otherwise in the security context of the (unwrapped)
    resource. A missing tag is first created from the type defaults, provided
    the interface name appears in the interface map of the resource's type.

    Access is granted by the first rule that matches, tested in this order:

    1. ``agent`` itself is among the tag's agents;
    2. the anonymous group is among the tag's agents (open to anyone);
    3. ``resource`` is truthy, the creator agent is among the tag's agents and
       ``agent`` equals the creator recorded on the resource;
    4. the tag's agents intersect ``agent.get_enclosure_set()``.

    If none matches the result is False. With a truthy ``diagnose``, the
    denial is explained on stdout: interface, allowed agents, agents held by
    ``agent``, and the allowed agents that ``agent`` does not hold.

    The special-casing below makes this function hard to refactor, for
    instance to answer the question for many objects at once.
    """

    # In diagnose mode, collect the data needed to explain a denial.
    # `diagnostics` is only bound when diagnose is truthy; each later use sits
    # behind the same flag.
    if diagnose:
        diagnostics = {}

    # Work on the unwrapped agent; the wrapper is recognised by class name only.
    if agent.__class__.__name__ == "SecureWrapper":
        agent = agent.get_inner()

    if not sec_context:
        # No context supplied: unwrap the resource and use its own context.
        if resource.__class__.__name__ == "SecureWrapper":
            resource = resource.get_inner()
        context = resource.get_security_context()
    else:
        # NOTE(review): the resource is left wrapped on this path but is still
        # read below (resource.__class__ and resource.get_ref().creator).
        # Confirm what callers that pass sec_context hand in as resource.
        context = sec_context

    if not SecurityTag.objects.filter(interface=interface,
                                      security_context=context):
        # Create the tag when the interface is in the defaults for the type;
        # this allows new interfaces to be added to a type at runtime.
        typ = resource.__class__
        # Second dot-separated component of the interface string; a string
        # without a dot raises IndexError here.
        interface_name = interface.split('.')[1]
        if interface_name in get_interface_map(typ.__name__):
            # Defaults are keyed by the class of the context agent's object,
            # then by that agent's permission prototype.
            agent_defaults = AgentDefaults[
                context.context_agent.obj.__class__][
                    context.context_agent.permission_prototype]
            slider_agents = SliderAgents[context.context_agent.obj.__class__](
                context)
            sad = dict(slider_agents)
            context.setup_tag_from_defaults(interface, sad, agent_defaults)

    # Which agents have access?
    # NOTE(review): if the tag still does not exist at this point, .get() is
    # unguarded; with the Django ORM it raises DoesNotExist rather than
    # yielding False. Confirm that callers treat that as a denial.
    allowed_agents = SecurityTag.objects.get(interface=interface,
                                             security_context=context).agents

    # Original author's performance note: caching the allowed agents (per .View
    # interface) and the agents held per user, e.g. in redis, would make
    # repeated checks cheap.
    # NOTE(review): a cache like that must be invalidated when tags or
    # memberships change, or revoked access would keep working.
    allowed_agents = set([a.obj for a in allowed_agents.all()])

    # Keep the allowed set for the denial report.
    if diagnose:
        diagnostics['allowed_agents'] = allowed_agents

    if agent in allowed_agents:  # the agent must be tested directly: agent.get_enclosures no longer includes the agent itself
        return True

    if get_anonymous_group() in allowed_agents:
        # The interface is open to anyone, so there is no need to test whether
        # this agent belongs to the "anyone" group.
        return True

    # The creator rule can only be evaluated when there is a resource to read
    # the creator from.
    if resource:
        if get_creator_agent().obj in allowed_agents:
            actual_creator = resource.get_ref().creator
            if agent == actual_creator:
                return True

    # There is no separate branch for unauthenticated agents: whatever agent
    # object was passed in is asked for its enclosure set.
    # NOTE(review): confirm that every agent type reaching this line provides it.
    agents_held = agent.get_enclosure_set()

    if diagnose:
        diagnostics['agents_held'] = agents_held

    # Allowed if any agent held by this agent is among the tag's agents.
    if allowed_agents.intersection(agents_held):
        return True

    # Denied. In diagnose mode, explain why on stdout.
    # NOTE(review): the report lists who may access the resource and what the
    # agent belongs to; keep diagnose off wherever stdout is visible to others.
    if diagnose:
        print
        print 'Interface ', interface
        print "Allowed Agents for ", resource
        for a in diagnostics['allowed_agents']:
            print a
        print "Agents Held by ", agent
        for a in diagnostics['agents_held']:
            print "%s," % a,

        print
        # Allowed agents that the requesting agent does not hold.
        for a in diagnostics['allowed_agents']:
            if not a in diagnostics['agents_held']:
                print a, " not in agents_held"

    return False
Beispiel #5
def get_slider_agents(scontext):
    """List the named agents of ``scontext`` as (name, agent) 2-tuples.

    The anonymous and all-members groups are added as refs (``get_ref()``).
    The context agent, the creator agent and the context admin are used as
    they are returned. The names and their order are fixed.
    """
    labels = (
        'anonymous_group',
        'all_members_group',
        'context_agent',
        'creator',
        'context_admin',
    )
    # Values are evaluated top to bottom, in the same order as the labels.
    agents = (
        get_anonymous_group().get_ref(),
        get_all_members_group().get_ref(),
        scontext.context_agent,
        get_creator_agent(),
        scontext.context_admin,
    )
    return list(zip(labels, agents))