Esempio n. 1
    def verifyPermissionsForWriteToItemElement(self,
                                               session,
                                               userId,
                                               itemElementId=None,
                                               dbItemElementObject=None):
        """
        Verify that *userId* may modify an item element.

        At least one of *itemElementId* or *dbItemElementObject* is needed;
        when an object is given it takes precedence and its id is used in
        the error message, otherwise the element is loaded with
        getItemElementById. Write access is granted to the entity owner,
        to members of the owning group when the entity is group-writeable,
        and to members of the CDB admin group (self.CDB_ADMIN_GROUP_NAME).

        Returns True when access is granted. This method never returns
        False: a user without access raises InvalidSession, and
        InvalidArgument is raised when neither lookup key was supplied.
        """
        if dbItemElementObject is None and itemElementId is None:
            raise InvalidArgument(
                "At least the item element id or item element object must be provided."
            )
        if dbItemElementObject is not None:
            itemElementId = dbItemElementObject.id
        else:
            dbItemElementObject = self.getItemElementById(
                session, itemElementId)

        # The caller is resolved before the ownership shortcut so that an
        # unknown user id fails the same way on every path.
        dbUserInfo = self.userInfoHandler.getUserInfoById(session, userId)

        entityInfo = dbItemElementObject.entityInfo
        if entityInfo.ownerUserInfo.id == userId:
            return True

        groupWriteable = entityInfo.is_group_writeable
        owningGroupId = entityInfo.ownerUserGroup.id
        adminGroupName = self.CDB_ADMIN_GROUP_NAME

        def grantsWrite(userGroup):
            # Owning-group membership counts only for group-writeable
            # entities; admin-group membership always counts.
            if groupWriteable and userGroup.id == owningGroupId:
                return True
            return userGroup.name == adminGroupName

        if any(grantsWrite(group) for group in dbUserInfo.userGroupList):
            return True

        raise InvalidSession(
            "User %s does not have permissions to modify item element %s" %
            (userId, itemElementId))
Esempio n. 2
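    def checkAuthorization(cls, *args, **kwargs):
        """
        CherryPy tool that enforces the 'auth.require' config entry.

        When 'auth.require' is absent or None the request passes through
        untouched. Otherwise the caller must present a session id that is
        still in the session cache and a session that carries a username
        (LoginController.SESSION_USERNAME_KEY); the username is stored on
        cherrypy.request.login and each entry of 'auth.require' is called
        as a zero-argument predicate that must return a truthy value.

        Raises CdbHttpError with CDB_HTTP_UNAUTHORIZED for an unknown or
        expired session, a session without a username, or a failed
        condition.
        """
        logger = LoggingManager.getInstance().getLogger(
            'LoginController:checkAuthorization')
        conditions = cherrypy.request.config.get('auth.require', None)

        if conditions is None:
            logger.debug('No conditions imposed')
            return

        sessionId = cherrypy.serving.session.id
        sessionCache = cherrypy.session.cache

        # Check session.
        if sessionId not in sessionCache:
            errorMsg = 'Invalid or expired session id: %s.' % sessionId
            logger.debug(errorMsg)
            raise CdbHttpError(cdbHttpStatus.CDB_HTTP_UNAUTHORIZED,
                               'User Not Authorized', InvalidSession(errorMsg))

        username = cherrypy.session.get(LoginController.SESSION_USERNAME_KEY)
        logger.debug('Session id %s is valid (username: %s)' %
                     (sessionId, username))
        if not username:
            # A valid session without a username is not a logged-in user.
            # This branch used to reference an undefined name ("ex"), which
            # turned the rejection into a NameError (HTTP 500) instead of
            # the intended 401.
            logger.debug('Username is not supplied')
            errorMsg = 'Username is not supplied.'
            raise CdbHttpError(cdbHttpStatus.CDB_HTTP_UNAUTHORIZED,
                               'User Not Authorized', InvalidSession(errorMsg))

        cherrypy.request.login = username
        for condition in conditions:
            # A condition is just a callable that returns true or false
            if not condition():
                logger.debug(
                    'Authorization check %s failed for username %s' %
                    (condition.__name__, username))
                errorMsg = 'Authorization check %s failed for user %s.' % (
                    condition.__name__, username)
                raise CdbHttpError(cdbHttpStatus.CDB_HTTP_UNAUTHORIZED,
                                   'User Not Authorized',
                                   AuthorizationError(errorMsg))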
Esempio n. 3
    def verifyPermissionsToUpdatePropertyValue(self, session, dbPropertyValue,
                                               userId):
        """
        Verify that *userId* may update *dbPropertyValue*.

        A user-writeable property value may be edited by anyone. Otherwise
        the value is resolved to its item element and the caller must hold
        write access to that element, as decided by
        verifyPermissionsForWriteToItemElement.

        Returns True when the update is allowed; raises InvalidSession
        otherwise.
        """
        # Any user has permission to update.
        if dbPropertyValue.is_user_writeable:
            return True

        elementProperty = self.__getItemElementPropertyFromPropertyValueId(
            session, dbPropertyValue.id)
        allowed = self.verifyPermissionsForWriteToItemElement(
            session, userId, dbItemElementObject=elementProperty.itemElement)
        if allowed:
            return True

        raise InvalidSession(
            "User id %s  does not have necessary permissions to edit: %s" %
            (userId, dbPropertyValue))
Esempio n. 4
    def verifyUserCreatedLogEntry(self,
                                  session,
                                  userId,
                                  logId=None,
                                  dbLogObject=None):
        """
        Verify that the log entry was entered by *userId*.

        Either *logId* or *dbLogObject* must be given. With an object its
        id is used for the error message; otherwise the entry is loaded
        with findLogById. Returns True when entered_by_user_id matches
        *userId*, raises InvalidSession otherwise, and InvalidArgument
        when neither key was supplied.
        """
        if dbLogObject is None and logId is None:
            raise InvalidArgument(
                "At least log id or db log object must be provided.")
        if dbLogObject is not None:
            logId = dbLogObject.id
        else:
            dbLogObject = self.findLogById(session, logId)

        if userId == dbLogObject.entered_by_user_id:
            return True

        raise InvalidSession("The log entry %s was created by another user." %
                             logId)