Esempio n. 1
0
        def _check_groups(*args, **kwargs):
            request = _find_httprequest(args)
            mrp = request.mozreview_profile

            if not mrp:
                # This should never happen since webapi_login_required
                # should mean they are authenticated and our middleware
                # has added the profile to the request. Check it just
                # to make sure nothing went wrong with the middleware.
                logger.error(
                    'No MozReviewUserProfile for authenticated user: %s',
                    request.user.id)
                return PERMISSION_DENIED

            if not mrp.ldap_username:
                logger.info(
                    'No ldap_username for user: %s when '
                    'attempting to access protected resource', request.user.id)
                return PERMISSION_DENIED.with_message(
                    'You are not associated with an ldap account')

            for group in groups:
                if not mrp.has_scm_ldap_group(group):
                    logger.info(
                        'Missing group membership for user: %s '
                        'when attempting to access protected '
                        'resource', request.user.id)
                    return PERMISSION_DENIED.with_message(
                        'You do not have the required ldap permissions')

            return view_func(*args, **kwargs)
Esempio n. 2
0
    def _check(*args, **kwargs):
        request = _find_httprequest(args)
        local_site_name = kwargs.get('local_site_name', None)
        webapi_token = getattr(request, '_webapi_token', None)

        if webapi_token:
            restrict_to_local_site = request._webapi_token.local_site_id
        else:
            restrict_to_local_site = None

        if local_site_name:
            local_site = get_object_or_none(LocalSite, name=local_site_name)

            if not local_site:
                return DOES_NOT_EXIST
            elif not local_site.is_accessible_by(request.user):
                if request.user.is_authenticated():
                    return PERMISSION_DENIED
                else:
                    return NOT_LOGGED_IN
            elif (restrict_to_local_site and
                  restrict_to_local_site != local_site.pk):
                return PERMISSION_DENIED

            kwargs['local_site'] = local_site
        elif restrict_to_local_site is not None:
            return PERMISSION_DENIED
        else:
            kwargs['local_site'] = None

        return view_func(*args, **kwargs)
Esempio n. 3
0
    def _check(*args, **kwargs):
        request = _find_httprequest(args)
        local_site_name = kwargs.get('local_site_name', None)
        webapi_token = getattr(request, '_webapi_token', None)

        if webapi_token:
            restrict_to_local_site = request._webapi_token.local_site_id
        else:
            restrict_to_local_site = None

        if local_site_name:
            local_site = get_object_or_none(LocalSite, name=local_site_name)

            if not local_site:
                return DOES_NOT_EXIST
            elif not local_site.is_accessible_by(request.user):
                if request.user.is_authenticated():
                    return PERMISSION_DENIED
                else:
                    return NOT_LOGGED_IN
            elif (restrict_to_local_site
                  and restrict_to_local_site != local_site.pk):
                return PERMISSION_DENIED
        elif restrict_to_local_site is not None:
            return PERMISSION_DENIED

        return view_func(*args, **kwargs)
Esempio n. 4
0
    def _check(*args, **kwargs):
        siteconfig = SiteConfiguration.objects.get_current()
        request = _find_httprequest(args)

        if (siteconfig.get("auth_require_sitewide_login") or
            (request.user.is_anonymous() and
             'HTTP_AUTHORIZATION' in request.META)):
            return webapi_login_required(view_func)(*args, **kwargs)
        else:
            return view_func(*args, **kwargs)
Esempio n. 5
0
    def _check(*args, **kwargs):
        request = _find_httprequest(args)
        local_site_name = kwargs.get('local_site_name', None)
        if local_site_name:
            try:
                local_site = LocalSite.objects.get(name=local_site_name)
                if not local_site.is_accessible_by(request.user):
                    return WebAPIResponseError(request, PERMISSION_DENIED)
            except LocalSite.DoesNotExist:
                return WebAPIResponseError(request, DOES_NOT_EXIST)

        return view_func(*args, **kwargs)
Esempio n. 6
0
    def _check(*args, **kwargs):
        request = _find_httprequest(args)
        local_site_name = kwargs.get('local_site_name', None)
        if local_site_name:
            try:
                local_site = LocalSite.objects.get(name=local_site_name)

                if not local_site.is_accessible_by(request.user):
                    if request.user.is_authenticated():
                        return PERMISSION_DENIED
                    else:
                        return NOT_LOGGED_IN
            except LocalSite.DoesNotExist:
                return DOES_NOT_EXIST

        return view_func(*args, **kwargs)
Esempio n. 7
0
    def _check(*args, **kwargs):
        request = _find_httprequest(args)
        local_site_name = kwargs.get('local_site_name', None)
        if local_site_name:
            try:
                local_site = LocalSite.objects.get(name=local_site_name)

                if not local_site.is_accessible_by(request.user):
                    if request.user.is_authenticated():
                        return PERMISSION_DENIED
                    else:
                        return NOT_LOGGED_IN
            except LocalSite.DoesNotExist:
                return DOES_NOT_EXIST

        return view_func(*args, **kwargs)
Esempio n. 8
0
    def _check(*args, **kwargs):
        request = _find_httprequest(args)
        local_site_name = kwargs.get('local_site_name', None)
        webapi_token = getattr(request, '_webapi_token', None)

        if webapi_token:
            restrict_to_local_site = request._webapi_token.local_site_id
        else:
            restrict_to_local_site = None

        if local_site_name:
            local_site = get_object_or_none(LocalSite, name=local_site_name)

            if not local_site:
                return DOES_NOT_EXIST
            elif not local_site.is_accessible_by(request.user):
                if request.user.is_authenticated():
                    logging.warning('%s %s: user %s does not have access to '
                                    'local site "%s".',
                                    request.method, request.path_info,
                                    request.user.username, local_site_name)
                    return PERMISSION_DENIED
                else:
                    return NOT_LOGGED_IN
            elif (restrict_to_local_site and
                  restrict_to_local_site != local_site.pk):
                logging.warning('%s %s: API token for user %s does not have '
                                'access to local site "%s".',
                                request.method, request.path_info,
                                request.user.username, local_site_name)
                return PERMISSION_DENIED

            kwargs['local_site'] = local_site
        elif restrict_to_local_site is not None:
            logging.warning('%s %s: API token for user %s is limited to a '
                            'local site but the request was for the root.',
                            request.method, request.path_info,
                            request.user.username)
            return PERMISSION_DENIED
        else:
            kwargs['local_site'] = None

        return view_func(*args, **kwargs)
Esempio n. 9
0
        def _check_groups(*args, **kwargs):
            request = _find_httprequest(args)
            mrp = request.mozreview_profile

            if not mrp:
                # This should never happen since webapi_login_required
                # should mean they are authenticated and our middleware
                # has added the profile to the request. Check it just
                # to make sure nothing went wrong with the middleware.
                logging.error('No MozReviewUserProfile for authenticated user')
                return PERMISSION_DENIED

            if not mrp.ldap_username:
                return PERMISSION_DENIED.with_message(
                    'You are not associated with an ldap account')

            for group in groups:
                if not mrp.has_scm_ldap_group(group):
                    return PERMISSION_DENIED.with_message(
                        'You do not have the required ldap permissions')

            return view_func(*args, **kwargs)
Esempio n. 10
0
    def _check(*args, **kwargs):
        request = _find_httprequest(args)
        local_site_name = kwargs.get('local_site_name', None)
        webapi_token = getattr(request, '_webapi_token', None)
        oauth_token = getattr(request, '_oauth2_token', None)

        if webapi_token:
            restrict_to_local_site = request._webapi_token.local_site_id
            token_type = 'API'
        elif oauth_token:
            restrict_to_local_site = oauth_token.application.local_site_id
            token_type = 'OAuth'
        else:
            restrict_to_local_site = None
            token_type = None

        if local_site_name:
            local_site = get_object_or_none(LocalSite, name=local_site_name)

            if not local_site:
                return DOES_NOT_EXIST
            elif not local_site.is_accessible_by(request.user):
                if request.user.is_authenticated:
                    logger.warning(
                        'User does not have access to local site.',
                        request=request,
                    )
                    return PERMISSION_DENIED
                else:
                    return NOT_LOGGED_IN
            elif oauth_token and not oauth_token.application.enabled:
                logger.warning(
                    'OAuth token using disabled application "%s" (%d).',
                    oauth_token.application.name,
                    oauth_token.application.pk,
                    request=request,
                )
                return PERMISSION_DENIED
            elif oauth_token and not restrict_to_local_site:
                # OAuth tokens for applications on the global site cannot be
                # used on a local site.
                logger.warning(
                    'OAuth token is for root, not local site.',
                    request=request,
                )
                return PERMISSION_DENIED
            elif (restrict_to_local_site
                  and restrict_to_local_site != local_site.pk):
                logger.warning(
                    '%s token does not have access to local site.',
                    token_type,
                    request=request,
                )
                return PERMISSION_DENIED

            kwargs['local_site'] = local_site
        elif restrict_to_local_site is not None:
            logger.warning(
                '%s token is limited to a local site but the request was for '
                'the root.',
                token_type,
                request=request,
            )
            return PERMISSION_DENIED
        else:
            kwargs['local_site'] = None

        return view_func(*args, **kwargs)
Esempio n. 11
0
    def _check(*args, **kwargs):
        request = _find_httprequest(args)
        local_site_name = kwargs.get('local_site_name', None)
        webapi_token = getattr(request, '_webapi_token', None)
        oauth_token = getattr(request, '_oauth2_token', None)

        if webapi_token:
            restrict_to_local_site = request._webapi_token.local_site_id
            token_type = 'API'
        elif oauth_token:
            restrict_to_local_site = oauth_token.application.local_site_id
            token_type = 'OAuth'
        else:
            restrict_to_local_site = None
            token_type = None

        if local_site_name:
            local_site = get_object_or_none(LocalSite, name=local_site_name)

            if not local_site:
                return DOES_NOT_EXIST
            elif not local_site.is_accessible_by(request.user):
                if request.user.is_authenticated():
                    logging.warning(
                        'User does not have access to local site.',
                        request=request,
                    )
                    return PERMISSION_DENIED
                else:
                    return NOT_LOGGED_IN
            elif oauth_token and not oauth_token.application.enabled:
                logging.warning(
                    'OAuth token using disabled application "%s" (%d).',
                    oauth_token.application.name,
                    oauth_token.application.pk,
                    request=request,
                )
                return PERMISSION_DENIED
            elif oauth_token and not restrict_to_local_site:
                # OAuth tokens for applications on the global site cannot be
                # used on a local site.
                logging.warning(
                    'OAuth token is for root, not local site.',
                    request=request,
                )
                return PERMISSION_DENIED
            elif (restrict_to_local_site and
                  restrict_to_local_site != local_site.pk):
                logging.warning(
                    '%s token does not have access to local site.',
                    token_type,
                    request=request,
                )
                return PERMISSION_DENIED

            kwargs['local_site'] = local_site
        elif restrict_to_local_site is not None:
            logging.warning(
                '%s token is limited to a local site but the request was for '
                'the root.',
                token_type,
                request=request,
            )
            return PERMISSION_DENIED
        else:
            kwargs['local_site'] = None

        return view_func(*args, **kwargs)