def get_default_where_clauses(self, container: IContainer) -> typing.List[str]: users = [] roles = [] principal = get_authenticated_user() if principal is None: # assume anonymous then principal = AnonymousUser() policy = get_security_policy(principal) users.append(principal.id) users.extend(principal.groups) roles_dict = policy.global_principal_roles(principal.id, principal.groups) roles.extend([key for key, value in roles_dict.items() if value]) clauses = [ "json->'access_users' ?| array['{}']".format("','".join( [sqlq(u) for u in users])), "json->'access_roles' ?| array['{}']".format("','".join( [sqlq(r) for r in roles])), ] sql_wheres = ["({})".format(" OR ".join(clauses))] sql_wheres.append( f"""json->>'container_id' = '{sqlq(container.id)}'""") sql_wheres.append("""type != 'Container'""") sql_wheres.append(f"""parent_id != '{sqlq(TRASHED_ID)}'""") return sql_wheres
def get_default_where_clauses( self, context: IBaseObject, unrestricted: bool = False) -> typing.List[str]: clauses = [] sql_wheres = [] if unrestricted is False: users = [] principal = get_authenticated_user() if principal is None: # assume anonymous then principal = AnonymousUser() users.append(principal.id) users.extend(principal.groups) roles = get_roles_principal(context) clauses.extend([ "json->'access_users' ?| array['{}']".format("','".join( [sqlq(u) for u in users])), "json->'access_roles' ?| array['{}']".format("','".join( [sqlq(r) for r in roles])), ]) sql_wheres.append("({})".format(" OR ".join(clauses))) container = find_container(context) if container is None: raise ContainerNotFound() sql_wheres.append( f"""json->>'container_id' = '{sqlq(container.id)}'""") sql_wheres.append("""type != 'Container'""") sql_wheres.append(f"""parent_id != '{sqlq(TRASHED_ID)}'""") return sql_wheres
def get_security_policy(user: Optional[IPrincipal] = None) -> ISecurityPolicy: if user is None: user = get_authenticated_user() if user is None: from guillotina.auth.users import AnonymousUser user = AnonymousUser() security_policies = task_vars.security_policies.get() if security_policies is None: security_policies = {} task_vars.security_policies.set(security_policies) if user.id not in security_policies: security_policies[user.id] = get_adapter(user, ISecurityPolicy) return security_policies[user.id]
def get_roles_principal(obj): """ Return the roles that has access to the content that are global roles""" if obj is None: return [] authenticated = get_authenticated_user() if authenticated is None: from guillotina.auth.users import AnonymousUser authenticated = AnonymousUser() policy = get_security_policy(authenticated) roles = policy.cached_principal_roles(obj, authenticated.id, authenticated.groups, "o") return [role for role, value in roles.items() if value]
async def real_resolve(self, request: IRequest) -> Optional[MatchInfo]: """Main function to resolve a request.""" if request.method not in app_settings['http_methods']: raise HTTPMethodNotAllowed( method=request.method, allowed_methods=[ k for k in app_settings['http_methods'].keys() ]) method = app_settings['http_methods'][request.method] try: resource, tail = await self.traverse(request) except ConflictError: # can also happen from connection errors so we bubble this... raise except Exception as _exc: logger.error('Unhandled exception occurred', exc_info=True) request.resource = request.tail = None request.exc = _exc data = { 'success': False, 'exception_message': str(_exc), 'exception_type': getattr(type(_exc), '__name__', str(type(_exc))), # noqa } if app_settings.get('debug'): data['traceback'] = traceback.format_exc() raise HTTPBadRequest(content={'reason': data}) request.record('traversed') await notify(ObjectLoadedEvent(resource)) request.resource = resource request.tail = tail if request.resource is None: await notify(TraversalResourceMissEvent(request, tail)) raise HTTPNotFound(content={"reason": 'Resource not found'}) if tail and len(tail) > 0: # convert match lookups view_name = routes.path_to_view_name(tail) elif not tail: view_name = '' request.record('beforeauthentication') authenticated = await authenticate_request(request) # Add anonymous participation if authenticated is None: authenticated = AnonymousUser() set_authenticated_user(authenticated) request.record('authentication') policy = get_security_policy(authenticated) for language in get_acceptable_languages(request): translator = query_adapter((resource, request), ILanguage, name=language) if translator is not None: resource = translator.translate() break # container registry lookup try: view = query_multi_adapter((resource, request), method, name=view_name) except AttributeError: view = None if view is None and method == IOPTIONS: view = DefaultOPTIONS(resource, request) # Check security on context to AccessContent unless # is view allows explicit or its OPTIONS permission = get_utility(IPermission, name='guillotina.AccessContent') if not policy.check_permission(permission.id, resource): # Check if its a CORS call: if IOPTIONS != method: # Check if the view has permissions explicit if view is None or not view.__allow_access__: logger.info( "No access content {content} with {auth}".format( content=resource, auth=authenticated.id), request=request) raise HTTPUnauthorized( content={ "reason": "You are not authorized to access content", "content": str(resource), "auth": authenticated.id }) if not view and len(tail) > 0: # we should have a view in this case because we are matching routes await notify(TraversalViewMissEvent(request, tail)) return None request.found_view = view request.view_name = view_name request.record('viewfound') ViewClass = view.__class__ view_permission = get_view_permission(ViewClass) if view_permission is None: # use default view permission view_permission = app_settings['default_permission'] if not policy.check_permission(view_permission, view): if IOPTIONS != method: raise HTTPUnauthorized( content={ "reason": "You are not authorized to view", "content": str(resource), "auth": authenticated.id }) try: view.__route__.matches(request, tail or []) except (KeyError, IndexError): await notify(TraversalRouteMissEvent(request, tail)) return None except AttributeError: pass if hasattr(view, 'prepare'): view = (await view.prepare()) or view request.record('authorization') return MatchInfo(resource, request, view)
def __init__(self, request): self.principal = AnonymousUser(request) self.principal._roles['guillotina.Anonymous'] = Allow self.interaction = None