async def authorizeRequest(
self,
request: IRequest,
event: Optional[Event],
requiredAuthorizations: Authorization,
) -> None:
"""
Determine whether the user attached to a request has the required
authorizations in the context of a given event.
"""
self.authenticateRequest(request)
userAuthorizations = await self.authorizationsForUser(
request.user, event
)
request.authorizations = userAuthorizations
if not (requiredAuthorizations & userAuthorizations):
self._log.debug(
"Authorization failed for {request.user}. "
"Requires {requiredAuthorizations}, has {userAuthorizations}. "
"URI: {request.uri}",
request=request,
requiredAuthorizations=requiredAuthorizations,
userAuthorizations=userAuthorizations,
)
raise NotAuthorizedError("User not authorized")
async def authorizeRequest(
self, request: IRequest, event: Optional[Event],
requiredAuthorizations: Authorization,
) -> None:
"""
Determine whether the user attached to a request has the required
authorizations in the context of a given event.
"""
self.authenticateRequest(request)
userAuthorizations = await self.authorizationsForUser(
request.user, event
)
request.authorizations = userAuthorizations
if not (requiredAuthorizations & userAuthorizations):
self._log.debug(
"Authorization failed for {request.user}. "
"Requires {requiredAuthorizations}, has {userAuthorizations}. "
"URI: {request.uri}",
request=request,
requiredAuthorizations=requiredAuthorizations,
userAuthorizations=userAuthorizations,
)
raise NotAuthorizedError(f"User not authorized")
async def authorizeRequestForIncidentReport(
self, request: IRequest, incidentReport: IncidentReport
) -> None:
"""
Determine whether the user attached to a request has the required
authorizations to read the incident report with the given number.
"""
# The author of the incident report should be allowed to read and write
# to it.
if request.user is not None and incidentReport.reportEntries:
rangerHandle = request.user.rangerHandle
for reportEntry in incidentReport.reportEntries:
if reportEntry.author == rangerHandle:
request.authorizations = (
Authorization.readIncidentReports |
Authorization.writeIncidentReports
)
return
# If there are incidents attached to this incident report, then the
# permissions on the attached incidents (which are determined by the
# events containing the incidents) determine the permission on the
# incident report.
# So we'll iterate over all of the events containing incidents that
# this incident report is attached to, and see if any of those events
# can approve the request.
events = frozenset(
event for event, _incidentNumber in
await self.store.incidentsAttachedToIncidentReport(
incidentReport.number
)
)
if events:
for event in events:
# There are incidents attached; use the authorization for
# reading incidents from the corresponding events.
# Because it's possible for multiple incidents to be attached,
# if one event fails, keep trying the others in case they allow
# it.
try:
await self.authorizeRequest(
request, event, Authorization.readIncidents
)
except NotAuthorizedError as e:
authFailure = e
else:
return
raise authFailure
# Incident report is detached
await self.authorizeRequest(
request, None, Authorization.readIncidentReports
)
async def authorizeRequestForIncidentReport(
self, request: IRequest, incidentReport: IncidentReport) -> None:
"""
Determine whether the user attached to a request has the required
authorizations to read the incident report with the given number.
"""
# The author of the incident report should be allowed to read and write
# to it.
if request.user is not None and incidentReport.reportEntries:
rangerHandle = request.user.rangerHandle
for reportEntry in incidentReport.reportEntries:
if reportEntry.author == rangerHandle:
request.authorizations = (
Authorization.readIncidentReports
| Authorization.writeIncidentReports)
return
# If there are incidents attached to this incident report, then the
# permissions on the attached incidents (which are determined by the
# events containing the incidents) determine the permission on the
# incident report.
# So we'll iterate over all of the events containing incidents that
# this incident report is attached to, and see if any of those events
# can approve the request.
events = frozenset(
event for event, _incidentNumber in await self.store.
incidentsAttachedToIncidentReport(incidentReport.number))
if events:
for event in events:
# There are incidents attached; use the authorization for
# reading incidents from the corresponding events.
# Because it's possible for multiple incidents to be attached,
# if one event fails, keep trying the others in case they allow
# it.
try:
await self.authorizeRequest(request, event,
Authorization.readIncidents)
except NotAuthorizedError as e:
authFailure = e
else:
return
raise authFailure
# Incident report is detached
await self.authorizeRequest(request, None,
Authorization.readIncidentReports)
async def authorizeRequestForIncidentReport(
self, request: IRequest, incidentReport: IncidentReport
) -> None:
"""
Determine whether the user attached to a request has the required
authorizations to read the incident report with the given number.
"""
# The author of the incident report should be allowed to read and write
# to it.
if request.user is not None and incidentReport.reportEntries:
rangerHandle = request.user.rangerHandle
for reportEntry in incidentReport.reportEntries:
if reportEntry.author == rangerHandle:
request.authorizations = Authorization.writeIncidentReports
return
# Otherwise, use the ACL for the event associated with the incident
# report.
await self.authorizeRequest(
request, incidentReport.event, Authorization.readIncidents
)
