コード例 #1
ファイル: access.py プロジェクト: pontiflex/trustme
	def requested(cls, action):
		"""Find actions that have an access record with no capability attached.

		action is either an Action instance or a class to query. For an
		instance the result is a bool: whether that instance appears in the
		query built for its own class. For anything else the result is a
		distinct query over `action` joined to AccessRecord.
		"""
		if not isinstance(action, Action):
			pending = DBSession.query(action).join(AccessRecord)
			# `== None` is deliberate: the ORM turns it into an IS NULL test.
			# Rewriting it as `is None` would evaluate in Python instead.
			pending = pending.filter(AccessRecord.capability == None)
			return pending.distinct()
		# Instance form: membership test against the class-level query.
		return action in cls.requested(action.__class__)
コード例 #2
ファイル: check.py プロジェクト: pontiflex/trustme
def __check(action_class, serial):
    """Render the current status of the action identified by `serial`.

    The first row of `action_class` whose Action.serial matches is loaded.
    If there is none, an HTTPNotFound object is *returned* (not raised).
    Otherwise the status is decided in a fixed order -- approved, denied,
    pending, rejected -- and passed to req.render() together with True
    (the meaning of that second argument is not visible here).

    NOTE(review): no check of the caller's permissions is visible in this
    function; the serial is the only selector. Confirm the route is gated
    elsewhere or that serials are not guessable.
    """
    req = DBSession.query(action_class).filter(Action.serial == serial).first()
    if req is None:
        return HTTPNotFound("Invalid serial number")

    # Order matters: an approved/denied outcome is reported before the
    # request is considered merely pending, and "rejected" is the fallback.
    if Access.processed(req, True):
        state = "approved"
    elif Access.processed(req, False):
        state = "denied"
    elif Access.filtered(req):
        state = "pending"
    else:
        state = "rejected"
    return req.render(state, True)
コード例 #3
ファイル: capability.py プロジェクト: pontiflex/trustme
 def usable(cls, t=None, user=None, action_class=None, access_types=None):
     """Return the capabilities that are usable at time `t`.

     t:            reference time; defaults to `time() // 1` (presumably the
                   current time floored to whole seconds -- confirm `time`).
     user:         if given, only capabilities whose user equals it.
     action_class: if given, only capabilities for that action class.
     access_types: if given, only capabilities whose access_type is in it.

     A capability is kept when it is not revoked (revoked IS NULL), its
     start_time is NULL or <= t, and its end_time is NULL or >= t; a NULL
     bound therefore means "unbounded" and both ends are inclusive. Each
     surviving row must additionally pass its own valid() check, which runs
     in Python after the query. Returns a list.
     """
     if t is None:
         t = time() // 1

     candidates = DBSession.query(cls)

     # Optional narrowing filters first, then the mandatory revocation and
     # validity-window filters. `== None` builds IS NULL in the ORM.
     criteria = []
     if user is not None:
         criteria.append(Capability.user == user)
     if action_class is not None:
         criteria.append(Capability.action_class == action_class)
     if access_types is not None:
         criteria.append(Capability.access_type.in_(access_types))
     criteria.append(Capability.revoked == None)
     criteria.append(or_(Capability.start_time == None, Capability.start_time <= t))
     criteria.append(or_(Capability.end_time == None, Capability.end_time >= t))

     for criterion in criteria:
         candidates = candidates.filter(criterion)

     return [cap for cap in candidates if cap.valid()]
コード例 #4
ファイル: access.py プロジェクト: pontiflex/trustme
	def processed(cls, action, success=True):
		"""Report which actions have been decided through an EXIT capability.

		action is either an Action instance (result is a bool) or a class to
		query (result is a distinct query). Only access records with
		allowed == True are considered.

		success=None  -> any EXIT access type counts.
		success truthy -> has an EXIT[0] record and no EXIT[1] record.
		success falsy  -> has an EXIT[1] record.

		An EXIT[1] record therefore overrides an EXIT[0] record for the same
		action: the "success" query subtracts the "failure" query.
		"""
		if isinstance(action, Action):
			kind = action.__class__
			# Not decided at all -> never "processed", whatever was asked.
			if action not in cls.processed(kind, success=None):
				return False
			if success is None:
				return True
			failed = action in cls.processed(kind, success=False)
			return success != failed

		base = (DBSession.query(action)
					.join(AccessRecord).join(Capability)
					.filter(AccessRecord.allowed == True))
		if success is None:
			return base.filter(Capability.access_type.in_(EXIT)).distinct()

		denied = base.filter(Capability.access_type == EXIT[1])
		if not success:
			return denied.distinct()
		# EXCEPT removes every action that also has an EXIT[1] record.
		return base.filter(Capability.access_type == EXIT[0]).except_(denied).distinct()
コード例 #5
ファイル: review.py プロジェクト: pontiflex/trustme
def review_page(request, action_class, **kwargs):
	"""Handle the review page: apply one posted decision, then list what is left.

	access.allowable(action_class) yields either False (the caller may not
	review this class at all -> HTTPForbidden) or a mapping from action to
	the capabilities usable on it. When the POST carries the serial field
	and at least one EXIT key, the matching action is looked up and the
	checks run in this order: unknown serial -> HTTPNotFound; action not in
	the caller's allowable set -> HTTPForbidden; both EXIT keys posted ->
	ValueError. The decision is then performed with only the capabilities
	whose access_type matches the chosen EXIT value.

	Returns a dict with the rendered forms, the answer text and **kwargs.

	NOTE(review): no anti-CSRF token check is visible in this function even
	though the POST records an approve/deny decision -- confirm it is
	enforced by the framework or by FORM_TEMPLATE.
	"""
	access = Access(request)
	allowable = access.allowable(action_class)
	if allowable is False:
		readable_name = action_class.readable()
		raise HTTPForbidden("You don't have sufficient permissions to review %s requests" % readable_name)

	serial_field = 'SERIAL'

	answer = ''
	posted = request.POST
	if serial_field in posted and (EXIT[0] in posted or EXIT[1] in posted):
		wanted_serial = posted[serial_field]
		action = DBSession.query(action_class).filter(Action.serial == wanted_serial).first()
		if action is None:
			raise HTTPNotFound('Invalid serial number')
		# Authorisation is per action: the serial must belong to an action
		# this caller is allowed to process, not merely exist.
		if action not in allowable:
			raise HTTPForbidden('Action not available for processing')
		# NOTE(review): a plain ValueError presumably surfaces as a server
		# error rather than a 4xx response -- confirm that is intended.
		if EXIT[0] in posted and EXIT[1] in posted:
			raise ValueError('Both "%s" and "%s" specified in form' % EXIT)
		choice = EXIT[1] if EXIT[1] in posted else EXIT[0]
		matching_caps = [c for c in allowable[action] if c.access_type == choice]
		try:
			answer = access.perform_with_one(action, matching_caps)
		except HTTPException as e:
			answer = e.detail
		else:
			# Decided successfully: do not offer this action again below.
			del allowable[action]

	forms = []
	form_params = dict(serial_field=serial_field)
	labels = {EXIT[0]:'Allow', EXIT[1]:'Deny'}
	for action, caps in allowable.iteritems():
		template, template_params = action.render('pending')
		form_params['info'] = HTML(render(template, template_params, request))
		form_params['serial'] = action.serial
		form_params['credentials'] = offer_creds(request, caps)
		# Only offer the buttons the caller actually holds a capability for.
		offered = set((c.access_type for c in caps))
		form_params['buttons'] = ((c, labels[c]) for c in offered)
		forms.append(HTML(render(FORM_TEMPLATE, form_params, request)))
	if not forms:
		forms.append('No requests are available for processing')

	# NOTE(review): `answer` can be an exception's detail text and is wrapped
	# in HTML() here; if HTML() marks text as safe markup, confirm detail
	# strings never carry request-controlled data.
	return dict(forms=forms, answer=HTML(answer), **kwargs)
コード例 #6
ファイル: revoke.py プロジェクト: pontiflex/trustme
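def revoke_page(request, action_class, **kwargs):
	"""Handle the revocation page: apply one posted revocation, then list the rest.

	access.revocable(action_class) yields either False (the caller may not
	revoke this class at all -> HTTPForbidden) or a mapping from action to
	the capabilities usable on it. When the POST carries the serial field,
	the matching action is looked up: unknown serial -> HTTPNotFound; action
	not in the caller's revocable set -> HTTPForbidden. The revocation is
	then performed with the capabilities recorded for that action.

	Returns a dict with the rendered forms, the answer text and **kwargs.

	NOTE(review): no anti-CSRF token check is visible in this function even
	though the POST performs a revocation -- confirm it is enforced by the
	framework or by FORM_TEMPLATE.
	"""
	access = Access(request)
	revocable = access.revocable(action_class)
	if revocable is False:
		simple = action_class.readable()
		raise HTTPForbidden("You don't have sufficient permissions to revoke %s requests" % simple)

	serial_field = 'SERIAL'

	answer = ''
	POST = request.POST
	if serial_field in POST:
		serial = POST[serial_field]
		action = DBSession.query(action_class).filter(Action.serial == serial).first()
		if action is None:
			raise HTTPNotFound('Invalid serial number')
		# Authorisation is per action: the serial must belong to an action
		# this caller is allowed to revoke, not merely exist.
		if action not in revocable:
			raise HTTPForbidden('Action not available for revocation')
		try:
			answer = access.perform_with_one(action, revocable[action])
		except HTTPException as e:
			answer = e.detail
		else:
			# Revoked successfully: do not offer this action again below.
			del revocable[action]

	forms = []
	form_params = dict(serial_field=serial_field, button='Revoke')
	for action, caps in revocable.iteritems():
		render_template, render_params = action.render('approved')
		form_params['info'] = HTML(render(render_template, render_params, request))
		form_params['serial'] = action.serial
		form_params['credentials'] = offer_creds(request, caps)
		forms.append(HTML(render(FORM_TEMPLATE, form_params, request)))
	if not forms:
		forms.append('No requests are available for revocation')

	# NOTE(review): `answer` can be an exception's detail text and is wrapped
	# in HTML() here; if HTML() marks text as safe markup, confirm detail
	# strings never carry request-controlled data.
	return dict(forms=forms, answer=HTML(answer), **kwargs)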
コード例 #7
ファイル: constraint.py プロジェクト: pontiflex/trustme
	def query(self, access_info, action_class=None):
		"""Build a query for the actions that satisfy this constraint.

		action_class is first resolved through self._action_class(); the
		query over the resolved class is then filtered by the expression
		self.condition(access_info, <resolved class>) returns.
		"""
		resolved = self._action_class(action_class)
		base = DBSession.query(resolved)
		return base.filter(self.condition(access_info, resolved))
コード例 #8
ファイル: access.py プロジェクト: pontiflex/trustme
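	def own_processes(self, action):
		"""Delegate to __acceptable for the EXIT[0] access type.

		Two callables are handed over as a pair. The first returns True for
		any argument when `action` is an Action instance, and otherwise
		returns DBSession.query(a). The second returns self.processed(a, None).
		How __acceptable combines them is not visible here.
		"""
		# Plain `lambda a:` parameters; the parenthesised `lambda(a):` form
		# means the same on Python 2 and is a syntax error on Python 3.
		if isinstance(action, Action):
			base = lambda a: True
		else:
			base = lambda a: DBSession.query(a)
		filtered = (base, lambda a: self.processed(a, None))
		return self.__acceptable(action, (EXIT[0],), filtered)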
コード例 #9
ファイル: access.py プロジェクト: pontiflex/trustme
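	def own_filters(self, action):
		"""Delegate to __acceptable for the FILTER[0] access type.

		Two callables are handed over as a pair. The first returns True for
		any argument when `action` is an Action instance, and otherwise
		returns DBSession.query(a). The second returns self.filtered(a, None).
		How __acceptable combines them is not visible here.
		"""
		# Plain `lambda a:` parameters; the parenthesised `lambda(a):` form
		# means the same on Python 2 and is a syntax error on Python 3.
		if isinstance(action, Action):
			base = lambda a: True
		else:
			base = lambda a: DBSession.query(a)
		requested = (base, lambda a: self.filtered(a, None))
		return self.__acceptable(action, (FILTER[0],), requested)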
コード例 #10
ファイル: user.py プロジェクト: pontiflex/trustme
	def get(cls, userid):
		"""Look up the user whose login equals `userid`.

		Returns the first matching row, or None when there is no match or
		when `userid` is empty/falsy (no query is issued in that case).
		"""
		if not userid:
			return None
		matches = DBSession.query(cls).filter(cls.login==userid)
		return matches.first()
コード例 #11
ファイル: user.py プロジェクト: pontiflex/trustme
	def is_admin(self):
		"""Tell whether this object is the User row with primary key 1.

		The admin account is identified purely by that hard-coded key.

		NOTE(review): the comparison is by object identity, so it presumably
		relies on DBSession handing back the same instance for the same row;
		an equal user loaded through another session would compare False --
		confirm callers always use DBSession-loaded users.
		"""
		root = DBSession.query(User).get(1)
		return root is self
コード例 #12
ファイル: admin.py プロジェクト: pontiflex/trustme
def _needs_admin(info, request):
    """Custom predicate: true while no User rows exist at all.

    Neither `info` nor `request` is consulted; only the user count decides.

    NOTE(review): whatever view this predicate guards is presumably open to
    any client until the first user is created -- confirm the initial admin
    is provisioned before the service is exposed.
    """
    user_total = DBSession.query(User).count()
    return user_total == 0
コード例 #13
ファイル: credentials.py プロジェクト: pontiflex/trustme
def validate_username(username, allow_existing=False):
	"""Validate a username and return an error message ('' when acceptable).

	A name shorter than 3 characters is rejected first. Unless
	allow_existing is set, a name that already matches a User.login is
	rejected as taken; with allow_existing the lookup is skipped entirely.

	NOTE(review): the "already taken" check and the later insert are
	separate steps, so two concurrent sign-ups could both pass it --
	confirm the login column also carries a unique constraint.
	"""
	if len(username) < 3:
		return 'Username must be at least 3 characters long'
	if allow_existing:
		return ''
	taken = DBSession.query(User).filter(User.login == username).count()
	if taken > 0:
		return 'Username already taken'
	return ''