def requested(cls, action):
    """Find actions that have an AccessRecord with no capability attached.

    When *action* is an ``Action`` instance, return a bool: whether that
    instance appears in the result set computed for its own class.
    Otherwise *action* is passed straight to ``DBSession.query`` (so it is
    expected to be a mapped action class) and a distinct query is returned.
    """
    if not isinstance(action, Action):
        joined = DBSession.query(action).join(AccessRecord)
        # `== None` is intentional: SQLAlchemy renders it as IS NULL, whereas
        # a Python `is None` would be evaluated immediately and break the filter.
        unbound = joined.filter(AccessRecord.capability == None)  # noqa: E711
        return unbound.distinct()
    # Instance form: membership test against the class-level query.
    return action in cls.requested(action.__class__)
def __check(action_class, serial):
    """Render the current status of the action identified by *serial*.

    Looks up the first *action_class* row whose ``Action.serial`` matches and
    renders it under one of four state names, tested in this order:
    "approved", "denied", "pending", and finally "rejected" as the fallback.
    An unknown serial yields an ``HTTPNotFound`` object, which is *returned*,
    not raised.
    """
    # NOTE(review): no caller identity is consulted in this function; the
    # serial is the only lookup key. Confirm that callers authorise the
    # request (or that serials are unguessable) before exposing the result.
    req = DBSession.query(action_class).filter(Action.serial == serial).first()
    if req is None:
        return HTTPNotFound("Invalid serial number")

    # The order matters: each predicate is only evaluated when the previous
    # ones were falsy.
    if Access.processed(req, True):
        state = "approved"
    elif Access.processed(req, False):
        state = "denied"
    elif Access.filtered(req):
        state = "pending"
    else:
        state = "rejected"
    return req.render(state, True)
def usable(cls, t=None, user=None, action_class=None, access_types=None):
    """Return the capabilities that may be exercised at time *t*.

    Args:
        t: Reference timestamp. Defaults to ``time() // 1`` (the current
            time floored to a whole number) when None.
        user: If not None, restrict to capabilities of this user.
        action_class: If not None, restrict to this action class.
        access_types: If not None, restrict to these access types.

    Returns:
        A list of rows that are not revoked, whose start/end window (each
        bound optional) contains *t*, and for which ``cap.valid()`` is truthy.
    """
    if t is None:
        t = time() // 1

    candidates = DBSession.query(cls)
    if user is not None:
        candidates = candidates.filter(Capability.user == user)
    if action_class is not None:
        candidates = candidates.filter(Capability.action_class == action_class)
    if access_types is not None:
        candidates = candidates.filter(Capability.access_type.in_(access_types))

    # The `== None` comparisons below are deliberate: SQLAlchemy turns them
    # into IS NULL. A NULL start or end time leaves that side of the window open.
    candidates = candidates.filter(Capability.revoked == None)  # noqa: E711
    candidates = candidates.filter(
        or_(Capability.start_time == None, Capability.start_time <= t))  # noqa: E711
    candidates = candidates.filter(
        or_(Capability.end_time == None, Capability.end_time >= t))  # noqa: E711

    # The SQL filters alone are not the final word: every row must also pass
    # its own valid() check, which runs in Python after the fetch.
    # NOTE(review): what valid() verifies is not visible here; confirm.
    accepted = []
    for cap in candidates:
        if cap.valid():
            accepted.append(cap)
    return accepted
def processed(cls, action, success=True):
    """Report which actions have reached an EXIT decision.

    Instance form (*action* is an ``Action``): returns a bool.
      * ``success=None``  -> the action has any allowed EXIT record.
      * otherwise         -> the action has an allowed EXIT record and
        ``success != (action has an allowed EXIT[1] record)``.

    Class form (anything else, passed to ``DBSession.query``): returns a
    distinct query of actions joined through AccessRecord and Capability,
    limited to records with ``AccessRecord.allowed`` true.
      * ``success=None``  -> capability access type is any value in EXIT.
      * truthy success    -> has an EXIT[0] record, minus every action that
        also has an EXIT[1] record (so EXIT[1] takes precedence).
      * falsy success     -> has an EXIT[1] record.

    review_page labels EXIT[0] "Allow" and EXIT[1] "Deny".
    """
    if isinstance(action, Action):
        kind = action.__class__
        if action not in cls.processed(kind, success=None):
            return False
        if success is None:
            return True
        # True when the requested outcome and the presence of an EXIT[1]
        # record disagree, i.e. approved-and-not-denied or denied-as-asked.
        return success != (action in cls.processed(kind, success=False))

    # `== True` is the SQLAlchemy column comparison, not a Python truth test.
    decided = (
        DBSession.query(action)
        .join(AccessRecord)
        .join(Capability)
        .filter(AccessRecord.allowed == True)  # noqa: E712
    )
    if success is None:
        return decided.filter(Capability.access_type.in_(EXIT)).distinct()

    denied = decided.filter(Capability.access_type == EXIT[1])
    if not success:
        return denied.distinct()
    approved = decided.filter(Capability.access_type == EXIT[0])
    # A single allowed EXIT[1] record removes the action from the approved set.
    return approved.except_(denied).distinct()
def review_page(request, action_class, **kwargs):
    """Show the requests the caller may review and process a submitted decision.

    ``access.allowable(action_class)`` returns False when the caller has no
    review permission (-> HTTPForbidden); otherwise it is used as a mapping
    from action to the capabilities that may be applied to it.

    A POST carrying the serial field and at least one EXIT key is treated as
    a decision: the action must exist and be a key of that mapping, exactly
    one EXIT key must be present, and only capabilities whose access type
    matches the chosen key are handed to ``access.perform_with_one``.

    Returns:
        dict with ``forms`` (one rendered form per remaining action, or a
        placeholder string), ``answer`` and any extra ``kwargs``.

    Raises:
        HTTPForbidden, HTTPNotFound, or ValueError when both EXIT keys are
        posted together.
    """
    # NOTE(review): this view changes state on POST but no CSRF token check
    # is visible in this function; confirm it is enforced elsewhere.
    access = Access(request)
    allowable = access.allowable(action_class)
    if allowable is False:
        simple = action_class.readable()
        raise HTTPForbidden("You don't have sufficient permissions to review %s requests" % simple)

    serial_field = 'SERIAL'
    answer = ''
    POST = request.POST
    approve_key, deny_key = EXIT[0], EXIT[1]
    has_decision = approve_key in POST or deny_key in POST
    if serial_field in POST and has_decision:
        serial = POST[serial_field]
        action = DBSession.query(action_class).filter(Action.serial == serial).first()
        if action is None:
            raise HTTPNotFound('Invalid serial number')
        # Authorisation gate: the posted serial must name an action this
        # caller is actually allowed to decide on.
        if action not in allowable:
            raise HTTPForbidden('Action not available for processing')
        if approve_key in POST and deny_key in POST:
            raise ValueError('Both "%s" and "%s" specified in form' % EXIT)

        if deny_key in POST:
            choice = deny_key
        else:
            choice = approve_key
        # NOTE(review): this list is empty when the caller holds no capability
        # of the chosen type for this action; what perform_with_one does with
        # an empty list is not visible here - confirm it refuses.
        matching = [c for c in allowable[action] if c.access_type == choice]
        try:
            answer = access.perform_with_one(action, matching)
        except HTTPException as e:
            answer = e.detail
        else:
            # Decided successfully: do not offer the action again below.
            del allowable[action]

    forms = []
    form_params = dict(serial_field=serial_field)
    button_options = {approve_key: 'Allow', deny_key: 'Deny'}
    for action, caps in allowable.iteritems():
        render_template, render_params = action.render('pending')
        form_params['info'] = HTML(render(render_template, render_params, request))
        form_params['serial'] = action.serial
        form_params['credentials'] = offer_creds(request, caps)
        # Offer only the buttons the caller's capabilities cover.
        choices = set(c.access_type for c in caps)
        form_params['buttons'] = ((c, button_options[c]) for c in choices)
        forms.append(HTML(render(FORM_TEMPLATE, form_params, request)))
    if not forms:
        forms.append('No requests are available for processing')

    # NOTE(review): HTML(...) presumably marks its argument as safe markup, so
    # both the perform_with_one result and e.detail reach the page unescaped;
    # verify neither can carry request-supplied text.
    return dict(forms=forms, answer=HTML(answer), **kwargs)
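def revoke_page(request, action_class, **kwargs):
    """Show the approved requests the caller may revoke and process a revocation.

    ``access.revocable(action_class)`` returns False when the caller has no
    revoke permission (-> HTTPForbidden); otherwise it is used as a mapping
    from action to the capabilities that may be applied to it.

    A POST carrying the serial field is treated as a revocation: the action
    must exist and be a key of that mapping, and its capabilities are handed
    to ``access.perform_with_one``.

    Returns:
        dict with ``forms`` (one rendered form per remaining action, or a
        placeholder string), ``answer`` and any extra ``kwargs``.

    Raises:
        HTTPForbidden or HTTPNotFound.
    """
    # NOTE(review): this view changes state on POST but no CSRF token check
    # is visible in this function; confirm it is enforced elsewhere.
    access = Access(request)
    revocable = access.revocable(action_class)
    if revocable is False:
        simple = action_class.readable()
        raise HTTPForbidden("You don't have sufficient permissions to revoke %s requests" % simple)

    serial_field = 'SERIAL'
    answer = ''
    POST = request.POST
    if serial_field in POST:
        serial = POST[serial_field]
        action = DBSession.query(action_class).filter(Action.serial == serial).first()
        if action is None:
            raise HTTPNotFound('Invalid serial number')
        # Authorisation gate: the posted serial must name an action this
        # caller is actually allowed to revoke.
        if action not in revocable:
            raise HTTPForbidden('Action not available for revocation')
        try:
            answer = access.perform_with_one(action, revocable[action])
        except HTTPException as e:
            answer = e.detail
        else:
            # Revoked successfully: do not offer the action again below.
            del revocable[action]

    forms = []
    # The unused Allow/Deny label table was dropped: this page renders a
    # single fixed 'Revoke' button.
    form_params = dict(serial_field=serial_field, button='Revoke')
    for action, caps in revocable.iteritems():
        render_template, render_params = action.render('approved')
        form_params['info'] = HTML(render(render_template, render_params, request))
        form_params['serial'] = action.serial
        form_params['credentials'] = offer_creds(request, caps)
        forms.append(HTML(render(FORM_TEMPLATE, form_params, request)))
    if not forms:
        forms.append('No requests are available for revocation')

    # NOTE(review): HTML(...) presumably marks its argument as safe markup, so
    # both the perform_with_one result and e.detail reach the page unescaped;
    # verify neither can carry request-supplied text.
    return dict(forms=forms, answer=HTML(answer), **kwargs)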
def query(self, access_info, action_class=None):
    """Build a query for the actions matching this object's condition.

    *action_class* is first resolved through ``self._action_class`` (which
    also handles the None default), then the query over that class is
    filtered by ``self.condition(access_info, <resolved class>)``.
    """
    resolved = self._action_class(action_class)
    base = DBSession.query(resolved)
    return base.filter(self.condition(access_info, resolved))
def own_processes(self, action):
    """Delegate to ``self.__acceptable`` for the EXIT[0] access type.

    Passes *action*, the one-element tuple ``(EXIT[0],)`` and a pair of
    callables: a base selector and ``self.processed(a, None)``.
    """
    # Base selector: a constant True for a single Action instance, otherwise
    # an unfiltered query over the given class.
    if isinstance(action, Action):
        base = lambda a: True
    else:
        base = lambda a: DBSession.query(a)
    # NOTE(review): how __acceptable combines the two callables is not
    # visible here; confirm against its definition.
    selectors = (base, lambda a: self.processed(a, None))
    return self.__acceptable(action, (EXIT[0],), selectors)
def own_filters(self, action):
    """Delegate to ``self.__acceptable`` for the FILTER[0] access type.

    Passes *action*, the one-element tuple ``(FILTER[0],)`` and a pair of
    callables: a base selector and ``self.filtered(a, None)``.
    """
    # Base selector: a constant True for a single Action instance, otherwise
    # an unfiltered query over the given class.
    if isinstance(action, Action):
        base = lambda a: True
    else:
        base = lambda a: DBSession.query(a)
    # NOTE(review): how __acceptable combines the two callables is not
    # visible here; confirm against its definition.
    selectors = (base, lambda a: self.filtered(a, None))
    return self.__acceptable(action, (FILTER[0],), selectors)
def get(cls, userid):
    """Return the first *cls* row whose login equals *userid*, else None.

    A falsy *userid* (None, empty string) short-circuits to None without
    touching the database.
    """
    if not userid:
        return None
    return DBSession.query(cls).filter(cls.login == userid).first()
def is_admin(self):
    """Check if this user is the ROOT admin account.

    The ROOT account is the User row with primary key 1; the result is an
    identity comparison (``is``) between that row and ``self``.
    """
    # NOTE(review): identity only matches when self was loaded through the
    # same session as this lookup - presumably always true here. An object
    # from elsewhere compares unequal, so the check fails closed.
    root = DBSession.query(User).get(1)
    return root is self
def _needs_admin(info, request):
    """Custom predicate which checks if an admin needs to be created.

    True exactly when the User table holds no rows. Neither *info* nor
    *request* is consulted.
    """
    # NOTE(review): this predicate only gates routing. The view that creates
    # the first admin should repeat the "no users yet" check inside its own
    # transaction, otherwise concurrent first requests could each pass here -
    # verify in that view.
    existing_users = DBSession.query(User).count()
    return existing_users == 0
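def validate_username(username, allow_existing=False):
    """Return an error message for an unacceptable username, or '' if it passes.

    Args:
        username: Candidate login name. None is treated as too short.
        allow_existing: When true, skip the "already taken" lookup (for
            callers validating a name that is expected to exist).

    Returns:
        A human-readable error string, or the empty string on success.
    """
    # A missing form field can arrive as None; report it as too short rather
    # than letting len() raise TypeError.
    if username is None or len(username) < 3:
        return 'Username must be at least 3 characters long'
    if allow_existing:
        return ''
    # NOTE(review): this lookup is advisory - two concurrent registrations can
    # both pass it. Uniqueness should ultimately be enforced by a constraint
    # on User.login; confirm the schema has one.
    if DBSession.query(User).filter(User.login == username).count() > 0:
        return 'Username already taken'
    return ''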