def check_access(self, permission, actor, obj):
    """
    Enforce that an actor holds one permission on an object.

    ``obj`` and ``actor`` are unwrapped with
    ``EncapsulatedObject.get_source_object`` and the decision is delegated
    to ``has_access`` with its default ``db_only`` value.

    Returns True when access is granted. This method never returns False:
    a denial is always signalled by raising PermissionDenied.
    """
    # TODO: Merge with has_access
    source_obj = EncapsulatedObject.get_source_object(obj)
    source_actor = EncapsulatedObject.get_source_object(actor)

    if not self.has_access(permission, source_actor, source_obj):
        raise PermissionDenied(ugettext(u'Insufficient access.'))
    return True
def check_accesses(self, permission_list, actor, obj):
    """
    Enforce that an actor holds at least one of a list of permissions for
    an object.

    Permissions are tried in the order given and evaluation stops at the
    first one ``has_access`` accepts, in which case True is returned.
    PermissionDenied is raised when none is accepted, which includes an
    empty ``permission_list``.
    """
    source_obj = EncapsulatedObject.get_source_object(obj)
    source_actor = EncapsulatedObject.get_source_object(actor)

    granted = any(
        self.has_access(candidate, source_actor, source_obj)
        for candidate in permission_list
    )
    if granted:
        return True

    raise PermissionDenied(ugettext(u'Insufficient access.'))
def grant(self, permission, actor, obj):
    """
    Grant a permission (what), (to) an actor, (on) a specific object.

    The entry is stored with ``get_or_create``, so a matching entry that
    already exists is reused. Returns True when a new entry was created
    and False when it already existed.

    No authorization check is performed here on whoever requests the
    grant; callers are responsible for that.
    """
    target = EncapsulatedObject.get_source_object(obj)
    holder = EncapsulatedObject.get_source_object(actor)

    # NOTE(review): ``permission`` is stored as passed, whereas has_access
    # looks entries up with ``permission.get_stored_permission()`` --
    # presumably callers pass the stored permission here; confirm.
    entry_fields = {
        'permission': permission,
        'holder_type': ContentType.objects.get_for_model(holder),
        'holder_id': holder.pk,
        'content_type': ContentType.objects.get_for_model(target),
        'object_id': target.pk,
    }
    _entry, created = self.model.objects.get_or_create(**entry_fields)
    return created
def grant(self, permission, actor, obj):
    """
    Grant a permission (what), (to) an actor, (on) a specific object.

    The entry is stored with ``get_or_create``, so a matching entry that
    already exists is reused. Returns True when a new entry was created
    and False when it already existed.

    No authorization check is performed here on whoever requests the
    grant; callers are responsible for that.
    """
    target = EncapsulatedObject.get_source_object(obj)
    holder = EncapsulatedObject.get_source_object(actor)

    # NOTE(review): ``permission`` is stored as passed, whereas has_access
    # looks entries up with ``permission.get_stored_permission()`` --
    # presumably callers pass the stored permission here; confirm.
    entry_fields = {
        'permission': permission,
        'holder_type': ContentType.objects.get_for_model(holder),
        'holder_id': holder.pk,
        'content_type': ContentType.objects.get_for_model(target),
        'object_id': target.pk,
    }
    _entry, created = self.model.objects.get_or_create(**entry_fields)
    return created
def has_access(self, permission, actor, obj, db_only=False):
    """
    Returns whether an actor has a specific permission for an object.

    Decision order, as implemented:

    1. When ``db_only`` is False and the actor is a ``User`` flagged
       ``is_superuser`` or ``is_staff``, access is granted without
       consulting stored entries.
    2. The actor is passed through
       ``AnonymousUserSingleton.objects.passthru_check``.
    3. If resolving the content type of ``obj`` raises AttributeError,
       access is granted.
    4. A stored entry matching ``permission.get_stored_permission()``,
       the actor and the object grants access.
    5. Otherwise the same check is repeated for each of the actor's roles
       and, for a ``User``, each of its groups; the first match grants
       access.
    6. Otherwise False is returned.
    """
    obj = EncapsulatedObject.get_source_object(obj)
    actor = EncapsulatedObject.get_source_object(actor)

    # db_only causes the return of only the stored permissions and not
    # the perceived permissions for an actor. The comparison stays
    # ``== False`` so that only False (or a value equal to it) enables the
    # shortcut; None does not.
    # NOTE(review): is_staff is treated like is_superuser here, so any
    # staff account passes every object-level check -- confirm intended.
    bypass_applies = isinstance(actor, User) and db_only == False
    if bypass_applies and (actor.is_superuser or actor.is_staff):
        return True

    actor = AnonymousUserSingleton.objects.passthru_check(actor)

    try:
        target_type = ContentType.objects.get_for_model(obj)
    except AttributeError:
        # Object doesn't have a content type, therefore allow access.
        # NOTE(review): this branch fails open -- any AttributeError
        # raised by the lookup above results in access being granted.
        return True

    try:
        self.model.objects.get(
            permission=permission.get_stored_permission(),
            holder_type=ContentType.objects.get_for_model(actor),
            holder_id=actor.pk,
            content_type=target_type,
            object_id=obj.pk,
        )
    except self.model.DoesNotExist:
        # No direct entry for the actor: check whether one of the actor's
        # memberships (roles, plus groups for a User) holds the access.
        # NOTE(review): each membership is checked recursively, so its own
        # roles are followed too; get_roles_for_member is not visible
        # here -- confirm role nesting cannot form a cycle.
        roles = RoleMember.objects.get_roles_for_member(actor)
        groups = actor.groups.all() if isinstance(actor, User) else []
        memberships = set(roles) | set(groups)

        if any(
            self.has_access(permission, membership, obj, db_only)
            for membership in memberships
        ):
            return True

        logger.debug('Fallthru')
        return False

    return True
def has_access(self, permission, actor, obj, db_only=False):
    """
    Returns whether an actor has a specific permission for an object.

    Decision order, as implemented:

    1. When ``db_only`` is False and the actor is a ``User`` flagged
       ``is_superuser`` or ``is_staff``, access is granted without
       consulting stored entries.
    2. The actor is passed through
       ``AnonymousUserSingleton.objects.passthru_check``.
    3. If resolving the content type of ``obj`` raises AttributeError,
       access is granted.
    4. A stored entry matching ``permission.get_stored_permission()``,
       the actor and the object grants access.
    5. Otherwise the same check is repeated for each of the actor's roles
       and, for a ``User``, each of its groups; the first match grants
       access.
    6. Otherwise False is returned.
    """
    obj = EncapsulatedObject.get_source_object(obj)
    actor = EncapsulatedObject.get_source_object(actor)

    # db_only causes the return of only the stored permissions and not
    # the perceived permissions for an actor. The comparison stays
    # ``== False`` so that only False (or a value equal to it) enables the
    # shortcut; None does not.
    # NOTE(review): is_staff is treated like is_superuser here, so any
    # staff account passes every object-level check -- confirm intended.
    bypass_applies = isinstance(actor, User) and db_only == False
    if bypass_applies and (actor.is_superuser or actor.is_staff):
        return True

    actor = AnonymousUserSingleton.objects.passthru_check(actor)

    try:
        target_type = ContentType.objects.get_for_model(obj)
    except AttributeError:
        # Object doesn't have a content type, therefore allow access.
        # NOTE(review): this branch fails open -- any AttributeError
        # raised by the lookup above results in access being granted.
        return True

    try:
        self.model.objects.get(
            permission=permission.get_stored_permission(),
            holder_type=ContentType.objects.get_for_model(actor),
            holder_id=actor.pk,
            content_type=target_type,
            object_id=obj.pk,
        )
    except self.model.DoesNotExist:
        # No direct entry for the actor: check whether one of the actor's
        # memberships (roles, plus groups for a User) holds the access.
        # NOTE(review): each membership is checked recursively, so its own
        # roles are followed too; get_roles_for_member is not visible
        # here -- confirm role nesting cannot form a cycle.
        roles = RoleMember.objects.get_roles_for_member(actor)
        groups = actor.groups.all() if isinstance(actor, User) else []
        memberships = set(roles) | set(groups)

        if any(
            self.has_access(permission, membership, obj, db_only)
            for membership in memberships
        ):
            return True

        logger.debug('Fallthru')
        return False

    return True
def revoke(self, permission, actor, obj):
    """
    Revoke a permission (what), (from) an actor, (on) a specific object.

    Returns True when a matching access entry was found and deleted, and
    False when no such entry exists. Only the entry held directly by
    ``actor`` is looked up; entries held by other holders are untouched.

    No authorization check is performed here on whoever requests the
    revocation; callers are responsible for that.
    """
    target = EncapsulatedObject.get_source_object(obj)
    holder = EncapsulatedObject.get_source_object(actor)

    try:
        stored_entry = self.model.objects.get(
            permission=permission,
            holder_type=ContentType.objects.get_for_model(holder),
            holder_id=holder.pk,
            content_type=ContentType.objects.get_for_model(target),
            object_id=target.pk,
        )
    except self.model.DoesNotExist:
        # Nothing stored for this holder, so there is nothing to revoke.
        return False

    stored_entry.delete()
    return True
def revoke(self, permission, actor, obj):
    """
    Revoke a permission (what), (from) an actor, (on) a specific object.

    Returns True when a matching access entry was found and deleted, and
    False when no such entry exists. Only the entry held directly by
    ``actor`` is looked up; entries held by other holders are untouched.

    No authorization check is performed here on whoever requests the
    revocation; callers are responsible for that.
    """
    target = EncapsulatedObject.get_source_object(obj)
    holder = EncapsulatedObject.get_source_object(actor)

    try:
        stored_entry = self.model.objects.get(
            permission=permission,
            holder_type=ContentType.objects.get_for_model(holder),
            holder_id=holder.pk,
            content_type=ContentType.objects.get_for_model(target),
            object_id=target.pk,
        )
    except self.model.DoesNotExist:
        # Nothing stored for this holder, so there is nothing to revoke.
        return False

    stored_entry.delete()
    return True
def get_holders_for(self, cls):
    """
    List the distinct holders of access entries for the content type of
    ``cls``.

    Entries are selected by content type only. Each holder is wrapped with
    ``ClassAccessHolder.encapsulate`` and appears once in the result, in
    first-seen order. Entries whose ``holder_object`` is falsy are
    skipped.
    """
    cls = EncapsulatedObject.get_source_object(cls)
    content_type = ContentType.objects.get_for_model(cls)
    matching_entries = self.model.objects.filter(content_type=content_type)

    holders = []
    for access_entry in matching_entries:
        if not access_entry.holder_object:
            # Don't add references to non-existent content type objects
            continue

        wrapped = ClassAccessHolder.encapsulate(access_entry.holder_object)
        # Membership test instead of a set: de-duplication relies on
        # equality of the wrapped holders.
        if wrapped in holders:
            continue
        holders.append(wrapped)

    return holders
def get_holders_for(self, cls):
    """
    List the distinct holders of access entries for the content type of
    ``cls``.

    Entries are selected by content type only. Each holder is wrapped with
    ``ClassAccessHolder.encapsulate`` and appears once in the result, in
    first-seen order. Entries whose ``holder_object`` is falsy are
    skipped.
    """
    cls = EncapsulatedObject.get_source_object(cls)
    content_type = ContentType.objects.get_for_model(cls)
    matching_entries = self.model.objects.filter(content_type=content_type)

    holders = []
    for access_entry in matching_entries:
        if not access_entry.holder_object:
            # Don't add references to non-existent content type objects
            continue

        wrapped = ClassAccessHolder.encapsulate(access_entry.holder_object)
        # Membership test instead of a set: de-duplication relies on
        # equality of the wrapped holders.
        if wrapped in holders:
            continue
        holders.append(wrapped)

    return holders
def apply_default_acls(obj, actor=None):
    """
    Create access entries on ``obj`` from the default entries of its
    content type.

    For every ``DefaultAccessEntry`` of the object's content type, the
    default holder is resolved with
    ``CreatorSingleton.objects.passthru_check(holder, actor)`` and, when
    the result is truthy, an ``AccessEntry`` with the default's permission
    is saved for that holder on ``obj``.

    A truthy ``actor`` is first passed through
    ``AnonymousUserSingleton.objects.passthru_check``; a falsy one is
    handed to the creator check unchanged.
    """
    logger.debug('actor, init: %s' % actor)
    obj = EncapsulatedObject.get_source_object(obj)

    if actor:
        actor = AnonymousUserSingleton.objects.passthru_check(actor)

    content_type = ContentType.objects.get_for_model(obj)
    defaults = DefaultAccessEntry.objects.filter(content_type=content_type)

    for default_acl in defaults:
        holder = CreatorSingleton.objects.passthru_check(
            default_acl.holder_object, actor
        )
        if not holder:
            # No holder resolved; the original comment ties this case to
            # the creator being an admin. Nothing is stored for it.
            continue

        AccessEntry(
            permission=default_acl.permission,
            holder_object=holder,
            content_object=obj,
        ).save()
def apply_default_acls(obj, actor=None):
    """
    Create access entries on ``obj`` from the default entries of its
    content type.

    For every ``DefaultAccessEntry`` of the object's content type, the
    default holder is resolved with
    ``CreatorSingleton.objects.passthru_check(holder, actor)`` and, when
    the result is truthy, an ``AccessEntry`` with the default's permission
    is saved for that holder on ``obj``.

    A truthy ``actor`` is first passed through
    ``AnonymousUserSingleton.objects.passthru_check``; a falsy one is
    handed to the creator check unchanged.
    """
    logger.debug('actor, init: %s' % actor)
    obj = EncapsulatedObject.get_source_object(obj)

    if actor:
        actor = AnonymousUserSingleton.objects.passthru_check(actor)

    content_type = ContentType.objects.get_for_model(obj)
    defaults = DefaultAccessEntry.objects.filter(content_type=content_type)

    for default_acl in defaults:
        holder = CreatorSingleton.objects.passthru_check(
            default_acl.holder_object, actor
        )
        if not holder:
            # No holder resolved; the original comment ties this case to
            # the creator being an admin. Nothing is stored for it.
            continue

        AccessEntry(
            permission=default_acl.permission,
            holder_object=holder,
            content_object=obj,
        ).save()