def on_identity_loaded(sender, identity): if identity.id is not None: from zou.app.services import persons_service try: identity.user = persons_service.get_person(identity.id) if hasattr(identity.user, "id"): identity.provides.add(UserNeed(identity.user["id"])) if identity.user is None: raise PersonNotFoundException if identity.user["role"] == "admin": identity.provides.add(RoleNeed("admin")) identity.provides.add(RoleNeed("manager")) if identity.user["role"] == "manager": identity.provides.add(RoleNeed("manager")) if identity.user["role"] == "client": identity.provides.add(RoleNeed("client")) if not identity.user["active"]: current_app.logger.error("Current user is not active anymore") logout() return wrong_auth_handler(identity.user) return identity except PersonNotFoundException: return wrong_auth_handler() except TimeoutError: current_app.logger.error("Identity loading timed out") return wrong_auth_handler() except Exception as exception: current_app.logger.error(exception, exc_info=1) if hasattr(exception, "message"): current_app.logger.error(exception.message) return wrong_auth_handler()
def on_identity_loaded(sender, identity): """ 视图层模块的权限控制 :param sender: :param identity: :return: """ # Set the identity user object identity.user = current_user if not (hasattr(current_user, 'id') and hasattr(current_user, 'role_id')): return # Add the UserNeed to the identity identity.provides.add(UserNeed(current_user.id)) # 角色 - 系统 if current_user.role_id == TYPE_ROLE_SYSTEM: identity_role_administrator.setup(identity) # 角色 - 销售 if current_user.role_id == TYPE_ROLE_SALES: identity_role_sales.setup(identity) # 角色 - 采购 if current_user.role_id == TYPE_ROLE_PURCHASER: identity_role_purchaser.setup(identity) # 角色 - 经理 if current_user.role_id == TYPE_ROLE_MANAGER: identity_role_manager.setup(identity) # 角色 - 库管 if current_user.role_id == TYPE_ROLE_STOREKEEPER: identity_role_stock_keeper.setup(identity) # 角色 - 财务 if current_user.role_id == TYPE_ROLE_ACCOUNTANT: identity_role_accountant.setup(identity)
def on_identity_loaded(sender, identity): # 设置当前用户身份为login登录对象 identity.user = current_user # 添加UserNeed到identity user对象 if hasattr(current_user, 'id'): identity.provides.add(UserNeed(current_user.id)) # 将Role添加到identity user对象 if hasattr(current_user, 'role'): identity.provides.add(RoleNeed(current_user.role)) if hasattr(current_user, 'is_su_user') and current_user.is_su_user: identity.provides.add(RoleNeed('su')) # 把身份添加到权限里面 identity.allow_su = su_permission.allows(identity) identity.allow_admin = admin_permission.allows(identity) identity.allow_edit = editor_permission.allows(identity) identity.allow_write = writer_permission.allows(identity) identity.allow_read = reader_permission.allows(identity)
def on_identity_loaded(sender, identity): # Set the identity user object identity.user = current_user #user has the permission of edit himself identity.provides.add(EditUserPermission(current_user.id)) # Add the UserNeed to the identity if hasattr(current_user, 'id'): identity.provides.add(UserNeed(current_user.id)) for role in current_user.roles: identity.provides.add(RoleNeed(role.roleName)) # Assuming the User model has a list of nodes, update the # identity with the nodes that the user provides if hasattr(current_user,"roles"): for role in current_user.roles: for node in role.nodes: if (node.status==1) and (current_user.status==1) and (role.status==1): identity.provides.add(ActionNeed(node.nodeName))
def edit_post(id): # if not g.current_user: # return redirect(url_for('main.login')) post = Post.query.get_or_404(id) permission = Permission(UserNeed(post.user.id)) # 同时希望管理员可以修改任何文章 if permission.can() or admin_permission.can(): form = PostForm() if form.validate_on_submit(): title = form.title.data text = form.text.data post.change(title, text) return redirect(url_for('.post', post_id=post.id)) form.text.data = post.text return render_template('blog/edit.html', form=form, post=post) abort(403)
def edit_post(post_id): post = Post.query.get_or_404(post_id) permission = Permission(UserNeed(post.user_id)) # 除了文章作者,我们希望管理员也可以修改任何文章 if permission.can() or admin_permission.can(): form = PostForm() if form.validate_on_submit(): post.title = form.title.data post.text = form.text.data post.publish_date = datetime.datetime.utcnow() db.session.add(post) db.session.commit() flash('The post has been updated.', category='success') return redirect(url_for('.post', post_id=post.id)) form.text.data = post.text return render_template('edit_post.html', form=form, post=post) # 如果没有权限,直接返回403错误 abort(403)
def on_identity_loaded(sender, identity): if identity.id is not None: from zou.app.services import persons_service try: identity.user = persons_service.get_person(identity.id) if hasattr(identity.user, "id"): identity.provides.add(UserNeed(identity.user["id"])) if identity.user["role"] == "admin": identity.provides.add(RoleNeed("admin")) identity.provides.add(RoleNeed("manager")) if identity.user["role"] == "manager": identity.provides.add(RoleNeed("manager")) return identity except PersonNotFoundException: return None except Exception as exception: current_app.logger.error(exception.message) return None
def install_default_user_permissions(identity): ''' Add permisisons that the current user should be able to perform regardless of whatever other roles they possess. ''' identity.provides.add(UserNeed(identity.user.id)) # TODO(vedant) - This should not be hardcoded. # Always allow the user to view their profile identity.provides.add(ItemNeed('view_resource', identity.user.id, 'user')) # HACK(vedant) - Fixed as part of a short term solution for T2113 # The long term solution is to define default permissions or a default user group that all new # users should be added to. identity.provides.add(ItemNeed('create_resource', None, 'dashboard')) # Continuation of Work for T2148 but now allowing RO-access to all Potion APIs identity.provides.add(ItemNeed('view_resource', None, 'user')) identity.provides.add(ItemNeed('view_resource', None, 'group')) identity.provides.add(ItemNeed('view_resource', None, 'role')) identity.provides.add(ItemNeed('view_resource', None, 'resource')) identity.provides.add(ItemNeed('view_resource', None, 'configuration'))
def on_identity_loaded(sender, identity): # Set the identity user object identity.user = current_user # Add the UserNeed to the identity if hasattr(current_user, 'username'): identity.provides.add(UserNeed(current_user.username)) # Assuming the User model has a list of roles, update the # identity with the roles that the user provides if hasattr(current_user, 'role'): # for role in current_user.roles: identity.provides.add(RoleNeed(current_user.role)) # if current_user.is_superuser: if hasattr(current_user, 'is_superuser') and current_user.is_superuser: identity.provides.add(su_need) # return current_user.role identity.allow_edit = editor_permission.allows(identity) identity.allow_admin = admin_permission.allows(identity) identity.allow_write = writer_permission.allows(identity)
def test_owner_permissions(app, db, community, authenticated_user): """Test owner system role permissions.""" login_user(authenticated_user) assert len(g.identity.provides) == 4 assert community_record_owner in g.identity.provides permissions = require_any( # Approval is granted either by user role Permission(ParameterizedActionNeed(COMMUNITY_REQUEST_APPROVAL, community[0])), require_all( # Or user id must match and record owners must be granted the action Permission(UserNeed(authenticated_user.id)), Permission(ParameterizedActionNeed(f'owner-{COMMUNITY_REQUEST_APPROVAL}', community[0])) ) ) assert not permissions().can() db.session.add( ActionSystemRoles(action=f'owner-{COMMUNITY_REQUEST_APPROVAL}', role_name=community_record_owner.value, argument=community[0])) assert permissions().can()
def update_password(): """Update current logged user password """ user = current_user form = PasswordForm(request.form) perm = Permission(UserNeed(user.id), RoleNeed('admin')) perm.test() if form.validate_on_submit(): to_check = user.password_hash if not custom_app_context.verify(form.current.data, to_check): flash("Bad password provided", "alert-danger") return render_template("user/pwd_update.html", form=form) new_hash = custom_app_context.hash(form.password.data) user.password_hash = new_hash db.session.commit() flash("Password updated", "alert-info") return redirect(url_for('dashboard.index')) return render_template("user/pwd_update.html", form=form)
def test_record_access(db): """Test access control for search.""" mock_provides([UserNeed('*****@*****.**'), RoleNeed('groupX')]) def check_record(json, allowed=True): # Create uuid id = uuid.uuid4() # Create record rec = type('obj', (object, ), {'id': id}) Record.create(json, id_=id) # Check permission factory factory = cern_read_factory(rec) assert factory.can() if allowed else not factory.can() # Check test records check_record({'foo': 'bar'}) check_record({'_access': {'read': ['*****@*****.**', 'groupA', 'groupB']}}) check_record({'_access': {'read': ['*****@*****.**', 'groupC']}}, False) check_record({'_access': {'read': ['groupX']}}) check_record({'_access': {'read': ['*****@*****.**', 'groupA', 'groupB']}}) check_record({'_access': {'read': []}})
def on_identity_loaded(sender, identity): '''基础权限''' identity.user = current_user if hasattr(current_user, 'id'): identity.provides.add(UserNeed(current_user.id)) if hasattr(current_user, 'roles'): for role in current_user.roles: identity.provides.add(RoleNeed(role.name)) if hasattr(current_user, 'is_superuser'): if current_user.is_superuser: identity.provides.add(RoleNeed('super')) if hasattr(current_user, 'topics'): for topic in current_user.topics: identity.provides.add(EditTopicNeed(topic.uid)) if hasattr(current_user, 'collects'): for collect in current_user.collects: identity.provides.add(GetCollect(collect.id)) identity.provides.add(PostCollect(collect.id))
def edit_post(id): post = Post.query.get_or_404(id) permission = Permission(UserNeed(post.user.id)) # We want admins to be able to edit any post if permission.can() or admin_permission.can(): form = PostForm() if form.validate_on_submit(): post.title = form.title.data post.text = form.text.data post.publish_date = datetime.datetime.now() db.session.add(post) db.session.commit() return redirect(url_for('.post', post_id=post.id)) form.text.data = post.text return render_template('edit.html', form=form, post=post) abort(403)
def editItem(item_id): item = Item.query.get_or_404(item_id) # Check if the logged user is the one that created the destination about to # edit. permission = Permission(UserNeed(item.user_id)) if permission.can(): # Create the form object using data from different sources. form = ItemForm(CombinedMultiDict((request.files, request.form)), obj=item) form.category.choices = getChoicesOfCategorySelect() form.image.default = item.image if request.method == 'GET': form.category.default = item.category_id # Makes effective the default selection set above. form.category.process([]) elif form.validate(): # Manages images updates. if isinstance(form.image.data, FileStorage) and form.image.data: filename = secure_filename(form.image.data.filename) removeFile(item.image) saveFile(form.image.data, filename) item.image = filename item.name = form.name.data item.category_id = form.category.data item.coutry = form.country.data item.description = form.description.data item.location = form.location.data item.image_alt = form.image_alt.data db.session.add(item) db.session.commit() flash('The destination was successfully updated.', "success") return redirect(url_for('showItem', item_id=item.id)) return render_template('editItem.html', form=form, item=item) else: abort(403)
def edit_post(id): """编辑博客""" post = Post.query.get_or_404(id) searchform = SearchForm() if not current_user: return redirect(url_for('main.login')) if current_user != post.users: return redirect(url_for('blog.post',post_id=id)) permission = Permission(UserNeed(post.users.id)) if permission.can() or admin_permission.can(): postform = PostForm() if postform.validate_on_submit(): data1 = str(postform.text).replace("required>","&") data2 = str(data1).replace("</textarea>"," ") mes = data2.find("&") data = data2[mes+1:] post.title = postform.title.data post.text = postform.text.data post.publish_date = datetime.now() db.session.add(post) db.session.commit() return redirect(url_for('blog.post',post_id=post.id)) else: return redirect(url_for('blog.home',page=1)) postform.title.data = post.title postform.text.data = post.text return render_template('edit_post.html',postform=postform,post=post,searchform=searchform)
def edit_post(id): """View function for edit_post.""" post = Post.query.get_or_404(id) form = PostForm() # Ensure the user logged in. if not current_user: return redirect(url_for('main.login')) # Only the post onwer can be edit this post. if current_user != post.users: return redirect(url_for('blog.post', post_id=id)) # 当 user 是 poster 或者 admin 时, 才能够编辑文章 # Admin can be edit the post. permission = Permission(UserNeed(post.users.id)) if permission.can() or admin_permission.can(): # if current_user != post.users: # abort(403) if form.validate_on_submit(): post.title = form.title.data post.text = form.text.data post.publish_date = datetime.now() # Update the post db.session.add(post) db.session.commit() return redirect(url_for('blog.post', post_id=post.id)) else: return redirect(url_for('blog.post', post_id=id)) form.title.data = post.title form.text.data = post.text return render_template('edit_post.html', form=form, post=post)
def populate_identity_roles(identity, user=None): identity.user = user if user is None or user.is_anonymous: if current_app.config['POLICY_ANONYMOUS_VIEW_INDEX']: identity.provides.add(roles.index_view) if current_app.config['POLICY_ANONYMOUS_VIEW_POST']: identity.provides.add(roles.post_view) if current_app.config['POLICY_ANONYMOUS_VIEW_STATS']: identity.provides.add(roles.stats_view) else: identity.provides.add(UserNeed(user.identifier)) identity.provides.add(roles.index_view) identity.provides.add(roles.post_comment) identity.provides.add(roles.post_view) identity.provides.add(roles.post_download) identity.provides.add(roles.post_edit) identity.provides.add(roles.stats_view) # TODO: Populate group permissions, and port existing group admin # code to roles. return identity
def test_permissions(): """Iterates over all users checking its permissions.""" for i in range(users_number): identity = FakeIdentity(UserNeed(users[i].id)) # Allowed permission permission_allowed_both = dynamic_permission( ActionNeed('action{0}'.format((i % actions_users_number) + actions_roles_number)), ActionNeed('action{0}'.format(i % actions_roles_number))) assert permission_allowed_both.allows(identity) # Not allowed action user permission_not_allowed_user = dynamic_permission( ActionNeed( 'action{0}'.format((i + 1) % actions_users_number + actions_roles_number))) assert not permission_not_allowed_user.allows(identity) # Not allowed action role permission_not_allowed_role = dynamic_permission( ActionNeed('action{0}'.format( (i + 1) % actions_roles_number))) assert not permission_not_allowed_role.allows(identity)
def post_edit(postid): """Edit a exits article.""" post = Post.query.get_or_404(postid) if Permission(UserNeed(post.user.id)).can() or current_user.can("admin"): form = PostForm() if form.validate_on_submit(): post.title = form.title.data post.body = form.body.data db.session.add(post) db.session.commit() tags = list(set(form.tags.data.split())) post.tags = [] for tagname in tags: tag = Tag.query.filter_by(name=tagname).first() if tag: post.tags.append(tag) else: tag = Tag(name=tagname) post.tags.append(tag) db.session.add(post) db.session.commit() flash("You have successfully updated a article.") return redirect(url_for("main.post", postid=post.id)) form.title.data = post.title form.body.data = post.body form.tags.data = " ".join([tag.name for tag in post.tags]) return render_template("/main/editpost.html", form=form, postid=post.id) else: abort(403)
def _on_identity_loaded(sender, identity): """ flask_principal used to load user""" if hasattr(current_user, 'id'): identity.provides.add(UserNeed(current_user.id)) if hasattr(current_user, 'roles'): for role in current_user.roles: identity.provides.add(RoleNeed(role.name)) # provide vip need if hasattr(current_user, 'vips'): from youjiao.user.models import User, VIP from youjiao.extensions import db e = VIP.query.filter(VIP.user_id == current_user.id, VIP.end > date.today()).exists() if db.session.query(e).scalar(): identity.provides.add(RoleNeed('vip')) if hasattr(current_user, 'roles'): if ('admin' in current_user.roles_name) or ('editor' in current_user.roles_name): identity.provides.add(RoleNeed('vip')) identity.user = current_user
def on_identity_loaded(sender, identity): identity.user = current_user if hasattr(current_user, "id"): identity.provides.add(UserNeed(current_user.id)) identity.provides.add(RoleNeed(role_name))
def need(self): """Return UserNeed instance.""" return UserNeed(self.user_id)
def load_needs(sender, identity: Identity): identity.user = current_user if getattr(current_user, 'id', None): identity.provides.add(UserNeed(current_user.id)) identity.provides.add(RoleNeed(USER_ROLE))
def test_invenio_access_permission_cache_users_updates(app): """Testing ActionUsers cache with inserts/updates/deletes.""" cache = SimpleCache() InvenioAccess(app, cache=cache) with app.test_request_context(): # Creation of some data to test. user_1 = User(email='*****@*****.**') user_2 = User(email='*****@*****.**') user_3 = User(email='*****@*****.**') user_4 = User(email='*****@*****.**') user_5 = User(email='*****@*****.**') user_6 = User(email='*****@*****.**') db.session.add(user_1) db.session.add(user_2) db.session.add(user_3) db.session.add(user_4) db.session.add(user_5) db.session.add(user_6) db.session.add(ActionUsers(action='open', user=user_1)) db.session.add(ActionUsers(action='write', user=user_4)) db.session.flush() # Creation identities to test. identity_user_1 = FakeIdentity(UserNeed(user_1.id)) identity_user_2 = FakeIdentity(UserNeed(user_2.id)) identity_user_3 = FakeIdentity(UserNeed(user_3.id)) identity_user_4 = FakeIdentity(UserNeed(user_4.id)) identity_user_5 = FakeIdentity(UserNeed(user_5.id)) identity_user_6 = FakeIdentity(UserNeed(user_6.id)) # Test if user 1 can open. In this case, the cache should store only # this object. permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_user_1) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1)]), set([]) ) # Test if user 4 can write. In this case, the cache should have this # new object and the previous one (Open is allowed to user_1) permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_4) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=4)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1)]), set([]) ) # If we add a new user to the action open, the open action in cache # should be removed but it should still containing the write entry. db.session.add(ActionUsers(action='open', user=user_2)) db.session.flush() assert current_access.get_action_cache('open') is None permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_user_2) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=4)]), set([]) ) # Test if the new user is added to the action 'open' permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_4) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=4)]), set([]) ) # If we update an action swapping a user, the cache containing the # action, should be removed. user_4_action_write = ActionUsers.query.filter( ActionUsers.action == 'write' and ActionUsers.user == user_4).first() user_4_action_write.user = user_3 db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) # Test if the user_3 can now write. permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_user_4) permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_3) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=3)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) # If we remove a user from an action, the cache should clear the # action item. user_3_action_write = ActionUsers.query.filter( ActionUsers.action == 'write' and ActionUsers.user == user_3).first() db.session.delete(user_3_action_write) db.session.flush() assert current_access.get_action_cache('write') is None # If no one is allowed to perform an action then everybody is allowed. permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_3) assert current_access.get_action_cache('write') == ( set([]), set([]) ) db.session.add(ActionUsers(action='write', user=user_5)) db.session.flush() permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_5) permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_user_3) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=5)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) # If you update the name of an existing action, the previous action # and the new action should be remove from cache. permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_user_5) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=5)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2)]), set([]) ) user_5_action_write = ActionUsers.query.filter( ActionUsers.action == 'write' and ActionUsers.user == user_5).first() user_5_action_write.action = 'open' db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') is None permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_user_1) assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2), Need(method='id', value=5)]), set([]) ) db.session.add(ActionUsers(action='write', user=user_4)) permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_user_5) assert current_access.get_action_cache('write') == ( set([Need(method='id', value=4)]), set([]) ) db.session.add(ActionUsers(action='open', argument='1', user=user_6)) db.session.flush() permission_open_1 = DynamicPermission( ParameterizedActionNeed('open', '1')) assert not permission_open.allows(identity_user_6) assert permission_open_1.allows(identity_user_6) assert current_access.get_action_cache('open::1') == ( set([Need(method='id', value=1), Need(method='id', value=2), Need(method='id', value=5), Need(method='id', value=6)]), set([]) ) user_6_action_open_1 = ActionUsers.query.filter_by( action='open', argument='1', user_id=user_6.id).first() user_6_action_open_1.argument = '2' db.session.flush() assert current_access.get_action_cache('open::1') is None assert current_access.get_action_cache('open::2') is None permission_open_2 = DynamicPermission( ParameterizedActionNeed('open', '2')) assert permission_open_2.allows(identity_user_6) assert current_access.get_action_cache('open::2') == ( set([Need(method='id', value=1), Need(method='id', value=2), Need(method='id', value=5), Need(method='id', value=6)]), set([]) ) # open action cache should remain as before assert current_access.get_action_cache('open') == ( set([Need(method='id', value=1), Need(method='id', value=2), Need(method='id', value=5)]), set([]) )
def custom_views_permissions_factory(action): if action == "circulation-loan-force-checkout": # fake permission for a specific user return Permission(UserNeed(librarian2.id)) else: return default_factory(action)
def __call__(self, item): if self.method == 'id': return UserNeed(self.resource.item_get_id(item)) return ItemNeed(self.method, get_value(item, self.resource.meta.id_attribute, None), self.type)
def identity_simple(): """Simple identity fixture.""" i = Identity(1) i.provides.add(UserNeed(1)) i.provides.add(Need(method="system_role", value="any_user")) return i
def needs(self, record=None, **kwargs): """Enabling Needs.""" return [UserNeed(owner) for owner in record.get('owners', [])]
from flask_principal import Principal, Permission, RoleNeed, identity_loaded,UserNeed from config import config from flask_login import current_user import flask_whooshalchemyplus from flask_admin import Admin db = SQLAlchemy() principals = Principal() login_manager = LoginManager() login_manager.session_protection = 'strong' login_manager.login_view = 'main.login' admin_permission = Permission(RoleNeed('admin')) user_permission = Permission(UserNeed('id')) def create_app(config_name): app = Flask(__name__) app.config.from_object(config[config_name]) config[config_name].init_app(app) Principal(app) db.init_app(app) db.app = app with app.app_context(): db.create_all() login_manager.init_app(app) from .models import User, Post, UserRole, Comment, Tag, posts_tags, Role from .modelview import MyAdminIndexView, MyViewAll, MyView, MyViewpost flask_whooshalchemyplus.init_app(app)