Python _operations_not_granted_by_rolesの例、pulp.server.auth.authorization._operations_not_granted_by_roles Pythonの例

コード例 #1

0

ファイルを表示

ファイル: cud.py プロジェクト: BrnoPCmaniak/pulp

    def remove_user_from_role(role_id, login):
        """
        Remove a user from a role. This has the side-effect of revoking all the
        permissions granted to the role from the user, unless the permissions are
        also granted by another role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           name of user
        :type  login:           str
        :raise MissingResource: if the given role or user does not exist
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = model.User.objects.get_or_404(login=login)

        if role_id == SUPER_USER_ROLE and user_controller.is_last_super_user(login):
            raise PulpDataException(
                _('%(role)s cannot be empty, and %(login)s is the last member') %
                {'role': SUPER_USER_ROLE, 'login': login})

        if role_id not in user.roles:
            return

        user.roles.remove(role_id)
        user.save()

        for item in role['permissions']:
            other_roles = factory.role_query_manager().get_other_roles(role, user.roles)
            user_ops = _operations_not_granted_by_roles(item['resource'],
                                                        item['permission'],
                                                        other_roles)
            factory.permission_manager().revoke(item['resource'], login, user_ops)

コード例 #2

0

ファイルを表示

ファイル: cud.py プロジェクト: zjhuntin/pulp

    def remove_permissions_from_role(role_id, resource, operations):
        """
        Remove permissions from a role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param resource:        resource path to revoke permissions from
        :type  resource:        str
        :param operations:      list or tuple
        :type  operations:      list of allowed operations being revoked
        :raise InvalidValue: if some params are invalid
        :raise PulpDataException: if role is a superuser role
        """
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])

        resource_permission = {}
        current_ops = []
        for item in role['permissions']:
            if item['resource'] == resource:
                resource_permission = item
                current_ops = resource_permission['permission']

        if not current_ops:
            return
        for o in operations:
            if o not in current_ops:
                continue
            current_ops.remove(o)

        users = factory.user_query_manager().find_users_belonging_to_role(
            role_id)
        for user in users:
            other_roles = factory.role_query_manager().get_other_roles(
                role, user['roles'])
            user_ops = _operations_not_granted_by_roles(
                resource, operations, other_roles)
            factory.permission_manager().revoke(resource, user['login'],
                                                user_ops)

        # in no more allowed operations, remove the resource
        if not current_ops:
            role['permissions'].remove(resource_permission)

        Role.get_collection().save(role, safe=True)

コード例 #3

0

ファイルを表示

ファイル: cud.py プロジェクト: nbetm/pulp

    def remove_permissions_from_role(role_id, resource, operations):
        """
        Remove permissions from a role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param resource:        resource path to revoke permissions from
        :type  resource:        str
        :param operations:      list or tuple
        :type  operations:      list of allowed operations being revoked
        :raise InvalidValue: if some params are invalid
        :raise PulpDataException: if role is a superuser role
        """
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])

        resource_permission = {}
        current_ops = []
        for item in role['permissions']:
            if item['resource'] == resource:
                resource_permission = item
                current_ops = resource_permission['permission']

        if not current_ops:
            return
        for o in operations:
            if o not in current_ops:
                continue
            current_ops.remove(o)

        users = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for user in users:
            other_roles = factory.role_query_manager().get_other_roles(role, user['roles'])
            user_ops = _operations_not_granted_by_roles(resource,
                                                        operations,
                                                        other_roles)
            factory.permission_manager().revoke(resource, user['login'], user_ops)

        # in no more allowed operations, remove the resource
        if not current_ops:
            role['permissions'].remove(resource_permission)

        Role.get_collection().save(role, safe=True)

コード例 #4

0

ファイルを表示

    def remove_permissions_from_role(self, role_id, resource, operations):
        """
        Remove permissions from a role. 
        
        @type role_id: str
        @param role_id: role identifier
    
        @type resource: str
        @param resource: resource path to revoke permissions from
        
        @type operations: list of allowed operations being revoked
        @param operations: list or tuple
        
        @raise MissingResource: if the given role does not exist
        """
        if role_id == self.super_user_role:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        current_ops = role['permissions'].get(resource, [])
        if not current_ops:
            return
        for o in operations:
            if o not in current_ops:
                continue
            current_ops.remove(o)

        users = factory.user_query_manager().find_users_belonging_to_role(
            role_id)
        for user in users:
            other_roles = factory.role_query_manager().get_other_roles(
                role, user['roles'])
            user_ops = _operations_not_granted_by_roles(
                resource, operations, other_roles)
            factory.permission_manager().revoke(resource, user['login'],
                                                user_ops)

        # in no more allowed operations, remove the resource
        if not current_ops:
            del role['permissions'][resource]

        Role.get_collection().save(role, safe=True)

コード例 #5

0

ファイルを表示

ファイル: cud.py プロジェクト: zjhuntin/pulp

    def delete_role(role_id):
        """
        Deletes the given role. This has the side-effect of revoking any permissions granted
        to the role from the users in the role, unless those permissions are also granted
        through another role the user is a memeber of.

        :param role_id:         identifies the role being deleted
        :type  role_id:         str
        :raise InvalidValue:    if any of the fields are unacceptable
        :raise MissingResource: if the given role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        # Raise exception if role id is invalid
        if role_id is None or not isinstance(role_id, basestring):
            raise InvalidValue(['role_id'])

        # Check whether role exists
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        # Make sure role is not a superuser role
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('Role %s cannot be changed') % role_id)

        # Remove respective roles from users
        users = factory.user_query_manager().find_users_belonging_to_role(
            role_id)

        for item in role['permissions']:
            for user in users:
                other_roles = factory.role_query_manager().get_other_roles(
                    role, user['roles'])
                user_ops = _operations_not_granted_by_roles(
                    item['resource'], item['permission'], other_roles)
                factory.permission_manager().revoke(item['resource'],
                                                    user['login'], user_ops)

        for user in users:
            user['roles'].remove(role_id)
            factory.user_manager().update_user(user['login'],
                                               Delta(user, 'roles'))

        Role.get_collection().remove({'id': role_id}, safe=True)

コード例 #6

0

ファイルを表示

    def remove_user_from_role(self, role_id, login):
        """
        Remove a user from a role. This has the side-effect of revoking all the
        permissions granted to the role from the user, unless the permissions are
        also granted by another role.
        
        @type role_id: str
        @param role_id: role identifier
    
        @type login: str
        @param login: name of user
        
        @rtype: bool
        @return: True on success
                        
        @raise MissingResource: if the given role or user does not exist
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise MissingResource(login)

        if role_id == self.super_user_role and factory.user_query_manager(
        ).is_last_super_user(login):
            raise PulpDataException(
                _('%s cannot be empty, and %s is the last member') %
                (self.super_user_role, login))

        if role_id not in user['roles']:
            return

        user['roles'].remove(role_id)
        User.get_collection().save(user, safe=True)

        for resource, operations in role['permissions'].items():
            other_roles = factory.role_query_manager().get_other_roles(
                role, user['roles'])
            user_ops = _operations_not_granted_by_roles(
                resource, operations, other_roles)
            factory.permission_manager().revoke(resource, login, user_ops)

コード例 #7

0

ファイルを表示

ファイル: cud.py プロジェクト: bartwo/pulp

    def remove_permissions_from_role(self, role_id, resource, operations):
        """
        Remove permissions from a role. 
        
        @type role_id: str
        @param role_id: role identifier
    
        @type resource: str
        @param resource: resource path to revoke permissions from
        
        @type operations: list of allowed operations being revoked
        @param operations: list or tuple
        
        @raise MissingResource: if the given role does not exist
        """
        if role_id == self.super_user_role:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id' : role_id})
        if role is None:
            raise MissingResource(role_id)
        
        current_ops = role['permissions'].get(resource, [])
        if not current_ops:
            return
        for o in operations:
            if o not in current_ops:
                continue
            current_ops.remove(o)
            
        users = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for user in users:
            other_roles = factory.role_query_manager().get_other_roles(role, user['roles'])
            user_ops = _operations_not_granted_by_roles(resource,
                                                    operations,
                                                    other_roles)
            factory.permission_manager().revoke(resource, user['login'], user_ops)
        
        # in no more allowed operations, remove the resource
        if not current_ops:
            del role['permissions'][resource]
        
        Role.get_collection().save(role, safe=True)

コード例 #8

0

ファイルを表示

ファイル: cud.py プロジェクト: zjhuntin/pulp

    def remove_user_from_role(role_id, login):
        """
        Remove a user from a role. This has the side-effect of revoking all the
        permissions granted to the role from the user, unless the permissions are
        also granted by another role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           name of user
        :type  login:           str
        :raise MissingResource: if the given role or user does not exist
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise MissingResource(login)

        if role_id == SUPER_USER_ROLE and factory.user_query_manager(
        ).is_last_super_user(login):
            raise PulpDataException(
                _('%(role)s cannot be empty, and %(login)s is the last member')
                % {
                    'role': SUPER_USER_ROLE,
                    'login': login
                })

        if role_id not in user['roles']:
            return

        user['roles'].remove(role_id)
        User.get_collection().save(user, safe=True)

        for item in role['permissions']:
            other_roles = factory.role_query_manager().get_other_roles(
                role, user['roles'])
            user_ops = _operations_not_granted_by_roles(
                item['resource'], item['permission'], other_roles)
            factory.permission_manager().revoke(item['resource'], login,
                                                user_ops)

コード例 #9

0

ファイルを表示

ファイル: cud.py プロジェクト: bartwo/pulp

    def remove_user_from_role(self, role_id, login):
        """
        Remove a user from a role. This has the side-effect of revoking all the
        permissions granted to the role from the user, unless the permissions are
        also granted by another role.
        
        @type role_id: str
        @param role_id: role identifier
    
        @type login: str
        @param login: name of user
        
        @rtype: bool
        @return: True on success
                        
        @raise MissingResource: if the given role or user does not exist
        """
        role = Role.get_collection().find_one({'id' : role_id})
        if role is None:
            raise MissingResource(role_id)

        user = User.get_collection().find_one({'login' : login})
        if user is None:
            raise MissingResource(login)

        if role_id == self.super_user_role and factory.user_query_manager().is_last_super_user(login):
            raise PulpDataException(_('%s cannot be empty, and %s is the last member') %
                                     (self.super_user_role, login))

        if role_id not in user['roles']:
            return
        
        user['roles'].remove(role_id)
        User.get_collection().save(user, safe=True)

        for resource, operations in role['permissions'].items():
            other_roles = factory.role_query_manager().get_other_roles(role, user['roles'])
            user_ops = _operations_not_granted_by_roles(resource,
                                                        operations,
                                                        other_roles)
            factory.permission_manager().revoke(resource, login, user_ops)

コード例 #10

0

ファイルを表示

ファイル: cud.py プロジェクト: nbetm/pulp

    def delete_role(role_id):
        """
        Deletes the given role. This has the side-effect of revoking any permissions granted
        to the role from the users in the role, unless those permissions are also granted
        through another role the user is a memeber of.

        :param role_id:         identifies the role being deleted
        :type  role_id:         str
        :raise InvalidValue:    if any of the fields are unacceptable
        :raise MissingResource: if the given role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        # Raise exception if role id is invalid
        if role_id is None or not isinstance(role_id, basestring):
            raise InvalidValue(['role_id'])

        # Check whether role exists
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        # Make sure role is not a superuser role
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('Role %s cannot be changed') % role_id)

        # Remove respective roles from users
        users = factory.user_query_manager().find_users_belonging_to_role(role_id)

        for item in role['permissions']:
            for user in users:
                other_roles = factory.role_query_manager().get_other_roles(role, user['roles'])
                user_ops = _operations_not_granted_by_roles(item['resource'],
                                                            item['permission'], other_roles)
                factory.permission_manager().revoke(item['resource'], user['login'], user_ops)

        for user in users:
            user['roles'].remove(role_id)
            factory.user_manager().update_user(user['login'], Delta(user, 'roles'))

        Role.get_collection().remove({'id': role_id}, safe=True)