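def check_permissions(self, resource, method, user):
    """Decide whether ``user`` may perform ``method`` on ``resource``.

    Rules are tried in order; the first one that matches decides:

    1. No user on the request: allowed. NOTE(review): this lets a request
       without a user through -- presumably the authentication step before
       this call already rejects anonymous callers where needed; confirm.
    2. The request targets the caller's own user record (URL ``_id`` equals
       ``user['_id']``): ``delete``/``put`` (case-insensitive) are refused,
       anything else is allowed.
    3. Any ``GET``, and any method on the ``prepopulate`` resource, is allowed.
    4. ``PATCH`` on ``activity`` is allowed (users mark activities as read).
    5. On ``preferences`` only the owner of the addressed document may act;
       the result is the ownership comparison itself.
    6. Otherwise the privilege registered for ``resource``/``method`` must be
       truthy in the user's ``active_privileges`` (resolved from
       ``flask.g.role``).

    :param resource: name of the resource being accessed.
    :param method: HTTP method of the request; compared case-sensitively
        except in rule 2.
    :param user: the authenticated user document, or a falsy value.
    :return: ``True`` when the operation is permitted (rule 5 returns the
        raw ownership comparison).
    :raises ForbiddenError: when no rule grants access.
    """
    # Rule 1: nothing to check without a user.
    if not user:
        return True

    # Rule 2: operation on the caller's own user record.
    if request.view_args.get('_id') == str(user['_id']):
        # Nobody may delete or replace their own account.
        if method.lower() in ('delete', 'put'):
            raise ForbiddenError()
        return True

    # Rule 3: reads are open to everyone, and so is prepopulate.
    if method == 'GET' or resource == 'prepopulate':
        return True

    # Rule 4: users may PATCH activities, e.g. to mark one as read.
    if method == 'PATCH' and resource == 'activity':
        return True

    # Rule 5: a user may only change their own preferences document.
    if resource == 'preferences':
        preferences_doc = get_resource_service('preferences').find_one(
            _id=request.view_args.get('_id'), req=None)
        if not preferences_doc:
            # Fail closed: a missing document must not surface as an
            # AttributeError (500) -- it is simply not authorized.
            raise ForbiddenError()
        return user['_id'] == preferences_doc.get("user")

    # Rule 6: fall back to the privileges derived from the user's role.
    get_resource_service('users').set_privileges(user, flask.g.role)
    active_privileges = user.get('active_privileges', {})
    required_privilege = get_resource_privileges(resource).get(method, None)
    # A resource/method with no registered privilege maps to None, which is
    # never present, so it is denied below.
    if active_privileges.get(required_privilege, False):
        return True

    # No rule granted access.
    raise ForbiddenError()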
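def check_permissions(self, resource, method, user):
    """Decide whether ``user`` may perform ``method`` on ``resource``.

    Rules are tried in order; the first one that matches decides:

    1. No user on the request: allowed. NOTE(review): this lets a request
       without a user through -- presumably the authentication step before
       this call already rejects anonymous callers where needed; confirm.
    2. The request targets the caller's own user record (URL ``_id`` equals
       ``user['_id']``): ``delete``/``put`` (case-insensitive) are refused,
       anything else is allowed.
    3. Any ``GET``, and any method on the ``prepopulate`` resource, is allowed.
    4. On ``preferences`` only the owner of the addressed document may act;
       the result is the ownership comparison itself.
    5. Otherwise the privilege registered for ``resource``/``method`` must be
       truthy in the user's ``active_privileges`` (resolved from
       ``flask.g.role``).

    :param resource: name of the resource being accessed.
    :param method: HTTP method of the request; compared case-sensitively
        except in rule 2.
    :param user: the authenticated user document, or a falsy value.
    :return: ``True`` when the operation is permitted (rule 4 returns the
        raw ownership comparison).
    :raises ForbiddenError: when no rule grants access.
    """
    # Rule 1: nothing to check without a user.
    if not user:
        return True

    # Rule 2: operation on the caller's own user record.
    if request.view_args.get('_id') == str(user['_id']):
        # Nobody may delete or replace their own account.
        if method.lower() in ('delete', 'put'):
            raise ForbiddenError()
        return True

    # Rule 3: reads are open to everyone, and so is prepopulate.
    if method == 'GET' or resource == 'prepopulate':
        return True

    # Rule 4: a user may only change their own preferences document.
    if resource == 'preferences':
        preferences_doc = get_resource_service('preferences').find_one(
            _id=request.view_args.get('_id'), req=None)
        if not preferences_doc:
            # Fail closed: a missing document must not surface as an
            # AttributeError (500) -- it is simply not authorized.
            raise ForbiddenError()
        return user['_id'] == preferences_doc.get("user")

    # Rule 5: fall back to the privileges derived from the user's role.
    get_resource_service('users').set_privileges(user, flask.g.role)
    active_privileges = user.get('active_privileges', {})
    required_privilege = get_resource_privileges(resource).get(method, None)
    # A resource/method with no registered privilege maps to None, which is
    # never present, so it is denied below.
    if active_privileges.get(required_privilege, False):
        return True

    # No rule granted access.
    raise ForbiddenError()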
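def on_update(self, updates, original):
    """Refuse a role change from a user lacking the users ``PATCH`` privilege.

    Runs before a user document is updated. When ``updates`` carries a
    ``role`` and the requesting user (``flask.g.user``) has an
    ``active_privileges`` mapping, the privilege registered for ``PATCH`` on
    the ``users`` resource must be granted (truthy) in that mapping.

    :param updates: the fields being changed.
    :param original: the stored document (not used here).
    :raises SuperdeskApiError: 403 when the role change is not permitted.
    """
    if 'role' not in updates:
        return

    requester = flask.g.user
    # NOTE(review): without an ``active_privileges`` key the check is
    # skipped and the role change goes through -- confirm that privileges
    # are always resolved onto ``flask.g.user`` before this hook runs.
    if 'active_privileges' not in requester:
        return

    required_privilege = get_resource_privileges('users')['PATCH']
    # Test the granted value, not just key presence: consistent with the
    # other privilege checks in this module, a key mapped to 0/False is not
    # a grant.
    if not requester['active_privileges'].get(required_privilege):
        raise SuperdeskApiError.forbiddenError("Insufficient privileges to change the role")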
def check_get_access_privilege(self):
    """Abort with 403 unless the current user may ``GET`` ``self.datasource``.

    Does nothing when ``g`` carries no ``user`` attribute. Otherwise the
    privilege registered for ``GET`` on ``self.datasource`` must be present
    in the user's ``active_privileges`` with a value other than ``0``.

    :raises SuperdeskApiError: ``forbiddenError`` when the privilege is
        absent or ``0``.
    """
    if not hasattr(g, 'user'):
        return

    granted = g.user.get('active_privileges', {})
    required = get_resource_privileges(self.datasource).get('GET', None)
    # An absent key counts as 0, i.e. not granted.
    if granted.get(required, 0) == 0:
        raise SuperdeskApiError.forbiddenError()
def check_permissions(self, resource, method, user):
    """Authorize ``method`` on ``resource`` for ``user``.

    Evaluation order (the first hit decides):

    1. No user: allowed.
    2. The user's privileges are resolved from ``flask.g.role`` into the
       user document (this happens before the ``GET`` shortcut so reads
       also see them).
    3. ``GET``: allowed.
    4. Intrinsic privileges: when ``get_intrinsic_privileges()`` lists this
       resource and method, the resource service's ``is_authorized()`` has
       the final word -- a truthy answer is returned, a falsy one raises 403.
    5. Resource privileges: the privilege mapped to ``resource``/``method``
       must be truthy in ``active_privileges``. A resource with no mapping
       for the method is allowed only when ``get_no_resource_privileges``
       says so.
    6. Otherwise 403.

    :param resource: resource name.
    :param method: HTTP method.
    :param user: authenticated user document, or a falsy value.
    :return: ``True`` when permitted (step 4 returns the service's answer).
    :raises SuperdeskApiError: ``forbiddenError`` when not permitted.
    """
    # Step 1
    if not user:
        return True

    # Step 2
    get_resource_service("users").set_privileges(user, flask.g.role)

    # Step 3
    if method == "GET":
        return True

    denied_message = _("Insufficient privileges for the requested operation.")

    # Step 4
    intrinsic = get_intrinsic_privileges()
    intrinsic_methods = intrinsic.get(resource)
    if intrinsic_methods and method in intrinsic_methods:
        verdict = get_resource_service(resource).is_authorized(
            user_id=str(user.get("_id")),
            _id=request.view_args.get("_id"),
            method=method,
        )
        if not verdict:
            raise SuperdeskApiError.forbiddenError(message=denied_message)
        return verdict

    # Step 5
    active_privileges = user.get("active_privileges", {})
    required_privilege = get_resource_privileges(resource).get(method, None)
    if not required_privilege and get_no_resource_privileges(resource):
        return True
    if active_privileges.get(required_privilege, False):
        return True

    # Step 6
    raise SuperdeskApiError.forbiddenError(message=denied_message)
def check_get_access_privilege(self):
    """Abort with 403 unless the current user may ``GET`` ``self.datasource``.

    Does nothing when ``g`` carries no ``user`` attribute. Otherwise the
    privilege registered for ``GET`` on ``self.datasource`` must be present
    in the user's ``active_privileges`` with a value other than ``0``.

    :raises SuperdeskApiError: ``forbiddenError`` when the privilege is
        absent or ``0``.
    """
    if not hasattr(g, 'user'):
        return

    granted = g.user.get('active_privileges', {})
    required = get_resource_privileges(self.datasource).get('GET', None)
    # An absent key counts as 0, i.e. not granted.
    if granted.get(required, 0) == 0:
        raise SuperdeskApiError.forbiddenError()
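def on_update(self, updates, original):
    """Refuse a role change from a user lacking the users ``PATCH`` privilege.

    Runs before a user document is updated. When ``updates`` carries a
    ``role`` and the requesting user (``flask.g.user``) has an
    ``active_privileges`` mapping, the privilege registered for ``PATCH`` on
    the ``users`` resource must be granted (truthy) in that mapping.

    :param updates: the fields being changed.
    :param original: the stored document (not used here).
    :raises SuperdeskApiError: 403 when the role change is not permitted.
    """
    if 'role' not in updates:
        return

    requester = flask.g.user
    # NOTE(review): without an ``active_privileges`` key the check is
    # skipped and the role change goes through -- confirm that privileges
    # are always resolved onto ``flask.g.user`` before this hook runs.
    if 'active_privileges' not in requester:
        return

    required_privilege = get_resource_privileges('users')['PATCH']
    # Test the granted value, not just key presence: consistent with the
    # other privilege checks in this module, a key mapped to 0/False is not
    # a grant.
    if not requester['active_privileges'].get(required_privilege):
        raise SuperdeskApiError.forbiddenError(
            "Insufficient privileges to change the role")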
def check_get_access_privilege(self):
    """Abort with 403 unless the user may read Legal Archive resources.

    Does nothing when ``g`` carries no ``user`` attribute, so the request
    proceeds. Otherwise the privilege registered for ``GET`` on
    ``self.datasource`` must be present in the user's ``active_privileges``
    with a value other than ``0``.

    :raises: SuperdeskApiError.forbiddenError() if the user is not
        authorized to access the Legal Archive resources.
    """
    if not hasattr(g, 'user'):
        return

    granted = g.user.get('active_privileges', {})
    required = get_resource_privileges(self.datasource).get('GET', None)
    # An absent key counts as 0, i.e. not granted.
    if granted.get(required, 0) == 0:
        raise SuperdeskApiError.forbiddenError()
def check_get_access_privilege(self):
    """Abort with 403 unless the user may read Legal Archive resources.

    Does nothing when ``g`` carries no ``user`` attribute, so the request
    proceeds. Otherwise the privilege registered for ``GET`` on
    ``self.datasource`` must be present in the user's ``active_privileges``
    with a value other than ``0``.

    :raises: SuperdeskApiError.forbiddenError() if the user is not
        authorized to access the Legal Archive resources.
    """
    if not hasattr(g, 'user'):
        return

    granted = g.user.get('active_privileges', {})
    required = get_resource_privileges(self.datasource).get('GET', None)
    # An absent key counts as 0, i.e. not granted.
    if granted.get(required, 0) == 0:
        raise SuperdeskApiError.forbiddenError()
def check_permissions(self, resource, method, user):
    """Authorize ``method`` on ``resource`` for ``user``.

    Evaluation order (the first hit decides):

    1. No user: allowed.
    2. The user's privileges are resolved from ``flask.g.role`` into the
       user document (this happens before the ``GET`` shortcut so reads
       also see them).
    3. ``GET``: allowed.
    4. Intrinsic privileges: when ``get_intrinsic_privileges()`` lists this
       resource and method, the resource service's ``is_authorized()`` has
       the final word -- a truthy answer is returned, a falsy one raises 403.
    5. Resource privileges: the privilege mapped to ``resource``/``method``
       must be truthy in ``active_privileges``.
    6. Otherwise 403.

    :param resource: resource name.
    :param method: HTTP method.
    :param user: authenticated user document, or a falsy value.
    :return: ``True`` when permitted (step 4 returns the service's answer).
    :raises SuperdeskApiError: ``forbiddenError`` when not permitted.
    """
    # Step 1
    if not user:
        return True

    # Step 2
    get_resource_service('users').set_privileges(user, flask.g.role)

    # Step 3
    if method == 'GET':
        return True

    # Step 4
    intrinsic = get_intrinsic_privileges()
    intrinsic_methods = intrinsic.get(resource)
    if intrinsic_methods and method in intrinsic_methods:
        verdict = get_resource_service(resource).is_authorized(
            user_id=str(user.get('_id')),
            _id=request.view_args.get('_id'),
        )
        if not verdict:
            raise SuperdeskApiError.forbiddenError()
        return verdict

    # Step 5
    active_privileges = user.get('active_privileges', {})
    required_privilege = get_resource_privileges(resource).get(method, None)
    if active_privileges.get(required_privilege, False):
        return True

    # Step 6
    raise SuperdeskApiError.forbiddenError()
def can_unlock(self, item, user_id, resource):
    """Report whether ``user_id`` may unlock ``item``.

    The resource service's ``can_edit()`` is consulted first and its
    refusal (with its message) is passed straight back. An editable item
    may be unlocked by the user holding the lock (``LOCK_USER``), or by a
    user who has both the resource's ``PATCH`` privilege and the
    ``planning_unlock`` privilege.

    :param item: the locked document.
    :param user_id: id of the user attempting the unlock.
    :param resource: name of the resource the item belongs to.
    :return: ``(True, '')`` when allowed, otherwise ``(False, message)``.
    """
    editable, reason = superdesk.get_resource_service(resource).can_edit(item, user_id)
    if not editable:
        return False, reason

    patch_privilege = get_resource_privileges(resource).get('PATCH')
    # Lock ids are compared as strings so stored and supplied ids match
    # regardless of their original type.
    holds_lock = str(item.get(LOCK_USER, '')) == str(user_id)
    may_override = (current_user_has_privilege(patch_privilege)
                    and current_user_has_privilege('planning_unlock'))
    if holds_lock or may_override:
        return True, ''
    return False, 'You don\'t have permissions to unlock an item.'
def check_permissions(self, resource, method, user):
    """Authorize ``method`` on ``resource`` for ``user``.

    Evaluation order (the first hit decides):

    1. ``GET`` or no user: allowed.
    2. The user's privileges are resolved from ``flask.g.role`` into the
       user document.
    3. Intrinsic privileges: when ``get_intrinsic_privileges()`` lists this
       resource and method, the resource service's ``is_authorized()`` has
       the final word -- a truthy answer is returned, a falsy one raises 403.
    4. Resource privileges: the privilege mapped to ``resource``/``method``
       must be truthy in ``active_privileges``.
    5. Otherwise 403.

    :param resource: resource name.
    :param method: HTTP method.
    :param user: authenticated user document, or a falsy value.
    :return: ``True`` when permitted (step 3 returns the service's answer).
    :raises SuperdeskApiError: ``forbiddenError`` when not permitted.
    """
    # Step 1
    if method == 'GET' or not user:
        return True

    # Step 2
    get_resource_service('users').set_privileges(user, flask.g.role)

    # Step 3
    intrinsic = get_intrinsic_privileges()
    intrinsic_methods = intrinsic.get(resource)
    if intrinsic_methods and method in intrinsic_methods:
        # NOTE(review): the value handed over as ``user_id`` is the ``_id``
        # from the URL, not the authenticated user's id -- confirm this is
        # what this version of ``is_authorized()`` expects.
        verdict = get_resource_service(resource).is_authorized(
            user_id=request.view_args.get('_id'))
        if not verdict:
            raise SuperdeskApiError.forbiddenError()
        return verdict

    # Step 4
    active_privileges = user.get('active_privileges', {})
    required_privilege = get_resource_privileges(resource).get(method, None)
    if active_privileges.get(required_privilege, False):
        return True

    # Step 5
    raise SuperdeskApiError.forbiddenError()
def check_auth(self, token, allowed_roles, resource, method):
    """Validate a token issued by the auth server and check its scope.

    The token must be a JWT that decodes with ``AUTH_SERVER_SHARED_SECRET``.
    ``False`` is returned when that setting is missing, or when decoding
    fails with a bad signature, an expired token or undecodable input. A
    decoded token must then list, in its ``scope`` claim, the privilege
    mapped to ``resource``/``method``; otherwise the request is aborted with
    a 403 JSON error body.

    :param token: the token presented by the client.
    :param allowed_roles: allowed user roles (not used here).
    :param resource: resource being requested.
    :param method: HTTP method being executed (POST, GET, etc.)
    :return: ``True`` when the token is valid and in scope, ``False`` when it
        cannot be validated.
    """
    shared_secret = app.config.get('AUTH_SERVER_SHARED_SECRET')
    if not shared_secret:
        return False

    # Only ``exp`` is validated here, with no leeway.
    # NOTE(review): whether ``jwt`` restricts the accepted signing
    # algorithms is not visible from this function -- confirm where it is
    # constructed.
    try:
        claims = jwt.decode(token, key=shared_secret)
        claims.validate_exp(now=time(), leeway=0)
    except (BadSignatureError, ExpiredTokenError, DecodeError):
        return False

    required_scope = get_resource_privileges(resource).get(method, None)
    granted_scopes = claims.get('scope', [])
    # NOTE(review): the membership test assumes ``scope`` is a list; on a
    # str claim ``in`` would be a substring match -- verify with the issuer.
    if required_scope not in granted_scopes:
        error_body = jsonify({
            "_status": "ERR",
            "_error": {
                "code": 403,
                "message": "Invalid scope"
            }
        })
        abort(make_response(error_body, 403))
    return True
def is_authorized(self, **kwargs) -> bool:
    """Intrinsic authorization for this (auth/session) resource.

    Only ``DELETE`` is restricted: a user may always delete their own
    session (logout), while deleting another user's session requires the
    ``users`` privilege mapped to ``DELETE`` to be truthy in the current
    user's ``active_privileges``. Every other method is allowed.

    :param kwargs: ``method`` (required; ``KeyError`` if absent) and the
        ``_id`` of the targeted session.
    :return: ``True`` when the operation is permitted.
    """
    method = kwargs["method"]
    current_user = auth.get_user()

    if method != "DELETE":
        return True

    session = self.find_one(req=None, _id=kwargs.get("_id"))
    # Logging out of one's own session needs no extra privilege.
    if session and session.get("user") == current_user.get("_id"):
        return True

    active_privileges = current_user.get("active_privileges", {})
    required_privilege = get_resource_privileges("users").get(method, None)
    return active_privileges.get(required_privilege, False)