def check_permissions(self, resource, method, user):
if not user:
return True
# is the operation against the user record of the current user
if request.view_args.get('_id') == str(user['_id']):
# no user is allowed to delete their own user
if method.lower() in('delete', 'put'):
raise ForbiddenError
else:
return True
# We allow all reads or if resource is prepopulate then allow all
if method == 'GET' or resource == 'prepopulate':
return True
# We allow a user to patch activities as they may be marking it as read
if method == 'PATCH' and resource == 'activity':
return True
# users should be able to change only their preferences
if resource == 'preferences':
session = get_resource_service('preferences').find_one(_id=request.view_args.get('_id'), req=None)
return user['_id'] == session.get("user")
# Get the list of privileges belonging to this user
get_resource_service('users').set_privileges(user, flask.g.role)
privileges = user.get('active_privileges', {})
resource_privileges = get_resource_privileges(resource).get(method, None)
if privileges.get(resource_privileges, False):
return True
# If we didn't return True so far then user is not authorized
raise ForbiddenError()
def check_permissions(self, resource, method, user):
if not user:
return True
# is the operation against the user record of the current user
if request.view_args.get('_id') == str(user['_id']):
# no user is allowed to delete their own user
if method.lower() in ('delete', 'put'):
raise ForbiddenError
else:
return True
# We allow all reads or if resource is prepopulate then allow all
if method == 'GET' or resource == 'prepopulate':
return True
# users should be able to change only their preferences
if resource == 'preferences':
session = get_resource_service('preferences').find_one(
_id=request.view_args.get('_id'), req=None)
return user['_id'] == session.get("user")
# Get the list of privileges belonging to this user
get_resource_service('users').set_privileges(user, flask.g.role)
privileges = user.get('active_privileges', {})
resource_privileges = get_resource_privileges(resource).get(
method, None)
if privileges.get(resource_privileges, False):
return True
# If we didn't return True so far then user is not authorized
raise ForbiddenError()
def on_update(self, updates, original):
"""
Overriding the method to prevent a user without 'User Management' privilege from changing a role.
"""
if 'role' in updates and 'active_privileges' in flask.g.user:
if not get_resource_privileges('users')['PATCH'] in flask.g.user['active_privileges']:
raise SuperdeskApiError.forbiddenError("Insufficient privileges to change the role")
def check_get_access_privilege(self):
if not hasattr(g, 'user'):
return
privileges = g.user.get('active_privileges', {})
resource_privileges = get_resource_privileges(self.datasource).get('GET', None)
if privileges.get(resource_privileges, 0) == 0:
raise SuperdeskApiError.forbiddenError()
def check_permissions(self, resource, method, user):
"""Checks user permissions.
1. If there's no user associated with the request or HTTP Method is GET then return True.
2. Get User's Privileges
3. Intrinsic Privileges:
Check if resource has intrinsic privileges.
If it has then check if HTTP Method is allowed.
Return True if `is_authorized()` on the resource service returns True.
Otherwise, raise ForbiddenError.
HTTP Method not allowed continue
No intrinsic privileges continue
4. User's Privileges
Get Resource Privileges and validate it against user's privileges. Return True if validation is successful.
Otherwise continue.
5. If method didn't return True, then user is not authorized to perform the requested operation on the resource.
"""
# Step 1:
if not user:
return True
# Step 2: Get User's Privileges
get_resource_service("users").set_privileges(user, flask.g.role)
if method == "GET":
return True
# Step 3: Intrinsic Privileges
message = _("Insufficient privileges for the requested operation.")
intrinsic_privileges = get_intrinsic_privileges()
if intrinsic_privileges.get(
resource) and method in intrinsic_privileges[resource]:
service = get_resource_service(resource)
authorized = service.is_authorized(
user_id=str(user.get("_id")),
_id=request.view_args.get("_id"),
method=method)
if not authorized:
raise SuperdeskApiError.forbiddenError(message=message)
return authorized
# Step 4: User's privileges
privileges = user.get("active_privileges", {})
resource_privileges = get_resource_privileges(resource).get(
method, None)
if not resource_privileges and get_no_resource_privileges(resource):
return True
if privileges.get(resource_privileges, False):
return True
# Step 5:
raise SuperdeskApiError.forbiddenError(message=message)
def check_get_access_privilege(self):
if not hasattr(g, 'user'):
return
privileges = g.user.get('active_privileges', {})
resource_privileges = get_resource_privileges(self.datasource).get(
'GET', None)
if privileges.get(resource_privileges, 0) == 0:
raise SuperdeskApiError.forbiddenError()
def on_update(self, updates, original):
"""
Overriding the method to prevent a user without 'User Management' privilege from changing a role.
"""
if 'role' in updates and 'active_privileges' in flask.g.user:
if not get_resource_privileges(
'users')['PATCH'] in flask.g.user['active_privileges']:
raise SuperdeskApiError.forbiddenError(
"Insufficient privileges to change the role")
def check_get_access_privilege(self):
"""
Checks if user is authorized to perform get operation on Legal Archive resources. If authorized then request is
forwarded otherwise throws forbidden error.
:raises: SuperdeskApiError.forbiddenError() if user is unauthorized to access the Legal Archive resources.
"""
if not hasattr(g, 'user'):
return
privileges = g.user.get('active_privileges', {})
resource_privileges = get_resource_privileges(self.datasource).get('GET', None)
if privileges.get(resource_privileges, 0) == 0:
raise SuperdeskApiError.forbiddenError()
def check_get_access_privilege(self):
"""Checks if user is authorized to perform get operation on Legal Archive resources.
If authorized then request is
forwarded otherwise throws forbidden error.
:raises: SuperdeskApiError.forbiddenError() if user is unauthorized to access the Legal Archive resources.
"""
if not hasattr(g, 'user'):
return
privileges = g.user.get('active_privileges', {})
resource_privileges = get_resource_privileges(self.datasource).get('GET', None)
if privileges.get(resource_privileges, 0) == 0:
raise SuperdeskApiError.forbiddenError()
def check_permissions(self, resource, method, user):
"""Checks user permissions.
1. If there's no user associated with the request or HTTP Method is GET then return True.
2. Get User's Privileges
3. Intrinsic Privileges:
Check if resource has intrinsic privileges.
If it has then check if HTTP Method is allowed.
Return True if `is_authorized()` on the resource service returns True.
Otherwise, raise ForbiddenError.
HTTP Method not allowed continue
No intrinsic privileges continue
4. User's Privileges
Get Resource Privileges and validate it against user's privileges. Return True if validation is successful.
Otherwise continue.
5. If method didn't return True, then user is not authorized to perform the requested operation on the resource.
"""
# Step 1:
if not user:
return True
# Step 2: Get User's Privileges
get_resource_service('users').set_privileges(user, flask.g.role)
if method == 'GET':
return True
# Step 3: Intrinsic Privileges
intrinsic_privileges = get_intrinsic_privileges()
if intrinsic_privileges.get(resource) and method in intrinsic_privileges[resource]:
service = get_resource_service(resource)
authorized = service.is_authorized(user_id=str(user.get('_id')), _id=request.view_args.get('_id'))
if not authorized:
raise SuperdeskApiError.forbiddenError()
return authorized
# Step 4: User's privileges
privileges = user.get('active_privileges', {})
resource_privileges = get_resource_privileges(resource).get(method, None)
if privileges.get(resource_privileges, False):
return True
# Step 5:
raise SuperdeskApiError.forbiddenError()
def can_unlock(self, item, user_id, resource):
"""
Function checks whether user can unlock the item or not.
"""
can_user_edit, error_message = superdesk.get_resource_service(resource).can_edit(item, user_id)
if can_user_edit:
resource_privileges = get_resource_privileges(resource).get('PATCH')
if not (str(item.get(LOCK_USER, '')) == str(user_id) or
(current_user_has_privilege(resource_privileges) and
current_user_has_privilege('planning_unlock'))):
return False, 'You don\'t have permissions to unlock an item.'
else:
return False, error_message
return True, ''
def check_permissions(self, resource, method, user):
"""
1. If there's no user associated with the request or HTTP Method is GET then return True.
2. Get User's Privileges
3. Intrinsic Privileges:
Check if resource has intrinsic privileges.
If it has then check if HTTP Method is allowed.
Return True if `is_authorized()` on the resource service returns True.
Otherwise, raise ForbiddenError.
HTTP Method not allowed continue
No intrinsic privileges continue
4. User's Privileges
Get Resource Privileges and validate it against user's privileges. Return True if validation is successful.
Otherwise continue.
5. If method didn't return True, then user is not authorized to perform the requested operation on the resource.
"""
# Step 1:
if method == 'GET' or not user:
return True
# Step 2: Get User's Privileges
get_resource_service('users').set_privileges(user, flask.g.role)
# Step 3: Intrinsic Privileges
intrinsic_privileges = get_intrinsic_privileges()
if intrinsic_privileges.get(
resource) and method in intrinsic_privileges[resource]:
authorized = get_resource_service(resource).is_authorized(
user_id=request.view_args.get('_id'))
if not authorized:
raise SuperdeskApiError.forbiddenError()
return authorized
# Step 4: User's privileges
privileges = user.get('active_privileges', {})
resource_privileges = get_resource_privileges(resource).get(
method, None)
if privileges.get(resource_privileges, False):
return True
# Step 5:
raise SuperdeskApiError.forbiddenError()
def check_auth(self, token, allowed_roles, resource, method):
"""
This function is called to check if a token is valid. Must be
overridden with custom logic.
:param token: token.
:param allowed_roles: allowed user roles.
:param resource: resource being requested.
:param method: HTTP method being executed (POST, GET, etc.)
"""
if not app.config.get('AUTH_SERVER_SHARED_SECRET'):
return False
# decode jwt
try:
decoded_jwt = jwt.decode(
token,
key=app.config.get('AUTH_SERVER_SHARED_SECRET')
)
decoded_jwt.validate_exp(now=time(), leeway=0)
except (BadSignatureError, ExpiredTokenError, DecodeError):
return False
# authorization
resource_privileges = get_resource_privileges(resource).get(method, None)
if resource_privileges not in decoded_jwt.get('scope', []):
abort(
make_response(
jsonify({
"_status": "ERR",
"_error": {
"code": 403,
"message": "Invalid scope"
}
}),
403
)
)
return True
def is_authorized(self, **kwargs) -> bool:
"""
Check auth for intrinsic methods.
"""
method = kwargs["method"]
user = auth.get_user()
# delete token is a part of `users` privelege
# user with `users` privelege can delete sessions of any user
# user without `users` privelege can delete only it's own session (logout)
if method == "DELETE":
_auth = self.find_one(req=None, _id=kwargs.get("_id"))
if _auth and _auth.get("user") == user.get("_id"):
return True
active_privileges = user.get("active_privileges", {})
users_resource_privileges = get_resource_privileges("users").get(
method, None)
return active_privileges.get(users_resource_privileges, False)
return True
