예제 #1
def create_permission(instance):
    """Create one Permission row per available ACL type for *instance*.

    Every row gets the codename "<instance.id>.<acltype.id>" and the
    ContentType of the instance's model.
    """
    model_content_type = ContentType.objects.get_for_model(instance)
    for acl_kind in ACLType.availables():
        # NOTE(review): nothing here looks for an existing row with the same
        # codename, so a second call for the same instance would try to save
        # duplicates -- confirm callers invoke this only once per object.
        permission = Permission(
            name=acl_kind.name,
            codename="%s.%s" % (instance.id, acl_kind.id),
            content_type=model_content_type,
        )
        permission.save()
예제 #2
def index(request, obj_id):
    """Render the ACL editing page for the ACLBase object *obj_id*.

    The lookup goes through get_obj_with_check_perm with ACLType.Full; when
    it reports an error, that error value is returned unchanged and nothing
    about the object is rendered.
    """
    aclbase_obj, error = get_obj_with_check_perm(request.user, ACLBase, obj_id, ACLType.Full)
    if error:
        return error
    target_obj = aclbase_obj.get_subclass_object()

    # Attribute and EntityAttr pages need the object that owns them so the
    # template can draw breadcrumb navigation.
    parent_obj = None
    try:
        if isinstance(target_obj, Attribute):
            parent_obj = target_obj.parent_entry
        elif isinstance(target_obj, EntityAttr):
            parent_obj = target_obj.parent_entity
    except StopIteration:
        Logger.warning("failed to get related parent object")

    acltype_choices = [{"id": acltype.id, "name": acltype.label} for acltype in ACLType.all()]

    # Role visibility: a superuser sees every active role, any other user
    # only the active roles is_belonged_to() accepts for them.
    role_rows = []
    for role in Role.objects.filter(is_active=True):
        if not (request.user.is_superuser or role.is_belonged_to(request.user)):
            continue
        role_rows.append(
            {
                "id": role.id,
                "name": role.name,
                "description": role.description,
                "current_permission": role.get_current_permission(target_obj),
            }
        )

    return render(
        request,
        "edit_acl.html",
        {
            "object": target_obj,
            "parent": parent_obj,
            "acltypes": acltype_choices,
            "roles": role_rows,
        },
    )
예제 #3
def _set_permission(role, acl_obj, acl_type):
    """Leave *role* with at most one permission on *acl_obj*: *acl_type*.

    Every other ACL type's permission object (looked up on acl_obj by the
    type's name) is removed from role.permissions; ACLType.Nothing is never
    looked up. Passing ACLType.Nothing therefore only revokes.
    """
    # Revoke first, so a lower or higher level granted earlier does not
    # linger next to the new one.
    stale_types = [
        candidate
        for candidate in ACLType.all()
        if candidate != acl_type and candidate != ACLType.Nothing
    ]
    for stale in stale_types:
        role.permissions.remove(getattr(acl_obj, stale.name))

    # Grant the requested level, unless the request was "no permission".
    if acl_type != ACLType.Nothing:
        granted = getattr(acl_obj, acl_type.name)
        role.permissions.add(granted)
예제 #4
파일: views.py 프로젝트: nakacya/airone
def set(request, recv_data):
    """Apply the ACL settings in *recv_data* to the object they name.

    recv_data keys read here: 'object_type', 'object_id', 'default_permission',
    'acl' (a list of dicts with 'member_type', 'member_id', 'value') and the
    optional 'is_public'. Returns a JsonResponse with a redirect URL on
    success, or an HttpResponse with status 400 when the change is refused.
    """
    user = User.objects.get(id=request.user.id)
    acl_model = _get_acl_model(recv_data['object_type'])
    acl_obj = acl_model.objects.get(id=recv_data['object_id'])

    # Authorization gate: the caller must already hold Full permission.
    # NOTE(review): the refusal is reported with status 400, not 403, so it
    # is indistinguishable from a malformed request in access logs.
    if not user.has_permission(acl_obj, ACLType.Full):
        return HttpResponse(
            "User(%s) doesn't have permission to change this ACL" %
            user.username,
            status=400)

    make_public = 'is_public' in recv_data
    new_default = int(recv_data['default_permission'])

    # Second check, against the settings being requested. Judging by the
    # error message it stops a user from locking themselves out of the ACL.
    if not user.may_permitted(acl_obj, ACLType.Full,
                              is_public=make_public,
                              default_permission=new_default,
                              acl_settings=recv_data['acl']):
        return HttpResponse(
            "Inadmissible setting. By this change you will never change this ACL",
            status=400)

    # update the Public/Private flag parameter
    acl_obj.is_public = make_public
    acl_obj.default_permission = new_default
    acl_obj.save()

    # NOTE(review): the save above and the per-member updates below are not
    # wrapped in a transaction inside this function; if a lookup fails
    # midway the ACL is left partly applied -- confirm one is opened elsewhere.
    entries_with_value = [entry for entry in recv_data['acl'] if entry['value']]
    for entry in entries_with_value:
        # Any member_type other than 'user' is looked up as a Group.
        member_model = User if entry['member_type'] == 'user' else Group
        member = member_model.objects.get(id=entry['member_id'])

        matching_types = [t for t in ACLType.all() if t == int(entry['value'])]
        acl_type = matching_types[0]

        # update permissions for the target ACLBased object
        _set_permission(member, acl_obj, acl_type)

    # Send the browser back to the page the edited object belongs to.
    redirect_url = '/'
    if isinstance(acl_obj, Entity):
        redirect_url = '/entity/'
    elif isinstance(acl_obj, EntityAttr):
        redirect_url = '/entity/edit/%s' % acl_obj.parent_entity.id
    elif isinstance(acl_obj, Entry):
        redirect_url = '/entry/show/%s' % acl_obj.id
    elif isinstance(acl_obj, Attribute):
        redirect_url = '/entry/edit/%s' % acl_obj.parent_entry.id

    payload = {
        'redirect_url': redirect_url,
        'msg': 'Success to update ACL of "%s"' % acl_obj.name,
    }
    return JsonResponse(payload)
예제 #5
파일: models.py 프로젝트: syucream/airone
    def save(self, *args, **kwargs):
        """Save the object, then create any missing per-ACL-type Permission rows.

        Permission codenames have the form "<self.id>.<acltype.id>"; a row is
        created only when no Permission with that codename exists yet.
        """
        super(ACLBase, self).save(*args, **kwargs)

        # create Permission sets for this object at once
        model_content_type = ContentType.objects.get_for_model(self)
        for acl_kind in ACLType.availables():
            permission_code = '%s.%s' % (self.id, acl_kind.id)
            if Permission.objects.filter(codename=permission_code).exists():
                continue
            # NOTE(review): exists() followed by save() is not atomic; two
            # concurrent saves of the same object could both insert the row.
            # The lookup also matches on codename alone, not content_type.
            Permission(
                name=acl_kind.name,
                codename=permission_code,
                content_type=model_content_type,
            ).save()
예제 #6
def index(request, obj_id):
    """Render the ACL editing page for the ACLBase object *obj_id*.

    The lookup goes through get_object_with_check_permission with
    ACLType.Full; when it reports an error, that value is returned unchanged.
    """
    user = User.objects.get(id=request.user.id)
    aclbase_obj, error = get_object_with_check_permission(user, ACLBase, obj_id, ACLType.Full)
    if error:
        return error
    target_obj = aclbase_obj.get_subclass_object()

    def get_current_permission(member):
        """Return the ACL type id *member* holds on target_obj, or 0 if none."""
        matching = [
            permission for permission in member.permissions.all()
            if permission.get_objid() == target_obj.id
        ]
        return matching[0].get_aclid() if matching else 0

    # Attribute and EntityAttr pages need the object that owns them so the
    # template can draw breadcrumb navigation.
    parent_obj = None
    try:
        if isinstance(target_obj, Attribute):
            parent_obj = target_obj.parent_entry
        elif isinstance(target_obj, EntityAttr):
            parent_obj = target_obj.parent_entity
    except StopIteration:
        Logger.warning('failed to get related parent object')

    acltype_choices = [{'id': acltype.id, 'name': acltype.label} for acltype in ACLType.all()]

    # NOTE(review): every active user and group is listed for whoever may
    # edit this ACL, and each one costs a member.permissions.all() query.
    user_rows = [
        {
            'id': account.id,
            'name': account.username,
            'current_permission': get_current_permission(account),
            'type': 'user',
        }
        for account in User.objects.filter(is_active=True)
    ]
    group_rows = [
        {
            'id': group.id,
            'name': group.name,
            'current_permission': get_current_permission(group),
            'type': 'group',
        }
        for group in Group.objects.filter(is_active=True)
    ]

    context = {
        'object': target_obj,
        'parent': parent_obj,
        'acltypes': acltype_choices,
        'members': user_rows + group_rows,
    }
    return render(request, 'edit_acl.html', context)
예제 #7
    def update(self, instance, validated_data):
        """Write the ACL settings in *validated_data* to the object and return it.

        Reads "objtype", "is_public", "default_permission" and "acl" (a list
        of dicts with "member_id" and "value") from validated_data.
        """
        # NOTE(review): no permission check is visible in this method;
        # presumably the caller or a validate() step enforces it -- confirm.
        acl_model = self._get_acl_model(validated_data["objtype"])
        acl_obj = acl_model.objects.get(id=instance.id)

        acl_obj.is_public = validated_data["is_public"]
        acl_obj.default_permission = validated_data["default_permission"]
        acl_obj.save()

        # Entries with a falsy "value" are left untouched.
        entries_with_value = [entry for entry in validated_data["acl"] if entry["value"]]
        for entry in entries_with_value:
            # The role is fetched by id only; is_active is not consulted here.
            role = Role.objects.get(id=entry["member_id"])
            matching_types = [t for t in ACLType.all() if t == int(entry["value"])]
            acl_type = matching_types[0]

            # update permissions for the target ACLBased object
            self._set_permission(role, acl_obj, acl_type)

        return acl_obj
예제 #8
    def update(self, instance, validated_data):
        """Write the ACL settings in *validated_data* to the object and return it.

        Reads 'objtype', 'is_public', 'default_permission' and 'acl' (a list
        of dicts with 'member_type', 'member_id' and 'value').
        """
        # NOTE(review): no permission check is visible in this method;
        # presumably the caller or a validate() step enforces it -- confirm.
        acl_model = self._get_acl_model(validated_data['objtype'])
        acl_obj = acl_model.objects.get(id=instance.id)

        acl_obj.is_public = validated_data['is_public']
        acl_obj.default_permission = validated_data['default_permission']
        acl_obj.save()

        # Entries with a falsy 'value' are left untouched.
        entries_with_value = [entry for entry in validated_data['acl'] if entry['value']]
        for entry in entries_with_value:
            # Any member_type other than 'user' is looked up as a Group.
            member_model = User if entry['member_type'] == 'user' else Group
            member = member_model.objects.get(id=entry['member_id'])

            matching_types = [t for t in ACLType.all() if t == int(entry['value'])]
            acl_type = matching_types[0]

            # update permissions for the target ACLBased object
            self._set_permission(member, acl_obj, acl_type)

        return acl_obj
예제 #9
파일: models.py 프로젝트: takano32/airone
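class ACLBase(models.Model):
    """Base model for objects that carry ACL settings.

    Holds the public flag, the default permission level and a bit-flag
    status, and gives access to the per-object Permission rows whose
    codename is "<id>.<acltype id>".
    """

    name = models.CharField(max_length=200)
    is_public = models.BooleanField(default=True)
    # DO_NOTHING: Django takes no action on this row when the referenced
    # user is deleted.
    created_user = models.ForeignKey(User, on_delete=models.DO_NOTHING)
    # Cleared by delete() and set again by restore() (soft deletion).
    is_active = models.BooleanField(default=True)
    # Bit field manipulated through set_status / del_status / get_status.
    status = models.IntegerField(default=0)
    default_permission = models.IntegerField(default=ACLType.Nothing().id)
    updated_time = models.DateTimeField(auto_now=True)

    # This field describes the sub-class of this object
    objtype = models.IntegerField(default=0)

    def set_status(self, val):
        """Set the bits of *val* in status and persist only that column."""
        self.status |= val
        self.save(update_fields=["status"])

    def del_status(self, val):
        """Clear the bits of *val* in status and persist only that column."""
        self.status &= ~val
        self.save(update_fields=["status"])

    def get_status(self, val):
        """Return status masked with *val* (non-zero if any of those bits is set)."""
        return self.status & val

    def delete(self, *args, **kwargs):
        """Soft-delete: mark the object inactive and rename it.

        The row is kept (the parent class's delete() is not called) and the
        name gets a "_deleted_<timestamp>" suffix. *args and **kwargs are
        accepted but not used.
        """
        self.is_active = False
        self.name = "%s_deleted_%s" % (
            self.name,
            datetime.now().strftime("%Y%m%d_%H%M%S"),
        )
        self.save()

    def restore(self, *args, **kwargs):
        """Undo delete(): reactivate the object and strip the deletion suffix.

        The suffix is matched as "_deleted_" followed by digits and
        underscores at the end of the name.
        """
        self.is_active = True
        self.name = re.sub(r"_deleted_[0-9_]*$", "", self.name)
        self.save()

    def inherit_acl(self, aclobj):
        """Copy is_public and default_permission from *aclobj* (not saved here).

        Raises:
            TypeError: aclobj is not an ACLBase instance.
        """
        if not isinstance(aclobj, ACLBase):
            # The original message kept a literal "%s"; fill it in. The
            # one-element tuple keeps formatting correct when aclobj is a tuple.
            raise TypeError("specified object(%s) is not ACLBase object" % (aclobj,))

        # inherit parameter of ACL
        self.is_public = aclobj.is_public
        self.default_permission = aclobj.default_permission

    @property
    def readable(self):
        """Permission row of this object for ACLType.Readable."""
        return self._get_permission(ACLType.Readable.id)

    @property
    def writable(self):
        """Permission row of this object for ACLType.Writable."""
        return self._get_permission(ACLType.Writable.id)

    @property
    def full(self):
        """Permission row of this object for ACLType.Full."""
        return self._get_permission(ACLType.Full.id)

    def _get_permission(self, acltype):
        """Fetch the Permission whose codename is "<self.id>.<acltype>".

        The lookup is by codename only, via objects.get(), so a missing or
        duplicated row raises instead of returning None.
        """
        return Permission.objects.get(codename="%s.%s" % (self.id, acltype))

    def get_subclass_object(self):
        """Return this row loaded as the concrete model named by objtype.

        Falls back to type(self) when objtype matches none of the known
        ACLObjType values.
        """
        # Use importlib to prevent circular import
        if self.objtype == ACLObjType.Entity:
            model = importlib.import_module("entity.models").Entity
        elif self.objtype == ACLObjType.EntityAttr:
            model = importlib.import_module("entity.models").EntityAttr
        elif self.objtype == ACLObjType.Entry:
            model = importlib.import_module("entry.models").Entry
        elif self.objtype == ACLObjType.EntryAttr:
            model = importlib.import_module("entry.models").Attribute
        else:
            # set ACLBase model
            model = type(self)

        return model.objects.get(id=self.id)

    def is_same_object(self, comp):
        """Compare self and *comp* on every key in _IMPORT_INFO["header"]."""
        # NOTE(review): relies on item access (self[x]) and on _IMPORT_INFO,
        # neither of which is defined in this class -- presumably supplied
        # by subclasses; confirm before calling on a bare ACLBase.
        return all([self[x] == comp[x] for x in self._IMPORT_INFO["header"]])

    @classmethod
    def search(kls, query):
        """Return search hits for objects whose name contains *query*.

        The match is case-insensitive (name__icontains) and does not filter
        on is_active. Each hit is a dict with "type", "object" and "hint".
        """
        return [
            {
                "type": kls.__name__,
                "object": obj,
                "hint": "",
            }
            for obj in kls.objects.filter(name__icontains=query)
        ]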
예제 #10
파일: models.py 프로젝트: takano32/airone
def _get_objid(permission):
    """Return the object id encoded in *permission*'s codename, or 0.

    0 is returned when the permission's name is not the name of any
    ACLType; otherwise the codename segment before the first "." is
    converted with int().
    """
    acl_type_names = [acl_type.name for acl_type in ACLType.all()]
    if permission.name not in acl_type_names:
        return 0

    # NOTE(review): the name match is the only guard before int(); a
    # permission with an ACL-type name but a non-numeric first codename
    # segment would raise ValueError here.
    object_id_text = permission.codename.split(".")[0]
    return int(object_id_text)
예제 #11
def set(request, recv_data):
    """Apply the ACL settings in *recv_data* to the object they name.

    recv_data keys read here: "object_type", "object_id",
    "default_permission", "acl" (a list of dicts with "role_id" and "value")
    and the optional "is_public". Returns a JsonResponse with a redirect URL
    on success, or an HttpResponse with status 400 when the change is refused.
    """
    acl_model = _get_acl_model(recv_data["object_type"])
    acl_obj = acl_model.objects.get(id=recv_data["object_id"])

    # Check 1: the user currently holds permission to change this ACL.
    # NOTE(review): the refusal is reported with status 400, not 403.
    if not request.user.has_permission(acl_obj, ACLType.Full):
        return HttpResponse(
            "User(%s) doesn't have permission to change this ACL" % request.user.username,
            status=400,
        )

    will_be_public = recv_data.get("is_public", False)
    new_default = int(recv_data["default_permission"])

    # NOTE(review): int() runs on every entry's "value" here, including the
    # entries the update loop below skips for a falsy value; a None value
    # would raise TypeError -- confirm upstream validation rules that out.
    # An unknown or inactive role_id yields "role": None in these settings.
    requested_settings = [
        {
            "role": Role.objects.filter(id=entry["role_id"], is_active=True).first(),
            "value": int(entry["value"]),
        }
        for entry in recv_data["acl"]
    ]

    # Check 2: the user would still hold that permission after the change
    # (a different question from check 1, which looks at the current state).
    if not request.user.is_permitted_to_change(
        target_obj=acl_obj,
        expected_permission=ACLType.Full,
        will_be_public=will_be_public,
        default_permission=new_default,
        acl_settings=requested_settings,
    ):
        return HttpResponse(
            "Inadmissible setting. By this change you will never change this ACL", status=400
        )

    # update the Public/Private flag parameter
    acl_obj.is_public = bool(will_be_public)
    acl_obj.default_permission = new_default
    acl_obj.save()

    entries_with_value = [entry for entry in recv_data["acl"] if entry["value"]]
    for entry in entries_with_value:
        # Unlike the check above, this lookup does not filter on is_active.
        role = Role.objects.get(id=entry["role_id"])
        matching_types = [t for t in ACLType.all() if t == int(entry["value"])]
        acl_type = matching_types[0]

        # update permissions for the target ACLBased object
        _set_permission(role, acl_obj, acl_type)

    # Send the browser back to the page the edited object belongs to.
    redirect_url = "/"
    if isinstance(acl_obj, Entity):
        redirect_url = "/entity/"
    elif isinstance(acl_obj, EntityAttr):
        redirect_url = "/entity/edit/%s" % acl_obj.parent_entity.id
    elif isinstance(acl_obj, Entry):
        redirect_url = "/entry/show/%s" % acl_obj.id
    elif isinstance(acl_obj, Attribute):
        redirect_url = "/entry/edit/%s" % acl_obj.parent_entry.id

    # For an Attribute the owning Entry is what gets re-registered, and from
    # here on acl_obj (including the name in the message) is that Entry.
    if isinstance(acl_obj, Attribute):
        acl_obj = acl_obj.parent_entry

    if isinstance(acl_obj, Entry):
        acl_obj.register_es()

    payload = {
        "redirect_url": redirect_url,
        "msg": 'Success to update ACL of "%s"' % acl_obj.name,
    }
    return JsonResponse(payload)
예제 #12
파일: models.py 프로젝트: syucream/airone
def _get_acltype(permission):
    """Return the ACL type id encoded in *permission*'s codename, or 0.

    0 is returned when the permission's name is not the name of any
    ACLType; otherwise the codename segment after the last '.' is
    converted with int().
    """
    acl_type_names = [acl_type.name for acl_type in ACLType.all()]
    if permission.name not in acl_type_names:
        return 0

    # NOTE(review): the name match is the only guard before int(); a
    # permission with an ACL-type name but a non-numeric last codename
    # segment would raise ValueError here.
    acl_type_text = permission.codename.split('.')[-1]
    return int(acl_type_text)
예제 #13
파일: views.py 프로젝트: takano32/airone
        "meta": [
            {
                "name":
                "role_id",
                "type":
                str,
                "checker":
                lambda x: Role.objects.filter(id=x["role_id"], is_active=True).
                exists(),
            },
            {
                "name":
                "value",
                "type": (str, type(None)),
                "checker":
                lambda x: [y for y in ACLType.all() if int(x["value"]) == y],
            },
        ],
    },
    {
        "name":
        "default_permission",
        "type":
        str,
        "checker":
        lambda x: any(
            [y == int(x["default_permission"]) for y in ACLType.all()]),
    },
])
def set(request, recv_data):
    acl_obj = getattr(_get_acl_model(recv_data["object_type"]),
예제 #14
        {"name": "object_type", "type": str, "checker": lambda x: x["object_type"]},
        {
            "name": "acl",
            "type": list,
            "meta": [
                {
                    "name": "role_id",
                    "type": str,
                    "checker": lambda x: Role.objects.filter(
                        id=x["role_id"], is_active=True
                    ).exists(),
                },
                {
                    "name": "value",
                    "type": (str, type(None)),
                    "checker": lambda x: [y for y in ACLType.all() if int(x["value"]) == y],
                },
            ],
        },
        {
            "name": "default_permission",
            "type": str,
            "checker": lambda x: any([y == int(x["default_permission"]) for y in ACLType.all()]),
        },
    ]
)
def set(request, recv_data):
    acl_obj = getattr(_get_acl_model(recv_data["object_type"]), "objects").get(
        id=recv_data["object_id"]
    )
예제 #15
 def validate_default_permission(self, default_permission: int):
     """Report whether *default_permission* is among ACLType.all()."""
     # NOTE(review): the result is a bool, not the value itself. If this is
     # a serializer field validator, as the name suggests, the framework
     # would presumably store that bool as the validated value and never
     # reject an unknown level -- confirm against the caller.
     is_known_type = default_permission in ACLType.all()
     return is_known_type
예제 #16
 def get_acltypes(self, obj: ACLBase) -> List[Dict[str, Any]]:
     """List every ACL type as a {"id", "name"} dict; *obj* is not consulted."""
     choices = []
     for acl_type in ACLType.all():
         # "name" carries the type's label, not its name attribute.
         choices.append({"id": acl_type.id, "name": acl_type.label})
     return choices
예제 #17
파일: views.py 프로젝트: nakacya/airone
                'name':
                'member_id',
                'type':
                str,
                'checker':
                lambda x: any([
                    k.objects.filter(id=x['member_id']).exists()
                    for k in [User, Group]
                ])
            },
            {
                'name':
                'value',
                'type': (str, type(None)),
                'checker':
                lambda x: [y for y in ACLType.all() if int(x['value']) == y]
            },
        ]
    },
    {
        'name':
        'default_permission',
        'type':
        str,
        'checker':
        lambda x: any(
            [y == int(x['default_permission']) for y in ACLType.all()])
    },
])
def set(request, recv_data):
    user = User.objects.get(id=request.user.id)
예제 #18
 def validate_default_permission(self, default_permission: int):
     """Return *default_permission* unchanged if it is among ACLType.all().

     Raises:
         ValidationError: the value matches no known ACL type.
     """
     # Allow-list check: only levels ACLType knows about are accepted.
     if default_permission in ACLType.all():
         return default_permission
     raise ValidationError("invalid default_permission parameter")