예제 #1
0
def get_slider_agents(scontext)  : 
    return [
            ('anonymous_group', get_anonymous_group().get_ref()),
            ('all_members_group', get_all_members_group().get_ref()), 
            ('context_agent', scontext.context_agent), 
            ('creator', get_creator_agent()),
            ('context_admin', scontext.context_admin)
           ]
예제 #2
0
def has_access(agent, resource, interface):
    """Does the agent have access to this interface in this resource. All the special casing below will make it hard to refactor this method and for instance make it work for a whole lot of objects
    """

    # make sure we've stripped resource from any SecureWrappers
    if resource.__class__.__name__ == "SecureWrapper":
        resource = resource.get_inner()

    # make sure we've stripped agent from any SecureWrappers
    if agent.__class__.__name__ == "SecureWrapper":
        agent = agent.get_inner()

    # we're always interested in the security_context of this resource

    context = resource.get_security_context()

    # which agents have access?

    if not SecurityTag.objects.filter(interface=interface, security_context=context):
        # lets create it if it is in defaults for the type -- this allows adding new interfaces to the type at runtime
        typ = resource.__class__
        interface_name = interface.split(".")[1]
        if interface_name in get_interface_map(typ.__name__):

            agent_defaults = AgentDefaults[context.context_agent.obj.__class__][
                context.context_agent.permission_prototype
            ]
            slider_agents = SliderAgents[context.context_agent.obj.__class__](context)
            sad = dict(slider_agents)
            context.setup_tag_from_defaults(interface, sad, agent_defaults)

    allowed_agents = SecurityTag.objects.get(interface=interface, security_context=context).agents

    # probably should memcache both allowed agents (per .View interface) and
    # agents held per user to allow many queries very quickly.
    allowed_agents = set([a.obj for a in allowed_agents.all()])

    if get_anonymous_group() in allowed_agents:
        # in other words, if this resource is matched with anyone, we don't have to test
        # that user is in the "anyone" group
        return True

    if get_creator_agent().obj in allowed_agents:
        actual_creator = resource.get_ref().creator
        if agent == actual_creator:
            return True

    if agent.__class__ == AnonymousUser:
        # we clearly shouldn't be seeing this - sure but is this a security issue - t.s.
        return False

    agents_held = agent.get_enclosure_set()
    if allowed_agents.intersection(agents_held):
        return True

    print "has_access fails for %s, %s, %s, %s" % (interface, resource, context.context_agent.obj, agent)
    return False
예제 #3
0
def has_access(agent, resource, interface, sec_context=None, diagnose=None) :
    """Does the agent have access to this interface in this resource. All the special casing below will make it hard to refactor this method and for instance make it work for a whole lot of objects
    """

    # if diagnose mode we want to try to find why we failed to get the interface we want
    if diagnose :
        diagnostics = {}

    # make sure we've stripped agent from any SecureWrappers
    if agent.__class__.__name__ == "SecureWrapper":
        agent = agent.get_inner()
 

    if not sec_context:
        # make sure we've stripped resource from any SecureWrappers
        if resource.__class__.__name__ == "SecureWrapper":
            resource = resource.get_inner()
        context = resource.get_security_context()
    else:
        context = sec_context

    if not SecurityTag.objects.filter(interface=interface, security_context=context):
        #lets create it if it is in defaults for the type -- this allows adding new interfaces to the type at runtime
        typ = resource.__class__
        interface_name = interface.split('.')[1]
        if interface_name in get_interface_map(typ.__name__):
            agent_defaults = AgentDefaults[context.context_agent.obj.__class__][context.context_agent.permission_prototype]
            slider_agents = SliderAgents[context.context_agent.obj.__class__](context)
            sad = dict(slider_agents)
            context.setup_tag_from_defaults(interface, sad, agent_defaults)


    # which agents have access?
    allowed_agents = SecurityTag.objects.get(interface=interface,
                                             security_context=context).agents
    

    # probably should redis both allowed agents (per .View interface) and 
    # agents held per user to allow many queries very quickly. 
    allowed_agents = set([a.obj for a in allowed_agents.all()])

    # diagnostic
    if diagnose :
        diagnostics['allowed_agents'] = allowed_agents
    
    if agent in allowed_agents : # agent must hold itself. agent.get_enclosures no longer includes agent
        return True

    if get_anonymous_group() in allowed_agents: 
        # in other words, if this resource is matched with anyone, we don't have to test 
        #that user is in the "anyone" group
        return True

    if resource:
        if get_creator_agent().obj in allowed_agents:
            actual_creator = resource.get_ref().creator
            if agent == actual_creator:
                return True

    agents_held = agent.get_enclosure_set()
    
    if diagnose :
        diagnostics['agents_held'] = agents_held

    if allowed_agents.intersection(agents_held):
        return True


    if diagnose :
        print
        print 'Interface ', interface
        print "Allowed Agents for ", resource
        for a in diagnostics['allowed_agents'] :
            print a
        print "Agents Held by ", agent
        for a in diagnostics['agents_held'] :
            print "%s,"%a,

        print
        for a in diagnostics['allowed_agents'] :
            if not a in diagnostics['agents_held'] :
                print a, " not in agents_held"


    return False
예제 #4
0
def has_access(agent, resource, interface, sec_context=None, diagnose=None):
    """Does the agent have access to this interface in this resource. All the special casing below will make it hard to refactor this method and for instance make it work for a whole lot of objects
    """

    # if diagnose mode we want to try to find why we failed to get the interface we want
    if diagnose:
        diagnostics = {}

    # make sure we've stripped agent from any SecureWrappers
    if agent.__class__.__name__ == "SecureWrapper":
        agent = agent.get_inner()

    if not sec_context:
        # make sure we've stripped resource from any SecureWrappers
        if resource.__class__.__name__ == "SecureWrapper":
            resource = resource.get_inner()
        context = resource.get_security_context()
    else:
        context = sec_context

    if not SecurityTag.objects.filter(interface=interface,
                                      security_context=context):
        #lets create it if it is in defaults for the type -- this allows adding new interfaces to the type at runtime
        typ = resource.__class__
        interface_name = interface.split('.')[1]
        if interface_name in get_interface_map(typ.__name__):
            agent_defaults = AgentDefaults[
                context.context_agent.obj.__class__][
                    context.context_agent.permission_prototype]
            slider_agents = SliderAgents[context.context_agent.obj.__class__](
                context)
            sad = dict(slider_agents)
            context.setup_tag_from_defaults(interface, sad, agent_defaults)

    # which agents have access?
    allowed_agents = SecurityTag.objects.get(interface=interface,
                                             security_context=context).agents

    # probably should redis both allowed agents (per .View interface) and
    # agents held per user to allow many queries very quickly.
    allowed_agents = set([a.obj for a in allowed_agents.all()])

    # diagnostic
    if diagnose:
        diagnostics['allowed_agents'] = allowed_agents

    if agent in allowed_agents:  # agent must hold itself. agent.get_enclosures no longer includes agent
        return True

    if get_anonymous_group() in allowed_agents:
        # in other words, if this resource is matched with anyone, we don't have to test
        #that user is in the "anyone" group
        return True

    if resource:
        if get_creator_agent().obj in allowed_agents:
            actual_creator = resource.get_ref().creator
            if agent == actual_creator:
                return True

    agents_held = agent.get_enclosure_set()

    if diagnose:
        diagnostics['agents_held'] = agents_held

    if allowed_agents.intersection(agents_held):
        return True

    if diagnose:
        print
        print 'Interface ', interface
        print "Allowed Agents for ", resource
        for a in diagnostics['allowed_agents']:
            print a
        print "Agents Held by ", agent
        for a in diagnostics['agents_held']:
            print "%s," % a,

        print
        for a in diagnostics['allowed_agents']:
            if not a in diagnostics['agents_held']:
                print a, " not in agents_held"

    return False
예제 #5
0
def get_slider_agents(scontext):
    return [('anonymous_group', get_anonymous_group().get_ref()),
            ('all_members_group', get_all_members_group().get_ref()),
            ('context_agent', scontext.context_agent),
            ('creator', get_creator_agent()),
            ('context_admin', scontext.context_admin)]