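def check_project_id(subfilter):
    """Reject a simple filter clause that targets another project.

    ``subfilter`` is a one-entry mapping of ``{operator: operand}``.  When the
    operator is not listed in ``self.complex_operators``, the operand is itself
    a mapping and its first key is compared with ``visibility_field``.

    ``self``, ``visibility_field``, ``own_project_id`` and ``base`` are taken
    from the enclosing scope, which is not part of this listing.

    Raises:
        base.ProjectNotAuthorized: the clause names the visibility field with
            a value other than ``own_project_id``.
    """
    # dict.keys() returns a non-indexable view on Python 3, so materialise it
    # before taking the first element (this also still works on Python 2).
    op = list(subfilter.keys())[0]

    # Operators in complex_operators are skipped before the operand is
    # touched; their operand is never treated as a mapping here.
    if op.lower() in self.complex_operators:
        return

    operand = subfilter[op]
    # NOTE(review): only the first key of the operand is inspected, and the
    # comparison does not depend on which simple operator is used -- confirm
    # the query layer separately scopes results to the caller's project.
    if (list(operand.keys())[0] == visibility_field
            and operand[visibility_field] != own_project_id):
        raise base.ProjectNotAuthorized(operand[visibility_field])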
def wrapped(*args, **kwargs):
    """Run ``func`` unless the request is limited to a user and project.

    The limits come from ``rbac.get_limited_to`` applied to the current
    request headers.  When both are set the request is aborted with the
    status code and message of ``base.ProjectNotAuthorized``.

    ``func`` is taken from the enclosing scope, which is not part of this
    listing.
    """
    user_scope, project_scope = rbac.get_limited_to(pecan.request.headers)

    # If both user and project limits are None, the caller has full access.
    # NOTE(review): the guard fires only when BOTH limits are truthy.  If
    # get_limited_to can ever return just one of them, the call below would
    # still go through -- confirm it always returns both or neither.
    if user_scope and project_scope:
        # This decorator is invoked outside the wsme context, where a raised
        # exception would surface as an internal error; abort() is used so
        # the error is handled properly.
        denial = base.ProjectNotAuthorized(project_scope)
        pecan.core.abort(status_code=denial.code, detail=denial.msg)

    return func(*args, **kwargs)
def _verify_query_segregation(query, auth_project=None):
    """Ensure non-admin queries are not constrained to another project.

    Args:
        query: iterable of terms exposing ``field`` and ``value`` attributes.
        auth_project: project the caller is limited to.  When falsy it is
            looked up from the current request headers via
            ``rbac.get_limited_to_project``.

    Raises:
        base.ProjectNotAuthorized: a ``project`` / ``project_id`` term carries
            a value different from the caller's project.
    """
    if not auth_project:
        auth_project = rbac.get_limited_to_project(pecan.request.headers)

    # No project limit resolved: nothing is checked for this caller.
    if not auth_project:
        return

    # NOTE(review): only the term's field and value are examined here, not
    # its comparison operator -- confirm the operator is constrained wherever
    # the query is turned into backend arguments.
    for term in query:
        if term.field not in ('project', 'project_id'):
            continue
        if auth_project != term.value:
            raise base.ProjectNotAuthorized(term.value)
def _set_ownership(aspect, owner_limitation, header):
    """Resolve and store the ``<aspect>_id`` owner attribute on ``data``.

    Args:
        aspect: attribute prefix; the attribute written is ``'%s_id' % aspect``.
        owner_limitation: owner the caller is restricted to, or a falsy value
            when unrestricted.
        header: name of the request header holding the caller's own id.

    Raises:
        base.ProjectNotAuthorized: a restricted caller explicitly requested an
            owner that differs from the id in ``header``.

    ``data`` is taken from the enclosing scope, which is not part of this
    listing.
    """
    field_name = '%s_id' % aspect
    requested = getattr(data, field_name)
    was_given = requested != wtypes.Unset
    header_value = pecan.request.headers.get(header)

    # NOTE(review): the requested owner is compared with the header value,
    # not with owner_limitation -- presumably both derive from the same
    # request headers; confirm against the caller.
    if owner_limitation and was_given and requested != header_value:
        raise base.ProjectNotAuthorized(requested, aspect)

    # The original one-line expression parses as
    # ``(owner_limitation or requested) if explicit else caller``:
    # an unset owner always falls back to the header value.
    if was_given:
        resolved = owner_limitation or requested
    else:
        resolved = header_value
    setattr(data, field_name, resolved)
def check_project_id(subfilter):
    """Reject a simple filter clause that targets another project.

    ``subfilter`` is a one-entry mapping of ``{operator: operand}``.  For an
    operator not listed in ``self.complex_operators`` the operand is a mapping
    whose first key is compared with ``visibility_field``.

    ``self``, ``visibility_field``, ``own_project_id`` and ``base`` are taken
    from the enclosing scope, which is not part of this listing.

    Raises:
        base.ProjectNotAuthorized: the clause names the visibility field with
            a value other than ``own_project_id``.
    """
    first_entry = list(subfilter.items())[0]
    operator, operand = first_entry

    # Operators in complex_operators are skipped before the operand is
    # treated as a mapping.
    if operator.lower() in self.complex_operators:
        return

    # NOTE(review): only the first key of the operand is inspected, and the
    # comparison does not depend on which simple operator is used -- confirm
    # the query layer separately scopes results to the caller's project.
    if list(operand.keys())[0] != visibility_field:
        return

    if operand[visibility_field] != own_project_id:
        raise base.ProjectNotAuthorized(operand[visibility_field])