def get_roles_for_permission(permission) -> set:
    """Return every role whose permission set contains ``permission``.

    The value is validated with ``Permissions.has_value`` first; an unknown
    permission raises PermissionDoesNotExistError instead of silently
    yielding an empty set, so a typo in a caller cannot be mistaken for
    "no role grants this".
    """
    if not Permissions.has_value(permission):
        raise PermissionDoesNotExistError('Permission {} does not exist'.format(permission))
    role_table = get_roles_with_permissions()
    # A role qualifies when the requested permission appears in its permission collection.
    return {role for role in role_table if permission in role_table.get(role)}
def user_has_permission(user, obj, permission: Permissions) -> bool:
    """Object-level authorization: may ``user`` exercise ``permission`` on ``obj``?

    Resolution order: superuser, staff override, then one branch per object
    type that either consults the user's own membership role or delegates to
    the owning product / product type by recursing into this function.

    Raises NoAuthorizationImplementedError when no branch handles the
    (type(obj), permission) pair, so an unhandled combination fails loudly
    rather than silently granting or denying.
    """
    if user.is_superuser:
        return True
    # Global bypass: with the setting on, every staff account passes all of the
    # object-level checks below. Treat AUTHORIZATION_STAFF_OVERRIDE as
    # "staff are administrators"; it is not scoped per object.
    if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
        return True
    if isinstance(obj, Product_Type):
        # Only a direct membership on the product type can grant here.
        member = get_product_type_member(user, obj)
        if member is None:
            return False
        return role_has_permission(member.role, permission)
    # Only permissions valued at or above Product_View belong to a product;
    # a lower-valued (product-type-level) permission on a Product matches no
    # branch and reaches the error at the bottom.
    elif (isinstance(obj, Product) and permission.value >= Permissions.Product_View.value):
        # Products inherit permissions of their product type. The product
        # permission is passed to the product-type branch unchanged, so
        # product-type roles are presumed to carry product permissions —
        # confirm against the role definitions.
        if user_has_permission(user, obj.prod_type, permission):
            return True
        # Otherwise the user may hold a role on the product itself.
        member = get_product_member(user, obj)
        if member is None:
            return False
        return role_has_permission(member.role, permission)
    # Dependent objects carry no roles of their own: after confirming the
    # permission is one defined for that object type, authorization is
    # delegated to the owning product. The parent links (obj.engagement,
    # obj.test) are assumed to be set; a null link raises AttributeError.
    elif isinstance(obj, Engagement) and permission in Permissions.get_engagement_permissions():
        return user_has_permission(user, obj.product, permission)
    elif isinstance(obj, Test) and permission in Permissions.get_test_permissions():
        return user_has_permission(user, obj.engagement.product, permission)
    elif isinstance(obj, Finding) and permission in Permissions.get_finding_permissions():
        return user_has_permission(user, obj.test.engagement.product, permission)
    elif isinstance(obj, Endpoint) and permission in Permissions.get_endpoint_permissions():
        return user_has_permission(user, obj.product, permission)
    # NOTE(review): ``obj.user == user`` grants *every* permission in
    # get_product_type_member_permissions() on the caller's own membership row,
    # not only removal. If that set contains an edit permission, a member could
    # alter their own role — confirm the set's contents and consider limiting
    # the self-grant to the delete permission.
    elif isinstance(obj, Product_Type_Member) and permission in Permissions.get_product_type_member_permissions():
        return obj.user == user or user_has_permission(user, obj.product_type, Permissions.Product_Type_Manage_Members)
    # Same self-grant caveat as for Product_Type_Member above.
    elif isinstance(obj, Product_Member) and permission in Permissions.get_product_member_permissions():
        return obj.user == user or user_has_permission(user, obj.product, Permissions.Product_Manage_Members)
    else:
        raise NoAuthorizationImplementedError(
            'No authorization implemented for class {} and permission {}'.format(type(obj).__name__, permission))
def user_has_permission(user, obj, permission: Permissions) -> bool:
    """Object-level authorization: may ``user`` exercise ``permission`` on ``obj``?

    Superusers pass unconditionally. Otherwise one branch per object type
    either looks up the user's own membership role (product type, product)
    or delegates to the owning product / product type by recursion.

    Raises NoAuthorizationImplementedError when no branch handles the
    (type(obj), permission) pair, so an unhandled combination fails loudly
    rather than silently granting or denying.
    """
    if user.is_superuser:
        return True
    if isinstance(obj, Product_Type):
        # Only DoesNotExist is treated as "no membership". The lookup assumes
        # (user, product_type) is unique; a duplicate row would raise
        # MultipleObjectsReturned, which is not caught here.
        try:
            member = Product_Type_Member.objects.get(user=user, product_type=obj)
        except Product_Type_Member.DoesNotExist:
            return False
        return role_has_permission(member.role, permission)
    # Only permissions valued at or above Product_View belong to a product;
    # a lower-valued (product-type-level) permission on a Product matches no
    # branch and reaches the error at the bottom.
    elif (isinstance(obj, Product) and permission.value >= Permissions.Product_View.value):
        # Products inherit permissions of their product type. The product
        # permission is passed to the product-type branch unchanged, so
        # product-type roles are presumed to carry product permissions —
        # confirm against the role definitions.
        if user_has_permission(user, obj.prod_type, permission):
            return True
        # Otherwise the user may hold a role on the product itself (same
        # uniqueness assumption as above).
        try:
            member = Product_Member.objects.get(user=user, product=obj)
        except Product_Member.DoesNotExist:
            return False
        return role_has_permission(member.role, permission)
    # Dependent objects carry no roles of their own: after confirming the
    # permission is one defined for that object type, authorization is
    # delegated to the owning product. The parent links (obj.engagement,
    # obj.test) are assumed to be set; a null link raises AttributeError.
    elif isinstance(obj, Engagement) and permission in Permissions.get_engagement_permissions():
        return user_has_permission(user, obj.product, permission)
    elif isinstance(obj, Test) and permission in Permissions.get_test_permissions():
        return user_has_permission(user, obj.engagement.product, permission)
    elif isinstance(obj, Finding) and permission in Permissions.get_finding_permissions():
        return user_has_permission(user, obj.test.engagement.product, permission)
    elif isinstance(obj, Endpoint) and permission in Permissions.get_endpoint_permissions():
        return user_has_permission(user, obj.product, permission)
    # NOTE(review): ``obj.user == user`` grants *every* permission in
    # get_product_type_member_permissions() on the caller's own membership row,
    # not only removal. If that set contains an edit permission, a member could
    # alter their own role — confirm the set's contents and consider limiting
    # the self-grant to the delete permission.
    elif isinstance(obj, Product_Type_Member) and permission in Permissions.get_product_type_member_permissions():
        return obj.user == user or user_has_permission(user, obj.product_type, Permissions.Product_Type_Manage_Members)
    # Same self-grant caveat as for Product_Type_Member above.
    elif isinstance(obj, Product_Member) and permission in Permissions.get_product_member_permissions():
        return obj.user == user or user_has_permission(user, obj.product, Permissions.Product_Manage_Members)
    else:
        raise NoAuthorizationImplementedError(
            'No authorization implemented for class {} and permission {}'.format(type(obj).__name__, permission))
def user_has_permission(user, obj, permission: Permissions) -> bool:
    """Object-level authorization: may ``user`` exercise ``permission`` on ``obj``?

    Resolution order: superuser, staff override, global role (product types
    and products only), then one branch per object type. Product types and
    products are resolved from the user's own membership role or from a role
    held through one of the user's groups; every other object type delegates
    to its owning product, product type or group by recursion.

    Raises NoAuthorizationImplementedError when no branch handles the
    (type(obj), permission) pair, so an unhandled combination fails loudly
    rather than silently granting or denying.
    """
    if user.is_superuser:
        return True
    # Global bypass: with the setting on, every staff account passes all of the
    # object-level checks below. Treat AUTHORIZATION_STAFF_OVERRIDE as
    # "staff are administrators"; it is not scoped per object.
    if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
        return True
    if isinstance(obj, Product_Type) or isinstance(obj, Product):
        # Global roles are only relevant for product types, products and their
        # dependent objects; dependents reach this check through the recursive
        # delegation below. Groups and membership rows never consult it.
        if user_has_global_permission(user, permission):
            return True
    if isinstance(obj, Product_Type):
        # Direct membership role on the product type.
        member = get_product_type_member(user, obj)
        if member is not None and role_has_permission(member.role.id, permission):
            return True
        # Role on the product type held through any of the user's groups.
        for product_type_group in get_product_type_groups(user, obj):
            if role_has_permission(product_type_group.role.id, permission):
                return True
        return False
    # Only permissions valued at or above Product_View belong to a product;
    # a lower-valued (product-type-level) permission on a Product matches no
    # branch and reaches the error at the bottom.
    elif (isinstance(obj, Product) and permission.value >= Permissions.Product_View.value):
        # Products inherit permissions of their product type. The product
        # permission is passed to the product-type branch unchanged, so
        # product-type roles are presumed to carry product permissions —
        # confirm against the role definitions.
        if user_has_permission(user, obj.prod_type, permission):
            return True
        # Direct membership role on the product.
        member = get_product_member(user, obj)
        if member is not None and role_has_permission(member.role.id, permission):
            return True
        # Role on the product held through any of the user's groups.
        for product_group in get_product_groups(user, obj):
            if role_has_permission(product_group.role.id, permission):
                return True
        return False
    # Dependent objects carry no roles of their own: after confirming the
    # permission is one defined for that object type, authorization is
    # delegated to the owning product. The parent links (obj.engagement,
    # obj.test) are assumed to be set; a null link raises AttributeError.
    elif isinstance(obj, Engagement) and permission in Permissions.get_engagement_permissions():
        return user_has_permission(user, obj.product, permission)
    elif isinstance(obj, Test) and permission in Permissions.get_test_permissions():
        return user_has_permission(user, obj.engagement.product, permission)
    # Stub findings share the finding permission set and the same parent path.
    elif (isinstance(obj, Finding) or isinstance(obj, Stub_Finding)) and permission in Permissions.get_finding_permissions():
        return user_has_permission(user, obj.test.engagement.product, permission)
    elif isinstance(obj, Finding_Group) and permission in Permissions.get_finding_group_permissions():
        return user_has_permission(user, obj.test.engagement.product, permission)
    elif isinstance(obj, Endpoint) and permission in Permissions.get_endpoint_permissions():
        return user_has_permission(user, obj.product, permission)
    elif isinstance(obj, Languages) and permission in Permissions.get_language_permissions():
        return user_has_permission(user, obj.product, permission)
    elif isinstance(obj, App_Analysis) and permission in Permissions.get_technology_permissions():
        return user_has_permission(user, obj.product, permission)
    elif isinstance(obj, Product_API_Scan_Configuration) and permission in Permissions.get_product_api_scan_configuration_permissions():
        return user_has_permission(user, obj.product, permission)
    # Membership rows: the only self-grant is removing one's own membership;
    # every other member permission (e.g. changing a role) must be held on the
    # parent product type / product / group.
    elif isinstance(obj, Product_Type_Member) and permission in Permissions.get_product_type_member_permissions():
        if permission == Permissions.Product_Type_Member_Delete:
            # Every member is allowed to remove himself
            return obj.user == user or user_has_permission(user, obj.product_type, permission)
        else:
            return user_has_permission(user, obj.product_type, permission)
    elif isinstance(obj, Product_Member) and permission in Permissions.get_product_member_permissions():
        if permission == Permissions.Product_Member_Delete:
            # Every member is allowed to remove himself
            return obj.user == user or user_has_permission(user, obj.product, permission)
        else:
            return user_has_permission(user, obj.product, permission)
    # Group-to-product(-type) assignments are governed by the parent object.
    elif isinstance(obj, Product_Type_Group) and permission in Permissions.get_product_type_group_permissions():
        return user_has_permission(user, obj.product_type, permission)
    elif isinstance(obj, Product_Group) and permission in Permissions.get_product_group_permissions():
        return user_has_permission(user, obj.product, permission)
    elif isinstance(obj, Dojo_Group) and permission in Permissions.get_group_permissions():
        # Group permissions come solely from the user's role in that group;
        # the global-role check above is not applied to groups.
        group_member = get_group_member(user, obj)
        return group_member is not None and role_has_permission(group_member.role.id, permission)
    elif isinstance(obj, Dojo_Group_Member) and permission in Permissions.get_group_member_permissions():
        if permission == Permissions.Group_Member_Delete:
            # Every user is allowed to remove himself
            return obj.user == user or user_has_permission(user, obj.group, permission)
        else:
            return user_has_permission(user, obj.group, permission)
    else:
        raise NoAuthorizationImplementedError(
            'No authorization implemented for class {} and permission {}'.format(type(obj).__name__, permission))
def user_has_permission(user, obj, permission: Permissions) -> bool:
    """Object-level authorization: may ``user`` exercise ``permission`` on ``obj``?

    Resolution order: superuser, staff override, global role (on the user or
    on any of the user's groups), then one branch per object type. Product
    types and products are resolved from the user's own membership role or
    from a role held through a group; every other object type delegates to
    its owning product, product type or group by recursion.

    Raises NoAuthorizationImplementedError when no branch handles the
    (type(obj), permission) pair and no global role already granted it.
    """
    if user.is_superuser:
        return True
    # Global bypass: with the setting on, every staff account passes all of the
    # object-level checks below. Treat AUTHORIZATION_STAFF_OVERRIDE as
    # "staff are administrators"; it is not scoped per object.
    if user.is_staff and settings.AUTHORIZATION_STAFF_OVERRIDE:
        return True
    # Global roles are evaluated before the object-type dispatch, so a matching
    # global role grants ``permission`` on every object type handled below —
    # groups and membership rows included — and also on a type for which no
    # branch exists (the error at the bottom is then never reached). Assign
    # global roles with that scope in mind.
    # hasattr() absorbs the case where no global_role row exists — presumably
    # Django's RelatedObjectDoesNotExist, an AttributeError subclass; confirm.
    if hasattr(user, 'global_role') and user.global_role.role is not None and role_has_permission(user.global_role.role.id, permission):
        return True
    for group in get_groups(user):
        if hasattr(group, 'global_role') and group.global_role.role is not None and role_has_permission(group.global_role.role.id, permission):
            return True
    if isinstance(obj, Product_Type):
        # Direct membership role on the product type.
        member = get_product_type_member(user, obj)
        if member is not None and role_has_permission(member.role.id, permission):
            return True
        # Role on the product type held through any of the user's groups.
        for product_type_group in get_product_type_groups(user, obj):
            if role_has_permission(product_type_group.role.id, permission):
                return True
        return False
    # Only permissions valued at or above Product_View belong to a product;
    # a lower-valued (product-type-level) permission on a Product matches no
    # branch and reaches the error at the bottom.
    elif (isinstance(obj, Product) and permission.value >= Permissions.Product_View.value):
        # Products inherit permissions of their product type. The product
        # permission is passed to the product-type branch unchanged, so
        # product-type roles are presumed to carry product permissions —
        # confirm against the role definitions.
        if user_has_permission(user, obj.prod_type, permission):
            return True
        # Direct membership role on the product.
        member = get_product_member(user, obj)
        if member is not None and role_has_permission(member.role.id, permission):
            return True
        # Role on the product held through any of the user's groups.
        for product_group in get_product_groups(user, obj):
            if role_has_permission(product_group.role.id, permission):
                return True
        return False
    # Dependent objects carry no roles of their own: after confirming the
    # permission is one defined for that object type, authorization is
    # delegated to the owning product. The parent links (obj.engagement,
    # obj.test) are assumed to be set; a null link raises AttributeError.
    elif isinstance(obj, Engagement) and permission in Permissions.get_engagement_permissions():
        return user_has_permission(user, obj.product, permission)
    elif isinstance(obj, Test) and permission in Permissions.get_test_permissions():
        return user_has_permission(user, obj.engagement.product, permission)
    elif isinstance(obj, Finding) and permission in Permissions.get_finding_permissions():
        return user_has_permission(user, obj.test.engagement.product, permission)
    elif isinstance(obj, Finding_Group) and permission in Permissions.get_finding_group_permissions():
        return user_has_permission(user, obj.test.engagement.product, permission)
    elif isinstance(obj, Endpoint) and permission in Permissions.get_endpoint_permissions():
        return user_has_permission(user, obj.product, permission)
    # Membership rows: the only self-grant is removing one's own membership;
    # every other member permission (e.g. changing a role) must be held on the
    # parent product type / product / group.
    elif isinstance(obj, Product_Type_Member) and permission in Permissions.get_product_type_member_permissions():
        if permission == Permissions.Product_Type_Member_Delete:
            # Every member is allowed to remove himself
            return obj.user == user or user_has_permission(user, obj.product_type, permission)
        else:
            return user_has_permission(user, obj.product_type, permission)
    elif isinstance(obj, Product_Member) and permission in Permissions.get_product_member_permissions():
        if permission == Permissions.Product_Member_Delete:
            # Every member is allowed to remove himself
            return obj.user == user or user_has_permission(user, obj.product, permission)
        else:
            return user_has_permission(user, obj.product, permission)
    # Group-to-product(-type) assignments are governed by the parent object.
    elif isinstance(obj, Product_Type_Group) and permission in Permissions.get_product_type_group_permissions():
        return user_has_permission(user, obj.product_type, permission)
    elif isinstance(obj, Product_Group) and permission in Permissions.get_product_group_permissions():
        return user_has_permission(user, obj.product, permission)
    elif isinstance(obj, Dojo_Group) and permission in Permissions.get_group_permissions():
        # Group permissions come from the user's role in that group (or from a
        # global role, which already returned above).
        group_member = get_group_member(user, obj)
        return group_member is not None and role_has_permission(group_member.role.id, permission)
    elif isinstance(obj, Dojo_Group_Member) and permission in Permissions.get_group_member_permissions():
        if permission == Permissions.Group_Member_Delete:
            # Every user is allowed to remove himself
            return obj.user == user or user_has_permission(user, obj.group, permission)
        else:
            return user_has_permission(user, obj.group, permission)
    else:
        raise NoAuthorizationImplementedError(
            'No authorization implemented for class {} and permission {}'.format(type(obj).__name__, permission))