def has_permission(self, request, view):
    """View-level IAM gate for the "list" and "create" actions.

    * "list": ``project_id`` must be in the query string (otherwise the
      request is refused with ``False``) and the caller is checked for
      PROJECT_VIEW_ACTION on that project.
    * "create": when ``project_id`` is in the body the caller is checked for
      PROJECT_EDIT_ACTION on it; when it is absent the request is let
      through so that the serializer can reject it.
    * any other action is allowed at this level.

    allow_or_raise_auth_failed presumably raises on denial (its body is not
    visible here); when it returns normally this method returns True.
    """
    action_name = view.action
    if action_name not in ("list", "create"):
        return True

    if action_name == "list":
        payload = request.query_params
        allowed_when_missing = False
        required_action = IAMMeta.PROJECT_VIEW_ACTION
    else:
        payload = request.data
        # let the serializer handle a missing project_id
        allowed_when_missing = True
        required_action = IAMMeta.PROJECT_EDIT_ACTION

    if "project_id" not in payload:
        return allowed_when_missing

    project_resources = res_factory.resources_for_project(payload["project_id"])
    allow_or_raise_auth_failed(
        iam=iam,
        system=IAMMeta.SYSTEM_ID,
        subject=Subject("user", request.user.username),
        action=Action(required_action),
        resources=project_resources,
    )
    return True
def has_object_permission(self, request, view, obj):
    """Object-level IAM gate: check PROJECT_EDIT_ACTION on the object's project.

    The project is read from the stored object (``obj.project_id``), so the
    decision does not depend on any identifier supplied in the request.
    The same edit action is checked whatever ``view.action`` is.
    Returns True once allow_or_raise_auth_failed returns normally.
    """
    owning_project = res_factory.resources_for_project(obj.project_id)
    requester = Subject("user", request.user.username)
    edit_action = Action(IAMMeta.PROJECT_EDIT_ACTION)
    allow_or_raise_auth_failed(
        iam=iam,
        system=IAMMeta.SYSTEM_ID,
        subject=requester,
        action=edit_action,
        resources=owning_project,
    )
    return True
def destroy(self, request, *args, **kwargs):
    """Soft-delete the addressed object and return its serialized form.

    iam_auth_check is called for PROJECT_EDIT_ACTION on the project recorded
    on the stored object before anything is modified. The row is not
    removed: ``is_deleted`` is set to True and the object is saved.
    """
    target = self.get_object()
    # Authorize against the project stored on the object, then mutate.
    owning_project = res_factory.resources_for_project(target.project_id)
    self.iam_auth_check(
        request,
        action=IAMMeta.PROJECT_EDIT_ACTION,
        resources=owning_project,
    )
    target.is_deleted = True
    target.save()
    return Response(self.serializer_class(instance=target).data)
def list(self, request, *args, **kwargs):
    """Return the serialized objects that belong to one project.

    The query parameters are validated with ListSerializer (invalid input
    raises), iam_auth_check is called for PROJECT_VIEW_ACTION on the
    validated ``project_id``, and the queryset is filtered by that same
    ``project_id`` so the response covers only the project that was checked.
    """
    query = ListSerializer(data=self.request.query_params)
    query.is_valid(raise_exception=True)
    project_id = query.validated_data["project_id"]

    self.iam_auth_check(
        request,
        action=IAMMeta.PROJECT_VIEW_ACTION,
        resources=res_factory.resources_for_project(project_id),
    )

    scoped_queryset = self.get_queryset().filter(project_id=project_id)
    output = self.get_serializer(scoped_queryset, many=True)
    return Response(output.data)
def has_permission(self, request, view):
    """View-level IAM gate; only the "list" action is checked here.

    For "list" the query string must carry ``project_id`` (otherwise the
    request is refused with ``False``); iam_auth_check is then called with
    the IAM action mapped to "list" in ``self.actions``. Every other action
    is allowed at this level.
    """
    if view.action != "list":
        return True

    query = request.query_params
    if "project_id" not in query:
        return False

    self.iam_auth_check(
        request,
        action=self.actions[view.action],
        resources=res_factory.resources_for_project(query["project_id"]),
    )
    return True
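def create(self, request, *args, **kwargs):
    """Create a StaffGroupSet after authorizing the caller on its project.

    The request data is validated, iam_auth_check is called for
    PROJECT_EDIT_ACTION on the target project, and only then is the row
    written. Returns the serialized new object.
    """
    validated_data = self.get_serializer_data(request)

    # Authorize BEFORE writing. Checking after objects.create() would leave
    # the row persisted for a caller who is then denied, unless an enclosing
    # transaction happened to roll it back.
    # NOTE(review): assumes validated_data carries "project_id" (the value
    # the created row would get) - confirm against the serializer.
    self.iam_auth_check(
        request,
        action=IAMMeta.PROJECT_EDIT_ACTION,
        resources=res_factory.resources_for_project(
            validated_data.get("project_id")),
    )

    staff_group_obj = StaffGroupSet.objects.create(**validated_data)
    serializer = self.serializer_class(instance=staff_group_obj)
    return Response(serializer.data)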
def list(self, request, *args, **kwargs):
    """List labels after checking PROJECT_VIEW_ACTION on ``project_id``.

    ``project_id`` comes from the query string; a missing or empty value
    raises ValidationException. The listing itself is delegated to the
    parent class.
    """
    project_id = request.query_params.get("project_id")
    if not project_id:
        raise ValidationException("project_id should be provided.")

    project_resources = res_factory.resources_for_project(project_id)
    allow_or_raise_auth_failed(
        iam=iam,
        system=IAMMeta.SYSTEM_ID,
        subject=Subject("user", request.user.username),
        action=Action(IAMMeta.PROJECT_VIEW_ACTION),
        resources=project_resources,
    )
    # NOTE(review): project_id is not passed on to the parent list(); confirm
    # that the queryset or a filter backend restricts the result to the
    # project that was just authorized.
    return super(NewLabelViewSet, self).list(request, *args, **kwargs)
def update(self, request, *args, **kwargs):
    """Update a non-default label after an IAM edit check on its project.

    Default labels are rejected with ValidationException. The project used
    for the PROJECT_EDIT_ACTION check is the one stored on the label, not a
    value taken from the request. The update itself is delegated to the
    parent class.
    """
    target_label = self.get_object()
    if target_label.is_default:
        raise ValidationException("default label cannot be updated.")

    owning_project = res_factory.resources_for_project(target_label.project_id)
    allow_or_raise_auth_failed(
        iam=iam,
        system=IAMMeta.SYSTEM_ID,
        subject=Subject("user", request.user.username),
        action=Action(IAMMeta.PROJECT_EDIT_ACTION),
        resources=owning_project,
    )
    # NOTE(review): only the label's current project is authorized here. If
    # the serializer lets the body change project_id, the destination
    # project is not checked - confirm.
    return super(NewLabelViewSet, self).update(request, *args, **kwargs)
def has_permission(self, request, view):
    """View-level IAM gate for a view addressed by project primary key.

    The project id is the ``pk`` URL kwarg. "retrieve" requires
    PROJECT_VIEW_ACTION; every other action requires PROJECT_EDIT_ACTION.
    Returns True once allow_or_raise_auth_failed returns normally.
    """
    # NOTE(review): indexing kwargs["pk"] presumes every routed action of
    # this view carries a pk - confirm no collection-level action uses it.
    project_id = view.kwargs["pk"]

    if view.action == "retrieve":
        required_action = IAMMeta.PROJECT_VIEW_ACTION
    else:
        # Unknown or unlisted actions fall on the stricter edit action.
        required_action = IAMMeta.PROJECT_EDIT_ACTION

    allow_or_raise_auth_failed(
        iam=iam,
        system=IAMMeta.SYSTEM_ID,
        subject=Subject("user", request.user.username),
        action=Action(required_action),
        resources=res_factory.resources_for_project(project_id),
    )
    return True
def destroy(self, request, *args, **kwargs):
    """Delete a non-default label after an IAM edit check on its project.

    Default labels are rejected with ValidationException. The
    PROJECT_EDIT_ACTION check uses the project stored on the label and runs
    before perform_destroy. Responds with a fixed success payload.
    """
    target_label = self.get_object()
    if target_label.is_default:
        raise ValidationException("default label cannot be deleted.")

    owning_project = res_factory.resources_for_project(target_label.project_id)
    allow_or_raise_auth_failed(
        iam=iam,
        system=IAMMeta.SYSTEM_ID,
        subject=Subject("user", request.user.username),
        action=Action(IAMMeta.PROJECT_EDIT_ACTION),
        resources=owning_project,
    )

    self.perform_destroy(target_label)
    return Response({"result": True, "message": "success"})
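def update(self, request, *args, **kwargs):
    """Update ``name`` and ``members`` of the addressed object.

    iam_auth_check is called for PROJECT_EDIT_ACTION on the project recorded
    on the stored object, before any field is changed. Returns the
    serialized updated object.
    """
    validated_data = self.get_serializer_data(request)
    instance = self.get_object()

    # Authorize against the project the stored object belongs to. Using the
    # project_id from the request body would let a caller name a project
    # they may edit while the pk addresses an object of another project.
    # NOTE(review): get_object() may already run object-level permission
    # checks; that is not visible from this method, so the check is explicit.
    self.iam_auth_check(
        request,
        action=IAMMeta.PROJECT_EDIT_ACTION,
        resources=res_factory.resources_for_project(instance.project_id),
    )

    # Only name and members are written; project_id is never reassigned.
    instance.name = validated_data.get("name")
    instance.members = validated_data.get("members")
    instance.save()
    serializer = self.serializer_class(instance=instance)
    return Response(serializer.data)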
def has_permission(self, request, view):
    """View-level IAM gate for the "list" and "create" actions.

    * "list": the query string must carry ``project_id`` (otherwise the
      request is refused with ``False``); the check is made on that project.
    * "create": the check is made on the flow named by ``template_id`` in
      the request body.
    * any other action is allowed at this level.

    The IAM action is looked up in ``self.actions`` by ``view.action``.
    """
    action_name = view.action

    if action_name == "list":
        query = request.query_params
        if "project_id" not in query:
            return False
        self.iam_auth_check(
            request,
            action=self.actions[action_name],
            resources=res_factory.resources_for_project(query["project_id"]),
        )
        return True

    if action_name == "create":
        # NOTE(review): template_id is None when the body omits it; what
        # resources_for_flow(None) does is not visible here - confirm it
        # fails closed.
        template_id = request.data.get("template_id")
        self.iam_auth_check(
            request,
            action=self.actions[action_name],
            resources=res_factory.resources_for_flow(template_id),
        )

    return True
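def _fetch_label_or_template_ids(request, fetch_label):
    """Look up template/label relations for a comma-separated id list.

    When ``fetch_label`` is true the ids are read from the ``template_ids``
    query parameter and passed to fetch_templates_labels; otherwise they are
    read from ``label_ids`` and passed to fetch_label_template_ids. The
    caller is checked for PROJECT_VIEW_ACTION on the ``project_id`` query
    parameter before the lookup.

    Raises:
        ValidationException: the id parameter or ``project_id`` is missing
            or empty, or an id is not an integer.
    """
    if fetch_label:
        base_id_name = "template_ids"
        fetch_func = TemplateLabelRelation.objects.fetch_templates_labels
    else:
        base_id_name = "label_ids"
        fetch_func = TemplateLabelRelation.objects.fetch_label_template_ids

    base_ids = request.query_params.get(base_id_name)
    if not base_ids:
        raise ValidationException(
            "{} must be provided.".format(base_id_name))

    # Refuse a missing project_id explicitly rather than handing None to the
    # IAM check, whose behaviour for that value is not visible here.
    project_id = request.query_params.get("project_id")
    if not project_id:
        raise ValidationException("project_id should be provided.")

    allow_or_raise_auth_failed(
        iam=iam,
        system=IAMMeta.SYSTEM_ID,
        subject=Subject("user", request.user.username),
        action=Action(IAMMeta.PROJECT_VIEW_ACTION),
        resources=res_factory.resources_for_project(project_id),
    )

    # A non-numeric id is a client error, not an unhandled ValueError.
    try:
        base_ids = [int(base_id) for base_id in base_ids.strip().split(",")]
    except ValueError:
        raise ValidationException(
            "{} must be a comma-separated list of integers.".format(
                base_id_name))

    # NOTE(review): the authorization above covers project_id only; nothing
    # in this function ties the requested ids to that project. Unless
    # fetch_func scopes its result itself, a caller with view permission on
    # one project can read relations of ids belonging to another - confirm.
    return Response(fetch_func(base_ids))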
def list_with_default_labels(self, request, *args, **kwargs):
    """
    Get the labels of a project (including the default labels)
    param: project_id: project ID, integer, query, required
    """
    project_id = request.query_params.get("project_id")
    if not project_id:
        raise ValidationException("project_id should be provided.")

    project_resources = res_factory.resources_for_project(project_id)
    allow_or_raise_auth_failed(
        iam=iam,
        system=IAMMeta.SYSTEM_ID,
        subject=Subject("user", request.user.username),
        action=Action(IAMMeta.PROJECT_VIEW_ACTION),
        resources=project_resources,
    )

    # Labels of the authorized project plus every label flagged is_default,
    # whichever project the default label is stored under.
    in_project_or_default = Q(project_id=project_id) | Q(is_default=True)
    labels = Label.objects.filter(in_project_or_default)
    return Response(self.get_serializer(labels, many=True).data)
def process(self, request, *args, **kwargs):
    """Run the IAM checks for a template import request.

    The uploaded ``data_file`` is parsed and handed to
    TaskTemplate.objects.import_operation_check together with the
    ``project_id`` kwarg. Then:

    * ``override`` false: FLOW_CREATE_ACTION on the project is required.
    * ``override`` true: FLOW_CREATE_ACTION on the project is required only
      when the ``new_template`` and ``override_template`` lists of the check
      result differ in length, and FLOW_EDIT_ACTION is required on every
      flow listed in ``override_template``.

    Raises:
        AuthFailedException: the create check is denied.
        MultiAuthFailedException: the batch edit check returns an empty
            result, or denies at least one flow (only the denied flows are
            reported in that case).

    Returns None when every applicable check passes.
    """
    project_id = kwargs["project_id"]
    upload = request.FILES["data_file"]
    templates_data = read_template_data_file(upload)["data"]["template_data"]
    # Rewind the upload after parsing it; presumably whatever handles the
    # request next reads the file again from the start.
    request.FILES["data_file"].seek(0)
    override = string_to_boolean(request.POST["override"])

    check_info = TaskTemplate.objects.import_operation_check(
        templates_data, project_id)

    subject = Subject("user", request.user.username)
    create_action = Action(IAMMeta.FLOW_CREATE_ACTION)
    project_resources = res_factory.resources_for_project(project_id)
    create_request = Request(
        IAMMeta.SYSTEM_ID, subject, create_action, project_resources, {})

    # check flow create permission
    create_check_needed = (not override) or (
        len(check_info["new_template"]) != len(check_info["override_template"]))
    if create_check_needed and not iam.is_allowed(create_request):
        raise AuthFailedException(
            IAMMeta.SYSTEM_ID, subject, create_action, project_resources)

    if not override or not check_info["override_template"]:
        return

    # check flow edit permission
    tids = [entry["id"] for entry in check_info["override_template"]]
    resources_list = res_factory.resources_list_for_flows(tids)
    # NOTE(review): an empty resources list ends the method without any edit
    # check, although override_template is non-empty at this point. Confirm
    # this cannot let an override through unchecked.
    if not resources_list:
        return

    # First resource of each entry keyed by its id, for mapping the batch
    # result back to the resources it refers to.
    resources_map = {entry[0].id: entry for entry in resources_list}

    edit_action = Action(IAMMeta.FLOW_EDIT_ACTION)
    edit_request = Request(IAMMeta.SYSTEM_ID, subject, edit_action, [], {})
    result = iam.batch_is_allowed(edit_request, resources_list)
    if not result:
        # No verdicts at all is treated as a denial of every flow.
        raise MultiAuthFailedException(
            IAMMeta.SYSTEM_ID, subject, edit_action, resources_list)

    not_allowed_list = [
        resources_map[tid] for tid, allow in result.items() if not allow
    ]
    if not_allowed_list:
        raise MultiAuthFailedException(
            IAMMeta.SYSTEM_ID, subject, edit_action, not_allowed_list)
def get_create_detail_resources(self, bundle):
    """Return the IAM project resources for the object carried by ``bundle``."""
    # NOTE(review): the attribute read is ``project__id`` (double
    # underscore), which looks like query-lookup syntax rather than an
    # attribute name - confirm whether ``project_id`` was intended, since
    # this value decides which project the create check is made against.
    project_ref = bundle.obj.project__id
    return res_factory.resources_for_project(project_ref)