예제 #1
    def has_permission(self, request, view):
        """View-level IAM gate for the ``list`` and ``create`` actions.

        ``list`` requires ``project_id`` in the query string and demands the
        PROJECT_VIEW action on that project. ``create`` demands PROJECT_EDIT
        when ``project_id`` is in the request body and otherwise defers to
        the serializer. Any other action passes straight through with True;
        presumably it is covered by an object-level check elsewhere in the
        viewset -- confirm.

        Returns:
            bool: False only when ``list`` lacks ``project_id``; True otherwise.

        Raises:
            Whatever ``allow_or_raise_auth_failed`` raises when IAM denies
            the action (denial is signalled by raising, not by False).
        """
        def gate_on_project(action_id, project_id):
            # Resources are resolved before the IAM call is assembled.
            resources = res_factory.resources_for_project(project_id)
            allow_or_raise_auth_failed(
                iam=iam,
                system=IAMMeta.SYSTEM_ID,
                subject=Subject("user", request.user.username),
                action=Action(action_id),
                resources=resources,
            )

        current_action = view.action
        if current_action == "list":
            params = request.query_params
            if "project_id" not in params:
                return False
            gate_on_project(IAMMeta.PROJECT_VIEW_ACTION, params["project_id"])
        elif current_action == "create":
            body = request.data
            # A missing project_id is left for the serializer to reject.
            if "project_id" not in body:
                return True
            gate_on_project(IAMMeta.PROJECT_EDIT_ACTION, body["project_id"])

        return True
예제 #2
 def has_object_permission(self, request, view, obj):
     """Object-level IAM gate: demand PROJECT_EDIT on ``obj``'s project.

     The edit action is required for every object access handled here,
     including read-only ones, so reads are effectively limited to users
     who may also edit the project -- presumably intentional, confirm.

     Returns:
         bool: always True; denial is signalled by raising.

     Raises:
         Whatever ``allow_or_raise_auth_failed`` raises when IAM denies.
     """
     owning_project = res_factory.resources_for_project(obj.project_id)
     caller = Subject("user", request.user.username)
     allow_or_raise_auth_failed(
         iam=iam,
         system=IAMMeta.SYSTEM_ID,
         subject=caller,
         action=Action(IAMMeta.PROJECT_EDIT_ACTION),
         resources=owning_project,
     )
     return True
예제 #3
 def destroy(self, request, *args, **kwargs):
     """Soft-delete the addressed object after a PROJECT_EDIT check.

     The row is not removed; ``is_deleted`` is set and saved, and the
     (now flagged) object is returned serialized. The IAM check is bound
     to the project that owns the object, so it runs before any write.

     Returns:
         Response: serialized representation of the flagged object.

     Raises:
         Whatever ``iam_auth_check`` raises when the action is denied.
     """
     target = self.get_object()
     owning_project = res_factory.resources_for_project(target.project_id)
     self.iam_auth_check(
         request,
         action=IAMMeta.PROJECT_EDIT_ACTION,
         resources=owning_project,
     )
     target.is_deleted = True
     target.save()
     payload = self.serializer_class(instance=target).data
     return Response(payload)
예제 #4
 def list(self, request, *args, **kwargs):
     """List the objects of one project after a PROJECT_VIEW check.

     ``project_id`` is taken from ``ListSerializer`` over the query
     string (note: ``self.request``, not the ``request`` argument), so a
     missing or malformed value is rejected by the serializer before any
     IAM call or query is made.

     Returns:
         Response: serialized list filtered to ``project_id``.

     Raises:
         Serializer validation error when ``project_id`` is invalid;
         whatever ``iam_auth_check`` raises when the action is denied.
     """
     params = ListSerializer(data=self.request.query_params)
     params.is_valid(raise_exception=True)
     project_id = params.validated_data["project_id"]
     self.iam_auth_check(
         request,
         action=IAMMeta.PROJECT_VIEW_ACTION,
         resources=res_factory.resources_for_project(project_id),
     )
     rows = self.get_queryset().filter(project_id=project_id)
     payload = self.get_serializer(rows, many=True).data
     return Response(payload)
예제 #5
 def has_permission(self, request, view):
     """View-level IAM gate for the ``list`` action only.

     ``list`` must carry ``project_id`` in the query string; the action
     id is looked up in ``self.actions`` and checked against that project.
     Every other action returns True here and is presumably covered by an
     object-level check elsewhere -- confirm.

     Returns:
         bool: False when ``list`` lacks ``project_id``; True otherwise.

     Raises:
         Whatever ``iam_auth_check`` raises when the action is denied.
     """
     if view.action != "list":
         return True
     params = request.query_params
     if "project_id" not in params:
         return False
     self.iam_auth_check(
         request,
         action=self.actions[view.action],
         resources=res_factory.resources_for_project(params["project_id"]),
     )
     return True
예제 #6
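    def create(self, request, *args, **kwargs):
        """Create a StaffGroupSet after verifying PROJECT_EDIT on its project.

        Authorization is evaluated before ``objects.create`` so a denied
        request never leaves a persisted row behind. The project is read
        from the validated payload, mirroring ``update`` in this viewset; if
        the serializer allows ``project_id`` to be absent, ``None`` reaches
        ``resources_for_project`` -- confirm against the serializer.

        Returns:
            Response: serialized representation of the new object.

        Raises:
            Whatever ``iam_auth_check`` raises when the action is denied.
        """
        validated_data = self.get_serializer_data(request)

        # Check first, write second: no row exists if the check raises.
        self.iam_auth_check(
            request,
            action=IAMMeta.PROJECT_EDIT_ACTION,
            resources=res_factory.resources_for_project(
                validated_data.get("project_id")),
        )
        staff_group_obj = StaffGroupSet.objects.create(**validated_data)
        serializer = self.serializer_class(instance=staff_group_obj)
        return Response(serializer.data)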
예제 #7
파일: viewsets.py 프로젝트: Tencent/bk-sops
 def list(self, request, *args, **kwargs):
     """List labels of one project after a PROJECT_VIEW check.

     ``project_id`` is required in the query string; an empty or missing
     value raises before any IAM call. On success the base class ``list``
     produces the response.

     Returns:
         Response: whatever the parent ``list`` returns.

     Raises:
         ValidationException: ``project_id`` missing.
         Whatever ``allow_or_raise_auth_failed`` raises when denied.
     """
     project_id = request.query_params.get("project_id")
     if not project_id:
         raise ValidationException("project_id should be provided.")
     caller = Subject("user", request.user.username)
     allow_or_raise_auth_failed(
         iam=iam,
         system=IAMMeta.SYSTEM_ID,
         subject=caller,
         action=Action(IAMMeta.PROJECT_VIEW_ACTION),
         resources=res_factory.resources_for_project(project_id),
     )
     parent = super(NewLabelViewSet, self)
     return parent.list(request, *args, **kwargs)
예제 #8
파일: viewsets.py 프로젝트: Tencent/bk-sops
 def update(self, request, *args, **kwargs):
     """Update a label after a PROJECT_EDIT check on its owning project.

     Default labels are immutable and rejected before any IAM call. The
     project is taken from the stored label, not from the request, so the
     caller cannot redirect the check to a different project.

     Returns:
         Response: whatever the parent ``update`` returns.

     Raises:
         ValidationException: the label is a default label.
         Whatever ``allow_or_raise_auth_failed`` raises when denied.
     """
     label = self.get_object()
     if label.is_default:
         raise ValidationException("default label cannot be updated.")
     owning_project = res_factory.resources_for_project(label.project_id)
     allow_or_raise_auth_failed(
         iam=iam,
         system=IAMMeta.SYSTEM_ID,
         subject=Subject("user", request.user.username),
         action=Action(IAMMeta.PROJECT_EDIT_ACTION),
         resources=owning_project,
     )
     parent = super(NewLabelViewSet, self)
     return parent.update(request, *args, **kwargs)
예제 #9
 def has_permission(self, request, view):
     """View-level IAM gate keyed on the ``pk`` URL kwarg as a project id.

     ``retrieve`` demands PROJECT_VIEW; every other action demands
     PROJECT_EDIT (deny-by-default toward the stronger action). The gate
     reads ``view.kwargs["pk"]`` unconditionally, so an action routed
     without ``pk`` (e.g. a collection route) would raise KeyError here
     -- presumably such routes are not wired to this class; confirm.

     Returns:
         bool: always True; denial is signalled by raising.

     Raises:
         Whatever ``allow_or_raise_auth_failed`` raises when denied.
     """
     project_id = view.kwargs["pk"]
     read_only_actions = ["retrieve"]
     if view.action in read_only_actions:
         required = IAMMeta.PROJECT_VIEW_ACTION
     else:
         required = IAMMeta.PROJECT_EDIT_ACTION
     allow_or_raise_auth_failed(
         iam=iam,
         system=IAMMeta.SYSTEM_ID,
         subject=Subject("user", request.user.username),
         action=Action(required),
         resources=res_factory.resources_for_project(project_id),
     )
     return True
예제 #10
파일: viewsets.py 프로젝트: Tencent/bk-sops
 def destroy(self, request, *args, **kwargs):
     """Delete a label after a PROJECT_EDIT check on its owning project.

     Default labels cannot be deleted and are rejected before any IAM
     call. The project is taken from the stored label, so the request
     cannot steer the check toward another project. Deletion is delegated
     to ``perform_destroy``.

     Returns:
         Response: ``{"result": True, "message": "success"}``.

     Raises:
         ValidationException: the label is a default label.
         Whatever ``allow_or_raise_auth_failed`` raises when denied.
     """
     label = self.get_object()
     if label.is_default:
         raise ValidationException("default label cannot be deleted.")
     owning_project = res_factory.resources_for_project(label.project_id)
     allow_or_raise_auth_failed(
         iam=iam,
         system=IAMMeta.SYSTEM_ID,
         subject=Subject("user", request.user.username),
         action=Action(IAMMeta.PROJECT_EDIT_ACTION),
         resources=owning_project,
     )
     self.perform_destroy(label)
     outcome = {"result": True, "message": "success"}
     return Response(outcome)
예제 #11
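    def update(self, request, *args, **kwargs):
        """Replace a StaffGroupSet's ``name`` and ``members`` under PROJECT_EDIT.

        The IAM check is bound to the project that owns the object being
        modified (``instance.project_id``), the same resource ``destroy``
        in this viewset checks. It is not bound to the ``project_id`` in
        the request body: that value is never written to the instance, so
        authorizing on it would let the caller choose which project the
        check runs against. Only ``name`` and ``members`` are written; a
        key absent from the validated payload stores ``None``, as before.

        Returns:
            Response: serialized representation of the updated object.

        Raises:
            Whatever ``iam_auth_check`` raises when the action is denied.
        """
        validated_data = self.get_serializer_data(request)
        instance = self.get_object()

        # Authorize on the object's own project before any field is written.
        self.iam_auth_check(
            request,
            action=IAMMeta.PROJECT_EDIT_ACTION,
            resources=res_factory.resources_for_project(instance.project_id),
        )

        instance.name = validated_data.get("name")
        instance.members = validated_data.get("members")
        instance.save()
        serializer = self.serializer_class(instance=instance)
        return Response(serializer.data)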
예제 #12
 def has_permission(self, request, view):
     """View-level IAM gate for ``list`` (project) and ``create`` (flow).

     ``list`` needs ``project_id`` in the query string and is checked
     against that project. ``create`` is checked against the flow named
     by ``template_id`` in the body; when that key is absent, ``None`` is
     handed to ``resources_for_flow`` -- presumably that resolves to a
     denial or a later validation error, confirm. The action id for both
     comes from ``self.actions``. Other actions return True here.

     Returns:
         bool: False when ``list`` lacks ``project_id``; True otherwise.

     Raises:
         Whatever ``iam_auth_check`` raises when the action is denied.
     """
     current = view.action
     if current == "list":
         params = request.query_params
         if "project_id" not in params:
             return False
         target = res_factory.resources_for_project(params["project_id"])
         self.iam_auth_check(
             request, action=self.actions[current], resources=target,
         )
     elif current == "create":
         target = res_factory.resources_for_flow(request.data.get("template_id"))
         self.iam_auth_check(
             request, action=self.actions[current], resources=target,
         )
     return True
예제 #13
파일: viewsets.py 프로젝트: Tencent/bk-sops
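 def _fetch_label_or_template_ids(request, fetch_label):
     """Resolve label<->template relations for ids given in the query string.

     Args:
         request: DRF request. Reads ``template_ids`` (when ``fetch_label``)
             or ``label_ids``, plus ``project_id``, from ``query_params``.
         fetch_label: True to fetch the labels of the given templates,
             False to fetch the template ids of the given labels.

     Returns:
         Response wrapping the result of the selected
         ``TemplateLabelRelation.objects`` fetch method.

     Raises:
         ValidationException: the id list or ``project_id`` is missing, or
             an entry of the id list is not an integer.
         Whatever ``allow_or_raise_auth_failed`` raises when PROJECT_VIEW
             is denied on ``project_id``.
     """
     if fetch_label:
         base_id_name = "template_ids"
         fetch_func = TemplateLabelRelation.objects.fetch_templates_labels
     else:
         base_id_name = "label_ids"
         fetch_func = TemplateLabelRelation.objects.fetch_label_template_ids

     raw_ids = request.query_params.get(base_id_name)
     if not raw_ids:
         raise ValidationException(
             "{} must be provided.".format(base_id_name))

     # Sibling endpoints in this module reject a missing project_id before
     # the IAM call; without this guard the check would run against None.
     project_id = request.query_params.get("project_id")
     if not project_id:
         raise ValidationException("project_id should be provided.")

     allow_or_raise_auth_failed(
         iam=iam,
         system=IAMMeta.SYSTEM_ID,
         subject=Subject("user", request.user.username),
         action=Action(IAMMeta.PROJECT_VIEW_ACTION),
         resources=res_factory.resources_for_project(project_id),
     )

     # A non-numeric or empty entry ("1,,2") is a client error, not a 500.
     try:
         base_ids = [int(base_id) for base_id in raw_ids.strip().split(",")]
     except ValueError as err:
         raise ValidationException(
             "{} must be a comma-separated list of integers.".format(
                 base_id_name)) from err
     return Response(fetch_func(base_ids))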
예제 #14
파일: viewsets.py 프로젝트: Tencent/bk-sops
    def list_with_default_labels(self, request, *args, **kwargs):
        """
        List the labels of a project, including the default labels.

        param: project_id: project id, integer, query, required

        ``project_id`` is required; a missing value raises before any IAM
        call. After PROJECT_VIEW is confirmed on that project, the result
        is the union of the project's own labels and every label flagged
        ``is_default`` (the latter are not project-scoped by this query).

        Raises:
            ValidationException: ``project_id`` missing.
            Whatever ``allow_or_raise_auth_failed`` raises when denied.
        """
        project_id = request.query_params.get("project_id")
        if not project_id:
            raise ValidationException("project_id should be provided.")
        caller = Subject("user", request.user.username)
        allow_or_raise_auth_failed(
            iam=iam,
            system=IAMMeta.SYSTEM_ID,
            subject=caller,
            action=Action(IAMMeta.PROJECT_VIEW_ACTION),
            resources=res_factory.resources_for_project(project_id),
        )
        own_or_default = Q(project_id=project_id) | Q(is_default=True)
        rows = Label.objects.filter(own_or_default)
        payload = self.get_serializer(rows, many=True).data
        return Response(payload)
예제 #15
    def process(self, request, *args, **kwargs):
        """Authorize a template import into ``kwargs["project_id"]``.

        Reads the uploaded template file and the ``override`` flag, asks the
        TaskTemplate manager which templates would be new vs. overridden,
        and then checks FLOW_CREATE on the project and/or FLOW_EDIT on each
        overridden flow. Returns None on every path; denial is signalled by
        raising ``AuthFailedException`` / ``MultiAuthFailedException``.
        """
        project_id = kwargs["project_id"]
        templates_data = read_template_data_file(
            request.FILES["data_file"])["data"]["template_data"]
        # Rewind the upload so a later consumer can read it from the start.
        request.FILES["data_file"].seek(0)
        override = string_to_boolean(request.POST["override"])

        # Presumably splits the import into "new_template" and
        # "override_template" entries (the only two keys read below) -- confirm.
        check_info = TaskTemplate.objects.import_operation_check(
            templates_data, project_id)

        subject = Subject("user", request.user.username)

        create_action = Action(IAMMeta.FLOW_CREATE_ACTION)
        project_resources = res_factory.resources_for_project(project_id)
        # Last argument is the (empty) environment dict of the IAM request.
        create_request = Request(IAMMeta.SYSTEM_ID, subject, create_action,
                                 project_resources, {})

        # check flow create permission
        # Without override every imported template is a new flow, so the
        # project-level create permission is required unconditionally.
        if not override:
            allowed = iam.is_allowed(create_request)

            if not allowed:
                raise AuthFailedException(IAMMeta.SYSTEM_ID, subject,
                                          create_action, project_resources)

        else:

            # check flow create permission
            # NOTE(review): the length comparison presumably means "at least
            # one template is new rather than overridden" -- confirm; the
            # create check is skipped entirely when the counts match.
            if len(check_info["new_template"]) != len(
                    check_info["override_template"]):
                allowed = iam.is_allowed(create_request)

                if not allowed:
                    raise AuthFailedException(IAMMeta.SYSTEM_ID, subject,
                                              create_action, project_resources)

            # check flow edit permission
            if check_info["override_template"]:
                tids = [
                    template_info["id"]
                    for template_info in check_info["override_template"]
                ]

                resources_list = res_factory.resources_list_for_flows(tids)

                # NOTE(review): returning here skips the edit check when no
                # flow resource resolves for the override ids, i.e. the path
                # is fail-open for that case -- confirm this is intended.
                if not resources_list:
                    return

                # Key each resource group by the id of its first resource so
                # the per-id batch result can be mapped back to it.
                resources_map = {}
                for resources in resources_list:
                    resources_map[resources[0].id] = resources

                edit_action = Action(IAMMeta.FLOW_EDIT_ACTION)
                # Resources are passed per call to batch_is_allowed, hence [].
                edit_request = Request(IAMMeta.SYSTEM_ID, subject, edit_action,
                                       [], {})
                result = iam.batch_is_allowed(edit_request, resources_list)
                # An empty/falsy batch answer is treated as denial of everything.
                if not result:
                    raise MultiAuthFailedException(IAMMeta.SYSTEM_ID, subject,
                                                   edit_action, resources_list)

                # Collect only the flows the batch answer denied.
                not_allowed_list = []
                for tid, allow in result.items():
                    if not allow:
                        not_allowed_list.append(resources_map[tid])

                if not_allowed_list:
                    raise MultiAuthFailedException(IAMMeta.SYSTEM_ID, subject,
                                                   edit_action,
                                                   not_allowed_list)
예제 #16
파일: mini_app.py 프로젝트: Tencent/bk-sops
 def get_create_detail_resources(self, bundle):
     """Return the IAM project resources for the object in ``bundle``.

     The project id is read from ``bundle.obj.project__id`` (note the
     double underscore, as named on the object) and turned into the
     resource list the create/detail checks are evaluated against.
     """
     owning_project_id = bundle.obj.project__id
     return res_factory.resources_for_project(owning_project_id)