def sync_db_command(args):
# Models not implicitly or explictly imported above are explicitly imported
# here:
from grouper.models.perf_profile import PerfProfile # noqa
db_engine = get_db_engine(get_database_url(settings))
Model.metadata.create_all(db_engine)
# Add some basic database structures we know we will need if they don't exist.
session = make_session()
for name, description in SYSTEM_PERMISSIONS:
test = Permission.get(session, name)
if test:
continue
permission = Permission(name=name, description=description)
try:
permission.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create permission: %s' % (name, ))
session.commit()
# This group is needed to bootstrap a Grouper installation.
admin_group = Group.get(session, name="grouper-administrators")
if not admin_group:
admin_group = Group(
groupname="grouper-administrators",
description="Administrators of the Grouper system.",
canjoin="nobody",
)
try:
admin_group.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create group: grouper-administrators')
for permission_name in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN):
permission = Permission.get(session, permission_name)
assert permission, "Permission should have been created earlier!"
grant_permission(session, admin_group.id, permission.id)
session.commit()
def sync_db_command(args):
# Models not implicitly or explictly imported above are explicitly imported
# here:
from grouper.models.perf_profile import PerfProfile # noqa
db_engine = get_db_engine(get_database_url(settings))
Model.metadata.create_all(db_engine)
# Add some basic database structures we know we will need if they don't exist.
session = make_session()
for name, description in SYSTEM_PERMISSIONS:
test = Permission.get(session, name)
if test:
continue
permission = Permission(name=name, description=description)
try:
permission.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create permission: %s' % (name, ))
session.commit()
# This group is needed to bootstrap a Grouper installation.
admin_group = Group.get(session, name="grouper-administrators")
if not admin_group:
admin_group = Group(
groupname="grouper-administrators",
description="Administrators of the Grouper system.",
canjoin="nobody",
)
try:
admin_group.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create group: grouper-administrators')
for permission_name in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN):
permission = Permission.get(session, permission_name)
assert permission, "Permission should have been created earlier!"
grant_permission(session, admin_group.id, permission.id)
session.commit()
def post(self, *args: Any, **kwargs: Any) -> None:
name = self.get_path_argument("name")
grantable = user_grantable_permissions(self.session, self.current_user)
if not grantable:
return self.forbidden()
group = Group.get(self.session, name=name)
if not group:
return self.notfound()
form = PermissionGrantForm(self.request.arguments)
form.permission.choices = [["", "(select one)"]]
for perm in grantable:
grantable_str = "{} ({})".format(perm[0].name, perm[1])
form.permission.choices.append([perm[0].name, grantable_str])
if not form.validate():
return self.render(
"permission-grant.html",
form=form,
group=group,
alerts=self.get_form_alerts(form.errors),
)
permission = get_permission(self.session, form.data["permission"])
if not permission:
return self.notfound() # Shouldn't happen.
argument = form.argument.data.strip()
allowed = False
for perm in grantable:
if perm[0].name == permission.name:
if matches_glob(perm[1], argument):
allowed = True
break
if not allowed:
form.argument.errors.append(
"You do not have grant authority over that permission/argument combination."
)
return self.render(
"permission-grant.html",
form=form,
group=group,
alerts=self.get_form_alerts(form.errors),
)
# If the permission is audited, then see if the subtree meets auditing requirements.
if permission.audited:
try:
assert_controllers_are_auditors(group)
except UserNotAuditor as e:
form.permission.errors.append(str(e))
return self.render(
"permission-grant.html",
form=form,
group=group,
alerts=self.get_form_alerts(form.errors),
)
try:
self.plugins.check_permission_argument(permission.name, argument)
grant_permission(self.session,
group.id,
permission.id,
argument=argument)
except PluginRejectedPermissionArgument as e:
self.session.rollback()
form.argument.errors.append(f"Rejected by plugin: {e}")
return self.render(
"permission-grant.html",
form=form,
group=group,
alerts=self.get_form_alerts(form.errors),
)
except IntegrityError:
self.session.rollback()
form.argument.errors.append(
"Permission and Argument already mapped to this group.")
return self.render(
"permission-grant.html",
form=form,
group=group,
alerts=self.get_form_alerts(form.errors),
)
self.session.commit()
AuditLog.log(
self.session,
self.current_user.id,
"grant_permission",
"Granted permission with argument: {}".format(
form.data["argument"]),
on_permission_id=permission.id,
on_group_id=group.id,
)
return self.redirect("/groups/{}?refresh=yes".format(group.name))
def post(self, name=None):
grantable = self.current_user.my_grantable_permissions()
if not grantable:
return self.forbidden()
group = Group.get(self.session, None, name)
if not group:
return self.notfound()
form = PermissionGrantForm(self.request.arguments)
form.permission.choices = [["", "(select one)"]]
for perm in grantable:
grantable_str = "{} ({})".format(perm[0].name, perm[1])
form.permission.choices.append([perm[0].name, grantable_str])
if not form.validate():
return self.render(
"permission-grant.html", form=form, group=group,
alerts=self.get_form_alerts(form.errors)
)
permission = Permission.get(self.session, form.data["permission"])
if not permission:
return self.notfound() # Shouldn't happen.
allowed = False
for perm in grantable:
if perm[0].name == permission.name:
if matches_glob(perm[1], form.data["argument"]):
allowed = True
break
if not allowed:
form.argument.errors.append(
"You do not have grant authority over that permission/argument combination."
)
return self.render(
"permission-grant.html", form=form, group=group,
alerts=self.get_form_alerts(form.errors),
)
# If the permission is audited, then see if the subtree meets auditing requirements.
if permission.audited:
fail_message = ("Permission is audited and this group (or a subgroup) contains " +
"owners, np-owners, or managers who have not received audit training.")
try:
permission_ok = assert_controllers_are_auditors(group)
except UserNotAuditor as e:
permission_ok = False
fail_message = e
if not permission_ok:
form.permission.errors.append(fail_message)
return self.render(
"permission-grant.html", form=form, group=group,
alerts=self.get_form_alerts(form.errors),
)
try:
grant_permission(self.session, group.id, permission.id, argument=form.data["argument"])
except IntegrityError:
form.argument.errors.append(
"Permission and Argument already mapped to this group."
)
return self.render(
"permission-grant.html", form=form, group=group,
alerts=self.get_form_alerts(form.errors),
)
self.session.commit()
AuditLog.log(self.session, self.current_user.id, 'grant_permission',
'Granted permission with argument: {}'.format(form.data["argument"]),
on_permission_id=permission.id, on_group_id=group.id)
return self.redirect("/groups/{}?refresh=yes".format(group.name))
def post(self, name=None):
grantable = user_grantable_permissions(self.session, self.current_user)
if not grantable:
return self.forbidden()
group = Group.get(self.session, None, name)
if not group:
return self.notfound()
form = PermissionGrantForm(self.request.arguments)
form.permission.choices = [["", "(select one)"]]
for perm in grantable:
grantable_str = "{} ({})".format(perm[0].name, perm[1])
form.permission.choices.append([perm[0].name, grantable_str])
if not form.validate():
return self.render(
"permission-grant.html",
form=form,
group=group,
alerts=self.get_form_alerts(form.errors),
)
permission = get_permission(self.session, form.data["permission"])
if not permission:
return self.notfound() # Shouldn't happen.
allowed = False
for perm in grantable:
if perm[0].name == permission.name:
if matches_glob(perm[1], form.data["argument"]):
allowed = True
break
if not allowed:
form.argument.errors.append(
"You do not have grant authority over that permission/argument combination."
)
return self.render(
"permission-grant.html",
form=form,
group=group,
alerts=self.get_form_alerts(form.errors),
)
# If the permission is audited, then see if the subtree meets auditing requirements.
if permission.audited:
fail_message = (
"Permission is audited and this group (or a subgroup) contains "
+
"owners, np-owners, or managers who have not received audit training."
)
try:
permission_ok = assert_controllers_are_auditors(group)
except UserNotAuditor as e:
permission_ok = False
fail_message = e
if not permission_ok:
form.permission.errors.append(fail_message)
return self.render(
"permission-grant.html",
form=form,
group=group,
alerts=self.get_form_alerts(form.errors),
)
try:
grant_permission(self.session,
group.id,
permission.id,
argument=form.data["argument"])
except IntegrityError:
self.session.rollback()
form.argument.errors.append(
"Permission and Argument already mapped to this group.")
return self.render(
"permission-grant.html",
form=form,
group=group,
alerts=self.get_form_alerts(form.errors),
)
self.session.commit()
AuditLog.log(
self.session,
self.current_user.id,
"grant_permission",
"Granted permission with argument: {}".format(
form.data["argument"]),
on_permission_id=permission.id,
on_group_id=group.id,
)
return self.redirect("/groups/{}?refresh=yes".format(group.name))
def sync_db_command(args):
# Models not implicitly or explictly imported above are explicitly imported here
from grouper.models.perf_profile import PerfProfile # noqa: F401
from grouper.models.user_token import UserToken # noqa: F401
db_engine = get_db_engine(get_database_url(settings))
Model.metadata.create_all(db_engine)
# Add some basic database structures we know we will need if they don't exist.
session = make_session()
for name, description in SYSTEM_PERMISSIONS:
test = get_permission(session, name)
if test:
continue
try:
create_permission(session, name, description)
session.flush()
except IntegrityError:
session.rollback()
raise Exception("Failed to create permission: %s" % (name, ))
session.commit()
# This group is needed to bootstrap a Grouper installation.
admin_group = Group.get(session, name="grouper-administrators")
if not admin_group:
admin_group = Group(
groupname="grouper-administrators",
description="Administrators of the Grouper system.",
canjoin="nobody",
)
try:
admin_group.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception("Failed to create group: grouper-administrators")
for permission_name in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN):
permission = get_permission(session, permission_name)
assert permission, "Permission should have been created earlier!"
grant_permission(session, admin_group.id, permission.id)
session.commit()
auditors_group_name = get_auditors_group_name(settings)
auditors_group = Group.get(session, name=auditors_group_name)
if not auditors_group:
auditors_group = Group(
groupname=auditors_group_name,
description=
"Group for auditors, who can be owners of audited groups.",
canjoin="canjoin",
)
try:
auditors_group.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception(
"Failed to create group: {}".format(auditors_group_name))
permission = get_permission(session, PERMISSION_AUDITOR)
assert permission, "Permission should have been created earlier!"
grant_permission(session, auditors_group.id, permission.id)
session.commit()
