def get_obj_perms_model(obj, base_cls, generic_cls):
if isinstance(obj, Model):
obj = obj.__class__
ctype = get_content_type(obj)
if django.VERSION >= (1, 8):
fields = (f for f in obj._meta.get_fields()
if (f.one_to_many or f.one_to_one) and f.auto_created)
else:
fields = obj._meta.get_all_related_objects()
for attr in fields:
if django.VERSION < (1, 8):
model = getattr(attr, 'model', None)
else:
model = getattr(attr, 'related_model', None)
if (model and issubclass(model, base_cls) and
model is not generic_cls):
# if model is generic one it would be returned anyway
if not model.objects.is_generic():
# make sure that content_object's content_type is same as
# the one of given obj
fk = model._meta.get_field('content_object')
if ctype == get_content_type(remote_model(fk)):
return model
return generic_cls
def get_organization_filters(self, obj, permission_expiry=False):
User = get_user_model()
ctype = get_content_type(obj)
# Django organizations
organization_model = get_organization_obj_perms_model(obj)
organization_rel_name = organization_model.permission.field.related_query_name()
if self.user:
fieldname = '%s__organization__%s' % (
organization_rel_name,
"users",
)
organization_filters = {fieldname: self.user}
else:
organization_filters = {'%s__organization' % organization_rel_name: self.organization}
if organization_model.objects.is_generic():
organization_filters.update({
'%s__content_type' % organization_rel_name: ctype,
'%s__object_pk' % organization_rel_name: obj.pk,
})
else:
organization_filters['%s__content_object' % organization_rel_name] = obj
org_q = tuple()
if permission_expiry:
kwargs1 = {"%s__permission_expiry" % organization_rel_name: None}
kwargs2 = {"%s__permission_expiry__gte" % organization_rel_name: datetime.utcnow().replace(tzinfo=utc)}
org_q = (Q(**kwargs1) | Q(**kwargs2),)
return organization_filters, org_q
def get_groups_with_perms(obj, attach_perms=False):
"""Return queryset of all ``Group`` objects with *any* object permissions for the given ``obj``."""
ctype = get_content_type(obj)
group_model = get_group_obj_perms_model(obj)
if not attach_perms:
# It's much easier without attached perms so we do it first if that is the case
group_rel_name = group_model.group.field.related_query_name()
if group_model.objects.is_generic():
group_filters = {
'%s__content_type' % group_rel_name: ctype,
'%s__object_pk' % group_rel_name: obj.pk,
}
else:
group_filters = {'%s__content_object' % group_rel_name: obj}
return Group.objects.filter(**group_filters).distinct()
else:
group_perms_mapping = defaultdict(list)
groups_with_perms = get_groups_with_perms(obj)
queryset = group_model.objects.filter(group__in=groups_with_perms).prefetch_related('group', 'permission')
if group_model is GroupObjectPermission:
queryset = queryset.filter(object_pk=obj.pk, content_type=ctype)
else:
queryset = queryset.filter(content_object_id=obj.pk)
for group_perm in queryset:
group_perms_mapping[group_perm.group].append(group_perm.permission.codename)
return dict(group_perms_mapping)
def get_perms(self, obj):
"""
Returns list of ``codename``'s of all permissions for given ``obj``.
:param obj: Django model instance for which permission should be checked
"""
if self.user and not self.user.is_active:
return []
ctype = get_content_type(obj)
key = self.get_local_cache_key(obj)
if key not in self._obj_perms_cache:
if self.user and self.user.is_superuser:
perms = list(chain(*Permission.objects
.filter(content_type=ctype)
.values_list("codename")))
elif self.user:
# Query user and group permissions separately and then combine
# the results to avoid a slow query
user_perms = self.get_user_perms(obj)
group_perms = self.get_group_perms(obj)
perms = list(set(chain(user_perms, group_perms)))
else:
perms = list(set(self.get_group_perms(obj)))
self._obj_perms_cache[key] = perms
return self._obj_perms_cache[key]
def save(self, *args, **kwargs):
content_type = get_content_type(self.content_object)
if content_type != self.permission.content_type:
raise ValidationError("Cannot persist permission not designed for "
"this class (permission's type is %r and object's type is %r)"
% (self.permission.content_type, content_type))
return super(BaseObjectPermission, self).save(*args, **kwargs)
def assign_perm(self, perm, user_or_group, obj, renewal_period=None, subscribe_to_emails=True):
"""
Assigns permission with given ``perm`` for an instance ``obj`` and
``user``.
"""
if getattr(obj, 'pk', None) is None:
raise ObjectNotPersisted("Object %s needs to be persisted first"
% obj)
ctype = get_content_type(obj)
if not isinstance(perm, Permission):
permission = Permission.objects.get(content_type=ctype, codename=perm)
else:
permission = perm
kwargs = {'permission': permission, self.user_or_group_field: user_or_group}
if self.is_generic():
kwargs['content_type'] = ctype
kwargs['object_pk'] = obj.pk
else:
kwargs['content_object'] = obj
obj_perm, _ = self.get_or_create(**kwargs)
obj_perm.permission_expiry = calculate_permission_expiry(obj_perm, renewal_period)
if subscribe_to_emails:
obj_perm.permission_expiry_0day_email_sent = False
obj_perm.permission_expiry_30day_email_sent = False
else:
obj_perm.permission_expiry_0day_email_sent = True
obj_perm.permission_expiry_30day_email_sent = True
obj_perm.save()
return obj_perm
def bulk_assign_perm(self, perm, user_or_group, queryset):
"""
Bulk assigns permissions with given ``perm`` for an objects in ``queryset`` and
``user_or_group``.
"""
ctype = get_content_type(queryset.model)
if not isinstance(perm, Permission):
permission = Permission.objects.get(content_type=ctype, codename=perm)
else:
permission = perm
checker = ObjectPermissionChecker(user_or_group)
checker.prefetch_perms(queryset)
assigned_perms = []
for instance in queryset:
if not checker.has_perm(permission.codename, instance):
kwargs = {'permission': permission, self.user_or_group_field: user_or_group}
if self.is_generic():
kwargs['content_type'] = ctype
kwargs['object_pk'] = instance.pk
else:
kwargs['content_object'] = instance
assigned_perms.append(self.model(**kwargs))
self.model.objects.bulk_create(assigned_perms)
return assigned_perms
def assign_perm_to_many(self, perm, users_or_groups, obj):
"""
Bulk assigns given ``perm`` for the object ``obj`` to a set of users or a set of groups.
"""
ctype = get_content_type(obj)
if not isinstance(perm, Permission):
permission = Permission.objects.get(content_type=ctype,
codename=perm)
else:
permission = perm
kwargs = {'permission': permission}
if self.is_generic():
kwargs['content_type'] = ctype
kwargs['object_pk'] = obj.pk
else:
kwargs['content_object'] = obj
to_add = []
field = self.user_or_group_field
for user in users_or_groups:
kwargs[field] = user
to_add.append(
self.model(**kwargs)
)
return self.model.objects.bulk_create(to_add)
def remove_perm(self, perm, user_or_group, obj):
"""
Removes permission ``perm`` for an instance ``obj`` and given ``user_or_group``.
Please note that we do NOT fetch object permission from database - we
use ``Queryset.delete`` method for removing it. Main implication of this
is that ``post_delete`` signals would NOT be fired.
"""
if getattr(obj, 'pk', None) is None:
raise ObjectNotPersisted("Object %s needs to be persisted first"
% obj)
filters = Q(**{self.user_or_group_field: user_or_group})
if isinstance(perm, Permission):
filters &= Q(permission=perm)
else:
filters &= Q(permission__codename=perm,
permission__content_type=get_content_type(obj))
if self.is_generic():
filters &= Q(object_pk=obj.pk)
else:
filters &= Q(content_object__pk=obj.pk)
return self.filter(filters).delete()
def get_organization_perms(self, obj, permission_expiry=False):
ctype = get_content_type(obj)
perms_qs = Permission.objects.filter(content_type=ctype)
organization_filters, org_q = self.get_organization_filters(obj, permission_expiry)
organization_perms_qs = perms_qs.filter(*org_q, **organization_filters)
organization_perms = organization_perms_qs.values_list("codename", flat=True)
return organization_perms
def get_group_perms(self, obj):
ctype = get_content_type(obj)
perms_qs = Permission.objects.filter(content_type=ctype)
group_filters = self.get_group_filters(obj)
group_perms_qs = perms_qs.filter(**group_filters)
group_perms = group_perms_qs.values_list("codename", flat=True)
return group_perms
def get_user_perms(self, obj):
ctype = get_content_type(obj)
perms_qs = Permission.objects.filter(content_type=ctype)
user_filters = self.get_user_filters(obj)
user_perms_qs = perms_qs.filter(**user_filters)
user_perms = user_perms_qs.values_list("codename", flat=True)
return user_perms
def _get_pks_model_and_ctype(objects):
"""
Returns the primary keys, model and content type of an iterable of Django model objects.
Assumes that all objects are of the same content type.
"""
if isinstance(objects, QuerySet):
model = objects.model
pks = [force_text(pk) for pk in objects.values_list('pk', flat=True)]
ctype = get_content_type(model)
else:
pks = []
for idx, obj in enumerate(objects):
if not idx:
model = type(obj)
ctype = get_content_type(model)
pks.append(force_text(obj.pk))
return pks, model, ctype
def get_obj_perms_model(obj, base_cls, generic_cls):
if isinstance(obj, Model):
obj = obj.__class__
ctype = get_content_type(obj)
fields = (f for f in obj._meta.get_fields()
if (f.one_to_many or f.one_to_one) and f.auto_created)
for attr in fields:
model = getattr(attr, 'related_model', None)
if (model and issubclass(model, base_cls) and
model is not generic_cls and getattr(model, 'enabled', True)):
# if model is generic one it would be returned anyway
if not model.objects.is_generic():
# make sure that content_object's content_type is same as
# the one of given obj
fk = model._meta.get_field('content_object')
if ctype == get_content_type(fk.remote_field.model):
return model
return generic_cls
def get_groups_with_perms(obj, attach_perms=False):
"""
Returns queryset of all ``Group`` objects with *any* object permissions for
the given ``obj``.
:param obj: persisted Django's ``Model`` instance
:param attach_perms: Default: ``False``. If set to ``True`` result would be
dictionary of ``Group`` instances with permissions' codenames list as
values. This would fetch groups eagerly!
Example::
>>> from django.contrib.flatpages.models import FlatPage
>>> from guardian.shortcuts import assign_perm, get_groups_with_perms
>>> from guardian.models import Group
>>>
>>> page = FlatPage.objects.create(title='Some page', path='/some/page/')
>>> admins = Group.objects.create(name='Admins')
>>> assign_perm('change_flatpage', admins, page)
>>>
>>> get_groups_with_perms(page)
[<Group: admins>]
>>>
>>> get_groups_with_perms(page, attach_perms=True)
{<Group: admins>: [u'change_flatpage']}
"""
ctype = get_content_type(obj)
group_model = get_group_obj_perms_model(obj)
if not attach_perms:
# It's much easier without attached perms so we do it first if that is the case
group_rel_name = group_model.group.field.related_query_name()
if group_model.objects.is_generic():
group_filters = {
'%s__content_type' % group_rel_name: ctype,
'%s__object_pk' % group_rel_name: obj.pk,
}
else:
group_filters = {'%s__content_object' % group_rel_name: obj}
return Group.objects.filter(**group_filters).distinct()
else:
group_perms_mapping = defaultdict(list)
groups_with_perms = get_groups_with_perms(obj)
qs = group_model.objects.filter(group__in=groups_with_perms).prefetch_related('group', 'permission')
if group_model is GroupObjectPermission:
qs = qs.filter(object_pk=obj.pk, content_type=ctype)
else:
qs = qs.filter(content_object_id=obj.pk)
for group_perm in qs:
group_perms_mapping[group_perm.group].append(group_perm.permission.codename)
return dict(group_perms_mapping)
def get_perms_for_model(cls):
"""
Returns queryset of all Permission objects for the given class. It is
possible to pass Model as class or instance.
"""
if isinstance(cls, basestring):
app_label, model_name = cls.split('.')
model = apps.get_model(app_label, model_name)
else:
model = cls
ctype = get_content_type(model)
return Permission.objects.filter(content_type=ctype)
def get_user_filters(self, obj):
ctype = get_content_type(obj)
model = get_user_obj_perms_model(obj)
related_name = model.permission.field.related_query_name()
user_filters = {'%s__user' % related_name: self.user}
if model.objects.is_generic():
user_filters.update({
'%s__content_type' % related_name: ctype,
'%s__object_pk' % related_name: obj.pk,
})
else:
user_filters['%s__content_object' % related_name] = obj
return user_filters
def get_user_filters(self, obj, permission_expiry=False):
ctype = get_content_type(obj)
model = get_user_obj_perms_model(obj)
related_name = model.permission.field.related_query_name()
user_filters = {'%s__user' % related_name: self.user}
if model.objects.is_generic():
user_filters.update({
'%s__content_type' % related_name: ctype,
'%s__object_pk' % related_name: obj.pk,
})
else:
user_filters['%s__content_object' % related_name] = obj
user_q = tuple()
if permission_expiry:
kwargs1 = {"%s__permission_expiry" % related_name: None}
kwargs2 = {"%s__permission_expiry__gte" % related_name: datetime.utcnow().replace(tzinfo=utc)}
user_q = (Q(**kwargs1) | Q(**kwargs2),)
return user_filters, user_q
def assign_perm(self, perm, user_or_group, obj):
"""
Assigns permission with given ``perm`` for an instance ``obj`` and
``user``.
"""
if getattr(obj, 'pk', None) is None:
raise ObjectNotPersisted("Object %s needs to be persisted first"
% obj)
ctype = get_content_type(obj)
if not isinstance(perm, Permission):
permission = Permission.objects.get(content_type=ctype, codename=perm)
else:
permission = perm
kwargs = {'permission': permission, self.user_or_group_field: user_or_group}
if self.is_generic():
kwargs['content_type'] = ctype
kwargs['object_pk'] = obj.pk
else:
kwargs['content_object'] = obj
obj_perm, _ = self.get_or_create(**kwargs)
return obj_perm
def has_perm(self, user_obj, perm, obj=None):
"""
Returns ``True`` if given ``user_obj`` has ``perm`` for ``obj``. If no
``obj`` is given, ``False`` is returned.
.. note::
Remember, that if user is not *active*, all checks would return
``False``.
Main difference between Django's ``ModelBackend`` is that we can pass
``obj`` instance here and ``perm`` doesn't have to contain
``app_label`` as it can be retrieved from given ``obj``.
**Inactive user support**
If user is authenticated but inactive at the same time, all checks
always returns ``False``.
"""
# check if user_obj and object are supported
support, user_obj = check_support(user_obj, obj)
if not support:
return False
if '.' in perm:
app_label, perm = perm.split('.')
if app_label != obj._meta.app_label:
# Check the content_type app_label when permission
# and obj app labels don't match.
ctype = get_content_type(obj)
if app_label != ctype.app_label:
raise WrongAppError("Passed perm has app label of '%s' while "
"given obj has app label '%s' and given obj"
"content_type has app label '%s'" %
(app_label, obj._meta.app_label, ctype.app_label))
check = ObjectPermissionChecker(user_obj)
return check.has_perm(perm, obj)
def bulk_remove_perm(self, perm, user_or_group, queryset):
"""
Removes permission ``perm`` for a ``queryset`` and given ``user_or_group``.
Please note that we do NOT fetch object permission from database - we
use ``Queryset.delete`` method for removing it. Main implication of this
is that ``post_delete`` signals would NOT be fired.
"""
filters = Q(**{self.user_or_group_field: user_or_group})
if isinstance(perm, Permission):
filters &= Q(permission=perm)
else:
ctype = get_content_type(queryset.model)
filters &= Q(permission__codename=perm,
permission__content_type=ctype)
if self.is_generic():
filters &= Q(object_pk__in = [str(pk) for pk in queryset.values_list('pk', flat=True)])
else:
filters &= Q(content_object__in=queryset)
return self.filter(filters).delete()
def get_group_filters(self, obj):
User = get_user_model()
ctype = get_content_type(obj)
group_model = get_group_obj_perms_model(obj)
group_rel_name = group_model.permission.field.related_query_name()
if self.user:
fieldname = '%s__group__%s' % (
group_rel_name,
User.groups.field.related_query_name(),
)
group_filters = {fieldname: self.user}
else:
group_filters = {'%s__group' % group_rel_name: self.group}
if group_model.objects.is_generic():
group_filters.update({
'%s__content_type' % group_rel_name: ctype,
'%s__object_pk' % group_rel_name: obj.pk,
})
else:
group_filters['%s__content_object' % group_rel_name] = obj
return group_filters
def test_get_content_type(self):
with mock.patch(
"guardian.conf.settings.GET_CONTENT_TYPE", "guardian.testapp.tests.test_conf.get_test_content_type"
):
self.assertEqual(get_content_type(None), "x")
def get_objects_for_group(group, perms, klass=None, any_perm=False, accept_global_perms=True):
"""
Returns queryset of objects for which a given ``group`` has *all*
permissions present at ``perms``.
:param group: ``Group`` instance for which objects would be returned.
:param perms: single permission string, or sequence of permission strings
which should be checked.
If ``klass`` parameter is not given, those should be full permission
names rather than only codenames (i.e. ``auth.change_user``). If more than
one permission is present within sequence, their content type **must** be
the same or ``MixedContentTypeError`` exception would be raised.
:param klass: may be a Model, Manager or QuerySet object. If not given
this parameter would be computed based on given ``params``.
:param any_perm: if True, any of permission in sequence is accepted
:param accept_global_perms: if ``True`` takes global permissions into account.
If any_perm is set to false then the intersection of matching objects based on global and object based permissions
is returned. Default is ``True``.
:raises MixedContentTypeError: when computed content type for ``perms``
and/or ``klass`` clashes.
:raises WrongAppError: if cannot compute app label for given ``perms``/
``klass``.
Example:
Let's assume we have a ``Task`` model belonging to the ``tasker`` app with
the default add_task, change_task and delete_task permissions provided
by Django::
>>> from guardian.shortcuts import get_objects_for_group
>>> from tasker import Task
>>> group = Group.objects.create('some group')
>>> task = Task.objects.create('some task')
>>> get_objects_for_group(group, 'tasker.add_task')
[]
>>> from guardian.shortcuts import assign_perm
>>> assign_perm('tasker.add_task', group, task)
>>> get_objects_for_group(group, 'tasker.add_task')
[<Task some task>]
The permission string can also be an iterable. Continuing with the previous example:
>>> get_objects_for_group(group, ['tasker.add_task', 'tasker.delete_task'])
[]
>>> assign_perm('tasker.delete_task', group, task)
>>> get_objects_for_group(group, ['tasker.add_task', 'tasker.delete_task'])
[<Task some task>]
Global permissions assigned to the group are also taken into account. Continuing with previous example:
>>> task_other = Task.objects.create('other task')
>>> assign_perm('tasker.change_task', group)
>>> get_objects_for_group(group, ['tasker.change_task'])
[<Task some task>, <Task other task>]
>>> get_objects_for_group(group, ['tasker.change_task'], accept_global_perms=False)
[<Task some task>]
"""
if isinstance(perms, basestring):
perms = [perms]
ctype = None
app_label = None
codenames = set()
# Compute codenames set and ctype if possible
for perm in perms:
if '.' in perm:
new_app_label, codename = perm.split('.', 1)
if app_label is not None and app_label != new_app_label:
raise MixedContentTypeError("Given perms must have same app "
"label (%s != %s)" % (app_label, new_app_label))
else:
app_label = new_app_label
else:
codename = perm
codenames.add(codename)
if app_label is not None:
new_ctype = ContentType.objects.get(app_label=app_label,
permission__codename=codename)
if ctype is not None and ctype != new_ctype:
raise MixedContentTypeError("ContentType was once computed "
"to be %s and another one %s" % (ctype, new_ctype))
else:
ctype = new_ctype
# Compute queryset and ctype if still missing
if ctype is None and klass is not None:
queryset = _get_queryset(klass)
ctype = get_content_type(queryset.model)
elif ctype is not None and klass is None:
queryset = _get_queryset(ctype.model_class())
elif klass is None:
raise WrongAppError("Cannot determine content type")
else:
queryset = _get_queryset(klass)
if ctype.model_class() != queryset.model:
raise MixedContentTypeError("Content type for given perms and "
"klass differs")
# At this point, we should have both ctype and queryset and they should
# match which means: ctype.model_class() == queryset.model
# we should also have ``codenames`` list
global_perms = set()
if accept_global_perms:
global_perm_set = group.permissions.values_list('codename', flat=True)
for code in codenames:
if code in global_perm_set:
global_perms.add(code)
for code in global_perms:
codenames.remove(code)
if len(global_perms) > 0 and (len(codenames) == 0 or any_perm):
return queryset
# Now we should extract list of pk values for which we would filter
# queryset
group_model = get_group_obj_perms_model(queryset.model)
groups_obj_perms_queryset = (group_model.objects
.filter(group=group)
.filter(permission__content_type=ctype))
if len(codenames):
groups_obj_perms_queryset = groups_obj_perms_queryset.filter(
permission__codename__in=codenames)
if group_model.objects.is_generic():
fields = ['object_pk', 'permission__codename']
else:
fields = ['content_object__pk', 'permission__codename']
if not any_perm and len(codenames):
groups_obj_perms = groups_obj_perms_queryset.values_list(*fields)
data = list(groups_obj_perms)
keyfunc = lambda t: t[0] # sorting/grouping by pk (first in result tuple)
data = sorted(data, key=keyfunc)
pk_list = []
for pk, group in groupby(data, keyfunc):
obj_codenames = set((e[1] for e in group))
if any_perm or codenames.issubset(obj_codenames):
pk_list.append(pk)
objects = queryset.filter(pk__in=pk_list)
return objects
values = groups_obj_perms_queryset.values_list(fields[0], flat=True)
if group_model.objects.is_generic():
values = list(values)
return queryset.filter(pk__in=values)
def get_objects_for_user(user, perms, klass=None, use_groups=True, any_perm=False,
with_superuser=True, accept_global_perms=True):
"""
Returns queryset of objects for which a given ``user`` has *all*
permissions present at ``perms``.
:param user: ``User`` or ``AnonymousUser`` instance for which objects would
be returned.
:param perms: single permission string, or sequence of permission strings
which should be checked.
If ``klass`` parameter is not given, those should be full permission
names rather than only codenames (i.e. ``auth.change_user``). If more than
one permission is present within sequence, their content type **must** be
the same or ``MixedContentTypeError`` exception would be raised.
:param klass: may be a Model, Manager or QuerySet object. If not given
this parameter would be computed based on given ``params``.
:param use_groups: if ``False``, wouldn't check user's groups object
permissions. Default is ``True``.
:param any_perm: if True, any of permission in sequence is accepted. Default is ``False``.
:param with_superuser: if ``True`` and if ``user.is_superuser`` is set,
returns the entire queryset. Otherwise will only return objects the user
has explicit permissions. This must be ``True`` for the accept_global_perms
parameter to have any affect. Default is ``True``.
:param accept_global_perms: if ``True`` takes global permissions into account.
Object based permissions are taken into account if more than one permission is handed in in perms and at least
one of these perms is not globally set. If any_perm is set to false then the intersection of matching object
is returned. Note, that if with_superuser is False, accept_global_perms will be ignored, which means that only
object permissions will be checked! Default is ``True``.
:raises MixedContentTypeError: when computed content type for ``perms``
and/or ``klass`` clashes.
:raises WrongAppError: if cannot compute app label for given ``perms``/
``klass``.
Example::
>>> from django.contrib.auth.models import User
>>> from guardian.shortcuts import get_objects_for_user
>>> joe = User.objects.get(username='******')
>>> get_objects_for_user(joe, 'auth.change_group')
[]
>>> from guardian.shortcuts import assign_perm
>>> group = Group.objects.create('some group')
>>> assign_perm('auth.change_group', joe, group)
>>> get_objects_for_user(joe, 'auth.change_group')
[<Group some group>]
The permission string can also be an iterable. Continuing with the previous example:
>>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'])
[]
>>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'], any_perm=True)
[<Group some group>]
>>> assign_perm('auth.delete_group', joe, group)
>>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'])
[<Group some group>]
Take global permissions into account:
>>> jack = User.objects.get(username='******')
>>> assign_perm('auth.change_group', jack) # this will set a global permission
>>> get_objects_for_user(jack, 'auth.change_group')
[<Group some group>]
>>> group2 = Group.objects.create('other group')
>>> assign_perm('auth.delete_group', jack, group2)
>>> get_objects_for_user(jack, ['auth.change_group', 'auth.delete_group']) # this retrieves intersection
[<Group other group>]
>>> get_objects_for_user(jack, ['auth.change_group', 'auth.delete_group'], any_perm) # this retrieves union
[<Group some group>, <Group other group>]
If accept_global_perms is set to ``True``, then all assigned global
permissions will also be taken into account.
- Scenario 1: a user has view permissions generally defined on the model
'books' but no object based permission on a single book instance:
- If accept_global_perms is ``True``: List of all books will be
returned.
- If accept_global_perms is ``False``: list will be empty.
- Scenario 2: a user has view permissions generally defined on the model
'books' and also has an object based permission to view book 'Whatever':
- If accept_global_perms is ``True``: List of all books will be
returned.
- If accept_global_perms is ``False``: list will only contain book
'Whatever'.
- Scenario 3: a user only has object based permission on book 'Whatever':
- If accept_global_perms is ``True``: List will only contain book
'Whatever'.
- If accept_global_perms is ``False``: List will only contain book
'Whatever'.
- Scenario 4: a user does not have any permission:
- If accept_global_perms is ``True``: Empty list.
- If accept_global_perms is ``False``: Empty list.
"""
if isinstance(perms, basestring):
perms = [perms]
ctype = None
app_label = None
codenames = set()
# Compute codenames set and ctype if possible
for perm in perms:
if '.' in perm:
new_app_label, codename = perm.split('.', 1)
if app_label is not None and app_label != new_app_label:
raise MixedContentTypeError("Given perms must have same app "
"label (%s != %s)" % (app_label, new_app_label))
else:
app_label = new_app_label
else:
codename = perm
codenames.add(codename)
if app_label is not None:
new_ctype = ContentType.objects.get(app_label=app_label,
permission__codename=codename)
if ctype is not None and ctype != new_ctype:
raise MixedContentTypeError("ContentType was once computed "
"to be %s and another one %s" % (ctype, new_ctype))
else:
ctype = new_ctype
# Compute queryset and ctype if still missing
if ctype is None and klass is not None:
queryset = _get_queryset(klass)
ctype = get_content_type(queryset.model)
elif ctype is not None and klass is None:
queryset = _get_queryset(ctype.model_class())
elif klass is None:
raise WrongAppError("Cannot determine content type")
else:
queryset = _get_queryset(klass)
if ctype.model_class() != queryset.model:
raise MixedContentTypeError("Content type for given perms and "
"klass differs")
# At this point, we should have both ctype and queryset and they should
# match which means: ctype.model_class() == queryset.model
# we should also have ``codenames`` list
# First check if user is superuser and if so, return queryset immediately
if with_superuser and user.is_superuser:
return queryset
# Check if the user is anonymous. The
# django.contrib.auth.models.AnonymousUser object doesn't work for queries
# and it's nice to be able to pass in request.user blindly.
if user.is_anonymous:
user = get_anonymous_user()
global_perms = set()
has_global_perms = False
# a superuser has by default assigned global perms for any
if accept_global_perms and with_superuser:
for code in codenames:
if user.has_perm(ctype.app_label + '.' + code):
global_perms.add(code)
for code in global_perms:
codenames.remove(code)
# prerequisite: there must be elements in global_perms otherwise just follow the procedure for
# object based permissions only AND
# 1. codenames is empty, which means that permissions are ONLY set globally, therefore return the full queryset.
# OR
# 2. any_perm is True, then the global permission beats the object based permission anyway,
# therefore return full queryset
if len(global_perms) > 0 and (len(codenames) == 0 or any_perm):
return queryset
# if we have global perms and still some object based perms differing from global perms and any_perm is set
# to false, then we have to flag that global perms exist in order to merge object based permissions by user
# and by group correctly. Scenario: global perm change_xx and object based perm delete_xx on object A for user,
# and object based permission delete_xx on object B for group, to which user is assigned.
# get_objects_for_user(user, [change_xx, delete_xx], use_groups=True, any_perm=False, accept_global_perms=True)
# must retrieve object A and B.
elif len(global_perms) > 0 and (len(codenames) > 0):
has_global_perms = True
# Now we should extract list of pk values for which we would filter
# queryset
user_model = get_user_obj_perms_model(queryset.model)
user_obj_perms_queryset = (user_model.objects
.filter(user=user)
.filter(permission__content_type=ctype))
groups_obj_perms_queryset = None
organizations_obj_perms_queryset = None
group_fields = None
organization_fields = None
organization_model = None
group_model = None
if len(codenames):
user_obj_perms_queryset = user_obj_perms_queryset.filter(
permission__codename__in=codenames)
direct_fields = ['content_object__pk', 'permission__codename']
generic_fields = ['object_pk', 'permission__codename']
if user_model.objects.is_generic():
user_fields = generic_fields
else:
user_fields = direct_fields
if use_groups:
group_model = get_group_obj_perms_model(queryset.model)
group_filters = {
'permission__content_type': ctype,
'group__%s' % get_user_model().groups.field.related_query_name(): user,
}
if len(codenames):
group_filters.update({
'permission__codename__in': codenames,
})
groups_obj_perms_queryset = group_model.objects.filter(**group_filters)
if group_model.objects.is_generic():
group_fields = generic_fields
else:
group_fields = direct_fields
# Orgs
organization_model = get_organization_obj_perms_model(queryset.model)
organization_filters = {
'permission__content_type': ctype,
'permission__codename__in': codenames,
'organization__users': user,
}
organizations_obj_perms_queryset = organization_model.objects.filter(**organization_filters)
if organization_model.objects.is_generic():
organization_fields = generic_fields
else:
organization_fields = direct_fields
if not any_perm and len(codenames) and not has_global_perms:
user_obj_perms = user_obj_perms_queryset.values_list(*user_fields)
groups_obj_perms = groups_obj_perms_queryset.values_list(*group_fields)
organizations_obj_perms = organizations_obj_perms_queryset.values_list(*organization_fields)
data = list(user_obj_perms) + list(groups_obj_perms) + list(organizations_obj_perms)
# sorting/grouping by pk (first in result tuple)
keyfunc = lambda t: t[0]
data = sorted(data, key=keyfunc)
pk_list = []
for pk, group in groupby(data, keyfunc):
obj_codenames = set((e[1] for e in group))
if codenames.issubset(obj_codenames):
pk_list.append(pk)
objects = queryset.filter(pk__in=pk_list)
return objects
if not any_perm and len(codenames) > 1:
counts = user_obj_perms_queryset.values(
user_fields[0]).annotate(object_pk_count=Count(user_fields[0]))
user_obj_perms_queryset = counts.filter(
object_pk_count__gte=len(codenames))
values = user_obj_perms_queryset.values_list(user_fields[0], flat=True)
if user_model.objects.is_generic():
values = set(values)
q = Q(pk__in=values)
if use_groups:
values = groups_obj_perms_queryset.values_list(group_fields[0], flat=True)
if group_model.objects.is_generic():
values = set(values)
q |= Q(pk__in=values)
values = organizations_obj_perms_queryset.values_list(organization_fields[0], flat=True)
if organization_model.objects.is_generic():
values = list(values)
q |= Q(pk__in=values)
return queryset.filter(q)
def test_get_content_type(self):
with mock.patch('guardian.conf.settings.GET_CONTENT_TYPE', 'guardian.testapp.tests.test_conf.get_test_content_type'):
self.assertEqual(get_content_type(None), 'x')
def get_objects_for_user(user,
perms,
klass=None,
use_groups=True,
any_perm=False,
with_superuser=True,
accept_global_perms=True):
"""
Returns queryset of objects for which a given ``user`` has *all*
permissions present at ``perms``.
If ``perms`` is an empty list, then it returns objects for which
a given ``user`` has *any* object permission.
:param user: ``User`` or ``AnonymousUser`` instance for which objects would
be returned.
:param perms: single permission string, or sequence of permission strings
which should be checked.
If ``klass`` parameter is not given, those should be full permission
names rather than only codenames (i.e. ``auth.change_user``). If more than
one permission is present within sequence, their content type **must** be
the same or ``MixedContentTypeError`` exception would be raised.
:param klass: may be a Model, Manager or QuerySet object. If not given
this parameter would be computed based on given ``params``.
:param use_groups: if ``False``, wouldn't check user's groups object
permissions. Default is ``True``.
:param any_perm: if True, any of permission in sequence is accepted. Default is ``False``.
:param with_superuser: if ``True`` and if ``user.is_superuser`` is set,
returns the entire queryset. Otherwise will only return objects the user
has explicit permissions. This must be ``True`` for the accept_global_perms
parameter to have any affect. Default is ``True``.
:param accept_global_perms: if ``True`` takes global permissions into account.
Object based permissions are taken into account if more than one permission is handed in in perms and at least
one of these perms is not globally set. If any_perm is set to false then the intersection of matching object
is returned. Note, that if with_superuser is False, accept_global_perms will be ignored, which means that only
object permissions will be checked! Default is ``True``.
:raises MixedContentTypeError: when computed content type for ``perms``
and/or ``klass`` clashes.
:raises WrongAppError: if cannot compute app label for given ``perms``/
``klass``.
Example::
>>> from django.contrib.auth.models import User
>>> from guardian.shortcuts import get_objects_for_user
>>> joe = User.objects.get(username='******')
>>> get_objects_for_user(joe, 'auth.change_group')
[]
>>> from guardian.shortcuts import assign_perm
>>> group = Group.objects.create('some group')
>>> assign_perm('auth.change_group', joe, group)
>>> get_objects_for_user(joe, 'auth.change_group')
[<Group some group>]
The permission string can also be an iterable. Continuing with the previous example:
>>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'])
[]
>>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'], any_perm=True)
[<Group some group>]
>>> assign_perm('auth.delete_group', joe, group)
>>> get_objects_for_user(joe, ['auth.change_group', 'auth.delete_group'])
[<Group some group>]
Take global permissions into account:
>>> jack = User.objects.get(username='******')
>>> assign_perm('auth.change_group', jack) # this will set a global permission
>>> get_objects_for_user(jack, 'auth.change_group')
[<Group some group>]
>>> group2 = Group.objects.create('other group')
>>> assign_perm('auth.delete_group', jack, group2)
>>> get_objects_for_user(jack, ['auth.change_group', 'auth.delete_group']) # this retrieves intersection
[<Group other group>]
>>> get_objects_for_user(jack, ['auth.change_group', 'auth.delete_group'], any_perm) # this retrieves union
[<Group some group>, <Group other group>]
If accept_global_perms is set to ``True``, then all assigned global
permissions will also be taken into account.
- Scenario 1: a user has view permissions generally defined on the model
'books' but no object based permission on a single book instance:
- If accept_global_perms is ``True``: List of all books will be
returned.
- If accept_global_perms is ``False``: list will be empty.
- Scenario 2: a user has view permissions generally defined on the model
'books' and also has an object based permission to view book 'Whatever':
- If accept_global_perms is ``True``: List of all books will be
returned.
- If accept_global_perms is ``False``: list will only contain book
'Whatever'.
- Scenario 3: a user only has object based permission on book 'Whatever':
- If accept_global_perms is ``True``: List will only contain book
'Whatever'.
- If accept_global_perms is ``False``: List will only contain book
'Whatever'.
- Scenario 4: a user does not have any permission:
- If accept_global_perms is ``True``: Empty list.
- If accept_global_perms is ``False``: Empty list.
"""
if isinstance(perms, basestring):
perms = [perms]
ctype = None
app_label = None
codenames = set()
# Compute codenames set and ctype if possible
for perm in perms:
if '.' in perm:
new_app_label, codename = perm.split('.', 1)
if app_label is not None and app_label != new_app_label:
raise MixedContentTypeError("Given perms must have same app "
"label (%s != %s)" %
(app_label, new_app_label))
else:
app_label = new_app_label
else:
codename = perm
codenames.add(codename)
if app_label is not None:
new_ctype = ContentType.objects.get(app_label=app_label,
permission__codename=codename)
if ctype is not None and ctype != new_ctype:
raise MixedContentTypeError("ContentType was once computed "
"to be %s and another one %s" %
(ctype, new_ctype))
else:
ctype = new_ctype
# Compute queryset and ctype if still missing
if ctype is None and klass is not None:
queryset = _get_queryset(klass)
ctype = get_content_type(queryset.model)
elif ctype is not None and klass is None:
queryset = _get_queryset(ctype.model_class())
elif klass is None:
raise WrongAppError("Cannot determine content type")
else:
queryset = _get_queryset(klass)
if ctype.model_class() != queryset.model:
raise MixedContentTypeError("Content type for given perms and "
"klass differs")
# At this point, we should have both ctype and queryset and they should
# match which means: ctype.model_class() == queryset.model
# we should also have ``codenames`` list
# First check if user is superuser and if so, return queryset immediately
if with_superuser and user.is_superuser:
return queryset
# Check if the user is anonymous. The
# django.contrib.auth.models.AnonymousUser object doesn't work for queries
# and it's nice to be able to pass in request.user blindly.
if user.is_anonymous():
user = get_anonymous_user()
global_perms = set()
has_global_perms = False
# a superuser has by default assigned global perms for any
if accept_global_perms and with_superuser:
for code in codenames:
if user.has_perm(ctype.app_label + '.' + code):
global_perms.add(code)
for code in global_perms:
codenames.remove(code)
# prerequisite: there must be elements in global_perms otherwise just follow the procedure for
# object based permissions only AND
# 1. codenames is empty, which means that permissions are ONLY set globally, therefore return the full queryset.
# OR
# 2. any_perm is True, then the global permission beats the object based permission anyway,
# therefore return full queryset
if len(global_perms) > 0 and (len(codenames) == 0 or any_perm):
return queryset
# if we have global perms and still some object based perms differing from global perms and any_perm is set
# to false, then we have to flag that global perms exist in order to merge object based permissions by user
# and by group correctly. Scenario: global perm change_xx and object based perm delete_xx on object A for user,
# and object based permission delete_xx on object B for group, to which user is assigned.
# get_objects_for_user(user, [change_xx, delete_xx], use_groups=True, any_perm=False, accept_global_perms=True)
# must retrieve object A and B.
elif len(global_perms) > 0 and (len(codenames) > 0):
has_global_perms = True
# Now we should extract list of pk values for which we would filter
# queryset
user_model = get_user_obj_perms_model(queryset.model)
user_obj_perms_queryset = (user_model.objects.filter(user=user).filter(
permission__content_type=ctype))
if len(codenames):
user_obj_perms_queryset = user_obj_perms_queryset.filter(
permission__codename__in=codenames)
direct_fields = ['content_object__pk', 'permission__codename']
generic_fields = ['object_pk', 'permission__codename']
if user_model.objects.is_generic():
user_fields = generic_fields
else:
user_fields = direct_fields
if use_groups:
group_model = get_group_obj_perms_model(queryset.model)
group_filters = {
'permission__content_type': ctype,
'group__%s' % get_user_model().groups.field.related_query_name():
user,
}
if len(codenames):
group_filters.update({
'permission__codename__in': codenames,
})
groups_obj_perms_queryset = group_model.objects.filter(**group_filters)
if group_model.objects.is_generic():
group_fields = generic_fields
else:
group_fields = direct_fields
if not any_perm and len(codenames) > 1 and not has_global_perms:
user_obj_perms = user_obj_perms_queryset.values_list(*user_fields)
groups_obj_perms = groups_obj_perms_queryset.values_list(
*group_fields)
data = list(user_obj_perms) + list(groups_obj_perms)
# sorting/grouping by pk (first in result tuple)
keyfunc = lambda t: t[0]
data = sorted(data, key=keyfunc)
pk_list = []
for pk, group in groupby(data, keyfunc):
obj_codenames = set((e[1] for e in group))
if codenames.issubset(obj_codenames):
pk_list.append(pk)
objects = queryset.filter(pk__in=pk_list)
return objects
if not any_perm and len(codenames) > 1:
counts = user_obj_perms_queryset.values(
user_fields[0]).annotate(object_pk_count=Count(user_fields[0]))
user_obj_perms_queryset = counts.filter(
object_pk_count__gte=len(codenames))
values = user_obj_perms_queryset.values_list(user_fields[0], flat=True)
if user_model.objects.is_generic():
values = set(values)
q = Q(pk__in=values)
if use_groups:
values = groups_obj_perms_queryset.values_list(group_fields[0],
flat=True)
if group_model.objects.is_generic():
values = set(values)
q |= Q(pk__in=values)
return queryset.filter(q)
def has_object_permission(self, request, view, obj):
if request.method in permissions.SAFE_METHODS:
return True
ctype = get_content_type(obj)
change_perm_name = f'change_{ctype}'
return request.user.has_perm(change_perm_name, obj)
def get_local_cache_key(self, obj, include_group_perms=True, permission_expiry=False):
"""
Returns cache key for ``_obj_perms_cache`` dict.
"""
ctype = get_content_type(obj)
return (ctype.id, force_str(obj.pk), include_group_perms, permission_expiry)
def get_queryset(self):
"""动态的计算结果集
- 如果是展开字段,这里做好是否关联查询
- 如果 bsm admin 定义了 get_queryset 方法,贼继续使用 get_queryset 进行处理
"""
admin_get_queryset = None
admin_class = self.get_bsm_model_admin()
if admin_class:
admin_get_queryset = getattr(admin_class(), 'get_queryset', None)
queryset = self.model.objects.all()
context = {'user': self.request.user}
expand_fields = self.expand_fields
if expand_fields:
expand_fields = self.translate_expand_fields(expand_fields)
expand_dict = sort_expand_fields(expand_fields)
display_fields = self.get_display_fields()
queryset = queryset_utils.queryset_prefetch(
queryset, expand_dict, context, display_fields=display_fields)
if self.action not in ['get_chart', 'group_statistics']:
queryset = queryset_utils.annotate(queryset, context=context)
queryset = self._get_queryset(queryset)
if admin_get_queryset:
queryset = admin_get_queryset(queryset, self.request, self)
# 如果开启了 guardian 数据权限检测,那么这里会进行必要的筛选
if settings.MANAGE_GUARDIAN_DATA_PERMISSION_CHECK:
# 如果不是超级用户,则进行对应的数据筛选
# FIXME: 目前只做查询类
app_models = settings.MANAGE_GUARDIAN_DATA_APP_MODELS
check_model = (isinstance(app_models, (list, set))
and f'{self.app_label}__{self.model_slug}'
in app_models)
check_not_is_superuser = not self.request.user.is_superuser
check_action = self.action in ['retrieve', 'list', 'set']
if check_not_is_superuser and check_action and check_model:
from guardian.ctypes import get_content_type
from guardian.models import UserObjectPermission, GroupObjectPermission
from django.contrib.auth.models import Permission
content_type = get_content_type(self.model)
permission = Permission.objects.filter(
codename=f'view_{self.model_slug}',
content_type=content_type).first()
content_object_set = set()
# 如果存在对应的权限
if permission:
permission_object_list = UserObjectPermission.objects.filter(
user=self.request.user,
permission=permission).values('object_pk')
for item in permission_object_list:
content_object_set.add(item['object_pk'])
user_groups = self.request.user.groups.all()
if user_groups:
group_object_list = GroupObjectPermission.objects.filter(
permission=permission,
group__in=user_groups).values('object_pk')
for item in group_object_list:
content_object_set.add(item['object_pk'])
if content_object_set:
queryset = queryset.filter(id__in=content_object_set)
return queryset
def get_unattached_users_with_perms_qset(obj,
perm,
permission_expiry=False,
with_group_users=True,
with_superusers=False,
only_with_perms_in=None):
# It's much easier without attached perms so we do it first if that is
# the case
# JOINing into the perms table is a no-go - would have to be done three times, for users, groups and orgs.
# Getting perm id first allows us to forgo this JOIN
perm_id = None
if perm:
perm_id = cache.get("permission_id_{0}".format(perm))
if not perm_id:
perm_id = Permission.objects.get(codename=perm).id
cache.set("permission_id_{0}".format(perm), perm_id, 86400)
ctype = get_content_type(obj)
user_model = get_user_obj_perms_model(obj)
related_name = user_model.user.field.related_query_name()
if user_model.objects.is_generic():
user_filters = {
'%s__content_type' % related_name: ctype,
'%s__object_pk' % related_name: obj.pk,
}
if perm_id:
user_filters.update({
'%s__permission_id' % related_name: perm_id,
})
else:
user_filters = {'%s__content_object' % related_name: obj}
qset = Q(**user_filters)
if only_with_perms_in is not None:
permission_ids = Permission.objects.filter(
content_type=ctype,
codename__in=only_with_perms_in).values_list('id', flat=True)
qset &= Q(**{
'%s__permission_id__in' % related_name: permission_ids,
})
if permission_expiry:
kwargs1 = {"%s__permission_expiry" % related_name: None}
kwargs2 = {
"%s__permission_expiry__gte" % related_name:
datetime.utcnow().replace(tzinfo=utc)
}
qset &= (Q(**kwargs1) | Q(**kwargs2))
if with_group_users:
group_model = get_group_obj_perms_model(obj)
group_rel_name = group_model.group.field.related_query_name()
if group_model.objects.is_generic():
group_filters = {
'groups__%s__content_type' % group_rel_name: ctype,
'groups__%s__object_pk' % group_rel_name: obj.pk,
}
if perm_id:
group_filters.update({
'groups__%s__permission_id' % group_rel_name:
perm_id,
})
else:
group_filters = {
'groups__%s__content_object' % group_rel_name: obj,
}
if only_with_perms_in is not None:
permission_ids = Permission.objects.filter(
content_type=ctype,
codename__in=only_with_perms_in).values_list('id', flat=True)
group_filters.update({
'groups__%s__permission_id__in' % group_rel_name:
permission_ids,
})
qset = qset | Q(**group_filters)
org_model = get_organization_obj_perms_model(obj)
organization_rel_name = org_model.organization.field.related_query_name(
)
if org_model.objects.is_generic():
organization_filters = {
'organizations_organization__%s__content_type' % organization_rel_name:
ctype,
'organizations_organization__%s__object_pk' % organization_rel_name:
obj.pk,
}
if perm_id:
organization_filters.update({
'organizations_organization__%s__permission_id' % organization_rel_name:
perm_id,
})
else:
organization_filters = {
'organizations_organization__%s__content_object' % organization_rel_name:
obj
}
if permission_expiry:
kwargs1 = {
"organizations_organization__%s__permission_expiry" % organization_rel_name:
None
}
kwargs2 = {
"organizations_organization__%s__permission_expiry__gte" % organization_rel_name:
datetime.utcnow().replace(tzinfo=utc)
}
qset &= (Q(**kwargs1) | Q(**kwargs2))
qset = qset | Q(**organization_filters)
if with_superusers:
qset = qset | Q(is_superuser=True)
return qset
def get_users_with_perms(obj, attach_perms=False, with_superusers=False,
with_group_users=True):
"""
Returns queryset of all ``User`` objects with *any* object permissions for
the given ``obj``.
:param obj: persisted Django's ``Model`` instance
:param attach_perms: Default: ``False``. If set to ``True`` result would be
dictionary of ``User`` instances with permissions' codenames list as
values. This would fetch users eagerly!
:param with_superusers: Default: ``False``. If set to ``True`` result would
contain all superusers.
:param with_group_users: Default: ``True``. If set to ``False`` result would
**not** contain those users who have only group permissions for given
``obj``.
Example::
>>> from django.contrib.flatpages.models import FlatPage
>>> from django.contrib.auth.models import User
>>> from guardian.shortcuts import assign_perm, get_users_with_perms
>>>
>>> page = FlatPage.objects.create(title='Some page', path='/some/page/')
>>> joe = User.objects.create_user('joe', '*****@*****.**', 'joesecret')
>>> assign_perm('change_flatpage', joe, page)
>>>
>>> get_users_with_perms(page)
[<User: joe>]
>>>
>>> get_users_with_perms(page, attach_perms=True)
{<User: joe>: [u'change_flatpage']}
"""
ctype = get_content_type(obj)
if not attach_perms:
# It's much easier without attached perms so we do it first if that is
# the case
user_model = get_user_obj_perms_model(obj)
related_name = user_model.user.field.related_query_name()
if user_model.objects.is_generic():
user_filters = {
'%s__content_type' % related_name: ctype,
'%s__object_pk' % related_name: obj.pk,
}
else:
user_filters = {'%s__content_object' % related_name: obj}
qset = Q(**user_filters)
if with_group_users:
group_model = get_group_obj_perms_model(obj)
group_rel_name = group_model.group.field.related_query_name()
if group_model.objects.is_generic():
group_filters = {
'groups__%s__content_type' % group_rel_name: ctype,
'groups__%s__object_pk' % group_rel_name: obj.pk,
}
else:
group_filters = {
'groups__%s__content_object' % group_rel_name: obj,
}
qset = qset | Q(**group_filters)
if with_superusers:
qset = qset | Q(is_superuser=True)
return get_user_model().objects.filter(qset).distinct()
else:
# TODO: Do not hit db for each user!
users = {}
for user in get_users_with_perms(obj,
with_group_users=with_group_users,
with_superusers=with_superusers):
# TODO: Support the case of set with_group_users but not with_superusers.
if with_group_users or with_superusers:
users[user] = sorted(get_perms(user, obj))
else:
users[user] = sorted(get_user_perms(user, obj))
return users
def get_local_cache_key(self, obj):
"""
Returns cache key for ``_obj_perms_cache`` dict.
"""
ctype = get_content_type(obj)
return (ctype.id, force_text(obj.pk))
def get_local_cache_key(self, obj, include_group_perms=True, permission_expiry=False):
"""
Returns cache key for ``_obj_perms_cache`` dict.
"""
ctype = get_content_type(obj)
return (ctype.id, force_text(obj.pk), include_group_perms, permission_expiry)
def get_unattached_users_with_perms_qset(obj, perm, permission_expiry=False, with_group_users=True, with_superusers=False):
# It's much easier without attached perms so we do it first if that is
# the case
# JOINing into the perms table is a no-go - would have to be done three times, for users, groups and orgs.
# Getting perm id first allows us to forgo this JOIN
perm_id = None
if perm:
perm_id = cache.get("permission_id_{0}".format(perm))
if not perm_id:
perm_id = Permission.objects.get(codename=perm).id
cache.set("permission_id_{0}".format(perm), perm_id, 86400)
ctype = get_content_type(obj)
user_model = get_user_obj_perms_model(obj)
related_name = user_model.user.field.related_query_name()
if user_model.objects.is_generic():
user_filters = {
'%s__content_type' % related_name: ctype,
'%s__object_pk' % related_name: obj.pk,
}
if perm_id:
user_filters.update({
'%s__permission_id' % related_name: perm_id,
})
else:
user_filters = {'%s__content_object' % related_name: obj}
qset = Q(**user_filters)
if permission_expiry:
kwargs1 = {"%s__permission_expiry" % related_name: None}
kwargs2 = {"%s__permission_expiry__gte" % related_name: datetime.utcnow().replace(tzinfo=utc)}
qset &= (Q(**kwargs1) | Q(**kwargs2))
if with_group_users:
group_model = get_group_obj_perms_model(obj)
group_rel_name = group_model.group.field.related_query_name()
if group_model.objects.is_generic():
group_filters = {
'groups__%s__content_type' % group_rel_name: ctype,
'groups__%s__object_pk' % group_rel_name: obj.pk,
}
if perm_id:
group_filters.update({
'groups__%s__permission_id' % group_rel_name: perm_id,
})
else:
group_filters = {
'groups__%s__content_object' % group_rel_name: obj,
}
qset = qset | Q(**group_filters)
org_model = get_organization_obj_perms_model(obj)
organization_rel_name = org_model.organization.field.related_query_name()
if org_model.objects.is_generic():
organization_filters = {
'organizations_organization__%s__content_type' % organization_rel_name: ctype,
'organizations_organization__%s__object_pk' % organization_rel_name: obj.pk,
}
if perm_id:
organization_filters.update({
'organizations_organization__%s__permission_id' % organization_rel_name: perm_id,
})
else:
organization_filters = {
'organizations_organization__%s__content_object' % organization_rel_name: obj
}
if permission_expiry:
kwargs1 = {"organizations_organization__%s__permission_expiry" % organization_rel_name: None}
kwargs2 = {"organizations_organization__%s__permission_expiry__gte" % organization_rel_name: datetime.utcnow().replace(tzinfo=utc)}
qset &= (Q(**kwargs1) | Q(**kwargs2))
qset = qset | Q(**organization_filters)
if with_superusers:
qset = qset | Q(is_superuser=True)
return qset
def get_users_with_perms(obj,
attach_perms=False,
with_superusers=False,
with_group_users=True):
"""
Returns queryset of all ``User`` objects with *any* object permissions for
the given ``obj``.
:param obj: persisted Django's ``Model`` instance
:param attach_perms: Default: ``False``. If set to ``True`` result would be
dictionary of ``User`` instances with permissions' codenames list as
values. This would fetch users eagerly!
:param with_superusers: Default: ``False``. If set to ``True`` result would
contain all superusers.
:param with_group_users: Default: ``True``. If set to ``False`` result would
**not** contain those users who have only group permissions for given
``obj``.
Example::
>>> from django.contrib.flatpages.models import FlatPage
>>> from django.contrib.auth.models import User
>>> from guardian.shortcuts import assign_perm, get_users_with_perms
>>>
>>> page = FlatPage.objects.create(title='Some page', path='/some/page/')
>>> joe = User.objects.create_user('joe', '*****@*****.**', 'joesecret')
>>> assign_perm('change_flatpage', joe, page)
>>>
>>> get_users_with_perms(page)
[<User: joe>]
>>>
>>> get_users_with_perms(page, attach_perms=True)
{<User: joe>: [u'change_flatpage']}
"""
ctype = get_content_type(obj)
if not attach_perms:
# It's much easier without attached perms so we do it first if that is
# the case
user_model = get_user_obj_perms_model(obj)
related_name = user_model.user.field.related_query_name()
if user_model.objects.is_generic():
user_filters = {
'%s__content_type' % related_name: ctype,
'%s__object_pk' % related_name: obj.pk,
}
else:
user_filters = {'%s__content_object' % related_name: obj}
qset = Q(**user_filters)
if with_group_users:
group_model = get_group_obj_perms_model(obj)
group_rel_name = group_model.group.field.related_query_name()
if group_model.objects.is_generic():
group_filters = {
'groups__%s__content_type' % group_rel_name: ctype,
'groups__%s__object_pk' % group_rel_name: obj.pk,
}
else:
group_filters = {
'groups__%s__content_object' % group_rel_name: obj,
}
qset = qset | Q(**group_filters)
if with_superusers:
qset = qset | Q(is_superuser=True)
return get_user_model().objects.filter(qset).distinct()
else:
# TODO: Do not hit db for each user!
users = {}
for user in get_users_with_perms(obj,
with_group_users=with_group_users,
with_superusers=with_superusers):
# TODO: Support the case of set with_group_users but not with_superusers.
if with_group_users or with_superusers:
users[user] = sorted(get_perms(user, obj))
else:
users[user] = sorted(get_user_perms(user, obj))
return users
def get_local_cache_key(self, obj):
"""
Returns cache key for ``_obj_perms_cache`` dict.
"""
ctype = get_content_type(obj)
return (ctype.id, force_text(obj.pk))
def get_objects_for_group(group,
perms,
klass=None,
any_perm=False,
accept_global_perms=True):
"""
Returns queryset of objects for which a given ``group`` has *all*
permissions present at ``perms``.
:param group: ``Group`` instance for which objects would be returned.
:param perms: single permission string, or sequence of permission strings
which should be checked.
If ``klass`` parameter is not given, those should be full permission
names rather than only codenames (i.e. ``auth.change_user``). If more than
one permission is present within sequence, their content type **must** be
the same or ``MixedContentTypeError`` exception would be raised.
:param klass: may be a Model, Manager or QuerySet object. If not given
this parameter would be computed based on given ``params``.
:param any_perm: if True, any of permission in sequence is accepted
:param accept_global_perms: if ``True`` takes global permissions into account.
If any_perm is set to false then the intersection of matching objects based on global and object based permissions
is returned. Default is ``True``.
:raises MixedContentTypeError: when computed content type for ``perms``
and/or ``klass`` clashes.
:raises WrongAppError: if cannot compute app label for given ``perms``/
``klass``.
Example:
Let's assume we have a ``Task`` model belonging to the ``tasker`` app with
the default add_task, change_task and delete_task permissions provided
by Django::
>>> from guardian.shortcuts import get_objects_for_group
>>> from tasker import Task
>>> group = Group.objects.create('some group')
>>> task = Task.objects.create('some task')
>>> get_objects_for_group(group, 'tasker.add_task')
[]
>>> from guardian.shortcuts import assign_perm
>>> assign_perm('tasker.add_task', group, task)
>>> get_objects_for_group(group, 'tasker.add_task')
[<Task some task>]
The permission string can also be an iterable. Continuing with the previous example:
>>> get_objects_for_group(group, ['tasker.add_task', 'tasker.delete_task'])
[]
>>> assign_perm('tasker.delete_task', group, task)
>>> get_objects_for_group(group, ['tasker.add_task', 'tasker.delete_task'])
[<Task some task>]
Global permissions assigned to the group are also taken into account. Continuing with previous example:
>>> task_other = Task.objects.create('other task')
>>> assign_perm('tasker.change_task', group)
>>> get_objects_for_group(group, ['tasker.change_task'])
[<Task some task>, <Task other task>]
>>> get_objects_for_group(group, ['tasker.change_task'], accept_global_perms=False)
[<Task some task>]
"""
if isinstance(perms, basestring):
perms = [perms]
ctype = None
app_label = None
codenames = set()
# Compute codenames set and ctype if possible
for perm in perms:
if '.' in perm:
new_app_label, codename = perm.split('.', 1)
if app_label is not None and app_label != new_app_label:
raise MixedContentTypeError("Given perms must have same app "
"label (%s != %s)" %
(app_label, new_app_label))
else:
app_label = new_app_label
else:
codename = perm
codenames.add(codename)
if app_label is not None:
new_ctype = ContentType.objects.get(app_label=app_label,
permission__codename=codename)
if ctype is not None and ctype != new_ctype:
raise MixedContentTypeError("ContentType was once computed "
"to be %s and another one %s" %
(ctype, new_ctype))
else:
ctype = new_ctype
# Compute queryset and ctype if still missing
if ctype is None and klass is not None:
queryset = _get_queryset(klass)
ctype = get_content_type(queryset.model)
elif ctype is not None and klass is None:
queryset = _get_queryset(ctype.model_class())
elif klass is None:
raise WrongAppError("Cannot determine content type")
else:
queryset = _get_queryset(klass)
if ctype.model_class() != queryset.model:
raise MixedContentTypeError("Content type for given perms and "
"klass differs")
# At this point, we should have both ctype and queryset and they should
# match which means: ctype.model_class() == queryset.model
# we should also have ``codenames`` list
global_perms = set()
if accept_global_perms:
global_perm_set = group.permissions.values_list('codename', flat=True)
for code in codenames:
if code in global_perm_set:
global_perms.add(code)
for code in global_perms:
codenames.remove(code)
if len(global_perms) > 0 and (len(codenames) == 0 or any_perm):
return queryset
# Now we should extract list of pk values for which we would filter
# queryset
group_model = get_group_obj_perms_model(queryset.model)
groups_obj_perms_queryset = (group_model.objects.filter(
group=group).filter(permission__content_type=ctype))
if len(codenames):
groups_obj_perms_queryset = groups_obj_perms_queryset.filter(
permission__codename__in=codenames)
if group_model.objects.is_generic():
fields = ['object_pk', 'permission__codename']
else:
fields = ['content_object__pk', 'permission__codename']
if not any_perm and len(codenames):
groups_obj_perms = groups_obj_perms_queryset.values_list(*fields)
data = list(groups_obj_perms)
keyfunc = lambda t: t[
0] # sorting/grouping by pk (first in result tuple)
data = sorted(data, key=keyfunc)
pk_list = []
for pk, group in groupby(data, keyfunc):
obj_codenames = set((e[1] for e in group))
if any_perm or codenames.issubset(obj_codenames):
pk_list.append(pk)
objects = queryset.filter(pk__in=pk_list)
return objects
values = groups_obj_perms_queryset.values_list(fields[0], flat=True)
if group_model.objects.is_generic():
values = list(values)
return queryset.filter(pk__in=values)
def get_users_with_perms(obj,
attach_perms=False,
with_superusers=False,
with_group_users=True,
only_with_perms_in=None):
"""
Returns queryset of all ``User`` objects with *any* object permissions for
the given ``obj``.
:param obj: persisted Django's ``Model`` instance
:param attach_perms: Default: ``False``. If set to ``True`` result would be
dictionary of ``User`` instances with permissions' codenames list as
values. This would fetch users eagerly!
:param with_superusers: Default: ``False``. If set to ``True`` result would
contain all superusers.
:param with_group_users: Default: ``True``. If set to ``False`` result would
**not** contain those users who have only group permissions for given
``obj``.
:param only_with_perms_in: Default: ``None``. If set to an iterable of
permission strings then only users with those permissions would be
returned.
Example::
>>> from django.contrib.flatpages.models import FlatPage
>>> from django.contrib.auth.models import User
>>> from guardian.shortcuts import assign_perm, get_users_with_perms
>>>
>>> page = FlatPage.objects.create(title='Some page', path='/some/page/')
>>> joe = User.objects.create_user('joe', '*****@*****.**', 'joesecret')
>>> dan = User.objects.create_user('dan', '*****@*****.**', 'dansecret')
>>> assign_perm('change_flatpage', joe, page)
>>> assign_perm('delete_flatpage', dan, page)
>>>
>>> get_users_with_perms(page)
[<User: joe>, <User: dan>]
>>>
>>> get_users_with_perms(page, attach_perms=True)
{<User: joe>: [u'change_flatpage'], <User: dan>: [u'delete_flatpage']}
>>> get_users_with_perms(page, only_with_perms_in=['change_flatpage'])
[<User: joe>]
"""
ctype = get_content_type(obj)
if not attach_perms:
# It's much easier without attached perms so we do it first if that is
# the case
user_model = get_user_obj_perms_model(obj)
related_name = user_model.user.field.related_query_name()
if user_model.objects.is_generic():
user_filters = {
'%s__content_type' % related_name: ctype,
'%s__object_pk' % related_name: obj.pk,
}
else:
user_filters = {'%s__content_object' % related_name: obj}
qset = Q(**user_filters)
if only_with_perms_in is not None:
permission_ids = Permission.objects.filter(
content_type=ctype,
codename__in=only_with_perms_in).values_list('id', flat=True)
qset &= Q(**{
'%s__permission_id__in' % related_name: permission_ids,
})
if with_group_users:
group_model = get_group_obj_perms_model(obj)
if group_model.objects.is_generic():
group_obj_perm_filters = {
'content_type': ctype,
'object_pk': obj.pk,
}
else:
group_obj_perm_filters = {
'content_object': obj,
}
if only_with_perms_in is not None:
group_obj_perm_filters.update({
'permission_id__in':
permission_ids,
})
group_ids = set(
group_model.objects.filter(
**group_obj_perm_filters).values_list(
'group_id', flat=True).distinct())
qset = qset | Q(groups__in=group_ids)
if with_superusers:
qset = qset | Q(is_superuser=True)
return get_user_model().objects.filter(qset).distinct()
else:
# TODO: Do not hit db for each user!
users = {}
for user in get_users_with_perms(obj,
with_group_users=with_group_users,
only_with_perms_in=only_with_perms_in,
with_superusers=with_superusers):
# TODO: Support the case of set with_group_users but not with_superusers.
if with_group_users or with_superusers:
users[user] = sorted(get_perms(user, obj))
else:
users[user] = sorted(get_user_perms(user, obj))
return users
