def acc_authorize_action(req, name_action, authorized_if_no_roles=False, **arguments):
    """
    Check whether the user behind req may run name_action with the given
    arguments.

    req may be the request object, the user_info dictionary or the uid; it
    is resolved through collect_user_info. When authorized_if_no_roles is
    True and no role other than superadmin is authorized for the action,
    access is granted.

    @param req: request object, user_info dictionary or uid.
    @param name_action: name of the action to check.
    @param authorized_if_no_roles: grant access when no role is authorized.
    @param arguments: the arguments of the action.
    @return: (0, msg) when authorized, (1, msg) or (20, msg) when not.
    @rtype: tuple of (int, string)
    """
    user_info = collect_user_info(req)
    candidate_roles = acc_find_possible_roles(name_action, always_add_superadmin=False, **arguments)

    ## Membership in any authorized role grants access; any() stops at the
    ## first role the user belongs to, exactly like an explicit loop would.
    if any(acc_is_user_in_role(user_info, id_role) for id_role in candidate_roles):
        return (0, CFG_WEBACCESS_WARNING_MSGS[0])

    ## Superadmin is checked separately because it was excluded from the
    ## candidate list above (always_add_superadmin=False).
    if acc_is_user_in_role(user_info, CFG_SUPERADMINROLE_ID):
        return (0, CFG_WEBACCESS_WARNING_MSGS[0])

    if not candidate_roles:
        ## Nothing at all is authorized for this action/arguments pair.
        if authorized_if_no_roles:
            return (0, CFG_WEBACCESS_WARNING_MSGS[0])
        ## name_action is echoed back in the message, hence the escaping.
        return (20, CFG_WEBACCESS_WARNING_MSGS[20] % cgi.escape(name_action))

    ## Denied. Inside a web request the message additionally carries the
    ## URI-specific hint built from CFG_WEBACCESS_MSGS[0] and [1].
    hint = ""
    if user_info['uri']:
        hint = "%s %s" % (CFG_WEBACCESS_MSGS[0] % quote(user_info['uri']), CFG_WEBACCESS_MSGS[1])
    return (1, "%s %s" % (CFG_WEBACCESS_WARNING_MSGS[1], hint))
def isRefereed(doctype, categ="*"):
    """
    Return True when at least one role other than SUPERADMINROLE is
    authorized for the 'referee' action on the given doctype/categ,
    False otherwise.

    @param doctype: the document type.
    @param categ: the category; "*" by default.
    @rtype: bool
    """
    referee_roles = acc_find_possible_roles('referee', always_add_superadmin=False, doctype=doctype, categ=categ)
    ## Superadmin is deliberately left out of the lookup, so an empty
    ## result really means "nobody but superadmin refereeing".
    return bool(referee_roles)
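def acc_authorize_action(req, name_action, authorized_if_no_roles=False, **arguments):
    """
    Check whether the user behind req may run name_action with the given
    arguments.

    req may be a UserInfo object, a user_info dictionary, a uid, or any
    other object (typically a request), in which case the identity of the
    currently logged-in Flask user is used. When authorized_if_no_roles is
    True and no role other than superadmin is authorized for the action,
    access is granted.

    @param req: UserInfo, user_info dictionary, uid or request object.
    @param name_action: name of the action to check.
    @param authorized_if_no_roles: grant access when no role is authorized.
    @param arguments: the arguments of the action.
    @return: (0, msg) when authorized, (1, msg) or (20, msg) when not.
    @rtype: tuple of (int, string)
    """
    ## Imported lazily, as in the original, presumably to avoid an import
    ## cycle with the Flask user layer.
    from invenio.webuser_flask import UserInfo

    ## Resolve the caller's identity from whichever form req takes.
    if isinstance(req, UserInfo):
        user_info = req
    elif isinstance(req, dict):
        ## NOTE(review): a caller-supplied dictionary is trusted as-is as the
        ## identity being authorized; only dictionaries produced by
        ## collect_user_info / the session layer should reach this branch.
        user_info = req
    elif not isinstance(req, (int, long)):
        ## FIXME (kept from the original): req itself is ignored here and the
        ## identity is taken from the logged-in Flask user instead.
        user_info = collect_user_info(current_user.get_id())
    else:
        user_info = collect_user_info(req)

    authorized_roles = acc_find_possible_roles(name_action, always_add_superadmin=False, **arguments)

    ## Work on a copy: the object returned by acc_find_possible_roles may be
    ## shared (e.g. cached by that helper), so superadmin must not be added
    ## to it in place.
    roles = set(authorized_roles)
    roles.add(CFG_SUPERADMINROLE_ID)
    if acc_is_user_in_any_role(user_info, roles):
        ## User belongs to an authorized role or is superadmin.
        return (0, CFG_WEBACCESS_WARNING_MSGS[0])

    ## "No role is authorized" is decided on the lookup result itself rather
    ## than on len(roles) <= 1, so that a superadmin role explicitly listed
    ## for the action is not mistaken for "nothing authorized" (which would
    ## grant access to everyone when authorized_if_no_roles is True).
    if not authorized_roles:
        if authorized_if_no_roles:
            return (0, CFG_WEBACCESS_WARNING_MSGS[0])
        ## name_action is echoed back in the message, hence the escaping.
        return (20, CFG_WEBACCESS_WARNING_MSGS[20] % cgi.escape(name_action))

    ## Denied. Inside a web request the message additionally carries the
    ## URI-specific hint built from CFG_WEBACCESS_MSGS[0] and [1].
    uri = user_info.get('uri', '')
    hint = ""
    if uri:
        hint = "%s %s" % (CFG_WEBACCESS_MSGS[0] % quote(uri), CFG_WEBACCESS_MSGS[1])
    return (1, "%s %s" % (CFG_WEBACCESS_WARNING_MSGS[1], hint))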
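def make_list_apache_firerole(name_action, arguments):
    """
    Return the roles authorized to perform name_action with the given
    arguments whose FireRole definition expects an Apache password
    membership.

    @param name_action: name of the action.
    @param arguments: dictionary of action arguments (expanded as keywords
        into acc_find_possible_roles).
    @return: list of (role name, role description) tuples.
    @rtype: list of tuple
    """
    ## NOTE(review): unlike the other helpers in this file this lookup does
    ## not pass always_add_superadmin=False, so the superadmin role is
    ## included if that is the helper's default -- confirm this is intended.
    ret = []
    for id_role in acc_find_possible_roles(name_action, **arguments):
        res = run_sql_cached('SELECT name, description, firerole_def_ser FROM accROLE WHERE id=%s', (id_role, ), affected_tables=['accROLE'])
        if not res:
            ## The role may have disappeared since acc_find_possible_roles
            ## computed its answer; skip it rather than fail on res[0].
            continue
        name, description, firerole_def_ser = res[0]
        ## firerole_def_ser is the serialized FireRole definition stored in
        ## accROLE; deserialize comes from the FireRole module.
        if acc_firerole_suggest_apache_p(deserialize(firerole_def_ser)):
            ret.append((name, description))
    return ret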
def acc_get_authorized_emails(name_action, **arguments):
    """
    Retrieve, on a best-effort basis, the email addresses of all users
    authorized to perform name_action with the given arguments.

    Roles defined through a FireRole rule based on regular expressions or
    IP addresses cannot be expanded to an exact membership list, so not
    every authorized email is necessarily returned.

    @param name_action: the name of the action.
    @type name_action: string
    @param arguments: the arguments to the action.
    @return: the authorized emails, lower-cased and stripped.
    @rtype: set of string
    """
    emails = set()
    roles = acc_find_possible_roles(name_action, always_add_superadmin=False, **arguments)
    for id_role in roles:
        ## Explicit members: acc_get_role_users yields three-element rows of
        ## which only the second (the email) is used here.
        emails.update(email.lower().strip() for _first, email, _third in acc_get_role_users(id_role))
        ## Members implied by the role's FireRole definition.
        emails.update(acc_firerole_extract_emails(load_role_definition(id_role)))
    return emails
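def acc_authorize_action(req, name_action, authorized_if_no_roles=False, **arguments):
    """
    Check whether the user behind req may run name_action with the given
    arguments.

    req may be the request object, the user_info dictionary or the uid; it
    is resolved through collect_user_info. When authorized_if_no_roles is
    True and no role other than superadmin is authorized for the action,
    access is granted. On a CERN site, a denial for a collection under
    'e-Tendering' carries a dedicated message.

    @param req: request object, user_info dictionary or uid.
    @param name_action: name of the action to check.
    @param authorized_if_no_roles: grant access when no role is authorized.
    @param arguments: the arguments of the action.
    @return: (0, msg) when authorized, (1, msg) or (20, msg) when not.
    @rtype: tuple of (int, string)
    """
    user_info = collect_user_info(req)
    roles = acc_find_possible_roles(name_action, always_add_superadmin=False, **arguments)

    ## Membership in any authorized role grants access.
    for id_role in roles:
        if acc_is_user_in_role(user_info, id_role):
            return (0, CFG_WEBACCESS_WARNING_MSGS[0])

    ## Superadmin is checked separately because it was excluded from the
    ## lookup above (always_add_superadmin=False).
    if acc_is_user_in_role(user_info, CFG_SUPERADMINROLE_ID):
        return (0, CFG_WEBACCESS_WARNING_MSGS[0])

    if not roles:
        ## Nothing at all is authorized for this action/arguments pair.
        if authorized_if_no_roles:
            return (0, CFG_WEBACCESS_WARNING_MSGS[0])
        ## name_action is echoed back in the message, hence the escaping.
        return (20, CFG_WEBACCESS_WARNING_MSGS[20] % cgi.escape(name_action))

    ## Denied from here on; the hint appended to the message depends on
    ## whether we are inside a web request (a URI is known).
    in_a_web_request_p = bool(user_info.get('uri', ''))

    ## 'in' replaces the Python-2-only dict.has_key; the key is known to be
    ## present inside the branch, so no .get() fallback is needed.
    if CFG_CERN_SITE and 'collection' in arguments:
        ## The check applies to every action carrying a 'collection'
        ## argument, for simplicity rather than necessity. The import is
        ## local, as in the original, presumably to avoid an import cycle.
        from invenio.search_engine import get_collection_allchildren
        if arguments['collection'] in get_collection_allchildren('e-Tendering', recreate_cache_if_needed=False):
            hint = ""
            if in_a_web_request_p:
                hint = "%s %s" % (CFG_WEBACCESS_MSGS[9] % ("*****@*****.**", "*****@*****.**"), CFG_WEBACCESS_MSGS[10] % (CFG_SITE_SECURE_URL + "/goto/etendering-faq", "Frequently Asked Questions (FAQ) concerning the CERN e-tendering application"))
            return (1, "%s %s" % (CFG_WEBACCESS_WARNING_MSGS[1], hint))

    hint = ""
    if in_a_web_request_p:
        hint = "%s %s" % (CFG_WEBACCESS_MSGS[0] % quote(user_info.get('uri', '')), CFG_WEBACCESS_MSGS[1])
    return (1, "%s %s" % (CFG_WEBACCESS_WARNING_MSGS[1], hint))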