def check_permissions(self, resource, method, user):
    """Authorise ``method`` on ``resource`` for ``user``.

    Returns a truthy value when the operation is allowed and raises the
    error built by ``SuperdeskApiError.forbiddenError`` otherwise.

    Evaluation order:

    1. A falsy ``user`` is allowed immediately.
    2. ``set_privileges`` is called on the ``users`` service with the user
       and ``flask.g.role``; this happens before the GET shortcut.
    3. ``GET`` is allowed immediately.
    4. Intrinsic privileges: when the resource has an entry that lists
       ``method``, the decision is delegated to ``is_authorized()`` on the
       resource service. A falsy answer raises the forbidden error; a
       truthy answer is returned as-is.
    5. User privileges: the privilege mapped to ``method`` for the resource
       is looked up. The request is allowed when no privilege is mapped and
       ``get_no_resource_privileges(resource)`` is truthy, or when the
       user's ``active_privileges`` holds a truthy entry for it.
    6. Anything else raises the forbidden error.
    """
    # NOTE(review): a request with no user passes this check
    # unconditionally; authentication is presumably enforced before this
    # method is reached -- confirm against the caller.
    if not user:
        return True

    # Must run before the GET shortcut so it is also called for reads.
    get_resource_service("users").set_privileges(user, flask.g.role)

    # NOTE(review): GET is never privilege-checked here, so any read
    # restriction has to be enforced elsewhere -- TODO confirm.
    if method == "GET":
        return True

    message = _("Insufficient privileges for the requested operation.")

    # Intrinsic privileges take precedence over the user's privilege set.
    intrinsic_methods = get_intrinsic_privileges().get(resource)
    if intrinsic_methods and method in intrinsic_methods:
        verdict = get_resource_service(resource).is_authorized(
            user_id=str(user.get("_id")),
            _id=request.view_args.get("_id"),
            method=method,
        )
        if verdict:
            return verdict
        raise SuperdeskApiError.forbiddenError(message=message)

    granted = user.get("active_privileges", {})
    required = get_resource_privileges(resource).get(method)

    # First clause: no privilege is mapped for this method and
    # get_no_resource_privileges(resource) is truthy (presumably an
    # explicit opt-out list -- verify). Second clause: the user holds the
    # mapped privilege.
    if (not required and get_no_resource_privileges(resource)) or granted.get(
        required, False
    ):
        return True

    # Deny by default.
    raise SuperdeskApiError.forbiddenError(message=message)
def check_permissions(self, resource, method, user):
    """Authorise ``method`` on ``resource`` for ``user``.

    Returns a truthy value when the operation is allowed and raises
    ``SuperdeskApiError.forbiddenError()`` otherwise.

    Evaluation order:

    1. A falsy ``user`` is allowed immediately.
    2. ``set_privileges`` is called on the ``users`` service with the user
       and ``flask.g.role``; this happens before the GET shortcut.
    3. ``GET`` is allowed immediately.
    4. Intrinsic privileges: when the resource has an entry that lists
       ``method``, the decision is delegated to ``is_authorized()`` on the
       resource service. A falsy answer raises the forbidden error; a
       truthy answer is returned as-is.
    5. User privileges: allowed when the user's ``active_privileges`` holds
       a truthy entry for the privilege mapped to ``method``.
    6. Anything else raises the forbidden error.
    """
    # NOTE(review): a request with no user passes this check
    # unconditionally; authentication is presumably enforced before this
    # method is reached -- confirm against the caller.
    if not user:
        return True

    # Must run before the GET shortcut so it is also called for reads.
    get_resource_service('users').set_privileges(user, flask.g.role)

    # NOTE(review): GET is never privilege-checked here, so any read
    # restriction has to be enforced elsewhere -- TODO confirm.
    if method == 'GET':
        return True

    # Intrinsic privileges take precedence over the user's privilege set.
    intrinsic_methods = get_intrinsic_privileges().get(resource)
    if intrinsic_methods and method in intrinsic_methods:
        verdict = get_resource_service(resource).is_authorized(
            user_id=str(user.get('_id')),
            _id=request.view_args.get('_id'),
        )
        if verdict:
            return verdict
        raise SuperdeskApiError.forbiddenError()

    granted = user.get('active_privileges', {})
    required = get_resource_privileges(resource).get(method)

    # When no privilege is mapped for the method, `required` is None and
    # the lookup falls back to False, so the request is denied unless
    # active_privileges itself has a truthy None key.
    if not granted.get(required, False):
        raise SuperdeskApiError.forbiddenError()
    return True
def check_permissions(self, resource, method, user):
    """Authorise ``method`` on ``resource`` for ``user``.

    Returns a truthy value when the operation is allowed and raises
    ``SuperdeskApiError.forbiddenError()`` otherwise.

    Evaluation order:

    1. ``GET`` requests and requests with a falsy ``user`` are allowed
       immediately, before any privileges are loaded.
    2. ``set_privileges`` is called on the ``users`` service with the user
       and ``flask.g.role``.
    3. Intrinsic privileges: when the resource has an entry that lists
       ``method``, the decision is delegated to ``is_authorized()`` on the
       resource service. A falsy answer raises the forbidden error; a
       truthy answer is returned as-is.
    4. User privileges: allowed when the user's ``active_privileges`` holds
       a truthy entry for the privilege mapped to ``method``.
    5. Anything else raises the forbidden error.
    """
    # NOTE(review): GET is never privilege-checked here, so any read
    # restriction has to be enforced elsewhere -- TODO confirm.
    if method == 'GET':
        return True

    # NOTE(review): a request with no user passes this check
    # unconditionally; authentication is presumably enforced before this
    # method is reached -- confirm against the caller.
    if not user:
        return True

    get_resource_service('users').set_privileges(user, flask.g.role)

    # Intrinsic privileges take precedence over the user's privilege set.
    intrinsic_methods = get_intrinsic_privileges().get(resource)
    if intrinsic_methods and method in intrinsic_methods:
        # NOTE(review): the value passed as user_id is the `_id` taken
        # from the URL view args, not the requesting user's own id --
        # confirm that is_authorized() expects this.
        verdict = get_resource_service(resource).is_authorized(
            user_id=request.view_args.get('_id'),
        )
        if verdict:
            return verdict
        raise SuperdeskApiError.forbiddenError()

    granted = user.get('active_privileges', {})
    required = get_resource_privileges(resource).get(method)

    # When no privilege is mapped for the method, `required` is None and
    # the lookup falls back to False, so the request is denied unless
    # active_privileges itself has a truthy None key.
    if not granted.get(required, False):
        raise SuperdeskApiError.forbiddenError()
    return True