예제 #1
0
def create(actor,
           alias_key=None,
           alias_id=None,
           user_id=None,
           user_key=None,
           user=None,
           group_id=None,
           group_key=None,
           group=None,
           **kwargs):
    permission_verify(actor, "alias", "create")

    user_key = user_key or build_user_key(user or user_id)
    group_key = group_key or build_group_key(group or group_id)

    if not user_key and not group_key:
        raise IllegalError("Aliases must specify either a user or a group")
    if user_key and group_key:
        raise IllegalError("Aliases must specify either a user or a group")

    alias_key = alias_key or key(alias_id)
    alias = Alias(key=alias_key)
    alias.alias = users.User(alias_key.id())
    alias.user = user_key
    alias.group = group_key
    alias.created_by = build_user_key(actor)
    alias.put()

    return alias
예제 #2
0
def permission_revoke(viewer, type, action, target=None, user=None, group=None):
    permission_verify(viewer, "permissions", "revoke")

    key = permission_get(type, action, target, user, [group] if group else None)
    if key:
        key.delete()
        log.debug("Permission Revoked: %s - %s.%s (%s)" % (build_user_key(user) or build_group_key(group), type, action, target))
        if user:
            memcache.delete(build_user_key(user).id())
        else:
            memcache.flush_all()
    else:
        log.debug("Permission wasn't granted")
예제 #3
0
def members_add(actor, group_id=None, group_key=None, group=None, user_id=None, user_key=None, user=None):
    permission_verify(actor, "member", "update")

    user_key  = user_key  or build_user_key( user_id ) or user.key
    group_key = group_key or build_group_key(group_id) or group.key

    user  = user  or user_key.get()
    group = group or group_key.get()

    if not group.users:
        group.users = [ user_key ]
    else:
        users = set(group.users)
        users.add(user_key)
        group.users = users

    group.put()

    if user:
        if not user.groups:
            user.groups = [ group.key ]
        else:
            groups = set(user.groups)
            groups.add(group.key)
            user.groups = groups

        user.put()
예제 #4
0
def members_add(actor,
                group_id=None,
                group_key=None,
                group=None,
                user_id=None,
                user_key=None,
                user=None):
    permission_verify(actor, "member", "update")

    user_key = user_key or build_user_key(user_id) or user.key
    group_key = group_key or build_group_key(group_id) or group.key

    user = user or user_key.get()
    group = group or group_key.get()

    if not group.users:
        group.users = [user_key]
    else:
        users = set(group.users)
        users.add(user_key)
        group.users = users

    group.put()

    if user:
        if not user.groups:
            user.groups = [group.key]
        else:
            groups = set(user.groups)
            groups.add(group.key)
            user.groups = groups

        user.put()
예제 #5
0
def permission_lookup(user, type, action, target=None, keys_only=True):
    if not isinstance(user, ndb.Model):
        user = build_user_key(user).get()

    if not user:
        return None

    return permission_get(type, action, target, user, user.groups, keys_only=keys_only)
예제 #6
0
def create(actor, group_id=None, group_key=None, active=True, **kwargs):
    permission_verify(actor, "group", "create")

    group_key = group_key or key(group_id)
    group = Group(key=group_key)
    group.group = users.User(group_key.id())
    group.created_by = build_user_key(actor)

    return set(actor, group, active=True, **kwargs)
예제 #7
0
def permission_is_root(user):
    if build_user_key(user).id() == "cron":
        return True
    if users.is_current_user_admin():
        return True
    if permission_lookup(user, "root", "root"):
        return True
    else:
        return False
예제 #8
0
def permission_is_root(user):
    if build_user_key(user).id() == "cron":
        return True
    if users.is_current_user_admin():
        return True
    if permission_lookup(user, "root", "root"):
        return True
    else:
        return False
예제 #9
0
def create(actor, group_id=None, group_key=None, active=True, **kwargs):
    permission_verify(actor, "group", "create")

    group_key = group_key or key(group_id)
    group = Group(key=group_key)
    group.group = users.User(group_key.id())
    group.created_by = build_user_key(actor)

    return set(actor, group, active=True, **kwargs)
예제 #10
0
def permission_get(type, action, target, user, groups, keys_only=True):
    if user and groups:
        return Permission.query().filter( \
            ndb.AND(Permission.type == type,
                    Permission.action == action,
                    Permission.target == target,
                    ndb.OR(Permission.user == build_user_key(user),
                           Permission.group.IN([build_group_key(group) for group in groups])))).get(keys_only=keys_only)
    elif user:
        return Permission.query(ancestor=build_user_key(user)).filter( \
            ndb.AND(Permission.type == type,
                    Permission.action == action,
                    Permission.target == target)).get(keys_only=keys_only)
    elif groups:
        return Permission.query().filter( \
            ndb.AND(Permission.type == type,
                    Permission.action == action,
                    Permission.target == target,
                    Permission.group.IN([build_group_key(group) for group in groups]))).get(keys_only=keys_only)
예제 #11
0
def permission_get(type, action, target, user, groups, keys_only=True):
    if user and groups:
        return Permission.query().filter( \
            ndb.AND(Permission.type == type,
                    Permission.action == action,
                    Permission.target == target,
                    ndb.OR(Permission.user == build_user_key(user),
                           Permission.group.IN([build_group_key(group) for group in groups])))).get(keys_only=keys_only)
    elif user:
        return Permission.query(ancestor=build_user_key(user)).filter( \
            ndb.AND(Permission.type == type,
                    Permission.action == action,
                    Permission.target == target)).get(keys_only=keys_only)
    elif groups:
        return Permission.query().filter( \
            ndb.AND(Permission.type == type,
                    Permission.action == action,
                    Permission.target == target,
                    Permission.group.IN([build_group_key(group) for group in groups]))).get(keys_only=keys_only)
예제 #12
0
def permission_grant(viewer, type, action, target=None, user=None, group=None):
    permission_verify(viewer, "permissions", "grant")

    if not permission_get(type, action, target, user, [group] if group else None):
        user = build_user_key(user)
        group = build_group_key(group)

        permission = Permission(parent=user or group)
        permission.user = user
        permission.group = group
        permission.type = type or target.kind()
        permission.action = action
        permission.target = target
        permission.granted_by = build_user_key(viewer)
        permission.put()

        log.debug("Permission Granted: %s - %s.%s (%s)" % (user or group, type, action, target))
    else:
        log.warn("Permission already granted")
예제 #13
0
def permission_list(viewer, user):
    permission_verify(viewer, "permissions", "view")

    result = []
    for permission in Permission.query(ancestor=build_user_key(user)).fetch():
        result.append({ 'user'   : permission.user.email(),
                        'type'   : permission.type,
                        'id'     : permission.id,
                        'action' : permission.action,
                        'target' : permission.target })
    return result
예제 #14
0
def permission_revoke(viewer,
                      type,
                      action,
                      target=None,
                      user=None,
                      group=None):
    permission_verify(viewer, "permissions", "revoke")

    key = permission_get(type, action, target, user,
                         [group] if group else None)
    if key:
        key.delete()
        log.debug("Permission Revoked: %s - %s.%s (%s)" %
                  (build_user_key(user)
                   or build_group_key(group), type, action, target))
        if user:
            memcache.delete(build_user_key(user).id())
        else:
            memcache.flush_all()
    else:
        log.debug("Permission wasn't granted")
예제 #15
0
def permission_grant(viewer, type, action, target=None, user=None, group=None):
    permission_verify(viewer, "permissions", "grant")

    if not permission_get(type, action, target, user,
                          [group] if group else None):
        user = build_user_key(user)
        group = build_group_key(group)

        permission = Permission(parent=user or group)
        permission.user = user
        permission.group = group
        permission.type = type or target.kind()
        permission.action = action
        permission.target = target
        permission.granted_by = build_user_key(viewer)
        permission.put()

        log.debug("Permission Granted: %s - %s.%s (%s)" %
                  (user or group, type, action, target))
    else:
        log.warn("Permission already granted")
예제 #16
0
def permission_list(viewer, user):
    permission_verify(viewer, "permissions", "view")

    result = []
    for permission in Permission.query(ancestor=build_user_key(user)).fetch():
        result.append({
            'user': permission.user.email(),
            'type': permission.type,
            'id': permission.id,
            'action': permission.action,
            'target': permission.target
        })
    return result
예제 #17
0
def permission_lookup(user, type, action, target=None, keys_only=True):
    if not isinstance(user, ndb.Model):
        user = build_user_key(user).get()

    if not user:
        return None

    return permission_get(type,
                          action,
                          target,
                          user,
                          user.groups,
                          keys_only=keys_only)
예제 #18
0
def members_remove(actor, group_id=None, group_key=None, group=None, user_id=None, user_key=None, user=None):
    permission_verify(actor, "member", "update")

    user_key  = user_key  or build_user_key( user_id ) or user.key
    group_key = group_key or build_group_key(group_id) or group.key

    user  = user  or user_key.get()
    group = group or group_key.get()

    if group.users: group.users.remove(user_key)
    if user and user.groups: user.groups.remove(group_key)

    group.put()
    user.put()
예제 #19
0
def set(actor, group, name=undefined, active=undefined, notes=undefined, **ignored):
    if is_defined(name):
        group.name = name

    if is_defined(active):
        group.active = active

    if is_defined(notes):
        group.notes = notes

    group.updated_by = build_user_key(actor)
    group.put()

    return group
예제 #20
0
def permission_verify(user, type, action, target=None, root_ok=True):
    original_user = user
    user_key = build_user_key(user)
    if not isinstance(user, ndb.Model):
        user = user_key.get()

    tuple = (type, action, target)
    cached = memcache.get(user_key.id(), namespace="permissions") or []

    if not user:
        if str(original_user) != 'cron':
            log.warn("User '%s' not recognized", original_user)
    else:
        if tuple in cached:
            log.debug("Permission Allowed (Cache): %s - %s.%s (%s)" %
                      (user.user.email(), type, action, target))
            return

        if permission_lookup(user, type, action, target):
            log.debug("Permission Allowed:         %s - %s.%s (%s)" %
                      (user.user.email(), type, action, target))
            cached.append(tuple)
            memcache.set(user_key.id(), cached, namespace="permissions")
            return
        else:
            log.debug("Permission Not Allowed:     %s - %s.%s (%s)" %
                      (user.user.email(), type, action, target))

        if target:
            if permission_lookup(user, type, action):
                log.debug("Permission Allowed:         %s - %s.%s (%s)" %
                          (user.user.email(), type, action, None))
                cached.append(tuple)
                memcache.set(user_key.id(), cached, namespace="permissions")
                return
            else:
                log.debug("Permission Not Allowed:     %s - %s.%s (%s)" %
                          (user.user.email(), type, action, None))

    if root_ok and permission_is_root(original_user):
        cached.append(tuple)
        memcache.set(user_key.id(), cached, namespace="permissions")
        log.debug("Permission Allowed (Root):  %s" % user_key.id())
        return

    log.error("Permission Denied:       %s" % user_key.id())
    raise NotAllowedError()
예제 #21
0
def permission_check(user, type, action, key=None):
    if not type:
        type = key.kind()

    user_key = build_user_key(user)
    result = permission_lookup(user_key, type, action, key)

    key_str = ""
    if key: key_str = ":" + key.urlsafe()

    if result:
        log.debug("Permission: %s %s%s (%s) - Allowed" % (user_key, type, key_str, action))
    else:
        log.debug("Permission: %s %s%s (%s) - Not Allowed" % (user_key, type, key_str, action))
        if key:
            return permission_check(user_key, type, action, key.parent())

    return result
예제 #22
0
def set(actor,
        group,
        name=undefined,
        active=undefined,
        notes=undefined,
        **ignored):
    if is_defined(name):
        group.name = name

    if is_defined(active):
        group.active = active

    if is_defined(notes):
        group.notes = notes

    group.updated_by = build_user_key(actor)
    group.put()

    return group
예제 #23
0
def permission_verify(user, type, action, target=None, root_ok=True):
    original_user = user
    user_key = build_user_key(user)
    if not isinstance(user, ndb.Model):
        user = user_key.get()

    tuple = (type, action, target)
    cached = memcache.get(user_key.id(), namespace="permissions") or []

    if not user:
        if str(original_user) != 'cron':
            log.warn("User '%s' not recognized", original_user)
    else:
        if tuple in cached:
            log.debug("Permission Allowed (Cache): %s - %s.%s (%s)" % (user.user.email(), type, action, target))
            return

        if permission_lookup(user, type, action, target):
            log.debug("Permission Allowed:         %s - %s.%s (%s)" % (user.user.email(), type, action, target))
            cached.append(tuple)
            memcache.set(user_key.id(), cached, namespace="permissions")
            return
        else:
            log.debug("Permission Not Allowed:     %s - %s.%s (%s)" % (user.user.email(), type, action, target))

        if target:
            if permission_lookup(user, type, action):
                log.debug("Permission Allowed:         %s - %s.%s (%s)" % (user.user.email(), type, action, None))
                cached.append(tuple)
                memcache.set(user_key.id(), cached, namespace="permissions")
                return
            else: 
                log.debug("Permission Not Allowed:     %s - %s.%s (%s)" % (user.user.email(), type, action, None))

    if root_ok and permission_is_root(original_user):
        cached.append(tuple)
        memcache.set(user_key.id(), cached, namespace="permissions")
        log.debug("Permission Allowed (Root):  %s" % user_key.id())
        return

    log.error("Permission Denied:       %s" % user_key.id())
    raise NotAllowedError()
예제 #24
0
def members_remove(actor,
                   group_id=None,
                   group_key=None,
                   group=None,
                   user_id=None,
                   user_key=None,
                   user=None):
    permission_verify(actor, "member", "update")

    user_key = user_key or build_user_key(user_id) or user.key
    group_key = group_key or build_group_key(group_id) or group.key

    user = user or user_key.get()
    group = group or group_key.get()

    if group.users: group.users.remove(user_key)
    if user and user.groups: user.groups.remove(group_key)

    group.put()
    user.put()
예제 #25
0
def permission_check(user, type, action, key=None):
    if not type:
        type = key.kind()

    user_key = build_user_key(user)
    result = permission_lookup(user_key, type, action, key)

    key_str = ""
    if key: key_str = ":" + key.urlsafe()

    if result:
        log.debug("Permission: %s %s%s (%s) - Allowed" %
                  (user_key, type, key_str, action))
    else:
        log.debug("Permission: %s %s%s (%s) - Not Allowed" %
                  (user_key, type, key_str, action))
        if key:
            return permission_check(user_key, type, action, key.parent())

    return result
예제 #26
0
def members_group_list(actor, user_id=None, user_key=None, user=None):
    user = user or (user_key or build_user_key(user_id)).get()
    return [key.get() for key in user.users]
예제 #27
0
def members_group_list(actor, user_id=None, user_key=None, user=None):
    user = user or (user_key or build_user_key(user_id)).get()
    return [key.get() for key in user.users]