        def auth_decorator_inner(*args, **kwargs):
            """Run ``protected_operation`` only if the current user holds ``permission``.

            Closure variables (bound by the enclosing decorator, outside this
            listing): ``permission``, ``resource_type``, ``resource_id``,
            ``log_request``, ``is_api_request``, ``protected_operation`` and
            ``current_user``.

            Returns whatever ``protected_operation`` returns on success. On an
            authorization failure it returns the user manager's unauthorized
            view for non-API requests and raises ``Unauthorized`` for API
            requests; when ``log_request`` is set, both outcomes are logged.
            """
            who = get_user_string(current_user)
            what = get_resource_string(resource_id, resource_type)

            # The fourth argument is a literal False rather than log_request,
            # presumably because this wrapper emits its own audit lines below
            # (AuthorizedOperation.__enter__ forwards log_request instead) --
            # confirm against is_authorized's signature.
            if not is_authorized(permission, resource_type, resource_id, False):
                if log_request:
                    g.request_logger.info(
                        'User \'%s\' attempted to perform \'%s\' on %s but was unauthorized.',
                        who,
                        permission,
                        what,
                    )
                if not is_api_request:
                    return current_app.user_manager.unauthorized_view_function()
                # NOTE(review): the description echoes the permission name and
                # the resource identifier back to the caller; and Unauthorized
                # is presumably werkzeug's 401, while a permission failure for
                # an already-authenticated user is conventionally 403 -- confirm
                # that both are intended.
                detail = ('You do not have the \'%s\' permission on %s. ') % (
                    permission,
                    what,
                )
                raise Unauthorized(description=detail)

            if log_request:
                g.request_logger.debug(
                    'User \'%s\' successfully authorized to perform \'%s\' on %s.',
                    who,
                    permission,
                    what,
                )
            return protected_operation(*args, **kwargs)
 def __enter__(self):
     """Gate the ``with`` body on the permission this operation was built with.

     Consults ``is_authorized`` with ``self.permission``, ``self.resource_type``,
     ``self.resource_id`` and ``self.log_request``. Raises ``Unauthorized``
     (with a human-readable description naming the permission and resource)
     when the check fails; otherwise returns ``None`` and the body runs.
     """
     allowed = is_authorized(self.permission, self.resource_type,
                             self.resource_id, self.log_request)
     if allowed:
         return None
     target = get_resource_string(self.resource_id, self.resource_type)
     raise Unauthorized(
         description=('You do not have the \'%s\' permission on %s. ') % (
             self.permission,
             target,
         )
     )
 def get_roles(self, resource):
     """Return the current role listing for ``resource``.

     Requires the ``view_resource`` permission on the resource, enforced by
     ``AuthorizedOperation`` before anything is read. On success logs a debug
     line and returns the value of ``get_current_resource_roles(resource)``.
     """
     name = resource.name
     type_name = resource.resource_type.name.name
     label = get_resource_string(name, type_name)
     with AuthorizedOperation('view_resource', type_name, resource.id):
         roles = get_current_resource_roles(resource)
         g.request_logger.debug(
             'Successfully retrieved a listing of all the roles for %s. ' %
             label)
         return roles
 def delete_default_role_by_name(self, request):
     """Delete a default role by name via ``delete_default_role``.

     Reads ``roleName`` and ``resourceType`` (required) and ``resourceName``
     (optional) from ``request``. The log line and response message report
     whether the role existed; the response status is always ``OK``.

     NOTE(review): unlike delete_role_by_name there is no AuthorizedOperation
     guard in this body; presumably the route is protected by a decorator
     outside this listing -- confirm before relying on it.
     """
     role_name = request['roleName']
     resource_type = request['resourceType']
     resource_name = request.get('resourceName')
     _, existed = delete_default_role(role_name, resource_type,
                                      resource_name)
     outcome = 'has been deleted' if existed else 'does not exist'
     message = 'Role \'%s\' %s for %s' % (
         role_name,
         outcome,
         get_resource_string(resource_name, resource_type),
     )
     g.request_logger.info(message)
     return StandardResponse(message, OK, True)
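 def add_default_role_by_name(self, request):
     """Add a default role by name via ``add_default_role``.

     Reads ``roleName`` and ``resourceType`` (required) and ``resourceName``
     (optional) from ``request``. The second value returned by
     ``add_default_role`` is treated as "the role already existed" -- the
     same reading add_role_by_name applies to add_group_role.

     Returns ``(StandardResponse, status)``: ``OK`` when the role already
     existed, ``CREATED`` when it was just added.

     Fix: the outcome wording was inverted relative to the status code -- the
     'already exists' message shipped with 201 CREATED and 'has been added'
     with 200 OK. It now mirrors add_role_by_name. If add_default_role's
     second value actually means "was added", the status line is the one to
     flip instead; confirm against that helper.

     NOTE(review): no AuthorizedOperation guard in this body, unlike
     add_role_by_name; presumably enforced by a route decorator -- confirm.
     """
     role_name = request['roleName']
     resource_type = request['resourceType']
     resource_name = request.get('resourceName')
     _, exists = add_default_role(role_name, resource_type, resource_name)
     action = 'already exists' if exists else 'has been added'
     message = 'Role \'%s\' %s for %s' % (
         role_name,
         action,
         get_resource_string(resource_name, resource_type),
     )
     g.request_logger.info(message)
     response_code = OK if exists else CREATED
     return (StandardResponse(message, response_code, True), response_code)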
 def delete_role_by_name(self, group, request):
     """Delete a role binding from ``group`` after an ``edit_resource`` check.

     ``roleName``, ``resourceName`` and ``resourceType`` are all required in
     ``request`` (``resourceName`` is mandatory here, unlike add_role_by_name,
     which reads it with ``.get``). Delegates to ``delete_group_role``; the
     log line and response message say whether the role existed. The status
     is always ``OK``.
     """
     with AuthorizedOperation('edit_resource', 'group', group.id):
         # Request fields are read only after the permission check passes,
         # so an unauthorized caller sees nothing but the authorization
         # failure.
         role_name = request['roleName']
         resource_name = request['resourceName']
         resource_type = request['resourceType']
         _, existed = delete_group_role(group, role_name, resource_type,
                                        resource_name)
         outcome = 'has been deleted' if existed else 'does not exist'
         message = 'Role \'%s\' %s for %s' % (
             role_name,
             outcome,
             get_resource_string(resource_name, resource_type),
         )
         g.request_logger.info(message)
         return StandardResponse(message, OK, True)
 def add_role_by_name(self, group, request):
     """Grant ``group`` a role on a resource after an ``edit_resource`` check.

     ``roleName`` and ``resourceType`` are required in ``request``;
     ``resourceName`` is optional. Delegates to ``add_group_role`` and returns
     ``(StandardResponse, status)``: ``OK`` when the binding already existed,
     ``CREATED`` when it was newly added.
     """
     with AuthorizedOperation('edit_resource', 'group', group.id):
         role_name = request['roleName']
         resource_name = request.get('resourceName')
         resource_type = request['resourceType']
         _, already = add_group_role(group, role_name, resource_type,
                                     resource_name)
         if already:
             outcome, status = 'already exists', OK
         else:
             outcome, status = 'has been added', CREATED
         message = 'Role \'%s\' %s for %s' % (
             role_name,
             outcome,
             get_resource_string(resource_name, resource_type),
         )
         g.request_logger.info(message)
         return (StandardResponse(message, status, True), status)
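    def update_roles(self, resource, request):
        """Replace the user, group and default role bindings on ``resource``.

        Requires ``update_users`` on the resource. Every ``defaultRoles`` entry
        whose ``applyToUnregistered`` flag is truthy additionally requires
        ``publish_resource`` (presumably because granting a role to
        unregistered users amounts to publishing the resource); that check is
        made up front so a failure raises before anything is written. The
        three role mappings are handed to ``update_resource_roles`` unchanged,
        the old/new role sets are logged, and ``(None, NO_CONTENT)`` is
        returned.

        Raises ``Unauthorized`` from ``AuthorizedOperation`` when either
        permission is missing.

        Fix: a request without ``defaultRoles`` (``request.get`` yields
        ``None``) crashed on ``None.items()``; the escalation loop now
        tolerates a missing or empty mapping. What is passed downstream is
        unchanged.
        """
        resource_name = resource.name
        type_name = resource.resource_type.name.name
        resource_string = get_resource_string(resource_name, type_name)
        with AuthorizedOperation('update_users', type_name, resource.id):
            user_roles = request.get('userRoles')
            group_roles = request.get('groupRoles')
            default_roles = request.get('defaultRoles')

            # Escalation check: roles that reach unregistered users need the
            # stronger publish permission. Only the values are inspected.
            for role_object in (default_roles or {}).values():
                if role_object['applyToUnregistered']:
                    with AuthorizedOperation('publish_resource', type_name,
                                             resource.id):
                        pass

            existing_roles, new_roles = update_resource_roles(
                resource, user_roles, group_roles, default_roles)
            g.request_logger.info(
                'Updating roles for %s. Existing roles are %s. New roles will be %s.',
                resource_string,
                existing_roles,
                new_roles,
            )
            return None, NO_CONTENT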