def get_dict(self, exclude_keys=None, include_keys=None, extended_info=False):
    """
    Serialize the user to a dictionary, optionally with extended details.

    The base dictionary comes from the parent class. With ``extended_info``
    set, group names, non-resource permission names, the applications the
    user holds ``view`` on, assigned report groups and latest events are
    added. The key filters are then applied to the combined result, so they
    govern the extended entries as well.

    NOTE(review): the extended entries disclose authorization data (group
    and permission names, viewable applications). Nothing in this method
    checks who is asking, so callers have to gate ``extended_info``.

    :param exclude_keys: keys to drop from the result
    :param include_keys: when non-empty, only these keys are kept
    :param extended_info: add the authorization and activity entries
    :return: the filtered dictionary
    """
    data = super(User, self).get_dict(exclude_keys, include_keys)
    if extended_info:
        data["groups"] = [group.group_name for group in self.groups]
        data["permissions"] = [
            perm.perm_name for perm in UserService.permissions(self)
        ]
        request = get_current_request()
        viewable_apps = UserService.resources_with_perms(
            self, ["view"], resource_types=["application"]
        )
        app_entries = [
            {"resource_id": app.resource_id, "resource_name": app.resource_name}
            for app in viewable_apps.all()
        ]
        # Case-insensitive ordering by application name.
        data["applications"] = sorted(
            app_entries, key=lambda entry: entry["resource_name"].lower()
        )
        data["assigned_reports"] = [
            report.get_dict(request) for report in self.assigned_report_groups
        ]
        data["latest_events"] = [
            event.get_dict(request) for event in self.latest_events()
        ]

    excluded = exclude_keys or []
    included = include_keys or []
    # An empty/None include list means "keep everything not excluded".
    return {
        key: data[key]
        for key in data.keys()
        if key not in excluded and (key in included or not include_keys)
    }
def permissions(self):
    """
    Return this user's permissions via ``UserService.permissions``.

    Kept as a thin compatibility wrapper; new code should call the service
    directly.

    .. deprecated:: 0.8

    :return: whatever ``UserService.permissions`` returns for this user
    """
    # Resolve the session from the instance itself (no explicit session given).
    session = get_db_session(None, self)
    return UserService.permissions(self, db_session=session)
def __init__(self, request):
    """
    Build the ACL for the general (non-resource) page factory.

    Every authenticated principal gets the ``authenticated`` and
    ``create_resources`` permissions. When the request carries a user, that
    user's non-resource permissions are converted with
    ``permission_to_04_acls`` and each entry is appended after passing
    through ``rewrite_root_perm``.

    :param request: current request; ``request.user`` is optional
    """
    # Baseline entries granted to any authenticated principal.
    self.__acl__ = [
        (Allow, Authenticated, "authenticated"),
        (Allow, Authenticated, "create_resources"),
    ]
    # Anonymous requests keep only the baseline entries above.
    if not (hasattr(request, "user") and request.user):
        return
    user_perms = UserService.permissions(request.user)
    # Append the user's custom non-resource permissions.
    self.__acl__.extend(
        rewrite_root_perm(principal, perm_name)
        for principal, perm_name in permission_to_04_acls(user_perms)
    )
def add_root_superperm(request, context):
    """
    Extend ``context.__acl__`` when the requesting user holds the
    ``root_administration`` non-resource permission.

    Each matching entry is passed through ``rewrite_root_perm`` before it is
    appended; that helper is presumably what turns it into an
    ALL_PERMISSIONS grant on the resource (defined outside this block -
    confirm). Requests without a truthy ``request.user`` leave the ACL
    untouched.

    :param request: current request; ``request.user`` is optional
    :param context: object whose ``__acl__`` list is extended in place
    """
    if not (hasattr(request, "user") and request.user):
        return
    user_acls = permission_to_04_acls(UserService.permissions(request.user))
    for principal, perm_name in user_acls:
        # Only the root permission is propagated; everything else is skipped.
        if perm_name != "root_administration":
            continue
        context.__acl__.append(rewrite_root_perm(principal, perm_name))
def test_permission_add(self, full_app, sqla_session):
    """
    Grant ``root_administration`` to a user through the permissions API.

    Creates an admin (whose token authenticates the call) and a plain user,
    checks that the user starts with no permissions, POSTs the permission
    and then re-reads it through ``UserService.permissions``.

    NOTE(review): only the admin-token success path is asserted here; a
    companion case in which a non-admin token is rejected would pin the
    authorization check on this endpoint.
    """
    from ziggurat_foundations.models.services.user import UserService

    # NOTE(review): the extent of this ``with`` block is reconstructed from a
    # flattened listing - confirm the setup scope against the original file.
    with session_context(sqla_session) as session:
        admin, token = create_admin(session)
        user = create_user(
            {"user_name": "testX", "email": "*****@*****.**"},
            sqla_session=session,
        )
    url_path = "/api/0.1/users/{}/permissions".format(user.id)
    headers = {str("x-testscaffold-auth-token"): str(token)}
    permission = {"perm_name": "root_administration"}
    # Precondition: a fresh user holds no non-resource permissions.
    permissions = UserService.permissions(user)
    assert not list(permissions)
    full_app.post_json(url_path, permission, status=200, headers=headers)
    # Drop cached ORM state so the next read reflects what the API stored.
    sqla_session.expire_all()
    permissions = UserService.permissions(user)
    assert permissions[0].perm_name == "root_administration"
def test_user_permissions(self, db_session):
    """
    Check the permissions reported for a freshly added user.

    The expected entries are two ``PermissionTuple`` values for the created
    user, named ``alter_users`` and ``root``; presumably ``add_user`` seeds
    both (fixture defined elsewhere - confirm).
    """
    user = add_user(db_session)
    actual = UserService.permissions(user, db_session=db_session)
    wanted = [
        PermissionTuple(user, perm_name, "user", None, None, False, True)
        for perm_name in ("alter_users", "root")
    ]
    check_one_in_other(actual, wanted)
def test_user_permissions(self, db_session):
    """
    Verify ``UserService.permissions`` for a newly created user.

    Compares the service output with two ``PermissionTuple`` entries
    (``alter_users`` and ``root``) built for that same user.
    """
    new_user = add_user(db_session)
    found = UserService.permissions(new_user, db_session=db_session)
    # Both expected entries differ only in the permission name.
    alter_users_perm = PermissionTuple(
        new_user, "alter_users", "user", None, None, False, True
    )
    root_perm = PermissionTuple(new_user, "root", "user", None, None, False, True)
    check_one_in_other(found, [alter_users_perm, root_perm])
def __acl__(self):
    # type: () -> AccessControlListType
    """
    Assemble the access control list for the current request.

    The admin principal and, when it exists, the admin group receive
    ``ALL_PERMISSIONS``. For a logged-in user, the ACEs derived from that
    user's permissions are appended, followed by one entry for views that
    only require a login.
    """
    current_user = self.request.user
    # Covers the case where MAGPIE_ADMIN_PERMISSION is set directly as a role
    # rather than inferred through membership of the admin group.
    entries = [(Allow, get_constant("MAGPIE_ADMIN_PERMISSION"), ALL_PERMISSIONS)]
    admin_group = GroupService.by_group_name(
        get_constant("MAGPIE_ADMIN_GROUP"), db_session=self.request.db
    )
    if admin_group:
        # Without an explicit ALL_PERMISSIONS entry for the admin group, views
        # declaring a permission other than the default
        # MAGPIE_ADMIN_PERMISSION (e.g. MAGPIE_LOGGED_PERMISSION) would refuse
        # administrators.
        entries.append((Allow, "group:{}".format(admin_group.id), ALL_PERMISSIONS))
    if not current_user:
        return entries

    # User-specific permissions, including those from group memberships.
    user_permissions = UserService.permissions(current_user, self.request.db)
    user_entries = permission_to_pyramid_acls(user_permissions)
    # Entry for views that only require being logged in, whoever the user is.
    # NOTE(review): ``Authenticated`` sits in the permission position of this
    # ACE, keyed on the user's id as principal - confirm that views declare
    # the matching permission name.
    logged_in_entries = [(Allow, current_user.id, Authenticated)]
    entries += user_entries + logged_in_entries
    return entries