def process(self, request, *args, **kwargs):
if request.is_trust:
return
params = json.loads(request.body)
template_source = params.get("template_source", PROJECT)
template_id = kwargs["template_id"]
subject = Subject("user", request.user.username)
if template_source in NON_COMMON_TEMPLATE_TYPES:
action = Action(IAMMeta.FLOW_CREATE_TASK_ACTION)
resources = res_factory.resources_for_flow(template_id)
allow_or_raise_auth_failed(iam,
IAMMeta.SYSTEM_ID,
subject,
action,
resources,
cache=True)
else:
action = Action(IAMMeta.COMMON_FLOW_CREATE_TASK_ACTION)
resources = [
res_factory.resources_for_common_flow(template_id)[0],
res_factory.resources_for_project_obj(request.project)[0],
]
allow_or_raise_auth_failed(iam,
IAMMeta.SYSTEM_ID,
subject,
action,
resources,
cache=True)
def process(self, request, *args, **kwargs):
if request.is_trust:
return
template_source = request.GET.get("template_source", PROJECT)
template_id = kwargs["template_id"]
subject = Subject("user", request.user.username)
if template_source in NON_COMMON_TEMPLATE_TYPES:
action = Action(IAMMeta.FLOW_VIEW_ACTION)
resources = res_factory.resources_for_flow(template_id)
allow_or_raise_auth_failed(iam,
IAMMeta.SYSTEM_ID,
subject,
action,
resources,
cache=True)
else:
action = Action(IAMMeta.COMMON_FLOW_VIEW_ACTION)
resources = res_factory.resources_for_common_flow(template_id)
allow_or_raise_auth_failed(iam,
IAMMeta.SYSTEM_ID,
subject,
action,
resources,
cache=True)
def scheme_allow_or_raise_auth_failed(request, template_id=None):
data = request.query_params or request.data
if template_id is None:
template_id = data.get("template_id")
# 项目流程方案的权限控制
if "project_id" in data or data.get("template_type") != "common":
# 默认进行是否有流程查看权限校验
scheme_action = IAMMeta.FLOW_VIEW_ACTION
scheme_resources = res_factory.resources_for_flow(template_id)
# 公共流程方案的权限控制
else:
# 默认进行是否有流程查看权限校验
scheme_action = IAMMeta.COMMON_FLOW_VIEW_ACTION
scheme_resources = res_factory.resources_for_common_flow(
template_id)
allow_or_raise_auth_failed(
iam=iam,
system=IAMMeta.SYSTEM_ID,
subject=Subject("user", request.user.username),
action=Action(scheme_action),
resources=scheme_resources,
)
return True
def process(self, request, *args, **kwargs):
template_id = request.GET.get("template_id")
subject = Subject("user", request.user.username)
action = Action(IAMMeta.FLOW_VIEW_ACTION)
resources = res_factory.resources_for_flow(template_id)
request = Request(IAMMeta.SYSTEM_ID, subject, action, resources, {})
allowed = iam.is_allowed(request)
if not allowed:
raise AuthFailedException(IAMMeta.SYSTEM_ID, subject, action,
resources)
def process(self, request, *args, **kwargs):
if request.is_trust:
return
template_id = kwargs["template_id"]
subject = Subject("user", request.user.username)
action = Action(IAMMeta.FLOW_VIEW_ACTION)
resources = res_factory.resources_for_flow(template_id)
allow_or_raise_auth_failed(iam,
IAMMeta.SYSTEM_ID,
subject,
action,
resources,
cache=True)
def has_permission(self, request, view):
if view.action == "list":
if "project_id" not in request.query_params:
return False
self.iam_auth_check(
request,
action=self.actions[view.action],
resources=res_factory.resources_for_project(
request.query_params["project_id"]),
)
elif view.action == "create":
template_id = request.data.get("template_id")
self.iam_auth_check(
request,
action=self.actions[view.action],
resources=res_factory.resources_for_flow(template_id),
)
return True