def load_access_control_list(user, permissions):
  """Populate ``permissions`` from the user's propagated ACL entries.

  Every ACL entry of ``user`` is joined to the entries propagated from it
  (``acl_propagated.base_id == acl_base.id``) and to the propagated entry's
  role.  For each of the role's read/update/delete flags that is set, the
  propagated entry's object id is added to
  ``permissions[action][object_type]['resources']``.

  Args:
    user: person whose ACL entries are loaded (only ``user.id`` is used).
    permissions: nested dict updated in place; missing levels are created on
      demand with ``setdefault``.

  Returns:
    None.  ``permissions`` is mutated.
  """
  base_alias = db.aliased(all_models.AccessControlList, name="acl_base")
  prop_alias = db.aliased(all_models.AccessControlList, name="acl_propagated")
  role = all_models.AccessControlRole
  acl_person = all_models.AccessControlPerson

  # Only entries that descend from a base entry are selected here; the base
  # entries themselves are not part of the result.  Extra filters from
  # _get_acl_filter are appended after the join conditions, in that order.
  conditions = [
      acl_person.person_id == user.id,
      acl_person.ac_list_id == base_alias.id,
      base_alias.id == prop_alias.base_id,
      prop_alias.ac_role_id == role.id,
  ]
  conditions.extend(_get_acl_filter(prop_alias))

  rows = db.session.query(
      prop_alias.object_type,
      prop_alias.object_id,
      role.read,
      role.update,
      role.delete,
  ).filter(sa.and_(*conditions))

  action_names = ("read", "update", "delete")
  for object_type, object_id, read, update, delete in rows:
    flags = zip(action_names, (read, update, delete))
    # Skip flags the role does not grant; add the rest to the resource set.
    for action in (name for name, allowed in flags if allowed):
      by_type = permissions.setdefault(action, {})
      resources = by_type.setdefault(object_type, {}) \
                         .setdefault('resources', set())
      resources.add(object_id)
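def assert_propagated_role(self, base_role_name, person_email, mapped_obj):
  """Check that a person has a role that is propagated from base role.

  The person's own ACL entry (``acl_base``) is joined to the entries
  propagated from it (``acl_prop``); the assertion passes only if one of
  those propagated entries sits on ``mapped_obj`` and its role name starts
  with ``base_role_name``.

  Args:
    base_role_name: role name of the base ACL that should be propagated to
      the current object.
    person_email: email of the person that should be propagated.
    mapped_obj: object which should contain a child ACL entry.

  Raises:
    AssertionError: if no matching propagated ACL entry exists.
  """
  acl_prop = db.aliased(all_models.AccessControlList)
  acl_base = db.aliased(all_models.AccessControlList)
  # NOTE(review): the AccessControlRole / Person joins carry no ON clause and
  # rely on the model relationships; left as in the original.
  query = all_models.AccessControlPerson.query.join(
      acl_base,
      acl_base.id == all_models.AccessControlPerson.ac_list_id,
  ).join(
      acl_prop,
      acl_prop.base_id == acl_base.id,
  ).join(
      all_models.AccessControlRole,
  ).join(
      all_models.Person,
  ).filter(
      # The object constraint must be placed on the propagated alias.  Using
      # the un-aliased AccessControlList here adds the bare table as an extra,
      # unconstrained FROM source (cartesian product), so the query would
      # match any ACL entry on mapped_obj paired with any propagated role of
      # the person, and the check would no longer prove the role is on
      # mapped_obj.
      acl_prop.object_id == mapped_obj.id,
      acl_prop.object_type == mapped_obj.type,
      all_models.Person.email == person_email,
      all_models.AccessControlRole.name.like(
          "{}*%".format(base_role_name)),
  )
  self.assertNotEqual(query.count(), 0)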
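def assert_propagated_role(self, base_role_name, person_email, mapped_obj):
  """Check that a person has a role that is propagated from base role.

  The person's own ACL entry (``acl_base``) is joined to the entries
  propagated from it (``acl_prop``); the assertion passes only if one of
  those propagated entries sits on ``mapped_obj`` and its role name starts
  with ``base_role_name``.

  Args:
    base_role_name: role name of the base ACL that should be propagated to
      the current object.
    person_email: email of the person that should be propagated.
    mapped_obj: object which should contain a child ACL entry.

  Raises:
    AssertionError: if no matching propagated ACL entry exists.
  """
  acl_prop = db.aliased(all_models.AccessControlList)
  acl_base = db.aliased(all_models.AccessControlList)
  # NOTE(review): the AccessControlRole / Person joins carry no ON clause and
  # rely on the model relationships; left as in the original.
  query = all_models.AccessControlPerson.query.join(
      acl_base,
      acl_base.id == all_models.AccessControlPerson.ac_list_id,
  ).join(
      acl_prop,
      acl_prop.base_id == acl_base.id,
  ).join(
      all_models.AccessControlRole,
  ).join(
      all_models.Person,
  ).filter(
      # The object constraint must be placed on the propagated alias.  Using
      # the un-aliased AccessControlList here adds the bare table as an extra,
      # unconstrained FROM source (cartesian product), so the query would
      # match any ACL entry on mapped_obj paired with any propagated role of
      # the person, and the check would no longer prove the role is on
      # mapped_obj.
      acl_prop.object_id == mapped_obj.id,
      acl_prop.object_type == mapped_obj.type,
      all_models.Person.email == person_email,
      all_models.AccessControlRole.name.like("{}*%".format(base_role_name)),
  )
  self.assertNotEqual(query.count(), 0)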