def acc_authorize_action(req, name_action, authorized_if_no_roles=False, **arguments):
"""
Given the request object (or the user_info dictionary, or the uid), checks
if the user is allowed to run name_action with the given parameters.
If authorized_if_no_roles is True and no role exists (different
than superadmin) that are authorized to execute the given action, the
authorization will be granted.
Returns (0, msg) when the authorization is granted, (1, msg) when it's not.
"""
user_info = collect_user_info(req)
roles = acc_find_possible_roles(name_action, always_add_superadmin=False, **arguments)
for id_role in roles:
if acc_is_user_in_role(user_info, id_role):
## User belong to at least one authorized role.
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
if acc_is_user_in_role(user_info, CFG_SUPERADMINROLE_ID):
## User is SUPERADMIN
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
if not roles:
## No role is authorized for the given action/arguments
if authorized_if_no_roles:
## User is authorized because no authorization exists for the given
## action/arguments
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
else:
## User is not authorized.
return (20, CFG_WEBACCESS_WARNING_MSGS[20] % cgi.escape(name_action))
## User is not authorized
in_a_web_request_p = bool(user_info['uri'])
return (1, "%s %s" % (CFG_WEBACCESS_WARNING_MSGS[1], (in_a_web_request_p and "%s %s" % (CFG_WEBACCESS_MSGS[0] % quote(user_info['uri']), CFG_WEBACCESS_MSGS[1]) or "")))
def isRefereed(doctype, categ="*"):
"""Check if the given doctype, categ is refereed by at least a role. different than SUPERADMINROLE"""
roles = acc_find_possible_roles('referee',
always_add_superadmin=False,
doctype=doctype,
categ=categ)
if roles:
return True
return False
def acc_authorize_action(req,
name_action,
authorized_if_no_roles=False,
**arguments):
"""
Given the request object (or the user_info dictionary, or the uid), checks
if the user is allowed to run name_action with the given parameters.
If authorized_if_no_roles is True and no role exists (different
than superadmin) that are authorized to execute the given action, the
authorization will be granted.
Returns (0, msg) when the authorization is granted, (1, msg) when it's not.
"""
from invenio.webuser_flask import UserInfo
if isinstance(req, UserInfo):
user_info = req
uid = user_info.get_id()
elif type(req) is dict:
uid = req.get('uid', None)
user_info = req
elif type(req) not in [int, long]:
uid = current_user.get_id()
user_info = collect_user_info(uid) # FIXME
else:
user_info = collect_user_info(req)
roles = acc_find_possible_roles(name_action,
always_add_superadmin=False,
**arguments)
roles.add(CFG_SUPERADMINROLE_ID)
if acc_is_user_in_any_role(user_info, roles):
## User belong to at least one authorized role
## or User is SUPERADMIN
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
if len(roles) <= 1:
## No role is authorized for the given action/arguments
if authorized_if_no_roles:
## User is authorized because no authorization exists for the given
## action/arguments
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
else:
## User is not authorized.
return (20,
CFG_WEBACCESS_WARNING_MSGS[20] % cgi.escape(name_action))
## User is not authorized
in_a_web_request_p = bool(user_info.get('uri', ''))
return (1, "%s %s" %
(CFG_WEBACCESS_WARNING_MSGS[1],
(in_a_web_request_p and "%s %s" %
(CFG_WEBACCESS_MSGS[0] % quote(user_info.get('uri', '')),
CFG_WEBACCESS_MSGS[1]) or "")))
def make_list_apache_firerole(name_action, arguments):
"""Given an action and a dictionary arguments returns a list of all the
roles (and their descriptions) which are authorized to perform this
action with these arguments, and whose FireRole definition expect
an Apache Password membership.
"""
roles = acc_find_possible_roles(name_action, **arguments)
ret = []
for role in roles:
res = run_sql_cached('SELECT name, description, firerole_def_ser FROM accROLE WHERE id=%s', (role, ), affected_tables=['accROLE'])
if acc_firerole_suggest_apache_p(deserialize(res[0][2])):
ret.append((res[0][0], res[0][1]))
return ret
def acc_get_authorized_emails(name_action, **arguments):
"""
Given the action and its arguments, try to retireve all the matching
email addresses of users authorized.
This is a best effort operation, because if a role is authorized and
happens to be defined using a FireRole rule based on regular expression
or on IP addresses, non every email might be returned.
@param name_action: the name of the action.
@type name_action: string
@param arguments: the arguments to the action.
@return: the list of authorized emails.
@rtype: set of string
"""
authorized_emails = set()
roles = acc_find_possible_roles(name_action, always_add_superadmin=False, **arguments)
for id_role in roles:
for dummy1, email, dummy2 in acc_get_role_users(id_role):
authorized_emails.add(email.lower().strip())
firerole = load_role_definition(id_role)
authorized_emails = authorized_emails.union(acc_firerole_extract_emails(firerole))
return authorized_emails
def acc_get_authorized_emails(name_action, **arguments):
"""
Given the action and its arguments, try to retireve all the matching
email addresses of users authorized.
This is a best effort operation, because if a role is authorized and
happens to be defined using a FireRole rule based on regular expression
or on IP addresses, non every email might be returned.
@param name_action: the name of the action.
@type name_action: string
@param arguments: the arguments to the action.
@return: the list of authorized emails.
@rtype: set of string
"""
authorized_emails = set()
roles = acc_find_possible_roles(name_action, always_add_superadmin=False, **arguments)
for id_role in roles:
for dummy1, email, dummy2 in acc_get_role_users(id_role):
authorized_emails.add(email.lower().strip())
firerole = load_role_definition(id_role)
authorized_emails = authorized_emails.union(acc_firerole_extract_emails(firerole))
return authorized_emails
def acc_authorize_action(req, name_action, authorized_if_no_roles=False, **arguments):
"""
Given the request object (or the user_info dictionary, or the uid), checks
if the user is allowed to run name_action with the given parameters.
If authorized_if_no_roles is True and no role exists (different
than superadmin) that are authorized to execute the given action, the
authorization will be granted.
Returns (0, msg) when the authorization is granted, (1, msg) when it's not.
"""
user_info = collect_user_info(req)
roles = acc_find_possible_roles(name_action, always_add_superadmin=False, **arguments)
for id_role in roles:
if acc_is_user_in_role(user_info, id_role):
## User belong to at least one authorized role.
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
if acc_is_user_in_role(user_info, CFG_SUPERADMINROLE_ID):
## User is SUPERADMIN
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
if not roles:
## No role is authorized for the given action/arguments
if authorized_if_no_roles:
## User is authorized because no authorization exists for the given
## action/arguments
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
else:
## User is not authorized.
return (20, CFG_WEBACCESS_WARNING_MSGS[20] % cgi.escape(name_action))
## User is not authorized
in_a_web_request_p = bool(user_info['uri'])
if CFG_CERN_SITE and arguments.has_key('collection'):
# We apply the checks for all actions with that 'collection'
# argument, for simplicity not necessity.
from invenio.search_engine import get_collection_allchildren
if arguments.get('collection', None) in get_collection_allchildren('e-Tendering', recreate_cache_if_needed=False):
return (1, "%s %s" % (CFG_WEBACCESS_WARNING_MSGS[1],
(in_a_web_request_p and "%s %s" % (CFG_WEBACCESS_MSGS[9] % ("*****@*****.**", "*****@*****.**"),
CFG_WEBACCESS_MSGS[10] % (CFG_SITE_SECURE_URL + "/goto/etendering-faq", "Frequently Asked Questions (FAQ) concerning the CERN e-tendering application")
) or "")))
return (1, "%s %s" % (CFG_WEBACCESS_WARNING_MSGS[1], (in_a_web_request_p and "%s %s" % (CFG_WEBACCESS_MSGS[0] % quote(user_info['uri']), CFG_WEBACCESS_MSGS[1]) or "")))
def acc_authorize_action(req, name_action, authorized_if_no_roles=False, **arguments):
"""
Given the request object (or the user_info dictionary, or the uid), checks
if the user is allowed to run name_action with the given parameters.
If authorized_if_no_roles is True and no role exists (different
than superadmin) that are authorized to execute the given action, the
authorization will be granted.
Returns (0, msg) when the authorization is granted, (1, msg) when it's not.
"""
user_info = collect_user_info(req)
roles = acc_find_possible_roles(name_action, always_add_superadmin=False, **arguments)
for id_role in roles:
if acc_is_user_in_role(user_info, id_role):
## User belong to at least one authorized role.
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
if acc_is_user_in_role(user_info, CFG_SUPERADMINROLE_ID):
## User is SUPERADMIN
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
if not roles:
## No role is authorized for the given action/arguments
if authorized_if_no_roles:
## User is authorized because no authorization exists for the given
## action/arguments
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
else:
## User is not authorized.
return (20, CFG_WEBACCESS_WARNING_MSGS[20] % cgi.escape(name_action))
## User is not authorized
in_a_web_request_p = bool(user_info['uri'])
if CFG_CERN_SITE and arguments.has_key('collection'):
# We apply the checks for all actions with that 'collection'
# argument, for simplicity not necessity.
from invenio.search_engine import get_collection_allchildren
if arguments.get('collection', None) in get_collection_allchildren('e-Tendering', recreate_cache_if_needed=False):
return (1, "%s %s" % (CFG_WEBACCESS_WARNING_MSGS[1],
(in_a_web_request_p and "%s %s" % (CFG_WEBACCESS_MSGS[9] % ("*****@*****.**", "*****@*****.**"),
CFG_WEBACCESS_MSGS[10] % (CFG_SITE_SECURE_URL + "/goto/etendering-faq", "Frequently Asked Questions (FAQ) concerning the CERN e-tendering application")
) or "")))
return (1, "%s %s" % (CFG_WEBACCESS_WARNING_MSGS[1], (in_a_web_request_p and "%s %s" % (CFG_WEBACCESS_MSGS[0] % quote(user_info['uri']), CFG_WEBACCESS_MSGS[1]) or "")))
def acc_authorize_action(req,
name_action,
authorized_if_no_roles=False,
**arguments):
"""
Given the request object (or the user_info dictionary, or the uid), checks
if the user is allowed to run name_action with the given parameters.
If authorized_if_no_roles is True and no role exists (different
than superadmin) that are authorized to execute the given action, the
authorization will be granted.
Returns (0, msg) when the authorization is granted, (1, msg) when it's not.
"""
user_info = collect_user_info(req)
roles = acc_find_possible_roles(name_action,
always_add_superadmin=False,
**arguments)
for id_role in roles:
if acc_is_user_in_role(user_info, id_role):
## User belong to at least one authorized role.
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
if acc_is_user_in_role(user_info, CFG_SUPERADMINROLE_ID):
## User is SUPERADMIN
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
if not roles:
## No role is authorized for the given action/arguments
if authorized_if_no_roles:
## User is authorized because no authorization exists for the given
## action/arguments
return (0, CFG_WEBACCESS_WARNING_MSGS[0])
else:
## User is not authorized.
return (20,
CFG_WEBACCESS_WARNING_MSGS[20] % cgi.escape(name_action))
## User is not authorized
in_a_web_request_p = bool(user_info['uri'])
return (1, "%s %s" % (CFG_WEBACCESS_WARNING_MSGS[1],
(in_a_web_request_p and "%s %s" %
(CFG_WEBACCESS_MSGS[0] % quote(user_info['uri']),
CFG_WEBACCESS_MSGS[1]) or "")))
def isRefereed(doctype, categ="*"):
"""Check if the given doctype, categ is refereed by at least a role. different than SUPERADMINROLE"""
roles = acc_find_possible_roles('referee', always_add_superadmin=False, doctype=doctype, categ=categ)
if roles:
return True
return False
