class APIPermissionsApplicator(NamespaceKeyApplicator):
@property
def is_generating_api_cache(self):
try:
return getattr(settings, "GENERATING_API_CACHE", False)
except IndexError:
return False
def __init__(self, user):
super().__init__(None)
self.permissions = Permissions(user)
self.pset = self.permissions
self.set_peeringdb_handlers()
if self.is_generating_api_cache:
self.drop_namespace_key = False
def set_peeringdb_handlers(self):
self.handler(
"peeringdb.organization.*.network.*.poc_set.private", explicit=True
)
self.handler("peeringdb.organization.*.network.*.poc_set.users", explicit=True)
self.handler(
"peeringdb.organization.*.internetexchange.*", fn=self.handle_ixlan
)
def handle_ixlan(self, namespace, data):
if "ixf_ixp_member_list_url" in data:
visible = data["ixf_ixp_member_list_url_visible"].lower()
_namespace = f"{namespace}.ixf_ixp_member_list_url.{visible}"
perms = self.permissions.check(_namespace, 0x01, explicit=True)
if not perms:
del data["ixf_ixp_member_list_url"]
class Organization(serializers.ModelSerializer):
ref_tag = "org"
personal = serializers.SerializerMethodField()
label = serializers.CharField(read_only=True)
selected = serializers.SerializerMethodField()
is_admin = serializers.SerializerMethodField()
class Meta:
model = models.Organization
fields = ["id", "name", "label", "slug", "selected", "personal", "is_admin"]
def get_personal(self, obj):
if obj.user == self.context.get("user"):
return True
return False
def get_selected(self, obj):
selected_org = self.context.get("selected_org")
return selected_org and selected_org.id == obj.id
def get_is_admin(self, obj):
user = self.context.get("user")
if not hasattr(self, "_perms"):
self._perms = Permissions(user)
return self._perms.check(obj, "crud")
def validate(self, data):
user = self.context.get("user")
if not user:
raise serializers.ValidationError("No user context")
form = forms.CreateOrganization(data)
if not form.is_valid():
raise serializers.ValidationError(form.errors)
return data
def save(self):
data = self.validated_data
org = models.Organization.objects.create(
name=data.get("name"), slug=data.get("slug")
)
org.add_user(self.context.get("user"), "crud")
return org
def test_anonymous_permissions(self):
user = AnonymousUser()
perms = Permissions(user)
self.assertTrue(perms.check("a.b.c", PERM_READ))
self.assertTrue(perms.check("a.b.c.d", PERM_UPDATE | PERM_READ))
self.assertFalse(perms.check("x.y.z", PERM_READ))
def test_permissions_check(self):
"""
test django.grainy.util.Permissions.check
"""
user = self.users["user_a"]
perms = Permissions(user)
self.assertTrue(perms.check(ModelA, PERM_READ))
self.assertFalse(perms.check(ModelA, PERM_UPDATE))
self.assertTrue(perms.check(ModelB, PERM_READ))
self.assertTrue(perms.check(ModelB, PERM_UPDATE))
self.assertTrue(perms.check(ModelA(), PERM_READ))
self.assertFalse(perms.check(ModelA(), PERM_UPDATE))
self.assertTrue(perms.check(ModelB(), PERM_READ))
self.assertTrue(perms.check(ModelB(), PERM_UPDATE))
self.assertTrue(perms.check("secret.group", PERM_READ))
self.assertFalse(perms.check("secret", PERM_READ))
perms = Permissions(self.users["user_b"])
self.assertTrue(perms.check("x.y.z", PERM_READ))
self.assertFalse(perms.check("x.y.z", PERM_UPDATE))
perms = Permissions(self.users["user_admin_a"])
self.assertTrue(perms.check("x.y.z", PERM_READ))
self.assertFalse(perms.check("x.y.z", PERM_READ,
ignore_grant_all=True))
perms = Permissions(self.api_key)
self.assertTrue(perms.check(ModelA, PERM_READ))
self.assertFalse(perms.check(ModelA, PERM_UPDATE))
self.assertTrue(perms.check(ModelB, PERM_READ))
self.assertTrue(perms.check(ModelB, PERM_UPDATE))
self.assertTrue(perms.check(ModelA(), PERM_READ))
self.assertFalse(perms.check(ModelA(), PERM_UPDATE))
self.assertTrue(perms.check(ModelB(), PERM_READ))
self.assertTrue(perms.check(ModelB(), PERM_UPDATE))
from django_grainy.util import Permissions # give user full permissions to model (any instance) user.grainy_permissions.add(TestModelA, "crud") # give user full permissions to a specific instance instance = TestModelA.objects.get(id=1) user.grainy_permissions.add(instance, "crud") # check user permission on model class perms = Permissions(user) perms.check(TestModelA, "r") # True # check user permission on instance perms.check(instance, "r") # True # check permissions to the name field perms.check((instance, "name"), "r") # return all instances of the model according to permissions instances = perms.instances(TestModelA, "r") # this could also take a queryset instances = perms.instances(TestModelA.objects.filter(id__gt=10), "r")
import grainy.const
from django_grainy.util import Permissions
user.grainy_permissions.add_permission_set({"a.b.c": "r"})
# we use the Permissions() wrapper as that allows
# us to do repeated permission checks for a user or group
# without having requery permissions for each check
perms = Permissions(user)
perms.check("a.b.c", grainy.const.PERM_READ) #True
perms.check("a.b.c.d", grainy.const.PERM_READ) #True
perms.check("a.b.c.d",
grainy.const.PERM_READ | grainy.const.PERM_UPDATE) #False
perms.check("z.y.x", grainy.const.PERM_READ) #False
perms.check("a.b.c", "r") # True
perms.check("a.b.c.d", "r") # True
perms.check("a.b.c.d", "ru") # False
perms.check("x.y.z", "r") # False
# The `explicit` option allows us to require that excplicit
# permissions need to exist for a check to succeed, meaning
# having permissions to `a.b.c` will not grant permissions
# to `a.b.c.d` if `explicit`=True
perms.check("a.b.c.d", "r", explicit=True) # False
