Пример #1
def load_access_control_list(user, permissions):
    """Merge the grants a user holds through ACL entries into ``permissions``.

    Selects the read/update/delete flags of the role attached to every
    propagated ACL entry whose base entry lists ``user`` as a person, then
    records the object id under
    ``permissions[action][object_type]['resources']`` for each action whose
    flag is truthy.

    Args:
      user: object whose ``id`` is compared with
        ``AccessControlPerson.person_id``.
      permissions: dict that is updated in place; nothing is returned.
    """
    acl_model = all_models.AccessControlList
    base = db.aliased(acl_model, name="acl_base")
    propagated = db.aliased(acl_model, name="acl_propagated")
    role = all_models.AccessControlRole
    person = all_models.AccessControlPerson

    # _get_acl_filter is defined elsewhere; which rows it excludes is not
    # visible from this function. Its result is AND-ed into the conditions.
    extra_filters = _get_acl_filter(propagated)

    # person -> base ACL -> propagated ACL -> role. Every link is an explicit
    # equality, so only rows tied to this user's id can be returned.
    conditions = sa.and_(
        person.person_id == user.id,
        person.ac_list_id == base.id,
        base.id == propagated.base_id,
        propagated.ac_role_id == role.id,
        *extra_filters
    )
    rows = db.session.query(
        propagated.object_type,
        propagated.object_id,
        role.read,
        role.update,
        role.delete,
    ).filter(conditions)

    for object_type, object_id, can_read, can_update, can_delete in rows:
        flags = (
            ("read", can_read),
            ("update", can_update),
            ("delete", can_delete),
        )
        for action, allowed in flags:
            # Grants are additive: a falsy flag adds nothing, and nothing
            # here removes entries already present in ``permissions``.
            if allowed:
                by_type = permissions.setdefault(action, {})
                entry = by_type.setdefault(object_type, {})
                entry.setdefault('resources', set()).add(object_id)
Пример #2
    def assert_propagated_role(self, base_role_name, person_email, mapped_obj):
        """Assert that at least one propagated-role row matches the person.

        The check passes when the query below returns a non-zero count; it
        does not assert how many rows match.

        Args:
          base_role_name: role name of the base ACL that should be propagated
            to the current object.
          person_email: email of the person that should be propagated.
          mapped_obj: object which should contain a child ACL entry.
        """
        acl_model = all_models.AccessControlList
        acp_model = all_models.AccessControlPerson
        role_model = all_models.AccessControlRole
        propagated = db.aliased(acl_model)
        base = db.aliased(acl_model)

        # The role name is placed into the LIKE pattern as-is, so any "%" or
        # "_" inside base_role_name also acts as a wildcard.
        role_pattern = "{}*%".format(base_role_name)

        joined = acp_model.query.join(
            base,
            base.id == acp_model.ac_list_id,
        ).join(
            propagated,
            propagated.base_id == base.id,
        ).join(role_model).join(all_models.Person)

        # NOTE(review): the object filters reference the un-aliased
        # AccessControlList rather than the ``propagated`` alias joined above.
        # Confirm they constrain the propagated entry; if they do not, this
        # assertion may pass without that entry belonging to mapped_obj.
        matches = joined.filter(
            acl_model.object_id == mapped_obj.id,
            acl_model.object_type == mapped_obj.type,
            all_models.Person.email == person_email,
            role_model.name.like(role_pattern),
        )
        self.assertNotEqual(matches.count(), 0)
Пример #3
  def assert_propagated_role(self, base_role_name, person_email, mapped_obj):
    """Assert that a person holds a role propagated from a base role.

    Builds a query over AccessControlPerson joined to a base ACL alias, a
    propagated ACL alias, AccessControlRole and Person, and requires its
    count to be non-zero.

    Args:
      base_role_name: role name of the base ACL that should be propagated to
        the current object.
      person_email: email of the person that should be propagated.
      mapped_obj: object which should contain a child ACL entry.
    """
    acl = all_models.AccessControlList
    acl_person = all_models.AccessControlPerson
    acl_role = all_models.AccessControlRole
    child_acl = db.aliased(acl)
    parent_acl = db.aliased(acl)

    lookup = acl_person.query
    lookup = lookup.join(parent_acl, parent_acl.id == acl_person.ac_list_id)
    lookup = lookup.join(child_acl, child_acl.base_id == parent_acl.id)
    lookup = lookup.join(acl_role)
    lookup = lookup.join(all_models.Person)

    # NOTE(review): these criteria use the un-aliased AccessControlList, not
    # ``child_acl``. Verify that they restrict the propagated entry; if they
    # do not, the check is weaker than the docstring describes.
    # The LIKE pattern embeds base_role_name unescaped, so "%" and "_" in the
    # name are treated as wildcards.
    lookup = lookup.filter(
        acl.object_id == mapped_obj.id,
        acl.object_type == mapped_obj.type,
        all_models.Person.email == person_email,
        acl_role.name.like("{}*%".format(base_role_name)),
    )
    found = lookup.count()
    self.assertNotEqual(found, 0)