def stat(request, slug, page=1): problem = get_object_or_404(Problem, slug=slug) checker = ObjectPermissionChecker(request.user) if (problem.state != Problem.PUBLISHED and not checker.has_perm('read_problem', problem) and problem.user != request.user): raise Http404 submissions = Submission.objects.filter(problem=problem) verdict_chart = Submission.get_verdict_distribution_graph(submissions) incorrect_tries_chart = Solver.get_incorrect_tries_chart(problem) solvers = Solver.objects.filter(problem=problem, solved=True) order_by = request.GET.get('order_by', 'shortest') if order_by.endswith('fastest'): solvers = solvers.order_by(order_by + '_submission__time') elif order_by.endswith('shortest'): solvers = solvers.order_by(order_by + '_submission__length') else: solvers = solvers.order_by(order_by) pagination = setup_paginator(solvers, page, 'judge-problem-stat', {'slug': slug}, request.GET) title = problem.slug + u': 해결한 사람들' return render(request, "problem/stat.html", {'title': title, 'problem': problem, 'editable': checker.has_perm('edit_problem', problem), 'verdict_chart': verdict_chart, 'incorrects_chart': incorrect_tries_chart, 'pagination': pagination, })
def get_permitted_minutes(minutes, request, groupid): groupid = int(groupid) try: group = Group.objects.get(id=groupid) except ObjectDoesNotExist: raise Http404 own_group = request.user.is_superuser or group in request.user.groups.all() # Prefetch group permissions group_checker = ObjectPermissionChecker(group) group_checker.prefetch_perms(minutes) # Prefetch user permissions user_checker = ObjectPermissionChecker(request.user) user_checker.prefetch_perms(minutes) # Prefetch ip group permissions ip_range_group_name = request.user._ip_range_group_name if hasattr(request.user, '_ip_range_group_name') else None if ip_range_group_name: ip_range_group = Group.objects.get(name=ip_range_group_name) ip_range_group_checker = ObjectPermissionChecker(ip_range_group) permitted_minutes = [] for m in minutes: # we show all documents for which the requested group has edit permissions # e.g. if you request FSR minutes, all minutes for which the FSR group has edit rights will be shown if not group_checker.has_perm(m.edit_permission_name, m): continue # we only show documents for which the user has view permissions if not user_checker.has_perm(MinutesDocument.get_view_permission(), m) and (not ip_range_group_name or not ip_range_group_checker.has_perm(MinutesDocument.get_view_permission(), m)): continue permitted_minutes.append(m) return permitted_minutes, own_group
def test_state_permission_update(self): """ Test if the permission are correctly updated when the state is updated """ staff_group = Group.objects.get(name=settings.STAFF_GROUP_NAME) university_group = Group.objects.get(name=settings.UNIVERSITY_GROUP_NAME) document = mommy.make(MinutesDocument, participants=self.participants, moderator=self.moderator, state=MinutesDocument.UNPUBLISHED) document.set_all_permissions(staff_group) assign_perm(document.view_permission_name, university_group, document) document.state = MinutesDocument.INTERNAL document.save() document = MinutesDocument.objects.get(url_title=document.url_title) checker = ObjectPermissionChecker(university_group) self.assertFalse(checker.has_perm(document.view_permission_name, document)) self.assertFalse(checker.has_perm(document.edit_permission_name, document)) self.assertFalse(checker.has_perm(document.delete_permission_name, document)) checker = ObjectPermissionChecker(staff_group) self.assertTrue(checker.has_perm(document.view_permission_name, document)) self.assertTrue(checker.has_perm(document.edit_permission_name, document)) self.assertTrue(checker.has_perm(document.delete_permission_name, document))
def diff(request, id1, id2): rev1 = get_object_or_404(ProblemRevision, id=id1) rev2 = get_object_or_404(ProblemRevision, id=id2) problem = rev1.revision_for checker = ObjectPermissionChecker(request.user) if (not checker.has_perm('read_problem', problem) and problem.user != request.user): raise Http404 dmp = diff_match_patch() def differ(text1, text2): return text1 != text2 and dmp.diff_main(text1, text2) or None return render(request, "problem/diff.html", {"problem": problem, "editable": checker.has_perm('edit_problem', problem), "rev1": rev1, "rev2": rev2, "rev1link": reverse("judge-problem-old", kwargs={"id": rev1.id, "slug": problem.slug}), "rev2link": reverse("judge-problem-old", kwargs={"id": rev2.id, "slug": problem.slug}), "description": differ(rev1.description, rev2.description), "input": differ(rev1.input, rev2.input), "output": differ(rev1.output, rev2.output), "sample_input": differ(rev1.sample_input, rev2.sample_input), "sample_output": differ(rev1.sample_output, rev2.sample_output), "note": differ(rev1.note, rev2.note), "differ": differ})
def check_user_role(user, project, roles): """Check that a user has one of a set of roles for a project. Administrator role satisfies any requirement. """ # Prefetch all user permissions for project. checker = ObjectPermissionChecker(user) # Check for admin privs in all cases. has_role = checker.has_perm('can_administer', project) if not has_role: # Check the indicated role(s) if isinstance(roles, string_types): roles = [roles] for role in roles: if role == UserRole.Annotate: has_role = checker.has_perm('can_annotate', project) elif role == UserRole.Browse: has_role = checker.has_perm('can_browse', project) elif role == UserRole.Import: has_role = checker.has_perm('can_import', project) if has_role: break return has_role
def recent(request, page=1): checker = ObjectPermissionChecker(request.user) submissions = Submission.objects.all().order_by("-id") filters = {} empty_message = u"제출된 답안이 없습니다." title_add = [] # only superuser can see all nonpublic submissions. # as an exception, if we are filtering by a problem, the author can see # nonpublic submissions. also, everybody can see their nonpublic # submissions. only_public = not request.user.is_superuser if request.GET.get("problem"): slug = request.GET["problem"] problem = get_object_or_404(Problem, slug=slug) if request.user == problem.user or checker.has_perm('read_problem', problem): only_public = False if (problem.state != Problem.PUBLISHED and request.user != problem.user and not checker.has_perm('read_problem', problem)): raise Http404 submissions = submissions.filter(problem=problem) title_add.append(slug) filters["problem"] = slug if "state" in request.GET: state = request.GET["state"] submissions = submissions.filter(state=state) filters["state"] = state title_add.append(Submission.STATES_KOR[int(state)]) if request.GET.get("user"): username = request.GET["user"] user = get_or_none(User, username=username) if not user: empty_message = u"해당 사용자가 없습니다." submissions = submissions.none() else: submissions = submissions.filter(user=user) filters["user"] = username title_add.append(username) if user == request.user: only_public = False if only_public: submissions = submissions.filter(is_public=True) return render(request, "submission/recent.html", {"title": u"답안 목록" + (": " if title_add else "") + ",".join(title_add), "filters": filters, "empty_message": empty_message, "pagination": setup_paginator(submissions, page, "judge-submission-recent", {}, filters)})
def document_permission_overview(user, document): can_edit = user.has_perm(document.edit_permission_name, document) if not can_edit: return [] main_groups = [ settings.ANONYMOUS_GROUP_NAME, settings.UNIVERSITY_GROUP_NAME, settings.STUDENT_GROUP_NAME, settings.STAFF_GROUP_NAME, ] permissions = [] for group_name in main_groups: group = Group.objects.get(name=group_name) checker = ObjectPermissionChecker(group) checker.prefetch_perms([document]) if checker.has_perm(document.edit_permission_name, document): permissions.append((group.name, "edit")) elif checker.has_perm(document.view_permission_name, document): permissions.append((group.name, "view")) else: permissions.append((group.name, "none")) for group in Group.objects.exclude(name__in=main_groups): checker = ObjectPermissionChecker(group) checker.prefetch_perms([document]) if checker.has_perm(document.edit_permission_name, document): permissions.append((group.name, "edit")) elif checker.has_perm(document.view_permission_name, document): permissions.append((group.name, "view")) return permissions
def test_has_perms_using_parent_object(self): group = Group.objects.create(name='group') obj1 = ContentType.objects.create( name='ct1', model='foo', app_label='guardian-tests') obj2 = ContentType.objects.create( name='ct2', model='bar', app_label='guardian-tests') obj2.get_parent_object_permission = lambda: (obj1,) assign_perms = { group: ('change_group', 'delete_group'), obj1: ('change_contenttype', 'delete_contenttype'), obj2: ('delete_contenttype',), } # for user check = ObjectPermissionChecker(self.user) self.assign_perms(UserObjectPermission, assign_perms[obj1], self.user, obj1) self.assign_perms(UserObjectPermission, assign_perms[obj2], self.user, obj2) print "\n\n\n", '*'*30 for perm in sorted(chain(assign_perms[obj1], assign_perms[obj2])): print 'checking perm %s in %s' % (perm, obj2) self.assertTrue(check.has_perm(perm, obj2)) # for group check = ObjectPermissionChecker(self.group) self.assign_perms(GroupObjectPermission, assign_perms[obj1], self.group, obj1) self.assign_perms(GroupObjectPermission, assign_perms[obj2], self.group, obj2) print "\n\n\n", '-'*30 for perm in sorted(chain(assign_perms[obj1], assign_perms[obj2])): print 'checking perm %s in %s' % (perm, obj2) self.assertTrue(check.has_perm(perm, obj2))
def test_group_assign_perm(self): assign_perm("add_contenttype", self.group, self.ctype) assign_perm("change_contenttype", self.group, self.ctype) assign_perm(self.get_permission("delete_contenttype"), self.group, self.ctype) check = ObjectPermissionChecker(self.group) self.assertTrue(check.has_perm("add_contenttype", self.ctype)) self.assertTrue(check.has_perm("change_contenttype", self.ctype)) self.assertTrue(check.has_perm("delete_contenttype", self.ctype))
def test_group_assign_perm_queryset(self): assign_perm("add_contenttype", self.group, self.ctype_qset) assign_perm("change_contenttype", self.group, self.ctype_qset) assign_perm(self.get_permission("delete_contenttype"), self.group, self.ctype_qset) check = ObjectPermissionChecker(self.group) for obj in self.ctype_qset: self.assertTrue(check.has_perm("add_contenttype", obj)) self.assertTrue(check.has_perm("change_contenttype", obj)) self.assertTrue(check.has_perm("delete_contenttype", obj))
def test_cache(self): checker = ObjectPermissionChecker(self.mum) with mock.patch('guardian.tests.signals.signal_get_perms_user', return_value=[], autospec=True) as mocked_handler: get_perms.connect(mocked_handler, sender=User, dispatch_uid='test_cache_mocked_handler') checker.has_perm('a_custom_perm', self.user) checker.has_perm('another_custom_perm', self.user) self.assertEqual(mocked_handler.call_count, 1)
def old(request, id, slug): problem = get_object_or_404(Problem, slug=slug) checker = ObjectPermissionChecker(request.user) if (not checker.has_perm('read_problem', problem) and problem.user != request.user): raise Http404 revision = get_object_or_404(ProblemRevision, id=id) return render(request, "problem/old.html", {"problem": problem, "editable": checker.has_perm('edit_problem', problem), "revision": revision})
def list(request, slug, page=1): checker = ObjectPermissionChecker(request.user) category = get_object_or_404(Category, slug=slug) if not checker.has_perm('read_post', category): return HttpResponseForbidden("Restricted category") posts = Post.objects.filter(category=category).order_by("-id") return render(request, "list.html", {"write_at": category.slug if checker.has_perm('write_post', category) else None, "title": category.name, "category": category, "pagination": setup_paginator(posts, page, "forum-list", {"slug": category.slug})})
def test_publish_button(self): """ Test if the publish button works """ staff_group = Group.objects.get(name=settings.STAFF_GROUP_NAME) document = mommy.make(MinutesDocument, participants=self.participants, moderator=self.moderator, state=MinutesDocument.UNPUBLISHED) document.set_all_permissions(staff_group) # The 1 sets the state to published self.app.get(reverse('documents:publish', args=[document.url_title, 1]), user=self.user) document = MinutesDocument.objects.get(url_title=document.url_title) self.assertEqual(document.state, MinutesDocument.PUBLISHED) group = Group.objects.get(name=settings.UNIVERSITY_GROUP_NAME) checker = ObjectPermissionChecker(group) self.assertTrue(checker.has_perm(document.view_permission_name, document)) self.assertFalse(checker.has_perm(document.edit_permission_name, document)) self.assertFalse(checker.has_perm(document.delete_permission_name, document)) group = Group.objects.get(name=settings.STUDENT_GROUP_NAME) checker = ObjectPermissionChecker(group) self.assertTrue(checker.has_perm(document.view_permission_name, document)) self.assertFalse(checker.has_perm(document.edit_permission_name, document)) self.assertFalse(checker.has_perm(document.delete_permission_name, document)) checker = ObjectPermissionChecker(staff_group) self.assertTrue(checker.has_perm(document.view_permission_name, document)) self.assertTrue(checker.has_perm(document.edit_permission_name, document)) self.assertTrue(checker.has_perm(document.delete_permission_name, document))
def delete_attachment(request, id): attachment = get_object_or_404(Attachment, id=id) problem = attachment.problem checker = ObjectPermissionChecker(request.user) if not checker.has_perm('edit_problem', problem) and problem.user != request.user: raise Http404 old_id = attachment.id old_filename = attachment.file.name attachment.file.delete(False) attachment.delete() # 해당 오브젝트에 대해 아무 퍼미션이나 있으면 처리됨. 문제의 경우 PUBLISHED 일 때는 이 권한을 사용하지 않아서 안전하다 visible_users = get_users_with_perms(problem, with_group_users=False) visible_groups = get_groups_with_perms(problem) publish("problem-attachment-delete-%s" % datetime.now().strftime('%s.%f'), "problem", "problem-attachment", actor=request.user, target=problem, timestamp=datetime.now(), visible_users=visible_users, visible_groups=visible_groups, verb=u"문제 {target}에서 첨부파일 %s 을 삭제했습니다." % os.path.basename(old_filename)) return HttpResponse("[]")
def test_save_first_minutes_document(self): # get the editor page and save the site response = self.app.get(reverse('documents:create', args=['minutesdocument']) + '?group={}'.format(self.group.id), user=self.user) self.assertEqual(response.status_code, 200) form = response.forms['document-form'] text = "Lorem ipsum" form.set('text', text) form.set('comment', text) form.set('url_title', slugify(text)) response = form.submit().follow() self.assertEqual(response.status_code, 200) document = MinutesDocument.objects.get(url_title=slugify(text)) # check whether number of versions is correct versions = Version.objects.get_for_object(document) self.assertEqual(len(versions), 1) # check whether the properties of the new document are correct self.assertEqual(document.title, MinutesDocument.generate_new_title()) self.assertEqual(document.author, self.user) self.assertEqual(document.moderator, self.user) self.assertEqual(document.text, text) self.assertEqual(versions[0].revision.comment, text) self.assertListEqual(list(document.participants.all().order_by('username')), list(self.group.user_set.all().order_by('username'))) checker = ObjectPermissionChecker(self.group) self.assertTrue(checker.has_perm(document.edit_permission_name, document))
def clean(self): if self.instance.id: checker = ObjectPermissionChecker(self.request_user) if not checker.has_perm('contacts.write_contact', self.instance): raise ValidationError("User %s has no write permissions" % self.request_user.username) return super(ContactAdminForm, self).clean()
def test_group_remove_perm(self): # assign perm first assign_perm("change_contenttype", self.group, self.ctype) remove_perm("change_contenttype", self.group, self.ctype) check = ObjectPermissionChecker(self.group) self.assertFalse(check.has_perm("change_contenttype", self.ctype))
def test_group_remove_perm_queryset(self): assign_perm("change_contenttype", self.group, self.ctype_qset) remove_perm("change_contenttype", self.group, self.ctype_qset) check = ObjectPermissionChecker(self.group) for obj in self.ctype_qset: self.assertFalse(check.has_perm("change_contenttype", obj))
def read(request, id): post = get_object_or_404(Post, id=id) category = post.category checker = ObjectPermissionChecker(request.user) if not checker.has_perm('read_post', category): return HttpResponseForbidden("Restricted post") return render(request, "read.html", {"post": post, "category": category})
def settable_statuses(cls, user, unit): """ Return the list of statuses this user is allowed to set, based on their permissions. """ checker = ObjectPermissionChecker(user) statuses = [] if checker.has_perm(APPOINTMENT__CAN_FINALIZE, unit): statuses.extend([cls.SENT, cls.ACCEPTED, cls.DECLINED]) if checker.has_perm(APPOINTMENT__CAN_RECOMMEND, unit): statuses.extend([cls.APPLICANT, cls.POTENTIAL, cls.RECOMMENDED, cls.NOPE]) return statuses
def test_group_remove_perm(self): # assign perm first assign("change_flatpage", self.group, self.flatpage) remove_perm("change_flatpage", self.group, self.flatpage) check = ObjectPermissionChecker(self.group) self.assertFalse(check.has_perm("change_flatpage", self.flatpage))
def has_perm(self, user_obj, perm, obj=None): """ Returns ``True`` if given ``user_obj`` has ``perm`` for ``obj``. If no ``obj`` is given, ``False`` is returned. .. note:: Remember, that if user is not *active*, all checks would return ``False``. Main difference between Django's ``ModelBackend`` is that we can pass ``obj`` instance here and ``perm`` doesn't have to contain ``app_label`` as it can be retrieved from given ``obj``. **Inactive user support** If user is authenticated but inactive at the same time, all checks always returns ``False``. """ # check if user_obj and object are supported support, user_obj = check_support(user_obj, obj) if not support: return False if '.' in perm: app_label, perm = perm.split('.') if app_label != obj._meta.app_label: raise WrongAppError("Passed perm has app label of '%s' and " "given obj has '%s'" % (app_label, obj._meta.app_label)) check = ObjectPermissionChecker(user_obj) return check.has_perm(perm, obj)
def test_group_assing(self): assign("change_flatpage", self.group, self.flatpage) assign("delete_flatpage", self.group, self.flatpage) check = ObjectPermissionChecker(self.group) self.assertTrue(check.has_perm("change_flatpage", self.flatpage)) self.assertTrue(check.has_perm("delete_flatpage", self.flatpage))
def test_group_assing(self): assign("change_keycard", self.group, self.keycard) assign("delete_keycard", self.group, self.keycard) check = ObjectPermissionChecker(self.group) self.assertTrue(check.has_perm("change_keycard", self.keycard)) self.assertTrue(check.has_perm("delete_keycard", self.keycard))
def allow_bulk_destroy_resources(self, user, resource_list): """User must have admin permissions to delete collections.""" checker = ObjectPermissionChecker(user) for collection in resource_list: if not checker.has_perm('admin_collection', collection): return False return True
def test_group_remove_perm(self): # assign perm first assign("change_keycard", self.group, self.keycard) remove_perm("change_keycard", self.group, self.keycard) check = ObjectPermissionChecker(self.group) self.assertFalse(check.has_perm("change_keycard", self.keycard))
def bulk_assign_perm(self, perm, user_or_group, queryset): """ Bulk assigns permissions with given ``perm`` for an objects in ``queryset`` and ``user_or_group``. """ ctype = get_content_type(queryset.model) if not isinstance(perm, Permission): permission = Permission.objects.get(content_type=ctype, codename=perm) else: permission = perm checker = ObjectPermissionChecker(user_or_group) checker.prefetch_perms(queryset) assigned_perms = [] for instance in queryset: if not checker.has_perm(permission.codename, instance): kwargs = {'permission': permission, self.user_or_group_field: user_or_group} if self.is_generic(): kwargs['content_type'] = ctype kwargs['object_pk'] = instance.pk else: kwargs['content_object'] = instance assigned_perms.append(self.model(**kwargs)) self.model.objects.bulk_create(assigned_perms) return assigned_perms
def go(): problem = get_or_none(Problem, id=id) if not problem: return {"success": False, "error": u"존재하지 않는 문제입니다."} checker = ObjectPermissionChecker(request.user) if not checker.has_perm('edit_problem', problem) and problem.user != request.user: return {"success": False, "error": u"권한이 없습니다."} if request.method != "POST": return {"success": False, "error": u"POST 접근하셔야 합니다."} file = request.FILES["file"] md5 = md5file(file) target_path = os.path.join("judge-attachments", md5, file.name) storage = DefaultStorage() storage.save(target_path, file) new_attachment = Attachment(problem=problem, file=target_path) new_attachment.save() # 해당 오브젝트에 대해 아무 퍼미션이나 있으면 처리됨. 문제의 경우 PUBLISHED 일 때는 이 권한을 사용하지 않아서 안전하다 visible_users = get_users_with_perms(problem, with_group_users=False) visible_groups = get_groups_with_perms(problem) publish("problem-attachment-%s" % datetime.now().strftime('%s.%f'), "problem", "problem-attachment", actor=request.user, target=problem, timestamp=datetime.now(), visible_users=visible_users, visible_groups=visible_groups, verb=u"문제 {target}에 첨부파일 %s 을 추가했습니다." % file.name) return {"success": True}
def item_check(self, object_list, bundle, permission): if not self.base_check(object_list, bundle): raise Unauthorized("You are not allowed to access that resource.") checker = ObjectPermissionChecker(bundle.request.user) if not checker.has_perm(permission, bundle.obj): raise Unauthorized("You are not allowed to access that resource.") return True
def auth(request): if request.user.is_superuser: if request.method == 'GET': return render(request, 'api/auth.html') elif request.method == 'POST': # 初始化权限树 user_id = request.POST.get('userId') projects = ProjectInfo.objects.filter().order_by('-id') perm_dict = { AUTH_VIEW: '查询', AUTH_UPDATE: '修改', AUTH_DELETE: '删除' } # 需要初始化的权限 is_superuser = False has_add_perm_list = [] # 用户拥有的创建权限列表 auth_list = [] if user_id != DEFAULT_USER_ID: try: user = UserInfo.objects.get(id=user_id) checker = ObjectPermissionChecker(user) is_superuser = user.is_superuser has_add_perm_list = check_add_perm_for_user( user, add_perm_list) # 初始化创建权限部分 except ObjectDoesNotExist: return JsonResponse(get_ajax_msg(0, 0, '没有该名用户')) # 初始化项目权限部分 for project in projects: flag_all = True # 全选项目权限标志 auth_dict = {} auth_dict['name'] = project.project_name auth_dict['value'] = project.id auth_dict['list'] = [] for key, value in perm_dict.items(): perm_name = value perm_value = str(project.id) + '-' + key if user_id != DEFAULT_USER_ID: is_auth = checker.has_perm(key, project) else: is_auth = False flag_all = flag_all and is_auth # 与运算,判断是否全选权限 auth_dict['list'].append({ 'name': perm_name, 'value': perm_value, 'checked': is_auth }) auth_dict['checked'] = flag_all auth_list.append(auth_dict) return JsonResponse( get_ajax_msg( 1, 1, '获取权限列表成功', { 'is_superuser': is_superuser, 'checks': ','.join(has_add_perm_list), 'trees': auth_list })) else: return JsonResponse(get_ajax_msg(0, 0, '该名用户没有管理员权限'))
def post(self, request, pk=0, form=None): form = forms.NewPost(request.POST) if form.is_valid(): if not pk: cur_post = models.Post() else: try: pk = int(pk) cur_post = models.Post.objects.get(pk=pk) checker = ObjectPermissionChecker(request.user) if not checker.has_perm('change_post', cur_post) \ and not request.user.has_perm('main.change_post'): return HttpResponseForbidden('forbidden1') except models.Post.DoesNotExist: raise Http404 cur_post.title = form.cleaned_data['title'] cur_post.raw = form.cleaned_data['content'] cur_post.abstract = form.cleaned_data['abstract'] # html = markdown2.markdown(cur_post.raw, extras=['code-friendly', 'fenced-code-blocks']) # cur_post.content_html = smart_text(html) cur_post.author = User.objects.get(pk=form.cleaned_data['author_id']) if form.cleaned_data['author_id'] else request.user # cur_post.author = request.user tag_ids = request.POST.getlist('tags') category_id = request.POST.get('category', None) # return HttpResponse(len(tag_ids)) if request.POST.get('publish'): cur_post.is_draft = False msg = 'Post has been pulished!' messages.add_message(request, messages.SUCCESS, msg) url = reverse('main:admin_posts') else: cur_post.is_draft=True if request.POST.get('preview'): cur_post.save() return HttpResponse(cur_post.id) msg = 'Draft has been saved!' messages.add_message(request, messages.SUCCESS, msg) url = '{0}?draft=true'.format(reverse('main:admin_posts')) cur_post.category_id = category_id cur_post.save() cur_post.tags.clear() cur_post.tags.add(*tag_ids) assign_perm('main.change_post', request.user, cur_post) assign_perm('main.delete_post', request.user, cur_post) if request.POST.get('preview'): url = reverse('main:post', kwargs={'pk':cur_post.id}) return redirect(url) return self.get(request, form)
def Inception_exe(request): ##Inception 执行 if request.method == 'POST': ids = request.POST.getlist('id') sql_db = request.POST.get('sql', None) databases = request.POST.get('databases', None) user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) ids1 = [] for i in ids: assets = db_mysql.objects.get(id=i) if checker.has_perm('task_db_mysql',assets, ) == True: ids1.append(i) else: error_3 = "数据库没有权限" ret = {"error": error_3, "status": False} return HttpResponse(json.dumps(ret)) user = request.user idstring = ','.join(ids1) if not ids: error_1 = "请选择数据库" ret = {"error": error_1, "status": False} return HttpResponse(json.dumps(ret)) elif not sql_db: error_2 = "请输入命令" ret = {"error": error_2, "status": False} return HttpResponse(json.dumps(ret)) obj = db_mysql.objects.extra(where=['id IN (' + idstring + ')']) ret = {} ret['data'] = [] for i in obj: try: history.objects.create(ip=i.ip, root=i.db_user.username, port=i.port, cmd="执行:{}".format(sql_db), user=user) password = decrypt_p(i.db_user.password) s = sql_exe(user=i.db_user.username, password=password, host=i.ip, port=i.port, databases=databases,sqls=sql_db) if s == None or s['data'] == '': s = {} s['ip'] = i.ip s['data'] = "返回值为空,可能是权限不够。" ret['data'].append(s) except Exception as e: ret['data'].append({"ip": i.ip, "data": "账号密码不对,{}".format(e)}) return HttpResponse(json.dumps(ret))
def test_autoprefetch_superuser_perms(self): settings.DEBUG = True guardian_settings.AUTO_PREFETCH = True ProjectUserObjectPermission.enabled = False ProjectGroupObjectPermission.enabled = False try: from django.db import connection ContentType.objects.clear_cache() group1 = Group.objects.create(name='group1') user = User.objects.create(username='******', is_superuser=True, is_active=True) assign_perm("change_group", user, self.group) checker = ObjectPermissionChecker(user) # Fill cache checker._prefetch_cache() query_count = len(connection.queries) # Check customuser has cache attribute self.assertTrue(hasattr(user, '_guardian_perms_cache')) # Checking shouldn't spawn any queries self.assertTrue(checker.has_perm("change_group", self.group)) self.assertTrue(user.has_perm("change_group", self.group)) self.assertEqual(len(connection.queries), query_count) # Checking for other permission but for Group object again # shouldn't spawn any query too self.assertTrue(checker.has_perm("delete_group", self.group)) self.assertTrue(user.has_perm("delete_group", self.group)) self.assertEqual(len(connection.queries), query_count) # Checking for same model but other instance shouldn't spawn any queries self.assertTrue(checker.has_perm("change_group", group1)) self.assertTrue(user.has_perm("change_group", group1)) self.assertEqual(len(connection.queries), query_count) finally: settings.DEBUG = False guardian_settings.AUTO_PREFETCH = False ProjectUserObjectPermission.enabled = True ProjectGroupObjectPermission.enabled = True
def assign_user_profile(user, _model, admins=[]): """ Assign Object(model) permission for the object's associated user and site administrators :param user: the object's associated user :param _model: the object itself :param admins: optional administrators for control and security reasons :return: Boolean """ for admin in admins: admin_checker = ObjectPermissionChecker(admin) admin_has_perm = admin_checker.has_perm("profile_user", _model) if not admin_has_perm: assign_perm("profile_user", admin, _model) checker = ObjectPermissionChecker(user) has_perm = checker.has_perm("profile_user", _model) if not has_perm: assign_perm("profile_user", user, _model) return user.has_perm("profile_user", _model)
def get_last_minutes_document_for_group(group): minutes = MinutesDocument.objects.all().order_by('-date') group_checker = ObjectPermissionChecker(group) group_checker.prefetch_perms(minutes) for m in minutes: if group_checker.has_perm(m.edit_permission_name, m): return m return None
def test_superuser(self): user = User.objects.create(username='******', is_superuser=True) check = ObjectPermissionChecker(user) ctype = ContentType.objects.get_for_model(self.ctype) perms = sorted( chain(*Permission.objects.filter( content_type=ctype).values_list('codename'))) self.assertEqual(perms, check.get_perms(self.ctype)) for perm in perms: self.assertTrue(check.has_perm(perm, self.ctype))
def _has_perm(self, user, perm, allow_admin=True): if not is_authenticated_user(user): return False # Admins are almighty. if self.is_admin(user) and allow_admin: return True if hasattr(self, '_permission_checker'): checker = self._permission_checker else: checker = ObjectPermissionChecker(user) # Permissions can be given per-unit if checker.has_perm('unit:%s' % perm, self.unit): return True # ... or through Resource Groups resource_group_perms = [ checker.has_perm('group:%s' % perm, rg) for rg in self.groups.all() ] return any(resource_group_perms)
def get_queryset_for_customer(self): created_time = self.request.query_params.get('created_time', None) if created_time: self.kwargs['created_time__contains'] = created_time queryset = Order.objects.filter(**self.kwargs) checker = ObjectPermissionChecker(self.request.user) checker.prefetch_perms(queryset) return [ query for query in queryset if checker.has_perm('app.view_order', query) ]
def rejudge(request, id): problem = get_object_or_404(Problem, id=id) checker = ObjectPermissionChecker(request.user) if not checker.has_perm('edit_problem', problem) and problem.user != request.user: raise Http404 submissions = Submission.objects.filter(problem=problem) for submission in submissions: submission.rejudge() return redirect( reverse('judge-submission-recent') + '?problem=' + problem.slug)
def generic_item_check(self, object_list, bundle, permission): if not self.generic_base_check(object_list, bundle): raise ImmediateHttpResponse( HttpForbidden("You are not allowed to access that resource.")) checker = ObjectPermissionChecker(bundle.request.user) if not checker.has_perm(permission, bundle.obj): raise ImmediateHttpResponse( HttpForbidden("You are not allowed to access that resource.")) return True
def system_user_list(request): obj = system_users.objects.all() user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) l = [] for i in obj: system_u = system_users.objects.get(id=i.id) if checker.has_perm('read_system_users', system_u) == True: l.append(i) return render(request, 'asset/system-user.html', {'asset_list': l, "asset_active": "active", "system_user_list_active": "active"})
def has_object_permission(self, request, view, obj): # Read permissions are allowed to any request, # so we'll always allow GET, HEAD or OPTIONS requests. if (request.method in permissions.SAFE_METHODS and is_owner(obj, request)): return True checker = ObjectPermissionChecker(request.user) if checker.has_perm('view_location', obj.id): return True return False
def latexify(request, slug): problem = get_object_or_404(Problem, slug=slug) checker = ObjectPermissionChecker(request.user) if (not checker.has_perm('read_problem', problem) and problem.user != request.user): raise Http404 response = render(request, "problem/latexify.tex", { "problem": problem, "revision": problem.last_revision }) response['Content-Type'] = 'text/plain; charset=UTF-8' return response
def history(request, slug): problem = get_object_or_404(Problem, slug=slug) checker = ObjectPermissionChecker(request.user) if (not checker.has_perm('read_problem', problem) and problem.user != request.user): raise Http404 revision_set = ProblemRevision.objects.filter( revision_for=problem).order_by("-id") ids = [rev.id for rev in revision_set[:2]] revisions = revision_set.all() last, second_last = -1, -1 if len(ids) >= 2: last, second_last = ids[0], ids[1] return render( request, "problem/history.html", { "problem": problem, "editable": checker.has_perm('edit_problem', problem), "revisions": revisions, "last_rev": last, "second_last_rev": second_last })
def check_user_role(user, project, roles) -> bool: """Check that a user has one of a set of roles for a project. Administrator role satisfies any requirement. """ # Prefetch all user permissions for project. checker = ObjectPermissionChecker(user) # Check for admin privs in all cases. has_role = checker.has_perm('can_administer', project) if not has_role: # Check the indicated role(s) if isinstance(roles, str): roles = [roles] for role in roles: if role == UserRole.Annotate: has_role = checker.has_perm('can_annotate', project) elif role == UserRole.Browse: has_role = checker.has_perm('can_browse', project) elif role == UserRole.Fork: has_role = checker.has_perm('can_fork', project) elif role == UserRole.Import: has_role = checker.has_perm('can_import', project) elif role == UserRole.QueueComputeTask: has_role = checker.has_perm('can_queue_compute_task', project) if has_role: break return has_role
def test_prefetch_group_perms(self): settings.DEBUG = True try: from django.db import connection ContentType.objects.clear_cache() new_group = Group.objects.create(name='new-group') assign_perm("change_group", new_group, self.group) assign_perm("change_group", new_group, new_group) checker = ObjectPermissionChecker(new_group) # Prefetch permissions self.assertTrue(checker.prefetch_perms([self.group, new_group])) query_count = len(connection.queries) # Checking cache is filled self.assertEqual(len(checker._obj_perms_cache), 2) # Checking shouldn't spawn any queries checker.has_perm("change_group", self.group) self.assertEqual(len(connection.queries), query_count) # Checking for other permission but for Group object again # shouldn't spawn any query too checker.has_perm("delete_group", self.group) self.assertEqual(len(connection.queries), query_count) # Checking for same model but other instance shouldn't spawn any queries checker.has_perm("change_group", new_group) self.assertEqual(len(connection.queries), query_count) finally: settings.DEBUG = False
def get_permitted_minutes(minutes, request, groupid): groupid = int(groupid) try: group = Group.objects.get(id=groupid) except ObjectDoesNotExist: raise Http404 own_group = request.user.is_superuser or group in request.user.groups.all() # Prefetch group permissions group_checker = ObjectPermissionChecker(group) group_checker.prefetch_perms(minutes) # Prefetch user permissions user_checker = ObjectPermissionChecker(request.user) user_checker.prefetch_perms(minutes) # Prefetch ip group permissions ip_range_group_name = request.user._ip_range_group_name if hasattr( request.user, '_ip_range_group_name') else None if ip_range_group_name: ip_range_group = Group.objects.get(name=ip_range_group_name) ip_range_group_checker = ObjectPermissionChecker(ip_range_group) permitted_minutes = [] for m in minutes: # we show all documents for which the requested group has edit permissions # e.g. if you request FSR minutes, all minutes for which the FSR group has edit rights will be shown if not group_checker.has_perm(m.edit_permission_name, m): continue # we only show documents for which the user has view permissions if not user_checker.has_perm( MinutesDocument.get_view_permission(), m) and (not ip_range_group_name or not ip_range_group_checker.has_perm( MinutesDocument.get_view_permission(), m)): continue permitted_minutes.append(m) return permitted_minutes, own_group
def test_publish_student_button(self): """ Test if the publish for students only button works """ staff_group = Group.objects.get(name=settings.STAFF_GROUP_NAME) document = mommy.make(MinutesDocument, participants=self.participants, moderator=self.moderator, state=MinutesDocument.UNPUBLISHED) document.set_all_permissions(staff_group) # The 4 sets the state to published_student self.app.get(reverse('documents:publish', args=[document.url_title, 4]), user=self.user) document = MinutesDocument.objects.get(url_title=document.url_title) self.assertEqual(document.state, MinutesDocument.PUBLISHED_STUDENT) group = Group.objects.get(name=settings.UNIVERSITY_GROUP_NAME) checker = ObjectPermissionChecker(group) self.assertFalse( checker.has_perm(document.view_permission_name, document)) self.assertFalse( checker.has_perm(document.edit_permission_name, document)) self.assertFalse( checker.has_perm(document.delete_permission_name, document)) group = Group.objects.get(name=settings.STUDENT_GROUP_NAME) checker = ObjectPermissionChecker(group) self.assertTrue( checker.has_perm(document.view_permission_name, document)) self.assertFalse( checker.has_perm(document.edit_permission_name, document)) self.assertFalse( checker.has_perm(document.delete_permission_name, document)) checker = ObjectPermissionChecker(staff_group) self.assertTrue( checker.has_perm(document.view_permission_name, document)) self.assertTrue( checker.has_perm(document.edit_permission_name, document)) self.assertTrue( checker.has_perm(document.delete_permission_name, document))
def sftp_file(request): ##上传 if request.method == "GET": obj = get_objects_for_user(request.user, 'asset.change_asset') return render(request, 'tasks/sftp.html', {'asset_list': obj, "tasks_active": "active", "sftp_active": "active"}) if request.method == 'POST': ids = request.POST.getlist('id') user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) local_path= request.POST.get("local_path") server_path= request.POST.get("server_path") ids1 = [] for i in ids: assets = asset.objects.get(id=i) if checker.has_perm('delete_asset', assets, ) == True: ids1.append(i) user = request.user idstring = ','.join(ids1) if not ids: error_1 = "请选择主机" ret = {"error": error_1, "status": False} return HttpResponse(json.dumps(ret)) elif not local_path or not server_path : error_2 = "请输入上传文件目录及文件名" ret = {"error": error_2, "status": False} return HttpResponse(json.dumps(ret)) obj = asset.objects.extra(where=['id IN (' + idstring + ')']) ret = {} ret['data'] = [] for i in obj: try: s = sftp(ip=i.network_ip, port=i.port, username=i.system_user.username, password=i.system_user.password,local_path=local_path, server_path=server_path ) historys = history.objects.create(ip=i.network_ip, root=i.system_user, port=i.port, cmd="上传{}".format(server_path), user=user) if s == None or s['data'] == '': s={} s['ip']=i.network_ip s['data']="返回值为空,可能是权限不够。" ret['data'].append(s) except Exception as e: ret['data'].append({"ip": i.network_ip, "data": "账号密码不对,{}".format(e)}) return HttpResponse(json.dumps(ret))
def revert(request, id, slug): problem = get_object_or_404(Problem, slug=slug) checker = ObjectPermissionChecker(request.user) if (not checker.has_perm('edit_problem', problem) and problem.user != request.user): raise Http404 revision = ProblemRevision.objects.get(id=id) old_id = revision.id revision.id = None revision_form = ProblemRevisionEditForm(data=None, instance=revision) revision_form.save(problem, request.user, summary=u"리비전 %s로 복구." % old_id) return redirect( reverse("judge-problem-read", kwargs={"slug": problem.slug}))
def has_overlapping_permissions(self, reservation, reservables, user): # do NOT use method on reservation object! It checks # object.reservations which does not exist when called from # method has_permission. overlapping = reservation.get_overlapping_reservations(reservables) checker = ObjectPermissionChecker(user) for res in overlapping: for r in res.reservables.all(): if r in (reservables.all() and not checker.has_perm('double_reserve', r)): raise rest_framework.exceptions.PermissionDenied( detail=_('Double booking not allowed')) return True
def submit(request, slug): problem = get_object_or_404(Problem, slug=slug) checker = ObjectPermissionChecker(request.user) # read_problem permission owners and problem authors can opt in for nonpublic submissions. # nobody can submit public submissions to problems that are not published. if ((request.user == problem.user or checker.has_perm('read_problem', problem)) and problem.state == Problem.PUBLISHED): form = AdminSubmitForm(data=request.POST or None) else: form = SubmitForm(data=request.POST or None, public=(problem.state == Problem.PUBLISHED)) if request.method == "POST" and form.is_valid(): form.save(request.user, problem) return redirect(reverse("judge-submission-recent")) return render( request, "problem/submit.html", { "form": form, "editable": checker.has_perm("edit_problem", problem), "problem": problem })
def get_queryset(self): # For bulk requests, queryset is formed from request body. if is_bulk_request(self.request): auth = get_user_auth(self.request) collection_ids = [coll['id'] for coll in self.request.data] collections = Collection.objects.filter(guids___id__in=collection_ids) checker = ObjectPermissionChecker(auth.user) for collection in collections: if not checker.has_perm('write_collection', collection): raise PermissionDenied return collections else: return self.get_queryset_from_request()
def test_cache_for_queries_count(self): settings.DEBUG = True try: from django.db import connection ContentType.objects.clear_cache() checker = ObjectPermissionChecker(self.user) # has_perm on Checker should spawn only two queries plus one extra # for fetching the content type first time we check for specific # model and two more content types as there are additional checks # at get_user_obj_perms_model and get_group_obj_perms_model query_count = len(connection.queries) res = checker.has_perm("change_group", self.group) if 'guardian.testapp' in settings.INSTALLED_APPS: expected = 5 else: # TODO: This is strange, need to investigate; totally not sure # why there are more queries if testapp is not included expected = 11 self.assertEqual(len(connection.queries), query_count + expected) # Checking again shouldn't spawn any queries query_count = len(connection.queries) res_new = checker.has_perm("change_group", self.group) self.assertEqual(res, res_new) self.assertEqual(len(connection.queries), query_count) # Checking for other permission but for Group object again # shouldn't spawn any query too query_count = len(connection.queries) checker.has_perm("delete_group", self.group) self.assertEqual(len(connection.queries), query_count) # Checking for same model but other instance should spawn 2 queries new_group = Group.objects.create(name='new-group') query_count = len(connection.queries) checker.has_perm("change_group", new_group) self.assertEqual(len(connection.queries), query_count + 2) # Checking for permission for other model should spawn 4 queries # every added direct relation adds one more query.. # (again: content type and actual permissions for the object... query_count = len(connection.queries) checker.has_perm("change_user", self.user) self.assertEqual(len(connection.queries), query_count + 4) finally: settings.DEBUG = False
def Inception_query_databases(request): ##Inception 查询 数据库 名字 if request.method == 'POST': ids = request.POST.getlist('id') user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) ids1 = [] for i in ids: assets = db_mysql.objects.get(id=i) if checker.has_perm('task_db_mysql', assets, ) == True: ids1.append(i) else: error_3 = "数据库没有权限" ret = {"error": error_3, "status": False} return HttpResponse(json.dumps(ret)) user = request.user idstring = ','.join(ids1) if not ids: error_1 = "请选择数据库" ret = {"error": error_1, "status": False} return HttpResponse(json.dumps(ret)) obj = db_mysql.objects.extra(where=['id IN (' + idstring + ')']) ret = {} ret['data'] = [] for i in obj: try: history.objects.create(ip=i.ip, root=i.db_user.username, port=i.port, cmd="查询数据库库名字".format(), user=user) password = decrypt_p(i.db_user.password) a = sql_query(user=i.db_user.username, password=password, host=i.ip, port=i.port,db='mysql') s1 = a.connectmysql(sql="select SCHEMA_NAME from information_schema.SCHEMATA;") s2 = [] for z in s1: s2.append(z[0]) s = {'ip':i.ip,'data':s2} ret['data'].append(s) except Exception as e: ret['data'].append({"ip": i.ip, "data": "账号密码不对,{}".format(e)}) return HttpResponse(json.dumps(ret))
def commandTask(request,code): checker = ObjectPermissionChecker(request.user) add = checker.has_perm('SystemManage.access_to_Function',Function.objects.get(name='添加命令分发')) detail = checker.has_perm('SystemManage.access_to_Function',Function.objects.get(name='添加命令分发')) if request.method=='POST': data = request.POST if request.user.is_superuser: tableData = models.CommandTask.objects.all() else: tableData = models.CommandTask.objects.filter(createBy=request.user) if data['name']: tableData = tableData.filter(name__icontains=data['name']) if data['cmdline']: tableData = tableData.filter(cmdline__icontains=data['cmdline']) paginator = Paginator(tableData,settings.ITEMS_PER_PAGE) #模板需要 page = int(request.GET.get('page',1)) #模板需要 start = max(page-5,0) page_range = paginator.page_range[start:start+10] #模板需要 cur_page = paginator.page(page) #模板需要 return render(request,'TaskManage/commandtasktablelist.html',locals()) else: form = forms.CommandTaskSearchForm() return render(request,'TaskManage/commandtask.html',locals())
def __init__(self, request: HttpRequest, *args, **kwargs): super().__init__(*args, **kwargs) # Disable non-editable fields person_fields = set([field.name for field in Person.syncable_fields() ]).intersection(set(self.fields)) if self.instance: checker = ObjectPermissionChecker(request.user) checker.prefetch_perms([self.instance]) for field in person_fields: if not checker.has_perm(f"core.change_person_field_{field}", self.instance): self.fields[field].disabled = True
def get_permissions(user_or_group: Union[User, Group], object_list: QuerySet) -> List[ObjectPermission]: permissions = [] perm_checker = ObjectPermissionChecker(user_or_group) perm_checker.prefetch_perms(object_list) opts = object_list.model._meta perm_view = get_permission_codename('view', opts) perm_change = get_permission_codename('change', opts) perm_delete = get_permission_codename('delete', opts) for obj in object_list: permissions.append( ObjectPermission( obj=obj, can_view=perm_checker.has_perm(perm_view, obj), can_change=perm_checker.has_perm(perm_change, obj), can_delete=perm_checker.has_perm(perm_delete, obj), ) ) return permissions
def system_user_del(request): ret = {'status': True, 'error': None, } if request.method == "POST": try: id = request.POST.get("nid", None) user = User.objects.get(username=request.user) checker = ObjectPermissionChecker(user) system_u = system_users.objects.get(id=id) if checker.has_perm('delete_system_users', system_u, ) == True: system_u.delete() GroupObjectPermission.objects.filter(object_pk=id).delete() except Exception as e: ret['status'] = False ret['error'] = '删除请求错误,{}'.format(e) return HttpResponse(json.dumps(ret))