def __init__(self, connection):
self.connection = connection
from models.permission import Permission
from models.user_role import UserRole
self.permission = Permission(connection)
self.user_role = UserRole(connection)
from token_controller import TokenController
self.token_controller = TokenController(connection)
from user_role_controller import UserRoleController
self.user_role_controller = UserRoleController(connection)
def run(self):
for permission in ('admin', 'arrivals', 'cfp_reviewer',
'cfp_anonymiser', 'cfp_schedule'):
if not Permission.query.filter_by(name=permission).first():
db.session.add(Permission(permission))
db.session.commit()
def mutate(self, info, **kwargs):
myPermission = Permission(
name=kwargs.get('name'),
description=kwargs.get('description')
)
save(myPermission)
return CreatePermission(permission=myPermission)
def permissions_parse_func(controller, database_session, instance,
data):
errors = []
if not data:
data = {}
if data.get("enabled") is not None:
enabled = data["enabled"]
instance.permissions = []
for action in enabled:
permission = Permission()
permission.action = action
permission.role = instance
database_session.add(permission)
return errors
def create_perms():
""" Create permissions in DB if they don't exist """
for permission in (
"admin",
"arrivals",
"cfp_reviewer",
"cfp_anonymiser",
"cfp_schedule",
):
if not Permission.query.filter_by(name=permission).first():
db.session.add(Permission(permission))
db.session.commit()
def setUp(self):
self.client, self.app, self.db = get_app()
self.app.testing = True
with self.app.app_context():
admin_user = User(self.admin_email, 'TEST_ADMIN_USER')
admin_user.grant_permission('admin')
self.db.session.add(admin_user)
user = User(self.user_email, 'TEST_USER')
self.db.session.add(user)
permission = Permission(self.permission_name)
self.db.session.add(permission)
self.db.session.commit()
import sys
sys.path.append('../../porper')
import os
region = os.environ.get('AWS_DEFAULT_REGION')
import boto3
dynamodb = boto3.resource('dynamodb',region_name=region)
from models.permission import Permission
permission = Permission(dynamodb)
params = {'user_id': 'user1', 'action': 'action1', 'resource': 'res1', 'value': 'val1'}
permission.create(params)
params = {'user_id': 'user1', 'action': 'action2', 'resource': 'res2', 'value': '*'}
permission.create(params)
params = {'user_id': 'user2', 'action': 'action3', 'resource': 'res3', 'value': 'val3'}
permission.create(params)
params = {'user_id': 'user2', 'action': 'action4', 'resource': 'res4', 'value': '*'}
permission.create(params)
params = {'role_id': 'abcd', 'action': 'action11', 'resource': 'res11', 'value': 'val11'}
permission.create(params)
params = {'role_id': 'abcd', 'action': 'action12', 'resource': 'res12', 'value': '*'}
permission.create(params)
params = {'role_id': '1234', 'action': 'action13', 'resource': 'res13', 'value': 'val13'}
permission.create(params)
params = {'role_id': '1234', 'action': 'action14', 'resource': 'res14', 'value': '*'}
permission.create(params)
def _remove_admin(self, user):
permission = Permission.by_user_and_name(user, ADMIN_PERMISSION)
self.dbsession.delete(permission)
self.dbsession.commit()
def _make_admin(self, user):
""" Give a user ADMIN permission """
admin_permission = Permission(name=ADMIN_PERMISSION, user_id=user.id)
user.permissions.append(admin_permission)
self.dbsession.add(admin_permission)
print("Passwords don't match. Try again.\n")
with closing(database_session_maker()) as database_session:
account = Account()
account.firstname = "Admin"
account.lastname_prefix = ""
account.lastname = "Admin"
account.mailaddress = "*****@*****.**"
account.set_password(password1)
role = database_session.query(Role).filter(
Role.name == "Administrator").first()
if not role:
role = Role()
role.name = "Administrator"
role.description = "Administrator role"
account.role = role
for action in [
'role.list', 'role.edit', 'account.list', 'account.edit'
]:
permission = Permission()
permission.action = action
permission.role = role
database_session.add(account)
database_session.commit()
print("Created admin account with mailadddress " +
account.mailaddress)
def Permission(self):
return Permission(self)
import sys
sys.path.insert(0, r'../..')
from models.connection import connection
from models.permission import Permission
permission = Permission(connection)
print permission.create({'user_id':'49d8bc68-f57e-11e3-ba1d-005056ba0d15', 'resource':'res-a', 'action':'act-a', 'value':'val-a', 'condition':'cond-a', 'role_id':''})
print permission.create({'user_id':'', 'resource':'res', 'action':'act-r', 'value':'val-r', 'condition':'', 'role_id':'3867c370-552f-43b8-bed9-6aa00ffc41b4'})
print permission.find({'user_id':'49d8bc68-f57e-11e3-ba1d-005056ba0d15', 'resource':'account', 'action':'', 'value':'', 'condition':'', 'role_id':'', 'all':True})
print permission.find({'user_id':'', 'resource':'res', 'action':'act-r', 'value':'', 'condition':'', 'role_id':'3867c370-552f-43b8-bed9-6aa00ffc41b4'})
print permission.delete({'user_id':'49d8bc68-f57e-11e3-ba1d-005056ba0d15', 'resource':'res-a', 'action':'act-a', 'value':'val-a', 'condition':'cond-a', 'role_id':''})
print permission.delete({'user_id':'', 'resource':'res', 'action':'act-r', 'value':'val-r', 'condition':'', 'role_id':'3867c370-552f-43b8-bed9-6aa00ffc41b4'})
import sys
sys.path.insert(0, r'../..')
from models.connection import connection
from models.permission import Permission
permission = Permission(connection)
print permission.create({
'user_id': '49d8bc68-f57e-11e3-ba1d-005056ba0d15',
'resource': 'res-a',
'action': 'act-a',
'value': 'val-a',
'condition': 'cond-a',
'role_id': ''
})
print permission.create({
'user_id': '',
'resource': 'res',
'action': 'act-r',
'value': 'val-r',
'condition': '',
'role_id': '3867c370-552f-43b8-bed9-6aa00ffc41b4'
})
print permission.find({
'user_id': '49d8bc68-f57e-11e3-ba1d-005056ba0d15',
'resource': 'account',
'action': '',
'value': '',
'condition': '',
'role_id': '',
'all': True
})
class PermissionController:
def __init__(self, connection):
self.connection = connection
from models.permission import Permission
from models.user_role import UserRole
self.permission = Permission(connection)
self.user_role = UserRole(connection)
from token_controller import TokenController
self.token_controller = TokenController(connection)
from user_role_controller import UserRoleController
self.user_role_controller = UserRoleController(connection)
def is_admin(self, user_id):
row = self.user_role.find({'user_id': user_id, 'role_id': ADMIN_ROLE_ID})
if len(row) > 0: return True
else: return False
def is_role_admin(self, user_id, role_id):
rows = self.user_role.find({'user_id': user_id, 'role_id': role_id})
if len(rows) > 0 and rows[0]['is_admin']: return True
else: return False
def are_permitted(self, access_token, params_list):
rows = self.token_controller.find(access_token)
user_id = rows[0]['user_id']
for params in params_list:
if not self.is_permitted(user_id, params): return False
return True
def is_permitted(self, user_id, params):
params['user_id'] = user_id
params['all'] = True
rows = self.permission.find(params)
print "permitted : %s" % rows
if len(rows) == 0: return False
for row in rows:
if not row.get('condition'): return True
if not params.get('parent'): return False # parent must be given because all permissions have conditions
# now check if the parent permissions include the given 'parent' value
for row in rows:
parent_params = json.loads(row['condition'])
parent_params['user_id'] = user_id
#parent_params['role_id'] = row['role_id']
parent_params['value'] = params['parent']
parent_params['all'] = True
parent_rows = self.permission.find(parent_params)
print "permitted parents : %s" % parent_rows
if len(parent_rows) == 0: return False #### TODO: not sure if all have to be true......
return True
def create(self, access_token, params):
rows = self.token_controller.find(access_token)
user_id = rows[0]['user_id']
if not self.is_admin(user_id): raise Exception("not permitted")
self.permission.create(params)
return True
def update(self, access_token, params):
raise Exception("not supported")
def delete(self, access_token, params):
rows = self.token_controller.find(access_token)
user_id = rows[0]['user_id']
if not self.is_admin(user_id): raise Exception("not permitted")
self.permission.delete(params)
return True
"""
1. find all of my permissions from access_token
2. find all permissions of given user if I'm the admin
3. find all permissions of given role if I'm the admin
4. find member's all permissions if I'm the role admin of the given role
5. find member's all permissions if I'm the role admin of any roles where the given user belongs
6. find member's all permissions if I'm the given user
"""
def find_all(self, access_token, params):
rows = self.token_controller.find(access_token)
user_id = rows[0]['user_id']
# return my permissions
if not params.get('user_id') and not params.get('role_id'):
params['user_id'] = user_id
return self.permission.find(params)
# return requested user/role's permissions if I'm an admin
if self.is_admin(user_id): return self.permission.find(params)
# return requested role's permissions if I'm a role admin
if params.get('role_id'):
if self.is_role_admin(user_id, params['role_id']): return self.permission.find(params)
else: raise Exception("not permitted")
if params.get('user_id'):
# return my permissions when the given user is me
if user_id == params['user_id']: return self.permission.find(params)
# return requested user's permissions if I'm a role admin of any roles the given user belongs
user_roles = self.user_role.find({'user_id': params['user_id']})
if len(user_roles) == 0: raise Exception("not permitted")
for user_role in user_roles:
if self.is_role_admin(user_id, user_role['role_id']): return self.permission.find(params)
raise Exception("not permitted")
def find_one(self, access_token, params):
raise Exception("not supported")