Пример #1
0
    def check_permissions(self, resource, method, user):
        if not user:
            return True

        # is the operation against the user record of the current user
        if request.view_args.get('_id') == str(user['_id']):
            # no user is allowed to delete their own user
            if method.lower() in('delete', 'put'):
                raise ForbiddenError
            else:
                return True

        # We allow all reads or if resource is prepopulate then allow all
        if method == 'GET' or resource == 'prepopulate':
            return True

        # We allow a user to patch activities as they may be marking it as read
        if method == 'PATCH' and resource == 'activity':
            return True

        # users should be able to change only their preferences
        if resource == 'preferences':
            session = get_resource_service('preferences').find_one(_id=request.view_args.get('_id'), req=None)
            return user['_id'] == session.get("user")

        # Get the list of privileges belonging to this user
        get_resource_service('users').set_privileges(user, flask.g.role)
        privileges = user.get('active_privileges', {})
        resource_privileges = get_resource_privileges(resource).get(method, None)
        if privileges.get(resource_privileges, False):
            return True

        # If we didn't return True so far then user is not authorized
        raise ForbiddenError()
Пример #2
0
    def check_permissions(self, resource, method, user):
        if not user:
            return True

        # is the operation against the user record of the current user
        if request.view_args.get('_id') == str(user['_id']):
            # no user is allowed to delete their own user
            if method.lower() in ('delete', 'put'):
                raise ForbiddenError
            else:
                return True

        # We allow all reads or if resource is prepopulate then allow all
        if method == 'GET' or resource == 'prepopulate':
            return True

        # users should be able to change only their preferences
        if resource == 'preferences':
            session = get_resource_service('preferences').find_one(
                _id=request.view_args.get('_id'), req=None)
            return user['_id'] == session.get("user")

        # Get the list of privileges belonging to this user
        get_resource_service('users').set_privileges(user, flask.g.role)
        privileges = user.get('active_privileges', {})
        resource_privileges = get_resource_privileges(resource).get(
            method, None)
        if privileges.get(resource_privileges, False):
            return True

        # If we didn't return True so far then user is not authorized
        raise ForbiddenError()
Пример #3
0
    def on_update(self, updates, original):
        """
        Overriding the method to prevent a user without 'User Management' privilege from changing a role.
        """

        if 'role' in updates and 'active_privileges' in flask.g.user:
            if not get_resource_privileges('users')['PATCH'] in flask.g.user['active_privileges']:
                raise SuperdeskApiError.forbiddenError("Insufficient privileges to change the role")
Пример #4
0
    def check_get_access_privilege(self):
        if not hasattr(g, 'user'):
            return

        privileges = g.user.get('active_privileges', {})
        resource_privileges = get_resource_privileges(self.datasource).get('GET', None)
        if privileges.get(resource_privileges, 0) == 0:
            raise SuperdeskApiError.forbiddenError()
Пример #5
0
    def check_permissions(self, resource, method, user):
        """Checks user permissions.

        1. If there's no user associated with the request or HTTP Method is GET then return True.
        2. Get User's Privileges
        3. Intrinsic Privileges:
            Check if resource has intrinsic privileges.
                If it has then check if HTTP Method is allowed.
                    Return True if `is_authorized()` on the resource service returns True.
                    Otherwise, raise ForbiddenError.
                HTTP Method not allowed continue
            No intrinsic privileges continue
        4. User's Privileges
            Get Resource Privileges and validate it against user's privileges. Return True if validation is successful.
            Otherwise continue.
        5. If method didn't return True, then user is not authorized to perform the requested operation on the resource.
        """

        # Step 1:
        if not user:
            return True

        # Step 2: Get User's Privileges
        get_resource_service("users").set_privileges(user, flask.g.role)

        if method == "GET":
            return True

        # Step 3: Intrinsic Privileges
        message = _("Insufficient privileges for the requested operation.")
        intrinsic_privileges = get_intrinsic_privileges()
        if intrinsic_privileges.get(
                resource) and method in intrinsic_privileges[resource]:
            service = get_resource_service(resource)
            authorized = service.is_authorized(
                user_id=str(user.get("_id")),
                _id=request.view_args.get("_id"),
                method=method)

            if not authorized:
                raise SuperdeskApiError.forbiddenError(message=message)

            return authorized

        # Step 4: User's privileges
        privileges = user.get("active_privileges", {})
        resource_privileges = get_resource_privileges(resource).get(
            method, None)

        if not resource_privileges and get_no_resource_privileges(resource):
            return True

        if privileges.get(resource_privileges, False):
            return True

        # Step 5:
        raise SuperdeskApiError.forbiddenError(message=message)
Пример #6
0
    def check_get_access_privilege(self):
        if not hasattr(g, 'user'):
            return

        privileges = g.user.get('active_privileges', {})
        resource_privileges = get_resource_privileges(self.datasource).get(
            'GET', None)
        if privileges.get(resource_privileges, 0) == 0:
            raise SuperdeskApiError.forbiddenError()
Пример #7
0
    def on_update(self, updates, original):
        """
        Overriding the method to prevent a user without 'User Management' privilege from changing a role.
        """

        if 'role' in updates and 'active_privileges' in flask.g.user:
            if not get_resource_privileges(
                    'users')['PATCH'] in flask.g.user['active_privileges']:
                raise SuperdeskApiError.forbiddenError(
                    "Insufficient privileges to change the role")
Пример #8
0
    def check_get_access_privilege(self):
        """
        Checks if user is authorized to perform get operation on Legal Archive resources. If authorized then request is
        forwarded otherwise throws forbidden error.

        :raises: SuperdeskApiError.forbiddenError() if user is unauthorized to access the Legal Archive resources.
        """

        if not hasattr(g, 'user'):
            return

        privileges = g.user.get('active_privileges', {})
        resource_privileges = get_resource_privileges(self.datasource).get('GET', None)
        if privileges.get(resource_privileges, 0) == 0:
            raise SuperdeskApiError.forbiddenError()
Пример #9
0
    def check_get_access_privilege(self):
        """Checks if user is authorized to perform get operation on Legal Archive resources.

        If authorized then request is
        forwarded otherwise throws forbidden error.

        :raises: SuperdeskApiError.forbiddenError() if user is unauthorized to access the Legal Archive resources.
        """

        if not hasattr(g, 'user'):
            return

        privileges = g.user.get('active_privileges', {})
        resource_privileges = get_resource_privileges(self.datasource).get('GET', None)
        if privileges.get(resource_privileges, 0) == 0:
            raise SuperdeskApiError.forbiddenError()
Пример #10
0
    def check_permissions(self, resource, method, user):
        """Checks user permissions.

        1. If there's no user associated with the request or HTTP Method is GET then return True.
        2. Get User's Privileges
        3. Intrinsic Privileges:
            Check if resource has intrinsic privileges.
                If it has then check if HTTP Method is allowed.
                    Return True if `is_authorized()` on the resource service returns True.
                    Otherwise, raise ForbiddenError.
                HTTP Method not allowed continue
            No intrinsic privileges continue
        4. User's Privileges
            Get Resource Privileges and validate it against user's privileges. Return True if validation is successful.
            Otherwise continue.
        5. If method didn't return True, then user is not authorized to perform the requested operation on the resource.
        """

        # Step 1:
        if not user:
            return True

        # Step 2: Get User's Privileges
        get_resource_service('users').set_privileges(user, flask.g.role)

        if method == 'GET':
            return True

        # Step 3: Intrinsic Privileges
        intrinsic_privileges = get_intrinsic_privileges()
        if intrinsic_privileges.get(resource) and method in intrinsic_privileges[resource]:
            service = get_resource_service(resource)
            authorized = service.is_authorized(user_id=str(user.get('_id')), _id=request.view_args.get('_id'))

            if not authorized:
                raise SuperdeskApiError.forbiddenError()

            return authorized

        # Step 4: User's privileges
        privileges = user.get('active_privileges', {})
        resource_privileges = get_resource_privileges(resource).get(method, None)
        if privileges.get(resource_privileges, False):
            return True

        # Step 5:
        raise SuperdeskApiError.forbiddenError()
Пример #11
0
    def can_unlock(self, item, user_id, resource):
        """
        Function checks whether user can unlock the item or not.
        """
        can_user_edit, error_message = superdesk.get_resource_service(resource).can_edit(item, user_id)

        if can_user_edit:
            resource_privileges = get_resource_privileges(resource).get('PATCH')

            if not (str(item.get(LOCK_USER, '')) == str(user_id) or
                    (current_user_has_privilege(resource_privileges) and
                    current_user_has_privilege('planning_unlock'))):
                return False, 'You don\'t have permissions to unlock an item.'
        else:
            return False, error_message

        return True, ''
Пример #12
0
    def check_permissions(self, resource, method, user):
        """
        1. If there's no user associated with the request or HTTP Method is GET then return True.
        2. Get User's Privileges
        3. Intrinsic Privileges:
            Check if resource has intrinsic privileges.
                If it has then check if HTTP Method is allowed.
                    Return True if `is_authorized()` on the resource service returns True.
                    Otherwise, raise ForbiddenError.
                HTTP Method not allowed continue
            No intrinsic privileges continue
        4. User's Privileges
            Get Resource Privileges and validate it against user's privileges. Return True if validation is successful.
            Otherwise continue.
        5. If method didn't return True, then user is not authorized to perform the requested operation on the resource.
        """

        # Step 1:
        if method == 'GET' or not user:
            return True

        # Step 2: Get User's Privileges
        get_resource_service('users').set_privileges(user, flask.g.role)

        # Step 3: Intrinsic Privileges
        intrinsic_privileges = get_intrinsic_privileges()
        if intrinsic_privileges.get(
                resource) and method in intrinsic_privileges[resource]:
            authorized = get_resource_service(resource).is_authorized(
                user_id=request.view_args.get('_id'))

            if not authorized:
                raise SuperdeskApiError.forbiddenError()

            return authorized

        # Step 4: User's privileges
        privileges = user.get('active_privileges', {})
        resource_privileges = get_resource_privileges(resource).get(
            method, None)
        if privileges.get(resource_privileges, False):
            return True

        # Step 5:
        raise SuperdeskApiError.forbiddenError()
Пример #13
0
    def check_auth(self, token, allowed_roles, resource, method):
        """
        This function is called to check if a token is valid. Must be
        overridden with custom logic.

        :param token: token.
        :param allowed_roles: allowed user roles.
        :param resource: resource being requested.
        :param method: HTTP method being executed (POST, GET, etc.)
        """

        if not app.config.get('AUTH_SERVER_SHARED_SECRET'):
            return False

        # decode jwt
        try:
            decoded_jwt = jwt.decode(
                token,
                key=app.config.get('AUTH_SERVER_SHARED_SECRET')
            )
            decoded_jwt.validate_exp(now=time(), leeway=0)
        except (BadSignatureError, ExpiredTokenError, DecodeError):
            return False

        # authorization
        resource_privileges = get_resource_privileges(resource).get(method, None)
        if resource_privileges not in decoded_jwt.get('scope', []):
            abort(
                make_response(
                    jsonify({
                        "_status": "ERR",
                        "_error": {
                            "code": 403,
                            "message": "Invalid scope"
                        }
                    }),
                    403
                )
            )

        return True
Пример #14
0
    def is_authorized(self, **kwargs) -> bool:
        """
        Check auth for intrinsic methods.
        """
        method = kwargs["method"]
        user = auth.get_user()

        # delete token is a part of `users` privelege
        # user with `users` privelege can delete sessions of any user
        # user without `users` privelege can delete only it's own session (logout)
        if method == "DELETE":
            _auth = self.find_one(req=None, _id=kwargs.get("_id"))
            if _auth and _auth.get("user") == user.get("_id"):
                return True

            active_privileges = user.get("active_privileges", {})
            users_resource_privileges = get_resource_privileges("users").get(
                method, None)
            return active_privileges.get(users_resource_privileges, False)

        return True