def check_availability_of_auto_approving(items, user, project): if user.is_staff: return True # Skip approval of private offering for project users if all(item.offering.is_private for item in items): return structure_permissions._has_admin_access(user, project) # Skip approval of public offering belonging to the same organization under which the request is done if all( item.offering.shared and item.offering.customer == project.customer and item.offering.plugin_options.get( 'auto_approve_in_service_provider_projects' ) is True for item in items ): return True # Service provider is not required to approve termination order if ( len(items) == 1 and items[0].type == models.OrderItem.Types.TERMINATE and structure_permissions._has_owner_access(user, items[0].offering.customer) ): return True return user_can_approve_order(user, project)
def check_project_permissions(self, attrs): if self.instance: project = self.instance.project else: project = attrs['instance'].service_project_link.project if not structure_permissions._has_admin_access(self.context['request'].user, project): raise exceptions.PermissionDenied()
def test_if_project_customer_has_been_changed_then_users_permissions_must_be_deleted( self, ): self.fixture.admin self.change_customer() self.assertFalse( permissions._has_admin_access(self.fixture.admin, self.project) )
def _validate_service_project_link(self, spl): """ Administrator can create tenant only using not shared service settings """ user = self.context['request'].user message = _('You do not have permissions to create tenant in this project using selected service.') if spl.service.settings.shared and not user.is_staff: raise serializers.ValidationError(message) if not spl.service.settings.shared and not structure_permissions._has_admin_access(user, spl.project): raise serializers.ValidationError(message) return spl
def remove_ssh_key_from_tenants(sender, structure, user, role, **kwargs): """ Delete user ssh keys from tenants that he does not have access now. """ tenants = Tenant.objects.filter(**{sender.__name__.lower(): structure}) ssh_keys = core_models.SshPublicKey.objects.filter(user=user) for tenant in tenants: if structure_permissions._has_admin_access(user, tenant.project): continue # no need to delete ssh keys if user still have permissions for tenant. serialized_tenant = core_utils.serialize_instance(tenant) for key in ssh_keys: core_tasks.BackendMethodTask().delay(serialized_tenant, 'remove_ssh_key_from_tenant', key.name, key.fingerprint)
def user_can_terminate_resource(request, view, resource=None): if not resource: return # Project manager/admin and customer owner are allowed to terminate resource. if structure_permissions._has_admin_access(request.user, resource.project): return # Service provider is allowed to terminate resource too. if structure_permissions._has_owner_access(request.user, resource.offering.customer): return raise exceptions.PermissionDenied()
def remove_ssh_key_from_all_tenants_on_it_deletion(sender, instance, **kwargs): """ Delete key from all tenants that are accessible for user on key deletion. """ ssh_key = instance user = ssh_key.user tenants = structure_filters.filter_queryset_for_user( Tenant.objects.all(), user) for tenant in tenants: if not structure_permissions._has_admin_access(user, tenant.project): continue serialized_tenant = core_utils.serialize_instance(tenant) core_tasks.BackendMethodTask().delay(serialized_tenant, 'remove_ssh_key_from_tenant', ssh_key.name, ssh_key.fingerprint)
def check_availability_of_auto_approving(items, user, project): if user.is_staff: return True # Skip approval of private offering for project users if all(item.offering.is_private for item in items): return structure_permissions._has_admin_access(user, project) # Service provider is not required to approve termination order if (len(items) == 1 and items[0].type == models.OrderItem.Types.TERMINATE and structure_permissions._has_owner_access(user, items[0].offering.customer)): return True return user_can_approve_order(user, project)
def user_can_reject_order(request, view, order=None): if not order: return user = request.user if user.is_staff: return if user == order.created_by: return if structure_permissions._has_admin_access(user, order.project): return raise exceptions.PermissionDenied()
def user_can_approve_order(user, project): if user.is_staff: return True if django_settings.WALDUR_MARKETPLACE['OWNER_CAN_APPROVE_ORDER'] and \ structure_permissions._has_owner_access(user, project.customer): return True if django_settings.WALDUR_MARKETPLACE['MANAGER_CAN_APPROVE_ORDER'] and \ structure_permissions._has_manager_access(user, project): return True if django_settings.WALDUR_MARKETPLACE['ADMIN_CAN_APPROVE_ORDER'] and \ structure_permissions._has_admin_access(user, project): return True return False
def user_can_terminate_resource(request, view, resource=None): if not resource: return # Allow to terminate resource in soft-deleted project project = structure_models.Project.all_objects.get(id=resource.project_id) # Project manager/admin and customer owner are allowed to terminate resource. if structure_permissions._has_admin_access(request.user, project): return # Service provider is allowed to terminate resource too. if structure_permissions._has_owner_access(request.user, resource.offering.customer): return raise exceptions.PermissionDenied()
def check_permissions_for_state_change(request, view, order=None): if not order: return user = request.user if user.is_staff: return if settings.WALDUR_MARKETPLACE['OWNER_CAN_APPROVE_ORDER'] and \ structure_permissions._has_owner_access(user, order.project.customer): return if settings.WALDUR_MARKETPLACE['MANAGER_CAN_APPROVE_ORDER'] and \ structure_permissions._has_manager_access(user, order.project): return if settings.WALDUR_MARKETPLACE['ADMIN_CAN_APPROVE_ORDER'] and \ structure_permissions._has_admin_access(user, order.project): return raise rf_exceptions.PermissionDenied()