def _check_groups(*args, **kwargs):
request = _find_httprequest(args)
mrp = request.mozreview_profile
if not mrp:
# This should never happen since webapi_login_required
# should mean they are authenticated and our middleware
# has added the profile to the request. Check it just
# to make sure nothing went wrong with the middleware.
logger.error(
'No MozReviewUserProfile for authenticated user: %s',
request.user.id)
return PERMISSION_DENIED
if not mrp.ldap_username:
logger.info(
'No ldap_username for user: %s when '
'attempting to access protected resource', request.user.id)
return PERMISSION_DENIED.with_message(
'You are not associated with an ldap account')
for group in groups:
if not mrp.has_scm_ldap_group(group):
logger.info(
'Missing group membership for user: %s '
'when attempting to access protected '
'resource', request.user.id)
return PERMISSION_DENIED.with_message(
'You do not have the required ldap permissions')
return view_func(*args, **kwargs)
def _check(*args, **kwargs):
request = _find_httprequest(args)
local_site_name = kwargs.get('local_site_name', None)
webapi_token = getattr(request, '_webapi_token', None)
if webapi_token:
restrict_to_local_site = request._webapi_token.local_site_id
else:
restrict_to_local_site = None
if local_site_name:
local_site = get_object_or_none(LocalSite, name=local_site_name)
if not local_site:
return DOES_NOT_EXIST
elif not local_site.is_accessible_by(request.user):
if request.user.is_authenticated():
return PERMISSION_DENIED
else:
return NOT_LOGGED_IN
elif (restrict_to_local_site and
restrict_to_local_site != local_site.pk):
return PERMISSION_DENIED
kwargs['local_site'] = local_site
elif restrict_to_local_site is not None:
return PERMISSION_DENIED
else:
kwargs['local_site'] = None
return view_func(*args, **kwargs)
def _check(*args, **kwargs):
request = _find_httprequest(args)
local_site_name = kwargs.get('local_site_name', None)
webapi_token = getattr(request, '_webapi_token', None)
if webapi_token:
restrict_to_local_site = request._webapi_token.local_site_id
else:
restrict_to_local_site = None
if local_site_name:
local_site = get_object_or_none(LocalSite, name=local_site_name)
if not local_site:
return DOES_NOT_EXIST
elif not local_site.is_accessible_by(request.user):
if request.user.is_authenticated():
return PERMISSION_DENIED
else:
return NOT_LOGGED_IN
elif (restrict_to_local_site
and restrict_to_local_site != local_site.pk):
return PERMISSION_DENIED
elif restrict_to_local_site is not None:
return PERMISSION_DENIED
return view_func(*args, **kwargs)
def _check(*args, **kwargs):
siteconfig = SiteConfiguration.objects.get_current()
request = _find_httprequest(args)
if (siteconfig.get("auth_require_sitewide_login") or
(request.user.is_anonymous() and
'HTTP_AUTHORIZATION' in request.META)):
return webapi_login_required(view_func)(*args, **kwargs)
else:
return view_func(*args, **kwargs)
def _check(*args, **kwargs):
request = _find_httprequest(args)
local_site_name = kwargs.get('local_site_name', None)
if local_site_name:
try:
local_site = LocalSite.objects.get(name=local_site_name)
if not local_site.is_accessible_by(request.user):
return WebAPIResponseError(request, PERMISSION_DENIED)
except LocalSite.DoesNotExist:
return WebAPIResponseError(request, DOES_NOT_EXIST)
return view_func(*args, **kwargs)
def _check(*args, **kwargs):
request = _find_httprequest(args)
local_site_name = kwargs.get('local_site_name', None)
if local_site_name:
try:
local_site = LocalSite.objects.get(name=local_site_name)
if not local_site.is_accessible_by(request.user):
if request.user.is_authenticated():
return PERMISSION_DENIED
else:
return NOT_LOGGED_IN
except LocalSite.DoesNotExist:
return DOES_NOT_EXIST
return view_func(*args, **kwargs)
def _check(*args, **kwargs):
request = _find_httprequest(args)
local_site_name = kwargs.get('local_site_name', None)
if local_site_name:
try:
local_site = LocalSite.objects.get(name=local_site_name)
if not local_site.is_accessible_by(request.user):
if request.user.is_authenticated():
return PERMISSION_DENIED
else:
return NOT_LOGGED_IN
except LocalSite.DoesNotExist:
return DOES_NOT_EXIST
return view_func(*args, **kwargs)
def _check(*args, **kwargs):
request = _find_httprequest(args)
local_site_name = kwargs.get('local_site_name', None)
webapi_token = getattr(request, '_webapi_token', None)
if webapi_token:
restrict_to_local_site = request._webapi_token.local_site_id
else:
restrict_to_local_site = None
if local_site_name:
local_site = get_object_or_none(LocalSite, name=local_site_name)
if not local_site:
return DOES_NOT_EXIST
elif not local_site.is_accessible_by(request.user):
if request.user.is_authenticated():
logging.warning('%s %s: user %s does not have access to '
'local site "%s".',
request.method, request.path_info,
request.user.username, local_site_name)
return PERMISSION_DENIED
else:
return NOT_LOGGED_IN
elif (restrict_to_local_site and
restrict_to_local_site != local_site.pk):
logging.warning('%s %s: API token for user %s does not have '
'access to local site "%s".',
request.method, request.path_info,
request.user.username, local_site_name)
return PERMISSION_DENIED
kwargs['local_site'] = local_site
elif restrict_to_local_site is not None:
logging.warning('%s %s: API token for user %s is limited to a '
'local site but the request was for the root.',
request.method, request.path_info,
request.user.username)
return PERMISSION_DENIED
else:
kwargs['local_site'] = None
return view_func(*args, **kwargs)
def _check_groups(*args, **kwargs):
request = _find_httprequest(args)
mrp = request.mozreview_profile
if not mrp:
# This should never happen since webapi_login_required
# should mean they are authenticated and our middleware
# has added the profile to the request. Check it just
# to make sure nothing went wrong with the middleware.
logging.error('No MozReviewUserProfile for authenticated user')
return PERMISSION_DENIED
if not mrp.ldap_username:
return PERMISSION_DENIED.with_message(
'You are not associated with an ldap account')
for group in groups:
if not mrp.has_scm_ldap_group(group):
return PERMISSION_DENIED.with_message(
'You do not have the required ldap permissions')
return view_func(*args, **kwargs)
def _check(*args, **kwargs):
request = _find_httprequest(args)
local_site_name = kwargs.get('local_site_name', None)
webapi_token = getattr(request, '_webapi_token', None)
oauth_token = getattr(request, '_oauth2_token', None)
if webapi_token:
restrict_to_local_site = request._webapi_token.local_site_id
token_type = 'API'
elif oauth_token:
restrict_to_local_site = oauth_token.application.local_site_id
token_type = 'OAuth'
else:
restrict_to_local_site = None
token_type = None
if local_site_name:
local_site = get_object_or_none(LocalSite, name=local_site_name)
if not local_site:
return DOES_NOT_EXIST
elif not local_site.is_accessible_by(request.user):
if request.user.is_authenticated:
logger.warning(
'User does not have access to local site.',
request=request,
)
return PERMISSION_DENIED
else:
return NOT_LOGGED_IN
elif oauth_token and not oauth_token.application.enabled:
logger.warning(
'OAuth token using disabled application "%s" (%d).',
oauth_token.application.name,
oauth_token.application.pk,
request=request,
)
return PERMISSION_DENIED
elif oauth_token and not restrict_to_local_site:
# OAuth tokens for applications on the global site cannot be
# used on a local site.
logger.warning(
'OAuth token is for root, not local site.',
request=request,
)
return PERMISSION_DENIED
elif (restrict_to_local_site
and restrict_to_local_site != local_site.pk):
logger.warning(
'%s token does not have access to local site.',
token_type,
request=request,
)
return PERMISSION_DENIED
kwargs['local_site'] = local_site
elif restrict_to_local_site is not None:
logger.warning(
'%s token is limited to a local site but the request was for '
'the root.',
token_type,
request=request,
)
return PERMISSION_DENIED
else:
kwargs['local_site'] = None
return view_func(*args, **kwargs)
def _check(*args, **kwargs):
request = _find_httprequest(args)
local_site_name = kwargs.get('local_site_name', None)
webapi_token = getattr(request, '_webapi_token', None)
oauth_token = getattr(request, '_oauth2_token', None)
if webapi_token:
restrict_to_local_site = request._webapi_token.local_site_id
token_type = 'API'
elif oauth_token:
restrict_to_local_site = oauth_token.application.local_site_id
token_type = 'OAuth'
else:
restrict_to_local_site = None
token_type = None
if local_site_name:
local_site = get_object_or_none(LocalSite, name=local_site_name)
if not local_site:
return DOES_NOT_EXIST
elif not local_site.is_accessible_by(request.user):
if request.user.is_authenticated():
logging.warning(
'User does not have access to local site.',
request=request,
)
return PERMISSION_DENIED
else:
return NOT_LOGGED_IN
elif oauth_token and not oauth_token.application.enabled:
logging.warning(
'OAuth token using disabled application "%s" (%d).',
oauth_token.application.name,
oauth_token.application.pk,
request=request,
)
return PERMISSION_DENIED
elif oauth_token and not restrict_to_local_site:
# OAuth tokens for applications on the global site cannot be
# used on a local site.
logging.warning(
'OAuth token is for root, not local site.',
request=request,
)
return PERMISSION_DENIED
elif (restrict_to_local_site and
restrict_to_local_site != local_site.pk):
logging.warning(
'%s token does not have access to local site.',
token_type,
request=request,
)
return PERMISSION_DENIED
kwargs['local_site'] = local_site
elif restrict_to_local_site is not None:
logging.warning(
'%s token is limited to a local site but the request was for '
'the root.',
token_type,
request=request,
)
return PERMISSION_DENIED
else:
kwargs['local_site'] = None
return view_func(*args, **kwargs)
