示例#1
0
 def __init__(self, user_or_group=None):
     """
     :param user_or_group: should be an ``User``, ``AnonymousUser`` or
       ``Group`` instance
     """
     self.user, self.group = get_identity(user_or_group)
     self._obj_perms_cache = {}
示例#2
0
    def __init__(self, user_or_group=None):
        """
        Constructor for ObjectPermissionChecker.

        :param user_or_group: should be an ``User``, ``AnonymousUser`` or
          ``Group`` instance
        """
        self.user, self.group = get_identity(user_or_group)
        self._obj_perms_cache = {}
示例#3
0
def get_user_group_perms(user_or_group, obj):
    """Get permissins for user groups.

    Based on guardian.core.ObjectPermissionChecker.

    """
    user, group = get_identity(user_or_group)

    if user and not user.is_active:
        return [], []
    user_model = get_user_model()
    ctype = ContentType.objects.get_for_model(obj)

    group_model = get_group_obj_perms_model(obj)
    group_rel_name = group_model.permission.field.related_query_name()
    if user:
        user_rel_name = user_model.groups.field.related_query_name()
        group_filters = {user_rel_name: user}
    else:
        group_filters = {'pk': group.pk}
    if group_model.objects.is_generic():
        group_filters.update({
            '{}__content_type'.format(group_rel_name): ctype,
            '{}__object_pk'.format(group_rel_name): obj.pk,
        })
    else:
        group_filters['{}__content_object'.format(group_rel_name)] = obj

    user_perms, group_perms = [], []

    if user:
        perms_qs = Permission.objects.filter(content_type=ctype)
        if user.is_superuser:
            user_perms = list(chain(perms_qs.values_list("codename", flat=True)))
        else:
            model = get_user_obj_perms_model(obj)
            related_name = model.permission.field.related_query_name()
            user_filters = {'{}__user'.format(related_name): user}
            if model.objects.is_generic():
                user_filters.update({
                    '{}__content_type'.format(related_name): ctype,
                    '{}__object_pk'.format(related_name): obj.pk,
                })
            else:
                user_filters['{}__content_object'.format(related_name)] = obj

            user_perms_qs = perms_qs.filter(**user_filters)
            user_perms = list(chain(user_perms_qs.values_list("codename", flat=True)))

    group_perms_qs = Group.objects.filter(**group_filters)
    group_perms = list(chain(group_perms_qs.order_by("pk").values_list(
        "pk", "name", "{}__permission__codename".format(group_rel_name))))

    group_perms = _group_groups(group_perms)

    return user_perms, group_perms
示例#4
0
def get_user_group_perms(user_or_group, obj):
    user, group = get_identity(user_or_group)

    if user and not user.is_active:
        return [], []
    User = get_user_model()
    ctype = ContentType.objects.get_for_model(obj)

    group_model = get_group_obj_perms_model(obj)
    group_rel_name = group_model.permission.field.related_query_name()
    if user:
        fieldname = '%s__group__%s' % (
            group_rel_name,
            User.groups.field.related_query_name(),
        )
        group_filters = {fieldname: user}
    else:
        group_filters = {'%s__group' % group_rel_name: group}
    if group_model.objects.is_generic():
        group_filters.update({
            '%s__content_type' % group_rel_name: ctype,
            '%s__object_pk' % group_rel_name: obj.pk,
        })
    else:
        group_filters['%s__content_object' % group_rel_name] = obj

    user_perms = []
    group_perms = []

    if user and user.is_superuser:
        user_perms = list(chain(*Permission.objects
                                .filter(content_type=ctype)
                                .values_list("codename")))
    elif user:
        model = get_user_obj_perms_model(obj)
        related_name = model.permission.field.related_query_name()
        user_filters = {'%s__user' % related_name: user}
        if model.objects.is_generic():
            user_filters.update({
                '%s__content_type' % related_name: ctype,
                '%s__object_pk' % related_name: obj.pk,
            })
        else:
            user_filters['%s__content_object' % related_name] = obj
        perms_qs = Permission.objects.filter(content_type=ctype)
        user_perms_qs = perms_qs.filter(**user_filters)
        user_perms = user_perms_qs.values_list("codename", flat=True)
        group_perms_qs = perms_qs.filter(**group_filters)
        group_perms = group_perms_qs.values_list("codename", flat=True)
    else:
        user_perms = list(set(chain(*Permission.objects
                                    .filter(content_type=ctype)
                                    .filter(**group_filters)
                                    .values_list("codename"))))

    return user_perms, group_perms
示例#5
0
def remove_perm(perm, user_or_group=None, obj=None):
    """
    Removes permission from user/group and object pair.
    """
    perm = perm.split('.')[-1]
    user, group = get_identity(user_or_group)
    if user:
        UserObjectPermission.objects.remove_perm(perm, user, obj)
    if group:
        GroupObjectPermission.objects.remove_perm(perm, group, obj)
示例#6
0
def bulk_add_perms(perms, user_or_group, objects):
	"""
	Adds permissions in bulk.
	:param perms single Permission or list of Permissions
	:param user_or_group, django.contrib.auth.models User or Group object
	:param group single, list, tuple or queryset of objects (same type)
	NB!!! ONLY TESTED IN POSTGRESQL
	"""
	if not isinstance(perms, (types.ListType, types.TupleType)):
		perms = [perms]
	if not isinstance(objects, (types.ListType, types.TupleType)) and not isinstance(objects, QuerySet):
		objects = [objects]
	
	if len(objects) == 0:
		return
	
	user, group = get_identity(user_or_group)
	ctype = ContentType.objects.get_for_model(objects[0])
	permissions = Permission.objects.filter(content_type = ctype, codename__in = perms)
	objects = [str(object.pk) for object in objects]
	permissions_ids = [perm.id for perm in permissions]
	
	sql_values_list = []

	if user:
		dict = {'column':'user_id',
				'table' : 'guardian_userobjectpermission' }
		target_id = str(user.id)
		
	if group:
		dict = {'column':'group_id',
				'table' : 'guardian_groupobjectpermission' }
		target_id = str(group.id) 

	for permission_id in permissions_ids:
		for obj_pk in objects:
			sql_values_list.append("SELECT %s, %s, '%s', %s " % (permission_id, str(ctype.id), obj_pk, target_id))
	
	sql_values = 'UNION ALL '.join(sql_values_list)
	
	dict['sql_values'] = sql_values
	dict['str_permission_ids'] = str(permissions_ids).replace('[','').replace(']','')
	dict['str_object_pks'] = str(objects).replace('[','').replace(']','')
	dict['target_id'] = target_id

	sql = "INSERT INTO %(table)s (permission_id, content_type_id, object_pk, %(column)s)" % dict
	sql += " (%(sql_values)s" % dict
	sql += "EXCEPT SELECT permission_id,content_type_id, object_pk, %(column)s from %(table)s" % dict
	sql += " WHERE permission_id in (%(str_permission_ids)s) and object_pk in (%(str_object_pks)s) and %(column)s = %(target_id)s" % dict
	sql += ")"

	from django.db import connection, transaction
	with transaction.commit_on_success():
		cursor = connection.cursor()
		cursor.execute(sql)
示例#7
0
    def __init__(self, user_or_group=None, direct_perms_only=False):
        """
        :param user_or_group: should be an ``User``, ``AnonymousUser`` or
          ``Group`` instance

        :param direct_perms_only: If set to ``True`` and ``user_or_group`` is a
          ``User`` instance, only consider permissions assigned directly to the
          user, not those coming via user's superuser status or group
          memberships.
        """
        self.user, self.group = get_identity(user_or_group)
        self._obj_perms_cache = {}
        self._direct_perms_only = direct_perms_only if self.user else False
示例#8
0
def remove_perm(perm, user_or_group=None, obj=None):
    """
    Removes permission from user/group and object pair.

    :param perm: proper permission for given ``obj``, as string (in format:
      ``app_label.codename`` or ``codename``). If ``obj`` is not given, must
      be in format ``app_label.codename``.

    :param user_or_group: instance of ``User``, ``AnonymousUser`` or ``Group``;
      passing any other object would raise
      ``guardian.exceptions.NotUserNorGroup`` exception

    :param obj: persisted Django's ``Model`` instance or QuerySet of Django
      ``Model`` instances or ``None`` if assigning global permission.
      Default is ``None``.

    """
    user, group = get_identity(user_or_group)
    if obj is None:
        try:
            app_label, codename = perm.split('.', 1)
        except ValueError:
            raise ValueError("For global permissions, first argument must be in"
                             " format: 'app_label.codename' (is %r)" % perm)
        perm = Permission.objects.get(content_type__app_label=app_label,
                                      codename=codename)
        if user:
            user.user_permissions.remove(perm)
            return
        elif group:
            group.permissions.remove(perm)
            return

    if not isinstance(perm, Permission):
        perm = perm.split('.')[-1]

    if isinstance(obj, QuerySet):
        if user:
            model = get_user_obj_perms_model(obj.model)
            return model.objects.bulk_remove_perm(perm, user, obj)
        if group:
            model = get_group_obj_perms_model(obj.model)
            return model.objects.bulk_remove_perm(perm, group, obj)

    if user:
        model = get_user_obj_perms_model(obj)
        return model.objects.remove_perm(perm, user, obj)

    if group:
        model = get_group_obj_perms_model(obj)
        return model.objects.remove_perm(perm, group, obj)
示例#9
0
def assign(perm, user_or_group, obj):
    """
    Assigns permission to user/group and object pair.

    :param perm: proper permission for given ``obj``, as string (*codename*)

    :param user_or_group: instance of ``User``, ``AnonymousUser`` or ``Group``;
      passing any other object would raise
      ``guardian.exceptions.NotUserNorGroup`` exception

    :param obj: persisted Django's ``Model`` instance

    We can assign permission for ``Model`` instance for specific user:

    >>> from django.contrib.sites.models import Site
    >>> from django.contrib.auth.models import User, Group
    >>> from guardian.shortcuts import assign
    >>> site = Site.objects.get_current()
    >>> user = User.objects.create(username='******')
    >>> assign("change_site", user, site)
    <UserObjectPermission: example.com | joe | change_site>
    >>> user.has_perm("change_site", site)
    True

    ... or we can assign permission for group:

    >>> group = Group.objects.create(name='joe-group')
    >>> user.groups.add(group)
    >>> assign("delete_site", group, site)
    <GroupObjectPermission: example.com | joe-group | delete_site>
    >>> user.has_perm("delete_site", site)
    True

    """

    perm = perm.split('.')[-1]
    user, group = get_identity(user_or_group)
    if user:
        return UserObjectPermission.objects.assign(perm, user, obj)
    if group:
        return GroupObjectPermission.objects.assign(perm, group, obj)
def remove_perm(perm, user_or_group=None, obj=None):
    """
    Removes permission from user/group and object pair.

    :param perm: proper permission for given ``obj``, as string (in format:
      ``app_label.codename`` or ``codename``). If ``obj`` is not given, must
      be in format ``app_label.codename``.

    :param user_or_group: instance of ``User``, ``AnonymousUser`` or ``Group``;
      passing any other object would raise
      ``guardian.exceptions.NotUserNorGroup`` exception

    :param obj: persisted Django's ``Model`` instance or ``None`` if assigning
      global permission. Default is ``None``.

    """
    user, group = get_identity(user_or_group)
    if obj is None:
        try:
            app_label, codename = perm.split('.', 1)
        except ValueError:
            raise ValueError("For global permissions, first argument must be in"
                " format: 'app_label.codename' (is %r)" % perm) 
        if user:
            user_perm_list = UserPermissionList.objects.get(user=user)
            user_perm_list.permission_list.remove(perm)
            user_perm_list.save()
            return
        elif group:
            group_perm_list = GroupPermissionList.objects.get(group=group)
            group_perm_list.permission_list.remove(perm)
            group_perm_list.save()
            return
    perm = perm.split('.')[-1]
    if user:
        UserObjectPermission.objects.remove_perm(perm, user, obj)
    if group:
        GroupObjectPermission.objects.remove_perm(perm, group, obj)
示例#11
0
def remove_perm(perm, user_or_group=None, obj=None):
    """
    Removes permission from user/group and object pair.

    :param perm: proper permission for given ``obj``, as string (in format:
      ``app_label.codename`` or ``codename``). If ``obj`` is not given, must
      be in format ``app_label.codename``.

    :param user_or_group: instance of ``User``, ``AnonymousUser`` or ``Group``;
      passing any other object would raise
      ``guardian.exceptions.NotUserNorGroup`` exception

    :param obj: persisted Django's ``Model`` instance or ``None`` if assigning
      global permission. Default is ``None``.

    """
    user, group = get_identity(user_or_group)
    if obj is None:
        try:
            app_label, codename = perm.split('.', 1)
        except ValueError:
            raise ValueError("For global permissions, first argument must be in"
                " format: 'app_label.codename' (is %r)" % perm)
        perm = Permission.objects.get(content_type__app_label=app_label,
            codename=codename)
        if user:
            user.user_permissions.remove(perm)
            return
        elif group:
            group.permissions.remove(perm)
            return
    perm = perm.split('.')[-1]
    if user:
        model = get_user_obj_perms_model(obj)
        model.objects.remove_perm(perm, user, obj)
    if group:
        model = get_group_obj_perms_model(obj)
        model.objects.remove_perm(perm, group, obj)
示例#12
0
def bulk_remove_perms(perms, user_or_group, objects):
	"""
	Deletes permissions in bulk.
	:param perms single Permission or list of Permissions
	:param user_or_group, django.contrib.auth.models User or Group object
	:param group single, list, tuple or queryset of objects (same type)
	"""
	if not isinstance(perms, (types.ListType, types.TupleType)):
		perms = list(perms)
	if not isinstance(objects, (types.ListType, types.TupleType)) and not isinstance(objects, QuerySet):
		objects = list(objects)
	
	if len(objects) == 0:
		return
	
	user, group = get_identity(user_or_group)
	ctype = ContentType.objects.get_for_model(objects[0])
	objects = [object.pk for object in objects]

	if user:
		UserObjectPermission.objects.filter(permission__codename__in = perms, user = user, object_pk__in = objects, content_type = ctype).delete()
	if group:
		GroupObjectPermission.objects.filter(permission__codename__in = perms, group = group, object_pk__in = objects, content_type = ctype).delete()
 def test_multiple_user_list(self):
     user, group = get_identity([self.user])
     self.assertIsInstance(user, list)
     self.assertIsNone(group)
示例#14
0
def get_user_group_perms(user_or_group, obj):
    """Get permissins for user groups.

    Based on guardian.core.ObjectPermissionChecker.

    """
    user, group = get_identity(user_or_group)

    if user and not user.is_active:
        return [], []
    user_model = get_user_model()
    ctype = ContentType.objects.get_for_model(obj)

    group_model = get_group_obj_perms_model(obj)
    group_rel_name = group_model.permission.field.related_query_name()  # pylint: disable=no-member
    if user:
        user_rel_name = user_model.groups.field.related_query_name()  # pylint: disable=no-member
        group_filters = {user_rel_name: user}
    else:
        group_filters = {'pk': group.pk}
    if group_model.objects.is_generic():
        group_filters.update({
            '{}__content_type'.format(group_rel_name): ctype,
            '{}__object_pk'.format(group_rel_name): obj.pk,
        })
    else:
        group_filters['{}__content_object'.format(group_rel_name)] = obj

    user_perms, group_perms = [], []

    if user:
        perms_qs = Permission.objects.filter(content_type=ctype)
        if user.is_superuser:
            user_perms = list(
                chain(perms_qs.values_list("codename", flat=True)))
        else:
            model = get_user_obj_perms_model(obj)
            related_name = model.permission.field.related_query_name()  # pylint: disable=no-member
            user_filters = {'{}__user'.format(related_name): user}
            if model.objects.is_generic():
                user_filters.update({
                    '{}__content_type'.format(related_name):
                    ctype,
                    '{}__object_pk'.format(related_name):
                    obj.pk,
                })
            else:
                user_filters['{}__content_object'.format(related_name)] = obj

            user_perms_qs = perms_qs.filter(**user_filters)
            user_perms = list(
                chain(user_perms_qs.values_list("codename", flat=True)))

    group_perms_qs = Group.objects.filter(**group_filters)
    group_perms = list(
        chain(
            group_perms_qs.order_by("pk").values_list(
                "pk", "name",
                "{}__permission__codename".format(group_rel_name))))

    group_perms = _group_groups(group_perms)

    return user_perms, group_perms
def assign_perm(perm, user_or_group, obj=None):
    """
    Assigns permission to user/group and object pair.

    :param perm: proper permission for given ``obj``, as string (in format:
      ``app_label.codename`` or ``codename``). If ``obj`` is not given, must
      be in format ``app_label.codename``.

    :param user_or_group: instance of ``User``, ``AnonymousUser`` or ``Group``;
      passing any other object would raise
      ``guardian.exceptions.NotUserNorGroup`` exception

    :param obj: persisted Django's ``Model`` instance or ``None`` if assigning
      global permission. Default is ``None``.

    We can assign permission for ``Model`` instance for specific user:

    >>> from django.contrib.sites.models import Site
    >>> from guardian.models import User
    >>> from guardian.shortcuts import assign_perm
    >>> site = Site.objects.get_current()
    >>> user = User.objects.create(username='******')
    >>> assign_perm("change_site", user, site)
    <UserObjectPermission: example.com | joe | change_site>
    >>> user.has_perm("change_site", site)
    True

    ... or we can assign permission for group:

    >>> group = Group.objects.create(name='joe-group')
    >>> user.groups.add(group)
    >>> assign_perm("delete_site", group, site)
    <GroupObjectPermission: example.com | joe-group | delete_site>
    >>> user.has_perm("delete_site", site)
    True

    **Global permissions**

    This function may also be used to assign standard, *global* permissions if
    ``obj`` parameter is omitted. Added Permission would be returned in that
    case:

    >>> assign_perm("sites.change_site", user)
    <Permission: sites | site | Can change site>

    """

    user, group = get_identity(user_or_group)
    # If obj is None we try to operate on global permissions
    if obj is None:
        try:
            app_label, codename = perm.split('.', 1)
        except ValueError:
            raise ValueError("For global permissions, first argument must be in"
                " format: 'app_label.codename' (is %r)" % perm)
        perm = Permission.objects.get(content_type__app_label=app_label,
            codename=codename)
        if user:
            user.user_permissions.add(perm)
            return perm
        if group:
            group.permissions.add(perm)
            return perm
    perm = perm.split('.')[-1]
    if user:
        model = get_user_obj_perms_model(obj)
        return model.objects.assign_perm(perm, user, obj)
    if group:
        model = get_group_obj_perms_model(obj)
        return model.objects.assign_perm(perm, group, obj)
 def test_user(self):
     user, group = get_identity(self.user)
     self.assertTrue(isinstance(user, User))
     self.assertEqual(group, None)
 def test_anonymous_user(self):
     anon = AnonymousUser()
     user, group = get_identity(anon)
     self.assertTrue(isinstance(user, User))
     self.assertEqual(group, None)
 def test_group(self):
     user, group = get_identity(self.group)
     self.assertTrue(isinstance(group, Group))
     self.assertEqual(user, None)
示例#19
0
def assign_perm(perm, user_or_group, obj=None):
    """
    Assigns permission to user/group and object pair.

    :param perm: proper permission for given ``obj``, as string (in format:
      ``app_label.codename`` or ``codename``) or ``Permission`` instance.
      If ``obj`` is not given, must be in format ``app_label.codename`` or
      ``Permission`` instance.

    :param user_or_group: instance of ``User``, ``AnonymousUser`` or ``Group``;
      passing any other object would raise
      ``guardian.exceptions.NotUserNorGroup`` exception

    :param obj: persisted Django's ``Model`` instance or QuerySet of Django
      ``Model`` instances or ``None`` if assigning global permission.
      Default is ``None``.

    We can assign permission for ``Model`` instance for specific user:

    >>> from django.contrib.sites.models import Site
    >>> from guardian.models import User
    >>> from guardian.shortcuts import assign_perm
    >>> site = Site.objects.get_current()
    >>> user = User.objects.create(username='******')
    >>> assign_perm("change_site", user, site)
    <UserObjectPermission: example.com | joe | change_site>
    >>> user.has_perm("change_site", site)
    True

    ... or we can assign permission for group:

    >>> group = Group.objects.create(name='joe-group')
    >>> user.groups.add(group)
    >>> assign_perm("delete_site", group, site)
    <GroupObjectPermission: example.com | joe-group | delete_site>
    >>> user.has_perm("delete_site", site)
    True

    **Global permissions**

    This function may also be used to assign standard, *global* permissions if
    ``obj`` parameter is omitted. Added Permission would be returned in that
    case:

    >>> assign_perm("sites.change_site", user)
    <Permission: sites | site | Can change site>

    """

    user, group = get_identity(user_or_group)
    # If obj is None we try to operate on global permissions
    if obj is None:
        if not isinstance(perm, Permission):
            try:
                app_label, codename = perm.split('.', 1)
            except ValueError:
                raise ValueError(
                    "For global permissions, first argument must be in"
                    " format: 'app_label.codename' (is %r)" % perm)
            perm = Permission.objects.get(content_type__app_label=app_label,
                                          codename=codename)

        if user:
            user.user_permissions.add(perm)
            return perm
        if group:
            group.permissions.add(perm)
            return perm

    if not isinstance(perm, Permission):
        perm = perm.split('.')[-1]

    if isinstance(obj, QuerySet):
        if user:
            model = get_user_obj_perms_model(obj.model)
            return model.objects.bulk_assign_perm(perm, user, obj)
        if group:
            model = get_group_obj_perms_model(obj.model)
            return model.objects.bulk_assign_perm(perm, group, obj)

    if user:
        model = get_user_obj_perms_model(obj)
        return model.objects.assign_perm(perm, user, obj)

    if group:
        model = get_group_obj_perms_model(obj)
        return model.objects.assign_perm(perm, group, obj)
示例#20
0
 def test_anonymous_user(self):
     anon = AnonymousUser()
     user, group = get_identity(anon)
     self.assertTrue(isinstance(user, User))
     self.assertEqual(group, None)
示例#21
0
 def test_user(self):
     user, group = get_identity(self.user)
     self.assertTrue(isinstance(user, User))
     self.assertEqual(group, None)
 def test_multiple_group_qs(self):
     user, group = get_identity(Group.objects.all())
     self.assertIsInstance(group, models.QuerySet)
     self.assertIsNone(user)
示例#23
0
 def test_group(self):
     user, group = get_identity(self.group)
     self.assertTrue(isinstance(group, Group))
     self.assertEqual(user, None)
 def test_multiple_group_list(self):
     user, group = get_identity([self.group])
     self.assertIsInstance(group, list)
     self.assertIsNone(user)