def test_webaccess_firerole_serialization(self):
    """webaccess - firerole role definition correctly serialized"""
    from invenio.modules.access.control import acc_get_role_definition
    from invenio.modules.access.firerole import (compile_role_definition,
                                                 deserialize)

    # Compile the textual definition the fixture stored on this test case.
    expected = compile_role_definition(self.role_definition)
    # Fetch the serialized definition persisted for the fixture role.
    stored = acc_get_role_definition(self.role_id)
    # The stored form must deserialize back to the freshly compiled form.
    self.assertEqual(expected, deserialize(stored))
def test_webaccess_firerole_serialization(self):
    """webaccess - firerole role definition correctly serialized"""
    from invenio.modules.access.control import acc_get_role_definition
    from invenio.modules.access.firerole import (compile_role_definition,
                                                 deserialize)

    # Serialized definition as persisted for the fixture role, decoded back.
    round_tripped = deserialize(acc_get_role_definition(self.role_id))
    # Must match a fresh compilation of the same textual definition.
    self.assertEqual(compile_role_definition(self.role_definition),
                     round_tripped)
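def _firerole_line(User, allow_p, not_p, field, exp):
    """Render one compiled firerole clause back into its textual form.

    ``(allow_p, not_p, field, exp)`` is one entry of the ``roles`` list
    returned by ``compile_role_definition``; ``exp`` is a list of
    ``(regex, value)`` pairs.  A single-value ``email`` clause is rewritten
    to a ``uid`` clause when the address resolves to exactly one user;
    otherwise the clause is emitted unchanged.

    :param User: the accounts ``User`` model (passed in because the caller
        imports it lazily).
    :return: the clause as one line of firerole source.
    :raises RuntimeError: when a value is neither a string nor a float.
    """
    line = ["allow" if allow_p else "deny"]
    if not_p:
        line.append("not")

    # Rewrite from email into using uid.
    if field == 'email' and len(exp) == 1:
        email = exp[0][1]
        try:
            # Only the lookup is guarded, so a failure in the rendering
            # below is not misreported as "user not found".  A missing or
            # ambiguous user keeps the original email clause.
            u = User.query.filter_by(email=email).one()
        except Exception:
            warnings.warn("Can't find user for email %s" % email)
        else:
            line.extend(['uid', '"%s"' % u.id])
            return " ".join(line)

    line.append(field)
    for _reg, value in exp:
        if isinstance(value, basestring):
            line.append('"%s"' % value)
        elif isinstance(value, float):
            # Float values are epoch timestamps; rendered as a local date.
            line.append('"%s"' % time.strftime("%Y-%m-%d",
                                                time.localtime(value)))
        else:
            raise RuntimeError("Can't create line for %s" % exp)
    return " ".join(line)


def do_upgrade():
    """Normalize firerole definitions stored in ``Bibdoc.status``.

    Two rewrites are applied in order:

    1. A status of exactly ``'firerole: allow any'`` is cleared to ``''``.
    2. Every remaining ``firerole:`` status is recompiled and re-rendered;
       ``email`` clauses naming exactly one known user become ``uid``
       clauses, so the rule no longer depends on a changeable address.
    """
    from invenio.modules.accounts.models import User
    from invenio.modules.editor.models import Bibdoc
    from invenio.modules.access.firerole import compile_role_definition

    # Update fireroles.
    Bibdoc.query.filter_by(status='firerole: allow any').update(
        dict(status=''))

    # Migrate from email to uid.  Changes are collected and applied after
    # the loop (presumably to avoid updating rows while the query that
    # selects them is still being iterated).
    updates = []
    for d in Bibdoc.query.filter(Bibdoc.status.like("firerole:%")):
        firerole = d.status[len("firerole:"):].strip()
        default_p, roles = compile_role_definition(firerole)
        lines = [_firerole_line(User, allow_p, not_p, field, exp)
                 for allow_p, not_p, field, exp in roles]
        lines.append("allow any" if default_p else "deny all")
        new_firerole = "\n".join(lines)
        if firerole != new_firerole:
            updates.append((d.id, "firerole: %s" % new_firerole))

    for docid, status in updates:
        Bibdoc.query.filter_by(id=docid).update(dict(status=status))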
def setUp(self):
    """Create a fake role."""
    from invenio.modules.access.control import acc_add_role
    from invenio.modules.access.firerole import (compile_role_definition,
                                                 serialize)

    self.role_name = 'test'
    self.role_description = 'test role'
    # Definition used by the tests: any address in the cern.ch domain.
    self.role_definition = 'allow email /.*@cern.ch/'
    compiled = serialize(compile_role_definition(self.role_definition))
    # acc_add_role returns a 4-tuple; only the new role id is needed.
    self.role_id, _, _, _ = acc_add_role(self.role_name,
                                         self.role_description,
                                         compiled,
                                         self.role_definition)
def setUp(self):
    """Create a fake role."""
    from invenio.modules.access.control import acc_add_role
    from invenio.modules.access.firerole import (compile_role_definition,
                                                 serialize)

    self.role_name = 'test'
    self.role_description = 'test role'
    # Any address in the cern.ch domain is allowed by the fixture role.
    self.role_definition = 'allow email /.*@cern.ch/'
    serialized_def = serialize(
        compile_role_definition(self.role_definition))
    # Only the first element (the new role id) of the returned 4-tuple
    # is kept for the tests.
    created = acc_add_role(self.role_name, self.role_description,
                           serialized_def, self.role_definition)
    self.role_id, _, _, _ = created
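def _firerole_line(User, allow_p, not_p, field, exp):
    """Render one compiled firerole clause back into its textual form.

    ``(allow_p, not_p, field, exp)`` is one entry of the ``roles`` list
    returned by ``compile_role_definition``; ``exp`` is a list of
    ``(regex, value)`` pairs.  A single-value ``email`` clause is rewritten
    to a ``uid`` clause when the address resolves to exactly one user;
    otherwise the clause is emitted unchanged.

    :param User: the accounts ``User`` model (passed in because the caller
        imports it lazily).
    :return: the clause as one line of firerole source.
    :raises RuntimeError: when a value is neither a string nor a float.
    """
    line = ["allow" if allow_p else "deny"]
    if not_p:
        line.append("not")

    # Rewrite from email into using uid.
    if field == 'email' and len(exp) == 1:
        email = exp[0][1]
        try:
            # Only the lookup is guarded, so a failure in the rendering
            # below is not misreported as "user not found".  A missing or
            # ambiguous user keeps the original email clause.
            u = User.query.filter_by(email=email).one()
        except Exception:
            warnings.warn("Can't find user for email %s" % email)
        else:
            line.extend(['uid', '"%s"' % u.id])
            return " ".join(line)

    line.append(field)
    for _reg, value in exp:
        if isinstance(value, basestring):
            line.append('"%s"' % value)
        elif isinstance(value, float):
            # Float values are epoch timestamps; rendered as a local date.
            line.append(
                '"%s"' % time.strftime("%Y-%m-%d", time.localtime(value)))
        else:
            raise RuntimeError("Can't create line for %s" % exp)
    return " ".join(line)


def do_upgrade():
    """Normalize firerole definitions stored in ``Bibdoc.status``.

    Two rewrites are applied in order:

    1. A status of exactly ``'firerole: allow any'`` is cleared to ``''``.
    2. Every remaining ``firerole:`` status is recompiled and re-rendered;
       ``email`` clauses naming exactly one known user become ``uid``
       clauses, so the rule no longer depends on a changeable address.
    """
    from invenio.modules.accounts.models import User
    from invenio.modules.editor.models import Bibdoc
    from invenio.modules.access.firerole import compile_role_definition

    # Update fireroles.
    Bibdoc.query.filter_by(status='firerole: allow any').update(
        dict(status=''))

    # Migrate from email to uid.  Changes are collected and applied after
    # the loop (presumably to avoid updating rows while the query that
    # selects them is still being iterated).
    updates = []
    for d in Bibdoc.query.filter(Bibdoc.status.like("firerole:%")):
        firerole = d.status[len("firerole:"):].strip()
        default_p, roles = compile_role_definition(firerole)
        lines = [_firerole_line(User, allow_p, not_p, field, exp)
                 for allow_p, not_p, field, exp in roles]
        lines.append("allow any" if default_p else "deny all")
        new_firerole = "\n".join(lines)
        if firerole != new_firerole:
            updates.append((d.id, "firerole: %s" % new_firerole))

    for docid, status in updates:
        Bibdoc.query.filter_by(id=docid).update(dict(status=status))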
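def save_acl(self, c):
    """Grant the project owner -- and only the owner -- access to *c*.

    Creates (or reuses) a firerole-backed role keyed on the project id,
    the ``collection`` argument for *c*, the owner's membership in that
    role and the ``viewrestrcoll`` authorization tying them together.
    Any other user attached to the role is removed.  New rows are added to
    ``db.session``; nothing is committed here.

    :param c: collection object; only ``c.name`` is used.
    """
    # Role - keyed on the project id, because role name is limited to
    # 32 chars.
    role_name = 'project_role_%s' % self.id
    role = AccROLE.query.filter_by(name=role_name).first()
    if not role:
        # NOTE(review): the group name is interpolated verbatim into the
        # firerole source; assumes get_group_name() never contains a double
        # quote or a newline -- confirm.
        rule = 'allow group "%s"\ndeny any' % self.get_group_name()
        role = AccROLE(name=role_name,
                       description='Owner of project %s' % self.title,
                       firerole_def_ser=serialize(
                           compile_role_definition(rule)),
                       firerole_def_src=rule)
        db.session.add(role)

    # Argument
    fields = dict(keyword='collection', value=c.name)
    arg = AccARGUMENT.query.filter_by(**fields).first()
    if not arg:
        arg = AccARGUMENT(**fields)
        db.session.add(arg)

    # Action -- presumably always provisioned; if the row were missing,
    # the authorization below would be built with action=None.
    action = AccACTION.query.filter_by(name='viewrestrcoll').first()

    # User role: keep the owner's membership and drop everybody else's.
    # The comparison must be != here -- deleting on == would remove the
    # owner and leave a non-owner holding the role.
    userrole = None
    for ur in UserAccROLE.query.filter_by(role=role).all():
        if ur.id_user != self.id_user:
            db.session.delete(ur)
        else:
            userrole = ur
    if not userrole:
        userrole = UserAccROLE(id_user=self.id_user, role=role)
        db.session.add(userrole)

    # Authorization
    auth = AccAuthorization.query.filter_by(role=role, action=action,
                                            argument=arg).first()
    if not auth:
        auth = AccAuthorization(role=role, action=action, argument=arg,
                                argumentlistid=1)
        # Added explicitly like the other new rows, rather than relying on
        # relationship cascades to pull it into the session.
        db.session.add(auth)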
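def save_acl(self, c):
    """Grant the instrument owner -- and only the owner -- access to *c*.

    Creates (or reuses) a firerole-backed role keyed on the instrument id,
    the ``collection`` argument for *c*, the owner's membership in that
    role and the ``viewrestrcoll`` authorization tying them together.
    Any other user attached to the role is removed.  New rows are added to
    ``db.session``; nothing is committed here.

    :param c: collection object; only ``c.name`` is used.
    """
    # Role - keyed on the instrument id, because role name is limited to
    # 32 chars.
    role_name = 'instrument_role_%s' % self.id
    role = AccROLE.query.filter_by(name=role_name).first()
    if not role:
        # NOTE(review): the group name is interpolated verbatim into the
        # firerole source; assumes get_group_name() never contains a double
        # quote or a newline -- confirm.
        rule = 'allow group "%s"\ndeny any' % self.get_group_name()
        role = AccROLE(
            name=role_name,
            description='Owner of instruments %s' % self.name,
            firerole_def_ser=serialize(compile_role_definition(rule)),
            firerole_def_src=rule)
        db.session.add(role)

    # Argument
    fields = dict(keyword='collection', value=c.name)
    arg = AccARGUMENT.query.filter_by(**fields).first()
    if not arg:
        arg = AccARGUMENT(**fields)
        db.session.add(arg)

    # Action -- presumably always provisioned; if the row were missing,
    # the authorization below would be built with action=None.
    action = AccACTION.query.filter_by(name='viewrestrcoll').first()

    # User role: keep the owner's membership and drop everybody else's.
    # The comparison must be != here -- deleting on == would remove the
    # owner and leave a non-owner holding the role.
    userrole = None
    for ur in UserAccROLE.query.filter_by(role=role).all():
        if ur.id_user != self.user_id:
            db.session.delete(ur)
        else:
            userrole = ur
    if not userrole:
        userrole = UserAccROLE(id_user=self.user_id, role=role)
        db.session.add(userrole)

    # Authorization
    auth = AccAuthorization.query.filter_by(role=role, action=action,
                                            argument=arg).first()
    if not auth:
        auth = AccAuthorization(role=role, action=action, argument=arg,
                                argumentlistid=1)
        # Added explicitly like the other new rows, rather than relying on
        # relationship cascades to pull it into the session.
        db.session.add(auth)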