def _add_tenant_filter(self, query, model_class, all_tenants):
"""Filter by the tenant ID associated with `model_class` (either
directly via a relationship with the tenants table, or via an
ancestor who has such a relationship)
"""
# Users/Groups etc. don't have tenants
if not model_class.is_resource:
return query
# not used from a request handler - no relevant user
if not has_request_context():
return query
# If a user that is allowed to get all the tenants in the system
# passed the `all_tenants` flag, no need to filter
if all_tenants_authorization() and all_tenants:
return query
if all_tenants:
tenant_ids = [tenant.id for tenant in current_user.all_tenants]
else:
tenant_ids = [self.current_tenant.id]
# Match any of the applicable tenant ids or if it's a global resource
tenant_filter = sql_or(
model_class.resource_availability == AvailabilityState.GLOBAL,
model_class._tenant_id.in_(tenant_ids))
return query.filter(tenant_filter)
def _add_permissions_filter(query, model_class):
"""Filter by the users present in either the `viewers` or `owners`
lists
"""
# not used from a request handler - no relevant user
if not has_request_context():
return query
# For users that are allowed to see all resources, regardless of tenant
# Queries of elements that aren't resources (tenants, users, etc.),
# shouldn't be filtered as well
if not model_class.is_resource or all_tenants_authorization():
return query
# Only get resources that are public - not private (note that ~ stands
# for NOT, in SQLA), *or* those where the current user is the creator
user_filter = sql_or(
model_class.resource_availability != AvailabilityState.PRIVATE,
model_class.creator == current_user)
return query.filter(user_filter)
def _add_tenant_filter(self, query, model_class, all_tenants):
"""Filter by the tenant ID associated with `model_class` (either
directly via a relationship with the tenants table, or via an
ancestor who has such a relationship)
"""
# Users/Groups etc. don't have tenants
if not model_class.is_resource:
return query
# not used from a request handler - no relevant user
if not has_request_context():
return query
current_tenant = self.current_tenant
# If a user passed the `all_tenants` flag
if all_tenants:
# If a user that is allowed to get all the tenants in the system
# no need to filter
if all_tenants_authorization():
return query
# Filter by all the tenants the user is allowed to list in
tenant_ids = [
tenant.id for tenant in current_user.all_tenants
if utils.tenant_specific_authorization(tenant,
model_class.__name__)
]
else:
# Specific tenant only
tenant_ids = [current_tenant.id] if current_tenant else []
# Match any of the applicable tenant ids or if it's a global resource
tenant_filter = sql_or(
model_class.visibility == VisibilityState.GLOBAL,
model_class._tenant_id.in_(tenant_ids)
)
return query.filter(tenant_filter)
def _add_tenant_filter(self, query, model_class, all_tenants):
"""Filter by the tenant ID associated with `model_class` (either
directly via a relationship with the tenants table, or via an
ancestor who has such a relationship)
"""
# Users/Groups etc. don't have tenants
if not model_class.is_resource:
return query
# not used from a request handler - no relevant user
if not has_request_context():
return query
current_tenant = self.current_tenant
# If a user passed the `all_tenants` flag
if all_tenants:
# If a user that is allowed to get all the tenants in the system
# no need to filter
if all_tenants_authorization():
return query
# Filter by all the tenants the user is allowed to list in
tenant_ids = [
tenant.id for tenant in current_user.all_tenants
if utils.tenant_specific_authorization(tenant,
model_class.__name__)
]
else:
# Specific tenant only
tenant_ids = [current_tenant.id] if current_tenant else []
# Match any of the applicable tenant ids or if it's a global resource
tenant_filter = sql_or(
model_class.visibility == VisibilityState.GLOBAL,
model_class._tenant_id.in_(tenant_ids)
)
return query.filter(tenant_filter)