示例#1
0
    def _get_principals(self, request):
        """
            Calculates the identities that can be used
            when authorizing the user
        """
        principals = [Everyone, Authenticated, request.authenticated_userid]
        if is_owner(request.context, request.authenticated_userid):
            principals.append(Owner)

        principals.extend(get_user_roles(request, request.authenticated_userid))
        request.__effective_principals__ = principals
        return principals
示例#2
0
文件: token.py 项目: UPCnet/max
    def __acl__(self):
        acl = [
            (Allow, Manager, view_token),
            (Allow, Owner, view_token),
        ]

        # When checking permissions directly on the object (For example when determining
        # the visible fields), request.context.owner will be related to the owner of where we are posting the
        # activity, for example, when posting to a context, the context), so we need to provide permissions
        # for the owner of the object itself, or the flatten will result empty...
        if is_owner(self, self.request.authenticated_userid):
            acl.append((Allow, self.request.authenticated_userid, view_token))

        return acl
示例#3
0
文件: ASObjects.py 项目: UPCnet/max
    def __acl__(self):
        acl = [
            (Allow, Manager, delete_comment),
            (Allow, Owner, delete_comment),
        ]
        activity = self.__parent__.activity

        # If the user accessing the activity owns it, give it permission to delete
        if is_owner(activity, activity.request.authenticated_userid):
            acl.append((Allow, activity.request.authenticated_userid, delete_comment))

        if activity.get('contexts', []) and hasattr(activity.request.actor, 'getSubscription'):
            subscription = activity.request.actor.getSubscription(activity['contexts'][0])
            if subscription:
                permissions = subscription.get('permissions', [])
                if 'delete' in permissions:
                    acl.append((Allow, activity.request.authenticated_userid, delete_comment))

        return acl
示例#4
0
文件: activity.py 项目: UPCnet/max
    def __acl__(self):
        acl = [
            (Allow, Manager, view_activity),
            (Allow, Manager, delete_activity),
            (Allow, Manager, list_comments),
            (Allow, Manager, add_comment),
            (Allow, Manager, favorite),
            (Allow, Manager, unfavorite),
            (Allow, Manager, like),
            (Allow, Owner, view_activity),
            (Allow, Owner, delete_activity),
        ]
        if is_self_operation(self.request):
            acl.append((Allow, self.request.authenticated_userid, favorite))

            if self.has_favorite_from(self.request.actor):
                acl.append((Allow, self.request.authenticated_userid, unfavorite))

        # When checking permissions directly on the object (For example when determining
        # the visible fields), request.context.owner will be related to the owner of where we are posting the
        # activity, for example, when posting to a context, the context), so we need to provide permissions
        # for the owner of the object itself, or the flatten will result empty...
        if is_owner(self, self.request.authenticated_userid):
            acl.append((Allow, self.request.authenticated_userid, view_activity))

        # If we have an activity that has contexts, grant view_activity if the context
        # subscription provides the read permission.
        #
        # There's two use case where the actor's that just posted the activity may not have a subscription.
        #  1. A Manager is posting in a context as himself (not impersonating) and he's not subscribed.
        #     As we allow this in static acls, a manager will already have the permissions granted below.
        #  2. A Manager is posting in a context as a context, so the context won't be subcribed in any way.
        #     As the user authenticated wil be a manager, it will already have the permissions granted below.

        if self.get("contexts", []) and hasattr(self.request.actor, "getSubscription"):
            from max.models import Context

            # When dealing with context activities, request context will be already loaded, so reuse it
            activity_context_same_as_request_context = (
                isinstance(self.request.context, Context)
                and self.request.context["hash"] == self["contexts"][0]["hash"]
            )
            if activity_context_same_as_request_context:
                context = self.request.context
            else:
                # When activity context is not loaded, instantiate a lazy one
                context = Context.from_object(self.request, self["contexts"][0])

            subscription = self.request.actor.getSubscription(context)
            if subscription:
                permissions = subscription.get("permissions", [])
                if "read" in permissions:
                    acl.append((Allow, self.request.authenticated_userid, view_activity))
                    acl.append((Allow, self.request.authenticated_userid, list_comments))

                    # Allow like on non impersonated requests
                    if is_self_operation(self.request):
                        acl.append((Allow, self.request.authenticated_userid, like))

                if "flag" in permissions:
                    acl.append((Allow, self.request.authenticated_userid, flag))
                    acl.append((Allow, self.request.authenticated_userid, unflag))

                if "delete" in permissions:
                    acl.append((Allow, self.request.authenticated_userid, delete_activity))
                    acl.append((Allow, self.request.authenticated_userid, delete_comment))

                if "write" in permissions:
                    acl.append((Allow, self.request.authenticated_userid, add_comment))

            # If no susbcription found, check context policy
            else:
                # XXX This should be cached at resource level
                context.wake()
                if context.get("permissions", {}).get("read", DEFAULT_CONTEXT_PERMISSIONS["read"]) == "public":
                    acl.append((Allow, self.request.authenticated_userid, view_activity))
                    if is_self_operation(self.request):
                        acl.append((Allow, self.request.authenticated_userid, like))

            # Only context activites can be flagged/unflagged, so we give permissions to
            # Manager here, as it don't make sense to do it globally
            acl.extend([(Allow, Manager, flag), (Allow, Manager, unflag)])

        # Activies without a context are considered public to all authenticated users, so commentable.
        # Those activities commments also will be readable by all authenticated users.
        # Owners of activities can delete them outside contexts.
        else:
            acl.extend(
                [
                    (Allow, Authenticated, view_activity),
                    (Allow, Authenticated, add_comment),
                    (Allow, Owner, delete_comment),
                    (Allow, Authenticated, list_comments),
                ]
            )
            if is_self_operation(self.request):
                acl.append((Allow, self.request.authenticated_userid, like))

        # Allow unlike only if actor has a like on this activity.
        # Allow Managers to unlike likes from other users
        if self.has_like_from(self.request.actor):
            acl.append((Allow, Manager, unlike))
            if is_self_operation(self.request):
                acl.append((Allow, self.request.authenticated_userid, unlike))

        return acl