示例#1
def _authorize_query(query: Query) -> Optional[Query]:
    """Return ``query`` with an authorization filter added per entity.

    The oso instance, user and action are read from the ``oso_context`` of
    the query's session.

    Returns:
        The filtered query, or ``None`` when the query's session is not an
        ``AuthorizedSessionBase``. ``None`` means "nothing was authorized
        here", not "access denied"; the caller decides what to do with it.
    """
    session = query.session

    # Sessions that are not oso-aware carry no authorization context.
    if not isinstance(session, AuthorizedSessionBase):
        return None

    oso, user, action = (
        session.oso_context[key] for key in ("oso", "user", "action")
    )

    # TODO (dhatch): Assertions are switched off so that ``authorize_query``
    # also works on queries that have already been built.  With a LIMIT or
    # OFFSET applied, SQLAlchemy would by default throw an error when filters
    # are added.  This prevents those errors from occurring, but could result
    # in some incorrect queries. We should remove this if possible.
    # NOTE(review): callers that apply LIMIT/OFFSET before authorization
    # should check the generated SQL -- confirm the filters still constrain
    # the rows that are actually returned.
    query = query.enable_assertions(False)

    described = set()
    for description in query.column_descriptions:
        described.add(description["entity"])

    # Only columns that represent a mapper entity are authorized; a column
    # whose entity is None gets no filter at all.
    # NOTE(review): only entities listed in ``column_descriptions`` are seen
    # here -- presumably entities reached solely through joins or subqueries
    # are not filtered; confirm against the callers.
    for entity in filter(lambda candidate: candidate is not None, described):
        entity_filter = authorize_model(oso, user, action, query.session, entity)
        # NOTE(review): a None filter leaves this entity unrestricted --
        # confirm ``authorize_model`` never returns None to signal a denial,
        # since that would fail open.
        if entity_filter is None:
            continue
        query = query.filter(entity_filter)

    return query
示例#2
def authorize_query(query: Query, get_oso, get_user, get_action) -> Query:
    """Return ``query`` with an authorization filter added per entity.

    Args:
        query: The query to restrict.
        get_oso: Zero-argument callable returning the oso instance.
        get_user: Zero-argument callable returning the actor.
        get_action: Zero-argument callable returning the action.

    Returns:
        The query with one filter added for every mapper entity in its
        column descriptions for which a filter was produced.
    """
    # Evaluated left to right: oso first, then action, then user.
    oso, action, actor = get_oso(), get_action(), get_user()

    # TODO (dhatch): Assertions are switched off so that ``authorize_query``
    # also works on queries that have already been built.  With a LIMIT or
    # OFFSET applied, SQLAlchemy would by default throw an error when filters
    # are added.  This prevents those errors from occurring, but could result
    # in some incorrect queries. We should remove this if possible.
    # NOTE(review): callers that apply LIMIT/OFFSET before authorization
    # should check the generated SQL -- confirm the filters still constrain
    # the rows that are actually returned.
    query = query.enable_assertions(False)

    described = set(
        description["entity"] for description in query.column_descriptions
    )
    for entity in described:
        # Only columns that represent a mapper entity are authorized; a
        # column whose entity is None gets no filter at all.
        # NOTE(review): only entities listed in ``column_descriptions`` are
        # seen here -- presumably entities reached solely through joins or
        # subqueries are not filtered; confirm against the callers.
        if entity is not None:
            entity_filter = authorize_model_filter(
                oso, actor, action, query.session, entity
            )
            # NOTE(review): a None filter leaves this entity unrestricted --
            # confirm ``authorize_model_filter`` never returns None to signal
            # a denial, since that would fail open.
            if entity_filter is not None:
                query = query.filter(entity_filter)

    return query