def _authorize_query(query: Query) -> Optional[Query]:
    """Attach oso authorization filters to ``query`` from its session context.

    The oso instance, user and action are read from ``query.session.oso_context``.
    One filter is requested from ``authorize_model`` for each distinct mapper
    entity named in ``query.column_descriptions``.

    Returns:
        The filtered query, or ``None`` when ``query.session`` is not an
        ``AuthorizedSessionBase``. ``None`` means that no authorization
        filter was applied here, so callers must not treat it as "authorized".

    Coverage limits visible in this function:
        * Columns whose ``entity`` is ``None`` receive no filter.
        * Only entities listed in ``column_descriptions`` are considered.
        * An entity for which ``authorize_model`` returns ``None`` is left
          unfiltered.
    """
    bound_session = query.session
    if not isinstance(bound_session, AuthorizedSessionBase):
        # A plain session carries no oso context; signal "nothing applied".
        return None

    oso = bound_session.oso_context["oso"]
    user = bound_session.oso_context["user"]
    action = bound_session.oso_context["action"]

    # TODO (dhatch): This is necessary to allow ``authorize_query`` to work
    # on queries that have already been made. If a query has a LIMIT or OFFSET
    # applied, SQLAlchemy will by default throw an error if filters are applied.
    # This prevents these errors from occurring, but could result in some
    # incorrect queries. We should remove this if possible.
    query = query.enable_assertions(False)

    selected_entities = {desc["entity"] for desc in query.column_descriptions}
    for model in selected_entities:
        # Only columns that represent a mapper entity are authorized.
        # NOTE(review): a column with no entity passes through unfiltered;
        # confirm this is acceptable for every query shape that reaches here.
        if model is not None:
            criterion = authorize_model(oso, user, action, query.session, model)
            # NOTE(review): a None result adds no restriction for this entity.
            # Confirm what None means in authorize_model (unconstrained access
            # versus "no rule matched") so that it cannot fail open.
            if criterion is not None:
                query = query.filter(criterion)

    return query
def authorize_query(query: Query, get_oso, get_user, get_action) -> Query:
    """Attach oso authorization filters to ``query`` using caller-supplied getters.

    Args:
        query: The query to restrict.
        get_oso: Zero-argument callable returning the oso instance.
        get_user: Zero-argument callable returning the actor to authorize.
        get_action: Zero-argument callable returning the action being checked.

    Returns:
        ``query`` with one filter added for each distinct mapper entity in
        ``query.column_descriptions`` for which ``authorize_model_filter``
        returned a non-``None`` filter.

    Coverage limits visible in this function:
        * Columns whose ``entity`` is ``None`` receive no filter.
        * Only entities listed in ``column_descriptions`` are considered.
        * An entity for which ``authorize_model_filter`` returns ``None`` is
          left unfiltered.
    """
    # The getters are called in this order: oso, action, user.
    oso = get_oso()
    action = get_action()
    actor = get_user()

    # TODO (dhatch): This is necessary to allow ``authorize_query`` to work
    # on queries that have already been made. If a query has a LIMIT or OFFSET
    # applied, SQLAlchemy will by default throw an error if filters are applied.
    # This prevents these errors from occurring, but could result in some
    # incorrect queries. We should remove this if possible.
    query = query.enable_assertions(False)

    selected_entities = {desc["entity"] for desc in query.column_descriptions}
    for model in selected_entities:
        # Only columns that represent a mapper entity are authorized.
        # NOTE(review): a column with no entity passes through unfiltered;
        # confirm this is acceptable for every query shape that reaches here.
        if model is not None:
            criterion = authorize_model_filter(
                oso, actor, action, query.session, model
            )
            # NOTE(review): a None result adds no restriction for this entity.
            # Confirm what None means in authorize_model_filter so that it
            # cannot fail open.
            if criterion is not None:
                query = query.filter(criterion)

    return query