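def has_perm(self, user_obj, perm, obj=None):
    '''
    Main entry point: decide whether ``user_obj`` holds ``perm`` on ``obj``.

    ``perm`` is a Django-style ``'<app_label>.<action>_<contenttype>'``
    string. Resolution order:

    1. a malformed ``perm``, a foreign app label, a missing ``obj`` or a
       content type that does not match ``obj`` -> ``False`` (fail closed);
    2. an optional model-level hook ``obj._has_<action>_perm(user)`` may
       short-circuit the answer by returning a ``bool`` (e.g. public
       experiments); any other return value falls through;
    3. otherwise the currently effective ``ObjectACL`` rows for ``obj`` that
       carry the requested capability are matched against the user's own id
       plus the user's external groups, or, for anonymous users, against
       token groups only.

    Returns ``True`` only when at least one matching ACL row exists.
    '''
    if not user_obj.is_authenticated():
        # normalise every non-authenticated caller to a real AnonymousUser,
        # carrying over the tokens the request layer attached to it
        allowed_tokens = getattr(user_obj, 'allowed_tokens', [])
        user_obj = AnonymousUser()
        user_obj.allowed_tokens = allowed_tokens
    if obj is None:
        return False
    try:
        perm_label, perm_type = perm.split('.')
        perm_action, perm_ct = perm_type.split('_')
    except (ValueError, AttributeError):
        # wrong number of '.' / '_' separators, or perm is not a string:
        # deny instead of letting a malformed permission name through
        return False
    if perm_label != self.app_label:
        return False
    ct = ContentType.objects.get_for_model(obj)
    # compares against the ContentType name field; a model whose name
    # contains its own '_' cannot survive the two-way split above and is
    # therefore always denied here (fails closed)
    if ct.name != perm_ct:
        return False
    # perm_action comes from the caller, but the prefix/suffix restrict the
    # reachable attributes to the _has_*_perm hook family
    method_name = '_has_%s_perm' % perm_action
    # per-model hook: a bool answer overrides the ACL lookup entirely
    # (allows complete overriding of standard authorisation, eg for public
    # experiments); anything else continues with the ACLs
    model_spec_perm = getattr(obj, method_name,
                              lambda *args, **kwargs: None)(user_obj)
    if isinstance(model_spec_perm, bool):
        return model_spec_perm
    # effective ACLs on this object that grant the requested capability
    obj_acls = ObjectACL.objects.filter(
        content_type=ct, object_id=obj.id).filter(
        self.get_perm_bool(perm_action)).filter(
        ObjectACL.get_effective_query())
    if user_obj.is_authenticated():
        query = Q(pluginId='django_user', entityId=str(user_obj.id))
        for name, group in user_obj.get_profile().ext_groups:
            query |= Q(pluginId=name, entityId=str(group))
    else:
        # the only authorisation available for anonymous users is tokenauth.
        # AnonymousUser has no id, so no django_user clause is built for it
        # (it would otherwise compare entityId against the string 'None')
        tgp = TokenGroupProvider()
        query = None
        for name, group in tgp.getGroups(user_obj):
            clause = Q(pluginId=name, entityId=str(group))
            query = clause if query is None else query | clause
        if query is None:
            # no token groups at all: nothing can match
            return False
    return obj_acls.filter(query).exists()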
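def _query_shared(self, user):
    '''
    Build a ``Q`` selecting the experiments ``user`` may read via ACLs.

    For an authenticated user the filter is the union of

    * ``django_user`` ACLs for the user's own id with ``canRead`` set and
      ``isOwner`` unset (owned experiments are deliberately left out), and
    * ``canRead`` ACLs for every ``(pluginId, entityId)`` pair in
      ``user.userprofile.ext_groups`` (no ``isOwner`` restriction on this
      branch, so an experiment owned through a group is still returned).

    For an anonymous user only token groups apply; a user with no tokens
    gets a ``Q`` that matches nothing.

    Every clause is restricted to ACLs that are currently effective:
    ``effectiveDate`` unset or in the past, and ``expiryDate`` unset or in
    the future. The window is evaluated against one timestamp so that all
    clauses of a single query agree.

    This mirrors the tail of ``has_perm`` in authorisation.py; the two
    should be kept in step.
    '''
    # NOTE(review): naive local time, as elsewhere in this module - confirm
    # it matches how effectiveDate/expiryDate are stored
    now = datetime.today()

    def currently_effective(**acl_fields):
        # an ACL clause ANDed with the effective/expiry window
        return Q(**acl_fields) & \
            (Q(objectacls__effectiveDate__lte=now) |
             Q(objectacls__effectiveDate__isnull=True)) & \
            (Q(objectacls__expiryDate__gte=now) |
             Q(objectacls__expiryDate__isnull=True))

    if not user.is_authenticated():
        # local import, presumably to avoid an import cycle with the auth
        # machinery that loads this module
        from tardis.tardis_portal.auth.token_auth import TokenGroupProvider
        # Q(id=None) never matches a saved row: with no tokens the result
        # is empty rather than unfiltered
        query = Q(id=None)
        tgp = TokenGroupProvider()
        for group in tgp.getGroups(user):
            query |= currently_effective(objectacls__pluginId=tgp.name,
                                         objectacls__entityId=str(group),
                                         objectacls__canRead=True)
        return query
    # read access based on USER permissions, excluding owned experiments
    query = currently_effective(objectacls__pluginId=django_user,
                                objectacls__entityId=str(user.id),
                                objectacls__canRead=True,
                                objectacls__isOwner=False)
    # read access based on GROUP permissions
    for name, group in user.userprofile.ext_groups:
        query |= currently_effective(objectacls__pluginId=name,
                                     objectacls__entityId=str(group),
                                     objectacls__canRead=True)
    return query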
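def has_perm(self, user_obj, perm, obj=None):
    '''
    Main entry point: decide whether ``user_obj`` holds ``perm`` on ``obj``.

    ``perm`` is a Django-style ``'<app_label>.<action>_<contenttype>'``
    string; everything after the first ``'_'`` is the content type, so
    model names that themselves contain ``'_'`` (e.g. ``dataset_file``)
    round-trip correctly. Resolution order:

    1. a malformed ``perm``, a foreign app label, a missing ``obj`` or a
       content type that does not match ``obj`` -> ``False`` (fail closed);
    2. an optional model-level hook ``obj._has_<action>_perm(user)``:
       a ``bool`` answers outright (e.g. public experiments); one or more
       model instances delegate the same action to those objects, and the
       first one that grants it wins; ``None`` falls through;
    3. otherwise the currently effective ``ObjectACL`` rows for ``obj`` that
       carry the requested capability are matched against the user's own id
       plus the user's external groups, or, for anonymous users, against
       token groups only.

    Returns ``True`` only when step 2 grants or a matching ACL row exists.
    '''
    if not user_obj.is_authenticated():
        # normalise every non-authenticated caller to a real AnonymousUser,
        # carrying over the tokens the request layer attached to it
        allowed_tokens = getattr(user_obj, 'allowed_tokens', [])
        user_obj = AnonymousUser()
        user_obj.allowed_tokens = allowed_tokens
    if obj is None:
        return False
    try:
        perm_label, perm_type = perm.split('.')
        # split on the first '_' only: the remainder is the content type,
        # which may itself contain underscores ('Dataset_File')
        type_list = perm_type.split('_')
        perm_action = type_list[0]
        perm_ct = '_'.join(type_list[1:])
    except (ValueError, AttributeError):
        # wrong number of '.' separators, or perm is not a string: deny
        # instead of letting a malformed permission name through
        return False
    if perm_label != self.app_label:
        return False
    ct = ContentType.objects.get_for_model(obj)
    if ct.model != perm_ct:
        return False
    # perm_action comes from the caller, but the prefix/suffix restrict the
    # reachable attributes to the _has_*_perm hook family
    method_name = '_has_%s_perm' % perm_action
    # per-model hook: allows complete overriding of standard authorisation,
    # eg for public experiments
    model_spec_perm = getattr(obj, method_name,
                              lambda *args, **kwargs: None)(user_obj)
    if isinstance(model_spec_perm, bool):
        return model_spec_perm
    elif model_spec_perm is not None:
        # pass auth to a different object (typically the parent); if every
        # delegate says False, fall back to this object's own ACLs.
        # This makes it impossible to 'hide' child objects.
        # NOTE(review): a hook that hands back the object itself would
        # recurse through the backend indefinitely - hooks must return
        # other objects only.
        if not isinstance(model_spec_perm,
                          (list, tuple, set, frozenset, QuerySet)):
            model_spec_perm = [model_spec_perm]
        for msp in model_spec_perm:
            new_ct = ContentType.objects.get_for_model(msp)
            # use the ContentType's model name so the rebuilt perm passes
            # the ct.model comparison above; '%s' % new_ct would render
            # str(ContentType), which is not guaranteed to equal .model
            new_perm = '%s.%s_%s' % (perm_label, perm_action, new_ct.model)
            if user_obj.has_perm(new_perm, msp):
                return True
    # effective ACLs on this object that grant the requested capability
    obj_acls = ObjectACL.objects\
        .filter(content_type=ct, object_id=obj.id)\
        .filter(self.get_perm_bool(perm_action))\
        .filter(ObjectACL.get_effective_query())
    if user_obj.is_authenticated():
        query = Q(pluginId='django_user', entityId=str(user_obj.id))
        for name, group in user_obj.get_profile().ext_groups:
            query |= Q(pluginId=name, entityId=str(group))
    else:
        # the only authorisation available for anonymous users is tokenauth.
        # AnonymousUser has no id, so no django_user clause is built for it
        # (it would otherwise compare entityId against the string 'None')
        tgp = TokenGroupProvider()
        query = None
        for group in tgp.getGroups(user_obj):
            clause = Q(pluginId=tgp.name, entityId=str(group))
            query = clause if query is None else query | clause
        if query is None:
            # no token groups at all: nothing can match
            return False
    return obj_acls.filter(query).exists()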