def check_availability_of_auto_approving(items, user, project):
if user.is_staff:
return True
# Skip approval of private offering for project users
if all(item.offering.is_private for item in items):
return structure_permissions._has_admin_access(user, project)
# Skip approval of public offering belonging to the same organization under which the request is done
if all(
item.offering.shared
and item.offering.customer == project.customer
and item.offering.plugin_options.get(
'auto_approve_in_service_provider_projects'
)
is True
for item in items
):
return True
# Service provider is not required to approve termination order
if (
len(items) == 1
and items[0].type == models.OrderItem.Types.TERMINATE
and structure_permissions._has_owner_access(user, items[0].offering.customer)
):
return True
return user_can_approve_order(user, project)
def check_project_permissions(self, attrs):
if self.instance:
project = self.instance.project
else:
project = attrs['instance'].service_project_link.project
if not structure_permissions._has_admin_access(self.context['request'].user, project):
raise exceptions.PermissionDenied()
def test_if_project_customer_has_been_changed_then_users_permissions_must_be_deleted(
self,
):
self.fixture.admin
self.change_customer()
self.assertFalse(
permissions._has_admin_access(self.fixture.admin, self.project)
)
def _validate_service_project_link(self, spl):
""" Administrator can create tenant only using not shared service settings """
user = self.context['request'].user
message = _('You do not have permissions to create tenant in this project using selected service.')
if spl.service.settings.shared and not user.is_staff:
raise serializers.ValidationError(message)
if not spl.service.settings.shared and not structure_permissions._has_admin_access(user, spl.project):
raise serializers.ValidationError(message)
return spl
def remove_ssh_key_from_tenants(sender, structure, user, role, **kwargs):
""" Delete user ssh keys from tenants that he does not have access now. """
tenants = Tenant.objects.filter(**{sender.__name__.lower(): structure})
ssh_keys = core_models.SshPublicKey.objects.filter(user=user)
for tenant in tenants:
if structure_permissions._has_admin_access(user, tenant.project):
continue # no need to delete ssh keys if user still have permissions for tenant.
serialized_tenant = core_utils.serialize_instance(tenant)
for key in ssh_keys:
core_tasks.BackendMethodTask().delay(serialized_tenant,
'remove_ssh_key_from_tenant',
key.name, key.fingerprint)
def user_can_terminate_resource(request, view, resource=None):
if not resource:
return
# Project manager/admin and customer owner are allowed to terminate resource.
if structure_permissions._has_admin_access(request.user, resource.project):
return
# Service provider is allowed to terminate resource too.
if structure_permissions._has_owner_access(request.user, resource.offering.customer):
return
raise exceptions.PermissionDenied()
def remove_ssh_key_from_all_tenants_on_it_deletion(sender, instance, **kwargs):
""" Delete key from all tenants that are accessible for user on key deletion. """
ssh_key = instance
user = ssh_key.user
tenants = structure_filters.filter_queryset_for_user(
Tenant.objects.all(), user)
for tenant in tenants:
if not structure_permissions._has_admin_access(user, tenant.project):
continue
serialized_tenant = core_utils.serialize_instance(tenant)
core_tasks.BackendMethodTask().delay(serialized_tenant,
'remove_ssh_key_from_tenant',
ssh_key.name, ssh_key.fingerprint)
def check_availability_of_auto_approving(items, user, project):
if user.is_staff:
return True
# Skip approval of private offering for project users
if all(item.offering.is_private for item in items):
return structure_permissions._has_admin_access(user, project)
# Service provider is not required to approve termination order
if (len(items) == 1 and
items[0].type == models.OrderItem.Types.TERMINATE and
structure_permissions._has_owner_access(user, items[0].offering.customer)):
return True
return user_can_approve_order(user, project)
def user_can_reject_order(request, view, order=None):
if not order:
return
user = request.user
if user.is_staff:
return
if user == order.created_by:
return
if structure_permissions._has_admin_access(user, order.project):
return
raise exceptions.PermissionDenied()
def user_can_approve_order(user, project):
if user.is_staff:
return True
if django_settings.WALDUR_MARKETPLACE['OWNER_CAN_APPROVE_ORDER'] and \
structure_permissions._has_owner_access(user, project.customer):
return True
if django_settings.WALDUR_MARKETPLACE['MANAGER_CAN_APPROVE_ORDER'] and \
structure_permissions._has_manager_access(user, project):
return True
if django_settings.WALDUR_MARKETPLACE['ADMIN_CAN_APPROVE_ORDER'] and \
structure_permissions._has_admin_access(user, project):
return True
return False
def user_can_terminate_resource(request, view, resource=None):
if not resource:
return
# Allow to terminate resource in soft-deleted project
project = structure_models.Project.all_objects.get(id=resource.project_id)
# Project manager/admin and customer owner are allowed to terminate resource.
if structure_permissions._has_admin_access(request.user, project):
return
# Service provider is allowed to terminate resource too.
if structure_permissions._has_owner_access(request.user,
resource.offering.customer):
return
raise exceptions.PermissionDenied()
def check_permissions_for_state_change(request, view, order=None):
if not order:
return
user = request.user
if user.is_staff:
return
if settings.WALDUR_MARKETPLACE['OWNER_CAN_APPROVE_ORDER'] and \
structure_permissions._has_owner_access(user, order.project.customer):
return
if settings.WALDUR_MARKETPLACE['MANAGER_CAN_APPROVE_ORDER'] and \
structure_permissions._has_manager_access(user, order.project):
return
if settings.WALDUR_MARKETPLACE['ADMIN_CAN_APPROVE_ORDER'] and \
structure_permissions._has_admin_access(user, order.project):
return
raise rf_exceptions.PermissionDenied()
