Skip to content
Snippets Groups Projects
Select Git revision
  • gh-pages
  • master default protected
  • docker-hub-org
  • release-patch
  • rule-config-and-validation
  • analysis-job-completion-ticket
  • fwd-slash
  • swagger-fix-undocumented-codegen
  • unit-improvements-backport-1
  • lookup
  • container-mixin-support
  • signed-url-upload
  • classification-edit
  • nginx-unit
  • generic-storage
  • rerun-jobs-replace
  • super-awesome-abstract-container-route
  • batch-job-create
  • slash-files
  • save-search
  • 2.1.0
  • 2.0.0
  • 1.0.90
  • 1.0.89
  • swagger-pr-tag-test
  • 1.0.88
  • 1.0.87
  • 1.0.86
  • 1.0.85
  • 1.0.84
  • testing
  • 1.0.83
  • 1.0.82
  • 1.0.81
  • 1.0.80
  • 1.0.79
  • 1.0.78
  • 1.0.77
  • 1.0.76
  • 1.0.75
40 results
Blame Permalink
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
__init__.py 2.65 KiB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95 






from ..dao import APIPermissionException
from ..types import Origin

ROLES = [
    {
        'rid': 'ro',
        'name': 'Read-Only',
    },
    {
        'rid': 'rw',
        'name': 'Read-Write',
    },
    {
        'rid': 'admin',
        'name': 'Admin',
    },
]

INTEGER_ROLES = {r['rid']: i for i, r in enumerate(ROLES)}

def _get_access(uid, site, container):
    permissions_list = container.get('roles', container.get('permissions', []))
    for perm in permissions_list:
        if perm['_id'] == uid and perm['site'] == site:
            return INTEGER_ROLES[perm['access']]
    return -1

def has_access(uid, container, perm, site):
    return _get_access(uid, site, container) >= INTEGER_ROLES[perm]

class APIAuthProviderException(Exception):
    pass

class APIUnknownUserException(Exception):
    pass


def always_ok(exec_op):
    """
    This decorator leaves the original method unchanged.
    It is used as permissions checker when the request is a superuser_request
    """
    return exec_op

def require_login(handler_method):
    """
    A decorator to ensure the request is not a public request.

    Accepts superuser and non-superuser requests.
    Accepts drone and user requests.
    """
    def check_login(self, *args, **kwargs):
        if self.public_request:
            raise APIPermissionException('Login required.')
        return handler_method(self, *args, **kwargs)
    return check_login

def require_admin(handler_method):
    """
    A decorator to ensure the request is made as superuser.

    Accepts drone and user requests.
    """
    def check_admin(self, *args, **kwargs):
        if not self.user_is_admin:
            raise APIPermissionException('Admin user required.')
        return handler_method(self, *args, **kwargs)
    return check_admin

def require_superuser(handler_method):
    """
    A decorator to ensure the request is made as superuser.

    Accepts drone and user requests.
    """
    def check_superuser(self, *args, **kwargs):
        if not self.superuser_request:
            raise APIPermissionException('Superuser required.')
        return handler_method(self, *args, **kwargs)
    return check_superuser

def require_drone(handler_method):
    """
    A decorator to ensure the request is made as a drone.

    Will also ensure superuser, which is implied with a drone request.
    """
    def check_drone(self, *args, **kwargs):
        if self.origin.get('type', '') != Origin.device:
            raise APIPermissionException('Drone request required.')
        if not self.superuser_request:
            raise APIPermissionException('Superuser required.')
        return handler_method(self, *args, **kwargs)
    return check_drone