fix: use auth handler, avoid legacy calls for role/perm checks

This commit is contained in:
Lance Edgar 2024-08-06 10:36:20 -05:00
parent bd1993f440
commit 518c108c88
3 changed files with 37 additions and 24 deletions


@ -194,7 +194,7 @@ class PermissionsRenderer(Object):
rendered = False rendered = False
for key in sorted(perms, key=lambda p: perms[p]['label'].lower()): for key in sorted(perms, key=lambda p: perms[p]['label'].lower()):
checked = auth.has_permission(Session(), principal, key, checked = auth.has_permission(Session(), principal, key,
include_guest=self.include_guest, include_anonymous=self.include_guest,
include_authenticated=self.include_authenticated) include_authenticated=self.include_authenticated)
if checked: if checked:
label = perms[key]['label'] label = perms[key]['label']
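Review bot: The has_permission call still reads `self.include_guest` while the UserView hunk in this commit now constructs the renderer with `include_anonymous=True` instead of `include_guest=True`; unless PermissionsRenderer's constructor (outside this hunk) still sets an `include_guest` attribute by default, this either raises AttributeError or silently renders with the default and drops the anonymous-implied permissions from the display. The attribute should be renamed together with the keyword, `include_anonymous=self.include_anonymous,`, with the constructor accepting the new name and, if older callers remain, keeping `include_guest` as an alias. The enclosing method starts and ends outside the hunk.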


@ -30,7 +30,6 @@ from sqlalchemy import orm
from openpyxl.styles import Font, PatternFill from openpyxl.styles import Font, PatternFill
from rattail.db.model import Role from rattail.db.model import Role
from rattail.db.auth import administrator_role, guest_role, authenticated_role
from rattail.excel import ExcelWriter from rattail.excel import ExcelWriter
import colander import colander
@ -107,8 +106,11 @@ class RoleView(PrincipalMasterView):
if role.node_type and role.node_type != self.rattail_config.node_type(): if role.node_type and role.node_type != self.rattail_config.node_type():
return False return False
app = self.get_rattail_app()
auth = app.get_auth_handler()
# only "root" can edit Administrator # only "root" can edit Administrator
if role is administrator_role(self.Session()): if role is auth.get_role_administrator(self.Session()):
return self.request.is_root return self.request.is_root
# only "admin" can edit "admin-ish" roles # only "admin" can edit "admin-ish" roles
@ -116,11 +118,11 @@ class RoleView(PrincipalMasterView):
return self.request.is_admin return self.request.is_admin
# can edit Authenticated only if user has permission # can edit Authenticated only if user has permission
if role is authenticated_role(self.Session()): if role is auth.get_role_authenticated(self.Session()):
return self.has_perm('edit_authenticated') return self.has_perm('edit_authenticated')
# can edit Guest only if user has permission # can edit Guest only if user has permission
if role is guest_role(self.Session()): if role is auth.get_role_anonymous(self.Session()):
return self.has_perm('edit_guest') return self.has_perm('edit_guest')
# current user can edit their own roles, only if they have permission # current user can edit their own roles, only if they have permission
@ -139,11 +141,14 @@ class RoleView(PrincipalMasterView):
if role.node_type and role.node_type != self.rattail_config.node_type(): if role.node_type and role.node_type != self.rattail_config.node_type():
return False return False
if role is administrator_role(self.Session()): app = self.get_rattail_app()
auth = app.get_auth_handler()
if role is auth.get_role_administrator(self.Session()):
return False return False
if role is authenticated_role(self.Session()): if role is auth.get_role_authenticated(self.Session()):
return False return False
if role is guest_role(self.Session()): if role is auth.get_role_anonymous(self.Session()):
return False return False
# only "admin" can delete "admin-ish" roles # only "admin" can delete "admin-ish" roles
@ -186,17 +191,17 @@ class RoleView(PrincipalMasterView):
# session_timeout # session_timeout
f.set_renderer('session_timeout', self.render_session_timeout) f.set_renderer('session_timeout', self.render_session_timeout)
if self.editing and role is guest_role(self.Session()): if self.editing and role is auth.get_role_anonymous(self.Session()):
f.set_readonly('session_timeout') f.set_readonly('session_timeout')
# sync_me, node_type # sync_me, node_type
if not self.creating: if not self.creating:
include = True include = True
if role is administrator_role(self.Session()): if role is auth.get_role_administrator(self.Session()):
include = False include = False
elif role is authenticated_role(self.Session()): elif role is auth.get_role_authenticated(self.Session()):
include = False include = False
elif role is guest_role(self.Session()): elif role is auth.get_role_anonymous(self.Session()):
include = False include = False
if not include: if not include:
f.remove('sync_me', 'sync_users', 'node_type') f.remove('sync_me', 'sync_users', 'node_type')
@ -227,7 +232,7 @@ class RoleView(PrincipalMasterView):
for groupkey in self.tailbone_permissions: for groupkey in self.tailbone_permissions:
for key in self.tailbone_permissions[groupkey]['perms']: for key in self.tailbone_permissions[groupkey]['perms']:
if auth.has_permission(self.Session(), role, key, if auth.has_permission(self.Session(), role, key,
include_guest=False, include_anonymous=False,
include_authenticated=False): include_authenticated=False):
granted.append(key) granted.append(key)
f.set_default('permissions', granted) f.set_default('permissions', granted)
@ -235,12 +240,14 @@ class RoleView(PrincipalMasterView):
f.remove_field('permissions') f.remove_field('permissions')
def render_users(self, role, field): def render_users(self, role, field):
app = self.get_rattail_app()
auth = app.get_auth_handler()
if role is guest_role(self.Session()): if role is auth.get_role_anonymous(self.Session()):
return ("The guest role is implied for all anonymous users, " return ("The guest role is implied for all anonymous users, "
"i.e. when not logged in.") "i.e. when not logged in.")
if role is authenticated_role(self.Session()): if role is auth.get_role_authenticated(self.Session()):
return ("The authenticated role is implied for all users, " return ("The authenticated role is implied for all users, "
"but only when logged in.") "but only when logged in.")
@ -308,7 +315,9 @@ class RoleView(PrincipalMasterView):
return available return available
def render_session_timeout(self, role, field): def render_session_timeout(self, role, field):
if role is guest_role(self.Session()): app = self.get_rattail_app()
auth = app.get_auth_handler()
if role is auth.get_role_anonymous(self.Session()):
return "(not applicable)" return "(not applicable)"
if role.session_timeout is None: if role.session_timeout is None:
return "" return ""
@ -347,6 +356,8 @@ class RoleView(PrincipalMasterView):
auth.revoke_permission(role, pkey) auth.revoke_permission(role, pkey)
def template_kwargs_view(self, **kwargs): def template_kwargs_view(self, **kwargs):
app = self.get_rattail_app()
auth = app.get_auth_handler()
model = self.model model = self.model
role = kwargs['instance'] role = kwargs['instance']
if role.users: if role.users:
@ -362,8 +373,8 @@ class RoleView(PrincipalMasterView):
else: else:
kwargs['users'] = None kwargs['users'] = None
kwargs['guest_role'] = guest_role(self.Session()) kwargs['guest_role'] = auth.get_role_anonymous(self.Session())
kwargs['authenticated_role'] = authenticated_role(self.Session()) kwargs['authenticated_role'] = auth.get_role_authenticated(self.Session())
role = kwargs['instance'] role = kwargs['instance']
if role not in (kwargs['guest_role'], kwargs['authenticated_role']): if role not in (kwargs['guest_role'], kwargs['authenticated_role']):
@ -384,9 +395,11 @@ class RoleView(PrincipalMasterView):
return kwargs return kwargs
def before_delete(self, role): def before_delete(self, role):
admin = administrator_role(self.Session()) app = self.get_rattail_app()
guest = guest_role(self.Session()) auth = app.get_auth_handler()
authenticated = authenticated_role(self.Session()) admin = auth.get_role_administrator(self.Session())
guest = auth.get_role_anonymous(self.Session())
authenticated = auth.get_role_authenticated(self.Session())
if role in (admin, guest, authenticated): if role in (admin, guest, authenticated):
self.request.session.flash("You may not delete the {} role.".format(role.name), 'error') self.request.session.flash("You may not delete the {} role.".format(role.name), 'error')
return self.redirect(self.request.get_referrer(default=self.request.route_url('roles'))) return self.redirect(self.request.get_referrer(default=self.request.route_url('roles')))
@ -402,7 +415,7 @@ class RoleView(PrincipalMasterView):
.options(orm.joinedload(model.Role._permissions)) .options(orm.joinedload(model.Role._permissions))
roles = [] roles = []
for role in all_roles: for role in all_roles:
if auth.has_permission(session, role, permission, include_guest=False): if auth.has_permission(session, role, permission, include_anonymous=False):
roles.append(role) roles.append(role)
return roles return roles
@ -475,7 +488,7 @@ class RoleView(PrincipalMasterView):
# and show an 'X' for any role which has this perm # and show an 'X' for any role which has this perm
for col, role in enumerate(roles, 2): for col, role in enumerate(roles, 2):
if auth.has_permission(self.Session(), role, key, if auth.has_permission(self.Session(), role, key,
include_guest=False): include_anonymous=False):
sheet.cell(row=writing_row, column=col, value="X") sheet.cell(row=writing_row, column=col, value="X")
writing_row += 1 writing_row += 1
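Review bot: The authorization guards in the editable and deletable hunks (`@ -107`, `@ -116` and `@ -139`) compare the role to the handler's result with `is`, so they only hold if `auth.get_role_administrator()`, `get_role_authenticated()` and `get_role_anonymous()` return the very instance in `self.Session()`'s identity map; if the handler loads through another session or returns a detached copy, the "only root can edit Administrator" and "cannot delete built-in roles" checks simply do not apply, without any error. I cannot see the handler, so this may hold today, but comparing by primary key rather than object identity would make the guard independent of that detail. Separately, `app = self.get_rattail_app()` / `auth = app.get_auth_handler()` is now repeated in six methods of this view; a small helper method or a per-request cached attribute would keep it in one place. The `@ -186` hunk uses `auth` without binding it, so it is presumably bound earlier in the enclosing method, outside the hunk.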


@ -279,7 +279,7 @@ class UserView(PrincipalMasterView):
permissions = self.request.registry.settings.get('tailbone_permissions', {}) permissions = self.request.registry.settings.get('tailbone_permissions', {})
f.set_renderer('permissions', PermissionsRenderer(request=self.request, f.set_renderer('permissions', PermissionsRenderer(request=self.request,
permissions=permissions, permissions=permissions,
include_guest=True, include_anonymous=True,
include_authenticated=True)) include_authenticated=True))
else: else:
f.remove('permissions') f.remove('permissions')