fix: use auth handler, avoid legacy calls for role/perm checks
parent
bd1993f440
commit
518c108c88
@ -194,7 +194,7 @@ class PermissionsRenderer(Object):
rendered = False
rendered = False
for key in sorted(perms, key=lambda p: perms[p]['label'].lower()):
for key in sorted(perms, key=lambda p: perms[p]['label'].lower()):
checked = auth.has_permission(Session(), principal, key,
checked = auth.has_permission(Session(), principal, key,
include_guest=self.include_guest,
include_anonymous=self.include_guest,
include_authenticated=self.include_authenticated)
include_authenticated=self.include_authenticated)
if checked:
if checked:
label = perms[key]['label']
label = perms[key]['label']
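Review bot: `include_anonymous=self.include_guest,` forwards the renderer's attribute under the new keyword while the attribute itself keeps the old name, and the UserView hunk at `@ -279,7 +279,7` now constructs `PermissionsRenderer(..., include_anonymous=True, ...)`. The constructor is outside this hunk, so one of two things must hold: either it was updated to store `include_anonymous`, in which case `self.include_guest` here raises AttributeError at render time, or it was not, in which case the UserView call site passes a keyword the renderer does not recognise. Renaming the attribute to match, `include_anonymous=self.include_anonymous,`, and accepting `include_guest` in `__init__` as a deprecated alias that sets `include_anonymous` keeps both call sites working. The enclosing render method starts and ends outside this hunk.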
@ -30,7 +30,6 @@ from sqlalchemy import orm
from openpyxl.styles import Font, PatternFill
from openpyxl.styles import Font, PatternFill
from rattail.db.model import Role
from rattail.db.model import Role
from rattail.db.auth import administrator_role, guest_role, authenticated_role
from rattail.excel import ExcelWriter
from rattail.excel import ExcelWriter
import colander
import colander
@ -107,8 +106,11 @@ class RoleView(PrincipalMasterView):
if role.node_type and role.node_type != self.rattail_config.node_type():
if role.node_type and role.node_type != self.rattail_config.node_type():
return False
return False
app = self.get_rattail_app()
auth = app.get_auth_handler()
# only "root" can edit Administrator
# only "root" can edit Administrator
if role is administrator_role(self.Session()):
if role is auth.get_role_administrator(self.Session()):
return self.request.is_root
return self.request.is_root
# only "admin" can edit "admin-ish" roles
# only "admin" can edit "admin-ish" roles
@ -116,11 +118,11 @@ class RoleView(PrincipalMasterView):
return self.request.is_admin
return self.request.is_admin
# can edit Authenticated only if user has permission
# can edit Authenticated only if user has permission
if role is authenticated_role(self.Session()):
if role is auth.get_role_authenticated(self.Session()):
return self.has_perm('edit_authenticated')
return self.has_perm('edit_authenticated')
# can edit Guest only if user has permission
# can edit Guest only if user has permission
if role is guest_role(self.Session()):
if role is auth.get_role_anonymous(self.Session()):
return self.has_perm('edit_guest')
return self.has_perm('edit_guest')
# current user can edit their own roles, only if they have permission
# current user can edit their own roles, only if they have permission
@ -139,11 +141,14 @@ class RoleView(PrincipalMasterView):
if role.node_type and role.node_type != self.rattail_config.node_type():
if role.node_type and role.node_type != self.rattail_config.node_type():
return False
return False
if role is administrator_role(self.Session()):
app = self.get_rattail_app()
auth = app.get_auth_handler()
if role is auth.get_role_administrator(self.Session()):
return False
return False
if role is authenticated_role(self.Session()):
if role is auth.get_role_authenticated(self.Session()):
return False
return False
if role is guest_role(self.Session()):
if role is auth.get_role_anonymous(self.Session()):
return False
return False
# only "admin" can delete "admin-ish" roles
# only "admin" can delete "admin-ish" roles
@ -186,17 +191,17 @@ class RoleView(PrincipalMasterView):
# session_timeout
# session_timeout
f.set_renderer('session_timeout', self.render_session_timeout)
f.set_renderer('session_timeout', self.render_session_timeout)
if self.editing and role is guest_role(self.Session()):
if self.editing and role is auth.get_role_anonymous(self.Session()):
f.set_readonly('session_timeout')
f.set_readonly('session_timeout')
# sync_me, node_type
# sync_me, node_type
if not self.creating:
if not self.creating:
include = True
include = True
if role is administrator_role(self.Session()):
if role is auth.get_role_administrator(self.Session()):
include = False
include = False
elif role is authenticated_role(self.Session()):
elif role is auth.get_role_authenticated(self.Session()):
include = False
include = False
elif role is guest_role(self.Session()):
elif role is auth.get_role_anonymous(self.Session()):
include = False
include = False
if not include:
if not include:
f.remove('sync_me', 'sync_users', 'node_type')
f.remove('sync_me', 'sync_users', 'node_type')
@ -227,7 +232,7 @@ class RoleView(PrincipalMasterView):
for groupkey in self.tailbone_permissions:
for groupkey in self.tailbone_permissions:
for key in self.tailbone_permissions[groupkey]['perms']:
for key in self.tailbone_permissions[groupkey]['perms']:
if auth.has_permission(self.Session(), role, key,
if auth.has_permission(self.Session(), role, key,
include_guest=False,
include_anonymous=False,
include_authenticated=False):
include_authenticated=False):
granted.append(key)
granted.append(key)
f.set_default('permissions', granted)
f.set_default('permissions', granted)
@ -235,12 +240,14 @@ class RoleView(PrincipalMasterView):
f.remove_field('permissions')
f.remove_field('permissions')
def render_users(self, role, field):
def render_users(self, role, field):
app = self.get_rattail_app()
auth = app.get_auth_handler()
if role is guest_role(self.Session()):
if role is auth.get_role_anonymous(self.Session()):
return ("The guest role is implied for all anonymous users, "
return ("The guest role is implied for all anonymous users, "
"i.e. when not logged in.")
"i.e. when not logged in.")
if role is authenticated_role(self.Session()):
if role is auth.get_role_authenticated(self.Session()):
return ("The authenticated role is implied for all users, "
return ("The authenticated role is implied for all users, "
"but only when logged in.")
"but only when logged in.")
@ -308,7 +315,9 @@ class RoleView(PrincipalMasterView):
return available
return available
def render_session_timeout(self, role, field):
def render_session_timeout(self, role, field):
if role is guest_role(self.Session()):
app = self.get_rattail_app()
auth = app.get_auth_handler()
if role is auth.get_role_anonymous(self.Session()):
return "(not applicable)"
return "(not applicable)"
if role.session_timeout is None:
if role.session_timeout is None:
return ""
return ""
@ -347,6 +356,8 @@ class RoleView(PrincipalMasterView):
auth.revoke_permission(role, pkey)
auth.revoke_permission(role, pkey)
def template_kwargs_view(self, **kwargs):
def template_kwargs_view(self, **kwargs):
app = self.get_rattail_app()
auth = app.get_auth_handler()
model = self.model
model = self.model
role = kwargs['instance']
role = kwargs['instance']
if role.users:
if role.users:
@ -362,8 +373,8 @@ class RoleView(PrincipalMasterView):
else:
else:
kwargs['users'] = None
kwargs['users'] = None
kwargs['guest_role'] = guest_role(self.Session())
kwargs['guest_role'] = auth.get_role_anonymous(self.Session())
kwargs['authenticated_role'] = authenticated_role(self.Session())
kwargs['authenticated_role'] = auth.get_role_authenticated(self.Session())
role = kwargs['instance']
role = kwargs['instance']
if role not in (kwargs['guest_role'], kwargs['authenticated_role']):
if role not in (kwargs['guest_role'], kwargs['authenticated_role']):
@ -384,9 +395,11 @@ class RoleView(PrincipalMasterView):
return kwargs
return kwargs
def before_delete(self, role):
def before_delete(self, role):
admin = administrator_role(self.Session())
app = self.get_rattail_app()
guest = guest_role(self.Session())
auth = app.get_auth_handler()
authenticated = authenticated_role(self.Session())
admin = auth.get_role_administrator(self.Session())
guest = auth.get_role_anonymous(self.Session())
authenticated = auth.get_role_authenticated(self.Session())
if role in (admin, guest, authenticated):
if role in (admin, guest, authenticated):
self.request.session.flash("You may not delete the {} role.".format(role.name), 'error')
self.request.session.flash("You may not delete the {} role.".format(role.name), 'error')
return self.redirect(self.request.get_referrer(default=self.request.route_url('roles')))
return self.redirect(self.request.get_referrer(default=self.request.route_url('roles')))
@ -402,7 +415,7 @@ class RoleView(PrincipalMasterView):
.options(orm.joinedload(model.Role._permissions))
.options(orm.joinedload(model.Role._permissions))
roles = []
roles = []
for role in all_roles:
for role in all_roles:
if auth.has_permission(session, role, permission, include_guest=False):
if auth.has_permission(session, role, permission, include_anonymous=False):
roles.append(role)
roles.append(role)
return roles
return roles
@ -475,7 +488,7 @@ class RoleView(PrincipalMasterView):
# and show an 'X' for any role which has this perm
# and show an 'X' for any role which has this perm
for col, role in enumerate(roles, 2):
for col, role in enumerate(roles, 2):
if auth.has_permission(self.Session(), role, key,
if auth.has_permission(self.Session(), role, key,
include_guest=False):
include_anonymous=False):
sheet.cell(row=writing_row, column=col, value="X")
sheet.cell(row=writing_row, column=col, value="X")
writing_row += 1
writing_row += 1
@ -279,7 +279,7 @@ class UserView(PrincipalMasterView):
permissions = self.request.registry.settings.get('tailbone_permissions', {})
permissions = self.request.registry.settings.get('tailbone_permissions', {})
f.set_renderer('permissions', PermissionsRenderer(request=self.request,
f.set_renderer('permissions', PermissionsRenderer(request=self.request,
permissions=permissions,
permissions=permissions,
include_guest=True,
include_anonymous=True,
include_authenticated=True))
include_authenticated=True))
else:
else:
f.remove('permissions')
f.remove('permissions')