fix: use auth handler, avoid legacy calls for role/perm checks
This commit is contained in:
parent
bd1993f440
commit
518c108c88
@ -194,7 +194,7 @@ class PermissionsRenderer(Object):
rendered = False
for key in sorted(perms, key=lambda p: perms[p]['label'].lower()):
checked = auth.has_permission(Session(), principal, key,
include_guest=self.include_guest,
include_anonymous=self.include_guest,
include_authenticated=self.include_authenticated)
if checked:
label = perms[key]['label']
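Review bot: The renderer still reads `self.include_guest` on the `include_anonymous=self.include_guest,` line, while the UserView hunk at the end of the page now constructs `PermissionsRenderer(..., include_anonymous=True, ...)` instead of `include_guest=True`. Unless the renderer's constructor (outside this hunk) accepts `include_anonymous` and stores it as `include_guest`, the guest-implied permissions would be rendered from whatever that attribute defaults to, or the construction would fail on the unexpected keyword; either way the permission display for users could silently diverge from what the auth handler grants. Renaming the attribute to match the handler and passing `include_anonymous=self.include_anonymous,` here, with the constructor accepting both keywords for one release, keeps the two call sites in agreement. The enclosing render method starts before and ends after this hunk.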
@ -30,7 +30,6 @@ from sqlalchemy import orm
from openpyxl.styles import Font, PatternFill
from rattail.db.model import Role
from rattail.db.auth import administrator_role, guest_role, authenticated_role
from rattail.excel import ExcelWriter
import colander
@ -107,8 +106,11 @@ class RoleView(PrincipalMasterView):
if role.node_type and role.node_type != self.rattail_config.node_type():
return False
app = self.get_rattail_app()
auth = app.get_auth_handler()
# only "root" can edit Administrator
if role is administrator_role(self.Session()):
if role is auth.get_role_administrator(self.Session()):
return self.request.is_root
# only "admin" can edit "admin-ish" roles
@ -116,11 +118,11 @@ class RoleView(PrincipalMasterView):
return self.request.is_admin
# can edit Authenticated only if user has permission
if role is authenticated_role(self.Session()):
if role is auth.get_role_authenticated(self.Session()):
return self.has_perm('edit_authenticated')
# can edit Guest only if user has permission
if role is guest_role(self.Session()):
if role is auth.get_role_anonymous(self.Session()):
return self.has_perm('edit_guest')
# current user can edit their own roles, only if they have permission
@ -139,11 +141,14 @@ class RoleView(PrincipalMasterView):
if role.node_type and role.node_type != self.rattail_config.node_type():
return False
if role is administrator_role(self.Session()):
app = self.get_rattail_app()
auth = app.get_auth_handler()
if role is auth.get_role_administrator(self.Session()):
return False
if role is authenticated_role(self.Session()):
if role is auth.get_role_authenticated(self.Session()):
return False
if role is guest_role(self.Session()):
if role is auth.get_role_anonymous(self.Session()):
return False
# only "admin" can delete "admin-ish" roles
@ -186,17 +191,17 @@ class RoleView(PrincipalMasterView):
# session_timeout
f.set_renderer('session_timeout', self.render_session_timeout)
if self.editing and role is guest_role(self.Session()):
if self.editing and role is auth.get_role_anonymous(self.Session()):
f.set_readonly('session_timeout')
# sync_me, node_type
if not self.creating:
include = True
if role is administrator_role(self.Session()):
if role is auth.get_role_administrator(self.Session()):
include = False
elif role is authenticated_role(self.Session()):
elif role is auth.get_role_authenticated(self.Session()):
include = False
elif role is guest_role(self.Session()):
elif role is auth.get_role_anonymous(self.Session()):
include = False
if not include:
f.remove('sync_me', 'sync_users', 'node_type')
@ -227,7 +232,7 @@ class RoleView(PrincipalMasterView):
for groupkey in self.tailbone_permissions:
for key in self.tailbone_permissions[groupkey]['perms']:
if auth.has_permission(self.Session(), role, key,
include_guest=False,
include_anonymous=False,
include_authenticated=False):
granted.append(key)
f.set_default('permissions', granted)
@ -235,12 +240,14 @@ class RoleView(PrincipalMasterView):
f.remove_field('permissions')
def render_users(self, role, field):
app = self.get_rattail_app()
auth = app.get_auth_handler()
if role is guest_role(self.Session()):
if role is auth.get_role_anonymous(self.Session()):
return ("The guest role is implied for all anonymous users, "
"i.e. when not logged in.")
if role is authenticated_role(self.Session()):
if role is auth.get_role_authenticated(self.Session()):
return ("The authenticated role is implied for all users, "
"but only when logged in.")
@ -308,7 +315,9 @@ class RoleView(PrincipalMasterView):
return available
def render_session_timeout(self, role, field):
if role is guest_role(self.Session()):
app = self.get_rattail_app()
auth = app.get_auth_handler()
if role is auth.get_role_anonymous(self.Session()):
return "(not applicable)"
if role.session_timeout is None:
return ""
@ -347,6 +356,8 @@ class RoleView(PrincipalMasterView):
auth.revoke_permission(role, pkey)
def template_kwargs_view(self, **kwargs):
app = self.get_rattail_app()
auth = app.get_auth_handler()
model = self.model
role = kwargs['instance']
if role.users:
@ -362,8 +373,8 @@ class RoleView(PrincipalMasterView):
else:
kwargs['users'] = None
kwargs['guest_role'] = guest_role(self.Session())
kwargs['authenticated_role'] = authenticated_role(self.Session())
kwargs['guest_role'] = auth.get_role_anonymous(self.Session())
kwargs['authenticated_role'] = auth.get_role_authenticated(self.Session())
role = kwargs['instance']
if role not in (kwargs['guest_role'], kwargs['authenticated_role']):
@ -384,9 +395,11 @@ class RoleView(PrincipalMasterView):
return kwargs
def before_delete(self, role):
admin = administrator_role(self.Session())
guest = guest_role(self.Session())
authenticated = authenticated_role(self.Session())
app = self.get_rattail_app()
auth = app.get_auth_handler()
admin = auth.get_role_administrator(self.Session())
guest = auth.get_role_anonymous(self.Session())
authenticated = auth.get_role_authenticated(self.Session())
if role in (admin, guest, authenticated):
self.request.session.flash("You may not delete the {} role.".format(role.name), 'error')
return self.redirect(self.request.get_referrer(default=self.request.route_url('roles')))
@ -402,7 +415,7 @@ class RoleView(PrincipalMasterView):
.options(orm.joinedload(model.Role._permissions))
roles = []
for role in all_roles:
if auth.has_permission(session, role, permission, include_guest=False):
if auth.has_permission(session, role, permission, include_anonymous=False):
roles.append(role)
return roles
@ -475,7 +488,7 @@ class RoleView(PrincipalMasterView):
# and show an 'X' for any role which has this perm
for col, role in enumerate(roles, 2):
if auth.has_permission(self.Session(), role, key,
include_guest=False):
include_anonymous=False):
sheet.cell(row=writing_row, column=col, value="X")
writing_row += 1
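Review bot: The guard in `editable()` at `if role is auth.get_role_administrator(self.Session()):` (and the same pattern in the `deletable()`, `configure_form()`, `render_users()` and `render_session_timeout()` hunks below) compares by object identity, so the "only root can edit Administrator" rule holds only if the auth handler hands back the identity-mapped instance from that same Session; if it ever returned a freshly loaded or detached object the comparison would be False and the check would fall through to the weaker rules, i.e. fail open. That was equally true of the legacy helpers, but routing through `get_auth_handler()` makes it an implicit contract worth pinning, either with a comment such as `# identity check: the handler must query the same Session, else this silently fails open` or by comparing a stable key, and `before_delete()` already uses membership (`role in (admin, guest, authenticated)`), so the two styles should agree. The `app = self.get_rattail_app()` / `auth = app.get_auth_handler()` pair is now repeated in five methods and could be a single cached property on the view. Every method touched in this section starts or ends outside its hunk.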
@ -279,7 +279,7 @@ class UserView(PrincipalMasterView):
permissions = self.request.registry.settings.get('tailbone_permissions', {})
f.set_renderer('permissions', PermissionsRenderer(request=self.request,
permissions=permissions,
include_guest=True,
include_anonymous=True,
include_authenticated=True))
else:
f.remove('permissions')