##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
permissions: expose new view that lists all available views for usage in whitelist access.
marcink -
r1943:089c11e9 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -0,0 +1,61 b''
1
2
3 <div class="panel panel-default">
4 <div class="panel-heading">
5 <h3 class="panel-title">${_('View whitelist')}</h3>
6 </div>
7 <div class="panel-body">
8 <div class="">
9
10 <p class="pr-description">
11 View white list defines a set of views that can be accessed using auth token without the need to login.
12 Adding ?auth_token = SECRET_TOKEN to the url authenticates this request as if it
13 came from the the logged in user who owns this authentication token.
14
15 E.g. adding `RepoFilesView.repo_file_raw` allows to access a raw diff using such url:
16 http[s]://server.com/{repo_name}/raw/{commit_id}/{file_path}?auth_token=SECRET_TOKEN
17
18 White list can be defined inside `${c.whitelist_file}` under `${c.whitelist_key}=` setting
19
20 Currently under this settings following views are set:
21 </p>
22
23 <pre>
24 % for entry in c.whitelist_views:
25 ${entry}
26 % endfor
27 </pre>
28
29 </div>
30
31 </div>
32 </div>
33
34
35 <div class="panel panel-default">
36 <div class="panel-heading">
37 <h3 class="panel-title">${_('List of views available for usage in whitelist access')}</h3>
38 </div>
39 <div class="panel-body">
40 <div class="">
41
42
43 <table class="rctable ip-whitelist">
44 <tr>
45 <th>Active</th>
46 <th>View FQN</th>
47 <th>URL pattern</th>
48 </tr>
49
50 % for route_name, view_fqn, view_url, active in c.view_data:
51 <tr>
52 <td class="td-x">${h.bool2icon(active)}</td>
53 <td class="td-x">${view_fqn}</td>
54 <td class="td-x" title="${route_name}">${view_url}</td>
55 </tr>
56 % endfor
57 </table>
58 </div>
59
60 </div>
61 </div>
Show file before | Show file after | Hide comments
@@ -201,22 +201,21 b' rss_include_diff = false'
201 ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
201 ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
202 gist_alias_url =
202 gist_alias_url =
203
203
204 ## List of controllers (using glob pattern syntax) that AUTH TOKENS could be
204 ## List of views (using glob pattern syntax) that AUTH TOKENS could be
205 ## used for access.
205 ## used for access.
206 ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
206 ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
207 ## came from the the logged in user who own this authentication token.
207 ## came from the the logged in user who own this authentication token.
208 ##
208 ##
209 ## Syntax is ControllerClass:function_pattern.
209 ## list of all views can be found under `_admin/permissions/auth_token_access`
210 ## To enable access to raw_files put `FilesController:raw`.
211 ## To enable access to patches add `ChangesetController:changeset_patch`.
212 ## The list should be "," separated and on a single line.
210 ## The list should be "," separated and on a single line.
213 ##
211 ##
214 ## Recommended controllers to enable:
212 ## Most common views to enable:
215 # ChangesetController:changeset_patch,
213 # ChangesetController:changeset_patch
216 # ChangesetController:changeset_raw,
214 # ChangesetController:changeset_raw
217 # FilesController:raw,
215 # RepoFilesView.repo_files_diff
218 # FilesController:archivefile,
216 # RepoFilesView.repo_archivefile
219 # GistsController:*,
217 # RepoFilesView.repo_file_raw
218 # GistView:*
220 api_access_controllers_whitelist =
219 api_access_controllers_whitelist =
221
220
222 ## default encoding used to convert from and to unicode
221 ## default encoding used to convert from and to unicode
Show file before | Show file after | Hide comments
@@ -175,22 +175,21 b' rss_include_diff = false'
175 ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
175 ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/{gistid}
176 gist_alias_url =
176 gist_alias_url =
177
177
178 ## List of controllers (using glob pattern syntax) that AUTH TOKENS could be
178 ## List of views (using glob pattern syntax) that AUTH TOKENS could be
179 ## used for access.
179 ## used for access.
180 ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
180 ## Adding ?auth_token=TOKEN_HASH to the url authenticates this request as if it
181 ## came from the the logged in user who own this authentication token.
181 ## came from the the logged in user who own this authentication token.
182 ##
182 ##
183 ## Syntax is ControllerClass:function_pattern.
183 ## list of all views can be found under `_admin/permissions/auth_token_access`
184 ## To enable access to raw_files put `FilesController:raw`.
185 ## To enable access to patches add `ChangesetController:changeset_patch`.
186 ## The list should be "," separated and on a single line.
184 ## The list should be "," separated and on a single line.
187 ##
185 ##
188 ## Recommended controllers to enable:
186 ## Most common views to enable:
189 # ChangesetController:changeset_patch,
187 # ChangesetController:changeset_patch
190 # ChangesetController:changeset_raw,
188 # ChangesetController:changeset_raw
191 # FilesController:raw,
189 # RepoFilesView.repo_files_diff
192 # FilesController:archivefile,
190 # RepoFilesView.repo_archivefile
193 # GistsController:*,
191 # RepoFilesView.repo_file_raw
192 # GistView:*
194 api_access_controllers_whitelist =
193 api_access_controllers_whitelist =
195
194
196 ## default encoding used to convert from and to unicode
195 ## default encoding used to convert from and to unicode
Show file before | Show file after | Hide comments
@@ -102,6 +102,10 b' def admin_routes(config):'
102 name='admin_permissions_overview',
102 name='admin_permissions_overview',
103 pattern='/permissions/overview')
103 pattern='/permissions/overview')
104
104
105 config.add_route(
106 name='admin_permissions_auth_token_access',
107 pattern='/permissions/auth_token_access')
108
105 # users admin
109 # users admin
106 config.add_route(
110 config.add_route(
107 name='users',
111 name='users',
Show file before | Show file after | Hide comments
@@ -18,8 +18,10 b''
18 # RhodeCode Enterprise Edition, including its added features, Support services,
18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20
20
21 import re
21 import logging
22 import logging
22 import formencode
23 import formencode
24 from pyramid.interfaces import IRoutesMapper
23
25
24 from pyramid.view import view_config
26 from pyramid.view import view_config
25 from pyramid.httpexceptions import HTTPFound
27 from pyramid.httpexceptions import HTTPFound
@@ -31,6 +33,7 b' from rhodecode.apps._base import BaseApp'
31 from rhodecode.lib import helpers as h
33 from rhodecode.lib import helpers as h
32 from rhodecode.lib.auth import (
34 from rhodecode.lib.auth import (
33 LoginRequired, HasPermissionAllDecorator, CSRFRequired)
35 LoginRequired, HasPermissionAllDecorator, CSRFRequired)
36 from rhodecode.lib.utils2 import aslist
34 from rhodecode.model.db import User, UserIpMap
37 from rhodecode.model.db import User, UserIpMap
35 from rhodecode.model.forms import (
38 from rhodecode.model.forms import (
36 ApplicationPermissionsForm, ObjectPermissionsForm, UserPermissionsForm)
39 ApplicationPermissionsForm, ObjectPermissionsForm, UserPermissionsForm)
@@ -308,3 +311,59 b' class AdminPermissionsView(BaseAppView):'
308 c.user = User.get_default_user(refresh=True)
311 c.user = User.get_default_user(refresh=True)
309 c.perm_user = c.user.AuthUser
312 c.perm_user = c.user.AuthUser
310 return self._get_template_context(c)
313 return self._get_template_context(c)
314
315 @LoginRequired()
316 @HasPermissionAllDecorator('hg.admin')
317 @view_config(
318 route_name='admin_permissions_auth_token_access', request_method='GET',
319 renderer='rhodecode:templates/admin/permissions/permissions.mako')
320 def auth_token_access(self):
321 from rhodecode import CONFIG
322
323 c = self.load_default_context()
324 c.active = 'auth_token_access'
325
326 c.user = User.get_default_user(refresh=True)
327 c.perm_user = c.user.AuthUser
328
329 mapper = self.request.registry.queryUtility(IRoutesMapper)
330 c.view_data = []
331
332 _argument_prog = re.compile('\{(.*?)\}|:\((.*)\)')
333 introspector = self.request.registry.introspector
334
335 view_intr = {}
336 for view_data in introspector.get_category('views'):
337 intr = view_data['introspectable']
338
339 if 'route_name' in intr and intr['attr']:
340 view_intr[intr['route_name']] = '{}.{}'.format(
341 str(intr['derived_callable'].func_name), intr['attr']
342 )
343
344 c.whitelist_key = 'api_access_controllers_whitelist'
345 c.whitelist_file = CONFIG.get('__file__')
346 whitelist_views = aslist(
347 CONFIG.get(c.whitelist_key), sep=',')
348
349 for route_info in mapper.get_routes():
350 if not route_info.name.startswith('__'):
351 routepath = route_info.pattern
352
353 def replace(matchobj):
354 if matchobj.group(1):
355 return "{%s}" % matchobj.group(1).split(':')[0]
356 else:
357 return "{%s}" % matchobj.group(2)
358
359 routepath = _argument_prog.sub(replace, routepath)
360
361 if not routepath.startswith('/'):
362 routepath = '/' + routepath
363
364 view_fqn = view_intr.get(route_info.name, 'NOT AVAILABLE')
365 active = view_fqn in whitelist_views
366 c.view_data.append((route_info.name, view_fqn, routepath, active))
367
368 c.whitelist_views = whitelist_views
369 return self._get_template_context(c)
Show file before | Show file after | Hide comments
@@ -71,6 +71,7 b' function registerRCRoutes() {'
71 pyroutes.register('admin_permissions_object_update', '/_admin/permissions/object/update', []);
71 pyroutes.register('admin_permissions_object_update', '/_admin/permissions/object/update', []);
72 pyroutes.register('admin_permissions_ips', '/_admin/permissions/ips', []);
72 pyroutes.register('admin_permissions_ips', '/_admin/permissions/ips', []);
73 pyroutes.register('admin_permissions_overview', '/_admin/permissions/overview', []);
73 pyroutes.register('admin_permissions_overview', '/_admin/permissions/overview', []);
74 pyroutes.register('admin_permissions_auth_token_access', '/_admin/permissions/auth_token_access', []);
74 pyroutes.register('users', '/_admin/users', []);
75 pyroutes.register('users', '/_admin/users', []);
75 pyroutes.register('users_data', '/_admin/users_data', []);
76 pyroutes.register('users_data', '/_admin/users_data', []);
76 pyroutes.register('edit_user_auth_tokens', '/_admin/users/%(user_id)s/edit/auth_tokens', ['user_id']);
77 pyroutes.register('edit_user_auth_tokens', '/_admin/users/%(user_id)s/edit/auth_tokens', ['user_id']);
@@ -176,7 +177,7 b' function registerRCRoutes() {'
176 pyroutes.register('my_account_edit', '/_admin/my_account/edit', []);
177 pyroutes.register('my_account_edit', '/_admin/my_account/edit', []);
177 pyroutes.register('my_account_update', '/_admin/my_account/update', []);
178 pyroutes.register('my_account_update', '/_admin/my_account/update', []);
178 pyroutes.register('my_account_password', '/_admin/my_account/password', []);
179 pyroutes.register('my_account_password', '/_admin/my_account/password', []);
179 pyroutes.register('my_account_password_update', '/_admin/my_account/password', []);
180 pyroutes.register('my_account_password_update', '/_admin/my_account/password/update', []);
180 pyroutes.register('my_account_auth_tokens', '/_admin/my_account/auth_tokens', []);
181 pyroutes.register('my_account_auth_tokens', '/_admin/my_account/auth_tokens', []);
181 pyroutes.register('my_account_auth_tokens_add', '/_admin/my_account/auth_tokens/new', []);
182 pyroutes.register('my_account_auth_tokens_add', '/_admin/my_account/auth_tokens/new', []);
182 pyroutes.register('my_account_auth_tokens_delete', '/_admin/my_account/auth_tokens/delete', []);
183 pyroutes.register('my_account_auth_tokens_delete', '/_admin/my_account/auth_tokens/delete', []);
Show file before | Show file after | Hide comments
@@ -41,6 +41,9 b''
41 <li class="${'active' if c.active=='ips' else ''}">
41 <li class="${'active' if c.active=='ips' else ''}">
42 <a href="${h.route_path('admin_permissions_ips')}">${_('IP Whitelist')}</a>
42 <a href="${h.route_path('admin_permissions_ips')}">${_('IP Whitelist')}</a>
43 </li>
43 </li>
44 <li class="${'active' if c.active=='auth_token_access' else ''}">
45 <a href="${h.route_path('admin_permissions_auth_token_access')}">${_('AuthToken Access')}</a>
46 </li>
44 <li class="${'active' if c.active=='perms' else ''}">
47 <li class="${'active' if c.active=='perms' else ''}">
45 <a href="${h.route_path('admin_permissions_overview')}">${_('Overview')}</a>
48 <a href="${h.route_path('admin_permissions_overview')}">${_('Overview')}</a>
46 </li>
49 </li>
General Comments 0
You need to be logged in to leave comments. Login now