api: added audit logs for user-group related calls....
marcink -
r2686:7f25a959 default
@@ -638,8 +638,18 b' def grant_user_permission_to_user_group('
638 638 perm = get_perm_or_error(perm, prefix='usergroup.')
639 639
640 640 try:
641 UserGroupModel().grant_user_permission(
641 changes = UserGroupModel().grant_user_permission(
642 642 user_group=user_group, user=user, perm=perm)
643
644 action_data = {
645 'added': changes['added'],
646 'updated': changes['updated'],
647 'deleted': changes['deleted'],
648 }
649 audit_logger.store_api(
650 'user_group.edit.permissions', action_data=action_data,
651 user=apiuser)
652
643 653 Session().commit()
644 654 return {
645 655 'msg':
@@ -698,8 +708,17 b' def revoke_user_permission_from_user_gro'
698 708 user = get_user_or_error(userid)
699 709
700 710 try:
701 UserGroupModel().revoke_user_permission(
711 changes = UserGroupModel().revoke_user_permission(
702 712 user_group=user_group, user=user)
713 action_data = {
714 'added': changes['added'],
715 'updated': changes['updated'],
716 'deleted': changes['deleted'],
717 }
718 audit_logger.store_api(
719 'user_group.edit.permissions', action_data=action_data,
720 user=apiuser)
721
703 722 Session().commit()
704 723 return {
705 724 'msg': 'Revoked perm for user: `%s` in user group: `%s`' % (
@@ -764,11 +783,20 b' def grant_user_group_permission_to_user_'
764 783 'user group `%s` does not exist' % (sourceusergroupid,))
765 784
766 785 try:
767 UserGroupModel().grant_user_group_permission(
786 changes = UserGroupModel().grant_user_group_permission(
768 787 target_user_group=target_user_group,
769 788 user_group=user_group, perm=perm)
789
790 action_data = {
791 'added': changes['added'],
792 'updated': changes['updated'],
793 'deleted': changes['deleted'],
794 }
795 audit_logger.store_api(
796 'user_group.edit.permissions', action_data=action_data,
797 user=apiuser)
798
770 799 Session().commit()
771
772 800 return {
773 801 'msg': 'Granted perm: `%s` for user group: `%s` '
774 802 'in user group: `%s`' % (
@@ -835,8 +863,17 b' def revoke_user_group_permission_from_us'
835 863 'user group `%s` does not exist' % (sourceusergroupid,))
836 864
837 865 try:
838 UserGroupModel().revoke_user_group_permission(
866 changes = UserGroupModel().revoke_user_group_permission(
839 867 target_user_group=target_user_group, user_group=user_group)
868 action_data = {
869 'added': changes['added'],
870 'updated': changes['updated'],
871 'deleted': changes['deleted'],
872 }
873 audit_logger.store_api(
874 'user_group.edit.permissions', action_data=action_data,
875 user=apiuser)
876
840 877 Session().commit()
841 878
842 879 return {
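Review bot: Each of the four API functions calls `audit_logger.store_api(...)` before `Session().commit()`, and nothing visible here shows whether the audit row joins that same transaction. If `store_api` commits on its own, a later failure in `Session().commit()` would leave an audit entry for a permission change that never took effect; if it only adds to the session, the two are atomic and the order is fine. It is worth confirming this and stating it in a comment above the call, e.g. `# audit entry is flushed by the Session().commit() below, together with the permission change`. The `action_data` dict also copies exactly the three keys `changes` already has, so `action_data=changes` would remove four identical blocks. The enclosing try/except of each function continues outside the hunks.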
@@ -80,6 +80,7 b' class UserGroupModel(BaseModel):'
80 80 'updated': [],
81 81 'deleted': []
82 82 }
83 change_obj = user_group.get_api_data()
83 84 # update permissions
84 85 for member_id, perm, member_type in perm_updates:
85 86 member_id = int(member_id)
@@ -97,7 +98,9 b' class UserGroupModel(BaseModel):'
97 98 self.grant_user_group_permission(
98 99 target_user_group=user_group, user_group=member_id, perm=perm)
99 100
100 changes['updated'].append({'type': member_type, 'id': member_id,
101 changes['updated'].append({
102 'change_obj': change_obj,
103 'type': member_type, 'id': member_id,
101 104 'name': member_name, 'new_perm': perm})
102 105
103 106 # set new permissions
@@ -115,7 +118,9 b' class UserGroupModel(BaseModel):'
115 118 self.grant_user_group_permission(
116 119 target_user_group=user_group, user_group=member_id, perm=perm)
117 120
118 changes['added'].append({'type': member_type, 'id': member_id,
121 changes['added'].append({
122 'change_obj': change_obj,
123 'type': member_type, 'id': member_id,
119 124 'name': member_name, 'new_perm': perm})
120 125
121 126 # delete permissions
@@ -132,8 +137,11 b' class UserGroupModel(BaseModel):'
132 137 self.revoke_user_group_permission(
133 138 target_user_group=user_group, user_group=member_id)
134 139
135 changes['deleted'].append({'type': member_type, 'id': member_id,
140 changes['deleted'].append({
141 'change_obj': change_obj,
142 'type': member_type, 'id': member_id,
136 143 'name': member_name, 'new_perm': perm})
144
137 145 return changes
138 146
139 147 def get(self, user_group_id, cache=False):
@@ -400,10 +408,18 b' class UserGroupModel(BaseModel):'
400 408 :param user: Instance of User, user_id or username
401 409 :param perm: Instance of Permission, or permission_name
402 410 """
411 changes = {
412 'added': [],
413 'updated': [],
414 'deleted': []
415 }
403 416
404 417 user_group = self._get_user_group(user_group)
405 418 user = self._get_user(user)
406 419 permission = self._get_perm(perm)
420 perm_name = permission.permission_name
421 member_id = user.user_id
422 member_name = user.username
407 423
408 424 # check if we have that permission already
409 425 obj = self.sa.query(UserUserGroupToPerm)\
@@ -422,7 +438,12 b' class UserGroupModel(BaseModel):'
422 438 'granted permission: {} to user: {} on usergroup: {}'.format(
423 439 perm, user, user_group), namespace='security.usergroup')
424 440
425 return obj
441 changes['added'].append({
442 'change_obj': user_group.get_api_data(),
443 'type': 'user', 'id': member_id,
444 'name': member_name, 'new_perm': perm_name})
445
446 return changes
426 447
427 448 def revoke_user_permission(self, user_group, user):
428 449 """
@@ -432,9 +453,17 b' class UserGroupModel(BaseModel):'
432 453 or users_group name
433 454 :param user: Instance of User, user_id or username
434 455 """
456 changes = {
457 'added': [],
458 'updated': [],
459 'deleted': []
460 }
435 461
436 462 user_group = self._get_user_group(user_group)
437 463 user = self._get_user(user)
464 perm_name = 'usergroup.none'
465 member_id = user.user_id
466 member_name = user.username
438 467
439 468 obj = self.sa.query(UserUserGroupToPerm)\
440 469 .filter(UserUserGroupToPerm.user == user)\
@@ -447,6 +476,13 b' class UserGroupModel(BaseModel):'
447 476 'revoked permission from user: {} on usergroup: {}'.format(
448 477 user, user_group), namespace='security.usergroup')
449 478
479 changes['deleted'].append({
480 'change_obj': user_group.get_api_data(),
481 'type': 'user', 'id': member_id,
482 'name': member_name, 'new_perm': perm_name})
483
484 return changes
485
450 486 def grant_user_group_permission(self, target_user_group, user_group, perm):
451 487 """
452 488 Grant user group permission for given target_user_group
@@ -455,9 +491,19 b' class UserGroupModel(BaseModel):'
455 491 :param user_group:
456 492 :param perm:
457 493 """
494 changes = {
495 'added': [],
496 'updated': [],
497 'deleted': []
498 }
499
458 500 target_user_group = self._get_user_group(target_user_group)
459 501 user_group = self._get_user_group(user_group)
460 502 permission = self._get_perm(perm)
503 perm_name = permission.permission_name
504 member_id = user_group.users_group_id
505 member_name = user_group.users_group_name
506
461 507 # forbid assigning same user group to itself
462 508 if target_user_group == user_group:
463 509 raise RepoGroupAssignmentError('target repo:%s cannot be '
@@ -482,7 +528,12 b' class UserGroupModel(BaseModel):'
482 528 perm, user_group, target_user_group),
483 529 namespace='security.usergroup')
484 530
485 return obj
531 changes['added'].append({
532 'change_obj': target_user_group.get_api_data(),
533 'type': 'user_group', 'id': member_id,
534 'name': member_name, 'new_perm': perm_name})
535
536 return changes
486 537
487 538 def revoke_user_group_permission(self, target_user_group, user_group):
488 539 """
@@ -491,8 +542,17 b' class UserGroupModel(BaseModel):'
491 542 :param target_user_group:
492 543 :param user_group:
493 544 """
545 changes = {
546 'added': [],
547 'updated': [],
548 'deleted': []
549 }
550
494 551 target_user_group = self._get_user_group(target_user_group)
495 552 user_group = self._get_user_group(user_group)
553 perm_name = 'usergroup.none'
554 member_id = user_group.users_group_id
555 member_name = user_group.users_group_name
496 556
497 557 obj = self.sa.query(UserGroupUserGroupToPerm)\
498 558 .filter(UserGroupUserGroupToPerm.target_user_group == target_user_group)\
@@ -507,6 +567,13 b' class UserGroupModel(BaseModel):'
507 567 user_group, target_user_group),
508 568 namespace='security.repogroup')
509 569
570 changes['deleted'].append({
571 'change_obj': target_user_group.get_api_data(),
572 'type': 'user_group', 'id': member_id,
573 'name': member_name, 'new_perm': perm_name})
574
575 return changes
576
510 577 def get_perms_summary(self, user_group_id):
511 578 permissions = {
512 579 'repositories': {},
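Review bot: `grant_user_permission` always appends to `changes['added']`, although the lookup under `# check if we have that permission already` suggests an existing row can be reused, in which case the call changes a permission rather than adding one. The branch itself is outside the hunk, so this is inferred, but if it holds, the audit trail cannot tell a first grant from a change of an existing permission and never records the previous value. Consider remembering whether the row existed and using `changes['updated' if existed else 'added'].append({...})`, with the old permission name included in the entry. `grant_user_group_permission` has the same pattern, and both functions now return `changes` instead of `obj`, so any caller that used the returned row needs checking.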