upstream/kallithea Commit - r239:b18f89d6

Adde draft for permissions systems, made all needed decorators, and checks. For future usage in the system.

marcink -

r239:b18f89d6 default

parent child

pylons_app/config/environment.py

0 +8 -6

             """Pylons environment configuration"""
-            import logging
-            import os
             from mako.lookup import TemplateLookup
             from pylons.configuration import PylonsConfig
             from pylons.error import handle_mako_error
+            from pylons_app.config.routing import make_map
+            from pylons_app.lib.auth import set_available_permissions
+            from pylons_app.model import init_model
             from sqlalchemy import engine_from_config
+            import logging
+            import os
             import pylons_app.lib.app_globals as app_globals
             import pylons_app.lib.helpers
-            from pylons_app.config.routing import make_map
-            from pylons_app.model import init_model
             log = logging.getLogger(__name__)
                 init_model(sa_engine_db1)
+                set_available_permissions(config)
                 # CONFIGURATION OPTIONS HERE (note: all config options will override
                 # any Pylons config options)

pylons_app/controllers/users.py

0 +3 -2

             from pylons.i18n.translation import _
             from pylons_app.lib import helpers as h
             from pylons.controllers.util import abort, redirect
-            from pylons_app.lib.auth import LoginRequired
+            from pylons_app.lib.auth import LoginRequired, CheckPermissionAll
             from pylons_app.lib.base import BaseController, render
             from pylons_app.model.db import User, UserLog
             from pylons_app.model.forms import UserForm
                     c.admin_user = session.get('admin_user')
                     c.admin_username = session.get('admin_username')
                     super(UsersController, self).__before__()
                 def index(self, format='html'):
                     """GET /users: All items in the collection"""
                     # url('users')

pylons_app/lib/app_globals.py

0 +1 0

                     self.paths = self.baseui.configitems('paths')
                     self.base_path = self.paths[0][1].replace('*', '')
                     self.changeset_annotation_colors = {}
+                    self.available_permissions = None # propagated after init_model

pylons_app/lib/auth.py

0 +80 -2

@@ -1,5 +1,5 b''
1	from functools import wraps	1	from functools import wraps
2	from pylons import session, url	2	from pylons import session, url, app_globals as g
3	from pylons.controllers.util import abort, redirect	3	from pylons.controllers.util import abort, redirect
4	from pylons_app.model import meta	4	from pylons_app.model import meta
5	from pylons_app.model.db import User	5	from pylons_app.model.db import User
@@ -47,7 +47,26 b' class AuthUser(object):'
47		47
48	def __init__(self):	48	def __init__(self):
49	pass	49	pass
50		50
		51
		52
		53	def set_available_permissions(config):
		54	"""
		55	This function will propagate pylons globals with all available defined
		56	permission given in db. We don't wannt to check each time from db for new
		57	permissions since adding a new permission also requires application restart
		58	ie. to decorate new views with the newly created permission
		59	@param config:
		60	"""
		61	from pylons_app.model.meta import Session
		62	from pylons_app.model.db import Permission
		63	logging.info('getting information about all available permissions')
		64	sa = Session()
		65	all_perms = sa.query(Permission).all()
		66	config['pylons.app_globals'].available_permissions = [x.permission_name for x in all_perms]
		67
		68
		69
51	#===============================================================================	70	#===============================================================================
52	# DECORATORS	71	# DECORATORS
53	#===============================================================================	72	#===============================================================================
@@ -73,3 +92,62 b' class LoginRequired(object):'
73	return redirect(url('login_home'))	92	return redirect(url('login_home'))
74		93
75	return _wrapper	94	return _wrapper
		95
		96	class PermsDecorator(object):
		97
		98	def __init__(self, *perms):
		99	available_perms = g.available_permissions
		100	for perm in perms:
		101	if perm not in available_perms:
		102	raise Exception("'%s' permission in not defined" % perm)
		103	self.required_perms = set(perms)
		104	self.user_perms = set([])#propagate this list from somewhere.
		105
		106	def __call__(self, func):
		107	@wraps(func)
		108	def _wrapper(args, *kwargs):
		109	logging.info('checking %s permissions %s for %s',
		110	self.__class__.__name__[-3:], self.required_perms, func.__name__)
		111
		112	if self.check_permissions():
		113	logging.info('Permission granted for %s', func.__name__)
		114	return func(args, *kwargs)
		115
		116	else:
		117	logging.warning('Permission denied for %s', func.__name__)
		118	#redirect with forbidden ret code
		119	return redirect(url('access_denied'), 403)
		120	return _wrapper
		121
		122
		123	def check_permissions(self):
		124	"""
		125	Dummy function for overiding
		126	"""
		127	raise Exception('You have to write this function in child class')
		128
		129	class CheckPermissionAll(PermsDecorator):
		130	"""
		131	Checks for access permission for all given predicates. All of them have to
		132	be meet in order to fulfill the request
		133	"""
		134
		135	def check_permissions(self):
		136	if self.required_perms.issubset(self.user_perms):
		137	return True
		138	return False
		139
		140
		141	class CheckPermissionAny(PermsDecorator):
		142	"""
		143	Checks for access permission for any of given predicates. In order to
		144	fulfill the request any of predicates must be meet
		145	"""
		146
		147	def check_permissions(self):
		148	if self.required_perms.intersection(self.user_perms):
		149	return True
		150	return False
		151
		152
		153

pylons_app/lib/db_manage.py

0 +26 -8

@@ -1,17 +1,16 b''
		1	from os.path import dirname as dn, join as jn
		2	from pylons_app.lib.auth import get_crypt_password
		3	from pylons_app.model import init_model
		4	from pylons_app.model.db import User, Permission
		5	from pylons_app.model.meta import Session, Base
		6	from sqlalchemy.engine import create_engine
1	import logging	7	import logging
2	from os.path import dirname as dn
3	from os.path import join as jn
4	from sqlalchemy.engine import create_engine
5	import os	8	import os
6	import sys	9	import sys
7	ROOT = dn(dn(dn(os.path.realpath(__file__))))	10	ROOT = dn(dn(dn(os.path.realpath(__file__))))
8	sys.path.append(ROOT)	11	sys.path.append(ROOT)
9		12
10	from pylons_app.model.db import User
11	from pylons_app.model.meta import Session, Base
12		13
13	from pylons_app.lib.auth import get_crypt_password
14	from pylons_app.model import init_model
15		14
16	log = logging.getLogger('db manage')	15	log = logging.getLogger('db manage')
17	log.setLevel(logging.DEBUG)	16	log.setLevel(logging.DEBUG)
@@ -68,9 +67,28 b' class DbManage(object):'
68	self.sa.rollback()	67	self.sa.rollback()
69	raise	68	raise
70		69
		70	def create_permissions(self):
		71	perms = [('can_view_admin_users', 'Access to admin user view'),
		72
		73	]
		74
		75	for p in perms:
		76	new_perm = Permission()
		77	new_perm.permission_name = p[0]
		78	new_perm.permission_longname = p[1]
		79	try:
		80	self.sa.add(new_perm)
		81	self.sa.commit()
		82	except:
		83	self.sa.rollback()
		84	raise
		85
		86
		87
71	if __name__ == '__main__':	88	if __name__ == '__main__':
72	dbmanage = DbManage(log_sql=True)	89	dbmanage = DbManage(log_sql=True)
73	dbmanage.create_tables(override=True)	90	dbmanage.create_tables(override=True)
74	dbmanage.admin_prompt()	91	dbmanage.admin_prompt()
		92	dbmanage.create_permissions()
75		93
76		94

pylons_app/model/db.py

0 +2 -1

                 __table_args__ = {'useexisting':True}
                 permission_id = Column("id", INTEGER(), nullable=False, unique=True, default=None, primary_key=1)
                 permission_name = Column("permission_name", TEXT(length=None, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)
+                permission_longname = Column("permission_longname", TEXT(length=None, convert_unicode=False, assert_unicode=None), nullable=True, unique=None, default=None)
                 def __repr__(self):
                     return "<Permission('%s:%s')>" % (self.permission_id, self.permission_name)

pylons_app/templates/admin/admin.html

0 +6 -11

@@ -12,15 +12,10 b''
12	${self.submenu('')}	12	${self.submenu('')}
13	</%def>	13	</%def>
14	<%def name="main()">	14	<%def name="main()">
15	%if c.admin_user:	15	<div>
16	<div>	16	<h2>Welcome ${c.admin_username}</h2>
17	<h2>Welcome ${c.admin_username}</h2>	17	<div id="user_log">
18	<div id="user_log">	18	${c.log_data}
19	${c.log_data}	19	</div>
20	</div>	20	</div>
21	</div>
22	%else:
23	<h2>${_('Sorry only admin users can acces this area')}</h2>
24	%endif
25
26	</%def> No newline at end of file	21	</%def>

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages