renamed permissions; server-side permissio check

2016-05-29 14:06:34 +02:00 · 2016-05-29 14:06:34 +02:00 · bdcd1b1410
commit bdcd1b1410
parent 495f1a6b57
3 changed files with 43 additions and 18 deletions
--- a/angular_app/index.html
+++ b/angular_app/index.html
@ -52,7 +52,7 @@
                    <div ng-if="logo.imgURL" class="navbar-brand"><a ng-if="logo.link" href="{{logo.link}}" target="_blank"><img src="{{logo.imgURL}}" /></a></div>
                    <ul class="nav navbar-nav">
                        <li ng-class="{active: isActive('/events') || isActive('/event')}"><a ui-sref="events">{{'Events' | translate}}</a></li>
-                        <li ng-if="requires('admin')" ng-class="{active: isActive('/persons') ||  isActive('/person') || isActive('/import/persons')}"><a ui-sref="persons">{{'Persons' | translate}}</a></li>
+                        <li ng-if="hasPermission('persons:get')" ng-class="{active: isActive('/persons') ||  isActive('/person') || isActive('/import/persons')}"><a ui-sref="persons">{{'Persons' | translate}}</a></li>
                    </ul>
                </div>
                <div class="collapse navbar-collapse">
--- a/angular_app/js/app.js
+++ b/angular_app/js/app.js
@ -58,21 +58,25 @@ eventManApp.run(['$rootScope', '$state', '$stateParams', '$log', 'Info',
        };

        /* Check GUI privileges. */
-        $rootScope.requires = function(permission) {
+        $rootScope.hasPermission = function(permission) {
            if (!($rootScope.info && $rootScope.info.user &&
-                        $rootScope.info.user.username && $rootScope.info.user.privileges)) {
+                        $rootScope.info.user.username && $rootScope.info.user.permissions)) {
                return false;
            }
-            var accepted = false;
-            angular.forEach($rootScope.info.user.privileges || [],
+            var granted = false;
+            var splitted_permission = permission.split(':');
+            var main_permission = splitted_permission + ':all';
+
+            angular.forEach($rootScope.info.user.permissions || [],
                    function(value, idx) {
-                        if (value === permission) {
-                            accepted = true;
+                        if (value === 'admin:all' || value === main_permission || value === permission) {
+                            granted = true;
                            return;
                        }
+                        
                    }
            );
-            return accepted;
+            return granted;
        };
    }]
 );
--- a/eventman_server.py
+++ b/eventman_server.py
@ -78,7 +78,6 @@ def requires(permissions):
    return requires_wrapper()


-
 class BaseHandler(tornado.web.RequestHandler):
    """Base class for request handlers."""
    # A property to access the first value of each argument.
@ -135,6 +134,34 @@ class BaseHandler(tornado.web.RequestHandler):
        """Retrieve current user from the secure cookie."""
        return self.get_secure_cookie("user")

+    def get_user_info(self):
+        current_user = self.get_current_user()
+        if current_user:
+            user_info = {}
+            user_info['username'] = current_user
+            res = self.db.query('users', {'username': current_user})
+            if res:
+                user = res[0]
+                user_info['permissions'] = user.get('permissions') or []
+            return user_info
+        return {}
+
+    def has_permission(self, permission):
+        """Check permissions of the current user.
+
+        :param permission: the permission to check
+        :type permission: str
+
+        :returns: True if the user is allowed to perform the action or False
+        :rtype: bool
+        """
+        user_info = self.get_user_info()
+        user_permissions = user_info.get('permissions') or []
+        if not user_info:
+            return False
+        main_permission = '%s:all' % permission.split(':')[0]
+        return 'admin:all' in user_permissions or main_permission in user_permissions or permission in user_permissions
+
    def logout(self):
        """Remove the secure cookie used fro authentication."""
        self.clear_cookie("user")
@ -605,14 +632,8 @@ class InfoHandler(BaseHandler):
    @authenticated
    def get(self, **kwds):
        info = {}
-        current_user = self.get_current_user()
-        if current_user:
-            user_info = {}
-            user_info['username'] = current_user
-            res = self.db.query('users', {'username': current_user})
-            if res:
-                user = res[0]
-                user_info['privileges'] = user.get('privileges') or []
+        user_info = self.get_user_info()
+        if user_info:
            info['user'] = user_info
        self.write({'info': info})

@ -749,7 +770,7 @@ def run():
    if not db_connector.query('users', {'username': 'admin'}):
        db_connector.add('users',
                {'username': 'admin', 'password': utils.hash_password('eventman'),
-                 'privileges': ['admin']})
+                 'permissions': ['admin:all']})

    # If present, use the cookie_secret stored into the database.
    cookie_secret = db_connector.query('settings', {'setting': 'server_cookie_secret'})