renamed permissions; server-side permissio check

angular_app/index.html

@@ -52,7 +52,7 @@
                     <div ng-if="logo.imgURL" class="navbar-brand"><a ng-if="logo.link" href="{{logo.link}}" target="_blank"><img src="{{logo.imgURL}}" /></a></div>
                     <ul class="nav navbar-nav">
                         <li ng-class="{active: isActive('/events') || isActive('/event')}"><a ui-sref="events">{{'Events' | translate}}</a></li>
-                        <li ng-if="requires('admin')" ng-class="{active: isActive('/persons') ||  isActive('/person') || isActive('/import/persons')}"><a ui-sref="persons">{{'Persons' | translate}}</a></li>
+                        <li ng-if="hasPermission('persons:get')" ng-class="{active: isActive('/persons') ||  isActive('/person') || isActive('/import/persons')}"><a ui-sref="persons">{{'Persons' | translate}}</a></li>
                     </ul>
                 </div>
                 <div class="collapse navbar-collapse">

angular_app/js/app.js

@@ -58,21 +58,25 @@ eventManApp.run(['$rootScope', '$state', '$stateParams', '$log', 'Info',
         };
 
         /* Check GUI privileges. */
-        $rootScope.requires = function(permission) {
+        $rootScope.hasPermission = function(permission) {
             if (!($rootScope.info && $rootScope.info.user &&
-                        $rootScope.info.user.username && $rootScope.info.user.privileges)) {
+                        $rootScope.info.user.username && $rootScope.info.user.permissions)) {
                 return false;
             }
-            var accepted = false;
-            angular.forEach($rootScope.info.user.privileges || [],
+            var granted = false;
+            var splitted_permission = permission.split(':');
+            var main_permission = splitted_permission + ':all';
+
+            angular.forEach($rootScope.info.user.permissions || [],
                     function(value, idx) {
-                        if (value === permission) {
-                            accepted = true;
+                        if (value === 'admin:all' || value === main_permission || value === permission) {
+                            granted = true;
                             return;
                         }
+                        
                     }
             );
-            return accepted;
+            return granted;
         };
     }]
 );

eventman_server.py

@@ -78,7 +78,6 @@ def requires(permissions):
     return requires_wrapper()
 
 
-
 class BaseHandler(tornado.web.RequestHandler):
     """Base class for request handlers."""
     # A property to access the first value of each argument.
@@ -135,6 +134,34 @@ class BaseHandler(tornado.web.RequestHandler):
         """Retrieve current user from the secure cookie."""
         return self.get_secure_cookie("user")
 
+    def get_user_info(self):
+        current_user = self.get_current_user()
+        if current_user:
+            user_info = {}
+            user_info['username'] = current_user
+            res = self.db.query('users', {'username': current_user})
+            if res:
+                user = res[0]
+                user_info['permissions'] = user.get('permissions') or []
+            return user_info
+        return {}
+
+    def has_permission(self, permission):
+        """Check permissions of the current user.
+
+        :param permission: the permission to check
+        :type permission: str
+
+        :returns: True if the user is allowed to perform the action or False
+        :rtype: bool
+        """
+        user_info = self.get_user_info()
+        user_permissions = user_info.get('permissions') or []
+        if not user_info:
+            return False
+        main_permission = '%s:all' % permission.split(':')[0]
+        return 'admin:all' in user_permissions or main_permission in user_permissions or permission in user_permissions
+
     def logout(self):
         """Remove the secure cookie used fro authentication."""
         self.clear_cookie("user")
@@ -605,14 +632,8 @@ class InfoHandler(BaseHandler):
     @authenticated
     def get(self, **kwds):
         info = {}
-        current_user = self.get_current_user()
-        if current_user:
-            user_info = {}
-            user_info['username'] = current_user
-            res = self.db.query('users', {'username': current_user})
-            if res:
-                user = res[0]
-                user_info['privileges'] = user.get('privileges') or []
+        user_info = self.get_user_info()
+        if user_info:
             info['user'] = user_info
         self.write({'info': info})
 
@@ -749,7 +770,7 @@ def run():
     if not db_connector.query('users', {'username': 'admin'}):
         db_connector.add('users',
                 {'username': 'admin', 'password': utils.hash_password('eventman'),
-                 'privileges': ['admin']})
+                 'permissions': ['admin:all']})
 
     # If present, use the cookie_secret stored into the database.
     cookie_secret = db_connector.query('settings', {'setting': 'server_cookie_secret'})