renamed permissions; server-side permissio check

This commit is contained in:
Davide Alberani 2016-05-29 14:06:34 +02:00
parent 495f1a6b57
commit bdcd1b1410
3 changed files with 43 additions and 18 deletions


@ -52,7 +52,7 @@
<div ng-if="logo.imgURL" class="navbar-brand"><a ng-if="logo.link" href="{{logo.link}}" target="_blank"><img src="{{logo.imgURL}}" /></a></div> <div ng-if="logo.imgURL" class="navbar-brand"><a ng-if="logo.link" href="{{logo.link}}" target="_blank"><img src="{{logo.imgURL}}" /></a></div>
<ul class="nav navbar-nav"> <ul class="nav navbar-nav">
<li ng-class="{active: isActive('/events') || isActive('/event')}"><a ui-sref="events">{{'Events' | translate}}</a></li> <li ng-class="{active: isActive('/events') || isActive('/event')}"><a ui-sref="events">{{'Events' | translate}}</a></li>
<li ng-if="requires('admin')" ng-class="{active: isActive('/persons') || isActive('/person') || isActive('/import/persons')}"><a ui-sref="persons">{{'Persons' | translate}}</a></li> <li ng-if="hasPermission('persons:get')" ng-class="{active: isActive('/persons') || isActive('/person') || isActive('/import/persons')}"><a ui-sref="persons">{{'Persons' | translate}}</a></li>
</ul> </ul>
</div> </div>
<div class="collapse navbar-collapse"> <div class="collapse navbar-collapse">
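Review bot: `ng-if="hasPermission('persons:get')"` only hides the menu entry in the browser; the `persons` state and the persons API stay reachable by typing the URL, so the server-side check this commit introduces has to be applied in those handlers as well, which this hunk cannot show. A template comment would keep the next maintainer from treating the directive as access control, e.g. `<!-- UI hint only: access to persons is enforced server-side -->`. The `persons` nav item also highlights for `/import/persons`, which presumably needs a permission other than `persons:get`; worth confirming the menu logic is intended that way.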

angular_app/js/app.js vendored

@ -58,21 +58,25 @@ eventManApp.run(['$rootScope', '$state', '$stateParams', '$log', 'Info',
}; };
/* Check GUI privileges. */ /* Check GUI privileges. */
$rootScope.requires = function(permission) { $rootScope.hasPermission = function(permission) {
if (!($rootScope.info && $rootScope.info.user && if (!($rootScope.info && $rootScope.info.user &&
$rootScope.info.user.username && $rootScope.info.user.privileges)) { $rootScope.info.user.username && $rootScope.info.user.permissions)) {
return false; return false;
} }
var accepted = false; var granted = false;
angular.forEach($rootScope.info.user.privileges || [], var splitted_permission = permission.split(':');
var main_permission = splitted_permission + ':all';
angular.forEach($rootScope.info.user.permissions || [],
function(value, idx) { function(value, idx) {
if (value === permission) { if (value === 'admin:all' || value === main_permission || value === permission) {
accepted = true; granted = true;
return; return;
} }
} }
); );
return accepted; return granted;
}; };
}] }]
); );
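Review bot: `var main_permission = splitted_permission + ':all';` concatenates an array with a string, so for `'persons:get'` it evaluates to `'persons,get:all'` rather than `'persons:all'`, and the `<resource>:all` wildcard therefore never matches on the client (only `admin:all` or the exact permission do). It should take the first element, `var main_permission = splitted_permission[0] + ':all';`, mirroring the server-side `permission.split(':')[0]`. This only affects what the UI shows, the server-side check is the one that counts, but a user with `persons:all` will see no Persons menu. The enclosing `run` callback begins before this hunk.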


@ -78,7 +78,6 @@ def requires(permissions):
return requires_wrapper() return requires_wrapper()
class BaseHandler(tornado.web.RequestHandler): class BaseHandler(tornado.web.RequestHandler):
"""Base class for request handlers.""" """Base class for request handlers."""
# A property to access the first value of each argument. # A property to access the first value of each argument.
@ -135,6 +134,34 @@ class BaseHandler(tornado.web.RequestHandler):
"""Retrieve current user from the secure cookie.""" """Retrieve current user from the secure cookie."""
return self.get_secure_cookie("user") return self.get_secure_cookie("user")
def get_user_info(self):
current_user = self.get_current_user()
if current_user:
user_info = {}
user_info['username'] = current_user
res = self.db.query('users', {'username': current_user})
if res:
user = res[0]
user_info['permissions'] = user.get('permissions') or []
return user_info
return {}
def has_permission(self, permission):
"""Check permissions of the current user.
:param permission: the permission to check
:type permission: str
:returns: True if the user is allowed to perform the action or False
:rtype: bool
"""
user_info = self.get_user_info()
user_permissions = user_info.get('permissions') or []
if not user_info:
return False
main_permission = '%s:all' % permission.split(':')[0]
return 'admin:all' in user_permissions or main_permission in user_permissions or permission in user_permissions
def logout(self): def logout(self):
"""Remove the secure cookie used fro authentication.""" """Remove the secure cookie used fro authentication."""
self.clear_cookie("user") self.clear_cookie("user")
@ -605,14 +632,8 @@ class InfoHandler(BaseHandler):
@authenticated @authenticated
def get(self, **kwds): def get(self, **kwds):
info = {} info = {}
current_user = self.get_current_user() user_info = self.get_user_info()
if current_user: if user_info:
user_info = {}
user_info['username'] = current_user
res = self.db.query('users', {'username': current_user})
if res:
user = res[0]
user_info['privileges'] = user.get('privileges') or []
info['user'] = user_info info['user'] = user_info
self.write({'info': info}) self.write({'info': info})
@ -749,7 +770,7 @@ def run():
if not db_connector.query('users', {'username': 'admin'}): if not db_connector.query('users', {'username': 'admin'}):
db_connector.add('users', db_connector.add('users',
{'username': 'admin', 'password': utils.hash_password('eventman'), {'username': 'admin', 'password': utils.hash_password('eventman'),
'privileges': ['admin']}) 'permissions': ['admin:all']})
# If present, use the cookie_secret stored into the database. # If present, use the cookie_secret stored into the database.
cookie_secret = db_connector.query('settings', {'setting': 'server_cookie_secret'}) cookie_secret = db_connector.query('settings', {'setting': 'server_cookie_secret'})
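Review bot: `has_permission` documents neither of the two wildcards it honours, `admin:all` grants everything and `<resource>:all` grants every action on that resource, and `get_user_info` has no docstring, although both are the authorisation primitives every handler will now rely on. I would add to the `has_permission` docstring a line such as `Grants if the user holds 'admin:all', '<resource>:all' or the exact permission.`, and give `get_user_info` a docstring like `"""Return {'username', 'permissions'} for the cookie user, or {} when nobody is logged in; 'permissions' is missing if the user row no longer exists."""`. Moving `if not user_info: return False` above the `user_info.get('permissions')` line would also make the guard read first, though the result is the same either way. The `requires` decorator whose tail opens the section is cut off, so whether it now delegates to `has_permission` cannot be checked from this hunk.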