improve permission check
This commit is contained in:
parent
bdcd1b1410
commit
c2fe50de16
1 changed files with 32 additions and 30 deletions
|
@ -60,24 +60,6 @@ def authenticated(method):
|
||||||
return my_wrapper
|
return my_wrapper
|
||||||
|
|
||||||
|
|
||||||
def requires(permissions):
|
|
||||||
if not isinstance(permissions, (list, tuple)):
|
|
||||||
permissions = [permissions]
|
|
||||||
def requires_wrapper(self, *args, **kwargs):
|
|
||||||
if 'none' in permissions:
|
|
||||||
return method(self, *args, **kwargs)
|
|
||||||
current_user = self.get_current_user()
|
|
||||||
res = self.db.query('users', {'username': current_user})
|
|
||||||
if not res:
|
|
||||||
return self.redirect('/v%s%s' % (API_VERSION, self.get_login_url()))
|
|
||||||
user = res[0]
|
|
||||||
if current_user == 'admin':
|
|
||||||
return method(self, *args, **kwargs)
|
|
||||||
if 'permissions' not in user:
|
|
||||||
return self.redirect('/v%s%s' % (API_VERSION, self.get_login_url()))
|
|
||||||
return requires_wrapper()
|
|
||||||
|
|
||||||
|
|
||||||
class BaseHandler(tornado.web.RequestHandler):
|
class BaseHandler(tornado.web.RequestHandler):
|
||||||
"""Base class for request handlers."""
|
"""Base class for request handlers."""
|
||||||
# A property to access the first value of each argument.
|
# A property to access the first value of each argument.
|
||||||
|
@ -130,12 +112,14 @@ class BaseHandler(tornado.web.RequestHandler):
|
||||||
for key, value in kwargs.iteritems():
|
for key, value in kwargs.iteritems():
|
||||||
setattr(self, key, value)
|
setattr(self, key, value)
|
||||||
|
|
||||||
def get_current_user(self):
|
@property
|
||||||
|
def current_user(self):
|
||||||
"""Retrieve current user from the secure cookie."""
|
"""Retrieve current user from the secure cookie."""
|
||||||
return self.get_secure_cookie("user")
|
return self.get_secure_cookie("user")
|
||||||
|
|
||||||
def get_user_info(self):
|
@property
|
||||||
current_user = self.get_current_user()
|
def current_user_info(self):
|
||||||
|
current_user = self.current_user
|
||||||
if current_user:
|
if current_user:
|
||||||
user_info = {}
|
user_info = {}
|
||||||
user_info['username'] = current_user
|
user_info['username'] = current_user
|
||||||
|
@ -155,13 +139,17 @@ class BaseHandler(tornado.web.RequestHandler):
|
||||||
:returns: True if the user is allowed to perform the action or False
|
:returns: True if the user is allowed to perform the action or False
|
||||||
:rtype: bool
|
:rtype: bool
|
||||||
"""
|
"""
|
||||||
user_info = self.get_user_info()
|
user_info = self.current_user_info
|
||||||
user_permissions = user_info.get('permissions') or []
|
user_permissions = user_info.get('permissions') or []
|
||||||
if not user_info:
|
if not user_info:
|
||||||
return False
|
return False
|
||||||
main_permission = '%s:all' % permission.split(':')[0]
|
main_permission = '%s:all' % permission.split(':')[0]
|
||||||
return 'admin:all' in user_permissions or main_permission in user_permissions or permission in user_permissions
|
return 'admin:all' in user_permissions or main_permission in user_permissions or permission in user_permissions
|
||||||
|
|
||||||
|
def build_error(self, message='', status=400):
|
||||||
|
self.set_status(status)
|
||||||
|
self.write({'error': True, 'message': message})
|
||||||
|
|
||||||
def logout(self):
|
def logout(self):
|
||||||
"""Remove the secure cookie used fro authentication."""
|
"""Remove the secure cookie used fro authentication."""
|
||||||
self.clear_cookie("user")
|
self.clear_cookie("user")
|
||||||
|
@ -187,6 +175,7 @@ class CollectionHandler(BaseHandler):
|
||||||
|
|
||||||
Introduce basic CRUD operations."""
|
Introduce basic CRUD operations."""
|
||||||
# set of documents we're managing (a collection in MongoDB or a table in a SQL database)
|
# set of documents we're managing (a collection in MongoDB or a table in a SQL database)
|
||||||
|
document = None
|
||||||
collection = None
|
collection = None
|
||||||
|
|
||||||
# set of documents used to store incremental sequences
|
# set of documents used to store incremental sequences
|
||||||
|
@ -268,18 +257,24 @@ class CollectionHandler(BaseHandler):
|
||||||
def get(self, id_=None, resource=None, resource_id=None, **kwargs):
|
def get(self, id_=None, resource=None, resource_id=None, **kwargs):
|
||||||
if resource:
|
if resource:
|
||||||
# Handle access to sub-resources.
|
# Handle access to sub-resources.
|
||||||
|
if not self.has_permission('%s:%s-read' % (self.document, resource)):
|
||||||
|
return self.build_error(status=401, message='insufficient permissions')
|
||||||
method = getattr(self, 'handle_get_%s' % resource, None)
|
method = getattr(self, 'handle_get_%s' % resource, None)
|
||||||
if method and callable(method):
|
if method and callable(method):
|
||||||
self.write(method(id_, resource_id, **kwargs))
|
self.write(method(id_, resource_id, **kwargs))
|
||||||
return
|
return
|
||||||
if id_ is not None:
|
if id_ is not None:
|
||||||
# read a single document
|
# read a single document
|
||||||
|
if not self.has_permission('%s:read' % self.document):
|
||||||
|
return self.build_error(status=401, message='insufficient permissions')
|
||||||
self.write(self.db.get(self.collection, id_))
|
self.write(self.db.get(self.collection, id_))
|
||||||
else:
|
else:
|
||||||
# return an object containing the list of all objects in the collection;
|
# return an object containing the list of all objects in the collection;
|
||||||
# e.g.: {'events': [{'_id': 'obj1-id, ...}, {'_id': 'obj2-id, ...}, ...]}
|
# e.g.: {'events': [{'_id': 'obj1-id, ...}, {'_id': 'obj2-id, ...}, ...]}
|
||||||
# Please, never return JSON lists that are not encapsulated into an object,
|
# Please, never return JSON lists that are not encapsulated into an object,
|
||||||
# to avoid XSS vulnerabilities.
|
# to avoid XSS vulnerabilities.
|
||||||
|
if not self.has_permission('%s:read' % self.collection):
|
||||||
|
return self.build_error(status=401, message='insufficient permissions')
|
||||||
self.write({self.collection: self.db.query(self.collection)})
|
self.write({self.collection: self.db.query(self.collection)})
|
||||||
|
|
||||||
@gen.coroutine
|
@gen.coroutine
|
||||||
|
@ -287,15 +282,23 @@ class CollectionHandler(BaseHandler):
|
||||||
def post(self, id_=None, resource=None, resource_id=None, **kwargs):
|
def post(self, id_=None, resource=None, resource_id=None, **kwargs):
|
||||||
data = escape.json_decode(self.request.body or '{}')
|
data = escape.json_decode(self.request.body or '{}')
|
||||||
self._clean_dict(data)
|
self._clean_dict(data)
|
||||||
|
method = self.request.method.lower()
|
||||||
if resource:
|
if resource:
|
||||||
|
if not self.has_permission('%s:%s-%s' % (self.document, resource,
|
||||||
|
'create' if method == 'post' else 'update')):
|
||||||
|
return self.build_error(status=401, message='insufficient permissions')
|
||||||
# Handle access to sub-resources.
|
# Handle access to sub-resources.
|
||||||
method = getattr(self, 'handle_%s_%s' % (self.request.method.lower(), resource), None)
|
handler = getattr(self, 'handle_%s_%s' % (method, resource), None)
|
||||||
if method and callable(method):
|
if handler and callable(handler):
|
||||||
self.write(method(id_, resource_id, data, **kwargs))
|
self.write(handler(id_, resource_id, data, **kwargs))
|
||||||
return
|
return
|
||||||
if id_ is None:
|
if id_ is None:
|
||||||
|
if not self.has_permission('%s:%s' % (self.document, 'create' if method == 'post' else 'update')):
|
||||||
|
return self.build_error(status=401, message='insufficient permissions')
|
||||||
newData = self.db.add(self.collection, data)
|
newData = self.db.add(self.collection, data)
|
||||||
else:
|
else:
|
||||||
|
if not self.has_permission('%s:%s' % (self.collection, 'create' if method == 'post' else 'update')):
|
||||||
|
return self.build_error(status=401, message='insufficient permissions')
|
||||||
merged, newData = self.db.update(self.collection, id_, data)
|
merged, newData = self.db.update(self.collection, id_, data)
|
||||||
self.write(newData)
|
self.write(newData)
|
||||||
|
|
||||||
|
@ -397,10 +400,10 @@ class CollectionHandler(BaseHandler):
|
||||||
|
|
||||||
class PersonsHandler(CollectionHandler):
|
class PersonsHandler(CollectionHandler):
|
||||||
"""Handle requests for Persons."""
|
"""Handle requests for Persons."""
|
||||||
|
document = 'person'
|
||||||
collection = 'persons'
|
collection = 'persons'
|
||||||
object_id = 'person_id'
|
object_id = 'person_id'
|
||||||
|
|
||||||
#@requires('persons-list')
|
|
||||||
def handle_get_events(self, id_, resource_id=None, **kwargs):
|
def handle_get_events(self, id_, resource_id=None, **kwargs):
|
||||||
# Get a list of events attended by this person.
|
# Get a list of events attended by this person.
|
||||||
# Inside the data of each event, a 'person_data' dictionary is
|
# Inside the data of each event, a 'person_data' dictionary is
|
||||||
|
@ -410,8 +413,6 @@ class PersonsHandler(CollectionHandler):
|
||||||
# If resource_id is given, only the specified event is considered.
|
# If resource_id is given, only the specified event is considered.
|
||||||
#
|
#
|
||||||
# If the 'all' parameter is given, every event (also unattended ones) is returned.
|
# If the 'all' parameter is given, every event (also unattended ones) is returned.
|
||||||
self.set_status(401)
|
|
||||||
return {'error': True, 'message': 'insufficient privileges'}
|
|
||||||
args = self.request.arguments
|
args = self.request.arguments
|
||||||
query = {}
|
query = {}
|
||||||
if id_ and not self.tobool(args.get('all')):
|
if id_ and not self.tobool(args.get('all')):
|
||||||
|
@ -436,6 +437,7 @@ class PersonsHandler(CollectionHandler):
|
||||||
|
|
||||||
class EventsHandler(CollectionHandler):
|
class EventsHandler(CollectionHandler):
|
||||||
"""Handle requests for Events."""
|
"""Handle requests for Events."""
|
||||||
|
document = 'event'
|
||||||
collection = 'events'
|
collection = 'events'
|
||||||
object_id = 'event_id'
|
object_id = 'event_id'
|
||||||
|
|
||||||
|
@ -505,7 +507,7 @@ class EventsHandler(CollectionHandler):
|
||||||
if person_id is None:
|
if person_id is None:
|
||||||
person_id = str(new_person_data.get('person_id'))
|
person_id = str(new_person_data.get('person_id'))
|
||||||
env.update({'PERSON_ID': person_id, 'EVENT_ID': id_,
|
env.update({'PERSON_ID': person_id, 'EVENT_ID': id_,
|
||||||
'EVENT_TITLE': doc.get('title', ''), 'WEB_USER': self.get_current_user(),
|
'EVENT_TITLE': doc.get('title', ''), 'WEB_USER': self.current_user,
|
||||||
'WEB_REMOTE_IP': self.request.remote_ip})
|
'WEB_REMOTE_IP': self.request.remote_ip})
|
||||||
stdin_data = {'old': old_person_data,
|
stdin_data = {'old': old_person_data,
|
||||||
'new': new_person_data,
|
'new': new_person_data,
|
||||||
|
@ -632,7 +634,7 @@ class InfoHandler(BaseHandler):
|
||||||
@authenticated
|
@authenticated
|
||||||
def get(self, **kwds):
|
def get(self, **kwds):
|
||||||
info = {}
|
info = {}
|
||||||
user_info = self.get_user_info()
|
user_info = self.current_user_info
|
||||||
if user_info:
|
if user_info:
|
||||||
info['user'] = user_info
|
info['user'] = user_info
|
||||||
self.write({'info': info})
|
self.write({'info': info})
|
||||||
|
|
Loading…
Reference in a new issue