improve permission check

This commit is contained in:
Davide Alberani 2016-05-30 23:14:56 +02:00
parent bdcd1b1410
commit c2fe50de16

View file

@ -60,24 +60,6 @@ def authenticated(method):
return my_wrapper return my_wrapper
def requires(permissions):
if not isinstance(permissions, (list, tuple)):
permissions = [permissions]
def requires_wrapper(self, *args, **kwargs):
if 'none' in permissions:
return method(self, *args, **kwargs)
current_user = self.get_current_user()
res = self.db.query('users', {'username': current_user})
if not res:
return self.redirect('/v%s%s' % (API_VERSION, self.get_login_url()))
user = res[0]
if current_user == 'admin':
return method(self, *args, **kwargs)
if 'permissions' not in user:
return self.redirect('/v%s%s' % (API_VERSION, self.get_login_url()))
return requires_wrapper()
class BaseHandler(tornado.web.RequestHandler): class BaseHandler(tornado.web.RequestHandler):
"""Base class for request handlers.""" """Base class for request handlers."""
# A property to access the first value of each argument. # A property to access the first value of each argument.
@ -130,12 +112,14 @@ class BaseHandler(tornado.web.RequestHandler):
for key, value in kwargs.iteritems(): for key, value in kwargs.iteritems():
setattr(self, key, value) setattr(self, key, value)
def get_current_user(self): @property
def current_user(self):
"""Retrieve current user from the secure cookie.""" """Retrieve current user from the secure cookie."""
return self.get_secure_cookie("user") return self.get_secure_cookie("user")
def get_user_info(self): @property
current_user = self.get_current_user() def current_user_info(self):
current_user = self.current_user
if current_user: if current_user:
user_info = {} user_info = {}
user_info['username'] = current_user user_info['username'] = current_user
@ -155,13 +139,17 @@ class BaseHandler(tornado.web.RequestHandler):
:returns: True if the user is allowed to perform the action or False :returns: True if the user is allowed to perform the action or False
:rtype: bool :rtype: bool
""" """
user_info = self.get_user_info() user_info = self.current_user_info
user_permissions = user_info.get('permissions') or [] user_permissions = user_info.get('permissions') or []
if not user_info: if not user_info:
return False return False
main_permission = '%s:all' % permission.split(':')[0] main_permission = '%s:all' % permission.split(':')[0]
return 'admin:all' in user_permissions or main_permission in user_permissions or permission in user_permissions return 'admin:all' in user_permissions or main_permission in user_permissions or permission in user_permissions
def build_error(self, message='', status=400):
self.set_status(status)
self.write({'error': True, 'message': message})
def logout(self): def logout(self):
"""Remove the secure cookie used fro authentication.""" """Remove the secure cookie used fro authentication."""
self.clear_cookie("user") self.clear_cookie("user")
@ -187,6 +175,7 @@ class CollectionHandler(BaseHandler):
Introduce basic CRUD operations.""" Introduce basic CRUD operations."""
# set of documents we're managing (a collection in MongoDB or a table in a SQL database) # set of documents we're managing (a collection in MongoDB or a table in a SQL database)
document = None
collection = None collection = None
# set of documents used to store incremental sequences # set of documents used to store incremental sequences
@ -268,18 +257,24 @@ class CollectionHandler(BaseHandler):
def get(self, id_=None, resource=None, resource_id=None, **kwargs): def get(self, id_=None, resource=None, resource_id=None, **kwargs):
if resource: if resource:
# Handle access to sub-resources. # Handle access to sub-resources.
if not self.has_permission('%s:%s-read' % (self.document, resource)):
return self.build_error(status=401, message='insufficient permissions')
method = getattr(self, 'handle_get_%s' % resource, None) method = getattr(self, 'handle_get_%s' % resource, None)
if method and callable(method): if method and callable(method):
self.write(method(id_, resource_id, **kwargs)) self.write(method(id_, resource_id, **kwargs))
return return
if id_ is not None: if id_ is not None:
# read a single document # read a single document
if not self.has_permission('%s:read' % self.document):
return self.build_error(status=401, message='insufficient permissions')
self.write(self.db.get(self.collection, id_)) self.write(self.db.get(self.collection, id_))
else: else:
# return an object containing the list of all objects in the collection; # return an object containing the list of all objects in the collection;
# e.g.: {'events': [{'_id': 'obj1-id, ...}, {'_id': 'obj2-id, ...}, ...]} # e.g.: {'events': [{'_id': 'obj1-id, ...}, {'_id': 'obj2-id, ...}, ...]}
# Please, never return JSON lists that are not encapsulated into an object, # Please, never return JSON lists that are not encapsulated into an object,
# to avoid XSS vulnerabilities. # to avoid XSS vulnerabilities.
if not self.has_permission('%s:read' % self.collection):
return self.build_error(status=401, message='insufficient permissions')
self.write({self.collection: self.db.query(self.collection)}) self.write({self.collection: self.db.query(self.collection)})
@gen.coroutine @gen.coroutine
@ -287,15 +282,23 @@ class CollectionHandler(BaseHandler):
def post(self, id_=None, resource=None, resource_id=None, **kwargs): def post(self, id_=None, resource=None, resource_id=None, **kwargs):
data = escape.json_decode(self.request.body or '{}') data = escape.json_decode(self.request.body or '{}')
self._clean_dict(data) self._clean_dict(data)
method = self.request.method.lower()
if resource: if resource:
if not self.has_permission('%s:%s-%s' % (self.document, resource,
'create' if method == 'post' else 'update')):
return self.build_error(status=401, message='insufficient permissions')
# Handle access to sub-resources. # Handle access to sub-resources.
method = getattr(self, 'handle_%s_%s' % (self.request.method.lower(), resource), None) handler = getattr(self, 'handle_%s_%s' % (method, resource), None)
if method and callable(method): if handler and callable(handler):
self.write(method(id_, resource_id, data, **kwargs)) self.write(handler(id_, resource_id, data, **kwargs))
return return
if id_ is None: if id_ is None:
if not self.has_permission('%s:%s' % (self.document, 'create' if method == 'post' else 'update')):
return self.build_error(status=401, message='insufficient permissions')
newData = self.db.add(self.collection, data) newData = self.db.add(self.collection, data)
else: else:
if not self.has_permission('%s:%s' % (self.collection, 'create' if method == 'post' else 'update')):
return self.build_error(status=401, message='insufficient permissions')
merged, newData = self.db.update(self.collection, id_, data) merged, newData = self.db.update(self.collection, id_, data)
self.write(newData) self.write(newData)
@ -397,10 +400,10 @@ class CollectionHandler(BaseHandler):
class PersonsHandler(CollectionHandler): class PersonsHandler(CollectionHandler):
"""Handle requests for Persons.""" """Handle requests for Persons."""
document = 'person'
collection = 'persons' collection = 'persons'
object_id = 'person_id' object_id = 'person_id'
#@requires('persons-list')
def handle_get_events(self, id_, resource_id=None, **kwargs): def handle_get_events(self, id_, resource_id=None, **kwargs):
# Get a list of events attended by this person. # Get a list of events attended by this person.
# Inside the data of each event, a 'person_data' dictionary is # Inside the data of each event, a 'person_data' dictionary is
@ -410,8 +413,6 @@ class PersonsHandler(CollectionHandler):
# If resource_id is given, only the specified event is considered. # If resource_id is given, only the specified event is considered.
# #
# If the 'all' parameter is given, every event (also unattended ones) is returned. # If the 'all' parameter is given, every event (also unattended ones) is returned.
self.set_status(401)
return {'error': True, 'message': 'insufficient privileges'}
args = self.request.arguments args = self.request.arguments
query = {} query = {}
if id_ and not self.tobool(args.get('all')): if id_ and not self.tobool(args.get('all')):
@ -436,6 +437,7 @@ class PersonsHandler(CollectionHandler):
class EventsHandler(CollectionHandler): class EventsHandler(CollectionHandler):
"""Handle requests for Events.""" """Handle requests for Events."""
document = 'event'
collection = 'events' collection = 'events'
object_id = 'event_id' object_id = 'event_id'
@ -505,7 +507,7 @@ class EventsHandler(CollectionHandler):
if person_id is None: if person_id is None:
person_id = str(new_person_data.get('person_id')) person_id = str(new_person_data.get('person_id'))
env.update({'PERSON_ID': person_id, 'EVENT_ID': id_, env.update({'PERSON_ID': person_id, 'EVENT_ID': id_,
'EVENT_TITLE': doc.get('title', ''), 'WEB_USER': self.get_current_user(), 'EVENT_TITLE': doc.get('title', ''), 'WEB_USER': self.current_user,
'WEB_REMOTE_IP': self.request.remote_ip}) 'WEB_REMOTE_IP': self.request.remote_ip})
stdin_data = {'old': old_person_data, stdin_data = {'old': old_person_data,
'new': new_person_data, 'new': new_person_data,
@ -632,7 +634,7 @@ class InfoHandler(BaseHandler):
@authenticated @authenticated
def get(self, **kwds): def get(self, **kwds):
info = {} info = {}
user_info = self.get_user_info() user_info = self.current_user_info
if user_info: if user_info:
info['user'] = user_info info['user'] = user_info
self.write({'info': info}) self.write({'info': info})