This repository has been archived by the owner on Oct 24, 2023. It is now read-only.
from sqlalchemy.orm import joinedload
from permission_query import PermissionQuery
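class ResourcePermission(PermissionQuery):
    """ResourcePermission class

    Query permissions and restrictions for a resource type.
    """

    @staticmethod
    def _filter_by_name_and_parent(query, Resource, name, parent_id):
        """Apply the optional name and parent_id filters to a query.

        Both values come from request parameters. They are only ever
        compared through SQLAlchemy column expressions, never formatted
        into SQL text.

        :param Query query: Query to narrow down
        :param Resource: Resource model class
        :param str name: Optional resource name filter
        :param parent_id: Optional parent ID filter (any int()-convertible
            value)
        :return: The query with the requested filters applied
        """
        if name is not None:
            # filter by resource name
            query = query.filter(Resource.name == name)

        if parent_id is not None:
            try:
                parent_id = int(parent_id)
            except (TypeError, ValueError):
                # An unparsable parent_id must narrow the result, never
                # widen it, so the filter is kept with a sentinel value
                # instead of being dropped. TypeError covers non-string
                # values (e.g. a list), which would otherwise escape as an
                # unhandled exception.
                # NOTE(review): presumably no resource has parent_id -1, so
                # this yields an empty result; confirm against the schema.
                parent_id = -1
            # filter by resource parent ID
            query = query.filter(Resource.parent_id == parent_id)

        return query

    def permissions(self, resource_type, params, username, group, session):
        """Query permitted resources for a resource type with optional
        name or parent_id filter.

        Return resources if available and permitted.

        :param str resource_type: Resource type
        :param obj params: Optional request parameters with
            name=<name filter>&parent_id=<parent filter>
        :param str username: User name
        :param str group: Group name
        :param Session session: DB session
        :return: Dict keyed by resource ID; each value holds the resource's
            'id', 'name', 'parent_id' and the 'writable' flag of the
            permission that was stored last for it
        """
        permissions = {}

        name = params.get('name')
        parent_id = params.get('parent_id')

        Permission = self.config_models.model('permissions')
        Resource = self.config_models.model('resources')

        # NOTE(review): distinct(column) is rendered as DISTINCT ON (column)
        # on PostgreSQL, which keeps a single row per priority value.
        # Confirm that this cannot drop permissions of other resources that
        # share a priority, since the result feeds access decisions.
        query = self.user_permissions_query(username, group, session) \
            .join(Permission.resource) \
            .filter(Resource.type == resource_type) \
            .order_by(Permission.priority) \
            .distinct(Permission.priority)

        # eager load relations
        query = query.options(joinedload(Permission.resource))

        # optional filters
        query = self._filter_by_name_and_parent(
            query, Resource, name, parent_id
        )

        for permission in query.all():
            resource = permission.resource
            # NOTE: permissions sorted by priority, so permission with
            #       higher priority will override lower priority. The
            #       override includes 'writable', so the last row decides
            #       whether write access is reported.
            # NOTE(review): the order of rows with equal priority is not
            #       fixed by the query; confirm ties cannot flip 'writable'.
            permissions[resource.id] = {
                'id': resource.id,
                'name': resource.name,
                'parent_id': resource.parent_id,
                'writable': permission.write
            }

        return permissions

    def restrictions(self, resource_type, params, username, group, session):
        """Query restricted resources for a resource type with optional
        name or parent_id filter.

        Return restricted resources.

        :param str resource_type: Resource type
        :param obj params: Optional request parameters with
            name=<name filter>&parent_id=<parent filter>
        :param str username: User name
        :param str group: Group name
        :param Session session: DB session
        :return: Dict keyed by resource ID; each value holds the resource's
            'id', 'name' and 'parent_id'
        """
        restrictions = {}

        name = params.get('name')
        parent_id = params.get('parent_id')

        Resource = self.config_models.model('resources')

        query = self.resource_restrictions_query(
            resource_type, username, group, session
        )

        # optional filters
        query = self._filter_by_name_and_parent(
            query, Resource, name, parent_id
        )

        for resource in query.all():
            restrictions[resource.id] = {
                'id': resource.id,
                'name': resource.name,
                'parent_id': resource.parent_id
            }

        return restrictions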