comparison rhodecode/lib/auth.py @ 2125:097327aaf2ad beta
more detailed logging on auth system
- docs updates for debugging
- code garden
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Tue, 13 Mar 2012 02:40:34 +0200 |
parents | 8ecfed1d8f8b |
children | dc2584ba5fbc 24095abde696 |
2124:273ce1a99c3f | 2125:097327aaf2ad |
---|---|
519 def __wrapper(self, func, *fargs, **fkwargs): | 519 def __wrapper(self, func, *fargs, **fkwargs): |
520 cls = fargs[0] | 520 cls = fargs[0] |
521 self.user = cls.rhodecode_user | 521 self.user = cls.rhodecode_user |
522 self.user_perms = self.user.permissions | 522 self.user_perms = self.user.permissions |
523 log.debug('checking %s permissions %s for %s %s', | 523 log.debug('checking %s permissions %s for %s %s', |
524 self.__class__.__name__, self.required_perms, cls, | 524 self.__class__.__name__, self.required_perms, cls, self.user) |
525 self.user) | |
526 | 525 |
527 if self.check_permissions(): | 526 if self.check_permissions(): |
528 log.debug('Permission granted for %s %s' % (cls, self.user)) | 527 log.debug('Permission granted for %s %s' % (cls, self.user)) |
529 return func(*fargs, **fkwargs) | 528 return func(*fargs, **fkwargs) |
530 | 529 |
602 | 601 |
603 try: | 602 try: |
604 user_perms = set([self.user_perms['repositories'][repo_name]]) | 603 user_perms = set([self.user_perms['repositories'][repo_name]]) |
605 except KeyError: | 604 except KeyError: |
606 return False | 605 return False |
606 | |
607 if self.required_perms.intersection(user_perms): | 607 if self.required_perms.intersection(user_perms): |
608 return True | 608 return True |
609 return False | 609 return False |
610 | 610 |
611 | 611 |
656 for perm in perms: | 656 for perm in perms: |
657 if perm not in available_perms: | 657 if perm not in available_perms: |
658 raise Exception("'%s' permission is not defined" % perm) | 658 raise Exception("'%s' permission is not defined" % perm) |
659 self.required_perms = set(perms) | 659 self.required_perms = set(perms) |
660 self.user_perms = None | 660 self.user_perms = None |
661 self.granted_for = '' | |
662 self.repo_name = None | 661 self.repo_name = None |
662 self.group_name = None | |
663 | 663 |
664 def __call__(self, check_Location=''): | 664 def __call__(self, check_Location=''): |
665 user = request.user | 665 user = request.user |
666 log.debug('checking %s %s %s', self.__class__.__name__, | 666 cls_name = self.__class__.__name__ |
667 self.required_perms, user) | 667 check_scope = { |
668 'HasPermissionAll': '', | |
669 'HasPermissionAny': '', | |
670 'HasRepoPermissionAll': 'repo:%s' % self.repo_name, | |
671 'HasRepoPermissionAny': 'repo:%s' % self.repo_name, | |
672 'HasReposGroupPermissionAll': 'group:%s' % self.group_name, | |
673 'HasReposGroupPermissionAny': 'group:%s' % self.group_name, | |
674 }.get(cls_name, '?') | |
675 log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name, | |
676 self.required_perms, user, check_scope, | |
677 check_Location or 'unspecified location') | |
668 if not user: | 678 if not user: |
669 log.debug('Empty request user') | 679 log.debug('Empty request user') |
670 return False | 680 return False |
671 self.user_perms = user.permissions | 681 self.user_perms = user.permissions |
672 self.granted_for = user | |
673 | |
674 if self.check_permissions(): | 682 if self.check_permissions(): |
675 log.debug('Permission granted %s @ %s', self.granted_for, | 683 log.debug('Permission granted for user: %s @ %s', user, |
676 check_Location or 'unspecified location') | 684 check_Location or 'unspecified location') |
677 return True | 685 return True |
678 | 686 |
679 else: | 687 else: |
680 log.debug('Permission denied for %s @ %s', self.granted_for, | 688 log.debug('Permission denied for user: %s @ %s', user, |
681 check_Location or 'unspecified location') | 689 check_Location or 'unspecified location') |
682 return False | 690 return False |
683 | 691 |
684 def check_permissions(self): | 692 def check_permissions(self): |
685 """Dummy function for overriding""" | 693 """Dummy function for overriding""" |
699 return True | 707 return True |
700 return False | 708 return False |
701 | 709 |
702 | 710 |
703 class HasRepoPermissionAll(PermsFunction): | 711 class HasRepoPermissionAll(PermsFunction): |
704 | |
705 def __call__(self, repo_name=None, check_Location=''): | 712 def __call__(self, repo_name=None, check_Location=''): |
706 self.repo_name = repo_name | 713 self.repo_name = repo_name |
707 return super(HasRepoPermissionAll, self).__call__(check_Location) | 714 return super(HasRepoPermissionAll, self).__call__(check_Location) |
708 | 715 |
709 def check_permissions(self): | 716 def check_permissions(self): |
710 if not self.repo_name: | 717 if not self.repo_name: |
711 self.repo_name = get_repo_slug(request) | 718 self.repo_name = get_repo_slug(request) |
712 | 719 |
713 try: | 720 try: |
714 self.user_perms = set( | 721 self._user_perms = set( |
715 [self.user_perms['repositories'][self.repo_name]] | 722 [self.user_perms['repositories'][self.repo_name]] |
716 ) | 723 ) |
717 except KeyError: | 724 except KeyError: |
718 return False | 725 return False |
719 self.granted_for = self.repo_name | 726 if self.required_perms.issubset(self._user_perms): |
720 if self.required_perms.issubset(self.user_perms): | |
721 return True | 727 return True |
722 return False | 728 return False |
723 | 729 |
724 | 730 |
725 class HasRepoPermissionAny(PermsFunction): | 731 class HasRepoPermissionAny(PermsFunction): |
726 | |
727 def __call__(self, repo_name=None, check_Location=''): | 732 def __call__(self, repo_name=None, check_Location=''): |
728 self.repo_name = repo_name | 733 self.repo_name = repo_name |
729 return super(HasRepoPermissionAny, self).__call__(check_Location) | 734 return super(HasRepoPermissionAny, self).__call__(check_Location) |
730 | 735 |
731 def check_permissions(self): | 736 def check_permissions(self): |
732 if not self.repo_name: | 737 if not self.repo_name: |
733 self.repo_name = get_repo_slug(request) | 738 self.repo_name = get_repo_slug(request) |
734 | 739 |
735 try: | 740 try: |
736 self.user_perms = set( | 741 self._user_perms = set( |
737 [self.user_perms['repositories'][self.repo_name]] | 742 [self.user_perms['repositories'][self.repo_name]] |
738 ) | 743 ) |
739 except KeyError: | 744 except KeyError: |
740 return False | 745 return False |
741 self.granted_for = self.repo_name | 746 if self.required_perms.intersection(self._user_perms): |
742 if self.required_perms.intersection(self.user_perms): | |
743 return True | 747 return True |
744 return False | 748 return False |
745 | 749 |
746 | 750 |
747 class HasReposGroupPermissionAny(PermsFunction): | 751 class HasReposGroupPermissionAny(PermsFunction): |
749 self.group_name = group_name | 753 self.group_name = group_name |
750 return super(HasReposGroupPermissionAny, self).__call__(check_Location) | 754 return super(HasReposGroupPermissionAny, self).__call__(check_Location) |
751 | 755 |
752 def check_permissions(self): | 756 def check_permissions(self): |
753 try: | 757 try: |
754 self.user_perms = set( | 758 self._user_perms = set( |
755 [self.user_perms['repositories_groups'][self.group_name]] | 759 [self.user_perms['repositories_groups'][self.group_name]] |
756 ) | 760 ) |
757 except KeyError: | 761 except KeyError: |
758 return False | 762 return False |
759 self.granted_for = self.repo_name | 763 if self.required_perms.intersection(self._user_perms): |
760 if self.required_perms.intersection(self.user_perms): | |
761 return True | 764 return True |
762 return False | 765 return False |
763 | 766 |
764 | 767 |
765 class HasReposGroupPermissionAll(PermsFunction): | 768 class HasReposGroupPermissionAll(PermsFunction): |
767 self.group_name = group_name | 770 self.group_name = group_name |
768 return super(HasReposGroupPermissionAny, self).__call__(check_Location) | 771 return super(HasReposGroupPermissionAny, self).__call__(check_Location) |
769 | 772 |
770 def check_permissions(self): | 773 def check_permissions(self): |
771 try: | 774 try: |
772 self.user_perms = set( | 775 self._user_perms = set( |
773 [self.user_perms['repositories_groups'][self.group_name]] | 776 [self.user_perms['repositories_groups'][self.group_name]] |
774 ) | 777 ) |
775 except KeyError: | 778 except KeyError: |
776 return False | 779 return False |
777 self.granted_for = self.repo_name | 780 if self.required_perms.issubset(self._user_perms): |
778 if self.required_perms.issubset(self.user_perms): | |
779 return True | 781 return True |
780 return False | 782 return False |
781 | 783 |
782 | 784 |
783 #============================================================================== | 785 #============================================================================== |
796 self.user_perms = set([usr.permissions['repositories'][repo_name]]) | 798 self.user_perms = set([usr.permissions['repositories'][repo_name]]) |
797 except Exception: | 799 except Exception: |
798 log.error('Exception while accessing permissions %s' % | 800 log.error('Exception while accessing permissions %s' % |
799 traceback.format_exc()) | 801 traceback.format_exc()) |
800 self.user_perms = set() | 802 self.user_perms = set() |
801 self.granted_for = '' | |
802 self.username = user.username | 803 self.username = user.username |
803 self.repo_name = repo_name | 804 self.repo_name = repo_name |
804 return self.check_permissions() | 805 return self.check_permissions() |
805 | 806 |
806 def check_permissions(self): | 807 def check_permissions(self): |
807 log.debug('checking mercurial protocol ' | 808 log.debug('checking mercurial protocol ' |
808 'permissions %s for user:%s repository:%s', self.user_perms, | 809 'permissions %s for user:%s repository:%s', self.user_perms, |
809 self.username, self.repo_name) | 810 self.username, self.repo_name) |
810 if self.required_perms.intersection(self.user_perms): | 811 if self.required_perms.intersection(self.user_perms): |
811 log.debug('permission granted') | 812 log.debug('permission granted for user:%s on repo:%s' % ( |
812 return True | 813 self.username, self.repo_name |
813 log.debug('permission denied') | 814 ) |
814 return False | 815 ) |
816 return True | |
817 log.debug('permission denied for user:%s on repo:%s' % ( | |
818 self.username, self.repo_name | |
819 ) | |
820 ) | |
821 return False |
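Review bot: `HasReposGroupPermissionAll.__call__` (new line 771) still calls `super(HasReposGroupPermissionAny, self).__call__(check_Location)`, naming its sibling class instead of itself. Both classes are declared directly on `PermsFunction`, so an `All` instance is not an instance of `HasReposGroupPermissionAny`, and this `super()` call should raise `TypeError` before any permission is evaluated. The group-level "all" check then fails with an error rather than returning a grant or a denial. The line should read `return super(HasReposGroupPermissionAll, self).__call__(check_Location)`; the `def __call__` line is elided from this view, so its signature is assumed to match the `Any` variant. This commit adds the `cls_name` scope lookup for exactly these classes, so a test that calls each `Has*Permission*` class once would cover both the new logging and this path.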