Mercurial > kallithea
comparison rhodecode/lib/auth.py @ 2165:dc2584ba5fbc
merged beta into default branch
| author | Marcin Kuzminski <marcin@python-works.com> |
|---|---|
| date | Wed, 28 Mar 2012 19:54:16 +0200 |
| parents | 79a95f338fd0 097327aaf2ad |
| children | b8d5a5c9f66d |
comparison
equal
deleted
inserted
replaced
| 2097:8fd6650bb436 | 2165:dc2584ba5fbc |
|---|---|
| 41 if __platform__ in PLATFORM_WIN: | 41 if __platform__ in PLATFORM_WIN: |
| 42 from hashlib import sha256 | 42 from hashlib import sha256 |
| 43 if __platform__ in PLATFORM_OTHERS: | 43 if __platform__ in PLATFORM_OTHERS: |
| 44 import bcrypt | 44 import bcrypt |
| 45 | 45 |
| 46 from rhodecode.lib import str2bool, safe_unicode | 46 from rhodecode.lib.utils2 import str2bool, safe_unicode |
| 47 from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError | 47 from rhodecode.lib.exceptions import LdapPasswordError, LdapUsernameError |
| 48 from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug | 48 from rhodecode.lib.utils import get_repo_slug, get_repos_group_slug |
| 49 from rhodecode.lib.auth_ldap import AuthLdap | 49 from rhodecode.lib.auth_ldap import AuthLdap |
| 50 | 50 |
| 51 from rhodecode.model import meta | 51 from rhodecode.model import meta |
| 519 def __wrapper(self, func, *fargs, **fkwargs): | 519 def __wrapper(self, func, *fargs, **fkwargs): |
| 520 cls = fargs[0] | 520 cls = fargs[0] |
| 521 self.user = cls.rhodecode_user | 521 self.user = cls.rhodecode_user |
| 522 self.user_perms = self.user.permissions | 522 self.user_perms = self.user.permissions |
| 523 log.debug('checking %s permissions %s for %s %s', | 523 log.debug('checking %s permissions %s for %s %s', |
| 524 self.__class__.__name__, self.required_perms, cls, | 524 self.__class__.__name__, self.required_perms, cls, self.user) |
| 525 self.user) | |
| 526 | 525 |
| 527 if self.check_permissions(): | 526 if self.check_permissions(): |
| 528 log.debug('Permission granted for %s %s' % (cls, self.user)) | 527 log.debug('Permission granted for %s %s' % (cls, self.user)) |
| 529 return func(*fargs, **fkwargs) | 528 return func(*fargs, **fkwargs) |
| 530 | 529 |
| 602 | 601 |
| 603 try: | 602 try: |
| 604 user_perms = set([self.user_perms['repositories'][repo_name]]) | 603 user_perms = set([self.user_perms['repositories'][repo_name]]) |
| 605 except KeyError: | 604 except KeyError: |
| 606 return False | 605 return False |
| 606 | |
| 607 if self.required_perms.intersection(user_perms): | 607 if self.required_perms.intersection(user_perms): |
| 608 return True | 608 return True |
| 609 return False | 609 return False |
| 610 | 610 |
| 611 | 611 |
| 653 def __init__(self, *perms): | 653 def __init__(self, *perms): |
| 654 available_perms = config['available_permissions'] | 654 available_perms = config['available_permissions'] |
| 655 | 655 |
| 656 for perm in perms: | 656 for perm in perms: |
| 657 if perm not in available_perms: | 657 if perm not in available_perms: |
| 658 raise Exception("'%s' permission in not defined" % perm) | 658 raise Exception("'%s' permission is not defined" % perm) |
| 659 self.required_perms = set(perms) | 659 self.required_perms = set(perms) |
| 660 self.user_perms = None | 660 self.user_perms = None |
| 661 self.granted_for = '' | |
| 662 self.repo_name = None | 661 self.repo_name = None |
| 662 self.group_name = None | |
| 663 | 663 |
| 664 def __call__(self, check_Location=''): | 664 def __call__(self, check_Location=''): |
| 665 user = request.user | 665 user = request.user |
| 666 log.debug('checking %s %s %s', self.__class__.__name__, | 666 cls_name = self.__class__.__name__ |
| 667 self.required_perms, user) | 667 check_scope = { |
| 668 'HasPermissionAll': '', | |
| 669 'HasPermissionAny': '', | |
| 670 'HasRepoPermissionAll': 'repo:%s' % self.repo_name, | |
| 671 'HasRepoPermissionAny': 'repo:%s' % self.repo_name, | |
| 672 'HasReposGroupPermissionAll': 'group:%s' % self.group_name, | |
| 673 'HasReposGroupPermissionAny': 'group:%s' % self.group_name, | |
| 674 }.get(cls_name, '?') | |
| 675 log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name, | |
| 676 self.required_perms, user, check_scope, | |
| 677 check_Location or 'unspecified location') | |
| 668 if not user: | 678 if not user: |
| 669 log.debug('Empty request user') | 679 log.debug('Empty request user') |
| 670 return False | 680 return False |
| 671 self.user_perms = user.permissions | 681 self.user_perms = user.permissions |
| 672 self.granted_for = user | |
| 673 | |
| 674 if self.check_permissions(): | 682 if self.check_permissions(): |
| 675 log.debug('Permission granted %s @ %s', self.granted_for, | 683 log.debug('Permission granted for user: %s @ %s', user, |
| 676 check_Location or 'unspecified location') | 684 check_Location or 'unspecified location') |
| 677 return True | 685 return True |
| 678 | 686 |
| 679 else: | 687 else: |
| 680 log.debug('Permission denied for %s @ %s', self.granted_for, | 688 log.debug('Permission denied for user: %s @ %s', user, |
| 681 check_Location or 'unspecified location') | 689 check_Location or 'unspecified location') |
| 682 return False | 690 return False |
| 683 | 691 |
| 684 def check_permissions(self): | 692 def check_permissions(self): |
| 685 """Dummy function for overriding""" | 693 """Dummy function for overriding""" |
| 699 return True | 707 return True |
| 700 return False | 708 return False |
| 701 | 709 |
| 702 | 710 |
| 703 class HasRepoPermissionAll(PermsFunction): | 711 class HasRepoPermissionAll(PermsFunction): |
| 704 | |
| 705 def __call__(self, repo_name=None, check_Location=''): | 712 def __call__(self, repo_name=None, check_Location=''): |
| 706 self.repo_name = repo_name | 713 self.repo_name = repo_name |
| 707 return super(HasRepoPermissionAll, self).__call__(check_Location) | 714 return super(HasRepoPermissionAll, self).__call__(check_Location) |
| 708 | 715 |
| 709 def check_permissions(self): | 716 def check_permissions(self): |
| 710 if not self.repo_name: | 717 if not self.repo_name: |
| 711 self.repo_name = get_repo_slug(request) | 718 self.repo_name = get_repo_slug(request) |
| 712 | 719 |
| 713 try: | 720 try: |
| 714 self.user_perms = set( | 721 self._user_perms = set( |
| 715 [self.user_perms['repositories'][self.repo_name]] | 722 [self.user_perms['repositories'][self.repo_name]] |
| 716 ) | 723 ) |
| 717 except KeyError: | 724 except KeyError: |
| 718 return False | 725 return False |
| 719 self.granted_for = self.repo_name | 726 if self.required_perms.issubset(self._user_perms): |
| 720 if self.required_perms.issubset(self.user_perms): | |
| 721 return True | 727 return True |
| 722 return False | 728 return False |
| 723 | 729 |
| 724 | 730 |
| 725 class HasRepoPermissionAny(PermsFunction): | 731 class HasRepoPermissionAny(PermsFunction): |
| 726 | |
| 727 def __call__(self, repo_name=None, check_Location=''): | 732 def __call__(self, repo_name=None, check_Location=''): |
| 728 self.repo_name = repo_name | 733 self.repo_name = repo_name |
| 729 return super(HasRepoPermissionAny, self).__call__(check_Location) | 734 return super(HasRepoPermissionAny, self).__call__(check_Location) |
| 730 | 735 |
| 731 def check_permissions(self): | 736 def check_permissions(self): |
| 732 if not self.repo_name: | 737 if not self.repo_name: |
| 733 self.repo_name = get_repo_slug(request) | 738 self.repo_name = get_repo_slug(request) |
| 734 | 739 |
| 735 try: | 740 try: |
| 736 self.user_perms = set( | 741 self._user_perms = set( |
| 737 [self.user_perms['repositories'][self.repo_name]] | 742 [self.user_perms['repositories'][self.repo_name]] |
| 738 ) | 743 ) |
| 739 except KeyError: | 744 except KeyError: |
| 740 return False | 745 return False |
| 741 self.granted_for = self.repo_name | 746 if self.required_perms.intersection(self._user_perms): |
| 742 if self.required_perms.intersection(self.user_perms): | |
| 743 return True | 747 return True |
| 744 return False | 748 return False |
| 745 | 749 |
| 746 | 750 |
| 747 class HasReposGroupPermissionAny(PermsFunction): | 751 class HasReposGroupPermissionAny(PermsFunction): |
| 749 self.group_name = group_name | 753 self.group_name = group_name |
| 750 return super(HasReposGroupPermissionAny, self).__call__(check_Location) | 754 return super(HasReposGroupPermissionAny, self).__call__(check_Location) |
| 751 | 755 |
| 752 def check_permissions(self): | 756 def check_permissions(self): |
| 753 try: | 757 try: |
| 754 self.user_perms = set( | 758 self._user_perms = set( |
| 755 [self.user_perms['repositories_groups'][self.group_name]] | 759 [self.user_perms['repositories_groups'][self.group_name]] |
| 756 ) | 760 ) |
| 757 except KeyError: | 761 except KeyError: |
| 758 return False | 762 return False |
| 759 self.granted_for = self.repo_name | 763 if self.required_perms.intersection(self._user_perms): |
| 760 if self.required_perms.intersection(self.user_perms): | |
| 761 return True | 764 return True |
| 762 return False | 765 return False |
| 763 | 766 |
| 764 | 767 |
| 765 class HasReposGroupPermissionAll(PermsFunction): | 768 class HasReposGroupPermissionAll(PermsFunction): |
| 767 self.group_name = group_name | 770 self.group_name = group_name |
| 768 return super(HasReposGroupPermissionAny, self).__call__(check_Location) | 771 return super(HasReposGroupPermissionAny, self).__call__(check_Location) |
| 769 | 772 |
| 770 def check_permissions(self): | 773 def check_permissions(self): |
| 771 try: | 774 try: |
| 772 self.user_perms = set( | 775 self._user_perms = set( |
| 773 [self.user_perms['repositories_groups'][self.group_name]] | 776 [self.user_perms['repositories_groups'][self.group_name]] |
| 774 ) | 777 ) |
| 775 except KeyError: | 778 except KeyError: |
| 776 return False | 779 return False |
| 777 self.granted_for = self.repo_name | 780 if self.required_perms.issubset(self._user_perms): |
| 778 if self.required_perms.issubset(self.user_perms): | |
| 779 return True | 781 return True |
| 780 return False | 782 return False |
| 781 | 783 |
| 782 | 784 |
| 783 #============================================================================== | 785 #============================================================================== |
| 786 class HasPermissionAnyMiddleware(object): | 788 class HasPermissionAnyMiddleware(object): |
| 787 def __init__(self, *perms): | 789 def __init__(self, *perms): |
| 788 self.required_perms = set(perms) | 790 self.required_perms = set(perms) |
| 789 | 791 |
| 790 def __call__(self, user, repo_name): | 792 def __call__(self, user, repo_name): |
| 793 # repo_name MUST be unicode, since we handle keys in permission | |
| 794 # dict by unicode | |
| 795 repo_name = safe_unicode(repo_name) | |
| 791 usr = AuthUser(user.user_id) | 796 usr = AuthUser(user.user_id) |
| 792 try: | 797 try: |
| 793 self.user_perms = set([usr.permissions['repositories'][repo_name]]) | 798 self.user_perms = set([usr.permissions['repositories'][repo_name]]) |
| 794 except: | 799 except Exception: |
| 800 log.error('Exception while accessing permissions %s' % | |
| 801 traceback.format_exc()) | |
| 795 self.user_perms = set() | 802 self.user_perms = set() |
| 796 self.granted_for = '' | |
| 797 self.username = user.username | 803 self.username = user.username |
| 798 self.repo_name = repo_name | 804 self.repo_name = repo_name |
| 799 return self.check_permissions() | 805 return self.check_permissions() |
| 800 | 806 |
| 801 def check_permissions(self): | 807 def check_permissions(self): |
| 802 log.debug('checking mercurial protocol ' | 808 log.debug('checking mercurial protocol ' |
| 803 'permissions %s for user:%s repository:%s', self.user_perms, | 809 'permissions %s for user:%s repository:%s', self.user_perms, |
| 804 self.username, self.repo_name) | 810 self.username, self.repo_name) |
| 805 if self.required_perms.intersection(self.user_perms): | 811 if self.required_perms.intersection(self.user_perms): |
| 806 log.debug('permission granted') | 812 log.debug('permission granted for user:%s on repo:%s' % ( |
| 807 return True | 813 self.username, self.repo_name |
| 808 log.debug('permission denied') | 814 ) |
| 809 return False | 815 ) |
| 816 return True | |
| 817 log.debug('permission denied for user:%s on repo:%s' % ( | |
| 818 self.username, self.repo_name | |
| 819 ) | |
| 820 ) | |
| 821 return False |