matthias/mayan-edms
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'feature/transition_acls' into 'feature/transition_acls'

Browse Source 
Feature/transition acls

See merge request !10
This commit is contained in:
Roberto Rosario
2017-02-24 00:04:54 +00:00
parent 976e6d552f f27e882ad2
commit cca5a44dc1
3 changed files with 36 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
mayan/apps/acls/managers.py
View File

@@ -48,6 +48,10 @@ class AccessControlListManager(models.Manager):
def check_access(self, permissions, user, obj, related=None): def check_access(self, permissions, user, obj, related=None):
if user.is_superuser or user.is_staff: if user.is_superuser or user.is_staff:
logger.debug('Permissions "%s" on "%s" granted to user "%s" as superuser or staff',
permissions,
obj,
user)
return True return True
try: try:
@@ -77,15 +81,31 @@ class AccessControlListManager(models.Manager):
for group in user.groups.all(): for group in user.groups.all():
for role in group.roles.all(): for role in group.roles.all():
if set(stored_permissions).intersection(set(self.get_inherited_permissions(role=role, obj=obj))): if set(stored_permissions).intersection(set(self.get_inherited_permissions(role=role, obj=obj))):
logger.debug('Permissions "%s" on "%s" granted to user "%s" through role "%s" via inherited ACL',
permissions,
obj,
user,
role)
return True return True
user_roles.append(role) user_roles.append(role)
if not self.filter(content_type=ContentType.objects.get_for_model(obj), object_id=obj.pk, permissions__in=stored_permissions, role__in=user_roles).exists(): if not self.filter(content_type=ContentType.objects.get_for_model(obj), object_id=obj.pk, permissions__in=stored_permissions, role__in=user_roles).exists():
logger.debug('Permissions "%s" on "%s" denied for user "%s"',
permissions,
obj,
user)
raise PermissionDenied(ugettext('Insufficient access.')) raise PermissionDenied(ugettext('Insufficient access.'))
logger.debug('Permissions "%s" on "%s" granted to user "%s" through roles "%s" by direct ACL',
permissions,
obj,
user,
user_roles)
def filter_by_access(self, permission, user, queryset): def filter_by_access(self, permission, user, queryset):
if user.is_superuser or user.is_staff: if user.is_superuser or user.is_staff:
logger.debug('Unfiltered queryset returned to user "%s" as superuser or staff',
user)
return queryset return queryset
user_roles = [] user_roles = []
@@ -124,5 +144,8 @@ class AccessControlListManager(models.Manager):
content_type=content_type, role__in=user_roles, content_type=content_type, role__in=user_roles,
permissions=permission.stored_permission permissions=permission.stored_permission
).values_list('object_id', flat=True)) ).values_list('object_id', flat=True))
logger.debug('Filtered queryset returned to user "%s" based on roles "%s"',
user,
user_roles)
return queryset.filter(parent_acl_query | acl_query) return queryset.filter(parent_acl_query | acl_query)

5
mayan/apps/permissions/classes.py
View File

@@ -61,8 +61,9 @@ class Permission(object):
if permission.stored_permission.requester_has_this(requester): if permission.stored_permission.requester_has_this(requester):
return True return True
logger.debug('no permission') logger.debug('User "%s" does not have permissions "%s"',
requester,
permissions)
raise PermissionDenied(_('Insufficient permissions.')) raise PermissionDenied(_('Insufficient permissions.'))
@classmethod @classmethod

12
mayan/apps/permissions/models.py
View File

@@ -46,17 +46,25 @@ class StoredPermission(models.Model):
verbose_name_plural = _('Permissions') verbose_name_plural = _('Permissions')
def requester_has_this(self, user): def requester_has_this(self, user):
logger.debug('user: %s', user)
if user.is_superuser or user.is_staff: if user.is_superuser or user.is_staff:
logger.debug('Permission "%s" granted to user "%s" as superuser or staff',
self,
user)
return True return True
# Request is one of the permission's holders? # Request is one of the permission's holders?
for group in user.groups.all(): for group in user.groups.all():
for role in group.roles.all(): for role in group.roles.all():
if self in role.permissions.all(): if self in role.permissions.all():
logger.debug('Permission "%s" granted to user "%s" through role "%s"',
self,
user,
role)
return True return True
logger.debug('Fallthru') logger.debug('Fallthru: Permission "%s" not granted to user "%s"',
self,
user)
return False return False