External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-14 01:34:45 -03:30
Code Issues Packages Projects Releases Wiki Activity

Streamlining RBAC layer code, adding tests for PUT operations.

Browse Source
This commit is contained in:
Michael DeHaan
2013-03-21 10:25:49 -04:00
parent 8cae93c55f
commit 9237cd6176
3 changed files with 58 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
lib/main/rbac.py
View File

@@ -2,6 +2,7 @@ from lib.main.models import *
from lib.main.serializers import *
from rest_framework import permissions
from django.contrib.auth.models import AnonymousUser
from django.core.exceptions import PermissionDenied
# FIXME: this will probably need to be subclassed by object type
@@ -10,6 +11,7 @@ class CustomRbac(permissions.BasePermission):
def _common_user_check(self, request):
# no anonymous users
if type(request.user) == AnonymousUser:
# 401, not 403, hence no raised exception
return False
# superusers are always good
if request.user.is_superuser:
@@ -17,23 +19,26 @@ class CustomRbac(permissions.BasePermission):
# other users must have associated acom user records & be active
acom_user = User.objects.filter(auth_user = request.user)
if len(acom_user) != 1:
return False
raise PermissionDenied()
if not acom_user[0].active:
return False
raise PermissionDenied()
return True
def has_permission(self, request, view, obj=None):
if not self._common_user_check(request):
return False
if obj is None:
# filtering happens in the view
return True
else:
# haven't tested around these confines yet
raise Exception("FIXME")
raise Exception("did not expect to get to this position")
def has_object_permission(self, request, view, obj):
if request.user.is_superuser:
return True
if not self._common_user_check(request):
return False
# FIXME: TODO: verify the user is actually allowed to see this resource
if not view.permissions_check(request, obj):
raise PermissionDenied()
return True