add org-app endpoint & permissions

This commit is contained in:
adamscmRH
2018-03-19 11:30:37 -04:00
parent a7625b8747
commit e9a128138a
10 changed files with 226 additions and 133 deletions

View File

@@ -580,13 +580,13 @@ class UserAccess(BaseAccess):
class OAuth2ApplicationAccess(BaseAccess):
'''
I can read, change or delete OAuth applications when:
I can read, change or delete OAuth 2 applications when:
- I am a superuser.
- I am the admin of the organization of the user of the application.
- I am the user of the application.
I can create OAuth applications when:
- I am a user in the organization of the application.
I can create OAuth 2 applications when:
- I am a superuser.
- I am the admin of the organization of the user of the application.
- I am the admin of the organization of the organization of the application.
'''
model = OAuth2Application
@@ -596,50 +596,79 @@ class OAuth2ApplicationAccess(BaseAccess):
return self.model.objects.filter(organization__in=self.user.organizations)
def can_change(self, obj, data):
return self.can_read(obj)
if obj.organization in self.user.admin_of_organizations or self.user.is_superuser:
if not self.check_related('organization', Organization, data, role_field='admin_role'):
return False
return True
else:
return False
def can_delete(self, obj):
return self.can_read(obj)
if obj.organization in self.user.admin_of_organizations or self.user.is_superuser:
return True
else:
return False
def can_add(self, data):
if self.user.is_superuser:
return True
user = get_object_from_data('user', User, data)
if not user:
return False
return set(self.user.admin_of_organizations.all()) & set(user.organizations.all())
return True
if not data:
return Organization.accessible_objects(self.user, 'admin_role').exists()
return self.check_related('organization', Organization, data, role_field='admin_role')
class OAuth2TokenAccess(BaseAccess):
'''
I can read, change or delete an OAuth2 token when:
I can read, change or delete an app token when:
- I am a superuser.
- I am the admin of the organization of the user of the token.
- I am the admin of the organization of the application of the token.
- I am the user of the token.
I can create an OAuth token when:
I can create an OAuth2 app token when:
- I have the read permission of the related application.
I can read, change or delete a personal token when:
-
I can create an OAuth2 Personal Access Token when:
- I am a user. But I can only create a PAT for myself.
'''
model = OAuth2AccessToken
select_related = ('user', 'application')
def filtered_queryset(self):
accessible_users = User.objects.filter(
pk__in=self.user.admin_of_organizations.values('member_role__members')
) | User.objects.filter(pk=self.user.pk)
return self.model.objects.filter(user__in=accessible_users)
def filtered_queryset(self):
org_access_qs = Organization.objects.filter(
Q(admin_role__members=self.user) | Q(auditor_role__members=self.user))
return self.model.objects.filter(application__organization__in=org_access_qs) | self.model.objects.filter(user__id=self.user.pk)
def can_change(self, obj, data):
return self.can_read(obj)
print 'obj user:', obj.user, '\nself.user:', self.user
if (self.user.is_superuser) | (obj.user == self.user):
return True
elif self.user.is_system_auditor:
return False
elif not obj.application:
return False
return self.user in obj.application.organization.admin_role
def can_delete(self, obj):
return self.can_read(obj)
if (self.user.is_superuser) | (obj.user == self.user):
return True
elif self.user.is_system_auditor:
return False
elif not obj.application:
return False
return self.user in obj.application.organization.admin_role
def can_add(self, data):
app = get_object_from_data('application', OAuth2Application, data)
if not app:
return True
return OAuth2ApplicationAccess(self.user).can_read(app)
if 'application' in data:
app = get_object_from_data('application', OAuth2Application, data)
if self.user.is_system_auditor:
return False
elif app is None:
return True
return OAuth2ApplicationAccess(self.user).can_read(app)
return True
class OrganizationAccess(BaseAccess):