import re
from kinto.authorization import PERMISSIONS_INHERITANCE_TREE
from pyramid.exceptions import ConfigurationError
from pyramid.settings import asbool
from .authentication import AccountsAuthenticationPolicy as AccountsPolicy
from .utils import ACCOUNT_CACHE_KEY, ACCOUNT_POLICY_NAME
# Public re-exports of this plugin package: the cache key and policy name
# constants come from `.utils`, the authentication policy from `.authentication`.
__all__ = [
    "ACCOUNT_CACHE_KEY",
    "ACCOUNT_POLICY_NAME",
    "AccountsPolicy",
]
# Documentation link quoted in configuration error messages raised by includeme().
DOCS_URL = "https://kinto.readthedocs.io/en/stable/api/1.x/accounts.html"
def includeme(config):
    """Register the accounts plugin with the Pyramid ``config``.

    Steps, in order:

    1. Advertise the ``accounts`` API capability and scan the plugin views.
    2. Extend the shared ``PERMISSIONS_INHERITANCE_TREE`` with the
       ``account:create`` root permission and the ``account`` resource tree.
    3. If ``account_validation`` is enabled in settings, advertise the
       ``account-validation`` capability and include ``pyramid_mailer``
       (or its ``.debug`` variant when ``mail.debug_mailer`` is true).
    4. Validate the authentication configuration, raising
       ``ConfigurationError`` when:

       * no ``multiauth.policy.<name>.use`` setting points at the accounts
         policy class;
       * ``basicauth`` is listed before the accounts policy in
         ``multiauth.policies`` (basicauth would otherwise shadow it);
       * some principal in ``account_create_principals`` is not also in
         ``account_write_principals`` (``system.Everyone`` excepted), since
         such principals could only ever create their own account.

    Args:
        config: the Pyramid ``Configurator`` for the application.

    Raises:
        ConfigurationError: on any of the misconfigurations listed above.
    """
    accounts_docs = "https://kinto.readthedocs.io/en/latest/api/1.x/accounts.html"
    config.add_api_capability(
        "accounts",
        description="Manage user accounts.",
        url=accounts_docs,
    )
    config.scan("kinto.plugins.accounts.views")

    # Wire the plugin's permissions into the shared inheritance tree.
    PERMISSIONS_INHERITANCE_TREE["root"].update({"account:create": {}})
    PERMISSIONS_INHERITANCE_TREE["account"] = {
        "write": {"account": ["write"]},
        "read": {"account": ["write", "read"]},
    }

    settings = config.get_settings()

    if settings.get("account_validation", False):
        config.add_api_capability(
            "account-validation",
            description="Validate accounts",
            url=accounts_docs,
        )
        # The debug mailer only logs outgoing mail instead of sending it.
        if asbool(settings.get("mail.debug_mailer", "false")):
            mailer_module = "pyramid_mailer.debug"
        else:
            mailer_module = "pyramid_mailer"
        config.include(mailer_module)

    # The plugin is useless unless some multiauth policy uses the accounts
    # policy class; find the policy name from the settings. If several keys
    # match, the last one encountered wins (same as iterating settings.items()).
    policy_class_name = "AccountsPolicy"
    accepted_suffixes = (policy_class_name, "AccountsAuthenticationPolicy")
    policy_key_pattern = re.compile(r"multiauth\.policy\.(.*)\.use")
    policy = None
    for key, value in settings.items():
        matched = policy_key_pattern.match(key)
        if not matched:
            continue
        if value.endswith(accepted_suffixes):
            policy = matched.group(1)

    if not policy:
        raise ConfigurationError(
            "Account policy missing the 'multiauth.policy.*.use' "
            f"setting. See {policy_class_name} in docs {DOCS_URL}."
        )

    # Guard against basicauth taking precedence over the accounts policy: the
    # membership and ordering checks are applied to the raw setting value.
    auth_policies = settings["multiauth.policies"]
    both_listed = "basicauth" in auth_policies and policy in auth_policies
    if both_listed and auth_policies.index("basicauth") < auth_policies.index(policy):
        raise ConfigurationError(
            f"'basicauth' should not be mentioned before '{policy}' "
            "in 'multiauth.policies' setting."
        )

    # Anyone in account_create_principals is assumed to be meant to create
    # accounts for *other* people, which only account_write_principals
    # ("admins") can do. So every creator must also be an admin; system.Everyone
    # is not an account and is excluded from the check.
    creators = set(settings.get("account_create_principals", "").split())
    admins = set(settings.get("account_write_principals", "").split())
    creators_without_admin = creators - admins
    creators_without_admin.discard("system.Everyone")
    if creators_without_admin:
        raise ConfigurationError(
            "Configuration has some principals in account_create_principals "
            "but not in account_write_principals. These principals will only be "
            "able to create their own accounts. This may not be what you want.\n"
            "If you want these users to be able to create accounts for other users, "
            "add them to account_write_principals.\n"
            f"Affected users: {list(creators_without_admin)}"
        )