Allowing more complex permissions checks #25

Merged
merged 1 commit into gabrielhurley:master

2 participants

@dklyle

logical AND of all top level permissions. Will use logical OR for all
first level tuples (check that the user has one permission in the tuple)

Allows users with different roles to access a panel, while a user with
a third role won't be allowed to access the same panel.

Examples:
Checks for all required permissions
('openstack.roles.admin', 'openstack.roles.L3-support')

Checks for admin AND (L2 or L3)
('openstack.roles.admin', ('openstack.roles.L3-support',
                           'openstack.roles.L2-support'),)
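The AND/OR semantics described above, as an added example that is not part of this PR or of openstack_auth: a small Python 3 model in which `has_perm` is a stand-in that checks a constructed set of role strings (the real `User.has_perm` consults Keystone roles), `has_perms` and `has_a_matching_perm` follow the logic the PR describes, and `evaluate`/`demo` are helpers introduced here to exercise the rule `('openstack.roles.admin', ('openstack.roles.L3-support', 'openstack.roles.L2-support'),)` together with the empty-tuple edge case. `StrictRoleUser` is a suggested variant, not something the PR contains.

```python
# Added example, not the PR's own code. Python 3 model of the permission
# semantics: AND over top-level entries, OR within a first-level tuple.
# has_perm here is a stand-in over a constructed set of role strings.


class RoleUser:
    """Stand-in for openstack_auth's User; `roles` is a constructed set."""

    def __init__(self, roles):
        self.roles = set(roles)

    def has_perm(self, perm, obj=None):
        # Stand-in: a permission is granted if the role string is held.
        return perm in self.roles

    def has_a_matching_perm(self, perm_list, obj=None):
        """True if the user holds at least one permission in perm_list (OR)."""
        if not perm_list:
            return True  # mirrors the PR: an empty tuple counts as satisfied
        return any(self.has_perm(p, obj) for p in perm_list)

    def has_perms(self, perm_list, obj=None):
        """AND over top-level entries; a tuple entry is an OR of its members."""
        if not perm_list:
            return True
        for perm in perm_list:
            if isinstance(perm, str):  # Python 3: str instead of basestring
                if not self.has_perm(perm, obj):
                    return False
            else:
                if not self.has_a_matching_perm(perm, obj):
                    return False
        return True


class StrictRoleUser(RoleUser):
    """Suggested variant (assumption): an empty OR-group denies, not grants."""

    def has_a_matching_perm(self, perm_list, obj=None):
        return any(self.has_perm(p, obj) for p in perm_list)


ADMIN = 'openstack.roles.admin'
L2 = 'openstack.roles.L2-support'
L3 = 'openstack.roles.L3-support'

# Rule from the PR description: admin AND (L3 OR L2)
RULE = (ADMIN, (L3, L2),)


def evaluate(roles, rule=RULE, strict=False):
    """Return True if a constructed user holding `roles` satisfies `rule`."""
    cls = StrictRoleUser if strict else RoleUser
    return cls(roles).has_perms(rule)


def demo():
    """Constructed role sets run against the rule; values are the results."""
    return {
        'admin+L2': evaluate({ADMIN, L2}),                  # True
        'admin+L3': evaluate({ADMIN, L3}),                  # True
        'admin only': evaluate({ADMIN}),                    # False: no L2/L3
        'L2+L3 no admin': evaluate({L2, L3}),               # False: AND fails
        'flat rule': evaluate({ADMIN, L3}, (ADMIN, L3)),    # True: plain AND
        'empty group': evaluate({ADMIN}, (ADMIN, ())),      # True: fails open
        'empty group strict': evaluate({ADMIN}, (ADMIN, ()), strict=True),  # False
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print(f'{name}: {result}')
```

The flat rule shows why the change stays backward compatible with Django's `has_perms`: a list of plain strings is still a conjunction. The last two entries show the one behaviour worth deciding deliberately: with the PR's `if not perm_list: return True`, an accidentally empty inner tuple is treated as satisfied, whereas the strict variant treats it as unsatisfiable.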
@dklyle dklyle (commit 4e40eed):

Allowing for more complex combinations of permissions. Will check for
logical AND of all top level permissions. Will use logical OR for all
first level tuples (check that the user has one permission in the tuple)

Allows users with different roles to access a panel, while a user with
a third role won't be allowed to access the same panel.

Examples:
    Checks for all required permissions
    ('openstack.roles.admin', 'openstack.roles.L3-support')

    Checks for admin AND (L2 or L3)
    ('openstack.roles.admin', ('openstack.roles.L3-support',
                               'openstack.roles.L2-support'),)
@gabrielhurley

Since this should be backwards-compatible with the standard django functionality I'm okay with extending it here. Looks good to me.

@gabrielhurley gabrielhurley merged commit 0ad712a into gabrielhurley:master
Commits on Mar 7, 2013
  1. 4e40eed @dklyle committed: Allowing for more complex combinations of permissions. (message as above)
Showing with 50 additions and 0 deletions.
  1. +50 −0 openstack_auth/user.py
50 openstack_auth/user.py
@@ -142,3 +142,53 @@ def save(*args, **kwargs):
def delete(*args, **kwargs):
# Presume we can't write to Keystone.
pass
+
+ # Check for OR'd permission rules, check that user has one of the
+ # required permission.
+ def has_a_matching_perm(self, perm_list, obj=None):
+ """
+ Returns True if the user has one of the specified permissions. If
+ object is passed, it checks if the user has any of the required perms
+ for this object.
+ """
+ # If there are no permissions to check, just return true
+ if not perm_list:
+ return True
+ # Check that user has at least one of the required permissions.
+ for perm in perm_list:
+ if self.has_perm(perm, obj):
+ return True
+ return False
+
+ # Override the default has_perms method. Allowing for more
+ # complex combinations of permissions. Will check for logical AND of
+ # all top level permissions. Will use logical OR for all first level
+ # tuples (check that use has one permissions in the tuple)
+ #
+ # Examples:
+ # Checks for all required permissions
+ # ('openstack.roles.admin', 'openstack.roles.L3-support')
+ #
+ # Checks for admin AND (L2 or L3)
+ # ('openstack.roles.admin', ('openstack.roles.L3-support',
+ # 'openstack.roles.L2-support'),)
+ def has_perms(self, perm_list, obj=None):
+ """
+ Returns True if the user has all of the specified permissions.
+ Tuples in the list will possess the required permissions if
+ the user has a permissions matching one of the elements of
+ that tuple
+ """
+ # If there are no permissions to check, just return true
+ if not perm_list:
+ return True
+ for perm in perm_list:
+ if isinstance(perm, basestring):
+ # check that the permission matches
+ if not self.has_perm(perm, obj):
+ return False
+ else:
+ # check that a permission in the tuple matches
+ if not self.has_a_matching_perm(perm, obj):
+ return False
+ return True
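Review bot: has_a_matching_perm returns True for an empty tuple ("if not perm_list: return True"), so a rule such as ('openstack.roles.admin', ()) is satisfied by the admin role alone; an empty OR-group is far more likely a configuration slip than an intended grant, so failing closed (treat an empty tuple as unsatisfied, or raise) would be the safer default. The has_perms docstring should also state that only one level of nesting is supported: a tuple inside a tuple is handed to self.has_perm unchanged by has_a_matching_perm rather than evaluated. Finally, isinstance(perm, basestring) ties the override to Python 2; if Python 3 support is planned, check against str (or six.string_types).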