

Removed auth groups from tests, controller, model and logic
rossjones committed Aug 28, 2012
1 parent fbb9160 commit 45c3181
Showing 57 changed files with 207 additions and 2,314 deletions.
61 changes: 15 additions & 46 deletions ckan/authz.py
@@ -27,7 +27,7 @@ class Authorizer(object):
'''
blacklister = Blacklister
extensions = PluginImplementations(IAuthorizer)

@classmethod
def am_authorized(cls, c, action, domain_object):
username = c.user or c.author
@@ -36,7 +36,7 @@ def am_authorized(cls, c, action, domain_object):
@classmethod
def is_authorized(cls, username, action, domain_object):
'''Authorize `action` by `username` on `domain_object`.
:param username: a user identifier (may be e.g. an IP address).
:param action: a ckan.model.authz.Action enumeration.
:param domain_object: the domain object instance (or class/type in the
@@ -47,7 +47,7 @@ def is_authorized(cls, username, action, domain_object):
if isinstance(username, str):
username = username.decode('utf8')
assert isinstance(username, unicode), type(username)

for extension in cls.extensions:
authorized = extension.is_authorized(username,
action,
@@ -92,7 +92,7 @@ def get_domain_object_roles_printable(cls, domain_obj):
printable_prs = []
for user, role in prs:
printable_prs.append('%s - \t%s' % (user.name, role))
return '%s roles:\n' % domain_obj.name + '\n'.join(printable_prs)
return '%s roles:\n' % domain_obj.name + '\n'.join(printable_prs)

@classmethod
def get_domain_object_roles(cls, domain_obj):
@@ -102,29 +102,9 @@ def get_domain_object_roles(cls, domain_obj):
q = model.Session.query(model.PackageRole).filter_by(package=domain_obj)
elif isinstance(domain_obj, model.Group):
q = model.Session.query(model.GroupRole).filter_by(group=domain_obj)
elif isinstance(domain_obj, model.AuthorizationGroup):
q = model.Session.query(model.AuthorizationGroupRole).filter_by(authorization_group=domain_obj)
prs = [ (pr.user, pr.role) for pr in q.all() ]
return prs

@classmethod
def get_authorization_groups(cls, username):
q = model.Session.query(model.AuthorizationGroup)
q = q.autoflush(False)
user = model.User.by_name(username, autoflush=False)
if username == model.PSEUDO_USER__VISITOR or not user:
q = q.filter(model.AuthorizationGroup.users.any(name=model.PSEUDO_USER__VISITOR))
else:
q = q.filter(model.AuthorizationGroup.users.any(
sa.or_(model.User.name==model.PSEUDO_USER__VISITOR,
model.User.name==model.PSEUDO_USER__LOGGED_IN,
model.User.name==username)))

groups = q.all()
for extension in cls.extensions:
extra_groups = extension.get_authorization_groups(username)
groups.extend(extra_groups)
return groups

@classmethod
def get_roles(cls, username, domain_obj):
@@ -134,25 +114,22 @@ def get_roles(cls, username, domain_obj):
assert isinstance(username, unicode), repr(username)

# filter by user and pseudo-users
# TODO: these can be made into subqueries/joins!
# TODO: these can be made into subqueries/joins!
user = model.User.by_name(username, autoflush=False)
visitor = model.User.by_name(model.PSEUDO_USER__VISITOR, autoflush=False)
q = cls._get_roles_query(domain_obj)
q = q.autoflush(False)

filters = [model.UserObjectRole.user==visitor]
# check for groups:
for authz_group in cls.get_authorization_groups(username):
filters.append(model.UserObjectRole.authorized_group==authz_group)


if (username != model.PSEUDO_USER__VISITOR) and (user is not None):
logged_in = model.User.by_name(model.PSEUDO_USER__LOGGED_IN)
filters.append(model.UserObjectRole.user==user)
filters.append(model.UserObjectRole.user==logged_in)

q = q.filter(sa.or_(*filters))
return [pr.role for pr in q]

@classmethod
def is_sysadmin(cls, user):
'''Returns whether the given user a sys-admin?
@@ -180,9 +157,6 @@ def get_admins(cls, domain_obj):
elif isinstance(domain_obj, model.Group):
q = model.Session.query(model.GroupRole).filter_by(group=domain_obj,
role=model.Role.ADMIN)
elif isinstance(domain_obj, model.AuthorizationGroup):
q = model.Session.query(model.AuthorizationGroupRole).filter_by(authorization_group=domain_obj,
role=model.Role.ADMIN)
q = q.autoflush(False)
admins = [do_role.user for do_role in q.all() if do_role.user]
return admins
@@ -202,24 +176,22 @@ def authorized_query(cls, username, entity, action=model.Action.READ):
# This gets the role table the entity is joined to. we
# need to use this in the queries below as if we use
# model.UserObjectRole a cross join happens always
# returning all the roles.
# returning all the roles.
if hasattr(entity, 'continuity'):
q = q.filter_by(current=True)
q = q.outerjoin('continuity', 'roles')
continuity = entity.continuity.property.mapper.class_
role_cls = continuity.roles.property.mapper.class_
role_cls = continuity.roles.property.mapper.class_
else:
role_cls = entity.roles.property.mapper.class_
role_cls = entity.roles.property.mapper.class_
q = q.outerjoin('roles')

if hasattr(entity, 'state'):
state = entity.state
else:
state = None

filters = [model.UserObjectRole.user==visitor]
for authz_group in cls.get_authorization_groups(username):
filters.append(role_cls.authorized_group==authz_group)
if user:
filters.append(role_cls.user==user)
filters.append(role_cls.user==logged_in)
@@ -234,7 +206,7 @@ def authorized_query(cls, username, entity, action=model.Action.READ):
model.RoleAction.action==action,
state and state!=model.State.DELETED),
)
q = q.filter(sa.or_(*filters))
q = q.filter(sa.or_(*filters))
q = q.distinct()

return q
@@ -282,9 +254,6 @@ def _get_roles_query(cls, domain_obj):
elif isinstance(domain_obj, model.Group):
q = q.with_polymorphic(model.GroupRole)
q = q.filter(model.GroupRole.group==domain_obj)
elif isinstance(domain_obj, model.AuthorizationGroup):
q = q.with_polymorphic(model.AuthorizationGroupRole)
q = q.filter(model.AuthorizationGroupRole.authorization_group==domain_obj)
elif isinstance(domain_obj, model.System):
q = q.with_polymorphic(model.SystemRole)
q = q.filter(model.SystemRole.context==unicode(model.System.__name__))
@@ -295,4 +264,4 @@ def _get_roles_query(cls, domain_obj):
q = q.filter_by(context=unicode(context))
return q
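Review bot: In authorized_query the visitor clause is still built as `filters = [model.UserObjectRole.user==visitor]`, although the comment a few lines above it says the filters must go through `role_cls` because referencing `model.UserObjectRole` produces a cross join that returns all the roles. If that comment is accurate, this clause can match role rows that are not joined to the entity being queried, which would make the READ filter broader than intended for anonymous requests; the user and logged_in clauses just below it already use `role_cls`. Since this commit edits the lines directly around it, I would change it to `filters = [role_cls.user==visitor]` and add a test that a visitor role on one object does not make a different object readable. The function's body starts before this hunk and continues into the next one, so the surrounding filter logic is only partly visible here.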


14 changes: 0 additions & 14 deletions ckan/config/routing.py
@@ -58,7 +58,6 @@ def make_map():
'tag',
'group',
'related',
'authorizationgroup',
'revision',
'licenses',
'rating',
@@ -119,8 +118,6 @@ def make_map():
action='format_autocomplete', conditions=GET)
m.connect('/util/resource/format_icon',
action='format_icon', conditions=GET)
m.connect('/util/authorizationgroup/autocomplete',
action='authorizationgroup_autocomplete')
m.connect('/util/group/autocomplete', action='group_autocomplete')
m.connect('/util/markdown', action='markdown')
m.connect('/util/dataset/munge_name', action='munge_package_name')
@@ -229,17 +226,6 @@ def make_map():
register_package_plugins(map)
register_group_plugins(map)

# authz group
map.redirect('/authorizationgroups', '/authorizationgroup')
map.redirect('/authorizationgroups/{url:.*}', '/authorizationgroup/{url}')
with SubMapper(map, controller='authorization_group') as m:
m.connect('/authorizationgroup', action='index')
m.connect('/authorizationgroup/list', action='list')
m.connect('/authorizationgroup/new', action='new')
m.connect('/authorizationgroup/edit/{id}', action='edit')
m.connect('/authorizationgroup/authz/{id}', action='authz')
m.connect('/authorizationgroup/{id}', action='read')

# tags
map.redirect('/tags', '/tag')
map.redirect('/tags/{url:.*}', '/tag/{url}')
