Check callers of match_policies and get_action_values #1691
Comments
fredreichbier
added
the
Generic: Code-cleanup
|
Hi @fredreichbier I guess you know what to do? ;-) |
fredreichbier
changed the title
This adds a function match_policies_strict as a short-hand for the most usual calls to PolicyClass.match_policies. Working on #1691
This adds a function match_policies_strict as a short-hand for the most usual calls to PolicyClass.match_policies. Working on #1691
|
I think in the medium run, we should refactor our policy matching routines a bit. #1757 contains a first idea. However, as this is quite a big change, I would suggest we do this after 3.1? |
|
Refactoring policy matching sounds nice, but we'll do it in 3.2 at the earliest. |
This adds a function match_policies_strict as a short-hand for the most usual calls to PolicyClass.match_policies. Working on #1691
This adds a function match_policies_strict as a short-hand for the most usual calls to PolicyClass.match_policies. Working on #1691
|
We should also consider the following in this issue: In certain cases we only have a serial number in the request but we would also have to match for realm and resolver. Imagine an administrator who has a policy that allows the admin to unassign tokens in But the endpoint So we either need to add the tokenowner in such cases or we should add the |
|
This is an interesting point! I think in case of unassigning a token, i.e. when the privacyidea/privacyidea/api/lib/prepolicy.py Line 1092 in f1543ce ... but I'm currently not sure how this should behave. Should we set |
This adds a function match_policies_strict as a short-hand for the most usual calls to PolicyClass.match_policies. Working on #1691
Match...allowrd() checks if an action would be allowed based on the policies. It also takes into account, if policies for this situation are defined at_all. Working on #1691
This is used, when the policies are only matched for scope and action: In the webui before a user has logged in. Working on #1691
The remaining policy_object.match_policies calls are replaced by the top level Match.generic().policies() function. Working on #1691
Replace the remaining policy calls for get_action_values with the new Match API. Working on #1691
The get_default_settings of a token class also reads policy definitions. So we also want to use the Match API there. Here we replace the old policy handling with the new Match API, which also requires a signature change of the get_default_settings method. Working on #1691
cornelinux
added
the
Status: Waiting for review
A policy can be used to display the privacyIDEA node in the UI to help the admin and user to distinguish the different privacyIDEA instances. Working on #1691
The gerneric constructor is a legacy constructor, if the other constructors will not match. Taken from PR privacyidea#1870 Working on privacyidea#1691
This is a shortcut for tests in the scope user or admin, if an action is either allowed or if no policies are defined at all. In those cases the user or admin would be allowed to perform the requested action. Taken from privacyidea#1870 Working on privacyidea#1691
Match...allowrd() checks if an action would be allowed based on the policies. It also takes into account, if policies for this situation are defined at_all. Working on privacyidea#1691
This is used, when the policies are only matched for scope and action: In the webui before a user has logged in. Working on privacyidea#1691
The remaining policy_object.match_policies calls are replaced by the top level Match.generic().policies() function. Working on privacyidea#1691
Replace the remaining policy calls for get_action_values with the new Match API. Working on privacyidea#1691
The get_default_settings of a token class also reads policy definitions. So we also want to use the Match API there. Here we replace the old policy handling with the new Match API, which also requires a signature change of the get_default_settings method. Working on privacyidea#1691
A policy can be used to display the privacyIDEA node in the UI to help the admin and user to distinguish the different privacyIDEA instances. Working on privacyidea#1691
In #1672 (last comment), we clarified and documented the meaning of parameters for
match_policiesandget_action_values. We should now ensure that all calling locations of these methods actually pass the parameters correctly (i.e. if they passresolver=None, they really don't care about the resolver).The text was updated successfully, but these errors were encountered: