nk20/apps/permission/scopes.py

# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later
from oauth2_provider.oauth2_validators import OAuth2Validator
from oauth2_provider.scopes import BaseScopes
from member.models import Club
from note_kfet.middlewares import get_current_request

from .backends import PermissionBackend
from .models import Permission


class PermissionScopes(BaseScopes):
    """
    An OAuth2 scope is defined by a permission object and a club.
    A token will have a subset of permissions from the owner of the application,
    and can be useful to make queries through the API with limited privileges.
    """

    def get_all_scopes(self):
        return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
                for p in Permission.objects.all() for club in Club.objects.all()}

    def get_available_scopes(self, application=None, request=None, *args, **kwargs):
        if not application:
            return []
        return [f"{p.id}_{p.membership.club.id}"
                for t in Permission.PERMISSION_TYPES
                for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]

    def get_default_scopes(self, application=None, request=None, *args, **kwargs):
        if not application:
            return []
        return [f"{p.id}_{p.membership.club.id}"
                for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]


class PermissionOAuth2Validator(OAuth2Validator):
    def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
        """
        User can request as many scope as he wants, including invalid scopes,
        but it will have only the permissions he has.

        This allows clients to request more permission to get finally a
        subset of permissions.
        """

        valid_scopes = set()

        for t in Permission.PERMISSION_TYPES:
            for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0]):
                scope = f"{p.id}_{p.membership.club.id}"
                if scope in scopes:
                    valid_scopes.add(scope)

        request.scopes = valid_scopes

        return valid_scopes
Update 131 files - /apps/activity/api/serializers.py - /apps/activity/api/urls.py - /apps/activity/api/views.py - /apps/activity/tests/test_activities.py - /apps/activity/__init__.py - /apps/activity/admin.py - /apps/activity/apps.py - /apps/activity/forms.py - /apps/activity/tables.py - /apps/activity/urls.py - /apps/activity/views.py - /apps/api/__init__.py - /apps/api/apps.py - /apps/api/serializers.py - /apps/api/tests.py - /apps/api/urls.py - /apps/api/views.py - /apps/api/viewsets.py - /apps/logs/signals.py - /apps/logs/apps.py - /apps/logs/__init__.py - /apps/logs/api/serializers.py - /apps/logs/api/urls.py - /apps/logs/api/views.py - /apps/member/api/serializers.py - /apps/member/api/urls.py - /apps/member/api/views.py - /apps/member/templatetags/memberinfo.py - /apps/member/__init__.py - /apps/member/admin.py - /apps/member/apps.py - /apps/member/auth.py - /apps/member/forms.py - /apps/member/hashers.py - /apps/member/signals.py - /apps/member/tables.py - /apps/member/urls.py - /apps/member/views.py - /apps/note/api/serializers.py - /apps/note/api/urls.py - /apps/note/api/views.py - /apps/note/models/__init__.py - /apps/note/static/note/js/consos.js - /apps/note/templates/note/mails/negative_balance.txt - /apps/note/templatetags/getenv.py - /apps/note/templatetags/pretty_money.py - /apps/note/tests/test_transactions.py - /apps/note/__init__.py - /apps/note/admin.py - /apps/note/apps.py - /apps/note/forms.py - /apps/note/signals.py - /apps/note/tables.py - /apps/note/urls.py - /apps/note/views.py - /apps/permission/api/serializers.py - /apps/permission/api/urls.py - /apps/permission/api/views.py - /apps/permission/templatetags/perms.py - /apps/permission/tests/test_oauth2.py - /apps/permission/tests/test_permission_denied.py - /apps/permission/tests/test_permission_queries.py - /apps/permission/tests/test_rights_page.py - /apps/permission/__init__.py - /apps/permission/admin.py - /apps/permission/backends.py - /apps/permission/apps.py - /apps/permission/decorators.py - /apps/permission/permissions.py - /apps/permission/scopes.py - /apps/permission/signals.py - /apps/permission/tables.py - /apps/permission/urls.py - /apps/permission/views.py - /apps/registration/tests/test_registration.py - /apps/registration/__init__.py - /apps/registration/apps.py - /apps/registration/forms.py - /apps/registration/tables.py - /apps/registration/tokens.py - /apps/registration/urls.py - /apps/registration/views.py - /apps/treasury/api/serializers.py - /apps/treasury/api/urls.py - /apps/treasury/api/views.py - /apps/treasury/templatetags/escape_tex.py - /apps/treasury/tests/test_treasury.py - /apps/treasury/__init__.py - /apps/treasury/admin.py - /apps/treasury/apps.py - /apps/treasury/forms.py - /apps/treasury/signals.py - /apps/treasury/tables.py - /apps/treasury/urls.py - /apps/treasury/views.py - /apps/wei/api/serializers.py - /apps/wei/api/urls.py - /apps/wei/api/views.py - /apps/wei/forms/surveys/__init__.py - /apps/wei/forms/surveys/base.py - /apps/wei/forms/surveys/wei2021.py - /apps/wei/forms/surveys/wei2022.py - /apps/wei/forms/surveys/wei2023.py - /apps/wei/forms/__init__.py - /apps/wei/forms/registration.py - /apps/wei/management/commands/export_wei_registrations.py - /apps/wei/management/commands/import_scores.py - /apps/wei/management/commands/wei_algorithm.py - /apps/wei/templates/wei/weilist_sample.tex - /apps/wei/tests/test_wei_algorithm_2021.py - /apps/wei/tests/test_wei_algorithm_2022.py - /apps/wei/tests/test_wei_algorithm_2023.py - /apps/wei/tests/test_wei_registration.py - /apps/wei/__init__.py - /apps/wei/admin.py - /apps/wei/apps.py - /apps/wei/tables.py - /apps/wei/urls.py - /apps/wei/views.py - /note_kfet/settings/__init__.py - /note_kfet/settings/base.py - /note_kfet/settings/development.py - /note_kfet/settings/secrets_example.py - /note_kfet/static/js/base.js - /note_kfet/admin.py - /note_kfet/inputs.py - /note_kfet/middlewares.py - /note_kfet/urls.py - /note_kfet/views.py - /note_kfet/wsgi.py - /entrypoint.sh 2024-02-07 01:26:49 +00:00			`# Copyright (C) 2018-2024 by BDE ENS Paris-Saclay`
Implement OAuth2 scopes based on permissions Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-14 21:30:01 +00:00			`# SPDX-License-Identifier: GPL-3.0-or-later`
Implement optional scopes : clients can request scopes, but they are not guaranteed to get them Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-12-23 20:59:37 +00:00			`from oauth2_provider.oauth2_validators import OAuth2Validator`
Implement OAuth2 scopes based on permissions Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-14 21:30:01 +00:00			`from oauth2_provider.scopes import BaseScopes`
			`from member.models import Club`
Better templates for OAuth2 authentication Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-15 19:31:51 +00:00			`from note_kfet.middlewares import get_current_request`
Implement OAuth2 scopes based on permissions Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-14 21:30:01 +00:00
			`from .backends import PermissionBackend`
			`from .models import Permission`


			`class PermissionScopes(BaseScopes):`
			`"""`
			`An OAuth2 scope is defined by a permission object and a club.`
			`A token will have a subset of permissions from the owner of the application,`
			`and can be useful to make queries through the API with limited privileges.`
			`"""`

			`def get_all_scopes(self):`
			`return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"`
			`for p in Permission.objects.all() for club in Club.objects.all()}`

			`def get_available_scopes(self, application=None, request=None, args, *kwargs):`
			`if not application:`
			`return []`
			`return [f"{p.id}_{p.membership.club.id}"`
			`for t in Permission.PERMISSION_TYPES`
Better templates for OAuth2 authentication Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-15 19:31:51 +00:00			`for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]`
Implement OAuth2 scopes based on permissions Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-14 21:30:01 +00:00
			`def get_default_scopes(self, application=None, request=None, args, *kwargs):`
			`if not application:`
			`return []`
			`return [f"{p.id}_{p.membership.club.id}"`
Better templates for OAuth2 authentication Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-15 19:31:51 +00:00			`for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]`
Implement optional scopes : clients can request scopes, but they are not guaranteed to get them Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-12-23 20:59:37 +00:00

			`class PermissionOAuth2Validator(OAuth2Validator):`
			`def validate_scopes(self, client_id, scopes, client, request, args, *kwargs):`
			`"""`
			`User can request as many scope as he wants, including invalid scopes,`
			`but it will have only the permissions he has.`

			`This allows clients to request more permission to get finally a`
			`subset of permissions.`
			`"""`

			`valid_scopes = set()`

			`for t in Permission.PERMISSION_TYPES:`
			`for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0]):`
			`scope = f"{p.id}_{p.membership.club.id}"`
			`if scope in scopes:`
			`valid_scopes.add(scope)`

			`request.scopes = valid_scopes`

			`return valid_scopes`