nk20/apps/permission/backends.py

# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later

from django.conf import settings
from django.contrib.auth.backends import ModelBackend
from django.contrib.auth.models import User, AnonymousUser
from django.contrib.contenttypes.models import ContentType
from django.db.models import Q, F
from django.utils import timezone
from note.models import Note, NoteUser, NoteClub, NoteSpecial
from note_kfet.middlewares import get_current_session
from member.models import Membership, Club

from .decorators import memoize
from .models import Permission


class PermissionBackend(ModelBackend):
    """
    Manage permissions of users
    """
    supports_object_permissions = True
    supports_anonymous_user = False
    supports_inactive_user = False

    @staticmethod
    @memoize
    def get_raw_permissions(user, t):
        """
        Query permissions of a certain type for a user, then memoize it.
        :param user: The owner of the permissions
        :param t: The type of the permissions: view, change, add or delete
        :return: The queryset of the permissions of the user (memoized) grouped by clubs
        """
        if isinstance(user, AnonymousUser):
            # Unauthenticated users have no permissions
            return Permission.objects.none()

        memberships = Membership.objects.filter(user=user).all()
        
        perms = []

        for membership in memberships:
            for role in membership.roles.all():
                for perm in role.permissions.filter(type=t, mask__rank__lte=get_current_session().get("permission_mask", -1)).all():
                    if not perm.permanent:
                        if membership.date_start > timezone.now().date() or membership.date_end < timezone.now().date():
                            continue
                    perm.membership = membership
                    perms.append(perm)
        return perms


    @staticmethod
    def permissions(user, model, type):
        """
        List all permissions of the given user that applies to a given model and a give type
        :param user: The owner of the permissions
        :param model: The model that the permissions shoud apply
        :param type: The type of the permissions: view, change, add or delete
        :return: A generator of the requested permissions
        """

        for permission in PermissionBackend.get_raw_permissions(user, type):
            if not isinstance(model.model_class()(), permission.model.model_class()) or not permission.membership:
                continue

            membership = permission.membership
            club = membership.club

            permission = permission.about(
                user=user,
                club=club,
                membership=membership,
                User=User,
                Club=Club,
                Membership=Membership,
                Note=Note,
                NoteUser=NoteUser,
                NoteClub=NoteClub,
                NoteSpecial=NoteSpecial,
                F=F,
                Q=Q,
                now=timezone.now(),
                today=timezone.now().date(),
            )
            yield permission

    @staticmethod
    @memoize
    def filter_queryset(user, model, t, field=None):
        """
        Filter a queryset by considering the permissions of a given user.
        :param user: The owner of the permissions that are fetched
        :param model: The concerned model of the queryset
        :param t: The type of modification (view, add, change, delete)
        :param field: The field of the model to test, if concerned
        :return: A query that corresponds to the filter to give to a queryset
        """
        if user is None or isinstance(user, AnonymousUser):
            # Anonymous users can't do anything
            return Q(pk=-1)

        if user.is_superuser and get_current_session().get("permission_mask", -1) >= 42:
            # Superusers have all rights
            return Q()

        if not isinstance(model, ContentType):
            model = ContentType.objects.get_for_model(model)

        # Never satisfied
        query = Q(pk=-1)
        perms = PermissionBackend.permissions(user, model, t)
        for perm in perms:
            if perm.field and field != perm.field:
                continue
            if perm.type != t or perm.model != model:
                continue
            perm.update_query()
            query = query | perm.query
        return query

    @staticmethod
    @memoize
    def check_perm(user_obj, perm, obj=None):
        """
        Check is the given user has the permission over a given object.
        The result is then memoized.
        Exception: for add permissions, since the object is not hashable since it doesn't have any
        primary key, the result is not memoized. Moreover, the right could change
        (e.g. for a transaction, the balance of the user could change)
        """
        if user_obj is None or isinstance(user_obj, AnonymousUser):
            return False

        sess = get_current_session()
        if sess is not None and sess.session_key is None:
            return False

        if user_obj.is_superuser and get_current_session().get("permission_mask", -1) >= 42:
            return True

        if obj is None:
            return True

        perm = perm.split('.')[-1].split('_', 2)
        perm_type = perm[0]
        perm_field = perm[2] if len(perm) == 3 else None

        ct = ContentType.objects.get_for_model(obj)
        if any(permission.applies(obj, perm_type, perm_field)
               for permission in PermissionBackend.permissions(user_obj, ct, perm_type)):
            return True
        return False

    def has_perm(self, user_obj, perm, obj=None):
        return PermissionBackend.check_perm(user_obj, perm, obj)

    def has_module_perms(self, user_obj, app_label):
        return False

    def get_all_permissions(self, user_obj, obj=None):
        ct = ContentType.objects.get_for_model(obj)
        return list(self.permissions(user_obj, ct, "view"))
Update a lot of things 2020-03-07 12:12:17 +00:00			`# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay`
			`# SPDX-License-Identifier: GPL-3.0-or-later`

Linters 2020-05-29 19:43:24 +00:00			`from django.conf import settings`
Fix CI 2020-03-20 01:14:43 +00:00			`from django.contrib.auth.backends import ModelBackend`
Anonymous users have no right 2020-03-20 17:22:20 +00:00			`from django.contrib.auth.models import User, AnonymousUser`
Protect views from viewing if the user has no right to view an object 2020-03-19 01:26:06 +00:00			`from django.contrib.contenttypes.models import ContentType`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`from django.db.models import Q, F`
Create a test to check that permission queries are well formed 2020-05-30 13:46:09 +00:00			`from django.utils import timezone`
Remove note activities 2020-03-31 12:57:44 +00:00			`from note.models import Note, NoteUser, NoteClub, NoteSpecial`
Implements permission masks 2020-03-19 15:12:52 +00:00			`from note_kfet.middlewares import get_current_session`
Restructurate code 2020-03-20 13:43:35 +00:00			`from member.models import Membership, Club`
Added permission app 2019-09-18 12:26:42 +00:00
Fix CI 2020-04-01 22:42:00 +00:00			`from .decorators import memoize`
Anonymous users have no right 2020-03-20 17:22:20 +00:00			`from .models import Permission`

Added permission app 2019-09-18 12:26:42 +00:00
Update a lot of things 2020-03-07 12:12:17 +00:00			`class PermissionBackend(ModelBackend):`
Comment code 2020-03-20 14:58:14 +00:00			`"""`
			`Manage permissions of users`
			`"""`
Added permission app 2019-09-18 12:26:42 +00:00			`supports_object_permissions = True`
			`supports_anonymous_user = False`
			`supports_inactive_user = False`

Optimize permissions, use memoization 2020-04-01 22:30:22 +00:00			`@staticmethod`
			`@memoize`
			`def get_raw_permissions(user, t):`
			`"""`
			`Query permissions of a certain type for a user, then memoize it.`
			`:param user: The owner of the permissions`
			`:param t: The type of the permissions: view, change, add or delete`
			`:return: The queryset of the permissions of the user (memoized) grouped by clubs`
			`"""`
			`if isinstance(user, AnonymousUser):`
			`# Unauthenticated users have no permissions`
			`return Permission.objects.none()`

:bug: Calculating permissions faster 2020-07-28 13:25:08 +00:00			`memberships = Membership.objects.filter(user=user).all()`

			`perms = []`

			`for membership in memberships:`
			`for role in membership.roles.all():`
Only staff with good permission mask can visit Django Admin 2020-07-29 09:38:59 +00:00			`for perm in role.permissions.filter(type=t, mask__rank__lte=get_current_session().get("permission_mask", -1)).all():`
:bug: Calculating permissions faster 2020-07-28 13:25:08 +00:00			`if not perm.permanent:`
			`if membership.date_start > timezone.now().date() or membership.date_end < timezone.now().date():`
			`continue`
			`perm.membership = membership`
			`perms.append(perm)`
			`return perms`
With distinct permissions, we don't need to check ~ 100 000 permissions to check if someone can log in 2020-05-29 19:11:51 +00:00
Optimize permissions, use memoization 2020-04-01 22:30:22 +00:00
Protect views from viewing if the user has no right to view an object 2020-03-19 01:26:06 +00:00			`@staticmethod`
Optimize permissions, full support add perms, more fixtures 2020-03-19 23:06:28 +00:00			`def permissions(user, model, type):`
Comment code 2020-03-20 14:58:14 +00:00			`"""`
			`List all permissions of the given user that applies to a given model and a give type`
			`:param user: The owner of the permissions`
			`:param model: The model that the permissions shoud apply`
			`:param type: The type of the permissions: view, change, add or delete`
			`:return: A generator of the requested permissions`
			`"""`
Optimize permissions, use memoization 2020-04-01 22:30:22 +00:00
			`for permission in PermissionBackend.get_raw_permissions(user, type):`
:bug: Calculating permissions faster 2020-07-28 13:25:08 +00:00			`if not isinstance(model.model_class()(), permission.model.model_class()) or not permission.membership:`
Comment code 2020-03-20 14:58:14 +00:00			`continue`

:bug: Calculating permissions faster 2020-07-28 13:25:08 +00:00			`membership = permission.membership`
			`club = membership.club`
Add PDF member lists 2020-04-23 16:28:16 +00:00
More optimisation 2020-03-20 00:46:59 +00:00			`permission = permission.about(`
			`user=user,`
			`club=club,`
Add PDF member lists 2020-04-23 16:28:16 +00:00			`membership=membership,`
More optimisation 2020-03-20 00:46:59 +00:00			`User=User,`
			`Club=Club,`
			`Membership=Membership,`
			`Note=Note,`
			`NoteUser=NoteUser,`
			`NoteClub=NoteClub,`
			`NoteSpecial=NoteSpecial,`
			`F=F,`
Add initial WEI permissions 2020-04-22 11:28:52 +00:00			`Q=Q,`
Create a test to check that permission queries are well formed 2020-05-30 13:46:09 +00:00			`now=timezone.now(),`
			`today=timezone.now().date(),`
More optimisation 2020-03-20 00:46:59 +00:00			`)`
Optimize permissions, use memoization 2020-04-01 22:30:22 +00:00			`yield permission`
Added permission app 2019-09-18 12:26:42 +00:00
Protect views from viewing if the user has no right to view an object 2020-03-19 01:26:06 +00:00			`@staticmethod`
Optimize permissions, use memoization 2020-04-01 22:30:22 +00:00			`@memoize`
Protect views from viewing if the user has no right to view an object 2020-03-19 01:26:06 +00:00			`def filter_queryset(user, model, t, field=None):`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`"""`
			`Filter a queryset by considering the permissions of a given user.`
			`:param user: The owner of the permissions that are fetched`
			`:param model: The concerned model of the queryset`
Protect views from viewing if the user has no right to view an object 2020-03-19 01:26:06 +00:00			`:param t: The type of modification (view, add, change, delete)`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`:param field: The field of the model to test, if concerned`
			`:return: A query that corresponds to the filter to give to a queryset`
			`"""`
Anonymous users have no right 2020-03-20 17:22:20 +00:00			`if user is None or isinstance(user, AnonymousUser):`
			`# Anonymous users can't do anything`
			`return Q(pk=-1)`

Only staff with good permission mask can visit Django Admin 2020-07-29 09:38:59 +00:00			`if user.is_superuser and get_current_session().get("permission_mask", -1) >= 42:`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`# Superusers have all rights`
			`return Q()`

Protect views from viewing if the user has no right to view an object 2020-03-19 01:26:06 +00:00			`if not isinstance(model, ContentType):`
			`model = ContentType.objects.get_for_model(model)`

Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`# Never satisfied`
			`query = Q(pk=-1)`
More optimisation 2020-03-20 00:46:59 +00:00			`perms = PermissionBackend.permissions(user, model, t)`
			`for perm in perms:`
Protect views from viewing if the user has no right to view an object 2020-03-19 01:26:06 +00:00			`if perm.field and field != perm.field:`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`continue`
Optimize permissions, full support add perms, more fixtures 2020-03-19 23:06:28 +00:00			`if perm.type != t or perm.model != model:`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`continue`
More optimisation 2020-03-20 00:46:59 +00:00			`perm.update_query()`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`query = query \| perm.query`
			`return query`

The memoization doesn't work when objects don't have a primary key. 2020-04-02 12:50:28 +00:00			`@staticmethod`
Optimize permissions, use memoization 2020-04-01 22:30:22 +00:00			`@memoize`
The memoization doesn't work when objects don't have a primary key. 2020-04-02 12:50:28 +00:00			`def check_perm(user_obj, perm, obj=None):`
			`"""`
			`Check is the given user has the permission over a given object.`
			`The result is then memoized.`
			`Exception: for add permissions, since the object is not hashable since it doesn't have any`
			`primary key, the result is not memoized. Moreover, the right could change`
			`(e.g. for a transaction, the balance of the user could change)`
			`"""`
Anonymous users have no right 2020-03-20 17:22:20 +00:00			`if user_obj is None or isinstance(user_obj, AnonymousUser):`
			`return False`

Optimize permissions, use memoization 2020-04-01 22:30:22 +00:00			`sess = get_current_session()`
			`if sess is not None and sess.session_key is None:`
Don't display a note that we can't see, fix CI, fix distinct fields on PostgresSQL DB 2020-04-09 22:02:22 +00:00			`return False`
Optimize permissions, use memoization 2020-04-01 22:30:22 +00:00
Only staff with good permission mask can visit Django Admin 2020-07-29 09:38:59 +00:00			`if user_obj.is_superuser and get_current_session().get("permission_mask", -1) >= 42:`
Update a lot of things 2020-03-07 12:12:17 +00:00			`return True`

Added permission app 2019-09-18 12:26:42 +00:00			`if obj is None:`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`return True`

			`perm = perm.split('.')[-1].split('_', 2)`
			`perm_type = perm[0]`
Added permission app 2019-09-18 12:26:42 +00:00			`perm_field = perm[2] if len(perm) == 3 else None`
:bug: Calculating permissions faster 2020-07-28 13:25:08 +00:00
Optimize permissions, full support add perms, more fixtures 2020-03-19 23:06:28 +00:00			`ct = ContentType.objects.get_for_model(obj)`
			`if any(permission.applies(obj, perm_type, perm_field)`
The memoization doesn't work when objects don't have a primary key. 2020-04-02 12:50:28 +00:00			`for permission in PermissionBackend.permissions(user_obj, ct, perm_type)):`
Handle permissions (and it seems working!) 2020-03-18 13:42:35 +00:00			`return True`
			`return False`
Update a lot of things 2020-03-07 12:12:17 +00:00
The memoization doesn't work when objects don't have a primary key. 2020-04-02 12:50:28 +00:00			`def has_perm(self, user_obj, perm, obj=None):`
			`return PermissionBackend.check_perm(user_obj, perm, obj)`

Update a lot of things 2020-03-07 12:12:17 +00:00			`def has_module_perms(self, user_obj, app_label):`
			`return False`
Added permission app 2019-09-18 12:26:42 +00:00
			`def get_all_permissions(self, user_obj, obj=None):`
Optimize permissions, full support add perms, more fixtures 2020-03-19 23:06:28 +00:00			`ct = ContentType.objects.get_for_model(obj)`
			`return list(self.permissions(user_obj, ct, "view"))`