mirror of
https://gitlab.crans.org/bde/nk20
synced 2025-06-23 02:48:22 +02:00
Check permissions per request instead of per user
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
@ -4,12 +4,12 @@
|
||||
from datetime import date
|
||||
|
||||
from django.contrib.auth.backends import ModelBackend
|
||||
from django.contrib.auth.models import User, AnonymousUser
|
||||
from django.contrib.auth.models import User
|
||||
from django.contrib.contenttypes.models import ContentType
|
||||
from django.db.models import Q, F
|
||||
from django.utils import timezone
|
||||
from note.models import Note, NoteUser, NoteClub, NoteSpecial
|
||||
from note_kfet.middlewares import get_current_session
|
||||
from note_kfet.middlewares import get_current_request
|
||||
from member.models import Membership, Club
|
||||
|
||||
from .decorators import memoize
|
||||
@ -33,7 +33,7 @@ class PermissionBackend(ModelBackend):
|
||||
:param t: The type of the permissions: view, change, add or delete
|
||||
:return: The queryset of the permissions of the user (memoized) grouped by clubs
|
||||
"""
|
||||
if isinstance(user, AnonymousUser):
|
||||
if not user.is_authenticated:
|
||||
# Unauthenticated users have no permissions
|
||||
return Permission.objects.none()
|
||||
|
||||
@ -43,7 +43,8 @@ class PermissionBackend(ModelBackend):
|
||||
|
||||
for membership in memberships:
|
||||
for role in membership.roles.all():
|
||||
for perm in role.permissions.filter(type=t, mask__rank__lte=get_current_session().get("permission_mask", -1)).all():
|
||||
for perm in role.permissions.filter(
|
||||
type=t, mask__rank__lte=get_current_request().session.get("permission_mask", -1)).all():
|
||||
if not perm.permanent:
|
||||
if membership.date_start > date.today() or membership.date_end < date.today():
|
||||
continue
|
||||
@ -88,20 +89,22 @@ class PermissionBackend(ModelBackend):
|
||||
|
||||
@staticmethod
|
||||
@memoize
|
||||
def filter_queryset(user, model, t, field=None):
|
||||
def filter_queryset(request, model, t, field=None):
|
||||
"""
|
||||
Filter a queryset by considering the permissions of a given user.
|
||||
:param user: The owner of the permissions that are fetched
|
||||
:param request: The current request
|
||||
:param model: The concerned model of the queryset
|
||||
:param t: The type of modification (view, add, change, delete)
|
||||
:param field: The field of the model to test, if concerned
|
||||
:return: A query that corresponds to the filter to give to a queryset
|
||||
"""
|
||||
if user is None or isinstance(user, AnonymousUser):
|
||||
user = request.user
|
||||
|
||||
if user is None or not user.is_authenticated:
|
||||
# Anonymous users can't do anything
|
||||
return Q(pk=-1)
|
||||
|
||||
if user.is_superuser and get_current_session().get("permission_mask", -1) >= 42:
|
||||
if user.is_superuser and get_current_request().session.get("permission_mask", -1) >= 42:
|
||||
# Superusers have all rights
|
||||
return Q()
|
||||
|
||||
@ -122,7 +125,7 @@ class PermissionBackend(ModelBackend):
|
||||
|
||||
@staticmethod
|
||||
@memoize
|
||||
def check_perm(user_obj, perm, obj=None):
|
||||
def check_perm(request, perm, obj=None):
|
||||
"""
|
||||
Check is the given user has the permission over a given object.
|
||||
The result is then memoized.
|
||||
@ -130,10 +133,12 @@ class PermissionBackend(ModelBackend):
|
||||
primary key, the result is not memoized. Moreover, the right could change
|
||||
(e.g. for a transaction, the balance of the user could change)
|
||||
"""
|
||||
if user_obj is None or isinstance(user_obj, AnonymousUser):
|
||||
user_obj = request.user
|
||||
|
||||
if user_obj is None or not user_obj.is_authenticated:
|
||||
return False
|
||||
|
||||
sess = get_current_session()
|
||||
sess = request.session
|
||||
|
||||
if user_obj.is_superuser and sess.get("permission_mask", -1) >= 42:
|
||||
return True
|
||||
@ -152,7 +157,10 @@ class PermissionBackend(ModelBackend):
|
||||
return False
|
||||
|
||||
def has_perm(self, user_obj, perm, obj=None):
|
||||
return PermissionBackend.check_perm(user_obj, perm, obj)
|
||||
# Warning: this does not check that user_obj has the permission,
|
||||
# but if the current request has the permission.
|
||||
# This function is implemented for backward compatibility, and should not be used.
|
||||
return PermissionBackend.check_perm(get_current_request(), perm, obj)
|
||||
|
||||
def has_module_perms(self, user_obj, app_label):
|
||||
return False
|
||||
|
||||
@ -5,7 +5,7 @@ from functools import lru_cache
|
||||
from time import time
|
||||
|
||||
from django.contrib.sessions.models import Session
|
||||
from note_kfet.middlewares import get_current_session
|
||||
from note_kfet.middlewares import get_current_request
|
||||
|
||||
|
||||
def memoize(f):
|
||||
@ -48,11 +48,11 @@ def memoize(f):
|
||||
last_collect = time()
|
||||
|
||||
# If there is no session, then we don't memoize anything.
|
||||
sess = get_current_session()
|
||||
if sess is None or sess.session_key is None:
|
||||
request = get_current_request()
|
||||
if request is None or request.session is None or request.session.session_key is None:
|
||||
return f(*args, **kwargs)
|
||||
|
||||
sess_key = sess.session_key
|
||||
sess_key = request.session.session_key
|
||||
if sess_key not in sess_funs:
|
||||
# lru_cache makes the job of memoization
|
||||
# We store only the 512 latest data per session. It has to be enough.
|
||||
|
||||
@ -45,7 +45,7 @@ class StrongDjangoObjectPermissions(DjangoObjectPermissions):
|
||||
|
||||
perms = self.get_required_object_permissions(request.method, model_cls)
|
||||
# if not user.has_perms(perms, obj):
|
||||
if not all(PermissionBackend.check_perm(user, perm, obj) for perm in perms):
|
||||
if not all(PermissionBackend.check_perm(request, perm, obj) for perm in perms):
|
||||
# If the user does not have permissions we need to determine if
|
||||
# they have read permissions to see 403, or not, and simply see
|
||||
# a 404 response.
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
from note_kfet.middlewares import get_current_authenticated_user
|
||||
from note_kfet.middlewares import get_current_request
|
||||
from permission.backends import PermissionBackend
|
||||
|
||||
|
||||
@ -31,8 +31,8 @@ def pre_save_object(sender, instance, **kwargs):
|
||||
if hasattr(instance, "_force_save") or hasattr(instance, "_no_signal"):
|
||||
return
|
||||
|
||||
user = get_current_authenticated_user()
|
||||
if user is None:
|
||||
request = get_current_request()
|
||||
if request is None:
|
||||
# Action performed on shell is always granted
|
||||
return
|
||||
|
||||
@ -45,7 +45,7 @@ def pre_save_object(sender, instance, **kwargs):
|
||||
# We check if the user can change the model
|
||||
|
||||
# If the user has all right on a model, then OK
|
||||
if PermissionBackend.check_perm(user, app_label + ".change_" + model_name, instance):
|
||||
if PermissionBackend.check_perm(request, app_label + ".change_" + model_name, instance):
|
||||
return
|
||||
|
||||
# In the other case, we check if he/she has the right to change one field
|
||||
@ -58,7 +58,8 @@ def pre_save_object(sender, instance, **kwargs):
|
||||
# If the field wasn't modified, no need to check the permissions
|
||||
if old_value == new_value:
|
||||
continue
|
||||
if not PermissionBackend.check_perm(user, app_label + ".change_" + model_name + "_" + field_name, instance):
|
||||
if not PermissionBackend.check_perm(request, app_label + ".change_" + model_name + "_" + field_name,
|
||||
instance):
|
||||
raise PermissionDenied(
|
||||
_("You don't have the permission to change the field {field} on this instance of model"
|
||||
" {app_label}.{model_name}.")
|
||||
@ -66,7 +67,7 @@ def pre_save_object(sender, instance, **kwargs):
|
||||
)
|
||||
else:
|
||||
# We check if the user has right to add the object
|
||||
has_perm = PermissionBackend.check_perm(user, app_label + ".add_" + model_name, instance)
|
||||
has_perm = PermissionBackend.check_perm(request, app_label + ".add_" + model_name, instance)
|
||||
|
||||
if not has_perm:
|
||||
raise PermissionDenied(
|
||||
@ -87,8 +88,8 @@ def pre_delete_object(instance, **kwargs):
|
||||
# Don't check permissions on force-deleted objects
|
||||
return
|
||||
|
||||
user = get_current_authenticated_user()
|
||||
if user is None:
|
||||
request = get_current_request()
|
||||
if request is None:
|
||||
# Action performed on shell is always granted
|
||||
return
|
||||
|
||||
@ -97,7 +98,7 @@ def pre_delete_object(instance, **kwargs):
|
||||
model_name = model_name_full[1]
|
||||
|
||||
# We check if the user has rights to delete the object
|
||||
if not PermissionBackend.check_perm(user, app_label + ".delete_" + model_name, instance):
|
||||
if not PermissionBackend.check_perm(request, app_label + ".delete_" + model_name, instance):
|
||||
raise PermissionDenied(
|
||||
_("You don't have the permission to delete this instance of model {app_label}.{model_name}.")
|
||||
.format(app_label=app_label, model_name=model_name))
|
||||
|
||||
@ -8,7 +8,7 @@ from django.urls import reverse_lazy
|
||||
from django.utils.html import format_html
|
||||
from django_tables2 import A
|
||||
from member.models import Membership
|
||||
from note_kfet.middlewares import get_current_authenticated_user
|
||||
from note_kfet.middlewares import get_current_request
|
||||
from permission.backends import PermissionBackend
|
||||
|
||||
|
||||
@ -20,7 +20,7 @@ class RightsTable(tables.Table):
|
||||
def render_user(self, value):
|
||||
# If the user has the right, link the displayed user with the page of its detail.
|
||||
s = value.username
|
||||
if PermissionBackend.check_perm(get_current_authenticated_user(), "auth.view_user", value):
|
||||
if PermissionBackend.check_perm(get_current_request(), "auth.view_user", value):
|
||||
s = format_html("<a href={url}>{name}</a>",
|
||||
url=reverse_lazy('member:user_detail', kwargs={"pk": value.pk}), name=s)
|
||||
return s
|
||||
@ -28,7 +28,7 @@ class RightsTable(tables.Table):
|
||||
def render_club(self, value):
|
||||
# If the user has the right, link the displayed user with the page of its detail.
|
||||
s = value.name
|
||||
if PermissionBackend.check_perm(get_current_authenticated_user(), "member.view_club", value):
|
||||
if PermissionBackend.check_perm(get_current_request(), "member.view_club", value):
|
||||
s = format_html("<a href={url}>{name}</a>",
|
||||
url=reverse_lazy('member:club_detail', kwargs={"pk": value.pk}), name=s)
|
||||
|
||||
@ -42,7 +42,7 @@ class RightsTable(tables.Table):
|
||||
| Q(name="Bureau de club"))
|
||||
& Q(weirole__isnull=True))).all()
|
||||
s = ", ".join(str(role) for role in roles)
|
||||
if PermissionBackend.check_perm(get_current_authenticated_user(), "member.change_membership_roles", record):
|
||||
if PermissionBackend.check_perm(get_current_request(), "member.change_membership_roles", record):
|
||||
s = format_html("<a href='" + str(reverse_lazy("member:club_manage_roles", kwargs={"pk": record.pk}))
|
||||
+ "'>" + s + "</a>")
|
||||
return s
|
||||
|
||||
@ -1,12 +1,12 @@
|
||||
# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
|
||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||
|
||||
from django.contrib.auth.models import AnonymousUser
|
||||
from django.contrib.contenttypes.models import ContentType
|
||||
from django.template.defaultfilters import stringfilter
|
||||
from django import template
|
||||
from note_kfet.middlewares import get_current_authenticated_user, get_current_session
|
||||
from permission.backends import PermissionBackend
|
||||
from note_kfet.middlewares import get_current_request
|
||||
|
||||
from ..backends import PermissionBackend
|
||||
|
||||
|
||||
@stringfilter
|
||||
@ -14,9 +14,10 @@ def not_empty_model_list(model_name):
|
||||
"""
|
||||
Return True if and only if the current user has right to see any object of the given model.
|
||||
"""
|
||||
user = get_current_authenticated_user()
|
||||
session = get_current_session()
|
||||
if user is None or isinstance(user, AnonymousUser):
|
||||
request = get_current_request()
|
||||
user = request.user
|
||||
session = request.session
|
||||
if user is None or not user.is_authenticated:
|
||||
return False
|
||||
elif user.is_superuser and session.get("permission_mask", -1) >= 42:
|
||||
return True
|
||||
@ -29,11 +30,12 @@ def model_list(model_name, t="view", fetch=True):
|
||||
"""
|
||||
Return the queryset of all visible instances of the given model.
|
||||
"""
|
||||
user = get_current_authenticated_user()
|
||||
request = get_current_request()
|
||||
user = request.user
|
||||
spl = model_name.split(".")
|
||||
ct = ContentType.objects.get(app_label=spl[0], model=spl[1])
|
||||
qs = ct.model_class().objects.filter(PermissionBackend.filter_queryset(user, ct, t))
|
||||
if user is None or isinstance(user, AnonymousUser):
|
||||
qs = ct.model_class().objects.filter(PermissionBackend.filter_queryset(request, ct, t))
|
||||
if user is None or not user.is_authenticated:
|
||||
return qs.none()
|
||||
if fetch:
|
||||
qs = qs.all()
|
||||
@ -49,7 +51,7 @@ def model_list_length(model_name, t="view"):
|
||||
|
||||
|
||||
def has_perm(perm, obj):
|
||||
return PermissionBackend.check_perm(get_current_authenticated_user(), perm, obj)
|
||||
return PermissionBackend.check_perm(get_current_request(), perm, obj)
|
||||
|
||||
|
||||
register = template.Library()
|
||||
|
||||
@ -28,7 +28,7 @@ class ProtectQuerysetMixin:
|
||||
"""
|
||||
def get_queryset(self, filter_permissions=True, **kwargs):
|
||||
qs = super().get_queryset(**kwargs)
|
||||
return qs.filter(PermissionBackend.filter_queryset(self.request.user, qs.model, "view")).distinct()\
|
||||
return qs.filter(PermissionBackend.filter_queryset(self.request, qs.model, "view")).distinct()\
|
||||
if filter_permissions else qs
|
||||
|
||||
def get_object(self, queryset=None):
|
||||
@ -53,7 +53,7 @@ class ProtectQuerysetMixin:
|
||||
# We could also delete the field, but some views might be affected.
|
||||
meta = form.instance._meta
|
||||
for key in form.base_fields:
|
||||
if not PermissionBackend.check_perm(self.request.user,
|
||||
if not PermissionBackend.check_perm(self.request,
|
||||
f"{meta.app_label}.change_{meta.model_name}_" + key, self.object):
|
||||
form.fields[key].widget = HiddenInput()
|
||||
|
||||
@ -101,7 +101,7 @@ class ProtectedCreateView(LoginRequiredMixin, CreateView):
|
||||
# noinspection PyProtectedMember
|
||||
app_label, model_name = model_class._meta.app_label, model_class._meta.model_name.lower()
|
||||
perm = app_label + ".add_" + model_name
|
||||
if not PermissionBackend.check_perm(request.user, perm, self.get_sample_object()):
|
||||
if not PermissionBackend.check_perm(request, perm, self.get_sample_object()):
|
||||
raise PermissionDenied(_("You don't have the permission to add an instance of model "
|
||||
"{app_label}.{model_name}.").format(app_label=app_label, model_name=model_name))
|
||||
return super().dispatch(request, *args, **kwargs)
|
||||
|
||||
Reference in New Issue
Block a user