hierarchical permissions bootstrap

2021-05-10 00:22:29 +02:00 · 2021-05-10 00:22:29 +02:00 · 284cea56de
commit 284cea56de
parent 79d02aee72
12 changed files with 129 additions and 5 deletions
--- a/bootstrap/data_static/Role.csv
+++ b/bootstrap/data_static/Role.csv
@ -0,0 +1,2 @@
 name
 admin
--- a/bootstrap/data_static/User.csv
+++ b/bootstrap/data_static/User.csv
@ -0,0 +1,2 @@
 username
 daniel
--- a/bootstrap/data_static/_process_order
+++ b/bootstrap/data_static/_process_order
@ -0,0 +1,2 @@
 Role
 User
--- a/oshipka/persistance/init.py
+++ b/oshipka/persistance/init.py
@ -187,6 +187,8 @@ if SECURITY_ENABLED:
        name = db.Column(db.Unicode)
        profile_image_url = db.Column(db.String)
        _m_n_table_roles = 'Role'
        roles = db.relationship('Role', secondary=roles_users,
                                backref=db.backref('users', lazy='dynamic'))
@ -379,7 +381,10 @@ def update_m_ns(instance, m_ns):
    instance = instance
    for key, ids in m_ns.items():
        child_rel = getattr(instance, "_m_n_table_{}".format(key))
-        child_table = getattr(webapp_models, child_rel)
+        if key not in ['roles']:
            child_table = getattr(webapp_models, child_rel)
        else:
            child_table = Role
        children = db.session.query(child_table).filter(child_table.id.in_(ids)).all()
        setattr(instance, key, children)
--- a/oshipka/webapp/default_routes.py
+++ b/oshipka/webapp/default_routes.py
@ -1,8 +1,8 @@
 import urllib
 import requests
-from flask import send_from_directory, redirect, request, url_for, session, jsonify, abort
+from flask import send_from_directory, redirect, request, url_for, session, jsonify, abort, render_template
-from flask_security import login_user
+from flask_login import login_required, current_user
 from oshipka.util.strings import random_string_generator
 from oshipka.webapp import oshipka_bp, app
@ -28,6 +28,7 @@ def get_media(model_name, instance_id, column, filepath):
 if SECURITY_ENABLED:
    from flask_security import login_user, roles_required
    from oshipka.persistance import User, db
    app.config['SSO_BASE_URL'] = SSO_BASE_URL
@ -99,3 +100,10 @@ if SECURITY_ENABLED:
                    del session['oidc_state']
                return redirect(redirect_uri)
        return response.text
    @oshipka_bp.route('/permissions')
    @login_required
    @roles_required(*['admin'])
    def get_permissions():
        return render_template('permissions.html', MODEL_VIEWS=MODEL_VIEWS, users=User.query.all())
--- a/oshipka/webapp/templates/permissions.html
+++ b/oshipka/webapp/templates/permissions.html
@ -0,0 +1,12 @@
 {% extends "layout.html" %}
 {% block content %}
    <h1>Admin permissions</h1>
    <p>{{ _("Who can access the admin permissions page (this one!):") }}</p>
    {% include "users_roles_multiselect.html" %}
    {% for mv in MODEL_VIEWS %}
        <h2><a href="{{ url_for(mv + '_model_permissions') }}">{{ mv }}</a></h2>
        <p>{{ _("Who can access the permissions page for") }} {{ mv }}</p>
        {% include "users_roles_multiselect.html" %}
    {% endfor %}
 {% endblock %}
--- a/oshipka/webapp/templates/users_roles_multiselect.html
+++ b/oshipka/webapp/templates/users_roles_multiselect.html
@ -0,0 +1,16 @@
 <form>
    <label>Users:
        <select multiple>
            {% for user in users %}
                <option value="{{ user.id }}">{{ user.username }}</option>
            {% endfor %}
        </select>
    </label>
    <label>Roles:
        <select multiple>
            {% for user in roles %}
                <option value="{{ user.id }}">{{ user.username }}</option>
            {% endfor %}
        </select>
    </label>
 </form>
--- a/oshipka/webapp/views.py
+++ b/oshipka/webapp/views.py
@ -182,10 +182,10 @@ def default_create_func(vc):
 def create_acls(model_acl, instance, user):
    instance_public_acl = model_acl(user=user, instance=instance, acl_type=SHARING_TYPE_TYPES_TYPE_PUBLIC)
    db.session.add(instance_public_acl)
    instance_authn_acl = model_acl(instance=instance, acl_type=SHARING_TYPE_TYPES_TYPE_AUTHN)
    db.session.add(instance_authn_acl)
    if user:
        instance_authn_acl = model_acl(user=user, instance=instance, acl_type=SHARING_TYPE_TYPES_TYPE_AUTHN)
        instance_authz_acl = model_acl(user=user, instance=instance, acl_type=SHARING_TYPE_TYPES_TYPE_AUTHZ)
        db.session.add(instance_authn_acl)
        db.session.add(instance_authz_acl)
--- a/vm_gen/templates/html/_permissions.html
+++ b/vm_gen/templates/html/_permissions.html
@ -0,0 +1,42 @@
 <table>
    <tr>
        <th></th>
        <th>{{ _("Public") }}</th>
        <th>{{ _("Logged") }}</th>
        [%- if 'Ownable' in inherits %]
        <th>{{ _("Owner") }}</th>
        [%- endif %]
    </tr>
    {% for verb in ['list', 'get', 'update', 'delete'] %}
    <tr>
        <td>{{ verb }}</td>
        {% for scope in ['public', 'logged'[%- if 'Ownable' in inherits %], 'owner'[%- endif %] ] %}
            <td><input type="checkbox" id="[[ name ]]-{{ scope }}-{{ verb }}" checked="checked"/></td>
        {% endfor %}
    </tr>
    {% endfor %}
 </table>
 <h2>Instance Permissions</h2>
 <table>
    <tr>
        <th></th>
        <th>{{ _("Public") }}</th>
        <th>{{ _("Logged") }}</th>
        [%- if 'Ownable' in inherits %]
        <th>{{ _("Owner") }}</th>
        [%- endif %]
    </tr>
    {% for column in [[ columns ]] %}
    <tr>
        <td>{{ column.name }}</td>
        {% for scope in ['public', 'logged'[%- if 'Ownable' in inherits %], 'owner'[%- endif %] ] %}
            <td>
                <input type="checkbox" id="[[ name ]]-{{ column }}-{{ scope }}-read" checked="checked"/> r
                <input type="checkbox" id="[[ name ]]-{{ column }}-{{ scope }}-write" checked="checked"/> w
            </td>
        {% endfor %}
    </tr>
    {% endfor %}
 </table>
--- a/vm_gen/templates/html/permissions_instance.html
+++ b/vm_gen/templates/html/permissions_instance.html
@ -0,0 +1,9 @@
 {% extends "layout.html" %}
 {% block content %}
    <h2>{{ _("Instance permissions for ") }} {{ _("[[ name ]]") }}: {% include "[[ name|camel_to_snake ]]/_title.html" %} </h2>
    <p>{{ _("Who has specific permissions for this instance") }}</p>
    {% include "users_roles_multiselect.html" %}
    <br><br>
    {% include "[[ name|camel_to_snake ]]/_permissions.html" %}
 {% endblock %}
--- a/vm_gen/templates/html/permissions_model.html
+++ b/vm_gen/templates/html/permissions_model.html
@ -0,0 +1,9 @@
 {% extends "layout.html" %}
 {% block content %}
    <h2>{{ _("Default permissions for") }} {{ _("[[ name ]]") }} </h2>
    <p>{{ _("Who can access the model pages for") }} {{ _("[[ name ]]") }}</p>
    {% include "users_roles_multiselect.html" %}
    <br><br>
    {% include "[[ name|camel_to_snake ]]/_permissions.html" %}
 {% endblock %}
--- a/vm_gen/templates/routes_py
+++ b/vm_gen/templates/routes_py
@ -4,6 +4,9 @@
 Edit the hooks in webapp/routes/[[ name|camel_to_snake ]]_hooks.py instead
 """
 from flask import render_template
 from flask_security import login_required
 from oshipka.webapp import app
 from oshipka.webapp.views import ModelView
 from webapp.routes.[[ name|camel_to_snake ]]_hooks import *
@ -29,3 +32,17 @@ from webapp.models import [[ name ]], [[ name ]]Acl
                                        the_roles_required=[[ verb_values.the_roles_required if verb_values.the_roles_required else '[]' ]],
                                        )
 [% endfor %]
@app.route("/[[ name|camel_to_snake|pluralize ]]/permissions")
@login_required
 def [[ name|camel_to_snake ]]_model_permissions():
    return render_template("[[ name|camel_to_snake ]]/permissions_model.html")
@app.route("/[[ name|camel_to_snake|pluralize ]]/<int:instance_id>/permissions")
@login_required
 def [[ name|camel_to_snake ]]_instance_permissions(instance_id):
    instance = [[ name ]].query.filter_by(id=instance_id).first()
    if not instance:
        abort(404)
    return render_template("[[ name|camel_to_snake ]]/permissions_instance.html", instance=instance)