jumpserver/apps/common/permissions.py

# -*- coding: utf-8 -*-
#

from rest_framework import permissions
from django.contrib.auth.mixins import UserPassesTestMixin
from django.shortcuts import redirect
from django.http.response import HttpResponseForbidden

from orgs.utils import current_org


class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
    """Allows access to valid user, is active and not expired"""

    def has_permission(self, request, view):
        return super(IsValidUser, self).has_permission(request, view) \
            and request.user.is_valid


class IsAppUser(IsValidUser):
    """Allows access only to app user """

    def has_permission(self, request, view):
        return super(IsAppUser, self).has_permission(request, view) \
            and request.user.is_app


class IsSuperUser(IsValidUser):
    def has_permission(self, request, view):
        return super(IsSuperUser, self).has_permission(request, view) \
               and request.user.is_superuser


class IsSuperUserOrAppUser(IsSuperUser):
    def has_permission(self, request, view):
        return super(IsSuperUserOrAppUser, self).has_permission(request, view) \
            and (request.user.is_superuser or request.user.is_app)


class IsOrgAdmin(IsValidUser):
    """Allows access only to superuser"""

    def has_permission(self, request, view):
        return super(IsOrgAdmin, self).has_permission(request, view) \
            and current_org.can_admin_by(request.user)


class IsOrgAdminOrAppUser(IsValidUser):
    """Allows access between superuser and app user"""

    def has_permission(self, request, view):
        return super(IsOrgAdminOrAppUser, self).has_permission(request, view) \
            and (current_org.can_admin_by(request.user) or request.user.is_app)


class IsOrgAdminOrAppUserOrUserReadonly(IsOrgAdminOrAppUser):
    def has_permission(self, request, view):
        if IsValidUser.has_permission(self, request, view) \
                and request.method in permissions.SAFE_METHODS:
            return True
        else:
            return IsOrgAdminOrAppUser.has_permission(self, request, view)


class IsCurrentUserOrReadOnly(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return True
        return obj == request.user


class AdminUserRequiredMixin(UserPassesTestMixin):
    def test_func(self):
        if not self.request.user.is_authenticated:
            return False
        elif not current_org.can_admin_by(self.request.user):
            self.raise_exception = True
            return False
        return True

    def dispatch(self, request, *args, **kwargs):
        if not request.user.is_authenticated:
            return super().dispatch(request, *args, **kwargs)

        if not current_org:
            return redirect('orgs:switch-a-org')

        if not current_org.can_admin_by(request.user):
            print("{} cannot admin {}".format(request.user, current_org))
            if request.user.is_org_admin:
                print("Is org admin")
                return redirect('orgs:switch-a-org')
            return HttpResponseForbidden()
        return super().dispatch(request, *args, **kwargs)
[Feature] 添加setting页面 2018-01-11 12:10:27 +00:00			`# -- coding: utf-8 --`
			`#`

			`from rest_framework import permissions`
[Bugfix] 解决Node.root() 死循环，移动AdminRequired到permission中 (#1571) 2018-07-20 10:42:01 +00:00			`from django.contrib.auth.mixins import UserPassesTestMixin`
Tmp org (#1579) * [Update] 添加org api, 升级到django 2.0 * [Update] fix some bug * [Update] 修改一些bug 2018-07-25 03:21:12 +00:00			`from django.shortcuts import redirect`
			`from django.http.response import HttpResponseForbidden`
[Bugfix] 解决Node.root() 死循环，移动AdminRequired到permission中 (#1571) 2018-07-20 10:42:01 +00:00
			`from orgs.utils import current_org`
[Feature] 添加setting页面 2018-01-11 12:10:27 +00:00

			`class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):`
			`"""Allows access to valid user, is active and not expired"""`

			`def has_permission(self, request, view):`
			`return super(IsValidUser, self).has_permission(request, view) \`
			`and request.user.is_valid`


			`class IsAppUser(IsValidUser):`
			`"""Allows access only to app user """`

			`def has_permission(self, request, view):`
			`return super(IsAppUser, self).has_permission(request, view) \`
			`and request.user.is_app`


Tmp org (#1579) * [Update] 添加org api, 升级到django 2.0 * [Update] fix some bug * [Update] 修改一些bug 2018-07-25 03:21:12 +00:00			`class IsSuperUser(IsValidUser):`
			`def has_permission(self, request, view):`
			`return super(IsSuperUser, self).has_permission(request, view) \`
			`and request.user.is_superuser`


			`class IsSuperUserOrAppUser(IsSuperUser):`
			`def has_permission(self, request, view):`
			`return super(IsSuperUserOrAppUser, self).has_permission(request, view) \`
			`and (request.user.is_superuser or request.user.is_app)`


[Update] 修改permission (#1574) 2018-07-23 04:55:13 +00:00			`class IsOrgAdmin(IsValidUser):`
[Feature] 添加setting页面 2018-01-11 12:10:27 +00:00			`"""Allows access only to superuser"""`

			`def has_permission(self, request, view):`
[Update] 修改permission (#1574) 2018-07-23 04:55:13 +00:00			`return super(IsOrgAdmin, self).has_permission(request, view) \`
			`and current_org.can_admin_by(request.user)`
[Feature] 添加setting页面 2018-01-11 12:10:27 +00:00

[Update] 修改permission (#1574) 2018-07-23 04:55:13 +00:00			`class IsOrgAdminOrAppUser(IsValidUser):`
[Feature] 添加setting页面 2018-01-11 12:10:27 +00:00			`"""Allows access between superuser and app user"""`

			`def has_permission(self, request, view):`
[Update] 修改permission (#1574) 2018-07-23 04:55:13 +00:00			`return super(IsOrgAdminOrAppUser, self).has_permission(request, view) \`
			`and (current_org.can_admin_by(request.user) or request.user.is_app)`
[Feature] 添加setting页面 2018-01-11 12:10:27 +00:00

[Update] 修改permission (#1574) 2018-07-23 04:55:13 +00:00			`class IsOrgAdminOrAppUserOrUserReadonly(IsOrgAdminOrAppUser):`
[Feature] 添加setting页面 2018-01-11 12:10:27 +00:00			`def has_permission(self, request, view):`
			`if IsValidUser.has_permission(self, request, view) \`
			`and request.method in permissions.SAFE_METHODS:`
			`return True`
			`else:`
[Update] 修改permission (#1574) 2018-07-23 04:55:13 +00:00			`return IsOrgAdminOrAppUser.has_permission(self, request, view)`
[Feature] 添加setting页面 2018-01-11 12:10:27 +00:00

			`class IsCurrentUserOrReadOnly(permissions.BasePermission):`
			`def has_object_permission(self, request, view, obj):`
			`if request.method in permissions.SAFE_METHODS:`
			`return True`
			`return obj == request.user`
[Bugfix] 解决Node.root() 死循环，移动AdminRequired到permission中 (#1571) 2018-07-20 10:42:01 +00:00

			`class AdminUserRequiredMixin(UserPassesTestMixin):`
			`def test_func(self):`
			`if not self.request.user.is_authenticated:`
			`return False`
[Update] 修改permission (#1574) 2018-07-23 04:55:13 +00:00			`elif not current_org.can_admin_by(self.request.user):`
[Bugfix] 解决Node.root() 死循环，移动AdminRequired到permission中 (#1571) 2018-07-20 10:42:01 +00:00			`self.raise_exception = True`
			`return False`
			`return True`
Tmp org (#1579) * [Update] 添加org api, 升级到django 2.0 * [Update] fix some bug * [Update] 修改一些bug 2018-07-25 03:21:12 +00:00
			`def dispatch(self, request, args, *kwargs):`
Tmp org (#1583) * [Update] 修改一些内容 * [Update] 修改datatable 支持process * [Bugfix] 修复asset queryset 没有valid方法的bug 2018-07-25 07:05:28 +00:00			`if not request.user.is_authenticated:`
			`return super().dispatch(request, args, *kwargs)`

Tmp org (#1579) * [Update] 添加org api, 升级到django 2.0 * [Update] fix some bug * [Update] 修改一些bug 2018-07-25 03:21:12 +00:00			`if not current_org:`
			`return redirect('orgs:switch-a-org')`

			`if not current_org.can_admin_by(request.user):`
			`print("{} cannot admin {}".format(request.user, current_org))`
			`if request.user.is_org_admin:`
			`print("Is org admin")`
			`return redirect('orgs:switch-a-org')`
			`return HttpResponseForbidden()`
			`return super().dispatch(request, args, *kwargs)`