2018-01-11 12:10:27 +00:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
#
|
2019-05-20 04:30:55 +00:00
|
|
|
import time
|
2018-01-11 12:10:27 +00:00
|
|
|
from rest_framework import permissions
|
2018-11-23 02:25:35 +00:00
|
|
|
from django.conf import settings
|
2021-04-25 08:22:38 +00:00
|
|
|
from common.exceptions import MFAVerifyRequired
|
2018-07-20 10:42:01 +00:00
|
|
|
|
|
|
|
from orgs.utils import current_org
|
2021-08-18 02:22:40 +00:00
|
|
|
from common.utils import is_uuid
|
2018-01-11 12:10:27 +00:00
|
|
|
|
|
|
|
|
|
|
|
class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
|
|
|
|
"""Allows access to valid user, is active and not expired"""
|
|
|
|
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
return super(IsValidUser, self).has_permission(request, view) \
|
|
|
|
and request.user.is_valid
|
|
|
|
|
|
|
|
|
|
|
|
class IsAppUser(IsValidUser):
|
|
|
|
"""Allows access only to app user """
|
|
|
|
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
return super(IsAppUser, self).has_permission(request, view) \
|
|
|
|
and request.user.is_app
|
|
|
|
|
|
|
|
|
2018-07-25 03:21:12 +00:00
|
|
|
class IsSuperUser(IsValidUser):
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
return super(IsSuperUser, self).has_permission(request, view) \
|
|
|
|
and request.user.is_superuser
|
|
|
|
|
|
|
|
|
|
|
|
class IsSuperUserOrAppUser(IsSuperUser):
|
|
|
|
def has_permission(self, request, view):
|
2021-09-10 09:56:10 +00:00
|
|
|
if request.user.is_anonymous:
|
|
|
|
return False
|
2018-07-25 03:21:12 +00:00
|
|
|
return super(IsSuperUserOrAppUser, self).has_permission(request, view) \
|
2019-04-15 06:33:40 +00:00
|
|
|
or request.user.is_app
|
2018-07-25 03:21:12 +00:00
|
|
|
|
|
|
|
|
2019-09-12 10:56:26 +00:00
|
|
|
class IsSuperAuditor(IsValidUser):
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
return super(IsSuperAuditor, self).has_permission(request, view) \
|
|
|
|
and request.user.is_super_auditor
|
|
|
|
|
|
|
|
|
|
|
|
class IsOrgAuditor(IsValidUser):
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
if not current_org:
|
|
|
|
return False
|
|
|
|
return super(IsOrgAuditor, self).has_permission(request, view) \
|
|
|
|
and current_org.can_audit_by(request.user)
|
|
|
|
|
|
|
|
|
2018-07-23 04:55:13 +00:00
|
|
|
class IsOrgAdmin(IsValidUser):
|
2018-01-11 12:10:27 +00:00
|
|
|
"""Allows access only to superuser"""
|
|
|
|
|
|
|
|
def has_permission(self, request, view):
|
2019-08-01 09:10:02 +00:00
|
|
|
if not current_org:
|
|
|
|
return False
|
2018-07-23 04:55:13 +00:00
|
|
|
return super(IsOrgAdmin, self).has_permission(request, view) \
|
|
|
|
and current_org.can_admin_by(request.user)
|
2018-01-11 12:10:27 +00:00
|
|
|
|
|
|
|
|
2018-07-23 04:55:13 +00:00
|
|
|
class IsOrgAdminOrAppUser(IsValidUser):
|
2018-01-11 12:10:27 +00:00
|
|
|
"""Allows access between superuser and app user"""
|
|
|
|
|
|
|
|
def has_permission(self, request, view):
|
2019-08-01 09:10:02 +00:00
|
|
|
if not current_org:
|
|
|
|
return False
|
2021-09-10 09:56:10 +00:00
|
|
|
if request.user.is_anonymous:
|
|
|
|
return False
|
2018-07-23 04:55:13 +00:00
|
|
|
return super(IsOrgAdminOrAppUser, self).has_permission(request, view) \
|
|
|
|
and (current_org.can_admin_by(request.user) or request.user.is_app)
|
2018-01-11 12:10:27 +00:00
|
|
|
|
|
|
|
|
2018-07-23 04:55:13 +00:00
|
|
|
class IsOrgAdminOrAppUserOrUserReadonly(IsOrgAdminOrAppUser):
|
2018-01-11 12:10:27 +00:00
|
|
|
def has_permission(self, request, view):
|
|
|
|
if IsValidUser.has_permission(self, request, view) \
|
|
|
|
and request.method in permissions.SAFE_METHODS:
|
|
|
|
return True
|
|
|
|
else:
|
2018-07-23 04:55:13 +00:00
|
|
|
return IsOrgAdminOrAppUser.has_permission(self, request, view)
|
2018-01-11 12:10:27 +00:00
|
|
|
|
|
|
|
|
|
|
|
class IsCurrentUserOrReadOnly(permissions.BasePermission):
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
|
|
if request.method in permissions.SAFE_METHODS:
|
|
|
|
return True
|
|
|
|
return obj == request.user
|
2018-07-20 10:42:01 +00:00
|
|
|
|
|
|
|
|
2018-11-23 02:25:35 +00:00
|
|
|
class WithBootstrapToken(permissions.BasePermission):
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
authorization = request.META.get('HTTP_AUTHORIZATION', '')
|
|
|
|
if not authorization:
|
|
|
|
return False
|
|
|
|
request_bootstrap_token = authorization.split()[-1]
|
|
|
|
return settings.BOOTSTRAP_TOKEN == request_bootstrap_token
|
2019-06-19 02:47:26 +00:00
|
|
|
|
|
|
|
|
2021-03-15 06:53:19 +00:00
|
|
|
class UserCanAnyPermCurrentOrg(permissions.BasePermission):
|
2021-03-02 06:57:48 +00:00
|
|
|
def has_permission(self, request, view):
|
2021-03-15 06:53:19 +00:00
|
|
|
return current_org.can_any_by(request.user)
|
2021-03-02 06:57:48 +00:00
|
|
|
|
|
|
|
|
|
|
|
class UserCanUpdatePassword(permissions.BasePermission):
|
2019-07-24 04:50:39 +00:00
|
|
|
def has_permission(self, request, view):
|
|
|
|
return request.user.can_update_password()
|
|
|
|
|
|
|
|
|
2021-03-02 06:57:48 +00:00
|
|
|
class UserCanUpdateSSHKey(permissions.BasePermission):
|
2019-07-24 04:50:39 +00:00
|
|
|
def has_permission(self, request, view):
|
|
|
|
return request.user.can_update_ssh_key()
|
|
|
|
|
|
|
|
|
2019-06-24 12:39:45 +00:00
|
|
|
class NeedMFAVerify(permissions.BasePermission):
|
|
|
|
def has_permission(self, request, view):
|
2021-07-27 08:06:00 +00:00
|
|
|
if not settings.SECURITY_VIEW_AUTH_NEED_MFA:
|
|
|
|
return True
|
|
|
|
|
2019-06-24 12:39:45 +00:00
|
|
|
mfa_verify_time = request.session.get('MFA_VERIFY_TIME', 0)
|
|
|
|
if time.time() - mfa_verify_time < settings.SECURITY_MFA_VERIFY_TTL:
|
|
|
|
return True
|
2021-04-25 08:22:38 +00:00
|
|
|
raise MFAVerifyRequired()
|
2019-07-02 06:17:56 +00:00
|
|
|
|
|
|
|
|
2019-09-12 10:56:26 +00:00
|
|
|
class CanUpdateDeleteUser(permissions.BasePermission):
|
|
|
|
|
|
|
|
@staticmethod
|
|
|
|
def has_delete_object_permission(request, view, obj):
|
2019-09-16 09:59:21 +00:00
|
|
|
if request.user.is_anonymous:
|
|
|
|
return False
|
2019-09-12 10:56:26 +00:00
|
|
|
if not request.user.can_admin_current_org:
|
|
|
|
return False
|
|
|
|
# 超级管理员 / 组织管理员
|
|
|
|
if str(request.user.id) == str(obj.id):
|
|
|
|
return False
|
|
|
|
# 超级管理员
|
|
|
|
if request.user.is_superuser:
|
|
|
|
if obj.is_superuser and obj.username in ['admin']:
|
|
|
|
return False
|
2019-07-02 06:17:56 +00:00
|
|
|
return True
|
2019-09-12 10:56:26 +00:00
|
|
|
# 组织管理员
|
|
|
|
if obj.is_superuser:
|
|
|
|
return False
|
|
|
|
if obj.is_super_auditor:
|
|
|
|
return False
|
2019-12-09 03:50:52 +00:00
|
|
|
if obj.can_admin_current_org:
|
2019-09-12 10:56:26 +00:00
|
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
|
|
@staticmethod
|
|
|
|
def has_update_object_permission(request, view, obj):
|
2019-09-16 09:59:21 +00:00
|
|
|
if request.user.is_anonymous:
|
|
|
|
return False
|
2019-09-12 10:56:26 +00:00
|
|
|
if not request.user.can_admin_current_org:
|
|
|
|
return False
|
|
|
|
# 超级管理员 / 组织管理员
|
|
|
|
if str(request.user.id) == str(obj.id):
|
2019-07-02 06:17:56 +00:00
|
|
|
return True
|
2019-09-12 10:56:26 +00:00
|
|
|
# 超级管理员
|
|
|
|
if request.user.is_superuser:
|
|
|
|
return True
|
|
|
|
# 组织管理员
|
|
|
|
if obj.is_superuser:
|
|
|
|
return False
|
|
|
|
if obj.is_super_auditor:
|
|
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
|
|
def has_object_permission(self, request, view, obj):
|
2019-09-16 09:59:21 +00:00
|
|
|
if request.user.is_anonymous:
|
|
|
|
return False
|
2019-09-12 10:56:26 +00:00
|
|
|
if not request.user.can_admin_current_org:
|
2019-07-02 06:17:56 +00:00
|
|
|
return False
|
2019-09-12 10:56:26 +00:00
|
|
|
if request.method in ['DELETE']:
|
|
|
|
return self.has_delete_object_permission(request, view, obj)
|
|
|
|
if request.method in ['PUT', 'PATCH']:
|
|
|
|
return self.has_update_object_permission(request, view, obj)
|
2019-07-02 06:17:56 +00:00
|
|
|
return True
|
2020-08-19 05:49:59 +00:00
|
|
|
|
|
|
|
|
|
|
|
class IsObjectOwner(IsValidUser):
|
|
|
|
def has_object_permission(self, request, view, obj):
|
|
|
|
return (super().has_object_permission(request, view, obj) and
|
|
|
|
request.user == getattr(obj, 'user', None))
|
2021-03-11 12:17:44 +00:00
|
|
|
|
|
|
|
|
|
|
|
class HasQueryParamsUserAndIsCurrentOrgMember(permissions.BasePermission):
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
query_user_id = request.query_params.get('user')
|
2021-08-18 02:22:40 +00:00
|
|
|
if not query_user_id or not is_uuid(query_user_id):
|
2021-03-11 12:17:44 +00:00
|
|
|
return False
|
|
|
|
query_user = current_org.get_members().filter(id=query_user_id).first()
|
|
|
|
return bool(query_user)
|
2021-08-24 06:20:54 +00:00
|
|
|
|
|
|
|
|
|
|
|
class OnlySuperUserCanList(IsValidUser):
|
|
|
|
def has_permission(self, request, view):
|
|
|
|
user = request.user
|
|
|
|
if view.action == 'list' and not user.is_superuser:
|
|
|
|
return False
|
|
|
|
return True
|