open-law/app/controllers/require_permission.py

from flask_login import current_user
from flask import flash, redirect, url_for, request, make_response
import functools

from app import models as m, db
from app.logger import log


def check_permissions(
    entity_type: m.Permission.Entity,
    access: list[m.Permission.Access],
    entities: list[dict],
):
    if not current_user.is_authenticated:
        flash("You do not have permission", "danger")
        return make_response(redirect(url_for("home.get_all")))

    request_args = (
        {**request.view_args, **request.args} if request.view_args else {**request.args}
    )
    entity = None
    for model in entities:
        entity_id_field = (model.__name__ + "_id").lower()
        entity_id = request_args.get(entity_id_field)
        entity: m.Book | m.Collection | m.Section | m.Interpretation | m.Comment = (
            db.session.get(model, entity_id)
        )

    if entity is None:
        log(log.INFO, "No entity [%s] found", entities)
        flash("You do not have permission", "danger")
        return make_response(redirect(url_for("home.get_all")))

    book_id = request_args.get("book_id")
    if book_id:
        book: m.Book = db.session.get(m.Book, book_id)
        if book and book.user_id == current_user.id:
            # user has access because he is book owner
            log(log.INFO, "User [%s] is book owner [%s]", current_user, book)
            return None

    if type(entity) == m.Comment:
        log(log.INFO, "Entity is Comment. Replace it by entity.interpretation")
        entity = entity.interpretation

    if not entity or not entity.access_groups:
        log(
            log.INFO,
            "User [%s] dont have permission to [%s] [%s]",
            access.name,
            current_user,
            entity,
        )
        flash("You do not have permission", "warning")
        return make_response(redirect(url_for("home.get_all")))

    # check if user is not owner of book
    if not book_id and entity.access_groups[0].book.user_id == current_user.id:
        # user has access because he is book owner
        log(
            log.INFO,
            "User [%s] is book owner [%s]",
            current_user,
            entity.access_groups[0].book,
        )
        return None

    access_group_query = (
        m.AccessGroup.query.join(
            m.PermissionAccessGroups,
            m.PermissionAccessGroups.access_group_id == m.AccessGroup.id,
        )
        .join(m.Permission, m.PermissionAccessGroups.permission_id == m.Permission.id)
        .filter(
            m.AccessGroup.id.in_(
                [access_group.id for access_group in entity.access_groups]
            )
        )
        .filter(m.AccessGroup.users.any(id=current_user.id))
        .filter(m.Permission.entity_type == entity_type)
    )

    for access in access:
        access_group_query = access_group_query.filter(
            m.Permission.access.op("&")(access) > 0
        )

    access_groups = access_group_query.all()

    if access_groups:
        log(
            log.INFO,
            "User [%s] has permission to [%s] [%s]",
            access.name,
            current_user,
            entity,
        )
        return

    log(
        log.INFO,
        "User [%s] dont have permission to [%s] [%s]",
        access.name,
        current_user,
        entity,
    )
    flash("You do not have permission", "danger")
    return make_response(redirect(url_for("home.get_all")))


def require_permission(
    entity_type: m.Permission.Entity,
    access: list[m.Permission.Access],
    entities: list[dict],
):
    def decorator(f):
        @functools.wraps(f)
        def permission_checker(*args, **kwargs):
            if response := check_permissions(
                entity_type=entity_type,
                access=access,
                entities=entities,
            ):
                return response
            return f(*args, **kwargs)

        return permission_checker

    return decorator
require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00			`from flask_login import current_user`
			`from flask import flash, redirect, url_for, request, make_response`
			`import functools`

			`from app import models as m, db`
fix approve comment 2023-06-01 05:29:27 +00:00			`from app.logger import log`
require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00

			`def check_permissions(`
			`entity_type: m.Permission.Entity,`
			`access: list[m.Permission.Access],`
connected permissions checks and testing editor access 2023-05-31 11:18:11 +00:00			`entities: list[dict],`
require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00			`):`
connected permissions checks and testing editor access 2023-05-31 11:18:11 +00:00			`if not current_user.is_authenticated:`
			`flash("You do not have permission", "danger")`
			`return make_response(redirect(url_for("home.get_all")))`

require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00			`request_args = (`
			`{request.view_args, request.args} if request.view_args else {**request.args}`
			`)`
wait for refactor routes 2023-05-29 14:37:51 +00:00			`entity = None`
connected permissions checks and testing editor access 2023-05-31 11:18:11 +00:00			`for model in entities:`
			`entity_id_field = (model.__name__ + "_id").lower()`
wait for refactor routes 2023-05-29 14:37:51 +00:00			`entity_id = request_args.get(entity_id_field)`
fix approve comment 2023-06-01 05:29:27 +00:00			`entity: m.Book \| m.Collection \| m.Section \| m.Interpretation \| m.Comment = (`
			`db.session.get(model, entity_id)`
wait for refactor routes 2023-05-29 14:37:51 +00:00			`)`
require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00
connected permissions checks and testing editor access 2023-05-31 11:18:11 +00:00			`if entity is None:`
fix approve comment 2023-06-01 05:29:27 +00:00			`log(log.INFO, "No entity [%s] found", entities)`
connected permissions checks and testing editor access 2023-05-31 11:18:11 +00:00			`flash("You do not have permission", "danger")`
			`return make_response(redirect(url_for("home.get_all")))`

			`book_id = request_args.get("book_id")`
fix approve comment 2023-06-01 05:29:27 +00:00			`if book_id:`
			`book: m.Book = db.session.get(m.Book, book_id)`
			`if book and book.user_id == current_user.id:`
			`# user has access because he is book owner`
			`log(log.INFO, "User [%s] is book owner [%s]", current_user, book)`
			`return None`

			`if type(entity) == m.Comment:`
			`log(log.INFO, "Entity is Comment. Replace it by entity.interpretation")`
			`entity = entity.interpretation`
connected permissions checks and testing editor access 2023-05-31 11:18:11 +00:00
require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00			`if not entity or not entity.access_groups:`
fix approve comment 2023-06-01 05:29:27 +00:00			`log(`
			`log.INFO,`
			`"User [%s] dont have permission to [%s] [%s]",`
			`access.name,`
			`current_user,`
			`entity,`
			`)`
require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00			`flash("You do not have permission", "warning")`
			`return make_response(redirect(url_for("home.get_all")))`

			`# check if user is not owner of book`
fix approve comment 2023-06-01 05:29:27 +00:00			`if not book_id and entity.access_groups[0].book.user_id == current_user.id:`
connected permissions checks and testing editor access 2023-05-31 11:18:11 +00:00			`# user has access because he is book owner`
fix approve comment 2023-06-01 05:29:27 +00:00			`log(`
			`log.INFO,`
			`"User [%s] is book owner [%s]",`
			`current_user,`
			`entity.access_groups[0].book,`
			`)`
require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00			`return None`

			`access_group_query = (`
			`m.AccessGroup.query.join(`
			`m.PermissionAccessGroups,`
			`m.PermissionAccessGroups.access_group_id == m.AccessGroup.id,`
			`)`
			`.join(m.Permission, m.PermissionAccessGroups.permission_id == m.Permission.id)`
			`.filter(`
			`m.AccessGroup.id.in_(`
			`[access_group.id for access_group in entity.access_groups]`
			`)`
			`)`
			`.filter(m.AccessGroup.users.any(id=current_user.id))`
			`.filter(m.Permission.entity_type == entity_type)`
			`)`

			`for access in access:`
			`access_group_query = access_group_query.filter(`
			`m.Permission.access.op("&")(access) > 0`
			`)`

			`access_groups = access_group_query.all()`

			`if access_groups:`
fix approve comment 2023-06-01 05:29:27 +00:00			`log(`
			`log.INFO,`
			`"User [%s] has permission to [%s] [%s]",`
			`access.name,`
			`current_user,`
			`entity,`
			`)`
require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00			`return`

fix approve comment 2023-06-01 05:29:27 +00:00			`log(`
			`log.INFO,`
			`"User [%s] dont have permission to [%s] [%s]",`
			`access.name,`
			`current_user,`
			`entity,`
			`)`
require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00			`flash("You do not have permission", "danger")`
			`return make_response(redirect(url_for("home.get_all")))`


			`def require_permission(`
			`entity_type: m.Permission.Entity,`
			`access: list[m.Permission.Access],`
connected permissions checks and testing editor access 2023-05-31 11:18:11 +00:00			`entities: list[dict],`
require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00			`):`
			`def decorator(f):`
			`@functools.wraps(f)`
			`def permission_checker(args, *kwargs):`
			`if response := check_permissions(`
			`entity_type=entity_type,`
			`access=access,`
connected permissions checks and testing editor access 2023-05-31 11:18:11 +00:00			`entities=entities,`
require_permission, start connecting permissions to routes 2023-05-29 13:14:00 +00:00			`):`
			`return response`
			`return f(args, *kwargs)`

			`return permission_checker`

			`return decorator`