open-law/app/controllers/require_permission.py

129 lines
3.9 KiB
Python

from flask_login import current_user
from flask import flash, redirect, url_for, request, make_response
import functools
from app import models as m, db
from app.logger import log
def check_permissions(
entity_type: m.Permission.Entity,
access: list[m.Permission.Access],
entities: list[dict],
):
if not current_user.is_authenticated:
flash("You do not have permission", "danger")
return make_response(redirect(url_for("home.get_all")))
request_args = (
{**request.view_args, **request.args} if request.view_args else {**request.args}
)
entity = None
for model in entities:
entity_id_field = (model.__name__ + "_id").lower()
entity_id = request_args.get(entity_id_field)
entity: m.Book | m.Collection | m.Section | m.Interpretation | m.Comment = (
db.session.get(model, entity_id)
)
if entity is None:
log(log.INFO, "No entity [%s] found", entities)
flash("You do not have permission", "danger")
return make_response(redirect(url_for("home.get_all")))
book_id = request_args.get("book_id")
if book_id:
book: m.Book = db.session.get(m.Book, book_id)
if book and book.user_id == current_user.id:
# user has access because he is book owner
log(log.INFO, "User [%s] is book owner [%s]", current_user, book)
return None
if type(entity) == m.Comment:
log(log.INFO, "Entity is Comment. Replace it by entity.interpretation")
entity = entity.interpretation
if not entity or not entity.access_groups:
log(
log.INFO,
"Entity [%s] of entity.access_groups [%s] not found",
access,
entity,
)
flash("You do not have permission", "warning")
return make_response(redirect(url_for("home.get_all")))
# check if user is not owner of book
if not book_id and entity.access_groups[0].book.user_id == current_user.id:
# user has access because he is book owner
log(
log.INFO,
"User [%s] is book owner [%s]",
current_user,
entity.access_groups[0].book,
)
return None
access_group_query = (
m.AccessGroup.query.join(
m.PermissionAccessGroups,
m.PermissionAccessGroups.access_group_id == m.AccessGroup.id,
)
.join(m.Permission, m.PermissionAccessGroups.permission_id == m.Permission.id)
.filter(
m.AccessGroup.id.in_(
[access_group.id for access_group in entity.access_groups]
)
)
.filter(m.AccessGroup.users.any(id=current_user.id))
.filter(m.Permission.entity_type == entity_type)
)
for access in access:
access_group_query = access_group_query.filter(
m.Permission.access.op("&")(access) > 0
)
access_groups = access_group_query.all()
if access_groups:
log(
log.INFO,
"User [%s] has permission to [%s] [%s]",
access,
current_user,
entity,
)
return
log(
log.INFO,
"User [%s] dont have permission to [%s] [%s]",
current_user,
access,
entity,
)
flash("You do not have permission", "danger")
return make_response(redirect(url_for("home.get_all")))
def require_permission(
entity_type: m.Permission.Entity,
access: list[m.Permission.Access],
entities: list[dict],
):
def decorator(f):
@functools.wraps(f)
def permission_checker(*args, **kwargs):
if response := check_permissions(
entity_type=entity_type,
access=access,
entities=entities,
):
return response
return f(*args, **kwargs)
return permission_checker
return decorator