default requiring permissions to run a script to True w/ burnettk
parent
da603ffef7
commit
1c72850245
|
@ -14,10 +14,6 @@ from spiffworkflow_backend.services.group_service import GroupService
|
||||||
class AddPermission(Script):
|
class AddPermission(Script):
|
||||||
"""AddUserToGroup."""
|
"""AddUserToGroup."""
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def requires_privileged_permissions() -> bool:
|
|
||||||
return True
|
|
||||||
|
|
||||||
def get_description(self) -> str:
|
def get_description(self) -> str:
|
||||||
"""Get_description."""
|
"""Get_description."""
|
||||||
return """Add a permission to a group. ex: add_permission("read", "test/*", "Editors") """
|
return """Add a permission to a group. ex: add_permission("read", "test/*", "Editors") """
|
||||||
|
|
|
@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
|
||||||
class FactService(Script):
|
class FactService(Script):
|
||||||
"""FactService."""
|
"""FactService."""
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def requires_privileged_permissions() -> bool:
|
||||||
|
"""We have deemed this function safe to run without elevated permissions."""
|
||||||
|
return False
|
||||||
|
|
||||||
def get_description(self) -> str:
|
def get_description(self) -> str:
|
||||||
"""Get_description."""
|
"""Get_description."""
|
||||||
return """Just your basic class that can pull in data from a few api endpoints and
|
return """Just your basic class that can pull in data from a few api endpoints and
|
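Review bot: The docstring added to `requires_privileged_permissions` here, `"""We have deemed this function safe to run without elevated permissions."""`, records the decision but not the reason, and the same sentence is repeated verbatim in the GetCurrentUser, GetEnv, GetFrontendUrl, GetGroupMembers, GetLocaltime and GetProcessInfo overrides. Each override removes an authorization check, so a later reviewer needs the reason to judge whether the exemption still holds once the script's behaviour changes. I would replace it per class with a one-line rationale of the form `"""Unprivileged: <what it reads, and why that is safe for any user>."""`. The class body continues past the end of this hunk, so what FactService actually fetches is not visible from here.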
||||||
|
|
|
@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
|
||||||
class GetCurrentUser(Script):
|
class GetCurrentUser(Script):
|
||||||
"""GetCurrentUser."""
|
"""GetCurrentUser."""
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def requires_privileged_permissions() -> bool:
|
||||||
|
"""We have deemed this function safe to run without elevated permissions."""
|
||||||
|
return False
|
||||||
|
|
||||||
def get_description(self) -> str:
|
def get_description(self) -> str:
|
||||||
"""Get_description."""
|
"""Get_description."""
|
||||||
return """Return the current user."""
|
return """Return the current user."""
|
||||||
|
|
|
@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
|
||||||
class GetEnv(Script):
|
class GetEnv(Script):
|
||||||
"""GetEnv."""
|
"""GetEnv."""
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def requires_privileged_permissions() -> bool:
|
||||||
|
"""We have deemed this function safe to run without elevated permissions."""
|
||||||
|
return False
|
||||||
|
|
||||||
def get_description(self) -> str:
|
def get_description(self) -> str:
|
||||||
"""Get_description."""
|
"""Get_description."""
|
||||||
return """Returns the current environment - ie testing, staging, production."""
|
return """Returns the current environment - ie testing, staging, production."""
|
||||||
|
|
|
@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
|
||||||
class GetFrontendUrl(Script):
|
class GetFrontendUrl(Script):
|
||||||
"""GetFrontendUrl."""
|
"""GetFrontendUrl."""
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def requires_privileged_permissions() -> bool:
|
||||||
|
"""We have deemed this function safe to run without elevated permissions."""
|
||||||
|
return False
|
||||||
|
|
||||||
def get_description(self) -> str:
|
def get_description(self) -> str:
|
||||||
"""Get_description."""
|
"""Get_description."""
|
||||||
return """Return the url to the frontend."""
|
return """Return the url to the frontend."""
|
||||||
|
|
|
@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
|
||||||
class GetGroupMembers(Script):
|
class GetGroupMembers(Script):
|
||||||
"""GetGroupMembers."""
|
"""GetGroupMembers."""
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def requires_privileged_permissions() -> bool:
|
||||||
|
"""We have deemed this function safe to run without elevated permissions."""
|
||||||
|
return False
|
||||||
|
|
||||||
def get_description(self) -> str:
|
def get_description(self) -> str:
|
||||||
"""Get_description."""
|
"""Get_description."""
|
||||||
return """Return the list of usernames of the users in the given group."""
|
return """Return the list of usernames of the users in the given group."""
|
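Review bot: Returning False from `requires_privileged_permissions` here lets any user who can run scripts call a function whose description says it returns "the list of usernames of the users in the given group". As far as this hunk shows, the caller need not belong to that group or hold any permission on it, so group membership becomes readable by every script author. Whether that is acceptable depends on who may author and run scripts, which this commit does not show. If it is not clearly intended, dropping this override so the class inherits the base `return True` keeps the existing can-run-privileged-script check in front of it. The run method is outside the hunk.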
||||||
|
|
|
@ -14,6 +14,11 @@ from spiffworkflow_backend.scripts.script import Script
|
||||||
class GetLocaltime(Script):
|
class GetLocaltime(Script):
|
||||||
"""GetLocaltime."""
|
"""GetLocaltime."""
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def requires_privileged_permissions() -> bool:
|
||||||
|
"""We have deemed this function safe to run without elevated permissions."""
|
||||||
|
return False
|
||||||
|
|
||||||
def get_description(self) -> str:
|
def get_description(self) -> str:
|
||||||
"""Get_description."""
|
"""Get_description."""
|
||||||
return """Converts a Datetime object into a Datetime object for a specific timezone.
|
return """Converts a Datetime object into a Datetime object for a specific timezone.
|
||||||
|
|
|
@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
|
||||||
class GetProcessInfo(Script):
|
class GetProcessInfo(Script):
|
||||||
"""GetProcessInfo."""
|
"""GetProcessInfo."""
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def requires_privileged_permissions() -> bool:
|
||||||
|
"""We have deemed this function safe to run without elevated permissions."""
|
||||||
|
return False
|
||||||
|
|
||||||
def get_description(self) -> str:
|
def get_description(self) -> str:
|
||||||
"""Get_description."""
|
"""Get_description."""
|
||||||
return """Returns a dictionary of information about the currently running process."""
|
return """Returns a dictionary of information about the currently running process."""
|
||||||
|
|
|
@ -51,6 +51,7 @@ class Script:
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def requires_privileged_permissions() -> bool:
|
def requires_privileged_permissions() -> bool:
|
||||||
|
"""It seems safer to default to True and make safe functions opt in for any user to run them."""
|
||||||
return True
|
return True
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
@ -82,7 +83,7 @@ class Script:
|
||||||
"""
|
"""
|
||||||
instance = subclass()
|
instance = subclass()
|
||||||
|
|
||||||
def run_subclass(*ar: Any, **kw: Any) -> Any:
|
def check_script_permission() -> None:
|
||||||
if subclass.requires_privileged_permissions():
|
if subclass.requires_privileged_permissions():
|
||||||
script_function_name = get_script_function_name(subclass)
|
script_function_name = get_script_function_name(subclass)
|
||||||
uri = f"/v1.0/can-run-privileged-script/{script_function_name}"
|
uri = f"/v1.0/can-run-privileged-script/{script_function_name}"
|
||||||
|
@ -100,13 +101,16 @@ class Script:
|
||||||
raise ScriptUnauthorizedForUserError(
|
raise ScriptUnauthorizedForUserError(
|
||||||
f"User {user.username} does not have access to run privileged script '{script_function_name}'"
|
f"User {user.username} does not have access to run privileged script '{script_function_name}'"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def run_script_if_allowed(*ar: Any, **kw: Any) -> Any:
|
||||||
|
check_script_permission()
|
||||||
return subclass.run(
|
return subclass.run(
|
||||||
instance,
|
instance,
|
||||||
script_attributes_context,
|
script_attributes_context,
|
||||||
*ar,
|
*ar,
|
||||||
**kw,
|
**kw,
|
||||||
)
|
)
|
||||||
return run_subclass
|
return run_script_if_allowed
|
||||||
|
|
||||||
def get_script_function_name(subclass: type[Script]) -> str:
|
def get_script_function_name(subclass: type[Script]) -> str:
|
||||||
return subclass.__module__.split(".")[-1]
|
return subclass.__module__.split(".")[-1]
|
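Review bot: Nothing in this file pins which scripts may opt out of the privileged check, so the deny-by-default in `requires_privileged_permissions` is only as strong as the review of each subclass override. AddPermission drops its explicit `return True` in this commit and now depends entirely on this inherited default; a regression test such as `assert AddPermission.requires_privileged_permissions() is True` would guard that. More generally, a test that walks the Script subclasses and compares those returning False against an explicit allowlist would surface any new opt-out as a test change. Separately, `get_script_function_name` takes the last component of `subclass.__module__`, so the permission URI is keyed by file name, and two script modules with the same basename would presumably share one permission target. The middle of `check_script_permission` lies between the visible hunks and was not reviewed.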
||||||
|
|