default requiring permissions to run a script to True w/ burnettk
parent
da603ffef7
commit
1c72850245
|
@ -14,10 +14,6 @@ from spiffworkflow_backend.services.group_service import GroupService
|
|||
class AddPermission(Script):
|
||||
"""AddUserToGroup."""
|
||||
|
||||
@staticmethod
|
||||
def requires_privileged_permissions() -> bool:
|
||||
return True
|
||||
|
||||
def get_description(self) -> str:
|
||||
"""Get_description."""
|
||||
return """Add a permission to a group. ex: add_permission("read", "test/*", "Editors") """
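Review bot: AddPermission changes group permissions, so its privileged status should not rest only on the inherited default; the hunk header (10 lines before, 6 after) suggests the explicit `requires_privileged_permissions` override returning True is dropped here. If the default in Script is ever flipped, or another base class is introduced, this script would become runnable by any user with no change to this file. Consider keeping the override with a comment such as `# privileged: modifies group permissions; must stay True regardless of the Script default`, or pinning the value in a test. The class body continues outside the hunk.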
|
||||
|
|
|
@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
|
|||
class FactService(Script):
|
||||
"""FactService."""
|
||||
|
||||
@staticmethod
|
||||
def requires_privileged_permissions() -> bool:
|
||||
"""We have deemed this function safe to run without elevated permissions."""
|
||||
return False
|
||||
|
||||
def get_description(self) -> str:
|
||||
"""Get_description."""
|
||||
return """Just your basic class that can pull in data from a few api endpoints and
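Review bot: The new docstring on `requires_privileged_permissions` records that the script was judged safe but not why, and the same sentence is repeated verbatim in GetCurrentUser, GetEnv, GetFrontendUrl, GetGroupMembers, GetLocaltime and GetProcessInfo. For this class the reason matters, since its description says it pulls data from API endpoints, and the hunk does not show whether the caller can influence which endpoint is requested. I would replace the sentence with a per-script rationale, for example `"""Unprivileged: <what the script reads and why that is safe for any user>."""`. The get_description body continues past the end of the hunk.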
|
||||
|
|
|
@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
|
|||
class GetCurrentUser(Script):
|
||||
"""GetCurrentUser."""
|
||||
|
||||
@staticmethod
|
||||
def requires_privileged_permissions() -> bool:
|
||||
"""We have deemed this function safe to run without elevated permissions."""
|
||||
return False
|
||||
|
||||
def get_description(self) -> str:
|
||||
"""Get_description."""
|
||||
return """Return the current user."""
|
||||
|
|
|
@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
|
|||
class GetEnv(Script):
|
||||
"""GetEnv."""
|
||||
|
||||
@staticmethod
|
||||
def requires_privileged_permissions() -> bool:
|
||||
"""We have deemed this function safe to run without elevated permissions."""
|
||||
return False
|
||||
|
||||
def get_description(self) -> str:
|
||||
"""Get_description."""
|
||||
return """Returns the current environment - ie testing, staging, production."""
|
||||
|
|
|
@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
|
|||
class GetFrontendUrl(Script):
|
||||
"""GetFrontendUrl."""
|
||||
|
||||
@staticmethod
|
||||
def requires_privileged_permissions() -> bool:
|
||||
"""We have deemed this function safe to run without elevated permissions."""
|
||||
return False
|
||||
|
||||
def get_description(self) -> str:
|
||||
"""Get_description."""
|
||||
return """Return the url to the frontend."""
|
||||
|
|
|
@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
|
|||
class GetGroupMembers(Script):
|
||||
"""GetGroupMembers."""
|
||||
|
||||
@staticmethod
|
||||
def requires_privileged_permissions() -> bool:
|
||||
"""We have deemed this function safe to run without elevated permissions."""
|
||||
return False
|
||||
|
||||
def get_description(self) -> str:
|
||||
"""Get_description."""
|
||||
return """Return the list of usernames of the users in the given group."""
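Review bot: Returning False here appears to let any user who can run a script list the usernames in whichever group is named in the call, judging by the description string in this hunk. If group membership is meant to be visible only to members or administrators, this script should stay privileged or check that the caller belongs to the group; the run method is outside the hunk, so whether such a check exists cannot be confirmed from here. If the exposure is intended, say so in the docstring, e.g. `"""Unprivileged: group membership is intentionally visible to any user who can run scripts."""`.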
|
||||
|
|
|
@ -14,6 +14,11 @@ from spiffworkflow_backend.scripts.script import Script
|
|||
class GetLocaltime(Script):
|
||||
"""GetLocaltime."""
|
||||
|
||||
@staticmethod
|
||||
def requires_privileged_permissions() -> bool:
|
||||
"""We have deemed this function safe to run without elevated permissions."""
|
||||
return False
|
||||
|
||||
def get_description(self) -> str:
|
||||
"""Get_description."""
|
||||
return """Converts a Datetime object into a Datetime object for a specific timezone.
|
||||
|
|
|
@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
|
|||
class GetProcessInfo(Script):
|
||||
"""GetProcessInfo."""
|
||||
|
||||
@staticmethod
|
||||
def requires_privileged_permissions() -> bool:
|
||||
"""We have deemed this function safe to run without elevated permissions."""
|
||||
return False
|
||||
|
||||
def get_description(self) -> str:
|
||||
"""Get_description."""
|
||||
return """Returns a dictionary of information about the currently running process."""
|
||||
|
|
|
@ -51,6 +51,7 @@ class Script:
|
|||
|
||||
@staticmethod
|
||||
def requires_privileged_permissions() -> bool:
|
||||
"""It seems safer to default to True and make safe functions opt in for any user to run them."""
|
||||
return True
|
||||
|
||||
@staticmethod
|
||||
|
@ -82,7 +83,7 @@ class Script:
|
|||
"""
|
||||
instance = subclass()
|
||||
|
||||
def run_subclass(*ar: Any, **kw: Any) -> Any:
|
||||
def check_script_permission() -> None:
|
||||
if subclass.requires_privileged_permissions():
|
||||
script_function_name = get_script_function_name(subclass)
|
||||
uri = f"/v1.0/can-run-privileged-script/{script_function_name}"
|
||||
|
@ -100,13 +101,16 @@ class Script:
|
|||
raise ScriptUnauthorizedForUserError(
|
||||
f"User {user.username} does not have access to run privileged script '{script_function_name}'"
|
||||
)
|
||||
|
||||
def run_script_if_allowed(*ar: Any, **kw: Any) -> Any:
|
||||
check_script_permission()
|
||||
return subclass.run(
|
||||
instance,
|
||||
script_attributes_context,
|
||||
*ar,
|
||||
**kw,
|
||||
)
|
||||
return run_subclass
|
||||
return run_script_if_allowed
|
||||
|
||||
def get_script_function_name(subclass: type[Script]) -> str:
|
||||
return subclass.__module__.split(".")[-1]
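Review bot: With the base default now True, the security boundary becomes the set of subclasses that override `requires_privileged_permissions` to return False, and nothing in these hunks pins that set. A test that walks the Script subclasses and compares the ones returning False against an explicit list would make every new opt-out show up in review instead of passing silently. The docstring added in the first hunk could also state the contract rather than the hesitation, e.g. `"""Default-deny: a subclass must override this to return False to be runnable without elevated permissions."""`. The check lives in the wrapper returned here, so it presumably protects only callers that go through that wrapper; the enclosing function starts outside the hunks.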
|
||||
|
|