do not force permissions to use the v1.0 path prefix but it can be used if desired w/ burnettk
This commit is contained in:
jasquat
parent
4ddc99527a
commit
36c395e074
|
|
@ -18,6 +18,7 @@ from werkzeug.exceptions import NotFound
|
||||||
|
|
||||||
import spiffworkflow_backend.load_database_models # noqa: F401
|
import spiffworkflow_backend.load_database_models # noqa: F401
|
||||||
from spiffworkflow_backend.config import setup_config
|
from spiffworkflow_backend.config import setup_config
|
||||||
|
from spiffworkflow_backend.helpers.api_version import V1_API_PATH_PREFIX
|
||||||
from spiffworkflow_backend.routes.admin_blueprint.admin_blueprint import admin_blueprint
|
from spiffworkflow_backend.routes.admin_blueprint.admin_blueprint import admin_blueprint
|
||||||
from spiffworkflow_backend.routes.openid_blueprint.openid_blueprint import (
|
from spiffworkflow_backend.routes.openid_blueprint.openid_blueprint import (
|
||||||
openid_blueprint,
|
openid_blueprint,
|
||||||
|
|
@ -117,7 +118,7 @@ def create_app() -> flask.app.Flask:
|
||||||
]
|
]
|
||||||
CORS(app, origins=origins_re, max_age=3600)
|
CORS(app, origins=origins_re, max_age=3600)
|
||||||
|
|
||||||
connexion_app.add_api("api.yml", base_path="/v1.0")
|
connexion_app.add_api("api.yml", base_path=V1_API_PATH_PREFIX)
|
||||||
|
|
||||||
mail = Mail(app)
|
mail = Mail(app)
|
||||||
app.config["MAIL_APP"] = mail
|
app.config["MAIL_APP"] = mail
|
||||||
|
|
|
||||||
|
|
@ -83,120 +83,120 @@ permissions:
|
||||||
groups: [admin-ro]
|
groups: [admin-ro]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/*
|
uri: /process-instances/*
|
||||||
|
|
||||||
tasks-crud:
|
tasks-crud:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/tasks/*
|
uri: /tasks/*
|
||||||
service-tasks:
|
service-tasks:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/service-tasks
|
uri: /service-tasks
|
||||||
user-groups-for-current-user:
|
user-groups-for-current-user:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/user-groups/for-current-user
|
uri: /user-groups/for-current-user
|
||||||
|
|
||||||
# read all for everybody
|
# read all for everybody
|
||||||
read-all-process-groups:
|
read-all-process-groups:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/process-groups/*
|
uri: /process-groups/*
|
||||||
read-all-process-models:
|
read-all-process-models:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/process-models/*
|
uri: /process-models/*
|
||||||
read-all-process-instances-for-me:
|
read-all-process-instances-for-me:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/process-instances/for-me/*
|
uri: /process-instances/for-me/*
|
||||||
read-process-instance-reports:
|
read-process-instance-reports:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/reports/*
|
uri: /process-instances/reports/*
|
||||||
processes-read:
|
processes-read:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/processes
|
uri: /processes
|
||||||
|
|
||||||
|
|
||||||
manage-procurement-admin:
|
manage-procurement-admin:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-groups/manage-procurement:*
|
uri: /process-groups/manage-procurement:*
|
||||||
manage-procurement-admin-slash:
|
manage-procurement-admin-slash:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-groups/manage-procurement/*
|
uri: /process-groups/manage-procurement/*
|
||||||
manage-procurement-admin-models:
|
manage-procurement-admin-models:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-models/manage-procurement:*
|
uri: /process-models/manage-procurement:*
|
||||||
manage-procurement-admin-models-slash:
|
manage-procurement-admin-models-slash:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-models/manage-procurement/*
|
uri: /process-models/manage-procurement/*
|
||||||
manage-procurement-admin-instances:
|
manage-procurement-admin-instances:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/manage-procurement:*
|
uri: /process-instances/manage-procurement:*
|
||||||
manage-procurement-admin-instances-slash:
|
manage-procurement-admin-instances-slash:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/manage-procurement/*
|
uri: /process-instances/manage-procurement/*
|
||||||
|
|
||||||
finance-admin:
|
finance-admin:
|
||||||
groups: ["Finance Team"]
|
groups: ["Finance Team"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-groups/manage-procurement:procurement:*
|
uri: /process-groups/manage-procurement:procurement:*
|
||||||
|
|
||||||
manage-revenue-streams-instances:
|
manage-revenue-streams-instances:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
|
uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
|
||||||
|
|
||||||
manage-procurement-invoice-instances:
|
manage-procurement-invoice-instances:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
|
uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
|
||||||
|
|
||||||
manage-procurement-instances:
|
manage-procurement-instances:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/manage-procurement:vendor-lifecycle-management:*
|
uri: /process-instances/manage-procurement:vendor-lifecycle-management:*
|
||||||
|
|
||||||
create-test-instances:
|
create-test-instances:
|
||||||
groups: ["test"]
|
groups: ["test"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/misc:test:*
|
uri: /process-instances/misc:test:*
|
||||||
|
|
||||||
core1-admin-instances:
|
core1-admin-instances:
|
||||||
groups: ["core-contributor", "Finance Team"]
|
groups: ["core-contributor", "Finance Team"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/misc:category_number_one:process-model-with-form:*
|
uri: /process-instances/misc:category_number_one:process-model-with-form:*
|
||||||
core1-admin-instances-slash:
|
core1-admin-instances-slash:
|
||||||
groups: ["core-contributor", "Finance Team"]
|
groups: ["core-contributor", "Finance Team"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/misc:category_number_one:process-model-with-form/*
|
uri: /process-instances/misc:category_number_one:process-model-with-form/*
|
||||||
|
|
|
||||||
|
|
@ -47,44 +47,44 @@ permissions:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/tasks/*
|
uri: /tasks/*
|
||||||
|
|
||||||
# Everyone can see everything (all groups, and processes are visible)
|
# Everyone can see everything (all groups, and processes are visible)
|
||||||
read-all-process-groups:
|
read-all-process-groups:
|
||||||
groups: [ everybody ]
|
groups: [ everybody ]
|
||||||
users: [ ]
|
users: [ ]
|
||||||
allowed_permissions: [ read ]
|
allowed_permissions: [ read ]
|
||||||
uri: /v1.0/process-groups/*
|
uri: /process-groups/*
|
||||||
read-all-process-models:
|
read-all-process-models:
|
||||||
groups: [ everybody ]
|
groups: [ everybody ]
|
||||||
users: [ ]
|
users: [ ]
|
||||||
allowed_permissions: [ read ]
|
allowed_permissions: [ read ]
|
||||||
uri: /v1.0/process-models/*
|
uri: /process-models/*
|
||||||
read-all-process-instance:
|
read-all-process-instance:
|
||||||
groups: [ everybody ]
|
groups: [ everybody ]
|
||||||
users: [ ]
|
users: [ ]
|
||||||
allowed_permissions: [ read ]
|
allowed_permissions: [ read ]
|
||||||
uri: /v1.0/process-instances/*
|
uri: /process-instances/*
|
||||||
read-process-instance-reports:
|
read-process-instance-reports:
|
||||||
groups: [ everybody ]
|
groups: [ everybody ]
|
||||||
users: [ ]
|
users: [ ]
|
||||||
allowed_permissions: [ read ]
|
allowed_permissions: [ read ]
|
||||||
uri: /v1.0/process-instances/reports/*
|
uri: /process-instances/reports/*
|
||||||
processes-read:
|
processes-read:
|
||||||
groups: [ everybody ]
|
groups: [ everybody ]
|
||||||
users: [ ]
|
users: [ ]
|
||||||
allowed_permissions: [ read ]
|
allowed_permissions: [ read ]
|
||||||
uri: /v1.0/processes
|
uri: /processes
|
||||||
# Members of the Education group can change the processes under "education".
|
# Members of the Education group can change the processes under "education".
|
||||||
education-admin:
|
education-admin:
|
||||||
groups: ["Education", "President"]
|
groups: ["Education", "President"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-groups/education:*
|
uri: /process-groups/education:*
|
||||||
|
|
||||||
# Anyone can start an education process.
|
# Anyone can start an education process.
|
||||||
education-everybody:
|
education-everybody:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/misc:category_number_one:process-model-with-form/*
|
uri: /process-instances/misc:category_number_one:process-model-with-form/*
|
||||||
|
|
|
||||||
|
|
@ -67,24 +67,24 @@ permissions:
|
||||||
groups: [admin]
|
groups: [admin]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/*
|
uri: /process-instances/*
|
||||||
|
|
||||||
tasks-crud:
|
tasks-crud:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/tasks/*
|
uri: /tasks/*
|
||||||
|
|
||||||
service-tasks:
|
service-tasks:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/service-tasks
|
uri: /service-tasks
|
||||||
user-groups-for-current-user:
|
user-groups-for-current-user:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/user-groups/for-current-user
|
uri: /user-groups/for-current-user
|
||||||
|
|
||||||
|
|
||||||
# read all for everybody
|
# read all for everybody
|
||||||
|
|
@ -92,79 +92,79 @@ permissions:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/process-groups/*
|
uri: /process-groups/*
|
||||||
read-all-process-models:
|
read-all-process-models:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/process-models/*
|
uri: /process-models/*
|
||||||
read-all-process-instances-for-me:
|
read-all-process-instances-for-me:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/process-instances/for-me/*
|
uri: /process-instances/for-me/*
|
||||||
manage-process-instance-reports:
|
manage-process-instance-reports:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/reports/*
|
uri: /process-instances/reports/*
|
||||||
processes-read:
|
processes-read:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/processes
|
uri: /processes
|
||||||
|
|
||||||
|
|
||||||
manage-procurement-admin-instances:
|
manage-procurement-admin-instances:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/manage-procurement:*
|
uri: /process-instances/manage-procurement:*
|
||||||
manage-procurement-admin-instances-slash:
|
manage-procurement-admin-instances-slash:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/manage-procurement/*
|
uri: /process-instances/manage-procurement/*
|
||||||
manage-procurement-admin-instance-logs:
|
manage-procurement-admin-instance-logs:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/logs/manage-procurement:*
|
uri: /logs/manage-procurement:*
|
||||||
manage-procurement-admin-instance-logs-slash:
|
manage-procurement-admin-instance-logs-slash:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/logs/manage-procurement/*
|
uri: /logs/manage-procurement/*
|
||||||
|
|
||||||
manage-revenue-streams-instances:
|
manage-revenue-streams-instances:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
|
uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
|
||||||
manage-revenue-streams-instance-logs:
|
manage-revenue-streams-instance-logs:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/logs/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
|
uri: /logs/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
|
||||||
|
|
||||||
manage-procurement-invoice-instances:
|
manage-procurement-invoice-instances:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
|
uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
|
||||||
manage-procurement-invoice-instance-logs:
|
manage-procurement-invoice-instance-logs:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/logs/manage-procurement:procurement:core-contributor-invoice-management:*
|
uri: /logs/manage-procurement:procurement:core-contributor-invoice-management:*
|
||||||
|
|
||||||
manage-procurement-instances:
|
manage-procurement-instances:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/manage-procurement:vendor-lifecycle-management:*
|
uri: /process-instances/manage-procurement:vendor-lifecycle-management:*
|
||||||
manage-procurement-instance-logs:
|
manage-procurement-instance-logs:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/logs/manage-procurement:vendor-lifecycle-management:*
|
uri: /logs/manage-procurement:vendor-lifecycle-management:*
|
||||||
|
|
|
||||||
|
|
@ -68,18 +68,18 @@ permissions:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/tasks/*
|
uri: /tasks/*
|
||||||
|
|
||||||
service-tasks:
|
service-tasks:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/service-tasks
|
uri: /service-tasks
|
||||||
user-groups-for-current-user:
|
user-groups-for-current-user:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/user-groups/for-current-user
|
uri: /user-groups/for-current-user
|
||||||
|
|
||||||
|
|
||||||
# read all for everybody
|
# read all for everybody
|
||||||
|
|
@ -87,86 +87,86 @@ permissions:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/process-groups/*
|
uri: /process-groups/*
|
||||||
read-all-process-models:
|
read-all-process-models:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/process-models/*
|
uri: /process-models/*
|
||||||
read-all-process-instances-for-me:
|
read-all-process-instances-for-me:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/process-instances/for-me/*
|
uri: /process-instances/for-me/*
|
||||||
read-process-instance-reports:
|
read-process-instance-reports:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/reports/*
|
uri: /process-instances/reports/*
|
||||||
processes-read:
|
processes-read:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /v1.0/processes
|
uri: /processes
|
||||||
|
|
||||||
|
|
||||||
manage-procurement-admin:
|
manage-procurement-admin:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-groups/manage-procurement:*
|
uri: /process-groups/manage-procurement:*
|
||||||
manage-procurement-admin-slash:
|
manage-procurement-admin-slash:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-groups/manage-procurement/*
|
uri: /process-groups/manage-procurement/*
|
||||||
manage-procurement-admin-models:
|
manage-procurement-admin-models:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-models/manage-procurement:*
|
uri: /process-models/manage-procurement:*
|
||||||
manage-procurement-admin-models-slash:
|
manage-procurement-admin-models-slash:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-models/manage-procurement/*
|
uri: /process-models/manage-procurement/*
|
||||||
manage-procurement-admin-instances:
|
manage-procurement-admin-instances:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/manage-procurement:*
|
uri: /process-instances/manage-procurement:*
|
||||||
manage-procurement-admin-instances-slash:
|
manage-procurement-admin-instances-slash:
|
||||||
groups: ["Project Lead"]
|
groups: ["Project Lead"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/manage-procurement/*
|
uri: /process-instances/manage-procurement/*
|
||||||
|
|
||||||
finance-admin:
|
finance-admin:
|
||||||
groups: ["Finance Team"]
|
groups: ["Finance Team"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-groups/manage-procurement:procurement:*
|
uri: /process-groups/manage-procurement:procurement:*
|
||||||
|
|
||||||
manage-revenue-streams-instances:
|
manage-revenue-streams-instances:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
|
uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
|
||||||
|
|
||||||
manage-procurement-invoice-instances:
|
manage-procurement-invoice-instances:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
|
uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
|
||||||
|
|
||||||
manage-procurement-instances:
|
manage-procurement-instances:
|
||||||
groups: ["core-contributor", "demo"]
|
groups: ["core-contributor", "demo"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/manage-procurement:vendor-lifecycle-management:*
|
uri: /process-instances/manage-procurement:vendor-lifecycle-management:*
|
||||||
|
|
||||||
create-test-instances:
|
create-test-instances:
|
||||||
groups: ["test"]
|
groups: ["test"]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read]
|
allowed_permissions: [create, read]
|
||||||
uri: /v1.0/process-instances/misc:test:*
|
uri: /process-instances/misc:test:*
|
||||||
|
|
|
||||||
|
|
@ -34,29 +34,29 @@ permissions:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/tasks/*
|
uri: /tasks/*
|
||||||
|
|
||||||
# TODO: all uris should really have the same structure
|
# TODO: all uris should really have the same structure
|
||||||
finance-admin-group:
|
finance-admin-group:
|
||||||
groups: ["Finance Team"]
|
groups: ["Finance Team"]
|
||||||
users: [testuser4]
|
users: [testuser4]
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-groups/finance/*
|
uri: /process-groups/finance/*
|
||||||
|
|
||||||
finance-admin-model:
|
finance-admin-model:
|
||||||
groups: ["Finance Team"]
|
groups: ["Finance Team"]
|
||||||
users: [testuser4]
|
users: [testuser4]
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-models/finance/*
|
uri: /process-models/finance/*
|
||||||
|
|
||||||
finance-admin-model-lanes:
|
finance-admin-model-lanes:
|
||||||
groups: ["Finance Team"]
|
groups: ["Finance Team"]
|
||||||
users: [testuser4]
|
users: [testuser4]
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-models/finance:model_with_lanes/*
|
uri: /process-models/finance:model_with_lanes/*
|
||||||
|
|
||||||
finance-admin-instance-run:
|
finance-admin-instance-run:
|
||||||
groups: ["Finance Team"]
|
groups: ["Finance Team"]
|
||||||
users: [testuser4]
|
users: [testuser4]
|
||||||
allowed_permissions: [create, read, update, delete]
|
allowed_permissions: [create, read, update, delete]
|
||||||
uri: /v1.0/process-instances/*
|
uri: /process-instances/*
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,2 @@
|
||||||
|
"""Api_version."""
|
||||||
|
V1_API_PATH_PREFIX = "/v1.0"
|
||||||
|
|
@ -52,7 +52,11 @@ class Script:
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def requires_privileged_permissions() -> bool:
|
def requires_privileged_permissions() -> bool:
|
||||||
"""It seems safer to default to True and make safe functions opt in for any user to run them."""
|
"""It seems safer to default to True and make safe functions opt in for any user to run them.
|
||||||
|
|
||||||
|
To give access to script for a given user, add a 'create' permission with following target-uri:
|
||||||
|
'/can-run-privileged-script/{script_name}'
|
||||||
|
"""
|
||||||
return True
|
return True
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
@ -88,7 +92,7 @@ class Script:
|
||||||
"""Check_script_permission."""
|
"""Check_script_permission."""
|
||||||
if subclass.requires_privileged_permissions():
|
if subclass.requires_privileged_permissions():
|
||||||
script_function_name = get_script_function_name(subclass)
|
script_function_name = get_script_function_name(subclass)
|
||||||
uri = f"/v1.0/can-run-privileged-script/{script_function_name}"
|
uri = f"/can-run-privileged-script/{script_function_name}"
|
||||||
process_instance = ProcessInstanceModel.query.filter_by(
|
process_instance = ProcessInstanceModel.query.filter_by(
|
||||||
id=script_attributes_context.process_instance_id
|
id=script_attributes_context.process_instance_id
|
||||||
).first()
|
).first()
|
||||||
|
|
|
||||||
|
|
@ -19,6 +19,7 @@ from SpiffWorkflow.task import Task as SpiffTask # type: ignore
|
||||||
from sqlalchemy import or_
|
from sqlalchemy import or_
|
||||||
from sqlalchemy import text
|
from sqlalchemy import text
|
||||||
|
|
||||||
|
from spiffworkflow_backend.helpers.api_version import V1_API_PATH_PREFIX
|
||||||
from spiffworkflow_backend.models.group import GroupModel
|
from spiffworkflow_backend.models.group import GroupModel
|
||||||
from spiffworkflow_backend.models.human_task import HumanTaskModel
|
from spiffworkflow_backend.models.human_task import HumanTaskModel
|
||||||
from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
|
from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
|
||||||
|
|
@ -75,6 +76,7 @@ class AuthorizationService:
|
||||||
) -> bool:
|
) -> bool:
|
||||||
"""Has_permission."""
|
"""Has_permission."""
|
||||||
principal_ids = [p.id for p in principals]
|
principal_ids = [p.id for p in principals]
|
||||||
|
target_uri_normalized = target_uri.removeprefix(V1_API_PATH_PREFIX)
|
||||||
|
|
||||||
permission_assignments = (
|
permission_assignments = (
|
||||||
PermissionAssignmentModel.query.filter(
|
PermissionAssignmentModel.query.filter(
|
||||||
|
|
@ -84,10 +86,12 @@ class AuthorizationService:
|
||||||
.join(PermissionTargetModel)
|
.join(PermissionTargetModel)
|
||||||
.filter(
|
.filter(
|
||||||
or_(
|
or_(
|
||||||
text(f"'{target_uri}' LIKE permission_target.uri"),
|
text(f"'{target_uri_normalized}' LIKE permission_target.uri"),
|
||||||
# to check for exact matches as well
|
# to check for exact matches as well
|
||||||
# see test_user_can_access_base_path_when_given_wildcard_permission unit test
|
# see test_user_can_access_base_path_when_given_wildcard_permission unit test
|
||||||
text(f"'{target_uri}' = replace(permission_target.uri, '/%', '')"),
|
text(
|
||||||
|
f"'{target_uri_normalized}' = replace(permission_target.uri, '/%', '')"
|
||||||
|
),
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
.all()
|
.all()
|
||||||
|
|
@ -221,11 +225,12 @@ class AuthorizationService:
|
||||||
def find_or_create_permission_target(cls, uri: str) -> PermissionTargetModel:
|
def find_or_create_permission_target(cls, uri: str) -> PermissionTargetModel:
|
||||||
"""Find_or_create_permission_target."""
|
"""Find_or_create_permission_target."""
|
||||||
uri_with_percent = re.sub(r"\*", "%", uri)
|
uri_with_percent = re.sub(r"\*", "%", uri)
|
||||||
|
target_uri_normalized = uri_with_percent.removeprefix(V1_API_PATH_PREFIX)
|
||||||
permission_target: Optional[
|
permission_target: Optional[
|
||||||
PermissionTargetModel
|
PermissionTargetModel
|
||||||
] = PermissionTargetModel.query.filter_by(uri=uri_with_percent).first()
|
] = PermissionTargetModel.query.filter_by(uri=target_uri_normalized).first()
|
||||||
if permission_target is None:
|
if permission_target is None:
|
||||||
permission_target = PermissionTargetModel(uri=uri_with_percent)
|
permission_target = PermissionTargetModel(uri=target_uri_normalized)
|
||||||
db.session.add(permission_target)
|
db.session.add(permission_target)
|
||||||
db.session.commit()
|
db.session.commit()
|
||||||
return permission_target
|
return permission_target
|
||||||
|
|
|
||||||
|
|
@ -324,13 +324,9 @@ class BaseTest:
|
||||||
permission_names: Optional[list[str]] = None,
|
permission_names: Optional[list[str]] = None,
|
||||||
) -> UserModel:
|
) -> UserModel:
|
||||||
"""Add_permissions_to_user."""
|
"""Add_permissions_to_user."""
|
||||||
permission_target = PermissionTargetModel.query.filter_by(
|
permission_target = AuthorizationService.find_or_create_permission_target(
|
||||||
uri=target_uri
|
target_uri
|
||||||
).first()
|
)
|
||||||
if permission_target is None:
|
|
||||||
permission_target = PermissionTargetModel(uri=target_uri)
|
|
||||||
db.session.add(permission_target)
|
|
||||||
db.session.commit()
|
|
||||||
|
|
||||||
if permission_names is None:
|
if permission_names is None:
|
||||||
permission_names = [member.name for member in Permission]
|
permission_names = [member.name for member in Permission]
|
||||||
|
|
|
||||||
|
|
@ -76,7 +76,7 @@ class TestAddPermission(BaseTest):
|
||||||
privileged_user = self.find_or_create_user("privileged_user")
|
privileged_user = self.find_or_create_user("privileged_user")
|
||||||
self.add_permissions_to_user(
|
self.add_permissions_to_user(
|
||||||
privileged_user,
|
privileged_user,
|
||||||
target_uri="/v1.0/can-run-privileged-script/add_permission",
|
target_uri="/can-run-privileged-script/add_permission",
|
||||||
permission_names=["create"],
|
permission_names=["create"],
|
||||||
)
|
)
|
||||||
process_model = load_test_spec(
|
process_model = load_test_spec(
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue