default requiring permissions to run a script to True w/ burnettk

This commit is contained in:
jasquat 2022-12-21 11:39:12 -05:00
parent fcc79e639a
commit 7ed4adc619
9 changed files with 41 additions and 6 deletions

View File

@ -14,10 +14,6 @@ from spiffworkflow_backend.services.group_service import GroupService
class AddPermission(Script): class AddPermission(Script):
"""AddUserToGroup.""" """AddUserToGroup."""
@staticmethod
def requires_privileged_permissions() -> bool:
return True
def get_description(self) -> str: def get_description(self) -> str:
"""Get_description.""" """Get_description."""
return """Add a permission to a group. ex: add_permission("read", "test/*", "Editors") """ return """Add a permission to a group. ex: add_permission("read", "test/*", "Editors") """

View File

@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
class FactService(Script): class FactService(Script):
"""FactService.""" """FactService."""
@staticmethod
def requires_privileged_permissions() -> bool:
"""We have deemed this function safe to run without elevated permissions."""
return False
def get_description(self) -> str: def get_description(self) -> str:
"""Get_description.""" """Get_description."""
return """Just your basic class that can pull in data from a few api endpoints and return """Just your basic class that can pull in data from a few api endpoints and

View File

@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
class GetCurrentUser(Script): class GetCurrentUser(Script):
"""GetCurrentUser.""" """GetCurrentUser."""
@staticmethod
def requires_privileged_permissions() -> bool:
"""We have deemed this function safe to run without elevated permissions."""
return False
def get_description(self) -> str: def get_description(self) -> str:
"""Get_description.""" """Get_description."""
return """Return the current user.""" return """Return the current user."""

View File

@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
class GetEnv(Script): class GetEnv(Script):
"""GetEnv.""" """GetEnv."""
@staticmethod
def requires_privileged_permissions() -> bool:
"""We have deemed this function safe to run without elevated permissions."""
return False
def get_description(self) -> str: def get_description(self) -> str:
"""Get_description.""" """Get_description."""
return """Returns the current environment - ie testing, staging, production.""" return """Returns the current environment - ie testing, staging, production."""

View File

@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
class GetFrontendUrl(Script): class GetFrontendUrl(Script):
"""GetFrontendUrl.""" """GetFrontendUrl."""
@staticmethod
def requires_privileged_permissions() -> bool:
"""We have deemed this function safe to run without elevated permissions."""
return False
def get_description(self) -> str: def get_description(self) -> str:
"""Get_description.""" """Get_description."""
return """Return the url to the frontend.""" return """Return the url to the frontend."""

View File

@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
class GetGroupMembers(Script): class GetGroupMembers(Script):
"""GetGroupMembers.""" """GetGroupMembers."""
@staticmethod
def requires_privileged_permissions() -> bool:
"""We have deemed this function safe to run without elevated permissions."""
return False
def get_description(self) -> str: def get_description(self) -> str:
"""Get_description.""" """Get_description."""
return """Return the list of usernames of the users in the given group.""" return """Return the list of usernames of the users in the given group."""

View File

@ -14,6 +14,11 @@ from spiffworkflow_backend.scripts.script import Script
class GetLocaltime(Script): class GetLocaltime(Script):
"""GetLocaltime.""" """GetLocaltime."""
@staticmethod
def requires_privileged_permissions() -> bool:
"""We have deemed this function safe to run without elevated permissions."""
return False
def get_description(self) -> str: def get_description(self) -> str:
"""Get_description.""" """Get_description."""
return """Converts a Datetime object into a Datetime object for a specific timezone. return """Converts a Datetime object into a Datetime object for a specific timezone.

View File

@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
class GetProcessInfo(Script): class GetProcessInfo(Script):
"""GetProcessInfo.""" """GetProcessInfo."""
@staticmethod
def requires_privileged_permissions() -> bool:
"""We have deemed this function safe to run without elevated permissions."""
return False
def get_description(self) -> str: def get_description(self) -> str:
"""Get_description.""" """Get_description."""
return """Returns a dictionary of information about the currently running process.""" return """Returns a dictionary of information about the currently running process."""

View File

@ -51,6 +51,7 @@ class Script:
@staticmethod @staticmethod
def requires_privileged_permissions() -> bool: def requires_privileged_permissions() -> bool:
"""It seems safer to default to True and make safe functions opt in for any user to run them."""
return True return True
@staticmethod @staticmethod
@ -82,7 +83,7 @@ class Script:
""" """
instance = subclass() instance = subclass()
def run_subclass(*ar: Any, **kw: Any) -> Any: def check_script_permission() -> None:
if subclass.requires_privileged_permissions(): if subclass.requires_privileged_permissions():
script_function_name = get_script_function_name(subclass) script_function_name = get_script_function_name(subclass)
uri = f"/v1.0/can-run-privileged-script/{script_function_name}" uri = f"/v1.0/can-run-privileged-script/{script_function_name}"
@ -100,13 +101,16 @@ class Script:
raise ScriptUnauthorizedForUserError( raise ScriptUnauthorizedForUserError(
f"User {user.username} does not have access to run privileged script '{script_function_name}'" f"User {user.username} does not have access to run privileged script '{script_function_name}'"
) )
def run_script_if_allowed(*ar: Any, **kw: Any) -> Any:
check_script_permission()
return subclass.run( return subclass.run(
instance, instance,
script_attributes_context, script_attributes_context,
*ar, *ar,
**kw, **kw,
) )
return run_subclass return run_script_if_allowed
def get_script_function_name(subclass: type[Script]) -> str: def get_script_function_name(subclass: type[Script]) -> str:
return subclass.__module__.split(".")[-1] return subclass.__module__.split(".")[-1]