From a61118472d6a0f0848783be016560387a79d5f11 Mon Sep 17 00:00:00 2001 From: Chunlin Zhang Date: Fri, 28 Dec 2018 10:11:51 +0800 Subject: [PATCH] configure all access permissions in APIJSON_MODELS now, and rename roles to @role in APIJSON_REQUESTS to fix previous misunderstanding --- demo/apps/apijson_demo/settings.ini | 29 +++++++------ uliweb_apijson/apijson/settings.ini | 7 ++-- uliweb_apijson/apijson/views.py | 65 ++++++++++++++++++++++------- 3 files changed, 72 insertions(+), 29 deletions(-) diff --git a/demo/apps/apijson_demo/settings.ini b/demo/apps/apijson_demo/settings.ini index 78e636f..f9a25f3 100644 --- a/demo/apps/apijson_demo/settings.ini +++ b/demo/apps/apijson_demo/settings.ini @@ -6,29 +6,30 @@ moment = 'apijson_demo.models.Moment' [APIJSON_MODELS] moment = { "user_id_field" : "user_id", - "GET" : { - "roles" : ["OWNER"] - }, - + "GET" : { "roles" : ["OWNER"] }, + "POST" : { "roles" : ["OWNER"] }, + "PUT" : { "roles" : ["OWNER"] }, + "DELETE" : { "roles" : ["OWNER"] }, } comment = { "user_id_field" : "user_id", - "GET" : { - "roles" : ["OWNER"] - }, + "GET" : { "roles" : ["OWNER"] }, + "POST" : { "roles" : ["OWNER"] }, + "PUT" : { "roles" : ["OWNER"] }, + "DELETE" : { "roles" : ["OWNER"] }, } [APIJSON_REQUESTS] moment = { "moment": { "POST" :{ - "ADD":{"roles": ["OWNER"]}, + "ADD":{"@role": "OWNER"}, "DISALLOW" : ["id"], "NECESSARY" : ["content"], }, "PUT" :{ - "ADD":{"roles": ["OWNER"]}, - "NECESSARY" : ["content"], + "ADD":{"@role": "OWNER"}, + "NECESSARY" : ["id","content"], }, } } @@ -36,9 +37,13 @@ moment = { comment = { "comment": { "POST" :{ - "ADD" :{"roles": ["OWNER"]}, + "ADD" :{"@role": "OWNER"}, "DISALLOW" : ["id"], "NECESSARY" : ["content"] - } + }, + "PUT" :{ + "ADD":{"@role": "OWNER"}, + "NECESSARY" : ["id","content"], + }, } } diff --git a/uliweb_apijson/apijson/settings.ini b/uliweb_apijson/apijson/settings.ini index 7b7668b..cee3792 100644 --- a/uliweb_apijson/apijson/settings.ini +++ b/uliweb_apijson/apijson/settings.ini 
@@ -10,7 +10,8 @@ OWNER = _('APIJSON OWNER'), 'uliweb.contrib.rbac.trusted', True user = { "user_id_field" : "id", "secret_fields" : ["password"], - "GET" : { - "roles" : ["ADMIN","OWNER"] - } + "GET" : { "roles" : ["ADMIN","OWNER"] }, + "POST" : { "roles" : ["ADMIN","OWNER"] }, + "PUT" : { "roles" : ["ADMIN","OWNER"] }, + "DELETE" : { "roles" : ["ADMIN","OWNER"] }, } diff --git a/uliweb_apijson/apijson/views.py b/uliweb_apijson/apijson/views.py index 7cceeac..85e28cb 100644 --- a/uliweb_apijson/apijson/views.py +++ b/uliweb_apijson/apijson/views.py @@ -268,6 +268,7 @@ def _post_one(self,key,tag): tag = tag or key modelname = key params = self.request_data[key] + params_role = params.get("@role") try: model = getattr(models,modelname) @@ -283,17 +284,33 @@ def _post_one(self,key,tag): ADD = request_setting_POST.get("ADD") permission_check_ok = False if ADD: - roles = ADD.get("roles") + ADD_role = ADD.get("@role") + if ADD_role and not params_role: + params_role = ADD_role + + POST = model_setting.get("POST") + if POST: + roles = POST.get("roles") + if params_role: + if not params_role in roles: + return json({"code":401,"msg":"'%s' not accessible by role '%s'"%(modelname,params_role)}) + roles = [params_role] + if roles: - for r in roles: - if r == "OWNER": + for role in roles: + if role == "OWNER": if request.user: permission_check_ok = True - if user_id_field: - params[user_id_field] = request.user.id - else: - #need OWNER, but don't know how to set user id - return json({"code":400,"msg":"no permission"}) + if user_id_field: + params[user_id_field] = request.user.id + else: + #need OWNER, but don't know how to set user id + return json({"code":400,"msg":"no permission"}) + break + else: + if functions.has_role(request.user,role): + permission_check_ok = True + break if not permission_check_ok: return json({"code":400,"msg":"no permission"}) 
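Review bot: Granting `OWNER` on `POST` for the `user` model looks wrong next to `"user_id_field" : "id"` two lines above: in `_post_one` later in this diff the OWNER branch does `params[user_id_field] = request.user.id`, so an OWNER-authorised create would stamp the new record's `id` with the caller's own id instead of producing a distinct user. If `id` is the primary key (not shown here) that is either a duplicate-key failure or an overwrite of the caller's own row. `"POST" : { "roles" : ["ADMIN"] },` is probably what was intended; the `GET`/`PUT` entries are unaffected because they only compare the field against the caller.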
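Review bot: `params_role = params.get("@role")` reads the role selector out of the client payload but leaves the `@role` key inside `params`; this hunk does not show what `params` feeds afterwards, but the next hunk writes `params[user_id_field] = request.user.id` into the same dict, which suggests it is handed to the model, so a stray `@role` key would reach the insert. Consider `params_role = params.pop("@role", None)` here, and likewise in the matching `_put_one` hunk (`@@ -347,6 +364,7 @@`), which introduces the same line. `_post_one` starts before this hunk.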
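Review bot: `if not params_role in roles:` raises `TypeError` when the model's `POST` setting exists but has no `"roles"` key, because `roles = POST.get("roles")` is then `None`, so a configuration gap becomes a 500 instead of the denial the rest of the block produces. Reading `roles = POST.get("roles") or []` and writing the test as `if params_role not in roles:` fixes both the crash and the idiom; the `PUT` block in `_put_one` (`@@ -371,17 +394,28 @@`) repeats the same construct. The role name comes from the request, so the client picks which configured rule applies; the `has_role` branch covers that, but `functions.has_role(request.user,role)` is also reached when `request.user` is unset, which is only fine if `has_role` tolerates `None`. The nesting of the relocated `if user_id_field:` block relative to `if request.user:` cannot be verified from this collapsed hunk; if it now sits outside `if request.user:`, an anonymous request reaches `request.user.id`. `_post_one` continues outside the hunk.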
@@ -347,6 +364,7 @@ def _put_one(self,key,tag): tag = tag or key modelname = key params = self.request_data[key] + params_role = params.get("@role") try: model = getattr(models,modelname) @@ -359,9 +377,14 @@ def _put_one(self,key,tag): request_setting_model = request_setting_tag.get(modelname,{}) request_setting_PUT = request_setting_model.get("PUT",{}) - ADD = request_setting_PUT.get("ADD") permission_check_ok = False + ADD = request_setting_PUT.get("ADD") + if ADD: + ADD_role = ADD.get("@role") + if ADD_role and not params_role: + params_role = ADD_role + try: id_ = params.get("id") if not id_: @@ -371,17 +394,28 @@ def _put_one(self,key,tag): return json({"code":400,"msg":"id '%s' cannot convert to integer"%(params.get("id"))}) obj = model.get(id_) - if ADD: - roles = ADD.get("roles") + PUT = model_setting.get("PUT") + if PUT: + roles = PUT.get("roles") + if params_role: + if not params_role in roles: + return json({"code":401,"msg":"'%s' not accessible by role '%s'"%(modelname,params_role)}) + roles = [params_role] if roles: - for r in roles: - if r == "OWNER": + for role in roles: + if role == "OWNER": if request.user: if user_id_field: - if getattr(obj,user_id_field)!=request.user.id: + if obj.to_dict().get(user_id_field)==request.user.id: permission_check_ok = True + break else: return json({"code":400,"msg":"need login user"}) + else: + if functions.has_role(request.user,role): + permission_check_ok = True + break + if not permission_check_ok: return json({"code":400,"msg":"no permission"}) @@ -409,3 +443,6 @@ def _put_one(self,key,tag): self.rdict["code"] = 400 self.rdict["message"] = "fail" self.rdict[key] = obj_dict + + def delete(self): + return json(self.rdict)
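Review bot: The new ownership test `obj.to_dict().get(user_id_field)==request.user.id` dereferences `obj` straight after the context line `obj = model.get(id_)`, and nothing in the hunk handles a missing row; unless `model.get` raises for an unknown id (not visible here), a `PUT` with a non-existent `id` ends in `AttributeError` rather than a client error. A guard such as `if obj is None: return json({"code":400,"msg":"no '%s' with id '%s'"%(modelname,id_)})` placed before `PUT = model_setting.get("PUT")` would close that. The `roles`-is-`None` crash raised on the `_post_one` hunk applies to `if not params_role in roles:` here as well. `_put_one` continues outside the hunk.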
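Review bot: `def delete(self): return json(self.rdict)` adds a handler that performs no permission check and returns whatever `self.rdict` already holds, while the settings changes in this same commit configure `DELETE` roles for every model as if the verb were enforced. If `delete` is dispatched like the other verbs (not visible here), a caller receives a response that may read as success although nothing was checked or deleted. Until the DELETE permission path exists, an explicit refusal such as `return json({"code":400,"msg":"DELETE not supported"})` is safer, and a comment `# TODO: enforce model_setting["DELETE"]["roles"] before deleting` would document the gap. The enclosing class starts outside the hunk.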