in Allura/allura/lib/security.py [0:0]
def has_access(obj, permission: str, user: M.User | None = None, project: M.Project | None = None, roles=None) -> bool:
'''Return whether the given user has the permission name on the given object.
- First, all the roles for a user in the given project context are computed.
- If the given object's ACL contains a DENY for this permission on this
user's project role, return False and deny access. TODO: make ACL order
matter instead of doing DENY first; see ticket [#6715]
- Next, for each role, the given object's ACL is examined linearly. If an ACE
is found which matches the permission and user, and that ACE ALLOWs access,
then the function returns True and access is permitted. If the ACE DENYs
access, then that role is removed from further consideration.
- If the obj is not a Neighborhood and the given user has the 'admin'
permission on the current neighborhood, then the function returns True and
access is allowed.
- If the obj is not a Project and the given user has the 'admin'
permission on the current project, then the function returns True and
access is allowed.
- If none of the ACEs on the object ALLOW access, and there are no more roles
to be considered, then the function returns False and access is denied.
- Processing continues using the remaining roles and the
obj.parent_security_context(). If the parent_security_context is None, then
the function returns False and access is denied.
The effect of this processing is that:
1. If the user's project_role is DENYed, access is denied (e.g. if the user
has been blocked for a permission on a specific tool).
2. Else, if *any* role for the user is ALLOWed access via a linear
traversal of the ACLs, then access is allowed.
3. Otherwise, DENY access to the resource.
'''
from allura import model as M
DEBUG = False
if obj is None:
if DEBUG:
log.debug(f'{user} denied {permission} on {debug_obj(obj)} ({debug_obj(project)})')
return False
if roles is None:
if user is None:
user = c.user
assert user, 'c.user should always be at least M.User.anonymous()'
cred = Credentials.get()
if project is None:
if isinstance(obj, M.Neighborhood):
project = obj.neighborhood_project
if project is None:
log.error('Neighborhood project missing for %s', obj)
return False
elif isinstance(obj, M.Project):
project = obj.root_project
else:
project = getattr(obj, 'project', None) or c.project
project = project.root_project
roles: RoleCache = cred.user_roles(user_id=user._id, project_id=project._id).reaching_roles
# TODO: move deny logic into loop below; see ticket [#6715]
if is_denied(obj, permission, user, project):
if DEBUG:
log.debug(f"{user.username} '{permission}' denied on {debug_obj(obj)} ({debug_obj(project)})")
return False
chainable_roles = []
for role in roles:
for ace in obj.acl:
if M.ACE.match(ace, role['_id'], permission):
if ace.access == M.ACE.ALLOW:
# access is allowed
if DEBUG:
log.debug(
f"{user.username} '{permission}' granted on {debug_obj(obj)} ({debug_obj(project)})")
return True
else:
# access is denied for this particular role
if DEBUG:
log.debug(f"{user.username} '{permission}' denied for role={role['name'] or role['_id']} (BUT continuing to see if other roles permit) on {debug_obj(obj)} ({debug_obj(project)})")
break
else:
# access neither allowed or denied, may chain to parent context
chainable_roles.append(role)
parent = obj.parent_security_context()
if parent and chainable_roles:
result = has_access(parent, permission, user=user, project=project, roles=tuple(chainable_roles))
elif not isinstance(obj, M.Neighborhood):
result = has_access(project.neighborhood, 'admin', user=user)
if not (result or isinstance(obj, M.Project)):
result = has_access(project, 'admin', user=user)
else:
result = False
if DEBUG:
log.debug(
f"{user.username} '{permission}' {result} from parent(s) on {debug_obj(obj)} ({debug_obj(project)})")
return result