endpoints: clarify repo access decorators
parent
3d1c1f9f39
commit
82bcd45727
2 changed files with 40 additions and 32 deletions
|
@ -8,7 +8,7 @@ from flask import Blueprint
|
|||
from app import metric_queue
|
||||
from auth.permissions import (AdministerRepositoryPermission, ReadRepositoryPermission,
|
||||
ModifyRepositoryPermission)
|
||||
from data import model # TODO: stop using model directly
|
||||
from endpoints.decorators import require_repo_permission
|
||||
from util.metrics.metricqueue import time_blueprint
|
||||
|
||||
|
||||
|
@ -17,35 +17,6 @@ time_blueprint(appr_bp, metric_queue)
|
|||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def _raise_unauthorized(repository, scopes):
|
||||
raise StandardError("Unauthorized acces to %s", repository)
|
||||
|
||||
|
||||
def _get_reponame_kwargs(*args, **kwargs):
|
||||
return [kwargs['namespace_name'], kwargs['repo_name']]
|
||||
|
||||
|
||||
def require_repo_permission(permission_class, scopes=None, allow_public=False,
|
||||
raise_method=_raise_unauthorized,
|
||||
get_reponame_method=_get_reponame_kwargs):
|
||||
def wrapper(func):
|
||||
@wraps(func)
|
||||
def wrapped(*args, **kwargs):
|
||||
namespace_name, repo_name = get_reponame_method(*args, **kwargs)
|
||||
|
||||
logger.debug('Checking permission %s for repo: %s/%s', permission_class,
|
||||
namespace_name, repo_name)
|
||||
permission = permission_class(namespace_name, repo_name)
|
||||
if (permission.can() or
|
||||
(allow_public and
|
||||
model.repository.repository_is_public(namespace_name, repo_name))):
|
||||
return func(*args, **kwargs)
|
||||
repository = namespace_name + '/' + repo_name
|
||||
raise_method(repository, scopes)
|
||||
return wrapped
|
||||
return wrapper
|
||||
|
||||
|
||||
def _raise_method(repository, scopes):
|
||||
raise UnauthorizedAccess("Unauthorized access for: %s" % repository,
|
||||
{"package": repository, "scopes": scopes})
|
||||
|
|
|
@ -1,10 +1,19 @@
|
|||
""" Various decorators for endpoint and API handlers. """
|
||||
|
||||
import features
|
||||
import logging
|
||||
|
||||
from functools import wraps
|
||||
|
||||
from flask import abort
|
||||
|
||||
import features
|
||||
|
||||
from auth.auth_context import (get_validated_oauth_token, get_authenticated_user,
|
||||
get_validated_token, get_grant_context)
|
||||
from functools import wraps
|
||||
from data import model # TODO: stop using model directly
|
||||
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def anon_allowed(func):
|
||||
|
@ -34,3 +43,31 @@ def check_anon_protection(func):
|
|||
|
||||
abort(401)
|
||||
return wrapper
|
||||
|
||||
def _raise_unauthorized(repository, scopes):
|
||||
raise StandardError("Unauthorized acces to %s", repository)
|
||||
|
||||
|
||||
def _get_reponame_kwargs(*args, **kwargs):
|
||||
return [kwargs['namespace_name'], kwargs['repo_name']]
|
||||
|
||||
|
||||
def require_repo_permission(permission_class, scopes=None, allow_public=False,
|
||||
raise_method=_raise_unauthorized,
|
||||
get_reponame_method=_get_reponame_kwargs):
|
||||
def wrapper(func):
|
||||
@wraps(func)
|
||||
def wrapped(*args, **kwargs):
|
||||
namespace_name, repo_name = get_reponame_method(*args, **kwargs)
|
||||
|
||||
logger.debug('Checking permission %s for repo: %s/%s', permission_class,
|
||||
namespace_name, repo_name)
|
||||
permission = permission_class(namespace_name, repo_name)
|
||||
if (permission.can() or
|
||||
(allow_public and
|
||||
model.repository.repository_is_public(namespace_name, repo_name))):
|
||||
return func(*args, **kwargs)
|
||||
repository = namespace_name + '/' + repo_name
|
||||
raise_method(repository, scopes)
|
||||
return wrapped
|
||||
return wrapper
|
||||
|
|
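Review bot: The default `_raise_unauthorized` builds its exception as `StandardError("Unauthorized acces to %s", repository)`, so the repository name is passed as a second exception argument and never formatted into the message, and a denied request surfaces as a generic error (presumably an HTTP 500) rather than an authorization response. This module already imports `abort` and uses `abort(401)` in the hunk's context lines, so the default could be `abort(403)`, or at minimum `raise StandardError("Unauthorized access to %s" % repository)`. `wrapped` also relies on `raise_method` raising: if a caller-supplied handler returns, the view is skipped but `wrapped` returns `None`. A docstring on `require_repo_permission` should state that `raise_method` must raise, and that `allow_public=True` admits any caller whenever `repository_is_public` is true, without consulting `permission.can()`. The function whose `abort(401)` and `return wrapper` lines open this hunk starts outside it.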