Delegated superuser API access
Add a new scope for SUPERUSER that allows delegated access to the superuser endpoints. CA needs this so they can programmatically create and remove users.
This commit is contained in:
parent
d9ce8fdf52
commit
87efcb9e3d
4 changed files with 41 additions and 4 deletions
@ -27,7 +27,7 @@ _SuperUserNeed = partial(namedtuple('superuserneed', ['type']), 'superuser')
|
|||
|
||||
REPO_ROLES = [None, 'read', 'write', 'admin']
|
||||
TEAM_ROLES = [None, 'member', 'creator', 'admin']
|
||||
USER_ROLES = [None, 'read', 'admin']
|
||||
USER_ROLES = [None, 'read', 'admin', 'superuser']
|
||||
|
||||
TEAM_REPO_ROLES = {
|
||||
'admin': 'admin',
|
||||
|
@ -54,6 +54,7 @@ SCOPE_MAX_USER_ROLES = defaultdict(lambda: None)
|
|||
SCOPE_MAX_USER_ROLES.update({
|
||||
scopes.READ_USER: 'read',
|
||||
scopes.DIRECT_LOGIN: 'admin',
|
||||
scopes.SUPERUSER: 'superuser',
|
||||
})
|
||||
|
||||
|
||||
|
@ -113,8 +114,14 @@ class QuayDeferredPermissionUser(Identity):
|
|||
if user_object is None:
|
||||
return super(QuayDeferredPermissionUser, self).can(permission)
|
||||
|
||||
# Add the superuser need, if applicable.
|
||||
if superusers.is_superuser(user_object.username):
|
||||
# Add the superuser need, if applicable:
|
||||
# - If the user's role is an admin (direct login) and they are a superuser
|
||||
# - If the user has granted the superuser scope
|
||||
superuser_role = self._user_role_for_scopes('superuser')
|
||||
|
||||
if superuser_role == 'admin' and superusers.is_superuser(user_object.username):
|
||||
self.provides.add(_SuperUserNeed())
|
||||
elif superuser_role == 'superuser':
|
||||
self.provides.add(_SuperUserNeed())
|
||||
|
||||
# Add the user specific permissions, only for non-oauth permission
|
||||
|
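Review bot: The `elif superuser_role == 'superuser':` branch grants `_SuperUserNeed()` on the scope alone, whereas the old code and the `'admin'` branch directly above it also require `superusers.is_superuser(user_object.username)`. Unless scope issuance is restricted to superuser accounts somewhere not visible in this hunk, a token carrying the superuser scope for a non-superuser account would obtain the superuser need here, so the allowlist check should gate both branches: `if superuser_role in ('admin', 'superuser') and superusers.is_superuser(user_object.username):` followed by the single `self.provides.add(_SuperUserNeed())`. The new comment block could then state the intent explicitly: `# The superuser scope only delegates access for accounts already in the superuser list.` The enclosing `can` method starts before the hunk and continues past it.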
|