Delegated superuser API access

Add a new scope for SUPERUSER that allows delegated access to the superuser endpoints. CA needs this so they can programmatically create and remove users.
2015-06-28 11:22:34 +03:00 · 2015-06-28 11:22:34 +03:00 · 87efcb9e3d
commit 87efcb9e3d
parent d9ce8fdf52
4 changed files with 41 additions and 4 deletions
--- a/auth/scopes.py
+++ b/auth/scopes.py
@ -1,5 +1,5 @@
 from collections import namedtuple
-
+import features

 Scope = namedtuple('scope', ['scope', 'icon', 'dangerous', 'title', 'description'])

@ -59,6 +59,15 @@ DIRECT_LOGIN = Scope(scope='direct_user_login',
                     description=('This scope should not be available to OAuth applications. '
                                  'Never approve a request for this scope!'))

+SUPERUSER = Scope(scope='super:user',
+                  icon='fa-street-view',
+                  dangerous=True,
+                  title='Super User Access',
+                  description=('This application will be able to administer your installation '
+                               'including managing users, managing organizations and other '
+                               'features found in the superuser panel. You should have '
+                               'absolute trust in the requesting application before granting this '
+                               'permission.'))

 ALL_SCOPES = {scope.scope:scope for scope in (READ_REPO, WRITE_REPO, ADMIN_REPO, CREATE_REPO,
                                              READ_USER, ORG_ADMIN)}
@ -73,6 +82,9 @@ IMPLIED_SCOPES = {
  None: set(),
 }

+if features.SUPER_USERS:
+  ALL_SCOPES[SUPERUSER.scope] = SUPERUSER
+  IMPLIED_SCOPES[SUPERUSER] = {SUPERUSER}

 def scopes_from_scope_string(scopes):
  if not scopes: