Load flask principal permissions even for web and api endpoints.

This commit is contained in:
yackob03 2013-09-26 16:32:09 -04:00
parent 23cbcb2979
commit 9278871381
6 changed files with 33 additions and 15 deletions

2
app.py
View file

@ -8,7 +8,7 @@ from flask.ext.login import LoginManager
app = Flask(__name__)
logger = logging.getLogger(__name__)
Principal(app, use_sessions=False)
Principal(app, use_sessions=True)
app.secret_key = '1cb18882-6d12-440d-a4cc-b7430fb5f884'

View file

@ -41,8 +41,8 @@ def process_basic_auth():
ctx = _request_ctx_stack.top
ctx.authenticated_user = authenticated
identity_changed.send(app, identity=Identity(authenticated.username))
identity_changed.send(app, identity=Identity(authenticated.username,
'username'))
return
# We weren't able to authenticate via basic auth.
@ -85,7 +85,7 @@ def process_token():
ctx = _request_ctx_stack.top
ctx.validated_token = validated
identity_changed.send(app, identity=Identity(validated.code))
identity_changed.send(app, identity=Identity(validated.code, 'token'))
return
@ -111,4 +111,4 @@ def extract_namespace_repo_from_session(f):
abort(400)
return f(session['namespace'], session['repository'], *args, **kwargs)
return wrapper
return wrapper

View file

@ -1,6 +1,7 @@
import logging
from flask.ext.principal import identity_loaded, UserNeed, Permission
from flask.ext.login import current_user
from collections import namedtuple
from functools import partial
@ -42,22 +43,30 @@ class UserPermission(Permission):
def on_identity_loaded(sender, identity):
logger.debug('Identity loaded: %s' % identity)
# We have verified an identity, load in all of the permissions
if get_authenticated_user():
identity.provides.add(UserNeed(get_authenticated_user().username))
for user in model.get_all_repo_permissions(get_authenticated_user()):
if identity.auth_type == 'username':
logger.debug('Computing permissions for user: %s' % identity.id)
user_object = model.get_user(identity.id)
identity.provides.add(UserNeed(user_object.username))
for user in model.get_all_repo_permissions(user_object):
grant = _RepositoryNeed(user.repositorypermission.repository.namespace,
user.repositorypermission.repository.name,
user.repositorypermission.role.name)
logger.debug('User added permission: {0}'.format(grant))
identity.provides.add(grant)
if get_validated_token():
query = model.get_user_repo_permissions(get_validated_token().user,
get_validated_token().repository)
elif identity.auth_type == 'token':
logger.debug('Computing permissions for token: %s' % identity.id)
token = model.get_token(identity.id)
query = model.get_user_repo_permissions(token.user, token.repository)
for permission in query:
t_grant = _RepositoryNeed(get_validated_token().repository.namespace,
get_validated_token().repository.name,
permission.role.name)
t_grant = _RepositoryNeed(token.repository.namespace,
token.repository.name, permission.role.name)
logger.debug('Token added permission: {0}'.format(t_grant))
identity.provides.add(t_grant)
else:
logger.error('Unknown identity auth type: %s' % identity.auth_type)

View file

@ -50,6 +50,10 @@ def verify_token(code, namespace_name, repository_name):
return None
def get_token(code):
return AccessToken.get(AccessToken.code == code)
def change_password(user, new_password):
pw_hash = bcrypt.hashpw(new_password, bcrypt.gensalt())
user.password_hash = pw_hash

View file

@ -219,7 +219,7 @@ def get_image_ancestry(namespace, repository, image_id, headers):
image_id))
except IOError:
abort(404) #'Image not found', 404)
response = make_response(json.dumps(json.loads(data)), 200)
response = make_response(json.dumps(json.loads(data)), 200)
response.headers.extend(headers)
return response

View file

@ -2,6 +2,7 @@ import logging
from flask import abort, send_file, redirect, request, url_for
from flask.ext.login import login_user, UserMixin
from flask.ext.principal import identity_changed, Identity
from data import model
from app import app, login_manager
@ -46,6 +47,10 @@ def signin():
logger.debug('Successfully signed in as: %s' % username)
login_user(_LoginWrappedDBUser(verified))
identity_changed.send(app, identity=Identity(verified.username,
'username'))
return redirect(request.args.get('next') or url_for('index'))
abort(403)