Load flask principal permissions even for web and api endpoints.
This commit is contained in:
parent
23cbcb2979
commit
9278871381
6 changed files with 33 additions and 15 deletions
2
app.py
2
app.py
|
@ -8,7 +8,7 @@ from flask.ext.login import LoginManager
|
|||
app = Flask(__name__)
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
Principal(app, use_sessions=False)
|
||||
Principal(app, use_sessions=True)
|
||||
|
||||
app.secret_key = '1cb18882-6d12-440d-a4cc-b7430fb5f884'
|
||||
|
||||
|
|
|
@ -41,8 +41,8 @@ def process_basic_auth():
|
|||
ctx = _request_ctx_stack.top
|
||||
ctx.authenticated_user = authenticated
|
||||
|
||||
identity_changed.send(app, identity=Identity(authenticated.username))
|
||||
|
||||
identity_changed.send(app, identity=Identity(authenticated.username,
|
||||
'username'))
|
||||
return
|
||||
|
||||
# We weren't able to authenticate via basic auth.
|
||||
|
@ -85,7 +85,7 @@ def process_token():
|
|||
ctx = _request_ctx_stack.top
|
||||
ctx.validated_token = validated
|
||||
|
||||
identity_changed.send(app, identity=Identity(validated.code))
|
||||
identity_changed.send(app, identity=Identity(validated.code, 'token'))
|
||||
|
||||
return
|
||||
|
||||
|
@ -111,4 +111,4 @@ def extract_namespace_repo_from_session(f):
|
|||
abort(400)
|
||||
|
||||
return f(session['namespace'], session['repository'], *args, **kwargs)
|
||||
return wrapper
|
||||
return wrapper
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
import logging
|
||||
|
||||
from flask.ext.principal import identity_loaded, UserNeed, Permission
|
||||
from flask.ext.login import current_user
|
||||
from collections import namedtuple
|
||||
from functools import partial
|
||||
|
||||
|
@ -42,22 +43,30 @@ class UserPermission(Permission):
|
|||
def on_identity_loaded(sender, identity):
|
||||
logger.debug('Identity loaded: %s' % identity)
|
||||
# We have verified an identity, load in all of the permissions
|
||||
if get_authenticated_user():
|
||||
identity.provides.add(UserNeed(get_authenticated_user().username))
|
||||
|
||||
for user in model.get_all_repo_permissions(get_authenticated_user()):
|
||||
if identity.auth_type == 'username':
|
||||
logger.debug('Computing permissions for user: %s' % identity.id)
|
||||
|
||||
user_object = model.get_user(identity.id)
|
||||
|
||||
identity.provides.add(UserNeed(user_object.username))
|
||||
for user in model.get_all_repo_permissions(user_object):
|
||||
grant = _RepositoryNeed(user.repositorypermission.repository.namespace,
|
||||
user.repositorypermission.repository.name,
|
||||
user.repositorypermission.role.name)
|
||||
logger.debug('User added permission: {0}'.format(grant))
|
||||
identity.provides.add(grant)
|
||||
|
||||
if get_validated_token():
|
||||
query = model.get_user_repo_permissions(get_validated_token().user,
|
||||
get_validated_token().repository)
|
||||
elif identity.auth_type == 'token':
|
||||
logger.debug('Computing permissions for token: %s' % identity.id)
|
||||
|
||||
token = model.get_token(identity.id)
|
||||
query = model.get_user_repo_permissions(token.user, token.repository)
|
||||
for permission in query:
|
||||
t_grant = _RepositoryNeed(get_validated_token().repository.namespace,
|
||||
get_validated_token().repository.name,
|
||||
permission.role.name)
|
||||
t_grant = _RepositoryNeed(token.repository.namespace,
|
||||
token.repository.name, permission.role.name)
|
||||
logger.debug('Token added permission: {0}'.format(t_grant))
|
||||
identity.provides.add(t_grant)
|
||||
|
||||
else:
|
||||
logger.error('Unknown identity auth type: %s' % identity.auth_type)
|
||||
|
|
|
@ -50,6 +50,10 @@ def verify_token(code, namespace_name, repository_name):
|
|||
return None
|
||||
|
||||
|
||||
def get_token(code):
|
||||
return AccessToken.get(AccessToken.code == code)
|
||||
|
||||
|
||||
def change_password(user, new_password):
|
||||
pw_hash = bcrypt.hashpw(new_password, bcrypt.gensalt())
|
||||
user.password_hash = pw_hash
|
||||
|
|
|
@ -219,7 +219,7 @@ def get_image_ancestry(namespace, repository, image_id, headers):
|
|||
image_id))
|
||||
except IOError:
|
||||
abort(404) #'Image not found', 404)
|
||||
response = make_response(json.dumps(json.loads(data)), 200)
|
||||
response = make_response(json.dumps(json.loads(data)), 200)
|
||||
response.headers.extend(headers)
|
||||
return response
|
||||
|
||||
|
|
|
@ -2,6 +2,7 @@ import logging
|
|||
|
||||
from flask import abort, send_file, redirect, request, url_for
|
||||
from flask.ext.login import login_user, UserMixin
|
||||
from flask.ext.principal import identity_changed, Identity
|
||||
|
||||
from data import model
|
||||
from app import app, login_manager
|
||||
|
@ -46,6 +47,10 @@ def signin():
|
|||
logger.debug('Successfully signed in as: %s' % username)
|
||||
|
||||
login_user(_LoginWrappedDBUser(verified))
|
||||
|
||||
identity_changed.send(app, identity=Identity(verified.username,
|
||||
'username'))
|
||||
|
||||
return redirect(request.args.get('next') or url_for('index'))
|
||||
|
||||
abort(403)
|
||||
|
|
Reference in a new issue