Tuuli/tuuli_backend
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

New way to check table and routes access

Browse source
This commit is contained in:
Andrew 2023-04-29 01:09:01 +07:00
parent a5aad5b5ea
commit b799d1312b
2 changed files with 166 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

185
app.py
View file

@ -255,11 +255,16 @@ async def createUser(
user: CreateUserDefinition,
access_token: str | None = Header(default=None),
):
is_admin = check_if_admin_access_token(connector, access_token)
if not is_admin:
try:
_user, _ = get_user_by_access_token(connector, access_token)
if not _user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, "users", _user)
if acl != AccessType.READ and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
try:
@ -300,11 +305,16 @@ async def updateUser(
user: UserUpdateDefinition,
access_token: str | None = Header(default=None),
):
is_admin = check_if_admin_access_token(connector, access_token)
if not is_admin:
try:
_user, _ = get_user_by_access_token(connector, access_token)
if not _user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, "users", _user)
if acl != AccessType.WRITE and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
try:
@ -344,11 +354,16 @@ async def removeUser(
user_id: int,
access_token: str | None = Header(default=None),
):
is_admin = check_if_admin_access_token(connector, access_token)
if not is_admin:
try:
_user, _ = get_user_by_access_token(connector, access_token)
if not _user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, "users", _user)
if acl != AccessType.WRITE and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
try:
@ -408,11 +423,20 @@ async def items(
status_code=status.HTTP_404_NOT_FOUND,
)
is_admin = check_if_admin_access_token(connector, access_token)
if table_info["system"] and not is_admin:
try:
is_admin = check_if_admin_access_token(connector, access_token)
if table_info["system"] and not is_admin:
raise Exception("Not allowed")
user, group = get_user_by_access_token(connector, access_token)
if not user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, tableName, user)
if acl != AccessType.READ and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
columns = parse_columns_from_definition(table_info["columns"])
@ -514,14 +538,22 @@ async def itemsCreate(
status_code=status.HTTP_404_NOT_FOUND,
)
is_admin = check_if_admin_access_token(connector, access_token)
if table_info["system"] and not is_admin:
try:
is_admin = check_if_admin_access_token(connector, access_token)
if table_info["system"] and not is_admin:
raise Exception("Not allowed")
user, group = get_user_by_access_token(connector, access_token)
if not user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, tableName, user)
if acl != AccessType.WRITE and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
user, group = get_user_by_access_token(connector, access_token)
if not is_admin:
allowedColumns = get_allowed_columns_for_group(
connector, tableName, group.id if group else -1
@ -597,14 +629,22 @@ async def itemsUpdate(
status_code=status.HTTP_404_NOT_FOUND,
)
is_admin = check_if_admin_access_token(connector, access_token)
if table_info["system"] and not is_admin:
try:
is_admin = check_if_admin_access_token(connector, access_token)
if table_info["system"] and not is_admin:
raise Exception("Not allowed")
user, group = get_user_by_access_token(connector, access_token)
if not user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, tableName, user)
if acl != AccessType.WRITE and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
user, group = get_user_by_access_token(connector, access_token)
if not is_admin:
allowedColumns = get_allowed_columns_for_group(
connector, tableName, group.id if group else -1
@ -682,17 +722,25 @@ async def itemsDelete(
status_code=status.HTTP_404_NOT_FOUND,
)
is_admin = check_if_admin_access_token(connector, access_token)
if table_info["system"] and not is_admin:
try:
is_admin = check_if_admin_access_token(connector, access_token)
if table_info["system"] and not is_admin:
raise Exception("Not allowed")
user, group = get_user_by_access_token(connector, access_token)
if not user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, tableName, user)
if acl != AccessType.WRITE and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
user, group = get_user_by_access_token(connector, access_token)
if not is_admin:
allowedColumns = get_allowed_columns_for_group(
connector, tableName, group.id if group else -1
connector, tableName, group.id if group else 1
)
if not allowedColumns:
return JSONResponse(
@ -730,16 +778,21 @@ async def itemsDelete(
},
403: {
"model": ErrorResponse,
"description": "Requesting this endpoint requires admin access token",
"description": "Requesting this endpoint requires permissions",
},
},
)
async def getAssets(access_token: str | None = Header(default=None)):
is_admin = check_if_admin_access_token(connector, access_token)
if not is_admin:
try:
user, _ = get_user_by_access_token(connector, access_token)
if not user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, "assets", user)
if acl != AccessType.READ and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
assets = get_assets(connector)
@ -761,11 +814,16 @@ async def getAssets(access_token: str | None = Header(default=None)):
},
)
async def getAssetsTags(access_token: str | None = Header(default=None)):
is_admin = check_if_admin_access_token(connector, access_token)
if not is_admin:
try:
user, _ = get_user_by_access_token(connector, access_token)
if not user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, "assets", user)
if acl != AccessType.READ and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
assets = get_assets_tags(connector)
@ -833,11 +891,16 @@ async def createAsset(
asset: UploadFile,
access_token: str | None = Header(default=None),
):
user, _ = get_user_by_access_token(connector, access_token)
if not user:
try:
user, _ = get_user_by_access_token(connector, access_token)
if not user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, "assets", user)
if acl != AccessType.WRITE and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
filename = asset.filename
@ -902,14 +965,21 @@ async def updateAsset(
asset_update: AssetUpdateDefinition,
access_token: str | None = Header(default=None),
):
user = get_user_by_access_token(connector, access_token)
if not user:
try:
user, _ = get_user_by_access_token(connector, access_token)
if not user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, "assets", user)
if acl != AccessType.WRITE and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
ok, e = update_asset(connector, asset_id, asset_update.description, asset_update.tags)
ok, e = update_asset(
connector, asset_id, asset_update.description, asset_update.tags
)
if not ok:
if e:
return JSONResponse(
@ -952,11 +1022,16 @@ async def removeAsset(
delete_referencing: bool = False,
access_token: str | None = Header(default=None),
):
user = get_user_by_access_token(connector, access_token)
if not user:
try:
user, _ = get_user_by_access_token(connector, access_token)
if not user:
raise Exception("Not allowed")
acl = get_user_permissions_for_table(connector, "assets", user)
if acl != AccessType.WRITE and acl != AccessType.READ_WRITE:
raise Exception("Not allowed")
except Exception as e:
return JSONResponse(
ErrorResponse(error="Not allowed").dict(),
status_code=status.HTTP_403_FORBIDDEN,
ErrorResponse(error=str(e)).dict(), status_code=status.HTTP_403_FORBIDDEN
)
asset = get_asset_by_id(connector, asset_id)
@ -967,7 +1042,7 @@ async def removeAsset(
)
try:
minioClient.remove_object(BUCKET_NAME, asset.fid)
minioClient.remove_object(BUCKET_NAME, asset.name)
except Exception as e:
logger.error(f"Failed to remove asset from storage: {e}")
return JSONResponse(