Fix #923 - add allow_admin to user_has_privilege decorator
This commit is contained in:
Jessica Tallon
parent
97650abd78
commit
7bfc81b21a
@ -106,25 +106,26 @@ class User(Base, UserMixin):
|
|||||||
super(User, self).delete(**kwargs)
|
super(User, self).delete(**kwargs)
|
||||||
_log.info('Deleted user "{0}" account'.format(self.username))
|
_log.info('Deleted user "{0}" account'.format(self.username))
|
||||||
|
|
||||||
def has_privilege(self,*priv_names):
|
def has_privilege(self, privilege, allow_admin=True):
|
||||||
"""
|
"""
|
||||||
This method checks to make sure a user has all the correct privileges
|
This method checks to make sure a user has all the correct privileges
|
||||||
to access a piece of content.
|
to access a piece of content.
|
||||||
|
|
||||||
:param priv_names A variable number of unicode objects which rep-
|
:param privilege A unicode object which represent the different
|
||||||
-resent the different privileges which may give
|
privileges which may give the user access to
|
||||||
the user access to this content. If you pass
|
content.
|
||||||
multiple arguments, the user will be granted
|
|
||||||
access if they have ANY of the privileges
|
:param allow_admin If this is set to True the then if the user is
|
||||||
passed.
|
an admin, then this will always return True
|
||||||
|
even if the user hasn't been given the
|
||||||
|
privilege. (defaults to True)
|
||||||
"""
|
"""
|
||||||
if len(priv_names) == 1:
|
priv = Privilege.query.filter_by(privilege_name=privilege).one()
|
||||||
priv = Privilege.query.filter(
|
if priv in self.all_privileges:
|
||||||
Privilege.privilege_name==priv_names[0]).one()
|
return True
|
||||||
return (priv in self.all_privileges)
|
elif allow_admin and self.has_privilege(u'admin', allow_admin=False):
|
||||||
elif len(priv_names) > 1:
|
return True
|
||||||
return self.has_privilege(priv_names[0]) or \
|
|
||||||
self.has_privilege(*priv_names[1:])
|
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def is_banned(self):
|
def is_banned(self):
|
||||||
|
|||||||
@ -74,7 +74,7 @@ def require_active_login(controller):
|
|||||||
return new_controller_func
|
return new_controller_func
|
||||||
|
|
||||||
|
|
||||||
def user_has_privilege(privilege_name):
|
def user_has_privilege(privilege_name, allow_admin=True):
|
||||||
"""
|
"""
|
||||||
Requires that a user have a particular privilege in order to access a page.
|
Requires that a user have a particular privilege in order to access a page.
|
||||||
In order to require that a user have multiple privileges, use this
|
In order to require that a user have multiple privileges, use this
|
||||||
@ -85,14 +85,17 @@ def user_has_privilege(privilege_name):
|
|||||||
the privilege object. This object is
|
the privilege object. This object is
|
||||||
the name of the privilege, as assigned
|
the name of the privilege, as assigned
|
||||||
in the Privilege.privilege_name column
|
in the Privilege.privilege_name column
|
||||||
|
|
||||||
|
:param allow_admin If this is true then if the user is an admin
|
||||||
|
it will allow the user even if the user doesn't
|
||||||
|
have the privilage given in privilage_name.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def user_has_privilege_decorator(controller):
|
def user_has_privilege_decorator(controller):
|
||||||
@wraps(controller)
|
@wraps(controller)
|
||||||
@require_active_login
|
@require_active_login
|
||||||
def wrapper(request, *args, **kwargs):
|
def wrapper(request, *args, **kwargs):
|
||||||
user_id = request.user.id
|
if not request.user.has_privilege(privilege_name, allow_admin):
|
||||||
if not request.user.has_privilege(privilege_name):
|
|
||||||
raise Forbidden()
|
raise Forbidden()
|
||||||
|
|
||||||
return controller(request, *args, **kwargs)
|
return controller(request, *args, **kwargs)
|
||||||
@ -369,7 +372,8 @@ def require_admin_or_moderator_login(controller):
|
|||||||
@wraps(controller)
|
@wraps(controller)
|
||||||
def new_controller_func(request, *args, **kwargs):
|
def new_controller_func(request, *args, **kwargs):
|
||||||
if request.user and \
|
if request.user and \
|
||||||
not request.user.has_privilege(u'admin',u'moderator'):
|
not (request.user.has_privilege(u'admin')
|
||||||
|
or request.user.has_privilege(u'moderator')):
|
||||||
|
|
||||||
raise Forbidden()
|
raise Forbidden()
|
||||||
elif not request.user:
|
elif not request.user:
|
||||||
|
|||||||
@ -158,7 +158,7 @@
|
|||||||
{%- trans %}Create new collection{% endtrans -%}
|
{%- trans %}Create new collection{% endtrans -%}
|
||||||
</a>
|
</a>
|
||||||
{% template_hook("header_dropdown_buttons") %}
|
{% template_hook("header_dropdown_buttons") %}
|
||||||
{% if request.user.has_privilege('admin','moderator') %}
|
{% if request.user.has_privilege('moderator') %}
|
||||||
<p>
|
<p>
|
||||||
<span class="dropdown_title">{% trans %}Moderation powers:{% endtrans %}</span>
|
<span class="dropdown_title">{% trans %}Moderation powers:{% endtrans %}</span>
|
||||||
<a href="{{ request.urlgen('mediagoblin.moderation.media_panel') }}">
|
<a href="{{ request.urlgen('mediagoblin.moderation.media_panel') }}">
|
||||||
|
|||||||
@ -175,7 +175,7 @@
|
|||||||
{% for privilege in privileges %}
|
{% for privilege in privileges %}
|
||||||
<tr>
|
<tr>
|
||||||
<td>{{ privilege.privilege_name }}</td>
|
<td>{{ privilege.privilege_name }}</td>
|
||||||
{% if privilege in user.all_privileges %}
|
{% if user.has_privilege(privilege.privilege_name) %}
|
||||||
<td class="user_with_privilege">
|
<td class="user_with_privilege">
|
||||||
{% trans %}Yes{% endtrans %}{% else %}
|
{% trans %}Yes{% endtrans %}{% else %}
|
||||||
<td class="user_without_privilege">
|
<td class="user_without_privilege">
|
||||||
@ -183,7 +183,7 @@
|
|||||||
</td>
|
</td>
|
||||||
{% if request.user.has_privilege('admin') %}
|
{% if request.user.has_privilege('admin') %}
|
||||||
<td>
|
<td>
|
||||||
{% if privilege in user.all_privileges %}
|
{% if user.has_privilege(privilege.privilege_name) %}
|
||||||
<input type=submit id="{{ privilege.privilege_name }}"
|
<input type=submit id="{{ privilege.privilege_name }}"
|
||||||
class="submit_button button_action"
|
class="submit_button button_action"
|
||||||
value =" -" />
|
value =" -" />
|
||||||
|
|||||||
@ -179,20 +179,17 @@ class TestUserHasPrivilege:
|
|||||||
self._setup()
|
self._setup()
|
||||||
|
|
||||||
# then test out the user.has_privilege method for one privilege
|
# then test out the user.has_privilege method for one privilege
|
||||||
assert not self.natalie_user.has_privilege(u'commenter')
|
assert not self.aeva_user.has_privilege(u'admin')
|
||||||
assert self.aeva_user.has_privilege(u'active')
|
assert self.natalie_user.has_privilege(u'active')
|
||||||
|
|
||||||
|
def test_allow_admin(self, test_app):
|
||||||
def test_user_has_privileges_multiple(self, test_app):
|
|
||||||
self._setup()
|
self._setup()
|
||||||
|
|
||||||
# when multiple args are passed to has_privilege, the method returns
|
# This should work because she is an admin.
|
||||||
# True if the user has ANY of the privileges
|
assert self.natalie_user.has_privilege(u'commenter')
|
||||||
assert self.natalie_user.has_privilege(u'admin',u'commenter')
|
|
||||||
assert self.aeva_user.has_privilege(u'moderator',u'active')
|
|
||||||
assert not self.natalie_user.has_privilege(u'commenter',u'uploader')
|
|
||||||
|
|
||||||
|
|
||||||
|
# Test that we can look this out ignoring that she's an admin
|
||||||
|
assert not self.natalie_user.has_privilege(u'commenter', allow_admin=False)
|
||||||
|
|
||||||
def test_media_data_init(test_app):
|
def test_media_data_init(test_app):
|
||||||
Session.rollback()
|
Session.rollback()
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user