Make predefined rights plugins more restrictive and remove NoneAuth
Collections with a tag are only allowed as direct children of a principal collection.
parent
2cb7060539
commit
1bdc47bf44
@ -52,11 +52,7 @@ INTERNAL_TYPES = ("none", "authenticated", "owner_write", "owner_only",
|
|||||||
def load(configuration):
|
def load(configuration):
|
||||||
"""Load the rights manager chosen in configuration."""
|
"""Load the rights manager chosen in configuration."""
|
||||||
rights_type = configuration.get("rights", "type")
|
rights_type = configuration.get("rights", "type")
|
||||||
if configuration.get("auth", "type") == "none":
|
if rights_type == "authenticated":
|
||||||
rights_type = "none"
|
|
||||||
if rights_type == "none":
|
|
||||||
rights_class = NoneRights
|
|
||||||
elif rights_type == "authenticated":
|
|
||||||
rights_class = AuthenticatedRights
|
rights_class = AuthenticatedRights
|
||||||
elif rights_type == "owner_write":
|
elif rights_type == "owner_write":
|
||||||
rights_class = OwnerWriteRights
|
rights_class = OwnerWriteRights
|
||||||
@ -97,38 +93,54 @@ class BaseRights:
|
|||||||
raise NotImplementedError
|
raise NotImplementedError
|
||||||
|
|
||||||
|
|
||||||
class NoneRights(BaseRights):
|
|
||||||
def authorized(self, user, path, permissions):
|
|
||||||
return intersect_permissions(permissions)
|
|
||||||
|
|
||||||
|
|
||||||
class AuthenticatedRights(BaseRights):
|
class AuthenticatedRights(BaseRights):
|
||||||
def authorized(self, user, path, permissions):
|
def __init__(self, *args, **kwargs):
|
||||||
if not user:
|
super().__init__(*args, **kwargs)
|
||||||
return ""
|
self._verify_user = self.configuration.get("auth", "type") != "none"
|
||||||
return intersect_permissions(permissions)
|
|
||||||
|
|
||||||
|
|
||||||
class OwnerWriteRights(BaseRights):
|
|
||||||
def authorized(self, user, path, permissions):
|
def authorized(self, user, path, permissions):
|
||||||
if not user:
|
if self._verify_user and not user:
|
||||||
return ""
|
return ""
|
||||||
sane_path = storage.sanitize_path(path).strip("/")
|
sane_path = storage.sanitize_path(path).strip("/")
|
||||||
if user != sane_path.split("/", maxsplit=1)[0]:
|
if "/" not in sane_path:
|
||||||
return intersect_permissions(permissions, "Rr")
|
return intersect_permissions(permissions, "RW")
|
||||||
return intersect_permissions(permissions)
|
if sane_path.count("/") == 1:
|
||||||
|
return intersect_permissions(permissions, "rw")
|
||||||
|
return ""
|
||||||
|
|
||||||
|
|
||||||
class OwnerOnlyRights(BaseRights):
|
class OwnerWriteRights(AuthenticatedRights):
|
||||||
def authorized(self, user, path, permissions):
|
def authorized(self, user, path, permissions):
|
||||||
if not user:
|
if self._verify_user and not user:
|
||||||
return ""
|
return ""
|
||||||
sane_path = storage.sanitize_path(path).strip("/")
|
sane_path = storage.sanitize_path(path).strip("/")
|
||||||
if not sane_path:
|
if not sane_path:
|
||||||
return intersect_permissions(permissions, "R")
|
return intersect_permissions(permissions, "R")
|
||||||
if user != sane_path.split("/", maxsplit=1)[0]:
|
if self._verify_user:
|
||||||
|
owned = user == sane_path.split("/", maxsplit=1)[0]
|
||||||
|
else:
|
||||||
|
owned = True
|
||||||
|
if "/" not in sane_path:
|
||||||
|
return intersect_permissions(permissions, "RW" if owned else "R")
|
||||||
|
if sane_path.count("/") == 1:
|
||||||
|
return intersect_permissions(permissions, "rw" if owned else "r")
|
||||||
|
return ""
|
||||||
|
|
||||||
|
|
||||||
|
class OwnerOnlyRights(AuthenticatedRights):
|
||||||
|
def authorized(self, user, path, permissions):
|
||||||
|
if self._verify_user and not user:
|
||||||
|
return ""
|
||||||
|
sane_path = storage.sanitize_path(path).strip("/")
|
||||||
|
if not sane_path:
|
||||||
|
return intersect_permissions(permissions, "R")
|
||||||
|
if self._verify_user and user != sane_path.split("/", maxsplit=1)[0]:
|
||||||
|
return ""
|
||||||
|
if "/" not in sane_path:
|
||||||
|
return intersect_permissions(permissions, "RW")
|
||||||
|
if sane_path.count("/") == 1:
|
||||||
|
return intersect_permissions(permissions, "rw")
|
||||||
return ""
|
return ""
|
||||||
return intersect_permissions(permissions)
|
|
||||||
|
|
||||||
|
|
||||||
class Rights(BaseRights):
|
class Rights(BaseRights):
|
||||||
|
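Review bot: `self._verify_user` in `AuthenticatedRights.__init__` makes all three plugins fail open when `auth.type` is `none`: `OwnerWriteRights` sets `owned = True` and `OwnerOnlyRights` skips the owner comparison, so a deployment configured with `owner_only` grants every request `RW`/`rw` on every principal with no signal to the operator. The old `load()` had the same effect by forcing `rights_type = "none"`, but that was one visible place; the behaviour is now spread over three `authorized` methods. I would document it on the class, e.g. `# auth type "none": there is no identity to compare, so every request is treated as the owner`, and log a warning once in `__init__` when `_verify_user` is false (assuming the module has a logger in scope, which this hunk does not show). Separately, `"/" not in sane_path` in `AuthenticatedRights.authorized` is also true for the empty root path, so the root gets `RW` there while the two owner plugins return only `R` for it; if that difference is intended it deserves a comment.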
@ -1428,6 +1428,16 @@ class BaseFileSystemTest(BaseTest):
|
|||||||
self.configuration["storage"]["filesystem_folder"] = self.colpath
|
self.configuration["storage"]["filesystem_folder"] = self.colpath
|
||||||
# Disable syncing to disk for better performance
|
# Disable syncing to disk for better performance
|
||||||
self.configuration["internal"]["filesystem_fsync"] = "False"
|
self.configuration["internal"]["filesystem_fsync"] = "False"
|
||||||
|
# Allow access to anything for tests
|
||||||
|
rights_file_path = os.path.join(self.colpath, "rights")
|
||||||
|
with open(rights_file_path, "w") as f:
|
||||||
|
f.write("""\
|
||||||
|
[allow all]
|
||||||
|
user: .*
|
||||||
|
collection: .*
|
||||||
|
permissions: RrWw""")
|
||||||
|
self.configuration["rights"]["file"] = rights_file_path
|
||||||
|
self.configuration["rights"]["type"] = "from_file"
|
||||||
self.application = Application(self.configuration)
|
self.application = Application(self.configuration)
|
||||||
|
|
||||||
def teardown(self):
|
def teardown(self):
|
||||||
|
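Review bot: The allow-all rule written in this setup (`user: .*`, `collection: .*`, `permissions: RrWw`) moves every test built on `BaseFileSystemTest` to `from_file`, so this suite presumably no longer exercises any of the built-in plugins the commit tightens, and the page shows `test_none` deleted without a visible test for the new rule that paths deeper than principal/collection get no permissions. I would add `_test_rights` cases for `owner_only`, `owner_write` and `authenticated` against a three-segment path such as `/tmp/a/b` to pin the denial. The `open(rights_file_path, "w")` call would also read better with an explicit `encoding="utf-8"`. The setup method starts above the hunk.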
@ -99,18 +99,6 @@ class TestBaseAuthRequests(BaseTest):
|
|||||||
self._test_rights("authenticated", "tmp", "/other", "r", 207)
|
self._test_rights("authenticated", "tmp", "/other", "r", 207)
|
||||||
self._test_rights("authenticated", "tmp", "/other", "w", 207)
|
self._test_rights("authenticated", "tmp", "/other", "w", 207)
|
||||||
|
|
||||||
def test_none(self):
|
|
||||||
self._test_rights("none", "", "/", "r", 207)
|
|
||||||
self._test_rights("none", "", "/", "w", 207)
|
|
||||||
self._test_rights("none", "", "/tmp", "r", 207)
|
|
||||||
self._test_rights("none", "", "/tmp", "w", 207)
|
|
||||||
self._test_rights("none", "tmp", "/", "r", 207)
|
|
||||||
self._test_rights("none", "tmp", "/", "w", 207)
|
|
||||||
self._test_rights("none", "tmp", "/tmp", "r", 207)
|
|
||||||
self._test_rights("none", "tmp", "/tmp", "w", 207)
|
|
||||||
self._test_rights("none", "tmp", "/other", "r", 207)
|
|
||||||
self._test_rights("none", "tmp", "/other", "w", 207)
|
|
||||||
|
|
||||||
def test_from_file(self):
|
def test_from_file(self):
|
||||||
rights_file_path = os.path.join(self.colpath, "rights")
|
rights_file_path = os.path.join(self.colpath, "rights")
|
||||||
with open(rights_file_path, "w") as f:
|
with open(rights_file_path, "w") as f:
|
||||||
|