U !]h{@sUddlZddlZddlZddlZddlmZmZddlmZm Z m Z m Z m Z m Z ddlZddlTddlZddlZddlmZejGdddZejGdd d ZejGd d d ZeZiae eefed <dd ddZedddhZGddde Z!Gdddej"j#j$Z$dS)N) OrderedDict defaultdict)TupleDictOptionalListSetType)*) CmfEntityc@sFeZdZUdZeeed<dZeed<dZeeed<dZ eed<dS)AccessRuleDataNsubjects object_model object_fields access_level) __name__ __module__ __qualname__r rstr__annotations__rrrrr./cmf/models/cmf_access_list.pyr s  r c@szeZdZUdZeed<dZeed<dZeed<dZ eed<dZ eed<e j e dZeeed<e j e dZeeed <dS) AccessListDataNdisabledidcodeinherit_acl_idobject_owner_iddefault_factory custom_rules auto_rules)rrrrboolrrrrrr dataclassesfieldlistr rr r!rrrrrs      rc@seZdZUejedZeee fe d<ejdddZ eee efe d<eje dZeee d<ejedZeeeejjfe d<ejedZeeefe d<d S) AclDataraclcCsttSN)rr%rrrr&zAclData.acl_inherit_by used_fieldsstatic_access_control_modelscacheN)rrrr#r$dictr'rrrrr+rsetr,rr-r cmfmodels BaseModelr.rrrrrr&#s $$r&_acl_cache_granted_tuplesd)defaultreadonlyZprivatefullwritereadc@s eZdZdS)_AclStopN)rrrrrrrr<>sr<cseZdZUdZdZdZeed<dZe j j j j dgZ ddZed d Zed d ZedDeeeeeeeeeeeeee jjeeeeeed ddZedEddZedFddZedGddZeddZeddZdZeddZ eddZ!ee"dd gd!dd"d#dHd$d%Z#ee$d&d'dId(d)Z%edJd*d+Z&fd,d-Z'ed.d/Z(fd0d1Z)d2d3Z*fd4d5Z+d6d7Z,d8d9Z-d:d;Z.dd? Z0d@dAZ1dBdCZ2Z3S)L CmfAccessListTN _ACL_DATAisubject_list_aclcCs6dd|jgdddgg}tjj|dD] }|q$dS)N parent_id=sys_typeautofilter)rr2 CmfAccessRuler%delete)selfZ acl_filterZacl_itemrrrclear_auto_aclKszCmfAccessList.clear_auto_aclc Cs4tdtdt}dddddh}|jdd d gd }|D]R}t|j|j|j|j |j d }||j |j<||j |j<|j r>|j |j  |jq>tjjd dddgdddggddddddgd}|D]}|jr|j|krtdtd|d|jd|jd qdd|jD}|jr0dd|jDnd} | rF|j| t||jo\t|j| t|jd} |j |j}|stdtd|d |jd|jd q|jd!kr|j | q|j | qtjj D]} | j!d"kr| |j"| j#<q|t$_%tdtd#t&|d$t&|d%dS)&u TODO: что делаем, если загрузка acl падает??? Всё разрешаем или всё запрещаем? zload_acl_data(pid z): startr9r;r:deny denyWriterrrfields)rrrrrORrBNFrArCrrr rrFrNz): skip z due to empty subjects(z) or invalid access_level()cSsh|]}t|jqSr)sysinternr).0subjectrrr qsz.CmfAccessList.load_acl_data..cSsh|]}t|qSr)rRrS)rTZ field_namerrrrVss)r rrrz due to absent access_list(rDZstaticz ): loaded z acl, z rules)'printosgetpidr&slistrrrrrrr'r+appendr2rGr rrr,updater rrRrSgetrArCr!r r1r3iter_subclassesZacl_typer- class_namer=r?len) clsacl_dataZvalid_access_levelsZ access_listsZ access_listZaccess_list_dataZ access_rulesZ access_ruleZ subjects_dataZobject_fields_dataZaccess_rule_datamodelrrr load_acl_dataPsj   $  $  zCmfAccessList.load_acl_datacCs|j}|o|jS)uНабор полей, по которым существуют правила, чтобы не проверять всё подряд.)r?r,)rarbrrrr,szCmfAccessList.used_fields) initial_acl_keyr object_fieldrr object_idobject_instance object_dictobject_parent_idis_newcstj}d>fdd  f dd fdd}d|krvtt_tjn|dd krd D]}|d qd d 7<d} }rd gjjjt j j ddtj k}tj krpt j}|jjn\tj}|r0|jj|jndd|d|d}|ds\|drpdd 7<t}|dkrtt dr| s r dr|s|dsd}| r| dr| } rވ drވ }|r| } s s |}|tj}|d|d}|dkrt jjdd| ddstjdkr~t j jd | | tj d sti}titj|<n dtj|<n|dkrn|}|dkrtt dr r dr|stjsd} r d }n jjr j}|r| }tj|d}|dkrtjjkr~t jjdd!| dds~ti}titj|<n dtj|<n|dkrn|}|dkr| rd}| r| dr| }t j !| |}|d"krn|d#krtd$h}nti}|dkrt| rtrtstt"td%d}|dkrfd&d't j#j$d(d)gd*d+d,gd-d.gggd/D}|t_%| |krtt}|dkr z|}Wq Wnxt&k r}zX|j'd }t(j)*|}|dkrʂ||d0krڂ|d1d2|t+,d W5d}~XYnXqt|r ||kr d}|s| rt-d3tj.d4d5d6|d7d8d9 d:|d;d<oxt j/d=t0||S)?u Проверка/получение прав доступа к объекту или его полю. Возвращает список доступных прав. Если raise_error == True, то генерирует стандартную ошибку о недостаточности прав доступа. Если текущий пользователь админ, или владелец объекта, или проверка прав отключена, то выдаём полные права. :param object_parent_id: TODO: object_instance может быть без филдов при sget и is_web_public :param object_instance: :param is_new: :param object_id: :param object_dict: :param initial_acl_key: id/code - списка доступа, по которому начинанать поиск. :param object_model: имя модели объекта, если пременимо :param object_field: поле объекта, если применимо :param access_level: если указан, то проверяется наличие конкретного уровня доступа. :param object_owner_id: владелец объекта, параметр для удобства, если указан и совпадает с текущим пользователем, то получаем полные права. :param raise_error: определяет: return False или raise CmfPermissionError :param checking_person - если указан, проверяются его права, а не сессионный g.current_person :param perm_security_level_allowed_ids - ? :param checked_policy - объект проверен бизнес логикой и нужно использовать указанную политику :return: Set[str]/False/raise CmfPermissionError Ncs^fdd fddfddttg z rV d|r|dkrd d d n&|d krd n|d krn td |t r rtt }|j}|dkrn:|dkrd tn$|d krtntd d|d r,d d d Wntk rDYnXt}t ||}|S)Ncs|kr|dSr()add)Z access_level_)deniedgrantedrr add_grantszBCmfAccessList.check_access..calc_access..add_grantcs|jr|jkr|jr |jkr|j@r|jdkrRdddtn^|jdkrbtnN|jdkrddn.|jdkrddn|jdkrddS)Nr9r:r;rKrL)rrr rr<rl)rule)rormrfrr rr check_rules2        zCCmfAccessList.check_access..calc_access..check_rulecsj|}|sL|tjkrdStd|ddttd|||jkrztd|jdt d| |jt |j |jD] }|q|jr|jSdS)Nz. !!! CmfAccessList.check_access: acl_key z not found, processed z, pid=uНе загружен ACL z0 !!! CmfAccessList.check_access: recursion z in u+!!! Кольцевые ссылки у ACL )r'r]gZ new_acl_idrWrXrYCmfACLNotFoundErrorrCmfErrorr[ itertoolschainr r!r)Zacl_keyr'rp)rb check_aclrqprocessed_aclsrrrws      zBCmfAccessList.check_access..calc_access..check_aclglobal)r9r:r9r:r;rKz@Invalid policy value checked_policy, allowed: read, write, fulllr7r8zInvalid model acl policy z.acl_default_user_policy(z!), valid: default, readonly, deny) r0 ValueErrorr<getattrr2Zacl_default_user_policyrttupler4 setdefault)rbchecked_policyrfZ model_clsZ model_policyZ granted_tuple)current_person__member_ofre is_local_userr) rbrorwrqrmrnrfrxr r calc_accesss^      z/CmfAccessList.check_access..calc_accesscsd}r|jrd}n kr2|jr2|jkr2d}nkrP|jrP|jkrPd}nnrj|jrj|jkrjd}nTr|tjkrrddrrrjsnjjs}|st j }|j ddrd}t |rdddhndh}t ||S) NFT user_localZ ContactAdmins)Z group_coder9r:r;)Zacl_allow_createZacl_static_owner_write_fieldsZacl_static_self_write_fieldsZacl_static_user_write_fieldsr2 CmfPersonr]roldrr current_userZin_person_groupr|r4r})static_acl_modelZ allow_writeZ _chk_personresult_) checking_personrcurrent_person_idrrkrirfrgrhrrr calc_static4sN    z/CmfAccessList.check_access..calc_staticcs"d}j}|std|j }|rt o:t  oFt  oRt o^tf}|j|}|dk r dd7<n dd7<|}|dkrʈ rʈ krʈ dd7<t}|dkr}|jkrd}}|srd}n rt dd}to*t o8t |oFt||oTt|f}|j|}|dk r dd7<n dd7<|||d }||j|<t |jj krt |jt |jt |}t d t |jd |d d ddt|jj dD|_|S)Nu8Система ACL не инициализированаacl_check_cache_staticacl_check_calc_staticacl_check_owner_skipZ _acl_policyacl_check_cacheacl_check_calc)r~rfz!CmfAccessList: shrink cache, len z, size iz KbcSsi|]\}}||qSrr)rTkvrrr szKCmfAccessList.check_access..check_with_acl_data..)r?ZCmfACLNotInitializedErrorr-r]rRrSr. _full_accessr,r{r`_CACHE_MAX_SIZE getsizeofrWruisliceitems)rrbrZ cache_keyZ object_field_Zchecked_policy_Z cache_size)rrr~rarrerkrirfrgrhrrstatrrcheck_with_acl_dataQsj               z7CmfAccessList.check_access..check_with_acl_data profiler_data acl_check)racl_check_skiprrrrrrrrTid_onlyFrcurrent_user_is_anonymousdisable_permissionsacl_admin_moderCmfProjectPermSchemez CmfProject:#current_user_is_sharelink_anonymousproject_perm_browse_cache.z PPP-PR-BROWSE)Zproject_id_simplecheckZobj_dict_simplecheckobj raise_errorZpub_api) rerrrrgrjriperm_security_level_allowed_idsr~rzCmfTimeTrackerHistory: project_idzPPP-WORKLOG-VIEWr9r8r;acl_owned_projectscSsh|] }|jqSrr)rTZprojectrrrrV>sz-CmfAccessList.check_access..--rrOZ cmf_owner_idrBZcmf_owner_assistantsINrNrF request_iddebugz2CmfAccessList.check_access(): waiting for loading z !!! ACL access denied for z(or z)(z ), request z , to acl=z, model=z, field=z (requsted z), object_owner_id=(rQ)NN)1rr__dict__rrr}Z load_fieldsrvaluerr2r=subject_full_group_listanonymous_userZsharelink_anonymous_userCmfPersonGroupsharelink_grouprlrrhasattr startswith api_scoper]rZcheck_project_role_access check_accessr|rrrZ is_not_nullZ%project_perm_timetrackerhistory_cacheZCmfSecurityLevelZcheck_perm_security_levelr{Z CmfProjectrZrrsargsREDIS_DBredis _new_acl_keytimesleeprWcurrent_personrCmfPermissionError)rarerrfrrrgrhrirjrkrrrr~Z_CmfAccessList__grZstat_keyresultZrequested_object_fieldrr_userrZ ppp_cache_keyZppp_resZsec_resZ_acl_owned_projectseacl_idrr)rrr~rrarrrerrkrirfrgrhrrrrrs<)p&I                                P zCmfAccessList.check_accessFc sz|s|r|jj}tjjj}dd|gdd|gg}ddtjj|dgdD}|t ||rb|Sfd d|D}|S) NZchild_idrBZ parent_modelrcSsh|]}|jrt|jqSr)rArRrS)rTZrelationrrrrVpsz8CmfAccessList.subject_full_group_list..rArPcs"h|]}tj|drqS)rM)cmfutilZ get_obj_by_id)rTZgroup_idrNrrrrVxs) rrr2rGr Z RelationCacherZrlrRrS)rU subject_idrrN_kwargsZgroup_model_namesZrelation_filterrrrrris z%CmfAccessList.subject_full_group_listc Ks\|j||dd}tjjdgddt|gd}|s4g}|dddd |Dgg}|j|||d S) NT)rUrrrAr rrrcSsg|] }|jqSr)rA)rTrprrr sz2CmfAccessList.subject_list_acl..)rNrForder_by)rr2rGrZr%) rarUrrNrFrrZ member_ofZ related_rulesrrrr@{s zCmfAccessList.subject_list_aclcheck_admin_modecCs tjs tjrdS|rt|dS)NTF)rrrrr)messagerrrrrs  zCmfAccessList.check_admin_modecCsBtjjtjjjddkr2tjs2tj js2t ddt_ dt_ dS)NTractivate_admin_mode) r2rZ admin_grouprrrrZ rg_member_ofZ all_parentsZ is_supportrrrrrrrrrsz!CmfAccessList.activate_admin_modecCsdt_dt_dt_dS)uПервоначальная инициализация контекста, чтобы работали g.current_person, в т.ч. создание пользователей.TN)rrrrr)rarrr init_contextszCmfAccessList.init_contextcCsttddt_tjr*tjs*dt_tt_nftjtjkt_t j j tjddt_tjj stjtj krtjdkr|jstt jj|_tj|jtjrdt_tjrtjrt j}tj|jjdS)u\Сейчас уже должны быть рабочие g.current_person и g.system_personrNTrZsd_api)r{ZAPPrrrZ system_personrr0rrr2r=rrrr_CmfAccessList__guest_group_idrrZ guest_grouprrlZsharelink_access_requestZsharelink_access_grantedrr)rarrrr setup_contexts"    zCmfAccessList.setup_contextcCst}t}|D]}||jt|ddq|j}|s.process_acl_listTz8process_changed_acl(): acl_id is None, drop_all_cache!!!ryz(process_changed_acl(): drop_all_cache!!!z#process_changed_acl(): changed_acl=z, affected_acl=cSs t|tSr() issubclassr )mrrrr)r*z8CmfAccessList.proccess_chanded_acl_job..rr5cSsh|] }|jqSrr)rTrrrrrVsz9CmfAccessList.proccess_chanded_acl_job..rrperm_effective_acl_idre)rNrFslicez3acl::proccess_chanded_acl run invalidate_ids model=z len=z>acl::proccess_chanded_acl too many, flush all cache for model=zacl::proccess_chanded_acl end)rrrr2r=rdr0r?r'r]rr%rZ iter_modelsr`Z CMF_CACHEZinvalidate_idsr_rZ) rZdrop_all_cacherr'Z model_listZpctZpct_steprcZobj_idsrrrproccess_chanded_acl_jobsT         z&CmfAccessList.proccess_chanded_acl_jobCmfAccessList:changed)ZchannelcKs"dd}tddat|dS)Nc SsPtdtdtrDtddatjtj W5QRXntddS)Nzacl::reload handler spawnedzacl::reload handler do reloadFzacl::reload handler skip) rWrr_acl_need_reloadr1ZappZ cmf_contextr2r=rdrrrrhandler0s  z,CmfAccessList.on_acl_change..handlerzacl::reload spawn handlerT)rWrgeventZspawn)datarrrrr on_acl_change+s zCmfAccessList.on_acl_changecCstdg}|dk rDtdddd|Di|D]}|t|q0|rftddt|i||ntddd}t|jd|iddS)Nzacl::reload triggerrrcSsg|] }t|qSr)r)rTaccess_list_idrrrrJsz0CmfAccessList.trigger_reload..r)kwargs)rWZcmf_emit_server_eventr[rZschedule_deferred_jobr)rarrZjob_access_list_idrrrr@s  zCmfAccessList.trigger_reloadcstdddgS)NrZpolicyparent)supersave_preload_fieldsrI __class__rrrVsz!CmfAccessList.save_preload_fieldscCs d|S)NzCmfAccessList::created:r)rrrrrYszCmfAccessList._new_acl_keyc s<||j|jr.tjj||jtjddt j f|S)Nr)ex) rrrkrrr0rrrrrsave)rIrrrrr]s zCmfAccessList.savec Ksg}tjjD]F}||jdddddddgddd |jgdd |jgdd |jggd q||jddddddgd d |jgd |S) NrrrnamerZperm_inherit_acl_idZ perm_acl_idrOrBrr)r1r2r r^extendrZr)rIrrrcrrrfind_acl_usagees     zCmfAccessList.find_acl_usagec sL|}|r2td|dt|d|dd||jtjf|S)Nu)Не возможно удалить acl u,, т.к. на него существует u ссылок, r)rZCmfOrmIntegrityErrorr`rrrrH)rIrusagerrrrHts  zCmfAccessList.deletecCsdSr(rrrrr_calc_perm_parent~szCmfAccessList._calc_perm_parentcCsdSr(rrrrr_calc_perm_has_aclsz CmfAccessList._calc_perm_has_aclcKsdSr(r)rIrrrr_calc_perm_aclszCmfAccessList._calc_perm_aclcCsdSr(rrrrr_calc_perm_effective_aclsz&CmfAccessList._calc_perm_effective_aclcs|s tjg}tj|dS)N) spread_models)r2rGr_acl_spread_inheritance)rIrrrrrsz%CmfAccessList._acl_spread_inheritancecCs2||jr d|_|jddtj|jdS)NFTZ only_data) save_preparerrr2r=rr)rIZ_rulerrrsave_rule_hooks  zCmfAccessList.save_rule_hookcCsR||js@tjjdd|gdd|jggds@d|_|jddtj|jdS)NrrBrz!=rETr) rrr2rGrZrrr=r)rIrprrrdelete_rule_hooks  zCmfAccessList.delete_rule_hook)NNNNNNNNNNTNNN)NNFN)NNNNN)rT)N)N)NN)N)4rrr__doc__ZTEXKOM_no_cacher?r&rrr1rNcmf_access_listr=Z api_methodsrJ classmethodrdr,rrr2r3r/r"r staticmethodrr@rrrrrrZcmf_deferred_jobrZon_server_eventrrrrrrrHrrrrrrr __classcell__rrrrr=Bs    C  Q      ! L     r=)%r#rurRr collectionsrrtypingrrrrrr rZ cmf.includeZcmf.appr1Zcmf.fields.cmf_access_listZ cmf.modelsr Z dataclassr rr&r0Z_acl_changed_idsr4rZ_policy_prioritiesr|r Exceptionr<rNrr=rrrrs4