6hUddlZddlZddlZddlZddlmZmZddlmZm Z m Z m Z m Z m Z ddlZddlddlZddlZddlmZej*GddZej*Gdd Zej*Gd d ZeZiae eefed <dd ddZehdZGdde Z!GddejDjFjHZ$y)N) OrderedDict defaultdict)TupleDictOptionalListSetType)*) CmfEntitycReZdZUdZeeed<dZeed<dZeeed<dZ eed<y)AccessRuleDataNsubjects object_model object_fields access_level) __name__ __module__ __qualname__rr str__annotations__rrr./cmf/models/cmf_access_list.pyrrs2Hc#hL#"M3s8"L#rrceZdZUdZeed<dZeed<dZeed<dZ eed<dZ eed<e je Zeeed<e je Zeeed <y) AccessListDataNdisabledidcodeinherit_acl_idobject_owner_iddefault_factory custom_rules auto_rules)rrrrboolrrrrr r! dataclassesfieldlistr$rrr%rrrrrskHdBND#NCOS):):):4)PL$~&P'8{'8'8'NJ^$NrrcbeZdZUejeZeee fe d<ejdZ eee efe d<eje Zeee d<ejeZeeeej&j(fe d<ejeZeeefe d<y) AclDatar"aclc ttSN)rr)rrrzAclData.&s U`aeUfracl_inherit_by used_fieldsstatic_access_control_modelscacheN)rrrr'r(dictr,rrrrr0rsetr1r r2r cmfmodels BaseModelr3rrrrr+r+#s%6[%6%6t%LCc>! "L+<;+<+fullreadwritec eZdZy)_AclStopN)rrrrrrrCrC>srrCceZdZUdZdZdZeed<dZe jjjjdgzZ dZedZed Ze d1d eed eed eed eedeedeedee j(j*deedeedeefdZed2dZed3dZed4dZedZedZdZedZ edZ!ee"ddgdddd5d Z#ee$d!"d5d#Z%ed6d$Z&fd%Z'ed&Z(fd'Z)d(Z*fd)Z+d*Z,d+Z-d,Z.d-Z/d5fd. Z0d/Z1d0Z2xZ3S)7 CmfAccessListTN _ACL_DATAisubject_list_aclcdd|jggdg}tjj|D]}|j y)N parent_id=)sys_typerKautofilter)rr7 CmfAccessRuler)delete)self acl_filteracl_items rclear_auto_aclzCmfAccessList.clear_auto_aclKsE"C13LM ,,111D H OO  rc tdtjdt}hd}|j gd}|D]}t |j |j|j|j|j}||j|j<||j|j<|js|j|jj|jtjj dgdgd ggd  }|D]}|j r|j"|vr?tdtjd |d |j d|j"d ]|j Dchc]!}t%j&|j#} }|j(r-|j(D chc]} t%j&| c} nd} | r|j*j-| t/| |j0xrt%j&|j0| t%j&|j"} |jj3|j4}|s@tdtjd |d|j4d|j"d |j6dk(r|j8j| |j:j| t<jj>jAD]+} | jBdk(s| |jD| jF<-|tH_%tdtjdtM|dtM|dycc}wcc} w)u TODO: что делаем, если загрузка acl падает??? Всё разрешаем или всё запрещаем? zload_acl_data(pid z): start>denyr?r@rA denyWrite)rr!r fields)rrrr r!OR)rrKN)rrKF)rJrLrrrrrOrZz): skip z due to empty subjects(z) or invalid access_level()N)rrrrz due to absent access_list(rMstaticz ): loaded z acl, z rules)'printosgetpidr+slistrrrrr r!r,r0appendr7rPrrsysinternrr1updaterrgetrJrLr%r$r6r8iter_subclassesacl_typer2 class_namerErGlen)clsacl_datavalid_access_levels access_lists access_listaccess_list_data access_rules access_rulesubject subjects_data field_nameobject_fields_dataaccess_rule_datamodels r load_acl_datazCmfAccessList.load_acl_dataPsc "299;-x899Lyy(YyZ ' [K-$--+..{GWGW*99;KfKf h 3CHLL).. /0@HLL),, -))'' (B(BCJJ;>>Z [++1113KLi2k (! GK'';+C+CK^+^( Xk]-k.B.B-CD00;0H0H/ILMCNCWCWXSZZ 3XMX,,LWKdKd!eZ#**Z"8!e26 !$$++,>?-&[5M5M5vRUR\R\]h]u]uRv0szz+JbJb?c e  (||// 0E0EF #( Xk]1+2G2G1HI00;0H0H/ILM##v- ++223CD --445EFC! GFZZ))99; PE~~)JO55e6F6FG P#+  "299;-z#l:K9LFSVWcSdReeklmCY!es &N8N=c:|j}|xr |jS)uНабор полей, по которым существуют правила, чтобы не проверять всё подряд.)rGr1)rlrms rr1zCmfAccessList.used_fieldss==0H000rinitial_acl_keyr object_fieldrr! object_idobject_instance object_dictobject_parent_idis_newc4   !"#$%tj}d9"$fd "#$ f d! !# %fd}d|vr$tt_tj%n|d%d%vrdD]}%j |d%dxxd z cc<d}} r j d g j j# j$tjj d " tjk(} tjk(rtjj}"j!|j jn`tj"}|r#|j j#|j$nd#d $|d"|d}|ds|dr%dxxd z cc<t$}|Nt'tdr=| sr8j)dr&|s#|dsd}| r| j)dr| }rj)dr}|r|#}ss|#}|tj*}|dj-|d}|durtj.j1dd|d srtj*dk(r7tjj3d | | tj sAt5i}t5itj6|<ndtj6|<n|n|}|!t'tdrr j)dr|stj8sd}rj-d}n#j:j<r j:}|r|#}tj>j-|d}|dur~tj"j k7rMtj.j1dd|d s(t5i}t5itj>|<ndtj>|<n|n|}|\| rZd}| r| j)dr| }tj@jC| |}|dk(rn|d k(r t5d!h}n t5i}|r| rp#rn sltEtd"d}|OtjFjId#d$gd%d&d'#gd(d)#ggg*Dchc]}|j }}|t_%| |vrt$}| |} |r||vrd }|sh| rft[d.tj\d/ d0#d1|d2d3d4d5|d6d7xrtj^j-d8ta||Scc}w#tL$rv}|jNd }tPjRj-jU|}|||d+k(r|d,d-|tWjXd Yd}~nd}~wwxYw|):u Проверка/получение прав доступа к объекту или его полю. Возвращает список доступных прав. Если raise_error == True, то генерирует стандартную ошибку о недостаточности прав доступа. Если текущий пользователь админ, или владелец объекта, или проверка прав отключена, то выдаём полные права. :param object_parent_id: TODO: object_instance может быть без филдов при sget и is_web_public :param object_instance: :param is_new: :param object_id: :param object_dict: :param initial_acl_key: id/code - списка доступа, по которому начинанать поиск. :param object_model: имя модели объекта, если пременимо :param object_field: поле объекта, если применимо :param access_level: если указан, то проверяется наличие конкретного уровня доступа. :param object_owner_id: владелец объекта, параметр для удобства, если указан и совпадает с текущим пользователем, то получаем полные права. :param raise_error: определяет: return False или raise CmfPermissionError :param checking_person - если указан, проверяются его права, а не сессионный g.current_person :param perm_security_level_allowed_ids - ? :param checked_policy - объект проверен бизнес логикой и нужно использовать указанную политику :return: Set[str]/False/raise CmfPermissionError Nc| fd  fd fdt t g rd|rM|dvrdddt|dk(rdt|d k(r ttd |rTrRtt}|j }|d k(rn0|d k(rdt|d k(rtt d d|drdddt }tj||}|S#t$rY.wxYw)Nc2|vrj|yyr.)add) access_level_deniedgranteds r add_grantzBCmfAccessList.check_access..calc_access..add_grants .KK ./rc|jr|jk(r|jr|jvr|jzr|jdk(rdddt|jdk(rt|jdk(r#j dj dy|jdk(rddy|jdk(r dyyyyy)Nr?rAr@rWrX)rrrrrCr)rulerrr}rrs r check_rulezCCmfAccessList.check_access..calc_access..check_rules**d.?.?<.O!//<4CUCU3U!DMM1((F2!&)!'*!&)&**f4&**k9 6* 7+**g5!'*!&)**f4!&)524V/Prc  jj|}|sI|tjk(ryt d|ddt j td|||jvr)t d|jdtd|j|jtj|j|jD] }| |jr|jSy)Nz. !!! CmfAccessList.check_access: acl_key z not found, processed z, pid=uНе загружен ACL z0 !!! CmfAccessList.check_access: recursion z in u+!!! Кольцевые ссылки у ACL )r,rgg new_acl_idr_r`raCmfACLNotFoundErrorrCmfErrorrc itertoolschainr$r%r )acl_keyr,rrm check_aclrprocessed_aclss rrzBCmfAccessList.check_access..calc_access..check_aclsll&&w/!,,.$$+9,B>BRRXY[YbYbYdXegh.0J7).TV]^^66^+LSVVHTXYgXhij"%PQXPY#Z[[%%cff- &OOC,<,.calc_accesss / * *, 94eGUFN0H- "o.(#"%)::!&)!'*!&)#N(61!&) #N (61#N)^`npp M ' =I#,#D#DL#y0%3!&)&%/&&7 ~E^_k^lm>?@@ !f%g&f%"'NM5@@P]^M   sCD// D;:D;c d} r|jrd}nډk(r|jr |jvrd}n vr|jr |jvrd}nr|jr |jvrd}nxrv|tj k(rc r j ddr' rM r js?n jjs(}|stj}|jdrd}|rd}n#|j r vr |jv}nd}|rthd}n|r tdh}n t}tj||S)NFT user_local ContactAdmins) group_code>r?r@rAr@)acl_allow_createacl_static_owner_write_fieldsacl_static_self_write_fieldsacl_static_user_write_fieldsr7 CmfPersonrgroldr current_userin_person_groupacl_static_public_fieldsrr9r)static_acl_model allow_write _chk_person allow_readresult_checking_personrcurrent_person_idrrrr}r~rr!s r calc_staticz/CmfAccessList.check_access..calc_static4sbK*;;"  $55(FF$(8(V(VV" 77(EE$(8(U(UU" #3#P#P$(8(U(UU" #3v7G7G#G!+//,*M'v1K1K[j[u[u[y[y- ""#..K../.J"&K! #<<H\^gpI_I!-1A1Z1Z!ZJ"&J 9:/'-77I Ircd} j}|s td|jj}|rt j xrt j xrt j xrt j xrt j f}|j j|}|dxxdz cc<ndxxdz cc< |}|r k(rdxxdz cc<t}|}|jvrd} }|s#rjd}nr tdd}t j xrt j xrt j |xrt j ||xrt j |f}|j j|}|dxxdz cc<|Sdxxdz cc< ||| }||j |<t|j  jkDrt j|j t|j t j|zz}td t|j d |d zd tj|j j! jdzDcic]\}}|| c}}|_|Scc}}w)Nu8Система ACL не инициализированаacl_check_cache_staticacl_check_calc_staticacl_check_owner_skip _acl_policyacl_check_cacheacl_check_calc)rr}z!CmfAccessList: shrink cache, len z, size iz Kb)rGCmfACLNotInitializedErrorr2rgrdrer3 _full_accessr1rrk_CACHE_MAX_SIZE getsizeofr_risliceitems)rrmr cache_key object_field_checked_policy_ cache_sizekvrrrrlrr|rrr}r~rrr!stats rcheck_with_acl_dataz7CmfAccessList.check_access..check_with_acl_dataasG}}H/0jkk'DDHHV JJ017#**Y"7#C ?(C =SZZ %= =SZZ %=  #..,,Y7&12a7201Q61)*:;G":K'K/0A50*G , x';';;$(M"0&"*5//-*H(*1/=RV*WJJ01#C ?(C =SZZ %=!?cjj&?#C ?(C E #..,,Y7&*+q0+N)*a/*)(?anoG07HNN9-8>>*S-@-@@%(]]8>>%B3x~~CVWZWdWdenWoCo%o ?HNN@S?TT[\fhl\l[mmpqs .7-=-=hnn>R>R>TVYViViklVl-m*o%)QAqD*oN*os% K= profiler_data acl_check)racl_check_skiprrrrrrrrTid_onlyFrcurrent_user_is_anonymousdisable_permissionsacl_admin_moderCmfProjectPermSchemez CmfProject:#current_user_is_sharelink_anonymousproject_perm_browse_cache.z PPP-PR-BROWSE)project_id_simplecheckobj_dict_simplecheckobj raise_errorpub_api) r|rr!rr~rrperm_security_level_allowed_idsrrzCmfTimeTrackerHistory: project_idzPPP-WORKLOG-VIEWr?r=r@acl_owned_projects--rr[ cmf_owner_idrKcmf_owner_assistantsINrZrO request_iddebugz2CmfAccessList.check_access(): waiting for loading z !!! ACL access denied for z(or z)(z ), request z , to acl=z, model=z, field=z (requsted z), object_owner_id=(r]NN)1r__dict__rrr load_fieldsrvaluerr7rEsubject_full_group_listanonymous_usersharelink_anonymous_userCmfPersonGroupsharelink_grouprrrhasattr startswith api_scopergrcheck_project_role_access check_accessrrrr is_not_null%project_perm_timetrackerhistory_cacheCmfSecurityLevelcheck_perm_security_levelr CmfProjectrbrrargsREDIS_DBredis _new_acl_keytimesleepr_current_personrCmfPermissionError)&rlr|rr}rr!r~rrrrrrrr_CmfAccessList__grstat_keyresultrequested_object_fieldrr_userr ppp_cache_keyppp_ressec_res_acl_owned_projectsprojecteacl_idrrrrrrrs&```` ```` ` ` ` @@@@@@rrzCmfAccessList.check_accesssRjjn !n !`+ J+ JZG G G R # %)mAO??D'D d "G - !,  - [Q!-   ' ' 7 / 2 2 8 8 +66M(.(<(<(T(TUdnr(T(s %(71;K;K(K %!"<"<<"("7"7"G"G"I)--o.@.@.F.FGNNE$)HHNN! % 0 0 $(! % (+,G(H %(+,G(H %()S1A-B%&!+&% >gf.DE%) 8L8L]8[1#>c:dJ$4$?$? $N- Y11-@&  $.,/@.A) M "?(2l3D2E$FM#0/!++ ? 9:>>}cRc>"66PPQUWfhrfqUd]b Qe!" y 8V=Q=Q=^=^0?ll{,1YYi,7Yx/=qO_O_ >_>a &+2YF JOrA77 FEI33MB_%F >gf.DE)"6"67O"P1!:_:_J(__\:  ++77 / : :; #-,/@.A) M AAEEmUXYc>&!..*;*;;FD_D_DyDyz~AShrfqUd]b EzEe"'rQVWYQZ?? NRV?? N_$F >=J$4$?$? $N- --GGHgistG& J&xr >.3D'")!-A4"H "* $*#4#4#:#:$($< $~s4Qb:cd#0066oWbVc6d#!! JJx)) *##  3::j)* M&,h(8M8Mh_e8M8f1f1f#hh #is-2C4 C9,C9c |j||d}tjjdgddt |g}|sg}|dd|D cgc]} | j c} gg}|j |||Scc} w) NT)rtrrrJrrrr)rZrOorder_by)rr7rPrbr)rJ) rlrtrrZrOr r member_of related_rulesrs rrHzCmfAccessList.subject_list_acls//J`d/e ,,22;-Q[]acghqcrPs2t F4='Q4'QRSxxvfxxHH(RsA: c`tjstjry|r t|y)NTF)rrrr)messagers rcheck_admin_modezCmfAccessList.check_admin_modes' A$4$4 $W- -rc>tjjjtj j jdvr5tjs%tjjs tddt_ dt_ y)NTractivate_admin_mode) r7r admin_grouprrr rg_member_of all_parents is_supportrrrrrrrr'z!CmfAccessList.activate_admin_modesi  , , . 1 19I9I9V9V9b9bko9b9p p)B)B$%:; ; $rcFdt_dt_dt_y)uПервоначальная инициализация контекста, чтобы работали g.current_person, в т.ч. создание пользователей.TN)rrrr)rls r init_contextzCmfAccessList.init_contexts!%&*#rc*ttddt_tjr0tjs dt_t t_n+tjtjk(t_tjjtjdt_tjstjjstjtjk7r~tj dk7rk|j"s6t%tj&j)j*|_tjj-|j"tj r dt_tj.rctj0rRtj&j3}tjj-|j*j4yyy)u\Сейчас уже должны быть рабочие g.current_person и g.system_personrNTrsd_api)rAPPrr system_personrr5rrr7rErconfigIS_AUTHORIZATORrrr_CmfAccessList__guest_group_idrr guest_grouprrsharelink_access_requestsharelink_access_grantedrr)rlrs r setup_contextzCmfAccessList.setup_contextsT!(-BD I #A *-%A ' //1??BA *0*>*>*V*VWXWgWgqu*V*vA '..,,77((A,<,<< x/+++.v/D/D/P/P/R/U/U+VC(++//0D0DE  $(A ! % %!*D*D$33CCEO ' ' + +O,>,>,D,D E+E %rct}t}|D]-}|j|jt|d/|j}|sy|j j D]Z}g|j|jD]:}|j|js|j|jZ\|r|j|yy)u Нужно по списку субъектов получить список затронутых ACL и вызвать trigger_reload(access_list_ids) TODO: плохо, что ищем по текущим данным ACL, которые могут устареть. Можно перенести эту логику на серверный обработчик события T)rrN)access_list_ids)r5rfrrrGr,valuesr%r$ intersectionrrrtrigger_reload)rl subjects_idsr:affected_subjects_idsrrmr,rs rsubject_changed_hookz"CmfAccessList.subject_changed_hooks% #& pJ ! ( ()D)DPST^P_im)D)n o p== <<&&( C<#..<3+;+;< (55dmmD#''/        ? rr:u,Применение изменений ACL ) only_onceonly_once_args descriptionshow_bg_progressbar countdownc  tjdtjj d}t |sdg} fd |D]z}|d}tjdn_tj jj|}|sJ|jdk(rd}tjdn  |g||stjd|d ttjd }d }d t|z }|D]}||z }|r!tj|j d,|j#d dgddt gd dgDchc]}|j$} }| sjtjd|j dt| t| d kDrCtjd|j tj|j dtj|j |  tjdycc}w)Nzacl::proccess_chanded_acl startFc|sy|D]G}|vrj|tjjj |Iyr.)rrErGr0rg) acl_id_list_acl_id_full_idsprocess_acl_lists rrLz@CmfAccessList.proccess_chanded_acl_job..process_acl_list sP' Vh& W% !8!8!G!G!K!KG!TU  VrTz8process_changed_acl(): acl_id is None, drop_all_cache!!!rz(process_changed_acl(): drop_all_cache!!!z#process_changed_acl(): changed_acl=z, affected_acl=c"t|tSr.) issubclassr )ms rr/z8CmfAccessList.proccess_chanded_acl_job..$s 1i8Prrr:rrperm_effective_acl_idre)rZrOslicez3acl::proccess_chanded_acl run invalidate_ids model=z len=z>acl::proccess_chanded_acl too many, flush all cache for model=zacl::proccess_chanded_acl end)rrr7rErzr5rGr,rgrr)r iter_modelsrk CMF_CACHEinvalidate_idsrjrbr) r:drop_all_cacherr, model_listpctpct_stepryrobj_idsrKrLs @@rproccess_chanded_acl_jobz&CmfAccessList.proccess_chanded_acl_jobs: 13 **,5#fO V& 'F~!%RS))--11&9Cxx8#!%BC fX & ' GG9/9J/ZbYcd e'--.PQR Z( @E 8OC(()9)94@!;;tTlD[]acghpcqCr{|B{C;DEEGE GGI%JZJZI[[`adelam`no p7|c!XY^YiYiXjkl(()9)94@  $ $U%5%5w ?) @* /1Es,H<CmfAccessList:changed)channelc Nd}tddatj|y)Nc$tdtjdtrStddatj j 5tjjdddytdy#1swYyxYw)Nzacl::reload handler spawnedzacl::reload handler do reloadFzacl::reload handler skip) r_rr_acl_need_reloadr6app cmf_contextr7rErzrrrhandlerz,CmfAccessList.on_acl_change..handlerCso / 1 JJqM57#( WW((*9((668990299s BBzacl::reload spawn handlerT)r_rageventspawn)datarrds r on_acl_changezCmfAccessList.on_acl_change>s$ 3 )+ Wrc \tdg}|Ftdd|Dcgc] }t|c}i|D]}|jt|r)tddt|i|j|ntddd}t |j d|iycc}w)Nzacl::reload triggerr\r:access_list_id)kwargs)r_cmf_emit_server_eventrrcschedule_deferred_jobr[)rlrjr:job_access_list_ids rr=zCmfAccessList.trigger_reloadSs #%   & !'"$_^S%8$_` b#2 ?"))#n*=> ?  !"9B*..2%) ,0\%c]\#3-\#3- \ #3- \ &c] \ }\&cjj&:&:;\"$\'sm\TN\\|"II%%  "F"FH@@2(9':BX\hjlJ2lJ2X456&ll*P22& (    L 55rrE)%r'rrdr collectionsrrtypingrrrrr r re cmf.includecmf.appr6cmf.fields.cmf_access_list cmf.modelsr dataclassrrr+r5_acl_changed_idsr9r_policy_prioritiesrr ExceptionrCrZrrErrrrs 099 !   OOO HHH5024u -2 ./  y n 5CJJ..<<n 5r