ji}UddlZddlZddlZddlZddlmZmZddlmZm Z m Z m Z m Z m Z ddlZddlddlZddlZddlmZej,rddlmZej2GddZej2Gd d Zej2Gd d ZeZiae eefe d <ddddZ!e"hdZ#Gdde$Z%GddejLjNjPZ(y)N) OrderedDict defaultdict)TupleDictOptionalListSetType)*) CmfEntity)cmf_access_list_metricscReZdZUdZeeed<dZeed<dZeeed<dZ eed<y)AccessRuleDataNsubjects object_model object_fields access_level) __name__ __module__ __qualname__rr str__annotations__rrr./cmf/models/cmf_access_list.pyrrs2Hc#hL#"M3s8"L#rrceZdZUdZeed<dZeed<dZeed<dZ eed<dZ eed<e je Zeeed<e je Zeeed <y) AccessListDataNdisabledidcodeinherit_acl_idobject_owner_iddefault_factory custom_rules auto_rules)rrrrboolrrrr r!r" dataclassesfieldlistr%rrr&rrrrrskHdBND#NCOS):):):4)PL$~&P'8{'8'8'NJ^$NrrcbeZdZUejeZeee fe d<ejdZ eee efe d<eje Zeee d<ejeZeeeej&j(fe d<ejeZeeefe d<y) AclDatar#aclc ttSN)rr*rrrzAclData.(s U`aeUfracl_inherit_by used_fieldsstatic_access_control_modelscacheN)rrrr(r)dictr-rrrrr1rsetr2r r3r cmfmodels BaseModelr4rrrrr,r,%s%6[%6%6t%LCc>! "L+<;+<+fullreadwritec eZdZy)_AclStopN)rrrrrrrDrD@srrDceZdZUdZdZdZeed<dZe jjjjdgzZ dZedZed Ze d2d eed eed eed eedeedeedee j(j*deedeedeefdZed3dZed4dZed5dZedZedZdZedZ edZ!ee"ddgddd d6d!Z#ee$d"#d6d$Z%ed7d%Z&fd&Z'ed'Z(fd(Z)d)Z*fd*Z+d+Z,d,Z-d-Z.d.Z/d6fd/ Z0d0Z1d1Z2xZ3S)8 CmfAccessListTN _ACL_DATAisubject_list_aclcdd|jggdg}tjj|dgD]}|j y)N parent_id=)sys_typerLautorMfilterfields)rr8 CmfAccessRuler*delete)self acl_filteracl_items rclear_auto_aclzCmfAccessList.clear_auto_aclMsI"C13LM ,,11ZL1Y H OO  rc  tdtjdtj dd}d}d}d}d}d}t }hd}|j gd} | D]} |d z }t| j| j| j| j| j } | |j| j<| |j| j<| js|j| jj| jt j"j d gd gd ggd} | D]} |d z }| j$r| j&|vrD|d z }tdtjd| d| j$d| j&d g| j$Dchc]!}t)j*|j#}}| j,r-| j,Dchc]}t)j*|c}nd}|r|j.j1|t3|| j4xrt)j*| j4|t)j*| j&}|jj7| j8} | sE|d z }tdtjd| d| j8d| j&d | j:dk(r"|d z }| j<j|| j>j|t@j jBjED]+}|jFdk(s||jH|jJ<-|tL_'|tPjRrtTjVjYd tTjZjY|tTj\jY|tTj^jY|tTj`jY|tTjbjY|tdtjdte| dte| dycc}wcc}w)u TODO: что делаем, если загрузка acl падает??? Всё разрешаем или всё запрещаем? zload_acl_data(pid z): start load_acl_datar<r>denyr@rArB denyWrite)rr"r!rQ)rrr r!r"OR)rrLN)rrLF)rKrMrrrrrOz): skip z due to empty subjects(z) or invalid access_level()N)rrrrz due to absent access_list(rNstaticz ): loaded z acl, z rules)3printosgetpidcmfutilmake_prof_pointr,slistrrrr r!r"r-r1appendr8rRrrsysinternrr2updaterrgetrKrMr&r%r7r9iter_subclassesacl_typer3 class_namerFrHconfigMETRICS_ACCESS_LISTr rYrB access_list access_ruleaccess_rule_absentaccess_rule_emptyaccess_rule_autolen)cls prof_pointaccess_list_countaccess_rule_countaccess_rule_absent_countaccess_rule_empty_countaccess_rule_auto_countacl_datavalid_access_levels access_listsrqaccess_list_data access_rulesrrsubject subjects_data field_nameobject_fields_dataaccess_rule_datamodels rrYzCmfAccessList.load_acl_dataRsU "299;-x89,,_cB #$ "#!"9Lyy(YyZ ' [K  " -$--+..{GWGW*99;KfKf h 3CHLL).. /0@HLL),, -))'' (B(BCJJ;>>Z [++1113KLi2k (% GK  " '';+C+CK^+^'1,'( Xk]-k.B.B-CD00;0H0H/ILMCNCWCWXSZZ 3XMX,,LWKdKd!eZ#**Z"8!e26 !$$++,>?-&[5M5M5vRUR\R\]h]u]uRv0szz+JbJb?c e  (||// 0E0EF #(A-(( Xk]1+2G2G1HI00;0H0H/ILM##v-&!+& ++223CD --445EFK% GNZZ))99; PE~~)JO55e6F6FG P#+   % % # 1 1 7 7 : # / / 5 56G H # / / 5 56G H # 6 6 < <=U V # 5 5 ; ;j-|d}|dur~tj"j k7rMtj.j1dd|d s(t5i}t5itj>|<ndtj>|<n|n|}|\| rZd}| r| j)dr| }tj@jC| |}|dk(rn|d k(r t5d!h}n t5i}|r| rp#rn sltEtd"d}|OtjFjId#d$gd%d&d'#gd(d)#ggg*Dchc]}|j }}|t_%| |vrt$}| |} |r||vrd }|sh| rft[d.tj\d/ d0#d1|d2d3d4d5|d6d7xrtj^j-d8ta||Scc}w#tL$rv}|jNd }tPjRj-jU|}|||d+k(r|d,d-|tWjXd Yd}~nd}~wwxYw|):u Проверка/получение прав доступа к объекту или его полю. Возвращает список доступных прав. Если raise_error == True, то генерирует стандартную ошибку о недостаточности прав доступа. Если текущий пользователь админ, или владелец объекта, или проверка прав отключена, то выдаём полные права. :param object_parent_id: TODO: object_instance может быть без филдов при sget и is_web_public :param object_instance: :param is_new: :param object_id: :param object_dict: :param initial_acl_key: id/code - списка доступа, по которому начинанать поиск. :param object_model: имя модели объекта, если пременимо :param object_field: поле объекта, если применимо :param access_level: если указан, то проверяется наличие конкретного уровня доступа. :param object_owner_id: владелец объекта, параметр для удобства, если указан и совпадает с текущим пользователем, то получаем полные права. :param raise_error: определяет: return False или raise CmfPermissionError :param checking_person - если указан, проверяются его права, а не сессионный g.current_person :param perm_security_level_allowed_ids - ? :param checked_policy - объект проверен бизнес логикой и нужно использовать указанную политику :return: Set[str]/False/raise CmfPermissionError Nc| fd  fd fdt t g rd|rM|dvrdddt|dk(rdt|d k(r ttd |rTrRtt}|j }|d k(rn0|d k(rdt|d k(rtt d d|drdddt }tj||}|S#t$rY.wxYw)Nc2|vrj|yyr/)add) access_level_deniedgranteds r add_grantzBCmfAccessList.check_access..calc_access..add_grants .KK ./rc|jr|jk(r|jr|jvr|jzr|jdk(rdddt|jdk(rt|jdk(r#j dj dy|jdk(rddy|jdk(r dyyyyy)Nr@rBrArZr[)rrrrrDr)rulerrrrrs r check_rulezCCmfAccessList.check_access..calc_access..check_rules**d.?.?<.O!//<4CUCU3U!DMM1((F2!&)!'*!&)&**f4&**k9 6* 7+**g5!'*!&)**f4!&)524V/Prc  jj|}|sI|tjk(ryt d|ddt j td|||jvr)t d|jdtd|j|jtj|j|jD] }| |jr|jSy)Nz. !!! CmfAccessList.check_access: acl_key z not found, processed z, pid=uНе загружен ACL z0 !!! CmfAccessList.check_access: recursion z in u+!!! Кольцевые ссылки у ACL )r-rkg new_acl_idrarbrcCmfACLNotFoundErrorrCmfErrorrg itertoolschainr%r&r!)acl_keyr-rr~ check_aclrprocessed_aclss rrzBCmfAccessList.check_access..calc_access..check_aclsll&&w/!,,.$$+9,B>BRRXY[YbYbYdXegh.0J7).TV]^^66^+LSVVHTXYgXhij"%PQXPY#Z[[%%cff- &OOC,<,zInvalid model acl policy z.acl_default_user_policy(z!), valid: default, readonly, deny) r6 ValueErrorrDgetattrr8acl_default_user_policyrtupler: setdefault)r~checked_policyr model_cls model_policy granted_tuplerrrrrrrcurrent_person__member_ofr is_local_userrs` ` @@@@@@@r calc_accessz/CmfAccessList.check_access..calc_accesss / * *, 94eGUFN0H- "o.(#"%)::!&)!'*!&)#N(61!&) #N (61#N)^`npp M ' =I#,#D#DL#y0%3!&)&%/&&7 ~E^_k^lm>?@@ !f%g&f%"'NM5@@P]^M   sCD// D;:D;c d} r|jrd}nډk(r|jr |jvrd}n vr|jr |jvrd}nr|jr |jvrd}nxrv|tj k(rc r j ddr' rM r js?n jjs(}|stj}|jdrd}|rd}n#|j r vr |jv}nd}|rthd}n|r tdh}n t}tj||S)NFT user_local ContactAdmins) group_code>r@rArBrA)acl_allow_createacl_static_owner_write_fieldsacl_static_self_write_fieldsacl_static_user_write_fieldsr8 CmfPersonrkroldr current_userin_person_groupacl_static_public_fieldsrr:r)static_acl_model allow_write _chk_person allow_readresult_checking_personrcurrent_person_idrrrrrrr"s r calc_staticz/CmfAccessList.check_access..calc_staticJsbK*;;"  $55(FF$(8(V(VV" 77(EE$(8(U(UU" #3#P#P$(8(U(UU" #3v7G7G#G!+//,*M'v1K1K[j[u[u[y[y- ""#..K../.J"&K! #<<H\^gpI_I!-1A1Z1Z!ZJ"&J 9:/'-77I Ircd} j}|s td|jj}|rt j xrt j xrt j xrt j xrt j f}|j j|}|dxxdz cc<ndxxdz cc< |}|r k(rdxxdz cc<t}|}|jvrd} }|s#rjd}nr tdd}t j xrt j xrt j |xrt j ||xrt j |f}|j j|}|dxxdz cc<|Sdxxdz cc< ||| }||j |<t|j  jkDrt j|j t|j t j|zz}td t|j d |d zd tj|j j! jdzDcic]\}}|| c}}|_|Scc}}w)Nu8Система ACL не инициализированаacl_check_cache_staticr]acl_check_calc_staticacl_check_owner_skip _acl_policyacl_check_cacheacl_check_calc)rrz!CmfAccessList: shrink cache, len z, size iz Kb)rHCmfACLNotInitializedErrorr3rkrhrir4 _full_accessr2rrv_CACHE_MAX_SIZE getsizeofrarisliceitems)rr~r cache_key object_field_checked_policy_ cache_sizekvrrrrwrrrrrrrrr"stats rcheck_with_acl_dataz7CmfAccessList.check_access..check_with_acl_datawsG}}H/0jkk'DDHHV JJ017#**Y"7#C ?(C =SZZ %= =SZZ %=  #..,,Y7&12a7201Q61)*:;G":K'K/0A50*G , x';';;$(M"0&"*5//-*H(*1/=RV*WJJ01#C ?(C =SZZ %=!?cjj&?#C ?(C E #..,,Y7&*+q0+N)*a/*)(?anoG07HNN9-8>>*S-@-@@%(]]8>>%B3x~~CVWZWdWdenWoCo%o ?HNN@S?TT[\fhl\l[mmpqs .7-=-=hnn>R>R>TVYViViklVl-m*o%)QAqD*oN*os% K= profiler_data acl_check)racl_check_skiprrrrrrr]rTid_onlyFrcurrent_user_is_anonymousdisable_permissionsacl_admin_moderCmfProjectPermSchemez CmfProject:#current_user_is_sharelink_anonymousproject_perm_browse_cache.z PPP-PR-BROWSE)project_id_simplecheckobj_dict_simplecheckobj raise_errorpub_api) rrr"rrrrperm_security_level_allowed_idsrrzCmfTimeTrackerHistory: project_idzPPP-WORKLOG-VIEWr@r>rAacl_owned_projects--rr^ cmf_owner_idrLcmf_owner_assistantsINrQrP request_iddebugz2CmfAccessList.check_access(): waiting for loading z !!! ACL access denied for z(or z)(z ), request z , to acl=z, model=z, field=z (requsted z), object_owner_id=(r_)NN)1r__dict__rrr load_fieldsrvaluerr8rFsubject_full_group_listanonymous_usersharelink_anonymous_userCmfPersonGroupsharelink_grouprrrhasattr startswith api_scoperkrcheck_project_role_access check_accessrrrr is_not_null%project_perm_timetrackerhistory_cacheCmfSecurityLevelcheck_perm_security_levelr CmfProjectrfrrargsREDIS_DBredis _new_acl_keytimesleepracurrent_personrCmfPermissionError)&rwrrrrr"rrrrrrrrr_CmfAccessList__grstat_keyresultrequested_object_fieldrr_userr ppp_cache_keyppp_ressec_res_acl_owned_projectsprojecteacl_idrrrrrrrs&```` ```` ` ` ` @@@@@@rrzCmfAccessList.check_accesssRjjn !n !`+ J+ JZG G G R # %)mAO??D'D d "G - !,  - [Q!-   ' ' 7 / 2 2 8 8 +66M(.(<(<(T(TUdnr(T(s %(71;K;K(K %!"<"<<"("7"7"G"G"I)--o.@.@.F.FGNNE$)HHNN! % 0 0 $(! % (+,G(H %(+,G(H %()S1A-B%&!+&% >gf.DE%) 8L8L]8[1#>c:dJ$4$?$? $N- Y11-@&  $.,/@.A) M "?(2l3D2E$FM#0/!++ ? 9:>>}cRc>"66PPQUWfhrfqUd]b Qe!" y 8V=Q=Q=^=^0?ll{,1YYi,7Yx/=qO_O_ >_>a &+2YF JOrA77 FEI33MB_%F >gf.DE)"6"67O"P1!:_:_J(__\:  ++77 / : :; #-,/@.A) M AAEEmUXYc>&!..*;*;;FD_D_DyDyz~AShrfqUd]b EzEe"'rQVWYQZ?? NRV?? N_$F >=J$4$?$? $N- --GGHgistG& J&xr >.3D'")!-A4"H "* $*#4#4#:#:$($< $~s4Qb:cd#0066oWbVc6d#!! JJx)) *##  3::j)* M&,h(8M8Mh_e8M8f1f1f#hh #is-2C4 C9,C9c |j||d}tjjdgddt |g}|sg}|dd|D cgc]} | j c} gg}|j |||Scc} w) NT)rr$rrKrrrr)rQrPorder_by)rr8rRrfr*rK) rwrr$rQrPr+r% member_of related_rulesrs rrIzCmfAccessList.subject_list_acls//J`d/e ,,22;-Q[]acghqcrPs2t F4='Q4'QRSxxvfxxHH(RsA: c`tjstjry|r t|y)NTF)rrrr)messagers rcheck_admin_modezCmfAccessList.check_admin_modes' A$4$4 $W- -rc>tjjjtj j jdvr5tjs%tjjs tddt_ dt_ y)NTractivate_admin_mode) r8r admin_grouprrr rg_member_of all_parents is_supportrrrrrrrr2z!CmfAccessList.activate_admin_modesi  , , . 1 19I9I9V9V9b9bko9b9p p)B)B$%:; ; $rcFdt_dt_dt_y)uПервоначальная инициализация контекста, чтобы работали g.current_person, в т.ч. создание пользователей.TN)rrrr)rws r init_contextzCmfAccessList.init_contexts!%&*#rc*ttddt_tjr0tjs dt_t t_n+tjtjk(t_tjjtjdt_tjstjjstjtjk7r~tj dk7rk|j"s6t%tj&j)j*|_tjj-|j"tj r dt_tj.rctj0rRtj&j3}tjj-|j*j4yyy)u\Сейчас уже должны быть рабочие g.current_person и g.system_personrNTrsd_api)rAPPrr system_personrr6rrr8rFrroIS_AUTHORIZATORrrr_CmfAccessList__guest_group_idrr guest_grouprrsharelink_access_requestsharelink_access_grantedrr)rwrs r setup_contextzCmfAccessList.setup_contextsT!(-BD I #A *-%A ' //1??BA *0*>*>*V*VWXWgWgqu*V*vA '..,,77((A,<,<< x/+++.v/D/D/P/P/R/U/U+VC(++//0D0DE  $(A ! % %!*D*D$33CCEO ' ' + +O,>,>,D,D E+E %rct}t}|D]-}|j|jt|d/|j}|sy|j j D]Z}g|j|jD]:}|j|js|j|jZ\|r|j|dyy)u Нужно по списку субъектов получить список затронутых ACL и вызвать trigger_reload(access_list_ids) TODO: плохо, что ищем по текущим данным ACL, которые могут устареть. Можно перенести эту логику на серверный обработчик события T)r$rNF)access_list_idsuser_show_acl_apply_progress)r6rjrrrHr-valuesr&r% intersectionrrrtrigger_reload)rw subjects_idsrDaffected_subjects_idsr$r~r-rs rsubject_changed_hookz"CmfAccessList.subject_changed_hooks% #& pJ ! ( ()D)DPST^P_im)D)n o p== <<&&( C<#..<3+;+;< (55dmmD#''/      ]b  c rrDu,Применение изменений ACL ) only_onceonly_once_args descriptionshow_bg_progressbar countdownc  tjdtjj d}t |sdg} fd |D]z}|d}tjdn_tj jj|}|sJ|jdk(rd}tjdn  |g||stjd|d ttjd }d }d t|z }|D]}||z }|r!tj|j d,|j#d dgddt gd dgDchc]}|j$} }| sjtjd|j dt| t| d kDrCtjd|j tj|j dtj|j |  tjdycc}w)Nzacl::proccess_chanded_acl startFc|sy|D]G}|vrj|tjjj |Iyr/)rrFrHr1rk) acl_id_list_acl_id_full_idsprocess_acl_lists rrWz@CmfAccessList.proccess_chanded_acl_job..process_acl_list sP' Vh& W% !8!8!G!G!K!KG!TU  VrTz8process_changed_acl(): acl_id is None, drop_all_cache!!!rz(process_changed_acl(): drop_all_cache!!!z#process_changed_acl(): changed_acl=z, affected_acl=c"t|tSr/) issubclassr )ms rr0z8CmfAccessList.proccess_chanded_acl_job..:s 1i8Prrr;rrperm_effective_acl_idre)rQrPslicez3acl::proccess_chanded_acl run invalidate_ids model=z len=z>acl::proccess_chanded_acl too many, flush all cache for model=zacl::proccess_chanded_acl end)rrr8rFrYr6rHr-rkr r*rd iter_modelsrv CMF_CACHEinvalidate_idsrnrfr) rDdrop_all_cacherr- model_listpctpct_steprrobj_idsrVrWs @@rproccess_chanded_acl_jobz&CmfAccessList.proccess_chanded_acl_jobs: 13 **,5#fO V& 'F~!%RS))--11&9Cxx8#!%BC fX & ' GG9/9J/ZbYcd e'--.PQR Z( @E 8OC(()9)94@!;;tTlD[]acghpcqCr{|B{C;DEEGE GGI%JZJZI[[`adelam`no p7|c!XY^YiYiXjkl(()9)94@  $ $U%5%5w ?) @* /1Es,H<CmfAccessList:changed)channelc Nd}tddatj|y)Nc$tdtjdtrStddatj j 5tjjdddytdy#1swYyxYw)Nzacl::reload handler spawnedzacl::reload handler do reloadFzacl::reload handler skip) rarr_acl_need_reloadr7app cmf_contextr8rFrYrrrhandlerz,CmfAccessList.on_acl_change..handlerYso / 1 JJqM57#( WW((*9((668990299s BBzacl::reload spawn handlerT)rarlgeventspawn)datar%ros r on_acl_changezCmfAccessList.on_acl_changeTs$ 3 )+ Wrc tdg}|Ftdd|Dcgc] }t|c}i|D]}|jt|r)tddt|i|j|ntddd}|rAtj j tjjjt|jd|iycc}w)Nzacl::reload triggerrgrDaccess_list_id)kwargs) racmf_emit_server_eventrrgrdeferred_force_show_progressbarrr8rFrfnameschedule_deferred_job)rwrurDrEjob_access_list_ids rrHzCmfAccessList.trigger_reloadis #%   & !'"$_^S%8$_` b#2 ?"))#n*=> ?  !"9rBrKcmf_deferred_jobrfon_server_eventrsrHrrrrrSrrrrrrr __classcell__)rs@rrFrFDs OIwO**,,::FF J  K UnUnn11 .2*.*.*.-1'+>B*..2%) ,0\%c]\#3-\#3- \ #3- \ &c] \ }\&cjj&:&:;\"$\'sm\TN\\|"II%%  "F"FHdd2(9':BX]ikmJ2mJ2X456&ll.P22& (    L \ \rrF))r(rrhr collectionsrrtypingrrrrr r rp cmf.includecmf.appr7cmf.fields.cmf_access_list cmf.modelsr rorp cmf.metricsr dataclassrrr,r6_acl_changed_idsr:r_policy_prioritiesrr ExceptionrDrQrrFrrrrs 099 !  3  OOO HHH5024u -2 ./  y I\CJJ..<<I\r