tiUddlZddlZddlZddlZddlmZmZddlmZm Z m Z m Z m Z m Z mZddlZddlddlZddlZddlmZej.rddlmZej4GddZej4Gd d Zej4Gd d ZeZia e eefe!d <ddddZ"e#hdZ$Gdde%Z&GddejNjPjRZ)y)N) OrderedDict defaultdict)TupleDictOptionalListSetTypeLiteral)*) CmfEntity)cmf_access_list_metricscReZdZUdZeeed<dZeed<dZeeed<dZ eed<y)AccessRuleDataNsubjects object_model object_fields access_level) __name__ __module__ __qualname__rr str__annotations__rrr./cmf/models/cmf_access_list.pyrrs2Hc#hL#"M3s8"L#rrceZdZUdZeed<dZeed<dZeed<dZ eed<dZ eed<e je Zeeed<e je Zeeed <y) AccessListDataNdisabledidcodeinherit_acl_idobject_owner_iddefault_factory custom_rules auto_rules)rrrrboolrr rr!r"r# dataclassesfieldlistr&rrr'rrrrrskHdBND#NCOS):):):4)PL$~&P'8{'8'8'NJ^$NrrcbeZdZUejeZeee fe d<ejdZ eee efe d<eje Zeee d<ejeZeeeej&j(fe d<ejeZeeefe d<y) AclDatar$aclc ttSN)rr+rrrzAclData.(s U`aeUfracl_inherit_by used_fieldsstatic_access_control_modelscacheN)rrrr)r*dictr.rrrrr2rsetr3r r4r cmfmodels BaseModelr5rrrrr-r-%s%6[%6%6t%LCc>! "L+<;+<+fullreadwritec eZdZy)_AclStopN)rrrrrrrErE@srrEceZdZUdZdZdZeed<dZe jjjjdgzZ dZedZed ZdZed3d Ze d4d eed eed eedeedeedeedee j,j.deedeedeefdZed5dZed6dZed7dZedZedZ dZ!edZ"edZ#ee$ddgddd !d3d"Z%ee&d#$d3d%Z'ed8d&Z(fd'Z)ed(Z*fd)Z+d*Z,fd+Z-d,Z.d-Z/d.Z0d/Z1d3fd0 Z2d1Z3d2Z4xZ5S)9 CmfAccessListTN _ACL_DATAisubject_list_aclcdd|jggdg}tjj|dgD]}|j y)N parent_id=)sys_typerMautorNfilterfields)r r9 CmfAccessRuler+delete)self acl_filteracl_items rclear_auto_aclzCmfAccessList.clear_auto_aclMsI"C13LM ,,11ZL1Y H OO  rc  tdtjdtj dd}d}d}d}d}d}t }hd}|j gd} | D]} |d z }t| j| j| j| j| j } | |j| j<| |j| j<| js|j| jj| jt j"j d gd gd ggd} | D]} |d z }| j$r| j&|vrD|d z }tdtjd| d| j$d| j&d g| j$Dchc]!}t)j*|j#}}| j,r-| j,Dchc]}t)j*|c}nd}|r|j.j1|t3|| j4xrt)j*| j4|t)j*| j&}|jj7| j8} | sE|d z }tdtjd| d| j8d| j&d | j:dk(r"|d z }| j<j|| j>j|t@j jBjED]+}|jFdk(s||jH|jJ<-|tL_'|tPjRrtTjVjYd tTjZjY|tTj\jY|tTj^jY|tTj`jY|tTjbjY|tdtjdte| dte| dycc}wcc}w)u TODO: что делаем, если загрузка acl падает??? Всё разрешаем или всё запрещаем? zload_acl_data(pid z): start load_acl_datar=r>denyrArBrC denyWrite)rr#r"rR)rr r!r"r#OR)rrMN)rrMF)rLrNrrrrrPz): skip z due to empty subjects(z) or invalid access_level()N)rrrrz due to absent access_list(rOstaticz ): loaded z acl, z rules)3printosgetpidcmfutilmake_prof_pointr-slistrrr r!r"r#r.r2appendr9rSrrsysinternrr3updaterrgetrLrNr'r&r8r:iter_subclassesacl_typer4 class_namerGrIconfigMETRICS_ACCESS_LISTrrZrC access_list access_ruleaccess_rule_absentaccess_rule_emptyaccess_rule_autolen)cls prof_pointaccess_list_countaccess_rule_countaccess_rule_absent_countaccess_rule_empty_countaccess_rule_auto_countacl_datavalid_access_levels access_listsrraccess_list_data access_rulesrssubject subjects_data field_nameobject_fields_dataaccess_rule_datamodels rrZzCmfAccessList.load_acl_dataRsU "299;-x89,,_cB #$ "#!"9Lyy(YyZ ' [K  " -$--+..{GWGW*99;KfKf h 3CHLL).. /0@HLL),, -))'' (B(BCJJ;>>Z [++1113KLi2k (% GK  " '';+C+CK^+^'1,'( Xk]-k.B.B-CD00;0H0H/ILMCNCWCWXSZZ 3XMX,,LWKdKd!eZ#**Z"8!e26 !$$++,>?-&[5M5M5vRUR\R\]h]u]uRv0szz+JbJb?c e  (||// 0E0EF #(A-(( Xk]1+2G2G1HI00;0H0H/ILM##v-&!+& ++223CD --445EFK% GNZZ))99; PE~~)JO55e6F6FG P#+   % % # 1 1 7 7 : # / / 5 56G H # / / 5 56G H # 6 6 < <=U V # 5 5 ; ;j-|d}|dur~tj"j k7rMtj.j1dd|d s(t5i}t5itj>|<ndtj>|<n|n|}|\| rZd}| r| j)dr| }tj@jC| |}|dk(rn|d k(r t5d!h}n t5i}|r| rp'rn sltEtd"d}|OtjFjId#d$gd%d&d''gd(d)'ggg*Dchc]}|j }}|t_%| |vrt$}d+k(rr}n tM}tNjQ|d}|rx|jRrl|j-d,}|rYtjTjW||jRj-} | r"| jY|d.s t[|| |} |r||vrd }|sh| rftkd2tjld3 d4'd5|d6d7d8d9|d:d;xrtjnj-d<t[||Scc}w#t\$rv}!|!j^d }"t`jbj-je|"}#|#|#|d/k(r|d0d1|"tgjhd Yd}!~!nd}!~!wwxYw|)>u Проверка/получение прав доступа к объекту или его полю. Возвращает список доступных прав. Если raise_error == True, то генерирует стандартную ошибку о недостаточности прав доступа. Если текущий пользователь админ, или владелец объекта, или проверка прав отключена, то выдаём полные права. :param object_parent_id: TODO: object_instance может быть без филдов при sget и is_web_public :param object_instance: :param is_new: :param object_id: :param object_dict: :param initial_acl_key: id/code - списка доступа, по которому начинанать поиск. :param object_model: имя модели объекта, если пременимо :param object_field: поле объекта, если применимо :param access_level: если указан, то проверяется наличие конкретного уровня доступа. :param object_owner_id: владелец объекта, параметр для удобства, если указан и совпадает с текущим пользователем, то получаем полные права. :param raise_error: определяет: return False или raise CmfPermissionError :param checking_person - если указан, проверяются его права, а не сессионный g.current_person :param perm_security_level_allowed_ids - ? :param checked_policy - объект проверен бизнес логикой и нужно использовать указанную политику :return: Set[str]/False/raise CmfPermissionError Nc> fd  fd  fdt t g  rd|rM|dvrdddt|dk(rdt|d k(r ttd |d}rrtt}|j }|d k7r*|j rj r |j }|d k(rd}n2|d k(rd }n*|d k(rd }n"td||j |j |srd}|dk(rdddn"|d k(r dn|d k(s|sn td|t }tj||}|S#t$rY.wxYw)Nc2|vrj|yyr0)add) access_level_deniedgranteds r add_grantzBCmfAccessList.check_access..calc_access..add_grants .KK ./rc|jr|jk(r|jr|jvr|jzr|jdk(rdddt|jdk(rt|jdk(r#j dj dy|jdk(rddy|jdk(r dyyyyy)NrArCrBr[r\)rrrrrEr)rulerrrrrs r check_rulezCCmfAccessList.check_access..calc_access..check_rules**d.?.?<.O!//<4CUCU3U!DMM1((F2!&)!'*!&)&**f4&**k9 6* 7+**g5!'*!&)**f4!&)524V/Prc  jj|}|sI|tjk(ryt d|ddt j td|||jvr)t d|jdtd|j|jtj|j|jD] }| |jr|jSy)Nz. !!! CmfAccessList.check_access: acl_key z not found, processed z, pid=uНе загружен ACL z0 !!! CmfAccessList.check_access: recursion z in u+!!! Кольцевые ссылки у ACL )r.rlr new_acl_idrbrcrdCmfACLNotFoundErrorr CmfErrorrh itertoolschainr&r'r")acl_keyr.rr check_aclrprocessed_aclss rrzBCmfAccessList.check_access..calc_access..check_aclsll&&w/!,,.$$+9,B>BRRXY[YbYbYdXegh.0J7).TV]^^66^+LSVVHTXYgXhij"%PQXPY#Z[[%%cff- &OOC,<,)rr? model_policydefault_policy) r7 ValueErrorrEgetattrr9acl_default_user_policyacl_default_ib_admin_policyrtupler; setdefault)rchecked_policyrr model_clsr granted_tuplerrrrrrrrxrr is_local_userrs` ` @@@@@@@r calc_accessz/CmfAccessList.check_access..calc_accesss / * *, 94eGUFN0HC "o.(#"%)::!&)!'*!&)#N(61!&) #N (61#N)^`npp QUM ' =I#,#D#DL% 1%AAOOF_O`'0'L'L #y0)/%3)3%/)/(*L%==y?d?dff&-&,N!V+f%g&f%#z1f%#v-^$%5~FF "'NM5@@P]^M   sD2F FFc d} r|jrd}nډk(r|jr |jvrd}n vr|jr |jvrd}nr|jr |jvrd}nxrv|tj k(rc r j ddr' rM r js?n jjs(}|stj}|jdrd}|rd}n#|j r vr |jv}nd}|rthd}n|r tdh}n t}tj||S)NFT user_local ContactAdmins) group_code>rArBrCrB)acl_allow_createacl_static_owner_write_fieldsacl_static_self_write_fieldsacl_static_user_write_fieldsr9 CmfPersonrlroldr current_userin_person_groupacl_static_public_fieldsrr;r)static_acl_model allow_write _chk_person allow_readresult_checking_personrcurrent_person_idrrrrrrr#s r calc_staticz/CmfAccessList.check_access..calc_staticnsbK*;;"  $55(FF$(8(V(VV" 77(EE$(8(U(UU" #3#P#P$(8(U(UU" #3v7G7G#G!+//,*M'v1K1K[j[u[u[y[y- ""#..K../.J"&K! #<<H\^gpI_I!-1A1Z1Z!ZJ"&J 9:/'-77I Ircd} j}|s td|jj}|rt j xrt j xrt j xrt j xrt j f}|j j|}|dxxdz cc<ndxxdz cc< |}|r k(rdxxdz cc<t}|}|jvrd} }|s#rjd}nr tdd}t j xrt j xrt j |xrt j ||xrt j |f}|j j|}|dxxdz cc<|Sdxxdz cc< ||| }||j |<t|j  jkDrt j|j t|j t j|zz}td t|j d |d zd tj|j j! jdzDcic]\}}|| c}}|_|Scc}}w)Nu8Система ACL не инициализированаacl_check_cache_staticr^acl_check_calc_staticacl_check_owner_skip _acl_policyacl_check_cacheacl_check_calc)rrz!CmfAccessList: shrink cache, len z, size iz Kb)rICmfACLNotInitializedErrorr4rlrirjr5 _full_accessr3rrw_CACHE_MAX_SIZE getsizeofrbrisliceitems)rrr cache_key object_field_checked_policy_ cache_sizekvrrrrxrrrrrrrrr#stats rcheck_with_acl_dataz7CmfAccessList.check_access..check_with_acl_datasG}}H/0jkk'DDHHV JJ017#**Y"7#C ?(C =SZZ %= =SZZ %=  #..,,Y7&12a7201Q61)*:;G":K'K/0A50*G , x';';;$(M"0&"*5//-*H(*1/=RV*WJJ01#C ?(C =SZZ %=!?cjj&?#C ?(C E #..,,Y7&*+q0+N)*a/*)(?anoG07HNN9-8>>*S-@-@@%(]]8>>%B3x~~CVWZWdWdenWoCo%o ?HNN@S?TT[\fhl\l[mmpqs .7-=-=hnn>R>R>TVYViViklVl-m*o%)QAqD*oN*os% K= profiler_data acl_check)racl_check_skiprrrrrrr^rTid_onlyFrcurrent_user_is_anonymousdisable_permissionsacl_admin_moderCmfProjectPermSchemez CmfProject:#current_user_is_sharelink_anonymousproject_perm_browse_cache.z PPP-PR-BROWSE)project_id_simplecheckobj_dict_simplecheckobj raise_errorpub_api) rrr#rrrrperm_security_level_allowed_idsrrzCmfTimeTrackerHistory: project_idzPPP-WORKLOG-VIEWrAr?rBacl_owned_projects--r r_ cmf_owner_idrMcmf_owner_assistantsINrRrQ CmfAttachment category_id)r scheme_id)r request_iddebugz2CmfAccessList.check_access(): waiting for loading z !!! ACL access denied for z(or z)(z ), request z , to acl=z, model=z, field=z (requsted z), object_owner_id=(r`)NN)8r__dict__rrr load_fieldsr valuerr9rGsubject_full_group_listanonymous_usersharelink_anonymous_userrsharelink_grouprrrhasattr startswith api_scoperlrcheck_project_role_access check_accessrrrr is_not_null%project_perm_timetrackerhistory_cacheCmfSecurityLevelcheck_perm_security_levelr CmfProjectrgrr6APPget_cache_projectattachment_scheme_idCmfAttachmentSchemeCategoryget_cache_instancecheck_category_accessCmfPermissionErrorrargsREDIS_DBredis _new_acl_keytimesleeprbcurrent_personr)*rxrrrrr#rrrrrrrrr_CmfAccessList__grstat_keyresultrequested_object_fieldrr _userr ppp_cache_keyppp_ressec_res_acl_owned_projectsproject object_data cache_projectrscheme_categoryeacl_idrrrrrrrs*```` ```` ` ` ` @@@@@@rrzCmfAccessList.check_accesss[RjjD !D !L+ J+ JZG G G R # %)mAO??D'D d "G - !,  - [Q!-   ' ' 7 / 2 2 8 8 +66M(.(<(<(T(TUdnr(T(s %(71;K;K(K %!"<"<<"("7"7"G"G"I)--o.@.@.F.FGNNE$)HHNN! % 0 0 $(! % (+,G(H %(+,G(H %()S1A-B%&!+&% >gf.DE%) 8L8L]8[1#>c:dJ$4$?$? $N- Y11-@&  $.,/@.A) M "?(2l3D2E$FM#0/!++ ? 9:>>}cRc>"66PPQUWfhrfqUd]b Qe!" y 8V=Q=Q=^=^0?ll{,1YYi,7Yx/=qO_O_ >_>a &+2YF JOrA77 FEI33MB_%F >gf.DE)"6"67O"P1!:_:_J(__\:  ++77 / : :; #-,/@.A) M AAEEmUXYc>&!..*;*;;FD_D_DyDyz~AShrfqUd]b EzEe"'rQVWYQZ?? NRV?? N_$F >=J$4$?$? $N- --GGHgistG& J&xr >.3D'")!-A4"H "* $*#4#4#:#:$($< $~s4Qb:cd#0066oWbVc6d#!! JJx)) *##  3::j)* M&,h(8M8Mh_e8M8f1f1f#hh #is-2C4 C9,C9c |j||d}tjjdgddt |g}|sg}|dd|D cgc]} | j c} gg}|j |||Scc} w) NT)rr7rrLrrrr )rRrQorder_by)rr9rSrgr+rL) rxrr7rRrQr>r8 member_of related_rulesrs rrJzCmfAccessList.subject_list_acls//J`d/e ,,22;-Q[]acghqcrPs2t F4='Q4'QRSxxvfxxHH(RsA: c`tjstjry|r t|y)NTF)rrrr)messagers rcheck_admin_modezCmfAccessList.check_admin_modes' A$4$4 $W- -rc>tjjjtj j jdvr5tjs%tjjs tddt_ dt_ y)NTractivate_admin_mode) r9r admin_groupr rr" rg_member_of all_parents is_supportrrrrrrrrEz!CmfAccessList.activate_admin_modesi  , , . 1 19I9I9V9V9b9bko9b9p p)B)B$%:; ; $rcFdt_dt_dt_y)uПервоначальная инициализация контекста, чтобы работали g.current_person, в т.ч. создание пользователей.TN)rrrr)rxs r init_contextzCmfAccessList.init_contexts!%&*#rc*ttddt_tjr0tjs dt_t t_n+tjtjk(t_tjjtjdt_tjstjjstjtjk7r~tj dk7rk|j"s6t%tj&j)j*|_tjj-|j"tj r dt_tj.rctj0rRtj&j3}tjj-|j*j4yyy)u\Сейчас уже должны быть рабочие g.current_person и g.system_personrNTrsd_api)rrrr system_personrr7rr"r9rGrrpIS_AUTHORIZATORrrr _CmfAccessList__guest_group_idrr guest_groupr rsharelink_access_requestsharelink_access_grantedr r)rxr s r setup_contextzCmfAccessList.setup_contextsT!(-BD I #A *-%A ' //1??BA *0*>*>*V*VWXWgWgqu*V*vA '..,,77((A,<,<< x/+++.v/D/D/P/P/R/U/U+VC(++//0D0DE  $(A ! % %!*D*D$33CCEO ' ' + +O,>,>,D,D E+E %rct}t}|D]-}|j|jt|d/|j}|sy|j j D]Z}g|j|jD]:}|j|js|j|jZ\|r|j|dyy)u Нужно по списку субъектов получить список затронутых ACL и вызвать trigger_reload(access_list_ids) TODO: плохо, что ищем по текущим данным ACL, которые могут устареть. Можно перенести эту логику на серверный обработчик события T)r7rNF)access_list_idsuser_show_acl_apply_progress)r7rkrrrIr.valuesr'r& intersectionrrr trigger_reload)rx subjects_idsrVaffected_subjects_idsr7rr.rs rsubject_changed_hookz"CmfAccessList.subject_changed_hook"s% #& pJ ! ( ()D)DPST^P_im)D)n o p== <<&&( C<#..<3+;+;< (55dmmD#''/      ]b  c rrVu,Применение изменений ACL ) only_onceonly_once_args descriptionshow_bg_progressbar countdownc  tjdtjj d}t |sdg} fd |D]z}|d}tjdn_tj jj|}|sJ|jdk(rd}tjdn  |g||stjd|d ttjd }d }d t|z }|D]}||z }|r!tj|j d,|j#d dgddt gd dgDchc]}|j$} }| sjtjd|j dt| t| d kDrCtjd|j tj|j dtj|j |  tjdycc}w)Nzacl::proccess_chanded_acl startFc|sy|D]G}|vrj|tjjj |Iyr0)rrGrIr2rl) acl_id_list_acl_id_full_idsprocess_acl_lists rriz@CmfAccessList.proccess_chanded_acl_job..process_acl_listXsP' Vh& W% !8!8!G!G!K!KG!TU  VrTz8process_changed_acl(): acl_id is None, drop_all_cache!!!rz(process_changed_acl(): drop_all_cache!!!z#process_changed_acl(): changed_acl=z, affected_acl=c"t|tSr0) issubclassr )ms rr1z8CmfAccessList.proccess_chanded_acl_job..rs 1i8Prrr<rr perm_effective_acl_idre)rRrQslicez3acl::proccess_chanded_acl run invalidate_ids model=z len=z>acl::proccess_chanded_acl too many, flush all cache for model=zacl::proccess_chanded_acl end)rrr9rGrZr7rIr.rlr!r+re iter_modelsrw CMF_CACHEinvalidate_idsrorgr ) rVdrop_all_cacher1r. model_listpctpct_steprrobj_idsrhris @@rproccess_chanded_acl_jobz&CmfAccessList.proccess_chanded_acl_job<s: 13 **,5#fO V& 'F~!%RS))--11&9Cxx8#!%BC fX & ' GG9/9J/ZbYcd e'--.PQR Z( @E 8OC(()9)94@!;;tTlD[]acghpcqCr{|B{C;DEEGE GGI%JZJZI[[`adelam`no p7|c!XY^YiYiXjkl(()9)94@  $ $U%5%5w ?) @* /1Es,H<CmfAccessList:changed)channelc Nd}tddatj|y)Nc$tdtjdtrStddatj j 5tjjdddytdy#1swYyxYw)Nzacl::reload handler spawnedzacl::reload handler do reloadFzacl::reload handler skip) rbr r!_acl_need_reloadr8app cmf_contextr9rGrZrrrhandlerz,CmfAccessList.on_acl_change..handlerso / 1 JJqM57#( WW((*9((668990299s BBzacl::reload spawn handlerT)rbr~geventspawn)datar8rs r on_acl_changezCmfAccessList.on_acl_changes$ 3 )+ Wrc tdg}|Ftdd|Dcgc] }t|c}i|D]}|jt|r)tddt|i|j|ntddd}|rAtj j tjjjt|jd|iycc}w)Nzacl::reload triggerryrVaccess_list_id)kwargs) rbcmf_emit_server_eventrrhrdeferred_force_show_progressbarrr9rGrxnameschedule_deferred_job)rxrrVrWjob_access_list_ids rrZzCmfAccessList.trigger_reloads #%   & !'"$_^S%8$_` b#2 ?"))#n*=> ?  !"9B*..2%) ,0F%c]F#3-F#3- F #3- F &c] F }F&cjj&:&:;F"$F'smFTNFFP"II%%  "F"FHdd2(9':BX]ikmJ2mJ2X456&ll.P22& (    L \ \rrG)*r)rrir  collectionsrrtypingrrrrr r r r cmf.includecmf.appr8cmf.fields.cmf_access_list cmf.modelsr rprq cmf.metricsr dataclassrrr-r7_acl_changed_idsr;r_policy_prioritiesrr ExceptionrErRrrGrrrrs 0BBB !  3  OOO HHH5024u -2 ./  y A\CJJ..<<A\r