U -dz@sUddlZddlZddlZddlZddlmZddlmZmZm Z m Z m Z m Z ddl Z ddlTddlZddlZejGdddZejGdddZejGd d d Zd aiaeeefed <dd ddZedddhZGdddeZGdddejjj Z dS)N) OrderedDict)TupleDictOptionalListSetType)*c@sFeZdZUdZeeed<dZeed<dZeeed<dZ eed<dS)AccessRuleDataNsubjects object_model object_fields access_level) __name__ __module__ __qualname__r rstr__annotations__r r rrr./models/cmf_access_list.pyr s  r c@szeZdZUdZeed<dZeed<dZeed<dZ eed<dZ eed<e j e dZeeed<e j e dZeeed <dS) AccessListDataNdisabledidcodeinherit_acl_idobject_owner_iddefault_factory custom_rules auto_rules)rrrrboolrrrrrr dataclassesfieldlistrrr rrrrrrs      rc@seZdZUejedZeee fe d<eje dZ e ee d<ejedZeeeejjfe d<ejedZeeefe d<dS)AclDataracl used_fieldsstatic_access_control_modelscacheN)rrrr!r"dictr%rrrrsetr&rr'rcmfmodels BaseModelr(rrrrrr$"s $r$F_acl_cache_granted_tuplesd)defaultreadonlyZprivatefullwritereadc@s eZdZdS)_AclStopN)rrrrrrrr6<sr6c seZdZUdZdZdZeed<dZddZ e dd Z e d d Z e d;e ee ee ee ee ee ee ejje ee ee ed d dZedddZeddZe ddZe ddZeedddd Ze d!d"Zfd#d$Zfd%d&Z d'd(Z!fd)d*Z"d+d,Z#d-d.Z$d/d0Z%d1d2Z&d?fd3d4 Z'd5d6Z(d7d8Z)e d@d9d:Z*Z+S)A CmfAccessListTN _ACL_DATAicCs6dd|jgdddgg}tjj|dD] }|q$dS)N parent_id=sys_typeautofilter)rr, CmfAccessRuler#delete)selfZ acl_filterZacl_itemrrrclear_auto_aclFszCmfAccessList.clear_auto_aclc Cstdtdt}dddddh}|jdd d gd }|D]\}t|j|j|j|j |j d }tdtd |jd|jd||j |j<||j |j<q>t j jddddgdddggddddddgd}|D]Z}|jr|j|krtdtd|d|jd|jd qdd|jD}|jr:d d|jDnd} | rP|j| t||joft|j| t|jd!} |j |j}|stdtd|d"|jd|jd qtdtd#|jd$| jd%| jd&| jd'| jd(|jd|jd|jd)kr|j| q|j| qtj jD]} | j d*kr8| |j!| j"<q8|t#_$tdtd+t%|d,t%|d-dS).u TODO: что делаем, если загрузка acl падает??? Всё разрешаем или всё запрещаем? zload_acl_data(pid z): startr3r5r4deny denyWriterrrfields)rrrrrz ): add acl(z, )ORr;NFr:r<r r r rr?rGz): skip z due to empty subjects(z) or invalid access_level(cSsh|]}t|jqSr)sysinternr).0subjectrrr jsz.CmfAccessList.load_acl_data..cSsh|]}t|qSr)rKrL)rMZ field_namerrrrOls)r r r rz due to absent access_list(z): add rule(type=z , subjects=, model=z , fields=z, level=z, acl=(r=Zstaticz ): loaded z acl, z rules)&printosgetpidr$slistrrrrrrr%r,r@r rr r&updater r rKrLgetr:r<rappendrr+r-iter_subclassesZacl_typer' class_namer7r9len) clsacl_dataZvalid_access_levelsZ access_listsZ access_listZaccess_list_dataZ access_rulesZ access_ruleZ subjects_dataZobject_fields_dataZaccess_rule_datamodelrrr load_acl_dataKsn$  $  $F  zCmfAccessList.load_acl_datacCs|j}|o|jS)uНабор полей, по которым существуют правила, чтобы не проверять всё подряд.)r9r&)r[r\rrrr&szCmfAccessList.used_fields) initial_acl_keyr object_fieldrr object_idobject_instance object_dictobject_parent_idis_newc s fdd}  f dd}dtkrDtt_tj}d|krhdD]}||dqV|dd 7<d }}| r| d g| jj| jtj j | d d | tj krtj }|jjn>tjotjjjtjtjtjstjr|dd 7<t}|d kr| rrt| dkr| sdtkrzddtjjddgdddgddgggdDt_| tjkrt}|d kr>|jstdj  r>tot ot  ot otf}j |}|d k r(|dd 7<n|dd 7<|}|d krl rl krl|dd 7<t}|d krzj!krd tot ot otf}j |}|d k r|dd 7<n|d d 7<| }|j |<t"j |j#krzt$j t"j t$|}t%d!t"j d"|d#d$d%d&t&'j (|j#d'D_ |r||krd(}|s| rt%d)tjd*| d+d,|d-d. d/d0|d1 d2 otj) d3t* ||S)4u Проверка/получение прав доступа к объекту или его полю. Возвращает список доступных прав. Если raise_error == True, то генерирует стандартную ошибку о недостаточности прав доступа. Если текущий пользователь админ, или владелец объекта, или проверка прав отключена, то выдаём полные права. :param object_parent_id: TODO: object_instance может быть без филдов при sget и is_web_public :param object_instance: :param is_new: :param object_id: :param object_dict: :param initial_acl_key: id/code - списка доступа, по которому начинанать поиск. :param object_model: имя модели объекта, если пременимо :param object_field: поле объекта, если применимо :param access_level: если указан, то проверяется наличие конкретного уровня доступа. :param object_owner_id: владелец объекта, параметр для удобства, если указан и совпадает с текущим пользователем, то получаем полные права. :param raise_error: определяет: return False или raise CmfPermissionError :param checking_person - если указан, проверяются его права, а не сессионный g.current_person :return: Set[str]/False/raise CmfPermissionError csfdd fddfddttgz rV d r rtt }|j}|dkrn:|d krd tn$|d krtntd d |d rֈddd Wntk rYnXt}t||}|S)Ncs|kr|dSN)add)Z access_level_)deniedgrantedrr add_grantszBCmfAccessList.check_access..calc_access..add_grantcs|jr|jkr|jr |jkr|j@r|jdkrRdddtn^|jdkrbtnN|jdkrddn.|jdkrddn|jdkrddS)Nr3r4r5rDrE)r r r rr6rg)rule)rjrhr`r r rr check_rules2        zCCmfAccessList.check_access..calc_access..check_rulecsj|}|s.calc_access..check_aclglobalr1r2r5rDzInvalid model acl policy z.acl_default_user_policy(z!), valid: default, readonly, denyr3r4) r*getattrr,Zacl_default_user_policyr6rmtupler. setdefault)Z model_clsZ model_policyZ granted_tuple)r\current_person__member_ofr_ is_local_userr`r )rjrprlrhrirqr r calc_accesssB   z/CmfAccessList.check_access..calc_accesscsd}r jrd}nkr2 jr2 jkr2d}nrkrP jrP jkrPd}nTrj jrj jkrjd}n:r tjkrrddrrrjsnjjsd}t |rdddhndh}t ||S)NFT user_localr3r4r5) Zacl_allow_createZacl_static_owner_write_fieldsZacl_static_self_write_fieldsZacl_static_user_write_fieldsr, CmfPersonrVryoldrtr.ru)Z allow_writeZresult_) rvcurrent_person_idrwrercr`rarbrstatic_acl_modelrr calc_staticsF   z/CmfAccessList.check_access..calc_static profiler_data acl_check)racl_check_skipacl_check_owner_skipacl_check_cacheacl_check_calcacl_check_cache_staticacl_check_calc_staticrNryTid_onlyr CmfProjectacl_owned_projectscSsh|] }|jqSr)r)rMZprojectrrrrO\sz-CmfAccessList.check_access..--rrI cmf_owner_idr;Zcmf_owner_assistantsINrGr?u8Система ACL не инициализированаrrrrrz!CmfAccessList: shrink cache, len z, size iz KbcSsi|]\}}||qSrr)rMkvrrr sz.CmfAccessList.check_access..Fz !!! ACL access denied for z(or z)(z ), request z , to acl=rPz, field=z (requsted z), object_owner_id=(rH)+grrruZ load_fieldsrvalueryr,r7subject_full_group_listZsharelink_anonymous_userCmfPersonGroupsharelink_grouprgcurrent_personrwrvdisable_permissionsacl_admin_mode _full_accesscmfutilZget_class_name_by_idrrTrr9ZCmfACLNotInitializedErrorr'rVrKrLr(r&rZ_CACHE_MAX_SIZE getsizeofrQrnisliceitemsrzCmfPermissionError)r[r_r r`rrrarbrcrdre raise_errorZchecking_personrxr~statZstat_keyresultZrequested_object_fieldrZ cache_keyZ cache_sizer) r\rvr|r_rwrercr`rarbr rr}r check_accesss%`                   $ P zCmfAccessList.check_accessFc sz|s|r|jj}tjjj}dd|gdd|gg}ddtjj|dgdD}|t ||rb|Sfd d|D}|S) NZchild_idr;Z parent_modelrcSsh|]}|jrt|jqSr)r:rKrL)rMZrelationrrrrOsz8CmfAccessList.subject_full_group_list..r:rJcs"h|]}tj|drqS)rF)rZ get_obj_by_id)rMZgroup_idrGobjrrrOs) rrr,r@r Z RelationCacherTrgrKrL)rN subject_idrrG_kwargsZgroup_model_namesZrelation_filterrrrrrs z%CmfAccessList.subject_full_group_listc Ks\|j||dd}tjjdgddt|gd}|s4g}|dddd |Dgg}|j|||d S) NT)rNrrr:r rrrcSsg|] }|jqSr)r:)rMrkrrr sz2CmfAccessList.subject_list_acl..)rGr?order_by)rr,r@rTr#) r[rNrrGr?rrZ member_ofZ related_rulesrrrsubject_list_acls zCmfAccessList.subject_list_aclcheck_admin_modecCs tjs tjrdS|rt|dS)NT)rrrr)messagerrrrrs zCmfAccessList.check_admin_modecCs:tjjtjjjddkr*tjs*t ddt_ dt_ dS)NTractivate_admin_mode) r,rZ admin_grouprrrZ rg_member_ofZ all_parentsZ is_supportrrrrrrrrs z!CmfAccessList.activate_admin_modecCsdt_dt_dt_dS)uПервоначальная инициализация контекста, чтобы работали g.current_person, в т.ч. создание пользователей.TN)rrrvrr[rrr init_contextszCmfAccessList.init_contextcCsttddt_tjr*tjs*dt_tt_n"tjtjkt_t j j tjddt_tjrXdt_tj r~tj r~t j}tj|jjdS)u\Сейчас уже должны быть рабочие g.current_person и g.system_personrNTr)rsZAPPrrZ system_personrr*rvrr,r7rZsharelink_access_requestZsharelink_access_grantedrrrgrr)r[rrrr setup_contexts    zCmfAccessList.setup_contextCmfAccessList:changed)ZchannelcKs"dd}tddat|dS)Nc Ss~tdtdtrrtddatj>tj t j j dt tdddrftd tW5QRXntd dS) Nzacl::reload handler spawnedrzacl::reload handler do reloadFz!CmfAccessList::clear_jscache:lockTi)ZnxZpxz0acl::reload handler do CMF_CACHE.flush_jscache()zacl::reload handler skip)rQtimesleep _acl_changedr+ZappZ cmf_contextr,r7r^ZREDIS_DBZredisr*rrRrSrdebugZ CMF_CACHEZ flush_jscacherrrrhandlers    z,CmfAccessList.on_acl_change..handlerzacl::reload spawn handlerT)rQrgeventZspawn)rrrrr on_acl_changeszCmfAccessList.on_acl_changecCstdtdddS)Nzacl::reload triggerr)rQZcmf_emit_server_eventrrrrtrigger_reloadszCmfAccessList.trigger_reloadcstdddgS)NrZpolicyparent)supersave_preload_fieldsrB __class__rrrsz!CmfAccessList.save_preload_fieldsc s|tjf|Srf)rrsave)rBkwargsrrrrszCmfAccessList.savec Ksg}tjjD]F}||jdddddddgddd |jgdd |jgdd |jggd q||jddddddgd d |jgd |S) NrrrnameZperm_effective_acl_idZperm_inherit_acl_idZ perm_acl_idrIr;rr)r+r,Z CmfEntityrXextendrTr)rBrrr]rrrfind_acl_usage s     zCmfAccessList.find_acl_usagec sH|}|r2td|dt|d|dd|tjf|S)Nu)Не возможно удалить acl u,, т.к. на него существует u ссылок, )rZCmfOrmIntegrityErrorrZrrrA)rBrusagerrrrA/s zCmfAccessList.deletecCsdSrfrrrrr_calc_perm_parent9szCmfAccessList._calc_perm_parentcCsdSrfrrrrr_calc_perm_has_acl<sz CmfAccessList._calc_perm_has_aclcCsdSrfrrrrr_calc_perm_acl?szCmfAccessList._calc_perm_aclcCsdSrfrrrrr_calc_perm_effective_aclBsz&CmfAccessList._calc_perm_effective_aclcs|s tjg}tj|dS)N) spread_models)r,r@r_acl_spread_inheritance)rBrrrrrEsz%CmfAccessList._acl_spread_inheritancecCs$||jr d|_|jdddS)NFTZ only_data) save_preparerr)rBZ_rulerrrsave_rule_hookJszCmfAccessList.save_rule_hookcCsD||js@tjjdd|gdd|jggds@d|_|jdddS)Nrr;rz!=r>Tr)rrr,r@rTrr)rBrkrrrdelete_rule_hookPs  zCmfAccessList.delete_rule_hookcCs|jddrdSdd|jddD}|s.dStj }|sBtd|r`|jr`tj|_tj|_dS|rp|t |8}|j j tjj kr|r|t |8}|j tj kr|r|t |8}|sdS|jd|d |d d S) z)deprecated method, due not API integratedF)rTcSsh|]}|js|jqSr)Zno_aclrY)rMr"rrrrO`sz:CmfAccessList.subject_model_check_write..)Z is_changedzAccess Prohibitedztry change fields z on )rN)rvaluesrZ public_accessrrerZ cmf_ownerZ cmf_authorr*rr{rrv)r[rNZ allow_createZallow_user_fieldsZallow_owner_fieldsZallow_self_fieldsZchanged_fieldsZis_userrrrsubject_model_check_writeXs.      z'CmfAccessList.subject_model_check_write) NNNNNNNNNNTN)NNFN)NNNNN)rT)N)FNNN),rrr__doc__Zno_cacher9r$rrrC classmethodr^r&rrr+r,r-r)r r staticmethodrrrrrrZon_server_eventrrrrrrArrrrrrrr __classcell__rrrrr7@s   A              r7)!r!rnrKr collectionsrtypingrrrrrrrZ cmf.includeZcmf.appr+Zcmf.fields.cmf_access_listZ dataclassr rr$rr.rZ_policy_prioritiesrtr Exceptionr6rGZcmf_access_listr7rrrrs2