diff options
author | Alejandro Sirgo Rica <asirgo@soleta.eu> | 2024-06-25 17:29:02 +0200 |
---|---|---|
committer | Alejandro Sirgo Rica <asirgo@soleta.eu> | 2024-06-27 10:03:14 +0200 |
commit | 977b457d5ce7661e8b4680d5543ad4d31063dcf1 (patch) | |
tree | b978944834f149c3aea9083c166fc2ba7b1d950f /ogcp | |
parent | 25bb1ff73b537c53b07c7d41c28e1b52c149c026 (diff) |
ogcp: add user permission mechanism
Add a new user permission system to control the allowed operations
accessible from each account.
Add a permission matrix editable through the user/add and user/edit
views. The permission matrix has client, center, room, folder, image
and repository as permission targets and add, update and delete as
permission types.
Restrict each view based on the user permissions, hide all actions
from not autheticated users.
permissions defined in the class UserForm.
Serialize each user permissions into ogcp.json as:
{
...
"USERS" [
{
"USER": "admin"
...
"PERMISSIONS": {
"CLIENT": {
"ADD": true,
"UPDATE": true,
"DELETE": true,
},
... <- same structure for "CENTER", "ROOM", "FOLDER", "IMAGE"
and "REPOSITORY"
}
},
...
],
...
}
Grant all the permissions to old user configuration to not disrupt their
workflow. The administrator will need to assign the permissions for each
user.
Ignore scope and permission restrictions for admin users.
Save permissions and scopes even if the user is admin to account for the
case of a temporal admin promotion without losing the previous
configuration.
Use template inheritance for add_user.html and edit_user.html to prevent
big code duplication with the new HTML code to render the permission
matrix.
Make user administration an admin only feature.
Define methods get_permission and target_is_disabled to improve readability
in template conditionals that disable features based on user permissions.
Diffstat (limited to 'ogcp')
-rw-r--r-- | ogcp/forms/auth.py | 15 | ||||
-rw-r--r-- | ogcp/models.py | 13 | ||||
-rw-r--r-- | ogcp/templates/auth/add_user.html | 54 | ||||
-rw-r--r-- | ogcp/templates/auth/edit_user.html | 54 | ||||
-rw-r--r-- | ogcp/templates/auth/user_form.html | 126 | ||||
-rw-r--r-- | ogcp/templates/base.html | 2 | ||||
-rw-r--r-- | ogcp/templates/commands.html | 8 | ||||
-rw-r--r-- | ogcp/templates/images.html | 16 | ||||
-rw-r--r-- | ogcp/templates/repos.html | 24 | ||||
-rw-r--r-- | ogcp/templates/scopes.html | 57 | ||||
-rw-r--r-- | ogcp/templates/servers.html | 2 | ||||
-rw-r--r-- | ogcp/templates/users.html | 2 | ||||
-rw-r--r-- | ogcp/views.py | 72 |
13 files changed, 309 insertions, 136 deletions
diff --git a/ogcp/forms/auth.py b/ogcp/forms/auth.py index d85931b..a76ec7c 100644 --- a/ogcp/forms/auth.py +++ b/ogcp/forms/auth.py @@ -7,7 +7,8 @@ from wtforms import ( Form, SubmitField, HiddenField, SelectField, BooleanField, IntegerField, - StringField, RadioField, PasswordField, SelectMultipleField, widgets + StringField, RadioField, PasswordField, SelectMultipleField, FormField, + widgets ) from wtforms.validators import InputRequired, Optional from flask_wtf import FlaskForm @@ -28,6 +29,12 @@ class LoginForm(FlaskForm): ) +class PermissionForm(FlaskForm): + add = BooleanField(_l('Add'), default=True) + update = BooleanField(_l('Update'), default=True) + delete = BooleanField(_l('Delete'), default=True) + + class UserForm(FlaskForm): username = StringField( label=_l('Username'), @@ -50,6 +57,12 @@ class UserForm(FlaskForm): option_widget=widgets.CheckboxInput(), widget=widgets.ListWidget(prefix_label=False) ) + client_permissions = FormField(PermissionForm, label=_l('Client Permissions')) + center_permissions = FormField(PermissionForm, label=_l('Center Permissions')) + room_permissions = FormField(PermissionForm, label=_l('Room Permissions')) + folder_permissions = FormField(PermissionForm, label=_l('Folder Permissions')) + image_permissions = FormField(PermissionForm, label=_l('Image Permissions')) + repository_permissions = FormField(PermissionForm, label=_l('Repository Permissions')) submit_btn = SubmitField( label=_l('Submit') ) diff --git a/ogcp/models.py b/ogcp/models.py index d27b869..ef050ed 100644 --- a/ogcp/models.py +++ b/ogcp/models.py @@ -8,7 +8,18 @@ from flask_login import UserMixin class User(UserMixin): - def __init__(self, username, scopes, admin): + def __init__(self, username, scopes, admin, permissions): self.id = username self.scopes = scopes self.admin = admin + self.permissions = permissions + + def get_permission(self, target, action): + if self.admin or not target in self.permissions: + return True + return self.permissions[target].get(action, True) + + def target_is_disabled(self, target): + if self.admin or not target in self.permissions or not self.permissions[target]: + return False + return all(value == False for value in self.permissions[target].values()) diff --git a/ogcp/templates/auth/add_user.html b/ogcp/templates/auth/add_user.html index cc5ed09..4661236 100644 --- a/ogcp/templates/auth/add_user.html +++ b/ogcp/templates/auth/add_user.html @@ -1,53 +1,5 @@ -{% extends 'users.html' %} -{% import "bootstrap/wtf.html" as wtf %} +{% extends 'auth/user_form.html' %} -{% set sidebar_state = 'disabled' %} -{% set btn_back = true %} +{% block subhead_heading %}{{_('Add user')}}{% endblock %} -{% block nav_user_add %}active{% endblock %} -{% block content %} - -<h1 class="m-5">{{_('Add a user')}}</h1> - -<form action="{{ url_for('user_add_post') }}" method="post" class="form"> - {{ form.hidden_tag() }} - - <div class="form-group"> - {{ form.username.label(class_='form-label') }} - {{ form.username(class_='form-control') }} - </div> - - <div class="form-group"> - {{ form.pwd.label(class_='form-label') }} - {{ form.pwd(class_='form-control') }} - </div> - - <div class="form-group"> - {{ form.pwd_confirm.label(class_='form-label') }} - {{ form.pwd_confirm(class_='form-control') }} - </div> - - <div class="form-group form-check"> - {{ form.admin(class_='form-check-input') }} - {{ form.admin.label(class_='form-check-label') }} - </div> - - <div class="form-group"> - {{ form.scopes.label(class_='form-label') }} - <div class="form-text text-muted">{{ form.scopes.description }}</div> - <div> - {% for value, label, checked in form.scopes.iter_choices() %} - <div class="form-check"> - <input class="form-check-input" type="checkbox" name="{{ form.scopes.name }}" value="{{ value }}" {% if checked %} checked {% endif %}> - <label class="form-check-label">{{ label }}</label> - </div> - {% endfor %} - </div> - </div> - - <div class="form-group"> - {{ form.submit_btn(class_='btn btn-primary') }} - </div> -</form> - -{% endblock %} +{% block form_action %}{{ url_for('user_add_post') }}{% endblock %} diff --git a/ogcp/templates/auth/edit_user.html b/ogcp/templates/auth/edit_user.html index 3b10508..42ba5aa 100644 --- a/ogcp/templates/auth/edit_user.html +++ b/ogcp/templates/auth/edit_user.html @@ -1,53 +1,9 @@ -{% extends 'users.html' %} -{% import "bootstrap/wtf.html" as wtf %} +{% extends 'auth/user_form.html' %} -{% set sidebar_state = 'disabled' %} -{% set btn_back = true %} +{% block subhead_heading %}{{_('Edit user {}').format(form.username.data)}}{% endblock %} -{% block nav_user_edit %}active{% endblock %} -{% block content %} +{% block form_action %}{{ url_for('user_edit_post') }}{% endblock %} -<h1 class="m-5">{{_('Edit user {}').format(form.username.data)}}</h1> +{% block pwd_field %}<input type="password" name="pwd" class="form-control" placeholder="{{ _('Leave blank if not changing') }}">{% endblock %} -<form action="{{ url_for('user_edit_post') }}" method="post" class="form"> - {{ form.hidden_tag() }} - - <div class="form-group"> - {{ form.username.label(class_='form-label') }} - {{ form.username(class_='form-control') }} - </div> - - <div class="form-group"> - {{ form.pwd.label(class_='form-label') }} - <input type="password" name="pwd" class="form-control" placeholder="{{ _('Leave blank if not changing') }}"> - </div> - - <div class="form-group"> - {{ form.pwd_confirm.label(class_='form-label') }} - <input type="password" name="pwd_confirm" class="form-control" placeholder="{{ _('Leave blank if not changing') }}"> - </div> - - <div class="form-group form-check"> - {{ form.admin(class_='form-check-input') }} - {{ form.admin.label(class_='form-check-label') }} - </div> - - <div class="form-group"> - {{ form.scopes.label(class_='form-label') }} - <div class="form-text text-muted">{{ form.scopes.description }}</div> - <div> - {% for value, label, checked in form.scopes.iter_choices() %} - <div class="form-check"> - <input class="form-check-input" type="checkbox" name="{{ form.scopes.name }}" value="{{ value }}" {% if checked %} checked {% endif %}> - <label class="form-check-label">{{ label }}</label> - </div> - {% endfor %} - </div> - </div> - - <div class="form-group"> - {{ form.submit_btn(class_='btn btn-primary') }} - </div> -</form> - -{% endblock %} +{% block pwd_confirm_field %}<input type="password" name="pwd_confirm" class="form-control" placeholder="{{ _('Leave blank if not changing') }}">{% endblock %} diff --git a/ogcp/templates/auth/user_form.html b/ogcp/templates/auth/user_form.html new file mode 100644 index 0000000..7b6b338 --- /dev/null +++ b/ogcp/templates/auth/user_form.html @@ -0,0 +1,126 @@ +{% extends 'users.html' %} +{% import "bootstrap/wtf.html" as wtf %} + +{% set sidebar_state = 'disabled' %} +{% set btn_back = true %} + +{% block nav_user_add %}active{% endblock %} +{% block content %} + +<h1 class="m-5">{% block subhead_heading %}{% endblock %}</h1> + +<form action="{% block form_action %}{% endblock %}" method="post" class="form"> + {{ form.hidden_tag() }} + + <div class="form-group"> + {{ form.username.label(class_='form-label') }} + {{ form.username(class_='form-control') }} + </div> + + <div class="form-group"> + {{ form.pwd.label(class_='form-label') }} + {% block pwd_field %}{{ form.pwd(class_='form-control') }}{% endblock %} + </div> + + <div class="form-group"> + {{ form.pwd_confirm.label(class_='form-label') }} + {% block pwd_confirm_field %}{{ form.pwd_confirm(class_='form-control') }}{% endblock %} + </div> + + <div class="form-group"> + <div class="custom-control custom-switch"> + {{ form.admin(class_="custom-control-input", id="adminToggle") }} + <label class="custom-control-label" for="adminToggle">{{ form.admin.label.text }}</label> + </div> + </div> + + <!-- jQuery --> + <script src="{{ url_for('static', filename='AdminLTE/plugins/jquery/jquery.min.js') }}"></script> + <script> + $(document).ready(function(){ + + var isAdminEnabled = $('#adminToggle').is(':checked'); + if(isAdminEnabled) { + $('#PermissionSection').hide(); + } + + $('#adminToggle').change(function() { + isAdminEnabled = $(this).is(':checked'); + $('#PermissionSection').toggle(!isAdminEnabled); + }); + }); + </script> + + <div id="PermissionSection"> + <div class="form-group"> + <label class="form-label">{{ _('Permissions') }}</label> + <table class="text-center table"> + <thead> + <tr> + <th></th> + <th>{{ form.client_permissions.add.label.text }}</th> + <th>{{ form.client_permissions.update.label.text }}</th> + <th>{{ form.client_permissions.delete.label.text }}</th> + </tr> + </thead> + <tbody> + <tr> + <th>{{ form.client_permissions.label }}</th> + <td>{{ form.client_permissions.add() }}</td> + <td>{{ form.client_permissions.update() }}</td> + <td>{{ form.client_permissions.delete() }}</td> + </tr> + <tr> + <th>{{ form.center_permissions.label }}</th> + <td>{{ form.center_permissions.add() }}</td> + <td>{{ form.center_permissions.update() }}</td> + <td>{{ form.center_permissions.delete() }}</td> + </tr> + <tr> + <th>{{ form.room_permissions.label }}</th> + <td>{{ form.room_permissions.add() }}</td> + <td>{{ form.room_permissions.update() }}</td> + <td>{{ form.room_permissions.delete() }}</td> + </tr> + <tr> + <th>{{ form.folder_permissions.label }}</th> + <td>{{ form.folder_permissions.add() }}</td> + <td>{{ form.folder_permissions.update() }}</td> + <td>{{ form.folder_permissions.delete() }}</td> + </tr> + <tr> + <th>{{ form.image_permissions.label }}</th> + <td>{{ form.image_permissions.add() }}</td> + <td>{{ form.image_permissions.update() }}</td> + <td>{{ form.image_permissions.delete() }}</td> + </tr> + <tr> + <th>{{ form.repository_permissions.label }}</th> + <td>{{ form.repository_permissions.add() }}</td> + <td>{{ form.repository_permissions.update() }}</td> + <td>{{ form.repository_permissions.delete() }}</td> + </tr> + </tbody> + </table> + </div> + + <div class="form-group"> + {{ form.scopes.label(class_='form-label') }} + <div class="form-text text-muted">{{ form.scopes.description }}</div> + <div> + {% for value, label, checked in form.scopes.iter_choices() %} + <div class="form-check"> + <input class="form-check-input" type="checkbox" name="{{ form.scopes.name }}" value="{{ value }}" {% if checked %} checked {% endif %}> + <label class="form-check-label">{{ label }}</label> + </div> + {% endfor %} + </div> + </div> + </div> + + <div class="form-group"> + {{ form.submit_btn(class_='btn btn-primary') }} + </div> +</form> + +{% endblock %} diff --git a/ogcp/templates/base.html b/ogcp/templates/base.html index 9839029..2af9873 100644 --- a/ogcp/templates/base.html +++ b/ogcp/templates/base.html @@ -36,10 +36,10 @@ <li class="nav-item {% block nav_scopes%}{% endblock %}"> <a class="nav-link" href="{{ url_for('scopes') }}">{{ _('Scopes management') }}</a> </li> - {% if current_user.admin %} <li class="nav-item {% block nav_repos %}{% endblock %}"> <a class="nav-link" href="{{ url_for('manage_repos') }}">{{ _('Repos') }}</a> </li> + {% if current_user.admin %} <li class="nav-item {% block nav_users %}{% endblock %}"> <a class="nav-link" href="{{ url_for('users') }}">{{ _('Users') }}</a> </li> diff --git a/ogcp/templates/commands.html b/ogcp/templates/commands.html index 7a63c38..9bb0176 100644 --- a/ogcp/templates/commands.html +++ b/ogcp/templates/commands.html @@ -16,7 +16,7 @@ {% endblock %} {% block commands %} - +{% if current_user.is_authenticated %} <div class="dropdown btn"> <button class="btn btn-secondary btn-light dropdown-toggle{% block nav_client %}{% endblock %}" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-expanded="false"> {{ _('Client') }} @@ -66,10 +66,14 @@ {{ _('Image') }} </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> + {% if current_user.get_permission('IMAGE', 'ADD') %} <input class="btn btn-light dropdown-item{% block nav_image_create %}{% endblock %}" type="submit" value="{{ _('Create image') }}" form="scopesForm" formaction="{{ url_for('action_image_create') }}" formmethod="get"> + {% endif %} + {% if current_user.get_permission('IMAGE', 'UPDATE') %} <input class="btn btn-light dropdown-item {% block nav_image_update %}{% endblock %}" type="submit" value="{{ _('Update image') }}" form="scopesForm" formaction="{{ url_for('action_image_update') }}" formmethod="get"> + {% endif %} <input class="btn btn-light dropdown-item{% block nav_image_restore %}{% endblock %}" type="submit" value="{{ _('Restore Image') }}" form="scopesForm" formaction="{{ url_for('action_image_restore') }}" formmethod="get"> </div> @@ -109,7 +113,7 @@ form="scopesForm" formaction="{{ url_for('action_legacy_rt_log') }}" formmethod="get" formtarget="_blank"> </div> </div> - +{% endif %} {% if btn_back %} <button class="btn btn-danger ml-3" type="button" id="backButton" onclick="history.back()"> {{ _("Back") }} diff --git a/ogcp/templates/images.html b/ogcp/templates/images.html index c439e52..00bb2e4 100644 --- a/ogcp/templates/images.html +++ b/ogcp/templates/images.html @@ -58,13 +58,15 @@ {% endblock %} {% block commands %} - <input class="btn btn-light" type="submit" value="{{ _('Image details') }}" - form="imagesForm" formaction="{{ url_for('action_image_info') }}" formmethod="get"> - <input class="btn btn-light" type="submit" value="{{ _('List images') }}" - form="imagesForm" formaction="{{ url_for('action_image_list') }}" formmethod="get"> -{% if current_user.admin %} - <input class="btn btn-light" type="submit" value="{{ _('Delete image') }}" - form="imagesForm" formaction="{{ url_for('action_image_delete') }}" formmethod="get"> +{% if current_user.is_authenticated %} + <input class="btn btn-light" type="submit" value="{{ _('Image details') }}" + form="imagesForm" formaction="{{ url_for('action_image_info') }}" formmethod="get"> + <input class="btn btn-light" type="submit" value="{{ _('List images') }}" + form="imagesForm" formaction="{{ url_for('action_image_list') }}" formmethod="get"> + {% if current_user.get_permission('IMAGE', 'DELETE') %} + <input class="btn btn-light" type="submit" value="{{ _('Delete image') }}" + form="imagesForm" formaction="{{ url_for('action_image_delete') }}" formmethod="get"> + {% endif %} {% endif %} {% if btn_back %} <button class="btn btn-danger ml-3" type="button" id="backButton" onclick="history.back()"> diff --git a/ogcp/templates/repos.html b/ogcp/templates/repos.html index ef56d2a..06bee58 100644 --- a/ogcp/templates/repos.html +++ b/ogcp/templates/repos.html @@ -50,14 +50,22 @@ {% endblock %} {% block commands %} - <input class="btn btn-light {% block nav_repo_info %}{% endblock %}" type="submit" value="{{ _('Repo details') }}" - form="reposForm" formaction="{{ url_for('action_repo_info') }}" formmethod="get"> - <input class="btn btn-light {% block nav_repo_add %}{% endblock %}" type="submit" value="{{ _('Add repo') }}" - form="reposForm" formaction="{{ url_for('action_repo_add') }}" formmethod="get"> - <input class="btn btn-light {% block nav_repo_delete %}{% endblock %}" type="submit" value="{{ _('Delete repo') }}" - form="reposForm" formaction="{{ url_for('action_repo_delete') }}" formmethod="get"> - <input class="btn btn-light {% block nav_repo_update %}{% endblock %}" type="submit" value="{{ _('Update repo') }}" - form="reposForm" formaction="{{ url_for('action_repo_update') }}" formmethod="get"> +{% if current_user.is_authenticated %} + <input class="btn btn-light {% block nav_repo_info %}{% endblock %}" type="submit" value="{{ _('Repo details') }}" + form="reposForm" formaction="{{ url_for('action_repo_info') }}" formmethod="get"> + {% if current_user.get_permission('REPOSITORY', 'ADD') %} + <input class="btn btn-light {% block nav_repo_add %}{% endblock %}" type="submit" value="{{ _('Add repo') }}" + form="reposForm" formaction="{{ url_for('action_repo_add') }}" formmethod="get"> + {% endif %} + {% if current_user.get_permission('REPOSITORY', 'DELETE') %} + <input class="btn btn-light {% block nav_repo_delete %}{% endblock %}" type="submit" value="{{ _('Delete repo') }}" + form="reposForm" formaction="{{ url_for('action_repo_delete') }}" formmethod="get"> + {% endif %} + {% if current_user.get_permission('REPOSITORY', 'UPDATE') %} + <input class="btn btn-light {% block nav_repo_update %}{% endblock %}" type="submit" value="{{ _('Update repo') }}" + form="reposForm" formaction="{{ url_for('action_repo_update') }}" formmethod="get"> + {% endif %} +{% endif %} {% if btn_back %} <button class="btn btn-danger ml-3" type="button" id="backButton" onclick="history.back()"> diff --git a/ogcp/templates/scopes.html b/ogcp/templates/scopes.html index dc5eb71..8236877 100644 --- a/ogcp/templates/scopes.html +++ b/ogcp/templates/scopes.html @@ -16,72 +16,103 @@ {% endblock %} {% block commands %} - {% if current_user.is_authenticated %} +{% if current_user.is_authenticated %} + + {% if not current_user.target_is_disabled('CLIENT') %} <div class="dropdown btn"> <button class="btn btn-secondary btn-light dropdown-toggle {% block nav_client %}{% endblock %}" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-expanded="false"> {{ _('Client') }} </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> + {% if current_user.get_permission('CLIENT', 'ADD') %} <input class="btn btn-light dropdown-item {% block nav_client_add %}{% endblock %}" type="submit" value="{{ _('Add client') }}" - form="scopesForm" formaction="{{ url_for('action_client_add') }}" formmethod="get"> + form="scopesForm" formaction="{{ url_for('action_client_add') }}" formmethod="get"> + {% endif %} <input class="btn btn-light dropdown-item {% block nav_client_update %}{% endblock %}" type="submit" value="{{ _('Update client') }}" form="scopesForm" formaction="{{ url_for('action_client_update') }}" formmethod="get"> + {% if current_user.get_permission('CLIENT', 'UPDATE') %} <input class="btn btn-light dropdown-item {% block nav_client_move %}{% endblock %}" type="submit" value="{{ _('Move client') }}" - form="scopesForm" formaction="{{ url_for('action_client_move') }}" formmethod="get"> + form="scopesForm" formaction="{{ url_for('action_client_move') }}" formmethod="get"> + {% endif %} + {% if current_user.get_permission('CLIENT', 'ADD') %} <input class="btn btn-light dropdown-item {% block nav_clients_import %}{% endblock %}" type="submit" value="{{ _('Import clients') }}" - form="scopesForm" formaction="{{ url_for('action_clients_import_get') }}" formmethod="get"> + form="scopesForm" formaction="{{ url_for('action_clients_import_get') }}" formmethod="get"> + {% endif %} + {% if current_user.get_permission('CLIENT', 'DELETE') %} <input class="btn btn-light dropdown-item {% block nav_client_delete %}{% endblock %}" type="submit" value="{{ _('Delete client') }}" - form="scopesForm" formaction="{{ url_for('action_client_delete') }}" formmethod="get"> + form="scopesForm" formaction="{{ url_for('action_client_delete') }}" formmethod="get"> + {% endif %} </div> </div> {% endif %} - {% if current_user.admin %} + <div class="dropdown btn"> <button class="btn btn-secondary btn-light dropdown-toggle {% block nav_room %}{% endblock %}" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-expanded="false"> {{ _('Room') }} </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> + {% if current_user.get_permission('ROOM', 'ADD') %} <input class="btn btn-light dropdown-item {% block nav_room_add %}{% endblock %}" type="submit" value="{{ _('Add room') }}" - form="scopesForm" formaction="{{ url_for('action_room_add') }}" formmethod="get"> + form="scopesForm" formaction="{{ url_for('action_room_add') }}" formmethod="get"> + {% endif %} + {% if current_user.get_permission('ROOM', 'UPDATE') %} <input class="btn btn-light dropdown-item {% block nav_room_update %}{% endblock %}" type="submit" value="{{ _('Update room') }}" - form="scopesForm" formaction="{{ url_for('action_room_update') }}" formmethod="get"> + form="scopesForm" formaction="{{ url_for('action_room_update') }}" formmethod="get"> + {% endif %} + {% if current_user.get_permission('ROOM', 'DELETE') %} <input class="btn btn-light dropdown-item {% block nav_room_delete %}{% endblock %}" type="submit" value="{{ _('Delete room') }}" - form="scopesForm" formaction="{{ url_for('action_room_delete') }}" formmethod="get"> + form="scopesForm" formaction="{{ url_for('action_room_delete') }}" formmethod="get"> + {% endif %} <input class="btn btn-light dropdown-item {% block nav_room_info %}{% endblock %}" type="submit" value="{{ _('Room details') }}" form="scopesForm" formaction="{{ url_for('action_room_info') }}" formmethod="get"> </div> </div> + <div class="dropdown btn"> <button class="btn btn-secondary btn-light dropdown-toggle {% block nav_center %}{% endblock %}" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-expanded="false"> {{ _('Center') }} </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> + {% if current_user.get_permission('CENTER', 'ADD') %} <input class="btn btn-light dropdown-item {% block nav_center_add %}{% endblock %}" type="submit" value="{{ _('Add center') }}" - form="scopesForm" formaction="{{ url_for('action_center_add') }}" formmethod="get"> + form="scopesForm" formaction="{{ url_for('action_center_add') }}" formmethod="get"> + {% endif %} + {% if current_user.get_permission('CENTER', 'UPDATE') %} <input class="btn btn-light dropdown-item {% block nav_center_update %}{% endblock %}" type="submit" value="{{ _('Update center') }}" - form="scopesForm" formaction="{{ url_for('action_center_update') }}" formmethod="get"> + form="scopesForm" formaction="{{ url_for('action_center_update') }}" formmethod="get"> + {% endif %} + {% if current_user.get_permission('CENTER', 'DELETE') %} <input class="btn btn-light dropdown-item {% block nav_center_delete %}{% endblock %}" type="submit" value="{{ _('Delete center') }}" - form="scopesForm" formaction="{{ url_for('action_center_delete') }}" formmethod="get"> + form="scopesForm" formaction="{{ url_for('action_center_delete') }}" formmethod="get"> + {% endif %} <input class="btn btn-light dropdown-item {% block nav_center_info %}{% endblock %}" type="submit" value="{{ _('Center details') }}" form="scopesForm" formaction="{{ url_for('action_center_info') }}" formmethod="get"> </div> </div> + {% if not current_user.target_is_disabled('FOLDER') %} <div class="dropdown btn"> <button class="btn btn-secondary btn-light dropdown-toggle {% block nav_folder %}{% endblock %}" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-expanded="false"> {{ _('Folder') }} </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> + {% if current_user.get_permission('FOLDER', 'ADD') %} <input class="btn btn-light dropdown-item {% block nav_folder_add %}{% endblock %}" type="submit" value="{{ _('Add folder') }}" form="scopesForm" formaction="{{ url_for('action_folder_add') }}" formmethod="get"> + {% endif %} + {% if current_user.get_permission('FOLDER', 'UPDATE') %} <input class="btn btn-light dropdown-item {% block nav_folder_update %}{% endblock %}" type="submit" value="{{ _('Update folder') }}" form="scopesForm" formaction="{{ url_for('action_folder_update') }}" formmethod="get"> + {% endif %} + {% if current_user.get_permission('FOLDER', 'DELETE') %} <input class="btn btn-light dropdown-item {% block nav_folder_delete %}{% endblock %}" type="submit" value="{{ _('Delete folder') }}" form="scopesForm" formaction="{{ url_for('action_folder_delete') }}" formmethod="get"> + {% endif %} </div> </div> - {% endif %} +{% endif %} + {% if btn_back %} <button class="btn btn-danger ml-3" type="button" id="backButton" onclick="history.back()"> {{ _("Back") }} diff --git a/ogcp/templates/servers.html b/ogcp/templates/servers.html index 9a466ea..bc09c4f 100644 --- a/ogcp/templates/servers.html +++ b/ogcp/templates/servers.html @@ -25,6 +25,7 @@ {% endblock %} {% block commands %} +{% if current_user.is_authenticated %} <input class="btn btn-light {% block nav_server_add %}{% endblock %}" type="submit" value="{{ _('Add server') }}" form="serversForm" formaction="{{ url_for('server_add_get') }}" formmethod="get"> <input class="btn btn-light {% block nav_server_delete %}{% endblock %}" type="submit" value="{{ _('Delete server') }}" @@ -34,5 +35,6 @@ {{ _("Back") }} </button> {% endif %} +{% endif %} {% endblock %} diff --git a/ogcp/templates/users.html b/ogcp/templates/users.html index 72f23f3..01b0a60 100644 --- a/ogcp/templates/users.html +++ b/ogcp/templates/users.html @@ -24,6 +24,7 @@ {% endblock %} {% block commands %} +{% if current_user.is_authenticated %} <input class="btn btn-light {% block nav_user_add %}{% endblock %}" type="submit" value="{{ _('Add user') }}" form="usersForm" formaction="{{ url_for('user_add_get') }}" formmethod="get"> <input class="btn btn-light {% block nav_user_edit %}{% endblock %}" type="submit" value="{{ _('Edit user') }}" @@ -35,5 +36,6 @@ {{ _("Back") }} </button> {% endif %} +{% endif %} {% endblock %} diff --git a/ogcp/views.py b/ogcp/views.py index 45a0f73..9868e78 100644 --- a/ogcp/views.py +++ b/ogcp/views.py @@ -311,7 +311,7 @@ def get_scopes(ips=set()): list_scopes.append(server_scope) all_scopes = {'scope': list_scopes} all_scopes = sort_scopes(all_scopes) - if current_user.scopes: + if not current_user.admin and current_user.scopes: remove_disabled_scopes(all_scopes) clients = get_clients() add_state_and_ips(all_scopes, clients['clients'], ips) @@ -369,7 +369,10 @@ def load_user(username): if not user_dict: return None - user = User(username, user_dict.get('SCOPES'), user_dict.get('ADMIN')) + user = User(username, + user_dict.get('SCOPES'), + user_dict.get('ADMIN'), + user_dict.get('PERMISSIONS', {})) return user @app.errorhandler(404) @@ -458,7 +461,10 @@ def login(): user_dict = authenticate_user(form_user, pwd_hash) if not user_dict: return render_template('auth/login.html', form=form) - user = User(form_user, user_dict.get('SCOPES'), user_dict.get('ADMIN')) + user = User(form_user, + user_dict.get('SCOPES'), + user_dict.get('ADMIN'), + user_dict.get('PERMISSIONS', {})) login_user(user) return redirect(url_for('index')) return render_template('auth/login.html', form=LoginForm()) @@ -3027,6 +3033,38 @@ def save_user(form, preserve_pwd): 'PASS': pwd_hash, 'ADMIN': admin, 'SCOPES': scopes, + 'PERMISSIONS': { + 'CLIENT': { + 'ADD': form.client_permissions.add.data, + 'UPDATE': form.client_permissions.update.data, + 'DELETE': form.client_permissions.delete.data, + }, + 'CENTER': { + 'ADD': form.center_permissions.add.data, + 'UPDATE': form.center_permissions.update.data, + 'DELETE': form.center_permissions.delete.data, + }, + 'ROOM': { + 'ADD': form.room_permissions.add.data, + 'UPDATE': form.room_permissions.update.data, + 'DELETE': form.room_permissions.delete.data, + }, + 'FOLDER': { + 'ADD': form.folder_permissions.add.data, + 'UPDATE': form.folder_permissions.update.data, + 'DELETE': form.folder_permissions.delete.data, + }, + 'IMAGE': { + 'ADD': form.image_permissions.add.data, + 'UPDATE': form.image_permissions.update.data, + 'DELETE': form.image_permissions.delete.data, + }, + 'REPOSITORY': { + 'ADD': form.repository_permissions.add.data, + 'UPDATE': form.repository_permissions.update.data, + 'DELETE': form.repository_permissions.delete.data, + }, + }, } filename = os.path.join(app.root_path, ogcp_cfg_path) @@ -3110,6 +3148,34 @@ def user_edit_get(): form.username.render_kw = {'readonly': True} form.admin.data = user.get('ADMIN') form.scopes.data = user.get('SCOPES') + + if 'PERMISSIONS' in user: + permissions = user.get('PERMISSIONS') + + def get_permission(target, action): + if not target in permissions: + return True + return permissions[target].get(action, True) + + form.client_permissions.add.data = get_permission('CLIENT', 'ADD') + form.client_permissions.update.data = get_permission('CLIENT', 'UPDATE') + form.client_permissions.delete.data = get_permission('CLIENT', 'DELETE') + form.center_permissions.add.data = get_permission('CENTER', 'ADD') + form.center_permissions.update.data = get_permission('CENTER', 'UPDATE') + form.center_permissions.delete.data = get_permission('CENTER', 'DELETE') + form.room_permissions.add.data = get_permission('ROOM', 'ADD') + form.room_permissions.update.data = get_permission('ROOM', 'UPDATE') + form.room_permissions.delete.data = get_permission('ROOM', 'DELETE') + form.folder_permissions.add.data = get_permission('FOLDER', 'ADD') + form.folder_permissions.update.data = get_permission('FOLDER', 'UPDATE') + form.folder_permissions.delete.data = get_permission('FOLDER', 'DELETE') + form.image_permissions.add.data = get_permission('IMAGE', 'ADD') + form.image_permissions.update.data = get_permission('IMAGE', 'UPDATE') + form.image_permissions.delete.data = get_permission('IMAGE', 'DELETE') + form.repository_permissions.add.data = get_permission('REPOSITORY', 'ADD') + form.repository_permissions.update.data = get_permission('REPOSITORY', 'UPDATE') + form.repository_permissions.delete.data = get_permission('REPOSITORY', 'DELETE') + form.scopes.choices = get_available_centers() return render_template('auth/edit_user.html', form=form) |