From 695c19f86ec361db8b316358ac9a0609ecfb020f Mon Sep 17 00:00:00 2001
From: Javier Sánchez Parra
Date: Fri, 3 Dec 2021 15:25:44 +0100
Subject: Add scope permission support
ogCP limits which scopes can use each user. Configuration file stores allowed scopes by their names. Leave scope list empty to give a user permissions on all scopes.
---
 ogcp/cfg/ogcp.json | 8 ++++++--
 ogcp/models.py | 3 ++-
 ogcp/views.py | 18 +++++++++++++++---
 3 files changed, 23 insertions(+), 6 deletions(-)
(limited to 'ogcp')
diff --git a/ogcp/cfg/ogcp.json b/ogcp/cfg/ogcp.json
index b5f3606..3f8a82c 100644
--- a/ogcp/cfg/ogcp.json
+++ b/ogcp/cfg/ogcp.json
@@ -5,11 +5,15 @@
 "USERS": [
 {
 "USER": "admin",
- "PASS": "pass"
+ "PASS": "pass",
+ "SCOPES": [ ]
 },
 {
 "USER": "user",
- "PASS": "pass"
+ "PASS": "pass",
+ "SCOPES": [
+ "Unidad Organizativa (Default)"
+ ]
 }
 ]
 }
diff --git a/ogcp/models.py b/ogcp/models.py
index 9ad40db..4b88a41 100644
--- a/ogcp/models.py
+++ b/ogcp/models.py
@@ -8,5 +8,6 @@ from flask_login import UserMixin
 class User(UserMixin):
- def __init__(self, username):
+ def __init__(self, username, scopes):
 self.id = username
+ self.scopes = scopes
diff --git a/ogcp/views.py b/ogcp/views.py
index 31b97b0..fe8d465 100644
--- a/ogcp/views.py
+++ b/ogcp/views.py
@@ -145,9 +145,20 @@ def add_state_and_ips(scope, clients, ips):
 scope['selected'] = set(scope['ip']).issubset(ips)
 return scope['ip']
+def get_allowed_scopes(scopes, allowed_scopes):
+ for scope in scopes.get('scope'):
+ if scope.get('name') in current_user.scopes:
+ allowed_scopes.append(scope)
+ else:
+ get_allowed_scopes(scope, allowed_scopes)
+
 def get_scopes(ips=set()):
 r = g.server.get('/scopes')
 scopes = r.json()
+ if current_user.scopes:
+ allowed_scopes = []
+ get_allowed_scopes(scopes, allowed_scopes)
+ scopes = {'scope': allowed_scopes}
 r = g.server.get('/clients')
 clients = r.json()
 add_state_and_ips(scopes, clients['clients'], ips)
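Review bot: `User.__init__` stores `scopes` exactly as given, so the attribute may be a list, an empty list or `None` (both call sites in views.py pass `user_dict.get('SCOPES')`), and every consumer has to remember that all three are valid. Normalising once here, `self.scopes = frozenset(scopes or ())`, keeps the "empty means unrestricted" truthiness that `get_scopes` relies on while making the membership test in `get_allowed_scopes` O(1) and the attribute immutable for the life of the session. A short docstring stating that contract would help: that `scopes` holds the names of the scopes this user may see, and that an empty collection means no restriction.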
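Review bot: `get_allowed_scopes` iterates `scopes.get('scope')` unguarded, so any nested entry that carries no `'scope'` key (a leaf, if the tree has them) makes the recursive call on the `else` branch raise `TypeError` on `for scope in None`; `for scope in scopes.get('scope', []):` ends the walk there instead. The match is by display `name` only, so two scopes sharing a name at different levels would both be granted and a renamed scope silently loses its users — confirm names are unique in the scope tree before relying on them as the authorisation key. This filter only trims what `get_scopes` returns; if other views accept scope ids or client IPs straight from the request, they are not covered by it and need their own check against `current_user.scopes`, which I cannot see from this hunk. Returning the list from `get_allowed_scopes` rather than mutating an argument would also read more naturally, but that is style. `get_scopes` continues past the end of the hunk.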
@@ -173,10 +184,11 @@ def get_user(username):
 @login_manager.user_loader
 def load_user(username):
- if not get_user(username):
+ user_dict = get_user(username)
+ if not user_dict:
 return None
- user = User(username)
+ user = User(username, user_dict.get('SCOPES'))
 return user
 @app.before_request
@@ -218,7 +230,7 @@ def login():
 user_dict = authenticate_user(form_user, pwd)
 if not user_dict:
 return render_template('auth/login.html', form=form)
- user = User(form_user)
+ user = User(form_user, user_dict.get('SCOPES'))
 login_user(user)
 return redirect(url_for('index'))
 return render_template('auth/login.html', form=LoginForm())
-- cgit v1.2.3-18-g5258
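Review bot: `user_dict.get('SCOPES')` in `load_user`, and the identical call in the `login` hunk below, turns a user entry that simply lacks the `SCOPES` key into `None`, which `get_scopes` then treats exactly like an empty list — access to every scope. If that fail-open reading of a missing key is intended it deserves a comment where the users file is loaded; if it is not, that loading point is the place to check the key's presence and type and refuse the configuration, before any `User` is built. Constructing the object in one place, e.g. a `User.from_config(user_dict)` classmethod, would also remove the duplicated `.get('SCOPES')` between the two call sites. `load_user` is complete in this hunk; the function in the `login` hunk starts outside it.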