Commit c160ea05 authored by Benjamin Fischer's avatar Benjamin Fischer

[controller] UM: cleaned up rights checking

- better handling of inconsistent UM-model API
parent 6250994c
......@@ -29,6 +29,8 @@ def call_mix(func, *args, **kwargs):
class Rights(int):
levels = [
"none",
"private",
"protected",
"public",
"indirect",
"member",
......@@ -36,20 +38,45 @@ class Rights(int):
"admin",
]
@staticmethod
def has_user(user, listing):
return any(
user.id == (item.id if isinstance(item, User) else item.user_id)
for item in listing
)
def test(self, obj):
"""
Tests wether the object interaction is allowed with the given rights.
"""
user = cherrypy.request.user
fallback = (lambda: [user]) if user == obj else list
return self <= (
self.admin if user.serveradmin else
self.manager if getattr(obj, "get_managers", fallback)() else
self.member if user in getattr(obj, "get_users", fallback)() else
self.indirect if False else # TODO: implement this
self.public if getattr(self, "privacy", -1) == Group.PUBLIC else
self.none
)
if user.serveradmin:
return True
if self > self.manager:
return False
if obj == user:
return True
if user in getattr(obj, "get_managers", list)():
return True
if self > self.member:
return False
if self.has_user(user, getattr(obj, "users", [])):
return True
if self > self.indirect:
return False
if self.has_user(user, getattr(obj, "get_users", list)()):
return True
return self <= {
Group.PUBLIC: self.public,
Group.PROTECTED: self.protected,
Group.PRIVATE: self.private,
None: self.none,
}[getattr(obj, "privacy", None)]
@staticmethod
def extend(base, extension, delete=[]):
......
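Review bot: The final privacy lookup in `test` subscripts the dict directly, so an `obj.privacy` value other than `Group.PUBLIC`, `Group.PROTECTED`, `Group.PRIVATE` or `None` raises `KeyError` from inside the authorization check instead of producing a denial. Using `.get(getattr(obj, "privacy", None), self.none)` on that dict would give unknown values the same threshold as a missing `privacy` attribute. The manager check `user in getattr(obj, "get_managers", list)()` also relies on object equality, while both member checks go through `has_user`, which compares ids and accepts either `User` objects or rows carrying `user_id`. If `get_managers()` can return such rows (not visible here), managers would be denied, and `self.has_user(user, getattr(obj, "get_managers", list)())` would keep the three checks consistent. The order of the early returns is what enforces the levels, so a one-line comment above each `if self > self.<level>` gate stating which rights can still pass below it would help; `Rights` starts in the previous hunk and continues past this one.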