[controller] UM: cleaned up rights checking

- better handling of inconsistent UM-model API

[controller] UM: cleaned up rights checking
- better handling of inconsistent UM-model API
c160ea05 · Benjamin Fischer · 6250994c · c160ea05
Commit c160ea05 authored Jan 10, 2017 by Benjamin Fischer
--- a/vispa/controller/usermanagement.py
+++ b/vispa/controller/usermanagement.py
@@ -29,6 +29,8 @@ def call_mix(func, *args, **kwargs):
 class Rights(int):
    levels = [
        "none",
+        "private",
+        "protected",
        "public",
        "indirect",
        "member",
@@ -36,20 +38,45 @@ class Rights(int):
        "admin",
    ]

+    @staticmethod
+    def has_user(user, listing):
+        return any(
+            user.id == (item.id if isinstance(item, User) else item.user_id)
+            for item in listing
+        )
+
    def test(self, obj):
        """
        Tests wether the object interaction is allowed with the given rights.
        """
        user = cherrypy.request.user
-        fallback = (lambda: [user]) if user == obj else list
-        return self <= (
-            self.admin if user.serveradmin else
-            self.manager if getattr(obj, "get_managers", fallback)() else
-            self.member if user in getattr(obj, "get_users", fallback)() else
-            self.indirect if False else  # TODO: implement this
-            self.public if getattr(self, "privacy", -1) == Group.PUBLIC else
-            self.none
-        )
+
+        if user.serveradmin:
+            return True
+
+        if self > self.manager:
+            return False
+        if obj == user:
+            return True
+        if user in getattr(obj, "get_managers", list)():
+            return True
+
+        if self > self.member:
+            return False
+        if self.has_user(user, getattr(obj, "users", [])):
+            return True
+
+        if self > self.indirect:
+            return False
+        if self.has_user(user, getattr(obj, "get_users", list)()):
+            return True
+
+        return self <= {
+            Group.PUBLIC: self.public,
+            Group.PROTECTED: self.protected,
+            Group.PRIVATE: self.private,
+            None: self.none,
+        }[getattr(obj, "privacy", None)]

    @staticmethod
    def extend(base, extension, delete=[]):