@@ -23,7 +23,7 @@ def __begin__(self):
2323 def get (self ):
2424 for key in self .request_data :
2525 if key [- 2 :]== "[]" :
26- rsp = self ._query_array (key )
26+ rsp = self ._get_array (key )
2727 else :
2828 rsp = self ._get_one (key )
2929 if rsp : return rsp
@@ -42,6 +42,8 @@ def _get_one(self,key):
4242 return json ({"code" :400 ,"msg" :"model '%s' not found" % (modelname )})
4343 model_column_set = None
4444 q = model .all ()
45+
46+ #rbac check begin
4547 rbac_get = model_setting .get ("rbac_get" ,{})
4648 if not rbac_get :
4749 return json ({"code" :401 ,"msg" :"'%s' not accessible by apijson" % (modelname )})
@@ -74,6 +76,7 @@ def _get_one(self,key):
7476
7577 if not permission_check_ok :
7678 return json ({"code" :401 ,"msg" :"no permission" })
79+ #rbac check end
7780
7881 filtered = False
7982
@@ -111,7 +114,7 @@ def _get_one(self,key):
111114 del o [k ]
112115 self .rdict [key ] = o
113116
114- def _query_array (self ,key ):
117+ def _get_array (self ,key ):
115118 params = self .request_data [key ]
116119 query_count = None
117120 query_page = None
@@ -146,9 +149,8 @@ def _query_array(self,key):
146149 return json ({"code" :400 ,"msg" :"no model found in array query" })
147150
148151 #model settings
149- model_setting = settings .APIJSON_MODEL .get (modelname ,{})
152+ model_setting = settings .APIJSON_MODELS .get (modelname ,{})
150153 secret_fields = model_setting ["secret_fields" ]
151- public = model_setting .get ("public" ,False )
152154
153155 #model params
154156 #column
@@ -165,6 +167,47 @@ def _query_array(self,key):
165167 model_order = model_param .get ("@order" )
166168
167169 q = model .all ()
170+
171+ #rbac check begin
172+ rbac_get = model_setting .get ("rbac_get" ,{})
173+ if not rbac_get :
174+ return json ({"code" :401 ,"msg" :"'%s' not accessible by apijson" % (modelname )})
175+
176+ roles = rbac_get .get ("roles" )
177+ perms = rbac_get .get ("perms" )
178+ params_role = params .get ("@role" )
179+ permission_check_ok = False
180+ user_role = None
181+ if params_role :
182+ if params_role not in roles :
183+ return json ({"code" :401 ,"msg" :"'%s' not accessible by role '%s'" % (modelname ,params_role )})
184+ if functions .has_role (request .user ,params_role ):
185+ permission_check_ok = True
186+ user_role = params_role
187+ else :
188+ return json ({"code" :401 ,"msg" :"user doesn't have role '%s'" % (params_role )})
189+ if not permission_check_ok and roles :
190+ for role in roles :
191+ if functions .has_role (request .user ,role ):
192+ permission_check_ok = True
193+ user_role = role
194+ break
195+
196+ if not permission_check_ok and perms :
197+ for perm in perms :
198+ if functions .has_permission (request .user ,perm ):
199+ permission_check_ok = True
200+ break
201+
202+ if not permission_check_ok :
203+ return json ({"code" :401 ,"msg" :"no permission" })
204+ #rbac check end
205+
206+ if user_role == "OWNER" :
207+ owner_filtered ,q = self ._filter_owner (model ,model_setting ,q )
208+ if not owner_filtered :
209+ return json ({"code" :401 ,"msg" :"'%s' cannot filter with owner" % (modelname )})
210+
168211 if query_count :
169212 if query_page :
170213 q = q .offset (query_page * query_count )
@@ -183,13 +226,6 @@ def _query_array(self,key):
183226 column = getattr (model .c ,sort_key )
184227 q = q .order_by (getattr (column ,sort_order )())
185228
186- if not public :
187- if not request .user :
188- return json ({"code" :401 ,"msg" :"'%s' not accessable for unauthorized request" % (modelname )})
189- owner_filtered ,q = self ._filter_owner (model ,model_setting ,q )
190- if not owner_filtered :
191- return json ({"code" :401 ,"msg" :"'%s' not accessable because not public" % (modelname )})
192-
193229 def _get_info (i ):
194230 d = i .to_dict ()
195231 if secret_fields :