refractor apijson models settings, add apijson style roles

zhangchunlin · zhangchunlin · commit 3f751508bccc · 2018-12-14T15:28:03.000+08:00
diff --git a/demo/apps/apijson_demo/dbinit.py b/demo/apps/apijson_demo/dbinit.py
@@ -10,6 +10,11 @@
 Moment = models.moment
 
 user_list = [
+    {
+        "username": "admin",
+        "nickname": "Administrator",
+        "email": "admin@localhost",
+    },
     {
         "username": "usera",
         "nickname": "User A",
@@ -101,7 +106,10 @@
         print("create user '%s'"%(d["username"]))
         u = User(**d)
         u.set_password("123")
+        if d["username"]=="admin":
+            u.is_superuser = True
         u.save()
+
 for d in privacy_list:
     user = User.get(User.c.username==d["username"])
     if user:
diff --git a/demo/apps/apijson_demo/views.py b/demo/apps/apijson_demo/views.py
@@ -5,9 +5,9 @@
 @expose('/')
 def index():
     if request.user:
-        user_info = "login as user '%s'"%(request.user)
+        user_info = "login as user '%s(%s)'"%(request.user.username,request.user)
     else:
-        user_info = "not login, you can login with username 'usera/userb/userc', and password '123'"
+        user_info = "not login, you can login with username 'admin/usera/userb/userc', and password '123'"
     request_get = [
         {
             "label":"Single record query: with id as parameter",
@@ -33,7 +33,7 @@ def index():
 }''',
         },
         {
-            "label":"Array query",
+            "label":"Array query: private data",
             "value":'''{
   "[]":{
     "@count":2,
diff --git a/demo/apps/settings.ini b/demo/apps/settings.ini
@@ -13,6 +13,7 @@ INSTALLED_APPS = [
     'uliweb.contrib.auth',
     'uliweb.contrib.i18n',
     'uliweb.contrib.flashmessage',
+    'uliweb.contrib.rbac',
     'uliweb_apps.site',
     'uliweb_apps.login',
     'uliweb_comui',
@@ -27,14 +28,9 @@ MAINMENU = {
     ]
 }
 
-[APIJSON_MODEL]
-#overwrite user table to public for test
-user = {
-    "user_id_field" : "id",
-    "secret_fields" : ["password"],
-    "default_filter_by_self" : True
-}
-
 [LAYOUT]
 logo_lg = "Uliweb"
 logo_mini = "U"
+
+[SESSION]
+timeout = 36000
diff --git a/uliweb_apijson/apijson/settings.ini b/uliweb_apijson/apijson/settings.ini
@@ -1,7 +1,16 @@
-[APIJSON_MODEL_CONFIG]
+#apijson style role names
+[ROLES]
+ADMIN = _('APIJSON ADMIN'), 'uliweb.contrib.rbac.superuser', True
+UNKNOWN = _('APIJSON UNKNOWN'), 'uliweb.contrib.rbac.anonymous', True
+LOGIN = _('APIJSON LOGIN'), 'uliweb.contrib.rbac.trusted', True
+#will do more when query in the database
+OWNER = _('APIJSON OWNER'), 'uliweb.contrib.rbac.trusted', True
+
+[APIJSON_MODELS]
 user = {
-    "public" : False,
     "user_id_field" : "id",
     "secret_fields" : ["password"],
-    "default_filter_by_self" : True
+    "rbac_get" : {
+        "roles" : ["ADMIN","OWNER"]
+    }
 }
diff --git a/uliweb_apijson/apijson/views.py b/uliweb_apijson/apijson/views.py
@@ -25,31 +25,64 @@ def get(self):
             if key[-2:]=="[]":
                 rsp = self._query_array(key)
             else:
-                rsp = self._query_one(key)
+                rsp = self._get_one(key)
             if rsp: return rsp
 
         return json(self.rdict)
 
-    def _query_one(self,key):
+    def _get_one(self,key):
         modelname = key
+        params = self.request_data[key]
+
         try:
             model = getattr(models,modelname)
-            model_setting = settings.APIJSON_MODEL.get(modelname,{})
+            model_setting = settings.APIJSON_MODELS.get(modelname,{})
         except ModelNotFound as e:
             log.error("try to find model '%s' but not found: '%s'"%(modelname,e))
             return json({"code":400,"msg":"model '%s' not found"%(modelname)})
         model_column_set = None
         q = model.all()
-        public = model_setting.get("public",False)
+        rbac_get = model_setting.get("rbac_get",{})
+        if not rbac_get:
+            return json({"code":401,"msg":"'%s' not accessible by apijson"%(modelname)})
+
+        roles = rbac_get.get("roles")
+        perms = rbac_get.get("perms")
+        params_role = params.get("@role")
+        permission_check_ok = False
+        user_role = None
+        if params_role:
+            if params_role not in roles:
+                return json({"code":401,"msg":"'%s' not accessible by role '%s'"%(modelname,params_role)})
+            if functions.has_role(request.user,params_role):
+                permission_check_ok = True
+                user_role = params_role
+            else:
+                return json({"code":401,"msg":"user doesn't have role '%s'"%(params_role)})
+        if not permission_check_ok and roles:
+            for role in roles:
+                if functions.has_role(request.user,role):
+                    permission_check_ok = True
+                    user_role = role
+                    break
+
+        if not permission_check_ok and perms:
+            for perm in perms:
+                if functions.has_permission(request.user,perm):
+                    permission_check_ok = True
+                    break
+
+        if not permission_check_ok:
+            return json({"code":401,"msg":"no permission"})
+
         filtered = False
-        if not public:
-            if not request.user:
-                return json({"code":401,"msg":"'%s' not accessable for unauthorized request"%(modelname)})
+
+        if user_role == "OWNER":
             owner_filtered,q = self._filter_owner(model,model_setting,q)
-            if owner_filtered:
-                filtered = True
-            else:
-                return json({"code":401,"msg":"'%s' not accessable because not public"%(modelname)})
+            if not owner_filtered:
+                return  json({"code":401,"msg":"'%s' cannot filter with owner"%(modelname)})
+            filtered = True
+
         params = self.request_data[key]
         if isinstance(params,dict):
             for n in params:
@@ -61,14 +94,9 @@ def _query_one(self,key):
                     filtered = True
                 else:
                     return json({"code":400,"msg":"'%s' have no attribute '%s'"%(modelname,n)})
-        #default filter
+        #default filter is trying to filter with owner
         if not filtered and request.user:
-            default_filter_by_self = model_setting.get("default_filter_by_self",False)
-            if default_filter_by_self:
-                user_id_field = model_setting.get("user_id_field")
-                if user_id_field:
-                    q = q.filter(getattr(model.c,user_id_field)==request.user.id)
-                    filtered = True
+            owner_filtered,q = self._filter_owner(model,model_setting,q)
         o = q.one()
         if o:
             o = o.to_dict()
