PowerOn/gateway
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
gateway/modules/interfaces/gatewayAccess.py

111 lines
No EOL
4.5 KiB
Python
Raw Blame History

"""
Access control functions for the Gateway system.
Manages user access and permissions.
"""
from typing import Dict, Any, List, Optional
def _uam(currentUser: Dict[str, Any], table: str, recordset: List[Dict[str, Any]], _mandateId: int, _userId: int, db) -> List[Dict[str, Any]]:
"""
Unified user access management function that filters data based on user privileges
and adds access control attributes.
Args:
currentUser: Current user information dictionary
table: Name of the table
recordset: Recordset to filter based on access rules
_mandateId: Current mandate ID
_userId: Current user ID
db: Database connector instance
Returns:
Filtered recordset with access control attributes
"""
userPrivilege = currentUser.get("privilege", "user")
filtered_records = []
# Apply filtering based on privilege
if userPrivilege == "sysadmin":
filtered_records = recordset # System admins see all records
elif userPrivilege == "admin":
# Admins see records in their mandate
filtered_records = [r for r in recordset if r.get("_mandateId") == _mandateId]
else: # Regular users
# Users only see records they own within their mandate
filtered_records = [r for r in recordset
if r.get("_mandateId") == _mandateId and r.get("_userId") == _userId]
# Add access control attributes to each record
for record in filtered_records:
record_id = record.get("id")
# Set access control flags based on user permissions
if table == "mandates":
record["_hideView"] = False # Everyone can view
record["_hideEdit"] = not _canModify(currentUser, "mandates", record_id, _mandateId, _userId, db)
record["_hideDelete"] = not _canModify(currentUser, "mandates", record_id, _mandateId, _userId, db)
elif table == "users":
record["_hideView"] = False # Everyone can view
record["_hideEdit"] = not _canModify(currentUser, "users", record_id, _mandateId, _userId, db)
record["_hideDelete"] = not _canModify(currentUser, "users", record_id, _mandateId, _userId, db)
else:
# Default access control for other tables
record["_hideView"] = False
record["_hideEdit"] = not _canModify(currentUser, table, record_id, _mandateId, _userId, db)
record["_hideDelete"] = not _canModify(currentUser, table, record_id, _mandateId, _userId, db)
return filtered_records
def _canModify(currentUser: Dict[str, Any], table: str, recordId: Optional[int] = None, _mandateId: int = None, _userId: int = None, db = None) -> bool:
"""
Checks if the current user can modify (create/update/delete) records in a table.
Args:
currentUser: Current user information dictionary
table: Name of the table
recordId: Optional record ID for specific record check
_mandateId: Current mandate ID
_userId: Current user ID
db: Database connector instance
Returns:
Boolean indicating permission
"""
userPrivilege = currentUser.get("privilege", "user")
# System admins can modify anything
if userPrivilege == "sysadmin":
return True
# Check specific record permissions
if recordId is not None:
# Get the record to check ownership
records = db.getRecordset(table, recordFilter={"id": recordId})
if not records:
return False
record = records[0]
# Admins can modify anything in their mandate
if userPrivilege == "admin" and record.get("_mandateId") == _mandateId:
# Exception: Can't modify Root mandate unless you are a sysadmin
if table == "mandates" and recordId == 1 and userPrivilege != "sysadmin":
return False
return True
# Users can only modify their own records
if (record.get("_mandateId") == _mandateId and
record.get("_userId") == _userId):
return True
return False
else:
# For general table modify permission (e.g., create)
# Admins can create anything in their mandate
if userPrivilege == "admin":
return True
# Regular users can create most entities
if table == "mandates":
return False # Regular users can't create mandates
return True
Reference in a new issue View git blame Copy permalink