
# -*- coding: utf-8 -*-
import collections


# One effective permission entry on a user. ``inherited`` is 1 when the entry
# came through a role and 0 when it was assigned to the user directly;
# ``value`` is the stored grant/deny value for that permission.
Permission = collections.namedtuple(
    'Permission', ['id', 'name', 'inherited', 'value'])


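class Acl(object):
    """Access Control List functionality for managing users' roles and
    permissions.

    By default, the user model contains an `acl` attribute, which allows
    access to the Acl object.

    Attributes:
        allow_default (boolean): Whether or not to allow/deny access if the
            permission has not been set on that role. The shipped default
            is ``True``, i.e. an unknown permission key is *granted*
            (fail-open). Deployments that want deny-by-default should set
            this to ``False`` (for example on a subclass) so that a
            misspelled or not-yet-seeded permission key cannot grant access.
    """
    allow_default = True
    # Per-instance cache of the merged permission map, filled lazily by
    # ``permissions``. Left as ``None`` on the class so the first access on
    # any instance triggers generation.
    _permissions = None

    def __init__(self, user):
        """Initializes the Acl.

        Args:
            watson.auth.models.UserMixin user: The user to validate against
        """
        self.user = user

    @property
    def permissions(self):
        """dict: Effective permissions keyed by permission key.

        Generated on first access and cached for the lifetime of this Acl
        instance; changes to the user's roles or permissions made after
        that are not reflected until a new Acl is created.
        """
        # ``is None`` rather than a truthiness test: a user with no
        # permissions at all produces ``{}``, which must also be cached
        # instead of being rebuilt on every access.
        if self._permissions is None:
            self._generate_user_permissions()
        return self._permissions

    def has_role(self, role_key):
        """Validates a role against the associated roles on a user.

        Args:
            role_key (string|tuple|list): The role(s) to validate against.

        Returns:
            bool: True if the user holds any of the given role(s).
        """
        # Normalise once instead of re-checking the argument type per role.
        if isinstance(role_key, (list, tuple)):
            wanted = role_key
        else:
            wanted = (role_key,)
        return any(role.key in wanted for role in self.user.roles)

    def has_permission(self, permission):
        """Check to see if a user has a specific permission.

        If the permission has not been set, access will be granted or
        denied according to the ``allow_default`` attribute.

        Args:
            permission (string): The permission to find.

        Returns:
            The truth value of the stored permission, or ``allow_default``
            when the permission key is unknown for this user.
        """
        entry = self.permissions.get(permission)
        if entry is None:
            return self.allow_default
        return bool(entry.value)

    @staticmethod
    def _to_permission(assignment, inherited):
        """Build a Permission record from a role/user permission assignment.

        Args:
            assignment: An object exposing ``permission_id``,
                ``permission`` (with ``key`` and ``name``) and ``value``.
            inherited (int): 1 if the assignment came via a role, else 0.
        """
        return Permission(
            id=assignment.permission_id,
            name=assignment.permission.name,
            inherited=inherited,
            value=assignment.value)

    def _generate_user_permissions(self):
        """Internal method to generate the permissions for the user.

        Retrieve all the permissions associated with the users roles, and
        then merge the users individual permissions to overwrite the
        inherited role permissions.

        When two roles carry the same permission key, the role that appears
        later in ``self.user.roles`` wins; a permission assigned directly to
        the user always overrides any role-derived entry.
        """
        permissions = {}
        for role in self.user.roles:
            permissions.update(
                {assignment.permission.key: self._to_permission(assignment, 1)
                 for assignment in role.permissions})
        # Applied last so the user's own entries override the role ones.
        permissions.update(
            {assignment.permission.key: self._to_permission(assignment, 0)
             for assignment in self.user.permissions})
        self._permissions = permissions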