mirror of https://gitlab.com/tildes/tildes.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
55 lines
2.1 KiB
55 lines
2.1 KiB
# Copyright (c) 2020 Tildes contributors <code@tildes.net>
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
"""Contains the UserPermissions class."""
|
|
|
|
from sqlalchemy import BigInteger, Column, ForeignKey
|
|
from sqlalchemy.dialects.postgresql import ENUM
|
|
from sqlalchemy.orm import relationship
|
|
|
|
from tildes.enums import UserPermission, UserPermissionType
|
|
from tildes.models import DatabaseModel
|
|
from tildes.models.group import Group
|
|
from tildes.models.user import User
|
|
|
|
|
|
class UserPermissions(DatabaseModel):
|
|
"""Model for a user's permissions in a group (or all groups)."""
|
|
|
|
__tablename__ = "user_permissions"
|
|
|
|
permission_id: int = Column(BigInteger, primary_key=True)
|
|
user_id: int = Column(BigInteger, ForeignKey("users.user_id"), nullable=False)
|
|
group_id: int = Column(BigInteger, ForeignKey("groups.group_id"), nullable=True)
|
|
permission: UserPermission = Column(ENUM(UserPermission), nullable=False)
|
|
permission_type: UserPermissionType = Column(
|
|
ENUM(UserPermissionType), nullable=False, server_default="ALLOW"
|
|
)
|
|
|
|
user: User = relationship("User", innerjoin=True, backref="permissions")
|
|
group: Group = relationship("Group", innerjoin=True)
|
|
|
|
@property
|
|
def auth_principal(self) -> str:
|
|
"""Return the permission as a string usable as an auth principal.
|
|
|
|
The principal is made up of two parts, separated by a colon. The first part is
|
|
the group_id the permission applies to, or a * for all groups. The second part
|
|
is the permission name, prefixed by a ! if the permission is being denied
|
|
instead of allowed:
|
|
|
|
- "5:topic.tag" for allowing the topic.tag permission in group id 5
|
|
- "*:topic.tag" for allowing the topic.tag permission in all groups
|
|
- "3:!topic.tag" for denying the topic.tag permission in group id 3
|
|
"""
|
|
if self.group_id:
|
|
principal = f"{self.group_id}:"
|
|
else:
|
|
principal = "*:"
|
|
|
|
if self.permission_type == UserPermissionType.DENY:
|
|
principal += "!"
|
|
|
|
principal += str(self.permission.name)
|
|
|
|
return principal
|