1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
'''
Created on Apr 5, 2011
@author: leifj
'''
from django.db import models
from django.db.models.fields import CharField, DateTimeField
from django.contrib.auth.models import Group, User
from django.contrib.contenttypes.models import ContentType
from django.contrib.contenttypes import generic
class AccessControlEntry(models.Model):
group = models.ForeignKey(Group, blank=True, null=True, on_delete=models.SET_NULL)
user = models.ForeignKey(User, blank=True, null=True, on_delete=models.SET_NULL)
content_type = models.ForeignKey(ContentType)
object_id = models.PositiveIntegerField()
content_object = generic.GenericForeignKey('content_type', 'object_id')
permission = CharField(max_length=256)
modify_time = DateTimeField(auto_now=True)
create_time = DateTimeField(auto_now_add=True)
def __unicode__(self):
return "%s can %s on %s" % (self.group.__unicode__(),self.permission,self.content_object.__unicode__())
class Meta:
unique_together = (('group','permission'),('user','permission'))
def allow(object,ug,permission):
if isinstance(ug, Group):
return allow_group(object,ug,permission)
elif isinstance(ug,User):
return allow_user(object,ug,permission)
elif isinstance(ug,str):
if ug == 'anyone':
ace,created = AccessControlEntry.objects.get_or_create(content_object=object,user=None,group=None)
return ace
else:
raise Exception,"Don't know how to allow %s to do stuff" % repr(ug)
def deny(object,ug,permission):
if isinstance(ug, Group):
return deny_group(object,ug,permission)
elif isinstance(ug,User):
return deny_user(object,ug,permission)
elif isinstance(ug,str):
if ug == 'anyone':
acl = AccessControlEntry.objects.filter(content_object=object,user=None,group=None,permission=permission)
for ace in acl: # just in case we grew duplicates
ace.delete()
return None
else:
raise Exception,"Don't know how to allow %s to do stuff" % repr(ug)
def acl(object):
return AccessControlEntry.objects.filter(content_object=object)
def allow_user(object,user,permission):
ace,created = AccessControlEntry.objects.get_or_create(content_object=object,user=user,permission=permission)
return ace
def deny_user(object,user,permission):
acl = AccessControlEntry.objects.filter(content_object=object,user=user,permission=permission)
for ace in acl:
ace.delete()
return None
def allow_group(object,group,permission):
ace,created = AccessControlEntry.objects.get_or_create(content_object=object,group=group,permission=permission)
return ace
def deny_group(object,group,permission):
acl = AccessControlEntry.objects.filter(content_object=object,group=group,permission=permission)
for ace in acl:
ace.delete()
return None
def is_allowed(object,user,permission):
for ace in AccessControlEntry.objects.filter(content_object=object,permission=permission):
if (not ace.group and not ace.user) or (ace.group in user.groups) or (user == ace.user):
return True
return False
|