feat(core): Add field level permission and validation checks
jon-nfc committed Aug 28, 2024
1 parent e59a08b commit 5c4a802
Showing 4 changed files with 75 additions and 35 deletions.
27 changes: 23 additions & 4 deletions app/access/mixin.py
Expand Up @@ -182,10 +182,23 @@ def user_organizations(self) -> list():


# ToDo: Ensure that the group has access to item
def has_organization_permission(self, organization: int=None) -> bool:
def has_organization_permission(self, organization: int = None, permissions_required: list = None) -> bool:
""" Check if user has permission within organization.
Args:
organization (int, optional): Organization to check. Defaults to None.
permissions_required (list, optional): if doing object level permissions, pass in required permission. Defaults to None.
Returns:
bool: True for yes.
"""

has_permission = False

if permissions_required is None:

permissions_required = self.get_permission_required()

if not organization:

organization = self.object_organization()
Expand All @@ -203,7 +216,7 @@ def has_organization_permission(self, organization: int=None) -> bool:

assembled_permission = str(permission["content_type__app_label"]) + '.' + str(permission["codename"])

if assembled_permission in self.get_permission_required() and (team['organization_id'] == organization or organization == 0):
if assembled_permission in permissions_required and (team['organization_id'] == organization or organization == 0):

return True

Expand Down Expand Up @@ -263,9 +276,15 @@ def permission_check(self, request, permissions_required: list = None) -> bool:

return True

perms = self.get_permission_required()
if permissions_required:

perms = permissions_required

else:

perms = self.get_permission_required()

if self.has_organization_permission():
if self.has_organization_permission(permissions_required = perms):

return True

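Review bot: `permission_check` and `has_organization_permission` now disagree on what an empty `permissions_required` means: the new `if permissions_required:` at the top of the second hunk sends an empty list down the `else` branch to `self.get_permission_required()`, whereas `has_organization_permission` only substitutes the defaults when the argument `is None` and otherwise tests membership in the list as given, so `[]` denies. A caller that assembles the required permissions dynamically and ends up with none would therefore be checked against the view's default permissions instead of being refused. Using the same sentinel in both places closes that gap: `if permissions_required is not None:` followed by `perms = permissions_required`. The body of `has_organization_permission` continues past the first hunk and the start of `permission_check` lies above the second, so the condition guarding the `return True` at its top is not visible here.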
3 changes: 0 additions & 3 deletions app/core/forms/common.py
Expand Up @@ -46,9 +46,6 @@ def __init__(self, *args, **kwargs):

if team_user.team.organization.name not in user_organizations:

if not user_organizations:

self.user_organizations = []

user_organizations += [ team_user.team.organization.name ]
user_organizations_id += [ team_user.team.organization.id ]
11 changes: 10 additions & 1 deletion app/core/forms/ticket.py
Expand Up @@ -117,11 +117,20 @@ def __init__(self, request, *args, **kwargs):

ticket_type += self.Meta.model.tech_fields

fields_allowed = self.fields_allowed

for field in original_fields:

for field in fields_allowed: # Remove fields not intended for the ticket type

if field not in ticket_type:

fields_allowed.remove(field)


for field in original_fields: # Remove fields user cant edit unless field is hidden

if field not in fields_allowed and not self.fields[field].widget.is_hidden:

del self.fields[field]


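Review bot: The first new loop removes from `fields_allowed` while iterating over it (`for field in fields_allowed:` ... `fields_allowed.remove(field)`), so the element after each removed entry is skipped and of two adjacent fields that are not in `ticket_type` the second stays allowed; the second loop then leaves that field editable. Because `self.fields_allowed` is a property that, on the add-only path in this same commit, appears to return the class attribute `self.add_fields` itself rather than a copy, the in-place `remove()` would also strip fields from every later form instance in the process. Building a fresh filtered list avoids both problems: `fields_allowed = [field for field in self.fields_allowed if field in ticket_type]` in place of the property read and the first loop. The hidden-widget exemption in the second loop means a field the user may not edit is still bound from POST data when it is hidden; that is only safe if the validation side rejects changes to it, which this diff does not show. `__init__` begins above the hunk.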
69 changes: 42 additions & 27 deletions app/core/forms/validate_ticket.py
Expand Up @@ -56,52 +56,51 @@ class TicketValidation(
'subscribed_teams',
]

@property
def fields_allowed(self):

def validate_field_permission(self):
""" Check field permissions
Users can't edit all fields. They can only adjust fields that they
have the permissions to adjust.
Raises:
PermissionDenied: Access Denied when user has no ticket permissions assigned
PermissionDenied: _description_
"""

fields_allowed: list = []


if self.permission_check(
request = self.request,
permissions_required = [ 'add_ticket_'+ self.initial['type_ticket'] ]
if self.has_organization_permission(
organization=self.instance.organization.id,
permissions_required = [ 'core.add_ticket_'+ self.initial['type_ticket'] ],
) and not self.request.user.is_superuser:

fields_allowed = fields_allowed + self.add_fields
fields_allowed = self.add_fields


if self.permission_check(
request = self.request,
permissions_required = [ 'change_ticket_'+ self.initial['type_ticket'] ]
if self.has_organization_permission(
organization=self.instance.organization.id,
permissions_required = [ 'core.change_ticket_'+ self.initial['type_ticket'] ],
) and not self.request.user.is_superuser:

fields_allowed = fields_allowed + self.change_fields
if len(fields_allowed) == 0:

fields_allowed = self.add_fields + self.change_fields

else:

fields_allowed = fields_allowed + self.change_fields

if self.permission_check(
request = self.request,
permissions_required = [ 'delete_ticket_'+ self.initial['type_ticket'] ]
if self.has_organization_permission(
organization=self.instance.organization.id,
permissions_required = [ 'core.delete_ticket_'+ self.initial['type_ticket'] ],
) and not self.request.user.is_superuser:

fields_allowed = fields_allowed + self.delete_fields

if self.permission_check(
request = self.request,
permissions_required = [ 'import_ticket_'+ self.initial['type_ticket'] ]
if self.has_organization_permission(
organization=self.instance.organization.id,
permissions_required = [ 'core.import_ticket_'+ self.initial['type_ticket'] ],
) and not self.request.user.is_superuser:

fields_allowed = fields_allowed + self.import_fields

if self.permission_check(
request = self.request,
permissions_required = [ 'triage_ticket_'+ self.initial['type_ticket'] ]
if self.has_organization_permission(
organization=self.instance.organization.id,
permissions_required = [ 'core.triage_ticket_'+ self.initial['type_ticket'] ],
) and not self.request.user.is_superuser:

fields_allowed = fields_allowed + self.triage_fields
Expand All @@ -116,6 +115,22 @@ def validate_field_permission(self):

fields_allowed = fields_allowed + all_fields

return fields_allowed


def validate_field_permission(self):
""" Check field permissions
Users can't edit all fields. They can only adjust fields that they
have the permissions to adjust.
Raises:
PermissionDenied: Access Denied when user has no ticket permissions assigned
PermissionDenied: _description_
"""

fields_allowed = self.fields_allowed

if len(fields_allowed) == 0:

raise PermissionDenied('Access Denied')
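Review bot: In the new `fields_allowed` property, the add-permission branch assigns `fields_allowed = self.add_fields`, handing out what looks like the class-level list by reference, so any caller that mutates the returned value (the ticket form's `__init__` in this commit calls `remove()` on it) alters `add_fields` for every form instance in the process; `fields_allowed = list(self.add_fields)` avoids that. The change-permission branch is also wider than the line it replaces: `fields_allowed` can only be `[]` or `add_fields` at that point, so both arms of `if len(fields_allowed) == 0:` produce `self.add_fields + self.change_fields`, meaning a user holding only `change_ticket_*` now receives the add-only fields as well — if that is intended, collapse the conditional to that single line and comment why; if not, restore `fields_allowed = fields_allowed + self.change_fields`. Separately, `self.instance.organization.id` raises `AttributeError` if the property is evaluated for a ticket whose `organization` is not yet set; whether that path is reachable from the form's `__init__` is not visible here. The property's tail (the `all_fields` block) and the remainder of `validate_field_permission` run past the hunks.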
