require_role(s) decorators

2024-11-08 09:53:59 +00:00 · 2014-03-04 17:38:10 +02:00 · 2014-03-04 17:38:10 +02:00 · 5003f36337
commit 5003f36337
parent 2854a1c8c0
2 changed files with 35 additions and 2 deletions
--- a/redash/authentication.py
+++ b/redash/authentication.py
@ -3,15 +3,18 @@ import hashlib
 import hmac
 from flask import current_app, request, make_response, g, redirect, url_for
 from flask.ext.googleauth import GoogleAuth, login
-from flask.ext.login import LoginManager, login_user, current_user
+from flask.ext.login import LoginManager, login_user, current_user, AnonymousUserMixin
 import time
 import logging
+from flask.ext.restful import abort
 from werkzeug.contrib.fixers import ProxyFix
+from models import AnonymousUser
 from redash import models, settings

 login_manager = LoginManager()
 logger = logging.getLogger('authentication')

+
 def sign(key, path, expires):
    if not key:
        return None
@ -85,6 +88,29 @@ def load_user(user_id):
    return models.User.select().where(models.User.id == user_id).first()


+def requires_role(role):
+    return requires_roles((role,))
+
+
+class requires_roles(object):
+    def __init__(self, roles):
+        self.roles = roles
+
+    def __call__(self, fn):
+        @functools.wraps(fn)
+        def decorated(*args, **kwargs):
+            has_roles = reduce(lambda a, b: a and b,
+                               map(lambda role: role in current_user.roles, self.roles),
+                               True)
+
+            if has_roles:
+                return fn(*args, **kwargs)
+            else:
+                abort(403)
+
+        return decorated
+
+
 def setup_authentication(app):
    if settings.GOOGLE_OPENID_ENABLED:
        openid_auth = GoogleAuth(app, url_prefix="/google_auth")
@ -94,6 +120,7 @@ def setup_authentication(app):
            openid_auth._OPENID_ENDPOINT = "https://www.google.com/a/%s/o8/ud?be=o8" % settings.GOOGLE_APPS_DOMAIN

    login_manager.init_app(app)
+    login_manager.anonymous_user = AnonymousUser
    app.wsgi_app = ProxyFix(app.wsgi_app)
    app.secret_key = settings.COOKIE_SECRET

--- a/redash/models.py
+++ b/redash/models.py
@ -3,7 +3,7 @@ import hashlib
 import time
 import datetime
 from flask.ext.peewee.utils import slugify
-from flask.ext.login import UserMixin
+from flask.ext.login import UserMixin, AnonymousUserMixin
 from passlib.apps import custom_app_context as pwd_context
 import peewee
 from playhouse.postgres_ext import ArrayField
@ -16,6 +16,12 @@ class BaseModel(db.Model):
        return cls.get(cls.id == model_id)


+class AnonymousUser(AnonymousUserMixin):
+    @property
+    def roles(self):
+        return []
+
+
 class User(BaseModel, UserMixin):
    id = peewee.PrimaryKeyField()
    name = peewee.CharField(max_length=320)