wip

ansible · Nov 18, 2021 · 645d08c · 645d08c
1 parent 426cdf5
commit 645d08c
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 40 deletions.
diff --git a/galaxy_ng/app/access_control/fields.py b/galaxy_ng/app/access_control/fields.py
@@ -1,8 +1,5 @@
-from django.contrib.auth.models import Permission
-from django.db.models import Q
 from django.utils.translation import gettext_lazy as _
 
-
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 

diff --git a/galaxy_ng/app/access_control/mixins.py b/galaxy_ng/app/access_control/mixins.py
@@ -1,34 +1,25 @@
 from django.conf import settings
 from django.db import transaction
-from django.db.models import Q
-from pulpcore.app.role_util import assign_role, remove_role, get_groups_with_perms
-from pulpcore.app.models.role import GroupRole
-from django.contrib.contenttypes.models import ContentType
+from django.core.exceptions import BadRequest
+from django.utils.translation import gettext_lazy as _
 
-from django_lifecycle import hook
-
-
-def tmp_get_groups_with_perms_attched_roles(obj):
-    groups = get_groups_with_perms(obj)
-    ctype = ContentType.objects.get_for_model(obj)
+from rest_framework.exceptions import ValidationError
 
-    result = {}
-    for group in groups:
-        group_roles = GroupRole.objects.filter(
-            Q(object_id=None) | Q(content_type=ctype, object_id=obj.pk)
-        )
+from pulpcore.app.role_util import (
+    assign_role,
+    remove_role,
+    get_groups_with_perms_attached_roles
+)
 
-        result[group] = [gr.role.name for gr in group_roles]
-
-    return result
+from django_lifecycle import hook
 
 
 class GroupModelPermissionsMixin:
     _groups = None
 
     @property
     def groups(self):
-        return tmp_get_groups_with_perms_attched_roles(self)
+        return get_groups_with_perms_attached_roles(self)
 
     @groups.setter
     def groups(self, groups):
@@ -42,14 +33,20 @@ def _set_groups(self, groups):
         if self._state.adding:
             self._groups = groups
         else:
-            current_groups = tmp_get_groups_with_perms_attched_roles(self)
+            current_groups = get_groups_with_perms_attached_roles(self)
             for group in current_groups:
                 for perm in current_groups[group]:
                     remove_role(perm, group, self)
 
             for group in groups:
-                for perm in groups[group]:
-                    assign_role(perm, group, self)
+                for role in groups[group]:
+                    try:
+                        assign_role(role, group, self)
+                    except BadRequest:
+                        raise ValidationError(
+                            detail={'groups': _(f'Role {role} does not exist or does not '
+                                                'have any permissions related to this object.')}
+                        )
 
     @hook('after_save')
     def set_object_groups(self):

diff --git a/galaxy_ng/app/api/ui/viewsets/execution_environment.py b/galaxy_ng/app/api/ui/viewsets/execution_environment.py
@@ -6,7 +6,7 @@
 from django_filters import filters
 from django_filters.rest_framework import DjangoFilterBackend, filterset
 from drf_spectacular.utils import extend_schema
-from guardian.shortcuts import get_objects_for_user
+from pulpcore.app.role_util import get_objects_for_user
 from pulp_container.app import models as container_models
 from pulpcore.plugin import models as core_models
 from pulpcore.plugin.serializers import AsyncOperationResponseSerializer
@@ -47,7 +47,7 @@ class Meta:
     def has_permissions(self, queryset, name, value):
         perms = self.request.query_params.getlist(name)
         namespaces = get_objects_for_user(
-            self.request.user, perms, klass=container_models.ContainerNamespace)
+            self.request.user, perms, qs=container_models.ContainerNamespace.objects.all())
         return self.queryset.filter(namespace__in=namespaces)
 
 

diff --git a/galaxy_ng/app/api/ui/viewsets/my_namespace.py b/galaxy_ng/app/api/ui/viewsets/my_namespace.py
@@ -10,5 +10,5 @@ def get_queryset(self):
             self.request.user,
             ('galaxy.change_namespace', 'galaxy.upload_to_namespace'),
             any_perm=True,
-            klass=models.Namespace
+            qs=models.Namespace.objects.all()
         )
diff --git a/galaxy_ng/app/api/ui/viewsets/my_synclist.py b/galaxy_ng/app/api/ui/viewsets/my_synclist.py
@@ -30,9 +30,8 @@ def get_queryset(self):
         return get_objects_for_user(
             self.request.user,
             "galaxy.change_synclist",
-            any_perm=True,
-            accept_global_perms=False,
-            klass=models.SyncList,
+            # any_perm=True,
+            qs=models.SyncList.objects.all(),
         )
 
     @action(detail=True, methods=["post"])

diff --git a/galaxy_ng/app/api/v3/serializers/namespace.py b/galaxy_ng/app/api/v3/serializers/namespace.py
@@ -9,7 +9,7 @@
 from rest_framework import serializers
 
 from galaxy_ng.app import models
-from galaxy_ng.app.access_control.fields import GroupPermissionField, MyPermissionsField
+from galaxy_ng.app.access_control.fields import GroupPermissionField
 
 log = logging.getLogger(__name__)
 
@@ -66,7 +66,6 @@ class NamespaceSerializer(serializers.ModelSerializer):
     links = NamespaceLinkSerializer(many=True, required=False)
 
     groups = GroupPermissionField()
-    my_permissions = MyPermissionsField(source="*")
 
     class Meta:
         model = models.Namespace
@@ -80,7 +79,6 @@ class Meta:
             'links',
             'groups',
             'resources',
-            'my_permissions'
         )
 
     # replace with a NamespaceNameSerializer and validate_name() ?

diff --git a/galaxy_ng/app/auth/auth.py b/galaxy_ng/app/auth/auth.py
@@ -5,7 +5,7 @@
 from django.db import transaction
 from django.conf import settings
 
-from guardian import shortcuts
+from pulpcore.app.role_util import get_objects_for_group
 
 from rest_framework.authentication import BaseAuthentication
 from rest_framework.exceptions import AuthenticationFailed
@@ -82,11 +82,9 @@ def _ensure_group(self, account_scope, account):
     def _ensure_synclists(self, group):
         with transaction.atomic():
             # check for existing synclists
-            perms = ['galaxy.view_synclist']
 
             synclists_owned_by_group = \
-                shortcuts.get_objects_for_group(group, perms, klass=SyncList,
-                                                any_perm=False, accept_global_perms=True)
+                get_objects_for_group(group, 'galaxy.view_synclist', SyncList.objects.all())
             if synclists_owned_by_group:
                 return synclists_owned_by_group
 
@@ -104,8 +102,13 @@ def _ensure_synclists(self, group):
                 policy=SYNCLIST_DEFAULT_POLICY,
                 name=distro_name)
 
-            default_synclist.groups = {group: ['galaxy.view_synclist', 'galaxy.add_synclist',
-                                               'galaxy.delete_synclist', 'galaxy.change_synclist']}
+
+
+
+
+
+            # TODO need to create role for synclist owners
+            default_synclist.groups = {group: ['galaxy.synclist_owner']}
             default_synclist.save()
         return default_synclist