220 lines
8.1 KiB
Python
220 lines
8.1 KiB
Python
from flask import jsonify
|
|
|
|
from database import db
|
|
from models import Organization, User, File
|
|
from sqlalchemy.orm.attributes import flag_modified
|
|
|
|
from utils import Perm, PermOperation
|
|
|
|
|
|
class RoleService:
|
|
@staticmethod
|
|
def create_role(org: Organization, role: str, perms: list[Perm]) -> dict | tuple:
|
|
if role in org.roles:
|
|
return jsonify({"error": f"Role {role} already exists in organization {org.name}"}), 400
|
|
|
|
roles = org.roles.copy()
|
|
roles[role] = {
|
|
"permissions": Perm.get_int(perms),
|
|
"users": [],
|
|
"status": "active"
|
|
}
|
|
org.roles = roles
|
|
flag_modified(org, "roles")
|
|
db.commit()
|
|
db.refresh(org)
|
|
return org.roles[role]
|
|
|
|
@staticmethod
|
|
def delete_role(org: Organization, role: str) -> dict:
|
|
roles = org.roles.copy()
|
|
del roles[role]
|
|
org.roles = roles
|
|
flag_modified(org, "roles")
|
|
db.commit()
|
|
db.refresh(org)
|
|
return roles
|
|
|
|
@staticmethod
|
|
def change_role_status(org: Organization, role: str, status: str) -> Organization | tuple:
|
|
if role not in org.roles:
|
|
return jsonify({"error": f"Role {role} does not exist in organization {org.name}"}), 400
|
|
|
|
if org.roles[role]["status"] == status:
|
|
return jsonify({"error": f"Role {role} is already {status} in organization {org.name}"}), 400
|
|
|
|
roles = org.roles.copy()
|
|
roles[role]["status"] = status
|
|
org.roles = roles
|
|
flag_modified(org, "roles")
|
|
db.commit()
|
|
db.refresh(org)
|
|
return org
|
|
|
|
@staticmethod
|
|
def get_role(org: Organization, role: str) -> dict | None:
|
|
if role not in org.roles:
|
|
return None
|
|
return org.roles[role]
|
|
|
|
@staticmethod
|
|
def check_role_permission(org: Organization, role: str, perm: Perm, doc_handle=None) -> bool | tuple:
|
|
from services import FileService
|
|
|
|
if doc_handle:
|
|
file = FileService.get_file_by_document_handle(doc_handle)
|
|
if not file:
|
|
return jsonify({"error": "File not found"}), 404
|
|
|
|
if role not in file.acl or not Perm.check_perm(file.acl[role], perm.value):
|
|
return False
|
|
|
|
return True
|
|
|
|
if role not in org.roles:
|
|
return jsonify({"error": f"Role {role} does not exist in organization {org.name}"}), 400
|
|
|
|
role_perms = org.roles[role]["permissions"]
|
|
return Perm.check_perm(role_perms, perm.value)
|
|
|
|
@staticmethod
|
|
def check_user_permission(user: User, org: Organization, perm: Perm) -> bool:
|
|
for role in user.roles[org.id]:
|
|
if RoleService.check_role_permission(org, role, perm):
|
|
return True
|
|
return False
|
|
|
|
@staticmethod
|
|
def get_roles(org: Organization) -> dict:
|
|
return org.roles
|
|
|
|
@staticmethod
|
|
def get_users_in_role(org: Organization, role: str) -> list | tuple:
|
|
from services import UserService
|
|
if role not in org.roles:
|
|
return jsonify({"error": f"Role {role} does not exist in organization {org.name}"}), 400
|
|
return [UserService.get_user(user_id).username for user_id in org.roles[role]["users"]]
|
|
|
|
@staticmethod
|
|
def get_roles_for_user(user: User, org: Organization) -> list:
|
|
return [role for role in org.roles if user.id in org.roles[role]["users"]]
|
|
|
|
@staticmethod
|
|
def get_perms_for_role(org: Organization, role: str, return_str=False) -> list[Perm | str] | tuple:
|
|
from services import FileService
|
|
if role not in org.roles:
|
|
return jsonify({"error": f"Role {role} does not exist in organization {org.name}"}), 400
|
|
perms_list = Perm.get_perms(org.roles[role]["permissions"], return_str)
|
|
for f in FileService.list_files_in_org(org):
|
|
perms_list.append({f.document_handle: Perm.get_perms(f.acl[role], return_str)})
|
|
return perms_list
|
|
|
|
|
|
@staticmethod
|
|
def get_roles_for_perm(org: Organization, perm: Perm) -> list:
|
|
from services import FileService
|
|
roles = []
|
|
if Perm.get_int([perm]) > 0b111:
|
|
for role in org.roles:
|
|
if RoleService.check_role_permission(org, role, perm):
|
|
roles.append(role)
|
|
else:
|
|
for file in FileService.list_files_in_org(org):
|
|
file_roles = []
|
|
for role in file.acl:
|
|
if Perm.check_perm(file.acl[role], perm.value):
|
|
file_roles.append(role)
|
|
if file_roles:
|
|
roles.append({file.name: file_roles})
|
|
return roles
|
|
|
|
@staticmethod
|
|
def add_user_to_role(role: str, org: Organization, user: User) -> User | tuple:
|
|
if role not in org.roles:
|
|
return jsonify({"error": f"Role {role} does not exist in organization {org.name}"}), 400
|
|
|
|
if user.id in org.roles[role]["users"]:
|
|
return jsonify({"error": f"User {user.username} already has role {role} in organization {org.name}"}), 400
|
|
|
|
if org.roles[role]["status"] != "active":
|
|
return jsonify({"error": f"Role {role} is not active in organization {org.name}"}), 400
|
|
|
|
roles = user.roles.copy()
|
|
if str(org.id) not in roles or not roles[str(org.id)]:
|
|
roles[str(org.id)] = []
|
|
roles[str(org.id)].append(role)
|
|
user.roles = roles
|
|
flag_modified(user, "roles")
|
|
db.commit()
|
|
db.refresh(user)
|
|
|
|
roles = org.roles.copy()
|
|
roles[role]["users"].append(user.id)
|
|
org.roles = roles
|
|
flag_modified(org, "roles")
|
|
db.commit()
|
|
db.refresh(org)
|
|
return user
|
|
|
|
@staticmethod
|
|
def remove_user_from_role(role: str, org: Organization, user: User) -> User | tuple:
|
|
if role not in org.roles:
|
|
return jsonify({"error": f"Role {role} does not exist in organization {org.name}"}), 400
|
|
|
|
if user.id not in org.roles[role]["users"]:
|
|
return jsonify({"error": f"User {user.username} does not have role {role} in organization {org.name}"}), 400
|
|
|
|
if org.roles[role]["status"] != "active":
|
|
return jsonify({"error": f"Role {role} is not active in organization {org.name}"}), 400
|
|
|
|
roles = user.roles.copy()
|
|
roles[str(org.id)].remove(role)
|
|
user.roles = roles
|
|
flag_modified(user, "roles")
|
|
db.commit()
|
|
db.refresh(user)
|
|
|
|
roles = org.roles.copy()
|
|
roles[role]["users"].remove(user.id)
|
|
org.roles = roles
|
|
flag_modified(org, "roles")
|
|
db.commit()
|
|
db.refresh(org)
|
|
return user
|
|
|
|
@staticmethod
|
|
def change_perm_on_role(org: Organization, role: str, perm: Perm, operation: PermOperation) -> dict | tuple:
|
|
if Perm.get_int([perm]) <= 0b111:
|
|
return jsonify({"error": f"Permission {perm} is not allowed for organization's roles"}), 400
|
|
|
|
if role not in org.roles:
|
|
return jsonify({"error": f"Role {role} does not exist in organization {org.name}"}), 400
|
|
|
|
if org.roles[role]["status"] != "active":
|
|
return jsonify({"error": f"Role {role} is not active in organization {org.name}"}), 400
|
|
|
|
roles = org.roles.copy()
|
|
roles[role]["permissions"] = PermOperation.calc(roles[role]["permissions"], perm, operation)
|
|
org.roles = roles
|
|
flag_modified(org, "roles")
|
|
db.commit()
|
|
db.refresh(org)
|
|
return org.roles[role]
|
|
|
|
@staticmethod
|
|
def change_perm_on_role_in_file(file: File, role: str, perm: Perm, operation: PermOperation) -> dict | tuple:
|
|
if Perm.get_int([perm]) > 0b111:
|
|
return jsonify({"error": f"Permission {perm} is not allowed for files' roles"}), 400
|
|
|
|
if role not in file.acl:
|
|
file.acl[role] = 0
|
|
|
|
if (file.acl[role] & perm.value != 0 and operation == PermOperation.ADD) or (file.acl[role] & perm.value == 0 and operation == PermOperation.REMOVE):
|
|
return jsonify({"error": f"Role {role} already has permission {perm} in file {file.name}"}), 400
|
|
|
|
file.acl[role] = PermOperation.calc(file.acl[role], perm, operation)
|
|
flag_modified(file, "acl")
|
|
db.commit()
|
|
db.refresh(file)
|
|
return file.acl
|