From b8606bc0b5abdd5fd3791bb066740fa7a15181b4 Mon Sep 17 00:00:00 2001
From: Dirk Alders
Date: Mon, 21 Oct 2024 17:29:49 +0200
Subject: [PATCH] Initial access cotrol implemented

---
pages/access.py | 64 +++-
pages/admin.py | 2 +
pages/context.py | 3 +-
pages/forms.py | 7 +-
pages/help.py | 20 +-
pages/management/commands/migrate_to_db.py | 73 ----
...ricalpikipage_group_perms_read_and_more.py | 73 ++++
pages/models.py | 6 +
pages/page.py | 347 ------------------
pages/views.py | 5 +
requirements.txt | 1 +
11 files changed, 173 insertions(+), 428 deletions(-)
delete mode 100644 pages/management/commands/migrate_to_db.py
create mode 100644 pages/migrations/0002_historicalpikipage_group_perms_read_and_more.py
delete mode 100644 pages/page.py

diff --git a/pages/access.py b/pages/access.py
index 6917f7f..175de41 100644
--- a/pages/access.py
+++ b/pages/access.py
@@ -1,14 +1,72 @@ +from django.conf import settings +import logging + +from .models import PikiPage + +logger = logging.getLogger(settings.ROOT_LOGGER_NAME).getChild(__name__) + + class access_control(object): def __init__(self, request, rel_path): self._request = request self._rel_path = rel_path + self._user = request.user + try: + self._page = PikiPage.objects.get(rel_path=rel_path) + except PikiPage.DoesNotExist: + self._page = None + self._read = None + self._write = None + + def __analyse_access_rights__(self): + if self._read is None or self._write is None: + self._read = False + self._write = False + # + if self._user.is_superuser: + # A superuser has full access + logger.debug("User is superuser -> full access granted") + self._read = True + self._write = True + elif self._page is None: + if self._user.is_staff: + # Page creation is allowed for staff users + logger.debug("Page does not exist and user is staff -> full access granted") + self._read = True + self._write = True + else: + logger.debug("Page does not exist and user is not staff -> no access granted") + else: + user_is_owner = self._page.owner == self._user + user_in_page_group = self._page.group in self._user.groups.all() + # read permissions + if user_is_owner and self._page.owner_perms_read: + logger.debug("Read access granted, due to owner permissions of page") + self._read = True + elif user_in_page_group and self._page.group_perms_read: + logger.debug("Read access granted, due to group permissions of page") + self._read = True + elif self._page.other_perms_read: + logger.debug("Read access granted, due to other permissions of page") + self._read = True + # write permissions + if user_is_owner and self._page.owner_perms_write: + logger.debug("Write access granted, due to owner permissions of page") + self._write = True + elif user_in_page_group and self._page.group_perms_write: + logger.debug("Write access granted, due to group permissions of page") + self._write = True + elif 
self._page.other_perms_write: + logger.debug("Write access granted, due to other permissions of page") + self._write = True def may_read(self): - return "private" not in self._rel_path or self.may_write() + self.__analyse_access_rights__() + return self._read def may_write(self): - # /!\ rel_path is the filsystem rel_path - caused by the flat folder structure /!\ - return self._request.user.is_authenticated and self._request.user.username in ['root', 'dirk'] + self.__analyse_access_rights__() + return self._write def may_read_attachment(self): return self.may_read() diff --git a/pages/admin.py b/pages/admin.py index 6260b56..1c30807 100644 --- a/pages/admin.py +++ b/pages/admin.py @@ -10,6 +10,8 @@ class PikiPageAdmin(SimpleHistoryAdmin): search_fields = ('rel_path', 'tags', ) list_filter = ( ('deleted', admin.BooleanFieldListFilter), + ('other_perms_read', admin.BooleanFieldListFilter), + ('other_perms_write', admin.BooleanFieldListFilter), ) ordering = ["rel_path"] diff --git a/pages/context.py b/pages/context.py index a123bc7..96f3342 100644 --- a/pages/context.py +++ b/pages/context.py @@ -5,7 +5,6 @@ import os from django.conf import settings from django.utils.translation import gettext as _ -from pages.access import access_control import pages.parameter from .help import actionbar as actionbar_add_help import mycreole @@ -74,7 +73,7 @@ def actionbar(context, request, caller_name, **kwargs): bar = context[context.ACTIONBAR] if not cms_mode_active(request): if caller_name in ['page', 'edit', 'delete', 'rename']: - acc = access_control(request, kwargs["rel_path"]) + acc = kwargs["acc"] if acc.may_write(): add_page_menu(request, bar, kwargs["rel_path"], kwargs.get('is_available', False)) if acc.may_modify_attachment(): diff --git a/pages/forms.py b/pages/forms.py index 256975b..b192ddd 100644 --- a/pages/forms.py +++ b/pages/forms.py 
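Review bot: The "other" branches of `__analyse_access_rights__` are reached by unauthenticated visitors as well: nothing in the chain tests `self._user.is_authenticated`, so with `other_perms_read` defaulting to True every page is world-readable, and a page with `other_perms_write` set is writable by anyone, whereas the removed `may_write` at least required an authenticated user. If "other" is meant as "any other logged-in user", guard both branches, e.g. `elif self._user.is_authenticated and self._page.other_perms_read:` (and the same for write); if anonymous access is intended, state that in a comment on the class so it is not mistaken for an oversight. The lookup `PikiPage.objects.get(rel_path=rel_path)` also does not filter on the page's `deleted` flag (visible in admin.py), so a soft-deleted page presumably still grants access by its stored permissions — worth confirming against the views. A short comment noting that `owner` and `group` are nullable FKs (models.py) and simply never match when unset would help the next reader.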
@@ -9,7 +9,12 @@ from .models import PikiPage class EditForm(forms.ModelForm): class Meta: model = PikiPage - fields = ["page_txt", "tags", "owner", "group"] + fields = [ + "page_txt", + "tags", + "owner", "owner_perms_read", "owner_perms_write", + "group", "group_perms_read", "group_perms_write", + "other_perms_read", "other_perms_write",] class RenameForm(forms.Form): # Note that it is not inheriting from forms.ModelForm diff --git a/pages/help.py b/pages/help.py index 1c3ceec..d2e316e 100644 --- a/pages/help.py +++ b/pages/help.py @@ -35,8 +35,24 @@ CREOLE += mycreole.render_simple(""" ACCESS = mycreole.render_simple(_(""" = Access -* Currently just two specific users have write access. -* Pages containing "private" in the relative page path have no public read access. +== Administrator +If the user has //Superuser status//, the user is able to create, read and write all pages. +== Create new pages +Only users with //Superuser status// or //Staff status// are able to create new pages. +== Page rigths +All following subsections are able to grant read or write access to the user +=== Owner permissions +Every page has an owner, if the user is the owner, the defined read or write permissions will be granted. +=== Group permissions +Every page has a group, if the user is in that group, the defined read or write permissions will be granted. +=== Other permissions +If no other mechanism granted the permissions, the defined read or write permissions for all other users will be granted. + += Default permissions +| =Mechanism | =Read | Write | +| Owner | X | X | +| Group | X | X | +| Other | X | - | """)) SEARCH = mycreole.render_simple(_( diff --git a/pages/management/commands/migrate_to_db.py b/pages/management/commands/migrate_to_db.py deleted file mode 100644 index 2399c51..0000000 --- a/pages/management/commands/migrate_to_db.py +++ /dev/null 
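Review bot: `EditForm` now exposes `owner`, `group` and all six `*_perms_*` fields, so if the edit view hands this form to everyone `access_control.may_write()` accepts, a group member or (with `other_perms_write`) any other user can reassign the owner and widen the permissions of the page, including granting write access to others — a privilege escalation through the edit form. Consider limiting these fields to the page owner or a superuser, either by building the form without them for other writers or by checking in the view that `owner` and the `*_perms_*` values are unchanged unless the requester is the owner. The view that instantiates EditForm is outside this hunk, so this is inferred from the field list alone.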
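Review bot: Typo in the new help text: `== Page rigths` should read `== Page rights`, and the table header `| =Mechanism | =Read | Write |` lacks the `=` header marker on the last column (`| =Mechanism | =Read | =Write |`). These strings are wrapped in `_()`, so the corrected text becomes the translation source.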
@@ -1,73 +0,0 @@ -from django.conf import settings -from django.contrib.auth.models import User -from django.core.management.base import BaseCommand -from pages.page import full_path_all_pages, page_wrapped - -from pages.models import PikiPage - -from datetime import datetime -import fstools -import os -import shutil -from zoneinfo import ZoneInfo - - -def add_page_data(rel_path, tags, page_txt, creation_time, creation_user, modified_time, modified_user): - try: - page = PikiPage.objects.get(rel_path=rel_path) - except PikiPage.DoesNotExist: - page = PikiPage(rel_path=rel_path) - # - page.tags = tags - page.page_txt = page_txt - # - page.creation_time = datetime.fromtimestamp(creation_time, ZoneInfo("UTC")) - creation_user = creation_user or "dirk" - page.creation_user = User.objects.get(username=creation_user) - modified_user = modified_user or "dirk" - page.modified_time = datetime.fromtimestamp(modified_time, ZoneInfo("UTC")) - page.modified_user = User.objects.get(username=modified_user) - page.owner = page.owner or page.creation_user - # - page.save() - - -class Command(BaseCommand): - def handle(self, *args, **options): - for path in full_path_all_pages(): - fs_page = page_wrapped(None, path) - if fs_page._page.is_available(): - self.stdout.write(self.style.MIGRATE_HEADING("Migration of page '%s'" % fs_page.rel_path)) - for history_number in fs_page._page.history_numbers_list(): - self.stdout.write(self.style.MIGRATE_HEADING(" * Adding history version %d" % history_number)) - h_page = page_wrapped(None, path, history_version=history_number) - add_page_data( - rel_path=h_page.rel_path, - tags=h_page.tags, - page_txt=h_page._page.raw_page_src, - # - creation_time=h_page.creation_time, - creation_user=h_page.creation_user, - modified_time=h_page.modified_time, - modified_user=h_page.modified_user - ) - # - self.stdout.write(self.style.MIGRATE_HEADING(" * Adding current version")) - add_page_data( - rel_path=fs_page.rel_path, - tags=fs_page.tags, - 
page_txt=fs_page._page.raw_page_src, - # - creation_time=fs_page.creation_time, - creation_user=fs_page.creation_user, - modified_time=fs_page.modified_time, - modified_user=fs_page.modified_user - ) - # - src = os.path.join(path, "attachments") - if os.path.isdir(src): - dst = os.path.join(settings.MYCREOLE_ROOT, fs_page.rel_path) - for attachment in fstools.filelist(src): - self.stdout.write(self.style.MIGRATE_HEADING(" * Copy attachment ''%s to new location" % os.path.basename(attachment))) - fstools.mkdir(dst) - shutil.copy(attachment, dst) diff --git a/pages/migrations/0002_historicalpikipage_group_perms_read_and_more.py b/pages/migrations/0002_historicalpikipage_group_perms_read_and_more.py new file mode 100644 index 0000000..ca8beb6 --- /dev/null +++ b/pages/migrations/0002_historicalpikipage_group_perms_read_and_more.py 
@@ -0,0 +1,73 @@ +# Generated by Django 5.1.2 on 2024-10-21 10:49 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('pages', '0001_initial'), + ] + + operations = [ + migrations.AddField( + model_name='historicalpikipage', + name='group_perms_read', + field=models.BooleanField(default=True), + ), + migrations.AddField( + model_name='historicalpikipage', + name='group_perms_write', + field=models.BooleanField(default=True), + ), + migrations.AddField( + model_name='historicalpikipage', + name='other_perms_read', + field=models.BooleanField(default=True), + ), + migrations.AddField( + model_name='historicalpikipage', + name='other_perms_write', + field=models.BooleanField(default=False), + ), + migrations.AddField( + model_name='historicalpikipage', + name='owner_perms_read', + field=models.BooleanField(default=True), + ), + migrations.AddField( + model_name='historicalpikipage', + name='owner_perms_write', + field=models.BooleanField(default=True), + ), + migrations.AddField( + model_name='pikipage', + name='group_perms_read', + field=models.BooleanField(default=True), + ), + migrations.AddField( + model_name='pikipage', + name='group_perms_write', + field=models.BooleanField(default=True), + ), + migrations.AddField( + model_name='pikipage', + name='other_perms_read', + field=models.BooleanField(default=True), + ), + migrations.AddField( + model_name='pikipage', + name='other_perms_write', + field=models.BooleanField(default=False), + ), + migrations.AddField( + model_name='pikipage', + name='owner_perms_read', + field=models.BooleanField(default=True), + ), + migrations.AddField( + model_name='pikipage', + name='owner_perms_write', + field=models.BooleanField(default=True), + ), + ] diff --git a/pages/models.py b/pages/models.py index 80dc4fc..f566527 100644 --- a/pages/models.py +++ b/pages/models.py 
@@ -34,8 +34,14 @@ class PikiPage(models.Model): owner = models.ForeignKey(User, null=True, blank=True, on_delete=models.SET_NULL, related_name="owner") group = models.ForeignKey(Group, null=True, blank=True, on_delete=models.SET_NULL, related_name="group") # owner_perms + owner_perms_read = models.BooleanField(default=True) + owner_perms_write = models.BooleanField(default=True) # group_perms + group_perms_read = models.BooleanField(default=True) + group_perms_write = models.BooleanField(default=True) # other_perms + other_perms_read = models.BooleanField(default=True) + other_perms_write = models.BooleanField(default=False) # history = HistoricalRecords() diff --git a/pages/page.py b/pages/page.py deleted file mode 100644 index 474367e..0000000 --- a/pages/page.py +++ /dev/null 
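Review bot: `other_perms_read = models.BooleanField(default=True)`, together with the dropped `"private" not in self._rel_path` rule in access.py, means every existing page — including those that were private by path — becomes readable by everyone once migration 0002 applies the same default. Either default the field to False, or add a `RunPython` data migration that sets `other_perms_read=False` for rows whose `rel_path` contains "private", in the same change that removes the path rule. A comment on the three `# *_perms` groups explaining what a NULL `owner`/`group` means for the access check would also be useful.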
@@ -1,347 +0,0 @@ -import difflib -from django.conf import settings -from django.utils.translation import gettext as _ -import fstools -import json -import logging -from pages import messages, url_page -import mycreole -import os -import shutil -import time -from . import timestamp_to_datetime - -logger = logging.getLogger(settings.ROOT_LOGGER_NAME).getChild(__name__) - - -SPLITCHAR = ":" -HISTORY_FOLDER_NAME = 'history' - - -def full_path_all_pages(expression="*"): - system_pages = fstools.dirlist(settings.SYSTEM_PAGES_ROOT, expression=expression, rekursive=False) - system_pages = [os.path.join(settings.PAGES_ROOT, os.path.basename(path)) for path in system_pages] - pages = fstools.dirlist(settings.PAGES_ROOT, expression=expression, rekursive=False) - rv = [] - for path in set(system_pages + pages): - p = page_wrapped(None, path) - if p.is_available(): - rv.append(path) - return rv - - -class base(dict): - @property - def rel_path(self): - return os.path.basename(self._path).replace(2*SPLITCHAR, "/") - - def is_available(self): - is_a = os.path.isfile(self.filename) - if not is_a: - logger.debug("Not available - %s", self.filename) - return is_a - - def history_numbers_list(self): - history_folder = os.path.join(self._path, HISTORY_FOLDER_NAME) - return list(set([int(os.path.basename(filename)[:5]) for filename in fstools.filelist(history_folder)])) - - -class meta_data(base): - META_FILE_NAME = 'meta.json' - # - KEY_CREATION_TIME = "creation_time" - KEY_CREATION_USER = "creation_user" - KEY_MODIFIED_TIME = "modified_time" - KEY_MODIFIED_USER = "modified_user" - KEY_TAGS = "tags" - - def __init__(self, path, history_version=None): - self._path = path - self._history_version = history_version - # - # Load data from disk - try: - with open(self.filename, 'r') as fh: - super().__init__(json.load(fh)) - except (FileNotFoundError, json.decoder.JSONDecodeError) as e: - super().__init__() - - def delete(self): - os.remove(self.filename) - - @property - def 
filename(self): - if not self._history_version: - return os.path.join(self._path, self.META_FILE_NAME) - else: - return self.history_filename(self._history_version) - - def history_filename(self, history_version): - return os.path.join(self._path, HISTORY_FOLDER_NAME, "%05d_%s" % (history_version, self.META_FILE_NAME)) - - def update_required(self, tags): - return tags != self.get(self.KEY_TAGS) - - def update(self, username, tags): - if self._history_version: - logger.error("A history version %05d can not be updated!", self._history_version) - return False - else: - if username: - self[self.KEY_MODIFIED_TIME] = int(time.time()) - self[self.KEY_MODIFIED_USER] = username - # - if self.KEY_CREATION_USER not in self: - self[self.KEY_CREATION_USER] = self[self.KEY_MODIFIED_USER] - if self.KEY_CREATION_TIME not in self: - self[self.KEY_CREATION_TIME] = self[self.KEY_MODIFIED_TIME] - if tags: - self[self.KEY_TAGS] = tags - # - if username or tags: - self.save() - return True - - def save(self): - if self._history_version: - logger.error("A history version %05d can not be updated!", self._history_version) - return False - else: - with open(self.filename, 'w') as fh: - json.dump(self, fh, indent=4) - return True - - def store_to_history(self, history_number): - history_filename = self.history_filename(history_number) - fstools.mkdir(os.path.dirname(history_filename)) - shutil.copy(self.filename, history_filename) - - -class page_data(base): - PAGE_FILE_NAME = 'page' - - def __init__(self, path, history_version=None): - self._history_version = history_version - self._path = path - self._raw_page_src = None - - def _load_page_src(self): - if self._raw_page_src is None: - try: - with open(self.filename, 'r') as fh: - self._raw_page_src = fh.read() - except FileNotFoundError: - self._raw_page_src = "" - - def delete(self): - os.remove(self.filename) - - def rename(self, page_name): - # Change backslash to slash and remove double slashes - page_name = page_name.replace("\\", 
"/") - while "//" in page_name: - page_name = page_name.replace("//", "/") - # move path - target_path = os.path.join(settings.PAGES_ROOT, page_name.replace("/", 2*SPLITCHAR)) - shutil.move(self._path, target_path) - # set my path - self._path = target_path - - def update_required(self, page_txt): - return page_txt.replace("\r\n", "\n") != self.raw_page_src - - def update_page(self, page_txt): - if self._history_version: - logger.error("A history version %05d can not be updated!", self._history_version) - return False - else: - # save the new page content - fstools.mkdir(os.path.dirname(self.filename)) - with open(self.filename, 'w') as fh: - fh.write(page_txt) - self._raw_page_src = page_txt - return True - - @property - def filename(self): - if not self._history_version: - return os.path.join(self._path, self.PAGE_FILE_NAME) - else: - return self.history_filename(self._history_version) - - def history_filename(self, history_version): - return os.path.join(self._path, HISTORY_FOLDER_NAME, "%05d_%s" % (history_version, self.PAGE_FILE_NAME)) - - @property - def rel_path(self): - return os.path.basename(self._path).replace(2*SPLITCHAR, "/") - - @property - def title(self): - return os.path.basename(self._path).split(2*SPLITCHAR)[-1] - - @property - def raw_page_src(self): - self._load_page_src() - return self._raw_page_src - - def store_to_history(self, history_number): - history_filename = self.history_filename(history_number) - fstools.mkdir(os.path.dirname(history_filename)) - shutil.copy(self.filename, history_filename) - - -class page_wrapped(object): - """ - This class holds different page and meta instances and decides which will be used in which case. 
- """ - - def __init__(self, request, path, history_version=None): - """_summary_ - - Args: - request (_type_): The django request or None (if None, the page functionality is limited) - path (_type_): A rel_path of the django page or the filesystem path to the page - history_version (_type_, optional): The history version of the page to be created - """ - self._request = request - # - page_path = self.__page_path__(path) - # Page - self._page = page_data(page_path, history_version=history_version) - self._page_meta = meta_data(page_path, history_version=history_version) - - def __page_path__(self, path): - if path.startswith(settings.PAGES_ROOT): - # must be a filesystem path - return path - else: - # must be a relative url - return os.path.join(settings.PAGES_ROOT, path.replace("/", 2*SPLITCHAR)) - - def __page_choose__(self): - return self._page - - def __meta_choose__(self): - return self._page_meta - - def __store_history__(self): - if self._page.is_available(): - try: - history_number = max(self._page.history_numbers_list()) + 1 - except ValueError: - history_number = 1 # no history yet - self._page.store_to_history(history_number) - self._page_meta.store_to_history(history_number) - - # - # meta_data - # - @property - def creation_time(self): - meta = self.__meta_choose__() - rv = meta.get(meta.KEY_CREATION_TIME) - return rv - - @property - def creation_user(self): - meta = self.__meta_choose__() - rv = meta.get(meta.KEY_CREATION_USER) - return rv - - def delete(self): - self.__store_history__() - self._page.delete() - self._page_meta.delete() - - @property - def modified_time(self): - meta = self.__meta_choose__() - rv = meta.get(meta.KEY_MODIFIED_TIME) - return rv - - @property - def modified_user(self): - meta = self.__meta_choose__() - rv = meta.get(meta.KEY_MODIFIED_USER) - return rv - - def rename(self, page_name): - self._page.rename(page_name) - - @property - def tags(self): - meta = self.__meta_choose__() - rv = meta.get(meta.KEY_TAGS) - return rv - 
- # - # page - # - @property - def attachment_path(self): - page = self.__page_choose__() - rv = page.attachment_path - return rv - - def is_available(self): - return self._page.is_available() - - def userpage_is_available(self): - return self._page.is_available() - - @property - def raw_page_src(self): - page = self.__page_choose__() - rv = page.raw_page_src - return rv - - @property - def rel_path(self): - page = self.__page_choose__() - rv = page.rel_path - return rv - - def render_meta(self): - page = self.__page_choose__() - rv = page.render_meta(self.creation_time, self.modified_time, self.creation_user, self.modified_user, self.tags) - return rv - - def render_to_html(self): - page = self.__page_choose__() - rv = page.render_to_html() - return rv - - def render_text(self, request, txt): - page = self.__page_choose__() - rv = page.render_text(request, txt) - return rv - - @property - def title(self): - page = self.__page_choose__() - rv = page.title - return rv - - def update_page(self, txt, tags): - if self._page.update_required(txt) or self._page_meta.update_required(tags): - rv = False - # Store history - self.__store_history__() - username = None - if self._page.update_required(txt): - # Update page - rv |= self._page.update_page(txt) - # Identify username, to update meta - try: - if self._request.user.is_authenticated: - username = self._request.user.username - else: - logger.warning("Page edit without having a logged in user. This is not recommended. Check your access definitions!") - except AttributeError: - logger.exception("Page edit without having a request object. Check programming!") - rv |= self._page_meta.update(username, tags) - # Update search index - from pages.search import update_item - update_item(self) - return rv diff --git a/pages/views.py b/pages/views.py index 9a461aa..4d862de 100644 --- a/pages/views.py +++ b/pages/views.py 
@@ -78,6 +78,7 @@ def page(request, rel_path): context_adaption( context, request, + acc=acc, rel_path=rel_path, title=title, upload_path=rel_path, @@ -110,6 +111,7 @@ def edit(request, rel_path): context_adaption( context, request, + acc=acc, rel_path=rel_path, is_available=is_available, form=form, @@ -141,6 +143,7 @@ def edit(request, rel_path): context_adaption( context, request, + acc=acc, rel_path=rel_path, is_available=is_available, form=form, @@ -176,6 +179,7 @@ def delete(request, rel_path): context_adaption( context, request, + acc=acc, rel_path=rel_path, is_available=is_available, # TODO: Add translation @@ -222,6 +226,7 @@ def rename(request, rel_path): context_adaption( context, request, + acc=acc, rel_path=rel_path, is_available=is_available, form=form, diff --git a/requirements.txt b/requirements.txt index 14b60e6..1a5389d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,5 @@ Django +django-simple-history Pillow python-creole pytz
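Review bot: `django-simple-history` is added without a version constraint, so like the other entries it resolves to whatever is newest at install time, which makes deployments non-reproducible and leaves the historical-record tables exposed to upstream schema changes. Pin it, e.g. `django-simple-history==<tested-version>` (placeholder — use the version the project was developed against), or at least bound it to a major version.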