| Server IP : 85.214.239.14 / Your IP : 18.116.36.71 Web Server : Apache/2.4.61 (Debian) System : Linux h2886529.stratoserver.net 4.9.0 #1 SMP Tue Jan 9 19:45:01 MSK 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.18 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, MySQL : OFF | cURL : OFF | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : OFF Directory : /srv/modoboa/env/lib64/python3.5/site-packages/modoboa/lib/ |
Upload File : |
"""Object level permissions."""
from django.contrib.auth.models import Group, Permission
from django.contrib.contenttypes.models import ContentType
from modoboa.core import constants as core_constants, signals as core_signals
from modoboa.core.models import ObjectAccess, User
def get_account_roles(user, account=None):
"""Return the list of available account roles.
This function is used to create or modify an account.
:param ``User`` user: connected user
:param ``User`` account: account beeing modified (None on creation)
:return: list of strings
"""
result = [core_constants.SIMPLEUSERS_ROLE]
filters = core_signals.user_can_set_role.send(
sender="get_account_roles", user=user, role="DomainAdmins",
account=account)
condition = (
user.has_perm("admin.add_domain") and
(not filters or True in [flt[1] for flt in filters]))
if condition:
result += [core_constants.DOMAINADMINS_ROLE]
if user.is_superuser:
result += [
core_constants.RESELLERS_ROLE, core_constants.SUPERADMINS_ROLE]
return sorted(result, key=lambda role: role[1])
def grant_access_to_object(user, obj, is_owner=False):
"""Grant access to an object for a given user
There are two different cases where we want to grant access to an
object for a specific user:
* He is the owner (he's just created the object)
* He is going to administrate the object (but he is not the owner)
If the user is the owner, we also grant access to this object to
all super users.
:param user: a ``User`` object
:param obj: an admin. object (Domain, Mailbox, ...)
:param is_owner: the user is the unique object's owner
"""
ct = ContentType.objects.get_for_model(obj)
entry, created = ObjectAccess.objects.get_or_create(
user=user, content_type=ct, object_id=obj.id)
entry.is_owner = is_owner
entry.save()
if not created or not is_owner:
return
for su in User.objects.filter(is_superuser=True):
if su == user:
continue
ObjectAccess.objects.get_or_create(
user=su, content_type=ct, object_id=obj.id
)
def grant_access_to_objects(user, objects, ct):
"""Grant access to a collection of objects
All objects in the collection must share the same type (ie. ``ct``
applies to all objects).
:param user: a ``User`` object
:param objects: a list of objects
:param ct: the content type
"""
for obj in objects:
ObjectAccess.objects.get_or_create(
user=user, content_type=ct, object_id=obj.id)
def ungrant_access_to_object(obj, user=None):
"""Ungrant access to an object for a specific user
If no user is provided, all entries referencing this object are
deleted from the database.
If a user is provided, we only remove his access. If it was the
owner, we give the ownership to the first super admin we find.
:param obj: an object inheriting from ``models.Model``
:param user: a ``User`` object
"""
ct = ContentType.objects.get_for_model(obj)
if user is not None:
try:
ObjectAccess.objects.get(
user=user, content_type=ct, object_id=obj.id
).delete()
except ObjectAccess.DoesNotExist:
pass
try:
ObjectAccess.objects.get(
content_type=ct, object_id=obj.id, is_owner=True
)
except ObjectAccess.DoesNotExist:
grant_access_to_object(
User.objects.filter(is_superuser=True)[0], obj, True
)
else:
ObjectAccess.objects.filter(
content_type=ct, object_id=obj.id
).delete()
def ungrant_access_to_objects(objects):
"""Cancel all accesses for a given object list.
:param objects: a list of objects inheriting from ``models.Model``
"""
for obj in objects:
ct = ContentType.objects.get_for_model(obj)
ObjectAccess.objects.filter(content_type=ct, object_id=obj.id).delete()
def get_object_owner(obj):
"""Return the unique owner of this object
:param obj: an object inheriting from ``model.Model``
:return: a ``User`` object
"""
ct = ContentType.objects.get_for_model(obj)
try:
entry = ObjectAccess.objects.get(
content_type=ct, object_id=obj.id, is_owner=True
)
except ObjectAccess.DoesNotExist:
return None
return entry.user
def add_permissions_to_group(group, permissions):
"""Add the specified permissions to a django group."""
if isinstance(group, str):
group = Group.objects.get(name=group)
for appname, modelname, permname in permissions:
ct = ContentType.objects.get_by_natural_key(appname, modelname)
if group.permissions.filter(
content_type=ct, codename=permname).exists():
continue
group.permissions.add(
Permission.objects.get(content_type=ct, codename=permname)
)