import functools

from flask import abort, g

from .db import get_db
from .permissions import is_admin
# Names of the individual permission flags. has_permission() looks a flag up
# by name in a role_config row, so these presumably mirror that table's
# columns -- confirm against the schema.
permissions = [
    "p_create_threads",
    "p_reply_threads",
    "p_manage_threads",
    "p_delete_posts",
    "p_view_threads",
    "p_vote",
    "p_create_polls",
    "p_approve",
    "p_create_subforum",
    "p_view_forum",
]
def get_role_config(forum_id, role):
    """Return the role_config row that applies to *role* in *forum_id*.

    The forum itself is checked first, then each parent in turn; the first
    row found for the role wins. A role with no row anywhere on that path
    falls back to whatever is configured for the "other" role.

    Raises:
        RuntimeError: if even "other" has no row on the path to the root.
    """
    config_sql = (
        "\n"
        "SELECT * FROM role_config\n"
        "WHERE forum = ? AND role = ?;\n"
    )
    parent_sql = (
        "\n"
        "SELECT * FROM forums WHERE id = ?\n"
    )
    db = get_db()
    current = forum_id
    found = None
    while found is None and current is not None:
        found = db.execute(config_sql, (current, role)).fetchone()
        # NOTE(review): fetchone() is None for an id with no forums row, so
        # this subscript raises TypeError rather than ending the walk.
        current = db.execute(parent_sql, (current,)).fetchone()['parent']
    if found is not None:
        return found
    if role != "other":
        # Roles without their own configuration inherit the default one.
        return get_role_config(forum_id, "other")
    raise RuntimeError(
        "unable to find permissions for role 'other', " +
        "which should have associated permissions in all contexts.")
def get_user_role(forum_id, username):
    """Resolve the role *username* holds in *forum_id*.

    Unknown usernames get "other" and accounts with the admin flag get
    "bureaucrat" without consulting any forum. For everyone else the forum
    and all of its ancestors are walked: the assignment closest to the forum
    is used, except that a "bureaucrat" assignment on any ancestor overrides
    it. With no assignment at all the role is "other".
    """
    db = get_db()
    account = db.execute('SELECT * FROM users WHERE username = ?',
                         (username,)).fetchone()
    if account is None:
        return "other"
    if account['admin']:
        return "bureaucrat"

    assignment_sql = (
        "\n"
        "SELECT * FROM role_assignments\n"
        "WHERE forum = ? AND user = ?;\n"
    )
    parent_sql = (
        "\n"
        "SELECT * FROM forums WHERE id = ?\n"
    )
    chosen = None
    current = forum_id
    while current is not None:
        row = db.execute(assignment_sql, (current, username)).fetchone()
        grants_bureaucrat = row and row['role'] == "bureaucrat"
        # The first (nearest) assignment sticks; later ancestors can only
        # replace it by granting "bureaucrat".
        if chosen is None or grants_bureaucrat:
            chosen = row
        # NOTE(review): raises TypeError if the forums row is missing.
        current = db.execute(parent_sql, (current,)).fetchone()['parent']
    if chosen is None:
        return 'other'
    return chosen['role']
def get_forum_roles(forum_id):
    """Return the set of role names configured on *forum_id* or any ancestor.

    A recursive query collects the forum and every parent above it; the
    role_config rows of each are then read and their role names merged.
    """
    lineage_sql = (
        "\n"
        "WITH RECURSIVE fs AS\n"
        "(SELECT * FROM forums WHERE id = ?\n"
        "UNION ALL\n"
        "SELECT forums.* FROM forums, fs WHERE fs.parent=forums.id)\n"
        "SELECT * FROM fs;\n"
    )
    config_sql = (
        "\n"
        "SELECT * FROM role_config WHERE forum = ?\n"
    )
    db = get_db()
    lineage = db.execute(lineage_sql, (forum_id,)).fetchall()
    roles = set()
    for forum in lineage:
        rows = db.execute(config_sql, (forum['id'],)).fetchall()
        roles.update(row['role'] for row in rows)
    return roles
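def has_permission(forum_id, username, permission, login_required=True):
    """Decide whether *username* holds *permission* in *forum_id*.

    Checks run in this order, and the first one that applies decides:

    1. A forum id with no forums row is denied.
    2. An unlisted forum is denied to everyone whose users row does not
       carry the admin flag.
    3. An anonymous caller is denied when *login_required* is set.
    4. The "bureaucrat" role is granted every permission.
    5. Otherwise the answer is the *permission* field of the role's
       role_config row, as resolved by get_role_config().

    Args:
        forum_id: id of the forum being accessed.
        username: the caller's username, or None/empty for an anonymous one.
        permission: name of the permission flag to read from the config row.
        login_required: deny anonymous callers outright when true.

    Returns:
        False or True for the early decisions, else the stored flag value
        (returned as stored, not coerced to bool).
    """
    db = get_db()
    forum = db.execute("SELECT * FROM forums WHERE id = ?",(forum_id,)).fetchone()
    if forum is None:
        # Fail closed: previously this surfaced as a TypeError on the
        # subscript below instead of an explicit denial.
        return False
    user = db.execute('SELECT * FROM users WHERE username = ?',
                      (username,)).fetchone() if username else None
    if forum['unlisted'] and not (user and user['admin']):
        return False
    # An empty username is treated as anonymous by the role lookup below, so
    # the login check has to treat it the same way rather than test for None
    # alone.
    if not username and login_required:
        return False
    role = get_user_role(forum_id, username) if username else "other"
    if role == "bureaucrat":
        return True
    config = get_role_config(forum_id, role)
    return config[permission]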
def is_bureaucrat(forum_id, user):
    """Report whether *user* resolves to the "bureaucrat" role in *forum_id*.

    A missing user (None) is never a bureaucrat and is answered without
    consulting get_user_role().
    """
    return user is not None and get_user_role(forum_id, user) == "bureaucrat"
# ^ the above could perhaps be refactored to use the new DB wrappers, but I am
# not focusing on it right now
# decorators for paths that require certain permissions
# the path must accept an object implementing get_forum
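def requires_permission(*a, **k):
    """Build a decorator that answers 403 unless g.user passes a forum check.

    The decorated callable must take, as its first argument, an object that
    implements get_forum(). The positional and keyword arguments given here
    are forwarded, after g.user, to that forum's has_permission() method.

    abort() must be imported from flask at module level: without it a denied
    request raises NameError and surfaces as a server error, not a 403.
    """
    def decorator(f):
        @functools.wraps(f)
        def wrapper(obj, *args, **kwargs):
            if not obj.get_forum().has_permission(g.user, *a, **k):
                # abort() raises, so f never runs for a denied request.
                abort(403)
            return f(obj, *args, **kwargs)
        return wrapper
    return decorator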
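def requires_bureaucrat(f):
    """Restrict *f* to callers who are bureaucrats of the object's forum.

    The caller must first pass the "p_view_forum" check applied by
    requires_permission(), and then the forum's is_bureaucrat() check for
    g.user; failing either one ends the request with 403.

    The decorated callable must take, as its first argument, an object that
    implements get_forum().
    """
    @functools.wraps(f)
    @requires_permission("p_view_forum")
    def wrapper(obj, *args, **kwargs):
        if not obj.get_forum().is_bureaucrat(g.user):
            abort(403)
        # Pass the received object through. The previous code passed the
        # undefined name `forum`, so every authorized call raised NameError.
        return f(obj, *args, **kwargs)
    return wrapper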