# HG changeset patch # User casties # Date 1288041859 -7200 # Node ID 9fdadb60529f657464ab08802c5b47500e32c83b # Parent a5f2550a5b44dd2a6f5a8d4b0895d642244f5c0c working on authentication and authorization diff -r a5f2550a5b44 -r 9fdadb60529f RestDbGisApi.py --- a/RestDbGisApi.py Fri Oct 22 19:37:55 2010 +0200 +++ b/RestDbGisApi.py Mon Oct 25 23:24:19 2010 +0200 @@ -56,13 +56,33 @@ return self.getLiveKmlUrl(schema=schema,table=table) - def checkTableMetaPermission(self,action,schema,table,user=None): + def getTableOwner(self,schema,table): + """returns the owner of the table""" + # TODO: look up in metadata + return None + + def isAllowed(self,action,schema,table,user=None,owner=None): """returns if the requested action on the table is allowed""" - logging.debug("checktablemetapermissions action=%s schema=%s table=%s user=%s"%(action,schema,table,user)) if user is None: user = self.REQUEST.get('AUTHENTICATED_USER',None) - logging.debug("user=%s"%user) - # TODO: what now? + logging.debug("isAllowed action=%s schema=%s table=%s user=%s"%(action,schema,table,user)) + # TODO: check permissions from meta data table + if action == "create": + if user is not None and str(user) != 'Anonymous User': + # any authenticated user can create + return True + else: + return False + + if action == "update": + if owner is None: + owner = self.getTableOwner(schema,table) + if user is not None and str(user) == str(owner): + # update only your own table + return True + else: + return False + return True def setTableMetaTypes(self,schema,table,fields): @@ -101,8 +121,10 @@ # should be cross-site accessible if RESPONSE is None: RESPONSE = self.REQUEST.RESPONSE - RESPONSE.setHeader('Access-Control-Allow-Origin', '*') + + user = self.REQUEST.get('AUTHENTICATED_USER',None) + logging.debug("user=%s"%user) # everything else has its own template pt = getattr(self.template, '%s_schema_table'%resultFormat, None) @@ -133,7 +155,7 @@ sqlFields.append({'name':name, 'type':type, 'sqltype':sqltype}) - if self.checkTableMetaPermission("create", schema, table): + if self.isAllowed("create", schema, table): self.executeSQL('drop table if exists "%s"."%s"'%(schema,table),hasResult=False) fieldString = ", ".join(['"%s" %s'%(f['name'],f['sqltype']) for f in sqlFields]) sqlString = 'create table "%s"."%s" (%s)'%(schema,table,fieldString) diff -r a5f2550a5b44 -r 9fdadb60529f RestDbInterface.py --- a/RestDbInterface.py Fri Oct 22 19:37:55 2010 +0200 +++ b/RestDbInterface.py Mon Oct 25 23:24:19 2010 +0200 @@ -6,6 +6,7 @@ from OFS.Folder import Folder from Products.PageTemplates.PageTemplateFile import PageTemplateFile +from AccessControl import getSecurityManager, Unauthorized from Products.ZSQLExtend import ZSQLExtend import logging import re @@ -185,6 +186,15 @@ cur.close() return None + def isAllowed(self,action,schema,table,user=None): + """returns if the requested action on the table is allowed""" + if user is None: + user = self.REQUEST.get('AUTHENTICATED_USER',None) + logging.debug("isAllowed action=%s schema=%s table=%s user=%s"%(action,schema,table,user)) + # no default policy! + return True + + def publishTraverse(self,request,name): """change the traversal""" # get stored path @@ -426,6 +436,7 @@ """create a table with the given fields returns list of created fields""" logging.debug("createEmptyTable") + sqlFields = [] for f in fields: if isinstance(f,dict): @@ -442,7 +453,15 @@ sqlFields.append({'name':name, 'type':type, 'sqltype':sqltype}) - self.executeSQL('drop table if exists "%s"."%s"'%(schema,table),hasResult=False) + if self.hasTable(schema,table): + # TODO: find owner + if not self.isAllowed("update", schema, table): + raise Unauthorized + self.executeSQL('drop table "%s"."%s"'%(schema,table),hasResult=False) + else: + if not self.isAllowed("create", schema, table): + raise Unauthorized + fieldString = ", ".join(['"%s" %s'%(f['name'],f['sqltype']) for f in sqlFields]) sqlString = 'create table "%s"."%s" (%s)'%(schema,table,fieldString) logging.debug("createemptytable: SQL=%s"%sqlString) @@ -464,6 +483,9 @@ ''' from xml.dom.pulldom import parseString,parse + if not (fieldsOnly or self.isAllowed("create", schema, table)): + raise Unauthorized + namespace = "urn:schemas-microsoft-com:office:spreadsheet" containerTagName = "Table" rowTagName = "Row"