changeset 60:9fdadb60529f

working on authentication and authorization
author casties
date Mon, 25 Oct 2010 23:24:19 +0200
parents a5f2550a5b44
children e81d034b28a5
files RestDbGisApi.py RestDbInterface.py
diffstat 2 files changed, 51 insertions(+), 7 deletions(-) [+]
--- a/RestDbGisApi.py	Fri Oct 22 19:37:55 2010 +0200
+++ b/RestDbGisApi.py	Mon Oct 25 23:24:19 2010 +0200
@@ -56,13 +56,33 @@
         return self.getLiveKmlUrl(schema=schema,table=table)
 
 
-    def checkTableMetaPermission(self,action,schema,table,user=None):
+    def getTableOwner(self,schema,table):
+        """returns the owner of the table"""
+        # TODO: look up in metadata
+        return None
+
+    def isAllowed(self,action,schema,table,user=None,owner=None):
         """returns if the requested action on the table is allowed"""
-        logging.debug("checktablemetapermissions action=%s schema=%s table=%s user=%s"%(action,schema,table,user))
         if user is None:
             user = self.REQUEST.get('AUTHENTICATED_USER',None)
-        logging.debug("user=%s"%user)
-        # TODO: what now?
+        logging.debug("isAllowed action=%s schema=%s table=%s user=%s"%(action,schema,table,user))
+        # TODO: check permissions from meta data table
+        if action == "create":
+            if user is not None and str(user) != 'Anonymous User':
+                # any authenticated user can create
+                return True
+            else:
+                return False
+        
+        if action == "update":
+            if owner is None:
+                owner = self.getTableOwner(schema,table)
+            if user is not None and str(user) == str(owner):
+                # update only your own table
+                return True
+            else:
+                return False
+        
         return True
 
     def setTableMetaTypes(self,schema,table,fields):
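Review bot: `isAllowed` ends with `return True`, so every action other than "create" and "update" (including a misspelled action name) is allowed for every caller, anonymous ones included. For a permission check the safer shape is to name the actions that are meant to be open and finish with `return False`. In the "update" branch `getTableOwner` is still a stub that returns None, so `str(user) == str(owner)` compares against the text 'None' and a principal whose id renders as that string would pass. Adding `if owner is None: return False` before the comparison closes that gap until the metadata lookup exists.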
@@ -101,8 +121,10 @@
         # should be cross-site accessible 
         if RESPONSE is None:
             RESPONSE = self.REQUEST.RESPONSE
-            
         RESPONSE.setHeader('Access-Control-Allow-Origin', '*')
+        
+        user = self.REQUEST.get('AUTHENTICATED_USER',None)
+        logging.debug("user=%s"%user)
                 
         # everything else has its own template
         pt = getattr(self.template, '%s_schema_table'%resultFormat, None)
@@ -133,7 +155,7 @@
                 
             sqlFields.append({'name':name, 'type':type, 'sqltype':sqltype})
             
-        if self.checkTableMetaPermission("create", schema, table):
+        if self.isAllowed("create", schema, table):
             self.executeSQL('drop table if exists "%s"."%s"'%(schema,table),hasResult=False)
             fieldString = ", ".join(['"%s" %s'%(f['name'],f['sqltype']) for f in sqlFields])
             sqlString = 'create table "%s"."%s" (%s)'%(schema,table,fieldString)
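Review bot: The "create" check here guards a `drop table if exists` as well as the create, so under the policy added in this commit any authenticated user can replace a table that already exists, whoever owns it. RestDbInterface.py in the same commit asks for "update" when `hasTable` is true, and this path should make the same distinction. Assuming `hasTable` is inherited, that would be `action = "update" if self.hasTable(schema,table) else "create"` followed by `if self.isAllowed(action, schema, table):`. The enclosing method starts and continues outside the hunk, so what happens when the check fails is not visible here.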
--- a/RestDbInterface.py	Fri Oct 22 19:37:55 2010 +0200
+++ b/RestDbInterface.py	Mon Oct 25 23:24:19 2010 +0200
@@ -6,6 +6,7 @@
 
 from OFS.Folder import Folder
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
+from AccessControl import getSecurityManager, Unauthorized
 from Products.ZSQLExtend import ZSQLExtend
 import logging
 import re
@@ -185,6 +186,15 @@
             cur.close()
             return None
 
+    def isAllowed(self,action,schema,table,user=None):
+        """returns if the requested action on the table is allowed"""
+        if user is None:
+            user = self.REQUEST.get('AUTHENTICATED_USER',None)
+        logging.debug("isAllowed action=%s schema=%s table=%s user=%s"%(action,schema,table,user))
+        # no default policy!
+        return True
+
+
     def publishTraverse(self,request,name):
         """change the traversal"""
         # get stored path
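Review bot: The base `isAllowed` returns True for every action and user, so the `raise Unauthorized` checks added later in this file never fire unless a subclass overrides the method. If the open default is intentional, the docstring should say that the base class allows everything and that subclasses must override it to enforce a policy. Otherwise deny the mutating actions by default with `return action not in ("create", "update")`. `getSecurityManager` is imported in this commit but not used in the visible hunks; `getSecurityManager().getUser()` would be a more direct source for the current user than a request key lookup.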
@@ -426,6 +436,7 @@
         """create a table with the given fields
            returns list of created fields"""
         logging.debug("createEmptyTable")
+
         sqlFields = []
         for f in fields:
             if isinstance(f,dict):
@@ -442,7 +453,15 @@
                 
             sqlFields.append({'name':name, 'type':type, 'sqltype':sqltype})
             
-        self.executeSQL('drop table if exists "%s"."%s"'%(schema,table),hasResult=False)
+        if self.hasTable(schema,table):
+            # TODO: find owner
+            if not self.isAllowed("update", schema, table):
+                raise Unauthorized
+            self.executeSQL('drop table "%s"."%s"'%(schema,table),hasResult=False)
+        else:
+            if not self.isAllowed("create", schema, table):
+                raise Unauthorized
+            
         fieldString = ", ".join(['"%s" %s'%(f['name'],f['sqltype']) for f in sqlFields])
         sqlString = 'create table "%s"."%s" (%s)'%(schema,table,fieldString)
         logging.debug("createemptytable: SQL=%s"%sqlString)
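Review bot: The new `drop table "%s"."%s"` statement, like the create statement below it, builds SQL by pasting `schema`, `table` and the field names between double quotes without escaping, so a name containing `"` ends the identifier and the remainder is parsed as SQL. Where these values come from is outside the hunk, but if they originate from the request they need validating before use. The module already imports `re`, so one option is `if not re.match(r'^[A-Za-z_][A-Za-z0-9_]*\Z', table): raise ValueError("invalid table name")`, with the same check for `schema` and each field name. The create path in RestDbGisApi.py uses the same string building and needs the same treatment.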
@@ -464,6 +483,9 @@
         '''
         from xml.dom.pulldom import parseString,parse
         
+        if not (fieldsOnly or self.isAllowed("create", schema, table)):
+            raise Unauthorized
+
         namespace = "urn:schemas-microsoft-com:office:spreadsheet"
         containerTagName = "Table"
         rowTagName = "Row"