Refactor permissions.py from IAM app (#4336)

4 years ago · df8590e747
parent b5bac8c0a5
commit df8590e747
11 changed files with 17024 additions and 15223 deletions
--- a/cvat/apps/engine/views.py
+++ b/cvat/apps/engine/views.py
@ -272,7 +272,7 @@ class ProjectViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        queryset = super().get_queryset()
        if self.action == 'list':
-            perm = ProjectPermission('list', self.request, self)
+            perm = ProjectPermission.create_scope_list(self.request)
            queryset = perm.filter(queryset)
        return queryset

@ -571,7 +571,7 @@ class TaskViewSet(UploadMixin, viewsets.ModelViewSet):
    def get_queryset(self):
        queryset = super().get_queryset()
        if self.action == 'list':
-            perm = TaskPermission('list', self.request, self)
+            perm = TaskPermission.create_scope_list(self.request)
            queryset = perm.filter(queryset)

        return queryset
@ -949,7 +949,7 @@ class JobViewSet(viewsets.GenericViewSet, mixins.ListModelMixin,
        queryset = super().get_queryset()

        if self.action == 'list':
-            perm = JobPermission.create_list(self.request)
+            perm = JobPermission.create_scope_list(self.request)
            queryset = perm.filter(queryset)

        return queryset
@ -1113,7 +1113,7 @@ class IssueViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        queryset = super().get_queryset()
        if self.action == 'list':
-            perm = IssuePermission.create_list(self.request)
+            perm = IssuePermission.create_scope_list(self.request)
            queryset = perm.filter(queryset)

        return queryset
@ -1183,7 +1183,7 @@ class CommentViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        queryset = super().get_queryset()
        if self.action == 'list':
-            perm = CommentPermission.create_list(self.request)
+            perm = CommentPermission.create_scope_list(self.request)
            queryset = perm.filter(queryset)

        return queryset
@ -1240,7 +1240,7 @@ class UserViewSet(viewsets.GenericViewSet, mixins.ListModelMixin,
    def get_queryset(self):
        queryset = super().get_queryset()
        if self.action == 'list':
-            perm = UserPermission(self.request, self)
+            perm = UserPermission.create_scope_list(self.request)
            queryset = perm.filter(queryset)

        return queryset
@ -1319,7 +1319,7 @@ class CloudStorageViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        queryset = super().get_queryset()
        if self.action == 'list':
-            perm = CloudStoragePermission(self.request, self)
+            perm = CloudStoragePermission.create_scope_list(self.request)
            queryset = perm.filter(queryset)

        provider_type = self.request.query_params.get('provider_type', None)
--- a/cvat/apps/iam/permissions.py
+++ b/cvat/apps/iam/permissions.py
--- a/cvat/apps/iam/rules/projects.csv
+++ b/cvat/apps/iam/rules/projects.csv
@ -44,3 +44,7 @@ export:backup,Project,Sandbox,None,,GET,/projects/{id}/backup,Admin,N/A
 export:backup,Project,Sandbox,"Owner, Assignee",,GET,/projects/{id}/backup,None,N/A
 export:backup,Project,Organization,"Owner, Assignee",,GET,/projects/{id}/backup,None,Worker
 export:backup,Project,Organization,None,,GET,/projects/{id}/backup,User,Maintainer
+update:organization,"Project, Organization",Sandbox,"None, Assignee",,PATCH,/projects/{id},Admin,N/A
+update:organization,"Project, Organization",Sandbox,Owner,,PATCH,/projects/{id},Worker,N/A
+update:organization,"Project, Organization",Organization,"None, Assignee",,PATCH,/projects/{id},User,Maintainer
+update:organization,"Project, Organization",Organization,Owner,,PATCH,/projects/{id},Worker,Worker
--- a/cvat/apps/iam/rules/projects.rego
+++ b/cvat/apps/iam/rules/projects.rego
@ -129,14 +129,14 @@ allow {


 allow {
-    input.scope == utils.DELETE
+    { utils.DELETE, utils.UPDATE_ORG }[input.scope]
    utils.is_sandbox
    utils.has_perm(utils.WORKER)
    utils.is_resource_owner
 }

 allow {
-    input.scope == utils.DELETE
+    { utils.DELETE, utils.UPDATE_ORG }[input.scope]
    input.auth.organization.id == input.resource.organization.id
    utils.has_perm(utils.WORKER)
    organizations.is_member
@ -144,7 +144,7 @@ allow {
 }

 allow {
-    input.scope == utils.DELETE
+    { utils.DELETE, utils.UPDATE_ORG }[input.scope]
    input.auth.organization.id == input.resource.organization.id
    utils.has_perm(utils.USER)
    organizations.is_staff
--- a/cvat/apps/iam/rules/projects_test.gen.rego
+++ b/cvat/apps/iam/rules/projects_test.gen.rego
--- a/cvat/apps/iam/rules/tasks.csv
+++ b/cvat/apps/iam/rules/tasks.csv
@ -75,4 +75,8 @@ export:annotations,Task,Organization,"Owner, Project:owner, Assignee, Project:as
 export:backup,Task,Sandbox,None,,GET,/tasks/{id}/backup,Admin,N/A
 export:backup,Task,Sandbox,"Owner, Project:owner, Assignee, Project:assignee",,GET,/tasks/{id}/backup,None,N/A
 export:backup,Task,Organization,None,,GET,/tasks/{id}/backup,User,Maintainer
-export:backup,Task,Organization,"Owner, Project:owner, Assignee, Project:assignee",,GET,/tasks/{id}/backup,None,Worker
+export:backup,Task,Organization,"Owner, Project:owner, Assignee, Project:assignee",,GET,/tasks/{id}/backup,None,Worker
+update:organization,"Task, Organization",Sandbox,"None, Assignee",,PATCH,/tasks/{id},Admin,N/A
+update:organization,"Task, Organization",Sandbox,"Owner, Project:owner, Project:assignee",,PATCH,/tasks/{id},Worker,N/A
+update:organization,"Task, Organization",Organization,"None, Assignee",,PATCH,/tasks/{id},User,Maintainer
+update:organization,"Task, Organization",Organization,"Owner, Project:owner, Project:assignee",,PATCH,/tasks/{id},Worker,Worker
--- a/cvat/apps/iam/rules/tasks.rego
+++ b/cvat/apps/iam/rules/tasks.rego
@ -244,7 +244,7 @@ allow {

 allow {
    { utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT,
-      utils.DELETE }[input.scope]
+      utils.DELETE, utils.UPDATE_ORG }[input.scope]
    utils.is_sandbox
    is_project_staff
    utils.has_perm(utils.WORKER)
@ -252,7 +252,7 @@ allow {

 allow {
    { utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT,
-      utils.DELETE }[input.scope]
+      utils.DELETE, utils.UPDATE_ORG }[input.scope]
    utils.is_sandbox
    is_task_owner
    utils.has_perm(utils.WORKER)
@ -260,7 +260,7 @@ allow {

 allow {
    { utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT,
-      utils.DELETE }[input.scope]
+      utils.DELETE, utils.UPDATE_ORG }[input.scope]
    input.auth.organization.id == input.resource.organization.id
    utils.has_perm(utils.USER)
    organizations.has_perm(organizations.MAINTAINER)
@ -268,7 +268,7 @@ allow {

 allow {
    { utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT,
-      utils.DELETE }[input.scope]
+      utils.DELETE, utils.UPDATE_ORG }[input.scope]
    input.auth.organization.id == input.resource.organization.id
    utils.has_perm(utils.WORKER)
    organizations.has_perm(organizations.WORKER)
@ -277,7 +277,7 @@ allow {

 allow {
    { utils.UPDATE_OWNER, utils.UPDATE_ASSIGNEE, utils.UPDATE_PROJECT,
-      utils.DELETE }[input.scope]
+      utils.DELETE, utils.UPDATE_ORG }[input.scope]
    input.auth.organization.id == input.resource.organization.id
    utils.has_perm(utils.WORKER)
    organizations.has_perm(organizations.WORKER)
--- a/cvat/apps/iam/rules/tasks_test.gen.rego
+++ b/cvat/apps/iam/rules/tasks_test.gen.rego
--- a/cvat/apps/iam/rules/utils.rego
+++ b/cvat/apps/iam/rules/utils.rego
@ -49,6 +49,7 @@ CREATE_IN_ISSUE := "create@issue"
 IMPORT_DATASET := "import:dataset"
 IMPORT_BACKUP := "import:backup"
 EXPORT_BACKUP := "export:backup"
+UPDATE_ORG := "update:organization"


 get_priority(privilege) = priority {
--- a/cvat/apps/organizations/views.py
+++ b/cvat/apps/organizations/views.py
@ -60,7 +60,7 @@ class OrganizationViewSet(viewsets.ModelViewSet):

    def get_queryset(self):
        queryset = super().get_queryset()
-        permission = OrganizationPermission(self.request, self)
+        permission = OrganizationPermission.create_scope_list(self.request)
        return permission.filter(queryset)

    def get_serializer_class(self):
@ -122,7 +122,7 @@ class MembershipViewSet(mixins.RetrieveModelMixin, mixins.DestroyModelMixin,

    def get_queryset(self):
        queryset = super().get_queryset()
-        permission = MembershipPermission(self.request, self)
+        permission = MembershipPermission.create_scope_list(self.request)
        return permission.filter(queryset)

 # TODO
@ -175,7 +175,7 @@ class InvitationViewSet(viewsets.ModelViewSet):

    def get_queryset(self):
        queryset = super().get_queryset()
-        permission = InvitationPermission(self.request, self)
+        permission = InvitationPermission.create_scope_list(self.request)
        return permission.filter(queryset)

    def perform_create(self, serializer):
--- a/cvat/settings/base.py
+++ b/cvat/settings/base.py
@ -443,12 +443,6 @@ LOCAL_LOAD_MAX_FILES_SIZE = 512 * 1024 * 1024  # 512 MB
 RESTRICTIONS = {
    'user_agreements': [],

-    # this setting limits the number of tasks for the user
-    'task_limit': None,
-
-    # this setting limits the number of projects for the user
-    'project_limit': None,
-
    # this setting reduces task visibility to owner and assignee only
    'reduce_task_visibility': False,