authnzerver.actions.access module

This contains functions to apply access control.

authnzerver.actions.access.check_user_access(payload, raiseonfail=False, override_permissions_json=None, override_authdb_path=None)

Checks for user access to a specified item based on a permissions policy.

Parameters:
  • payload (dict) –

    This is the input payload dict. Required items:

    • user_id: int
    • user_role: str
    • action: str
    • target_name: str
    • target_owner: int
    • target_visibility: str
    • target_sharedwith: str

    In addition to these items received from an authnzerver client, the payload must also include the following keys (usually added in by a wrapping function):

    • reqid: int or str
    • pii_salt: str
  • raiseonfail (bool) – If True, will raise an Exception if something goes wrong.
  • override_permissions_json (str or None) –

    If given as a str, is the alternative path to the permissions JSON to load and use for this request. Normally, the path to the permissions JSON has already been specified as a process-local variable by the main authnzerver startup routines. If you want to use some other permissions model JSON (e.g. for testing), provide that here.

    Note that we load the permissions JSON from disk every time we need to take a decision. This might be a bit slower, but allows for much faster policy changes by just changing the permissions JSON file and not having to restart the authnzerver.

  • override_authdb_path (str or None) – If given as a str, is the alternative path to the auth DB.
Returns:

The dict returned is of the form:

{'success': True or False,
 'messages': list of str messages if any}

Return type:

dict

authnzerver.actions.access.check_user_limit(payload, raiseonfail=False, override_permissions_json=None, override_authdb_path=None)

Applies a specified limit to an item based on a permissions policy.

Parameters:
  • payload (dict) –

    This is the input payload dict. Required items:

    • user_id: int
    • user_role: str
    • limit_name: str
    • value_to_check: any

    In addition to these items received from an authnzerver client, the payload must also include the following keys (usually added in by a wrapping function):

    • reqid: int or str
    • pii_salt: str
  • raiseonfail (bool) – If True, will raise an Exception if something goes wrong.
  • override_permissions_json (str or None) –

    If given as a str, is the alternative path to the permissions JSON to load and use for this request. Normally, the path to the permissions JSON has already been specified as a process-local variable by the main authnzerver startup routines. If you want to use some other permissions model JSON (e.g. for testing), provide that here.

    Note that we load the permissions JSON from disk every time we need to take a decision. This might be a bit slower, but allows for much faster policy changes by just changing the permissions JSON file and not having to restart the authnzerver.

  • override_authdb_path (str or None) – If given as a str, is the alternative path to the auth DB.
Returns:

The dict returned is of the form:

{'success': True or False,
 'messages': list of str messages if any}

Return type:

dict
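
An added example, not part of authnzerver or its documentation: with raiseonfail left at False, the returned dict is the only signal a caller gets, so this sketch validates the payload keys listed for both functions and allows only when success is exactly True. The helper names, the stub standing in for check_user_access, and the sample payload values are assumptions; only the key names and types come from the parameter lists above.

```python
# Added example, not authnzerver code. Key names and types are taken from the
# parameter lists above; everything else here is a hypothetical helper.
ANY = object  # value_to_check is documented as "any"
ACCESS_KEYS = {"user_id": int, "user_role": str, "action": str,
               "target_name": str, "target_owner": int,
               "target_visibility": str, "target_sharedwith": str}
LIMIT_KEYS = {"user_id": int, "user_role": str, "limit_name": str,
              "value_to_check": ANY}
WRAPPER_KEYS = {"reqid": (int, str), "pii_salt": str}


def payload_problems(payload, required):
    """Return a list of problems; an empty list means the payload is well-formed."""
    problems = []
    for key, typ in {**required, **WRAPPER_KEYS}.items():
        if key not in payload:
            problems.append(f"missing key: {key}")
            continue
        value = payload[key]
        # bool is a subclass of int, so True would otherwise pass as a user_id
        if typ is not ANY and (isinstance(value, bool) or not isinstance(value, typ)):
            problems.append(f"bad type for {key}")
    return problems


def is_allowed(check_fn, payload, required):
    """Fail closed: allow only a well-formed payload whose result has success exactly True."""
    if payload_problems(payload, required):
        return False
    try:
        response = check_fn(payload)
    except Exception:  # raiseonfail=True surfaces errors as exceptions: deny
        return False
    return isinstance(response, dict) and response.get("success") is True


def stub_check(payload):
    """Constructed stand-in for check_user_access: owner-only, same return shape."""
    ok = payload["user_id"] == payload["target_owner"]
    return {"success": ok, "messages": [] if ok else ["denied"]}


# Constructed sample payload; the role, action and visibility values are made up.
SAMPLE_PAYLOAD = {"user_id": 4, "user_role": "authenticated", "action": "view",
                  "target_name": "dataset", "target_owner": 4,
                  "target_visibility": "private", "target_sharedwith": "",
                  "reqid": 1, "pii_salt": "constructed-salt"}

if __name__ == "__main__":
    print(is_allowed(stub_check, SAMPLE_PAYLOAD, ACCESS_KEYS))
```

In real use, check_fn would be the authnzerver function itself; a truthy string or a None result is treated as a denial rather than coerced to a boolean.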