authnzerver.permissions module

This contains the permissions and user-role models for authnzerver.

authnzerver.permissions.check_item_access(permissions_model, userid=2, role='anonymous', action='view', target_name='collection', target_owner=1, target_visibility='private', target_sharedwith=None, debug=False)

This does a check for user access to a target item.

Parameters:
  • permissions_model (dict) – A permissions model returned by load_permissions_json().
  • userid (int) – The userid of the user requesting access.
  • role (str) – The role of the user requesting access.
  • action (str) – The action requested to be applied to the item.
  • target_name (str) – The name of the item for which the policy will be checked.
  • target_owner (int) – The userid of the user that owns the item for which the policy will be checked.
  • target_visibility (str) – The visibility of the item for which the policy will be checked.
  • target_sharedwith (str) – A CSV string of the userids that the target item is shared with.
  • debug (bool) – If True, will report the various policy decisions applied.
Returns:

True if access was granted. False otherwise.

Return type:

bool

authnzerver.permissions.check_role_limits(permissions_model, role, limit_name, value_to_check)

This applies the role limits to a value to check.

Parameters:
  • permissions_model (dict) – A permissions model returned by load_permissions_json().
  • role (str) – The name of the role to check the limits for.
  • limit_name (str) – The name of the limit to check.
  • value_to_check (float or int) – The value to check against the limit.
Returns:

Returns True if the limit hasn’t been exceeded. Returns False otherwise.

Return type:

bool

authnzerver.permissions.get_item_actions(permissions_model, role_name, target_name, target_visibility, target_ownership, debug=False)

Returns the possible actions for a target given a role and target status.

Parameters:
  • permissions_model (dict) – A permissions model returned by load_permissions_json().
  • role_name (str) – The name of the role to find the valid actions for.
  • target_name (str) – The name of the item to check the valid actions for.
  • target_visibility (str) – The visibility of the item to check the valid actions for.
  • target_ownership ({'for_owned','for_other'}) – If ‘for_owned’, only the actions that are valid for the target item when it is owned by the user will be returned. If ‘for_other’, only the actions that are valid for an item owned by another user, subject to the item’s visibility, will be returned.
  • debug (bool) – If True, will print the policy decisions being taken.
Returns:

Returns a set of valid actions for the target item based on the applied policy. If the actions don’t make sense, returns an empty set, in which case access MUST be denied.

Return type:

set
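
The fail-closed rule above (an empty action set means access must be denied), as an added example that is not authnzerver's own code. The model layout, the `demo_*` names and the handling of shared items are assumptions made for illustration, not the library's JSON schema or implementation.

```python
# Constructed toy policy, NOT authnzerver's real JSON schema:
# role -> ownership -> visibility -> allowed actions for a 'collection'.
DEMO_MODEL = {
    "anonymous": {
        "for_owned": {},
        "for_other": {"public": {"view"}},
    },
    "authenticated": {
        "for_owned": {v: {"view", "edit", "delete"}
                      for v in ("public", "shared", "private")},
        "for_other": {"public": {"view"}, "shared": {"view"}},
    },
}


def demo_item_actions(model, role_name, target_visibility, target_ownership):
    """Return the allowed-action set; any unknown key yields an empty set."""
    by_visibility = model.get(role_name, {}).get(target_ownership, {})
    return set(by_visibility.get(target_visibility, ()))


def demo_check_access(model, userid, role, action, target_owner,
                      target_visibility, target_sharedwith=None):
    """Fail closed: grant only when the action is explicitly allowed."""
    ownership = "for_owned" if userid == target_owner else "for_other"
    if ownership == "for_other" and target_visibility == "shared":
        # Assumption: a shared item is treated as private for users
        # who are not listed in the CSV string of userids.
        shared = {s.strip() for s in (target_sharedwith or "").split(",")}
        if str(userid) not in shared:
            target_visibility = "private"
    allowed = demo_item_actions(model, role, target_visibility, ownership)
    # An empty set (unknown role, visibility or ownership) always denies.
    return action in allowed
```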

authnzerver.permissions.load_permissions_json(model_json)

Loads a permissions JSON and returns the model.

authnzerver.permissions.load_policy_and_check_access(permissions_json, userid=2, role='anonymous', action='view', target_name='collection', target_owner=1, target_visibility='private', target_sharedwith=None, debug=False)

Does a check for user access to a target item.

This version loads a permissions JSON from disk every time it is called.

Parameters:
  • permissions_policy (dict) – A permissions model returned by load_permissions_json().
  • userid (int) – The userid of the user requesting access.
  • role (str) – The role of the user requesting access.
  • action (str) – The action requested to be applied to the item.
  • target_name (str) – The name of the item for which the policy will be checked.
  • target_owner (int) – The userid of the user that owns the item for which the policy will be checked.
  • target_visibility (str) – The visibility of the item for which the policy will be checked.
  • target_sharedwith (str) – A CSV string of the userids that the target item is shared with.
  • debug (bool) – If True, will report the various policy decisions applied.
Returns:

True if access was granted. False otherwise.

Return type:

bool

authnzerver.permissions.load_policy_and_check_limits(permissions_json, role, limit_name, value_to_check)

Applies the role limits to a value to check.

This version loads a policy JSON every time it is called.

Parameters:
  • permissions_model (dict) – A permissions model returned by load_permissions_json().
  • role (str) – The name of the role to check the limits for.
  • limit_name (str) – The name of the limit to check.
  • value_to_check (float or int) – The value to check against the limit.
Returns:

Returns True if the limit hasn’t been exceeded. Returns False otherwise.

Return type:

bool

authnzerver.permissions.pii_hash(item, salt)