From de7e152081b0b499bb5d9f1f89d1e168f0f90d9f Mon Sep 17 00:00:00 2001
From: eeintech
Date: Wed, 2 Feb 2022 14:01:53 -0500
Subject: [PATCH 1/4] Experimenting with children models permissions
---
 InvenTree/users/models.py | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/InvenTree/users/models.py b/InvenTree/users/models.py
index 2f73e67955..458e2d0758 100644
--- a/InvenTree/users/models.py
+++ b/InvenTree/users/models.py
@@ -176,6 +176,10 @@ class RuleSet(models.Model):
 'django_q_success',
 ]
+ RULESET_CHANGE_DELETE = [
+ ('part', 'bomitem')
+ ]
+
 RULE_OPTIONS = [
 'can_view',
 'can_add',
@@ -225,13 +229,15 @@ class RuleSet(models.Model):
 for role in cls.RULESET_NAMES:
 if table in cls.RULESET_MODELS[role]:
+ print(f'{user} | {role} | {permission}')
+
 if check_user_role(user, role, permission):
 return True
 # Print message instead of throwing an error
 name = getattr(user, 'name', user.pk)
- logger.info(f"User '{name}' failed permission check for {table}.{permission}")
+ print(f"User '{name}' failed permission check for {table}.{permission}")
 return False
@@ -453,6 +459,32 @@ def update_group_roles(group, debug=False):
 if debug:
 print(f"Removing permission {perm} from group {group.name}")
+ print(group_permissions)
+
+ # Automatically enable delete permission for children models if parent model has change permission
+ for change_delete in RuleSet.RULESET_CHANGE_DELETE:
+ perm_change = f'{change_delete[0]}.change_{change_delete[0]}'
+ perm_delete = f'{change_delete[0]}.delete_{change_delete[1]}'
+
+ print(perm_change)
+ # Check if permission is in the group
+ if perm_change in group_permissions:
+ if perm_delete not in group_permissions:
+ # Create delete permission object
+ add_model(f'{change_delete[0]}_{change_delete[1]}', 'delete', ruleset.can_delete)
+
+ # Add to group
+ permission = get_permission_object(perm_delete)
+ print(permission)
+
+ if permission:
+ group.permissions.add(permission)
+ print(f"Added permission {perm_delete} to group {group.name}")
+ else:
+ print(f'{perm_delete} already exists for group {group.name}')
+ else:
+ print(f'{perm_change} disabled')
+
 @receiver(post_save, sender=Group, dispatch_uid='create_missing_rule_sets')
 def create_missing_rule_sets(sender, instance, **kwargs):
From ef70e665bb8ec2c340cddfa77e478b93a94c04bf Mon Sep 17 00:00:00 2001
From: eeintech
Date: Mon, 7 Feb 2022 15:36:56 -0500
Subject: [PATCH 2/4] Refactored and added permission check for children models
---
 InvenTree/users/models.py | 59 +++++++++++++++++++++------------------
 1 file changed, 32 insertions(+), 27 deletions(-)
diff --git a/InvenTree/users/models.py b/InvenTree/users/models.py
index 458e2d0758..10f326305c 100644
--- a/InvenTree/users/models.py
+++ b/InvenTree/users/models.py
@@ -176,8 +176,9 @@ class RuleSet(models.Model):
 'django_q_success',
 ]
- RULESET_CHANGE_DELETE = [
- ('part', 'bomitem')
+ RULESET_CHANGE_INHERIT = [
+ ('part', 'partparameter'),
+ ('part', 'bomitem'),
 ]
 RULE_OPTIONS = [
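Review bot: `RULESET_CHANGE_INHERIT` is an authorization-widening table, but the hunk adds it with no comment saying what membership of a `(parent, child)` pair means, so a reader of the class only sees two tuples. The meaning is only stated later in the series, in update_group_roles, where a group holding the parent's 'change' permission is given add, change and delete on the child. Suggest a comment directly above the list: `# (parent, child) model pairs: a 'change' permission on the parent model also grants add/change/delete on the child model (see update_group_roles)`. The RuleSet class body continues beyond this hunk.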
@@ -229,11 +230,19 @@ class RuleSet(models.Model):
 for role in cls.RULESET_NAMES:
 if table in cls.RULESET_MODELS[role]:
- print(f'{user} | {role} | {permission}')
-
 if check_user_role(user, role, permission):
 return True
+ # Check for children models which inherits from parent role
+ for child in cls.RULESET_CHANGE_INHERIT:
+ # Get child model name
+ child_name = f'{child[0]}_{child[1]}'
+
+ if child_name == table:
+ # Check if parent role has change permission
+ if check_user_role(user, role, 'change'):
+ return True
+
 # Print message instead of throwing an error
 name = getattr(user, 'name', user.pk)
@@ -459,31 +468,27 @@ def update_group_roles(group, debug=False):
 if debug:
 print(f"Removing permission {perm} from group {group.name}")
- print(group_permissions)
+ # Enable all action permissions for certain children models
+ # if parent model has 'change' permission
+ for (parent, child) in RuleSet.RULESET_CHANGE_INHERIT:
+ parent_change_perm = f'{parent}.change_{parent}'
+ parent_child_string = f'{parent}_{child}'
- # Automatically enable delete permission for children models if parent model has change permission
- for change_delete in RuleSet.RULESET_CHANGE_DELETE:
- perm_change = f'{change_delete[0]}.change_{change_delete[0]}'
- perm_delete = f'{change_delete[0]}.delete_{change_delete[1]}'
+ # Check if parent change permission exists
+ if parent_change_perm in group_permissions:
+ # Add child model permissions
+ for action in ['add', 'change', 'delete']:
+ child_perm = f'{parent}.{action}_{child}'
- print(perm_change)
- # Check if permission is in the group
- if perm_change in group_permissions:
- if perm_delete not in group_permissions:
- # Create delete permission object
- add_model(f'{change_delete[0]}_{change_delete[1]}', 'delete', ruleset.can_delete)
-
- # Add to group
- permission = get_permission_object(perm_delete)
- print(permission)
-
- if permission:
- group.permissions.add(permission)
- print(f"Added permission {perm_delete} to group {group.name}")
- else:
- print(f'{perm_delete} already exists for group {group.name}')
- else:
- print(f'{perm_change} disabled')
+ # Check if child permission not already in group
+ if child_perm not in group_permissions:
+ # Create permission object
+ add_model(parent_child_string, action, ruleset.can_delete)
+ # Add to group
+ permission = get_permission_object(child_perm)
+ if permission:
+ group.permissions.add(permission)
+ print(f"Adding permission {child_perm} to group {group.name}")
 @receiver(post_save, sender=Group, dispatch_uid='create_missing_rule_sets')
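Review bot: `add_model(parent_child_string, action, ruleset.can_delete)` passes the `can_delete` flag for the 'add' and 'change' actions too, and `ruleset` is not bound anywhere in this hunk — it appears to be whatever value a loop variable held earlier in update_group_roles (whose body starts before this hunk), so the flag has no relation to `parent` or to `action`. This branch only runs once the parent's 'change' permission is known to be in `group_permissions`, so if the third argument is an "allowed" flag (add_model is defined outside the hunk) the intent is presumably `add_model(parent_child_string, action, True)` with a comment such as `# parent 'change' right present -> child action is granted`; confirm against add_model's signature. The `print(f"Adding permission {child_perm} to group {group.name}")` on the last added line is also unguarded, unlike the `if debug:` guard on the neighbouring removal message; since these grants widen what a group may do, an unconditional `logger.info` is the better fit than a bare print.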
From fd63fcde43b9d06ae0748b6bd25df85f583d3f54 Mon Sep 17 00:00:00 2001
From: eeintech
Date: Mon, 7 Feb 2022 15:39:06 -0500
Subject: [PATCH 3/4] Reverted print statement to logger
---
 InvenTree/users/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/InvenTree/users/models.py b/InvenTree/users/models.py
index 10f326305c..eecfd2f4d9 100644
--- a/InvenTree/users/models.py
+++ b/InvenTree/users/models.py
@@ -246,7 +246,7 @@ class RuleSet(models.Model):
 # Print message instead of throwing an error
 name = getattr(user, 'name', user.pk)
- print(f"User '{name}' failed permission check for {table}.{permission}")
+ logger.info(f"User '{name}' failed permission check for {table}.{permission}")
 return False
From 3b45c1406a0c231ed1f4f7b78763c0dde7143f48 Mon Sep 17 00:00:00 2001
From: eeintech
Date: Mon, 7 Feb 2022 15:42:39 -0500
Subject: [PATCH 4/4] Improved approach to permission check at runtime
---
 InvenTree/users/models.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/InvenTree/users/models.py b/InvenTree/users/models.py
index eecfd2f4d9..f2b72e5efa 100644
--- a/InvenTree/users/models.py
+++ b/InvenTree/users/models.py
@@ -233,15 +233,15 @@ class RuleSet(models.Model):
 if check_user_role(user, role, permission):
 return True
- # Check for children models which inherits from parent role
- for child in cls.RULESET_CHANGE_INHERIT:
- # Get child model name
- child_name = f'{child[0]}_{child[1]}'
+ # Check for children models which inherits from parent role
+ for (parent, child) in cls.RULESET_CHANGE_INHERIT:
+ # Get child model name
+ parent_child_string = f'{parent}_{child}'
- if child_name == table:
- # Check if parent role has change permission
- if check_user_role(user, role, 'change'):
- return True
+ if parent_child_string == table:
+ # Check if parent role has change permission
+ if check_user_role(user, parent, 'change'):
+ return True
 # Print message instead of throwing an error
 name = getattr(user, 'name', user.pk)
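Review bot: The inherited check `if check_user_role(user, parent, 'change'):` never consults the `permission` argument, so any action requested on a child table — 'delete' included — is granted on the parent's 'change' right alone, a wider grant than the permission actually asked for; this matches the intent stated in update_group_roles earlier in the series, but nothing on this method says so. Suggest replacing the `# Check if parent role has change permission` comment with `# A 'change' right on the parent model implies every action on the child table (mirrors update_group_roles)` so the widening is visible to anyone auditing the permission checks. The loop body no longer references `role`, so if it still sits under the `for role in cls.RULESET_NAMES:` loop the same check is repeated once per matching role; the block is removed and re-added with identical comment text, which indicates its indentation changed, but the collapsed hunk does not show the new nesting. The enclosing method starts and ends outside the hunk.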