magpie.api.management.user.user_utils

Module Contents

Functions

create_user
    Creates a user if it is permitted and not conflicting. Password must be set to None if using an external identity.
create_user_resource_permission_response
    Creates a permission on a user/resource combination if it is permitted, and optionally not conflicting.
assign_user_group
    Creates a user-group relationship (user membership to a group).
delete_user_group
    Deletes a user-group relationship (user membership to a group).
delete_user_resource_permission_response
    Get validated response on deleted user resource permission.
get_similar_user_resource_permission
    Obtains the user service/resource permission that corresponds to the provided one.
get_user_resource_permissions_response
    Retrieves user resource permissions with or without inherited group permissions. Alternatively retrieves the effective user resource permissions, where group permissions are implied as True.
get_user_services
    Returns services by type with corresponding services by name containing sub-dict information.
get_user_service_permissions
filter_user_permission
    Retrieves only user Direct Permissions amongst a list of user/group resource/service permissions.
resolve_user_group_permissions
    Reduces overlapping user Inherited Permissions for corresponding resources/services amongst the given list.
regroup_permissions_by_resource
    Regroups multiple uncategorized permissions into a dictionary of corresponding resource IDs.
get_user_resources_permissions_dict
    Creates a dictionary of resource IDs with the corresponding permissions of the user.
get_user_service_resources_permissions_dict
    Retrieves all permissions the user has for every Resource nested under the Service.
check_user_info
    Validates provided user information to ensure it is adequate for user creation.
get_user_groups_checked
    Obtains the validated list of group names from a pre-validated user.
magpie.api.management.user.user_utils.create_user(user_name: magpie.typedefs.Str, password: Optional[Str], email: magpie.typedefs.Str, group_name: Optional[Str], db_session: sqlalchemy.orm.session.Session) → pyramid.httpexceptions.HTTPException

    Creates a user if it is permitted and not conflicting. Password must be set to None if using an external identity.

    The created user is immediately assigned membership to the group matching group_name (which can be MAGPIE_ANONYMOUS_GROUP for minimal access). If no group is provided, this anonymous group is applied by default, creating a user that effectively has no permissions other than those set directly for that user. Furthermore, the user is always also associated with MAGPIE_ANONYMOUS_GROUP (if not already explicitly or implicitly requested with group_name) to allow access to resources with public permission. Argument group_name MUST be an existing group if provided.

    Returns:
        valid HTTP response on successful operation.
magpie.api.management.user.user_utils.create_user_resource_permission_response(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, permission: magpie.permissions.PermissionSet, db_session: sqlalchemy.orm.session.Session, overwrite: bool = False) → pyramid.httpexceptions.HTTPException

    Creates a permission on a user/resource combination if it is permitted, and optionally not conflicting.

    Parameters:
        user – user for which to create/update the permission.
        resource – service or resource for which to create the permission.
        permission – permission with modifiers to be applied.
        db_session – database connection.
        overwrite – If the corresponding (user, resource, permission[name]) exists, there is a conflict. Conflict is considered only by permission name, regardless of other modifiers. If overwrite is False, the conflict is raised and the permission is not applied. If overwrite is True, the permission modifiers are replaced by the new ones, or the permission is created if missing.

    Returns:
        valid HTTP response on successful operation.
magpie.api.management.user.user_utils.assign_user_group(user: magpie.models.User, group: magpie.models.Group, db_session: sqlalchemy.orm.session.Session) → None

    Creates a user-group relationship (user membership to a group).

    Returns:
        nothing - user-group is created.

    Raises:
        HTTPError – corresponding error matching the problem encountered.
magpie.api.management.user.user_utils.delete_user_group(user: magpie.models.User, group: magpie.models.Group, db_session: sqlalchemy.orm.session.Session) → None

    Deletes a user-group relationship (user membership to a group).

    Returns:
        nothing - user-group is deleted.

    Raises:
        HTTPNotFound – if the combination cannot be found.
magpie.api.management.user.user_utils.delete_user_resource_permission_response(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, permission: magpie.permissions.PermissionSet, db_session: sqlalchemy.orm.session.Session, similar: bool = True) → pyramid.httpexceptions.HTTPException

    Get validated response on deleted user resource permission.

    Parameters:
        user – user for which to delete the permission.
        resource – service or resource for which to delete the permission.
        permission – permission with modifiers to be deleted.
        db_session – database connection.
        similar – Allow matching the provided permission against any similar database permission. Otherwise, it must match exactly.

    Returns:
        valid HTTP response on successful operations.

    Raises:
        HTTPException – error HTTP response of the corresponding situation.
magpie.api.management.user.user_utils.get_similar_user_resource_permission(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, permission: magpie.permissions.PermissionSet, db_session: sqlalchemy.orm.session.Session) → Optional[PermissionSet]

    Obtains the user service/resource permission that corresponds to the provided one.

    Lookup considers only a similar applied permission, such that other permission modifiers do not affect the comparison.
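The three functions above share one rule: a user/resource permission is matched by its name only, and the modifiers (access, scope) are what get replaced or compared afterwards. The following is an added example, not Magpie's own code: it models that documented behaviour of get_similar_user_resource_permission (name-only lookup), create_user_resource_permission_response (overwrite) and delete_user_resource_permission_response (similar) with a plain in-memory store. The Perm dataclass, PermissionStore class, Conflict and NotFound exceptions, and the identifiers in demo() are assumptions standing in for magpie.permissions.PermissionSet, the database and the HTTP responses Magpie returns.

```python
"""Name-only conflict matching for user/resource permissions (added example, not Magpie code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Perm:
    """Permission name plus its modifiers (assumed stand-in for PermissionSet)."""
    name: str
    access: str = "allow"      # "allow" | "deny"
    scope: str = "recursive"   # "recursive" | "match"


class Conflict(Exception):
    """Stands in for the HTTP conflict response raised when overwrite=False."""


class NotFound(Exception):
    """Stands in for the HTTP not-found response on delete."""


# Conflicts are keyed by (user_id, resource_id, permission name) only; modifiers are not part of the key.
Key = Tuple[int, int, str]


class PermissionStore:
    """Assumed in-memory stand-in for the user/resource permission table."""

    def __init__(self) -> None:
        self._items: Dict[Key, Perm] = {}

    def get_similar(self, user_id: int, resource_id: int, perm: Perm) -> Optional[Perm]:
        """Return the stored permission with the same name, whatever its modifiers."""
        return self._items.get((user_id, resource_id, perm.name))

    def create(self, user_id: int, resource_id: int, perm: Perm, overwrite: bool = False) -> str:
        """Create the permission; on a same-name conflict, raise or replace the modifiers."""
        key = (user_id, resource_id, perm.name)
        if key in self._items:
            if not overwrite:
                raise Conflict(f"{perm.name!r} already set for user {user_id} on resource {resource_id}")
            self._items[key] = perm   # same name: only access/scope modifiers change
            return "updated"
        self._items[key] = perm
        return "created"

    def delete(self, user_id: int, resource_id: int, perm: Perm, similar: bool = True) -> Perm:
        """Delete by name when similar=True, otherwise only on an exact (name + modifiers) match."""
        key = (user_id, resource_id, perm.name)
        existing = self._items.get(key)
        if existing is None or (not similar and existing != perm):
            raise NotFound(f"no matching {perm.name!r} permission for user {user_id} on resource {resource_id}")
        del self._items[key]
        return existing


def demo() -> Dict[str, object]:
    """Walk through the documented cases on constructed data and return what happened."""
    store = PermissionStore()
    user, resource = 7, 42   # constructed identifiers
    out: Dict[str, object] = {}
    out["first"] = store.create(user, resource, Perm("read", "allow", "recursive"))
    # Same name, different modifiers: a conflict unless overwrite is requested.
    try:
        store.create(user, resource, Perm("read", "deny", "match"))
        out["conflict"] = False
    except Conflict:
        out["conflict"] = True
    out["overwrite"] = store.create(user, resource, Perm("read", "deny", "match"), overwrite=True)
    out["similar"] = store.get_similar(user, resource, Perm("read"))   # found despite default modifiers
    # Exact deletion with the old modifiers fails; similar deletion matches by name.
    try:
        store.delete(user, resource, Perm("read", "allow", "recursive"), similar=False)
        out["exact_delete"] = True
    except NotFound:
        out["exact_delete"] = False
    out["similar_delete"] = store.delete(user, resource, Perm("read", "allow", "recursive"), similar=True)
    out["remaining"] = store.get_similar(user, resource, Perm("read"))
    return out


if __name__ == "__main__":
    print(demo())
```

The practical consequence for API clients: an exact-match delete (similar=False) of a permission whose modifiers were changed by an overwrite will report not-found even though a same-name permission still exists, so inspect with the similar lookup first when the modifiers are unknown.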
magpie.api.management.user.user_utils.get_user_resource_permissions_response(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, request: pyramid.request.Request, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False, effective_permissions: bool = False) → pyramid.httpexceptions.HTTPException

    Retrieves user resource permissions with or without inherited group permissions. Alternatively retrieves the effective user resource permissions, where group permissions are implied as True.

    Returns:
        valid HTTP response on successful operations.

    Raises:
        HTTPException – error HTTP response of the corresponding situation.
magpie.api.management.user.user_utils.get_user_services(user: magpie.models.User, request: pyramid.request.Request, cascade_resources: bool = False, format_as_list: bool = False, inherit_groups_permissions: bool = False, resolve_groups_permissions: bool = False) → magpie.typedefs.UserServicesType

    Returns services by type with corresponding services by name containing sub-dict information.

    Parameters:
        user – user for which to find services.
        request – request with database session connection.
        cascade_resources – If False, return only services on which the User has Immediate Permissions, i.e. on the specialized top-level resources corresponding to a Service. Otherwise, return every service that has at least one sub-resource with permissions (children at any level). In both cases, the permissions looked for are either only Direct Permissions or any Inherited Permissions, according to the value of inherit_groups_permissions.
        inherit_groups_permissions – If False, return only user-specific service/sub-resource Direct Permissions. Otherwise, resolve Inherited Permissions using all groups the user is a member of.
        resolve_groups_permissions – Whether to combine Direct Permissions and Inherited Permissions for the respective resources or not.
        format_as_list – returns a list of service dict information (not grouped by type and by name).

    Returns:
        Only services on which the user has Direct Permissions, or services considering the whole tree hierarchy, and in each case considering either only user permissions or every Inherited Permission, according to the provided options.

    Return type:
        Mapping of services by type to corresponding services by name, each containing a sub-mapping of their information, unless format_as_list is True, in which case a flat list of service information is returned.
magpie.api.management.user.user_utils.get_user_service_permissions(user: magpie.models.User, service: magpie.models.Service, request: pyramid.request.Request, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False) → List[PermissionSet]
magpie.api.management.user.user_utils.filter_user_permission(resource_permission_list: List[PermissionTuple], user: magpie.models.User) → Iterable[PermissionTuple]

    Retrieves only user Direct Permissions amongst a list of user/group resource/service permissions.
magpie.api.management.user.user_utils.resolve_user_group_permissions(resource_permission_list: List[ResolvablePermissionType]) → Iterable[PermissionSet]

    Reduces overlapping user Inherited Permissions for corresponding resources/services amongst the given list.

    User Direct Permissions have the top-most priority and are therefore selected first if permissions are found for the corresponding resource. In that case, only one entry is possible (it is invalid to have more than one combination of (User, Resource, Permission), including modifiers, as per validation during their creation).

    Otherwise, for corresponding Inherited Permissions, resolve the prioritized permission across every group. Similarly to users, magpie.groups.group_utils.get_similar_group_resource_permission() validates that only one combination of (Group, Resource, Permission) can exist, including permission modifiers. Only cross-group memberships for a given resource then remain to be resolved.

    Priority of combined group-only permissions follows 3 conditions:

    1. Permissions inherited from the special group MAGPIE_ANONYMOUS_GROUP have lower priority than any other, more explicit group membership, regardless of the permission modifiers applied to it.
    2. Permissions of same group priority with Access.DENY are prioritized over Access.ALLOW.
    3. Permissions of same group priority with Scope.RECURSIVE are prioritized over Scope.MATCH, as they affect a larger range of resources when Effective Permissions are eventually requested.

    Note:
        Resource tree inherited resolution is not considered here (no recursive Effective Permissions are computed). Only the same-level scope of every given resource is processed independently. The intended behaviour is therefore to help illustrate in responses how deep a given permission is going to impact lower-level resources, making Scope.RECURSIVE more important than the specific-instance Scope.MATCH.

    See also:
        Sorting methods of magpie.permissions.PermissionSet that order the permissions with the desired result.
        magpie.groups.group_utils.get_similar_group_resource_permission()
        magpie.users.user_utils.get_similar_user_resource_permission()
magpie.api.management.user.user_utils.regroup_permissions_by_resource(resource_permissions: Iterable[ResolvablePermissionType], resolve: bool = False) → magpie.typedefs.ResourcePermissionMap

    Regroups multiple uncategorized permissions into a dictionary of corresponding resource IDs.

    While regrouping the various permissions (both Direct Permissions and any number of groups' Inherited Permissions) under their respective resource by ID, optionally resolve overlapping or conflicting permissions by name such that only one permission persists for that resource and name.

    Parameters:
        resource_permissions – List of resource permissions to process. Can include both user Direct Permissions and its groups' Inherited Permissions.
        resolve – When False, only the mapping by resource ID is accomplished and the full listing of permissions is returned. Otherwise, resolves the corresponding resource permissions (by same ID) considering the various priority rules to obtain unique permission names per resource.

    Returns:
        resolved permissions mapped by resource ID.
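The priority rules of resolve_user_group_permissions and the resolve flag of regroup_permissions_by_resource are easiest to check on concrete input. The following is an added example, not Magpie's own code: it regroups constructed permissions by resource ID and, when resolve=True, keeps one winner per permission name using the documented order (user Direct Permission first, then explicit groups over MAGPIE_ANONYMOUS_GROUP regardless of modifiers, then DENY over ALLOW, then RECURSIVE over MATCH). ResolvablePerm, ANONYMOUS_GROUP, priority(), regroup_by_resource() and the SAMPLE data are assumptions standing in for Magpie's ResolvablePermissionType, MAGPIE_ANONYMOUS_GROUP, the PermissionSet sort order and the real function; as in the note above, no resource-tree (Effective Permission) resolution is done.

```python
"""Regroup permissions by resource and resolve overlaps by priority (added example, not Magpie code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ANONYMOUS_GROUP = "anonymous"   # assumed stand-in for MAGPIE_ANONYMOUS_GROUP


@dataclass(frozen=True)
class ResolvablePerm:
    """Assumed stand-in for ResolvablePermissionType: a permission with its source attached."""
    resource_id: int
    name: str
    access: str                   # "allow" | "deny"
    scope: str                    # "recursive" | "match"
    user: Optional[str] = None    # set for a Direct Permission
    group: Optional[str] = None   # set for an Inherited Permission


def priority(perm: ResolvablePerm) -> Tuple[bool, bool, bool, bool]:
    """Sort key; the larger tuple wins. Direct > explicit group > anonymous; DENY > ALLOW; RECURSIVE > MATCH."""
    return (
        perm.user is not None,            # a user Direct Permission beats every group
        perm.group != ANONYMOUS_GROUP,    # rule 1: anonymous loses regardless of its modifiers
        perm.access == "deny",            # rule 2: DENY over ALLOW at equal group priority
        perm.scope == "recursive",        # rule 3: RECURSIVE over MATCH at equal group priority
    )


def regroup_by_resource(perms: Iterable[ResolvablePerm], resolve: bool = False) -> Dict[int, List[ResolvablePerm]]:
    """Map resource ID -> permissions; with resolve=True keep one winner per permission name."""
    grouped: Dict[int, List[ResolvablePerm]] = defaultdict(list)
    for perm in perms:
        grouped[perm.resource_id].append(perm)
    if not resolve:
        return dict(grouped)
    resolved: Dict[int, List[ResolvablePerm]] = {}
    for resource_id, plist in grouped.items():
        by_name: Dict[str, List[ResolvablePerm]] = defaultdict(list)
        for perm in plist:
            by_name[perm.name].append(perm)
        # Same-level resolution only: each resource is processed independently of its tree.
        resolved[resource_id] = [max(candidates, key=priority) for candidates in by_name.values()]
    return resolved


def describe(perm: ResolvablePerm) -> str:
    """Compact 'source:access:scope' label used to read the outcome."""
    source = f"user:{perm.user}" if perm.user is not None else f"group:{perm.group}"
    return f"{source}:{perm.access}:{perm.scope}"


# Constructed data: user "alice" is a member of editors, reviewers, a, b and (always) the anonymous group.
SAMPLE = [
    ResolvablePerm(1, "read", "allow", "match", user="alice"),              # direct permission wins outright
    ResolvablePerm(1, "read", "deny", "recursive", group="editors"),
    ResolvablePerm(1, "read", "allow", "recursive", group=ANONYMOUS_GROUP),
    ResolvablePerm(2, "write", "allow", "match", group="editors"),          # DENY beats ALLOW
    ResolvablePerm(2, "write", "deny", "match", group="reviewers"),
    ResolvablePerm(3, "read", "deny", "recursive", group=ANONYMOUS_GROUP),  # anonymous DENY loses to explicit ALLOW
    ResolvablePerm(3, "read", "allow", "match", group="editors"),
    ResolvablePerm(4, "read", "allow", "match", group="a"),                 # RECURSIVE beats MATCH
    ResolvablePerm(4, "read", "allow", "recursive", group="b"),
]


def resolve_sample() -> Dict[int, Dict[str, str]]:
    """Resolve SAMPLE and label the winner per resource and permission name."""
    return {
        rid: {perm.name: describe(perm) for perm in plist}
        for rid, plist in regroup_by_resource(SAMPLE, resolve=True).items()
    }


if __name__ == "__main__":
    for rid, winners in sorted(resolve_sample().items()):
        print(rid, winners)
```

Resource 3 is the case worth remembering when reviewing access: a DENY inherited only from the anonymous group does not override an ALLOW from any explicit group membership, so anonymous-group denies are not a reliable way to lock a resource down for authenticated users.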
magpie.api.management.user.user_utils.get_user_resources_permissions_dict(user: magpie.models.User, request: pyramid.request.Request, resource_types: Optional[List[Str]] = None, resource_ids: Optional[List[int]] = None, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False) → magpie.typedefs.ResourcePermissionMap

    Creates a dictionary of resource IDs with the corresponding permissions of the user.

    Parameters:
        user – user for which to find resource permissions.
        request – request with database session connection.
        resource_types – filter the search query to only the specified resource types.
        resource_ids – filter the search query to only the specified resource IDs.
        inherit_groups_permissions – Whether to include group inherited permissions from user memberships or not. If False, return only user-specific resource permissions. Otherwise, resolve inherited permissions using all groups the user is a member of.
        resolve_groups_permissions – whether to combine corresponding user/group permissions into one or not.

    Returns:
        Only resources on which the user has permissions, or including all Inherited Permissions, according to the inherit_groups_permissions argument.
magpie.api.management.user.user_utils.get_user_service_resources_permissions_dict(user: magpie.models.User, service: magpie.models.Service, request: pyramid.request.Request, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False) → magpie.typedefs.ResourcePermissionMap

    Retrieves all permissions the user has for every Resource nested under the Service.

    The retrieved permissions can either include only Direct Permissions or a combination of user and group Inherited Permissions, according to the provided options.

    Returns:
        dictionary of resource IDs with corresponding permissions.
magpie.api.management.user.user_utils.check_user_info(user_name: magpie.typedefs.Str = None, email: magpie.typedefs.Str = None, password: magpie.typedefs.Str = None, group_name: magpie.typedefs.Str = None, check_name: bool = True, check_email: bool = True, check_password: bool = True, check_group: bool = True) → None

    Validates provided user information to ensure it is adequate for user creation.

    Using the check_ prefixed arguments, individual field checks can be disabled (all checks are enabled by default).

    Raises:
        HTTPException – appropriate error for the invalid field value or format that was checked, as applicable.

    Returns:
        nothing if all enabled checks are successful.
magpie.api.management.user.user_utils.get_user_groups_checked(user: magpie.models.User, db_session: sqlalchemy.orm.session.Session) → List[Str]

    Obtains the validated list of group names from a pre-validated user.