magpie.api.management.user.user_utils

Module Contents

Functions

create_user(user_name: magpie.typedefs.Str, password: Optional[Str], email: magpie.typedefs.Str, group_name: Optional[Str], db_session: sqlalchemy.orm.session.Session) → pyramid.httpexceptions.HTTPException

Creates a user if it is permitted and not conflicting. Password must be set to None if using external identity.

create_user_resource_permission_response(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, permission: magpie.permissions.PermissionSet, db_session: sqlalchemy.orm.session.Session, overwrite: bool = False) → pyramid.httpexceptions.HTTPException

Creates a permission on a user/resource combination if it is permitted, and optionally not conflicting.

assign_user_group(user: magpie.models.User, group: magpie.models.Group, db_session: sqlalchemy.orm.session.Session) → None

Creates a user-group relationship (user membership to a group).

delete_user_group(user: magpie.models.User, group: magpie.models.Group, db_session: sqlalchemy.orm.session.Session) → None

Deletes a user-group relationship (user membership to a group).

delete_user_resource_permission_response(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, permission: magpie.permissions.PermissionSet, db_session: sqlalchemy.orm.session.Session, similar: bool = True) → pyramid.httpexceptions.HTTPException

Get validated response on deleted user resource permission.

get_similar_user_resource_permission(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, permission: magpie.permissions.PermissionSet, db_session: sqlalchemy.orm.session.Session) → Optional[PermissionSet]

Obtains the user service/resource permission that corresponds to the provided one.

get_user_resource_permissions_response(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, request: pyramid.request.Request, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False, effective_permissions: bool = False) → pyramid.httpexceptions.HTTPException

Retrieves user resource permissions with or without inherited group permissions. Alternatively retrieves the

get_user_services(user: magpie.models.User, request: pyramid.request.Request, cascade_resources: bool = False, format_as_list: bool = False, inherit_groups_permissions: bool = False, resolve_groups_permissions: bool = False) → magpie.typedefs.UserServicesType

Returns services by type with corresponding services by name containing sub-dict information.

get_user_service_permissions(user: magpie.models.User, service: magpie.models.Service, request: pyramid.request.Request, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False) → List[PermissionSet]

filter_user_permission(resource_permission_list: List[PermissionTuple], user: magpie.models.User) → Iterable[PermissionTuple]

Retrieves only user Direct Permissions amongst a list of user/group resource/service permissions.

resolve_user_group_permissions(resource_permission_list: List[ResolvablePermissionType]) → Iterable[PermissionSet]

Reduces overlapping user Inherited Permissions for corresponding resources/services amongst the given list.

regroup_permissions_by_resource(resource_permissions: Iterable[ResolvablePermissionType], resolve: bool = False) → magpie.typedefs.ResourcePermissionMap

Regroups multiple uncategorized permissions into a dictionary of corresponding resource IDs.

get_user_resources_permissions_dict(user: magpie.models.User, request: pyramid.request.Request, resource_types: Optional[List[Str]] = None, resource_ids: Optional[List[int]] = None, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False) → magpie.typedefs.ResourcePermissionMap

Creates a dictionary of resources ID with corresponding permissions of the user.

get_user_service_resources_permissions_dict(user: magpie.models.User, service: magpie.models.Service, request: pyramid.request.Request, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False) → magpie.typedefs.ResourcePermissionMap

Retrieves all permissions the user has for every Resource nested under the Service.

check_user_info(user_name: magpie.typedefs.Str = None, email: magpie.typedefs.Str = None, password: magpie.typedefs.Str = None, group_name: magpie.typedefs.Str = None, check_name: bool = True, check_email: bool = True, check_password: bool = True, check_group: bool = True) → None

Validates provided user information to ensure they are adequate for user creation.

get_user_groups_checked(user: magpie.models.User, db_session: sqlalchemy.orm.session.Session) → List[Str]

Obtains the validated list of group names from a pre-validated user.
magpie.api.management.user.user_utils.LOGGER[source]
magpie.api.management.user.user_utils.create_user(user_name: magpie.typedefs.Str, password: Optional[Str], email: magpie.typedefs.Str, group_name: Optional[Str], db_session: sqlalchemy.orm.session.Session) → pyramid.httpexceptions.HTTPException[source]

Creates a user if it is permitted and not conflicting. Password must be set to None if using external identity.

Created user will immediately assigned membership to the group matching group_name (can be MAGPIE_ANONYMOUS_GROUP for minimal access). If no group is provided, this anonymous group will be applied by default, creating a user effectively without any permissions other than ones set directly for him.

Furthermore, the user will also always be associated with MAGPIE_ANONYMOUS_GROUP (if not already explicitly or implicitly requested with group_name) to allow access to resources with public permission. Argument group_name MUST be an existing group if provided.

Returns

valid HTTP response on successful operation.

magpie.api.management.user.user_utils.create_user_resource_permission_response(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, permission: magpie.permissions.PermissionSet, db_session: sqlalchemy.orm.session.Session, overwrite: bool = False) → pyramid.httpexceptions.HTTPException[source]

Creates a permission on a user/resource combination if it is permitted, and optionally not conflicting.

Parameters

  • user – user for which to create/update the permission.

  • resource – service or resource for which to create the permission.

  • permission – permission with modifiers to be applied.

  • db_session – database connection.

  • overwrite – If the corresponding (user, resource, permission[name]) exists, there is a conflict. Conflict is considered only by permission-name regardless of other modifiers. If overwrite is False, the conflict will be raised and not be applied. If overwrite is True, the permission modifiers will be replaced by the new ones, or created if missing.

Returns

valid HTTP response on successful operation.

magpie.api.management.user.user_utils.assign_user_group(user: magpie.models.User, group: magpie.models.Group, db_session: sqlalchemy.orm.session.Session) → None[source]

Creates a user-group relationship (user membership to a group).

Returns

nothing - user-group is created.

Raises

HTTPError – corresponding error matching problem encountered.

magpie.api.management.user.user_utils.delete_user_group(user: magpie.models.User, group: magpie.models.Group, db_session: sqlalchemy.orm.session.Session) → None[source]

Deletes a user-group relationship (user membership to a group).

Returns

nothing - user-group is deleted.

Raises

HTTPNotFound – if the combination cannot be found.

magpie.api.management.user.user_utils.delete_user_resource_permission_response(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, permission: magpie.permissions.PermissionSet, db_session: sqlalchemy.orm.session.Session, similar: bool = True) → pyramid.httpexceptions.HTTPException[source]

Get validated response on deleted user resource permission.

Parameters

  • user – user for which to delete the permission.

  • resource – service or resource for which to delete the permission.

  • permission – permission with modifiers to be deleted.

  • db_session – database connection.

  • similar – Allow matching provided permission against any similar database permission. Otherwise, must match exactly.

Returns

valid HTTP response on successful operations.

Raises

HTTPException – error HTTP response of corresponding situation.

magpie.api.management.user.user_utils.get_similar_user_resource_permission(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, permission: magpie.permissions.PermissionSet, db_session: sqlalchemy.orm.session.Session) → Optional[PermissionSet][source]

Obtains the user service/resource permission that corresponds to the provided one.

Lookup considers only similar applied permission such that other permission modifiers don’t affect comparison.

magpie.api.management.user.user_utils.get_user_resource_permissions_response(user: magpie.models.User, resource: magpie.typedefs.ServiceOrResourceType, request: pyramid.request.Request, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False, effective_permissions: bool = False) → pyramid.httpexceptions.HTTPException[source]

Retrieves user resource permissions with or without inherited group permissions. Alternatively retrieves the effective user resource permissions, where group permissions are implied as True.

Returns

valid HTTP response on successful operations.

Raises

HTTPException – error HTTP response of corresponding situation.

magpie.api.management.user.user_utils.get_user_services(user: magpie.models.User, request: pyramid.request.Request, cascade_resources: bool = False, format_as_list: bool = False, inherit_groups_permissions: bool = False, resolve_groups_permissions: bool = False) → magpie.typedefs.UserServicesType[source]

Returns services by type with corresponding services by name containing sub-dict information.

See also

regroup_permissions_by_resource()

Parameters

  • user – user for which to find services

  • request – request with database session connection

  • cascade_resources – If False, return only services which the User has Immediate Permissions on specialized top-level resources corresponding to a Service. Otherwise, return every service that has at least one sub-resource with permissions (children at any-level). In both cases, the permissions looked for consider either only Direct Permissions or any Inherited Permissions according to the value of inherit_groups_permissions.

  • inherit_groups_permissions – If False, return only user-specific service/sub-resources Direct Permissions. Otherwise, resolve Inherited Permissions using all groups the user is member of.

  • resolve_groups_permissions – Whether to combine Direct Permissions and Inherited Permissions for respective resources or not.

  • format_as_list – returns as list of service dict information (not grouped by type and by name)

Returns

Only services which the user as Direct Permissions or considering all tree hierarchy, and for each case, either considering only user permissions or every Inherited Permissions, according to provided options.

Return type

Mapping of services by type to corresponding services by name containing each sub-mapping of their information, unless format_as_list is True, in which case a flat list of service information is returned.

magpie.api.management.user.user_utils.get_user_service_permissions(user: magpie.models.User, service: magpie.models.Service, request: pyramid.request.Request, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False) → List[PermissionSet][source]
magpie.api.management.user.user_utils.filter_user_permission(resource_permission_list: List[PermissionTuple], user: magpie.models.User) → Iterable[PermissionTuple][source]

Retrieves only user Direct Permissions amongst a list of user/group resource/service permissions.

magpie.api.management.user.user_utils.resolve_user_group_permissions(resource_permission_list: List[ResolvablePermissionType]) → Iterable[PermissionSet][source]

Reduces overlapping user Inherited Permissions for corresponding resources/services amongst the given list.

User Direct Permissions have the top-most priority and are therefore selected first if permissions are found for corresponding resource. In such case, only one entry is possible (it is invalid to have more than one combination of (User, Resource, Permission), including modifiers, as per validation during their creation).

Otherwise, for corresponding Inherited Permissions, resolve the prioritized permission across every group. Similarly to users, magpie.groups.group_utils.get_similar_group_resource_permission() validate that only one combination of (Group, Resource, Permission) can exist including permission modifiers. Only, cross-group memberships for a given resource must then be computed.

Priority of combined group-only permissions follows 3 conditions:

  1. Permissions inherited from special group MAGPIE_ANONYMOUS_GROUP have lower priority than any other more explicit group membership, regardless of permission modifiers applied on it.

  2. Permissions of same group priority with Access.DENY are prioritized over Access.ALLOW.

  3. Permissions of same group priority with Scope.RECURSIVE are prioritized over Access.MATCH as they affect a larger range of resources when Effective Permissions are eventually requested.

Note

Resource tree inherited resolution is not considered here (no recursive Effective Permissions computed). Only same-level scope of every given resource is processed independently. The intended behaviour here is therefore to help illustrate in responses how deep is a given permission going to have an impact onto lower-level resources, making Scope.RECURSIVE more important than specific instance Scope.MATCH.

See also

  • Sorting methods of magpie.permissions.PermissionSet that orders the permissions with desired result.

  • magpie.groups.group_utils.get_similar_group_resource_permission()

  • magpie.users.user_utils.get_similar_user_resource_permission()

magpie.api.management.user.user_utils.regroup_permissions_by_resource(resource_permissions: Iterable[ResolvablePermissionType], resolve: bool = False) → magpie.typedefs.ResourcePermissionMap[source]

Regroups multiple uncategorized permissions into a dictionary of corresponding resource IDs.

While regrouping the various permissions (both Direct Permissions and any amount of groups Inherited Permissions) under their respective resource by ID, optionally resolve overlapping or conflicting permissions by name such that only one permission persists for that resource and name.

See also

resolve_user_group_permissions()

Parameters

  • resource_permissions – List of resource permissions to process. Can include both user Direct Permissions and its groups Inherited Permissions.

  • resolve – When False, only mapping by resource ID is accomplished. Full listing of permissions is returned. Otherwise, resolves the corresponding resource permissions (by same ID) considering various priority rules to obtain unique permission names per resource.

Returns

resolved permission

magpie.api.management.user.user_utils.get_user_resources_permissions_dict(user: magpie.models.User, request: pyramid.request.Request, resource_types: Optional[List[Str]] = None, resource_ids: Optional[List[int]] = None, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False) → magpie.typedefs.ResourcePermissionMap[source]

Creates a dictionary of resources ID with corresponding permissions of the user.

See also

regroup_permissions_by_resource()

Parameters

  • user – user for which to find resources permissions

  • request – request with database session connection

  • resource_types – filter the search query with only the specified resource types

  • resource_ids – filter the search query to only the specified resource IDs

  • inherit_groups_permissions – Whether to include group inherited permissions from user memberships or not. If False, return only user-specific resource permissions. Otherwise, resolve inherited permissions using all groups the user is member of.

  • resolve_groups_permissions – whether to combine corresponding user/group permissions into one or not.

Returns

Only resources which the user has permissions on, or including all Inherited Permissions, according to inherit_groups_permissions argument.

magpie.api.management.user.user_utils.get_user_service_resources_permissions_dict(user: magpie.models.User, service: magpie.models.Service, request: pyramid.request.Request, inherit_groups_permissions: bool = True, resolve_groups_permissions: bool = False) → magpie.typedefs.ResourcePermissionMap[source]

Retrieves all permissions the user has for every Resource nested under the Service.

The retrieved permissions can either include only Direct Permissions or a combination of user and group Inherited Permissions accordingly to provided options.

See also

get_user_resources_permissions_dict() regroup_permissions_by_resource()

Returns

dictionary of resource IDs with corresponding permissions.

magpie.api.management.user.user_utils.check_user_info(user_name: magpie.typedefs.Str = None, email: magpie.typedefs.Str = None, password: magpie.typedefs.Str = None, group_name: magpie.typedefs.Str = None, check_name: bool = True, check_email: bool = True, check_password: bool = True, check_group: bool = True) → None[source]

Validates provided user information to ensure they are adequate for user creation.

Using check_ prefixed arguments, individual field checks can be disabled (check all by default).

Raises

HTTPException – appropriate error for the invalid field value or format that was checked as applicable.

Returns

nothing if all enabled checks are successful.

magpie.api.management.user.user_utils.get_user_groups_checked(user: magpie.models.User, db_session: sqlalchemy.orm.session.Session) → List[Str][source]

Obtains the validated list of group names from a pre-validated user.