magpie.permissions¶
Attributes¶
Classes¶
Applicable Permission values (names) under certain Service and Resource. |
|
Applicable types of Permission according to context. |
|
Applicable access modifier of Permission values. |
|
Applicable access modifier of Permission values. |
|
Explicit definition of a |
Functions¶
|
Obtains the formatted permission representations after validation that each of their name is a known member of |
Module Contents¶
- class magpie.permissions.Permission[source]¶
Bases:
magpie.utils.ExtendedEnum
Applicable Permission values (names) under certain Service and Resource.
- class magpie.permissions.PermissionType[source]¶
Bases:
magpie.utils.ExtendedEnum
Applicable types of Permission according to context.
- class magpie.permissions.Access[source]¶
Bases:
magpie.utils.ExtendedEnum
Applicable access modifier of Permission values.
- class magpie.permissions.Scope[source]¶
Bases:
magpie.utils.ExtendedEnum
Applicable access modifier of Permission values.
- class magpie.permissions.PermissionSet(permission: magpie.typedefs.AnyPermissionType, access: Access | magpie.typedefs.Str | None = None, scope: Scope | magpie.typedefs.Str | None = None, typ: PermissionType | None = None, reason: magpie.typedefs.Str | None = None)[source]¶
Bases:
object
Explicit definition of a
Permission
with applicableAccess
andScope
to resolve it.The
Permission
is the name of the applicable permission on themagpie.models.Resource
. TheScope
defines how thePermission
should impact the resolution of the perceived Effective Permissions over amagpie.models.Resource
tree hierarchy. TheAccess
defines how thePermission
access should be interpreted (granted or denied).Optionally, a
PermissionType
can be provided to specifically indicate which kind of permission this set represents. This type is only for informative purposes, and is not saved to database nor displayed by the explicit string representation. It is returned within JSON representation and can be employed by Effective Permissions resolution to be more verbose about returned results.On missing
Access
orScope
specifications, they default toAccess.ALLOW
andScope.RECURSIVE
to handle backward compatible naming convention of plainpermission_name
.Initializes the permission definition, possibly using required conversion from other implementations.
- Parameters:
permission – Name of the permission, or any other implementation from which the name can be inferred.
access – Effective behaviour of the permissions. Generally, grant or deny the specified permission.
scope – Scope for which the permission affects hierarchical resources. Important for effective resolution.
typ – Type of permission being represented. Informative only, does not impact behavior if omitted.
reason – Slightly more indicative information on why the current permission-type has this value. Value should be either explicitly provided or will be inferred if converted from input PermissionTuple.
See also
- property name: Permission[source]¶
- property type: PermissionType | None[source]¶
- __lt__(other: Any) bool [source]¶
Ascending sort of permission according to their name, access and scope modifiers.
First sort by permission name alphabetically, followed by increasing restrictive access and increasing range of scoped resources.
Using this sorting methodology, similar permissions by name are grouped together first, and permissions of same name with modifiers are then ordered, the first having less priority when selecting a single item to display with conflicting possibilities. Respecting
Access.DENY
is more important thanAccess.ALLOW
(to protect the Resource), andScope.MATCH
is closer to the actual Resource thanScope.RECURSIVE
permission received from a farther parent in the hierarchy.Sorted explicit string representation becomes:
[name1]-[allow]-[match] [name1]-[allow]-[recursive] [name1]-[deny]-[match] [name1]-[deny]-[recursive] [name2]-[allow]-[match] [name2]-[allow]-[recursive] [name2]-[deny]-[match] [name2]-[deny]-[recursive] ...
- We then obtain two crucial ordering results:
We can easily pick the last sorted item with highest resolution priority to find the final result of corresponding permissions. (note: final result for same user or group, their direct/inherited resolution is not considered here).
Picking the first element with lowest priority also displays the permission that impacts the widest range of resources. For instance in Magpie UI, indicating that a permission as
Scope.RECURSIVE
is more verbose as it tell other resources under it are also receive the specifiedAccess
modifier rather than only the punctual resource.
Warning
Alphabetically sorting permissions by string representation (implicit/explicit) is not equivalent to sorting them according to Permission priority according to how modifiers are resolved. To obtain the prioritized sorting as strings, a list of
PermissionSet
(with the strings as input) should be used to convert and correctly interpreted the raw strings, and then be converted back after sorting.# valid priority-sorted strings [str(perm) for perm in sorted(PermissionSet(p) for p in permission_strings)] # not equivalent to raw sorting list(sorted(permission_strings))
- __str__() magpie.typedefs.Str [source]¶
Obtains the compound literal representation of the
PermissionSet
.Employed for database storage supporting
ziggurat
format.
- __repr__() magpie.typedefs.Str [source]¶
Obtains the visual representation of the
PermissionSet
.
- like(other: Any) bool [source]¶
Evaluates if one permission is similar to another permission definition regardless of modifiers.
This is different than
==
operator which will evaluate exactly equal permission definitions.
- json() magpie.typedefs.PermissionDict [source]¶
Obtains the JSON representation of this
PermissionSet
.
- webhook_params() magpie.typedefs.JSON [source]¶
Obtain JSON representation employed for Webhook reference.
- ace(user_or_group: magpie.models.User | magpie.models.Group | None) magpie.typedefs.AccessControlEntryType [source]¶
Converts the
PermissionSet
into an ACE thatpyramid
can understand.
- property reason: magpie.typedefs.Str | None[source]¶
Indicative reason of the returned value defined by
type()
or inferred by thePermissionTuple
.See also
combine()
- Returns:
Single string that describes the reason (source) of the permission, or multiple strings if updated by combination of multiple permissions.
- classmethod resolve(permission1: magpie.typedefs.ResolvablePermissionType, permission2: magpie.typedefs.ResolvablePermissionType, context: PermissionType = PermissionType.INHERITED, multiple_choice: magpie.typedefs.Str | None = None) magpie.typedefs.ResolvablePermissionType [source]¶
Resolves provided permissions into a single one considering various modifiers and groups for a resource.
Permissions MUST have the same Permission name. The associated Resource on which the two compared permissions are applied on should also be the same This method SHOULD NOT be used by itself to obtain for Effective Permission since it does not handle multi-level Resource resolution. Resolution is accomplished in this case only for a given level in the tree hierarchy.
The comparison considers both the
Access
andScope
of every Inherited Permission of the User, as well as its Group memberships sorted by their priority.See also
magpie.api.management.user.user_utils.combine_user_group_permissions()
- Parameters:
permission1 – Permission to compare.
permission2 – Permission to compare.
context – Control the resolution context (local/effective) of the permissions (safeguard against invalid definitions).
multiple_choice – Alternate explanation to default
PERMISSION_REASON_MULTIPLE
applied if multiple Permission refer to distinct Group of equal priority and equivalent access definitions, meaning they are interchangeable without impacting resolution to access the same target Resource.
- Returns:
Permission with highest priority to resolve access a resource without considering scope.
- property group_priority: magpie.typedefs.GroupPriority | None[source]¶
Priority accessor in case of group inherited permission resolved by
PermissionTuple
.
- property perm_tuple: ziggurat_foundations.permissions.PermissionTuple | None[source]¶
Get the original
PermissionTuple
if available (PermissionSet
must have been created by one).
- property implicit_permission: magpie.typedefs.Str | None[source]¶
Obtain the implicit string representation of the
PermissionSet
as plainPermission
name.This representation is backward compatible with prior versions of Magpie where explicit representation of permission names in the database did not exist.
If the contained modifiers of the
PermissionSet
(notably theAccess.DENY
) result in a string representation that is not possible according to non existing permissions for older Magpie instances, the returned value will beNone
.See also
explicit_permission()
for the new representation.
- property explicit_permission: magpie.typedefs.Str[source]¶
Obtain the explicit string representation of the
PermissionSet
.This format is always guaranteed to be completely defined contrary to
implicit_permission()
.See also
__str__()
(default string value).implicit_permission()
for the old representation.
- classmethod _convert(permission: magpie.typedefs.AnyPermissionType) PermissionSet | None [source]¶
Converts any permission representation to the
PermissionSet
with applicable enum members.Supports older
Permission
representation such that implicit conversion of permission name withoutaccess
andscope
values are padded with defaults. Also, pre-defined partial or full definition from literal string representation are parsed to generate thePermissionSet
instance.- Parameters:
permission – implicit or explicit permission name string, or any other known permission implementation
- Raises:
ValueError – when the permission name cannot be identified or parsed
- magpie.permissions.format_permissions(permissions: Collection[magpie.typedefs.AnyPermissionType] | None, permission_type: PermissionType | None = None, force_unique: bool = True) Dict[magpie.typedefs.Str, List[magpie.typedefs.Str] | magpie.typedefs.PermissionDict | magpie.typedefs.Str] [source]¶
Obtains the formatted permission representations after validation that each of their name is a known member of
Permission
enum, and optionally with modifiers as defined byPermissionSet
.The returned lists are sorted alphabetically by permission name, and then in order of resolution priority (from highest to lowest) for each subset or corresponding name.
The permissions are cleaned from any duplicate entries, unless
force_unique
is specified to allow it. If no or emptypermissions
is provided, empty lists are returned.Note
Field
permission_names
provides both the older implicit permission names and the newer explicit name representation. For this reason, there will be semantically “duplicate” permissions in that list, but there will not be any literal string duplicates. Implicit names are immediately followed by their explicit name, unless implicit names do not apply for the given permission (e.g.: whenAccess.DENY
did not exist). Only detailed and explicit JSON representations are provided in thepermissions
list.When
permission_type
is equal toPermissionType.ALLOWED
, the collection of every applicablePermissionSet
is automatically generated by expanding all combinations ofAccess
andScope
with every providedPermission
name inpermissions
. This allows more concise definition of allowed permissions undermagpie.services.Services
and their children Resource by only definingPermission
names without manually listing all variations ofPermissionSet
.For other
permission_type
values, which represent Applied Permission only explicitly providedpermissions
are returned, to effectively return the collection of active permissions.- Parameters:
permissions – multiple permissions of any implementation and type, to be rendered both as names and JSON.
permission_type – indication of the represented permissions to be formatted, for informative indication.
force_unique – whether to remove duplicate entries by association of name, access and scope or not.
- Returns:
JSON with the permissions listed as implicit+explicit names, as permission set objects, and their type.