"""Custom condition checker. Note: only used for the data_library scope."""
from django.contrib.auth import get_user_model
from edx_django_utils.cache import RequestCache
from openedx_authz.api.data import ContentLibraryData, CourseOverviewData, ScopeData, UserData
from openedx_authz.rest_api.utils import get_user_by_username_or_email
User = get_user_model()

# Scope types for which the staff/superuser shortcut applies. Each entry pairs
# the scope namespace with its data class so that a parsed ScopeData instance
# can be matched on both (see is_admin_or_superuser_check).
SCOPES_WITH_ADMIN_OR_SUPERUSER_CHECK = {
    (scope_cls.NAMESPACE, scope_cls)
    for scope_cls in (ContentLibraryData, CourseOverviewData)
}
def is_admin_or_superuser_check(request_user: str, request_action: str, request_scope: str) -> bool:  # pylint: disable=unused-argument
    """
    Grant access to staff and superusers for an allow-listed set of scope types.

    This is an attribute-based condition that does not consult role assignments.
    Only the scope types in ``SCOPES_WITH_ADMIN_OR_SUPERUSER_CHECK`` (currently
    ContentLibraryData and CourseOverviewData) are handled; every other scope
    type is denied by this checker. ``request_action`` is part of the checker
    interface but is not inspected here.

    Args:
        request_user (str): Namespaced user key (format: "user::<username>")
        request_action (str): Namespaced action key (format: "action::<action_name>")
        request_scope (str): Namespaced scope key (format: "scope_type::<scope_id>")

    Returns:
        bool: True when the scope type is supported and the resolved user has
        ``is_staff`` or ``is_superuser`` set; False otherwise, including when
        the user does not exist or the scope type is not supported.
    """
    scope = ScopeData(namespaced_key=request_scope)
    username = UserData(namespaced_key=request_user).external_key
    cache = RequestCache("rbac_is_admin_or_superuser")

    # TODO: This special case for superuser and staff users is currently only for
    # content libraries and course overviews. See: https://github.com/openedx/openedx-authz/issues/87
    # NOTE(review): the membership test assumes ScopeData(namespaced_key=...)
    # yields an instance of the concrete subclass (ContentLibraryData, ...);
    # confirm, since a plain ScopeData instance would never match.
    if (scope.NAMESPACE, type(scope)) not in SCOPES_WITH_ADMIN_OR_SUPERUSER_CHECK:
        return False

    # The decision depends only on the user, not on the scope id or action,
    # so it is memoised for the request keyed on the username alone.
    hit = cache.get_cached_response(username)
    if hit.is_found:
        return hit.value

    try:
        user = get_user_by_username_or_email(username)
    except User.DoesNotExist:
        # Unknown users are denied; the miss is not cached.
        return False

    # NOTE(review): ``is_active`` is not consulted here — confirm that
    # get_user_by_username_or_email excludes deactivated accounts, otherwise a
    # deactivated staff/superuser would still pass this check.
    granted = user.is_staff or user.is_superuser
    cache.set(username, granted)
    return granted