Revision f2e30877
Factorisation du prédicat d'accès à VigiBoard.
Les utilisateurs du groupe "managers" ont accès à toutes les données.
git-svn-id: https://vigilo-dev.si.c-s.fr/svn@3028 b22e2e97-25c9-44ff-b637-2e5ceca36478
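--- a/vigiboard/controllers/root.py
+++ b/vigiboard/controllers/root.py
@@ -42,6 +42,16 @@
 """
 autocomplete = AutoCompleteController()
 
+# Prédicat pour la restriction de l'accès aux interfaces.
+# L'utilisateur doit avoir la permission "vigiboard-read"
+# ou appartenir au groupe "managers" pour accéder à VigiBoard.
+access_restriction = All(
+not_anonymous(msg=l_("You need to be authenticated")),
+Any(in_group('managers'),
+has_permission('vigiboard-read'),
+msg=l_("You don't have read access to VigiBoard"))
+)
+
 def process_form_errors(self, *argv, **kwargv):
 """
 Gestion des erreurs de validation : On affiche les erreurs
@@ -70,13 +80,7 @@
 validators=DefaultSchema(),
 error_handler = process_form_errors)
 @expose('events_table.html')
-@require(
-All(
-not_anonymous(msg=l_("You need to be authenticated")),
-Any(in_group('managers'),
-has_permission('vigiboard-read'),
-msg=l_("You don't have read access to VigiBoard"))
-))
+@require(access_restriction)
 def default(self, page, supitemgroup, host, service,
 output, trouble_ticket, from_date, to_date):
 """
@@ -223,13 +227,7 @@
 validators=MaskedEventsSchema(),
 error_handler = process_form_errors)
 @expose('raw_events_table.html')
-@require(
-All(
-not_anonymous(msg=l_("You need to be authenticated")),
-Any(in_group('managers'),
-has_permission('vigiboard-read'),
-msg=l_("You don't have read access to VigiBoard"))
-))
+@require(access_restriction)
 def masked_events(self, idcorrevent, page):
 """
 Affichage de la liste des événements bruts masqués dans un
@@ -335,13 +333,7 @@
 validators=EventSchema(),
 error_handler = process_form_errors)
 @expose('history_table.html')
-@require(
-All(
-not_anonymous(msg=l_("You need to be authenticated")),
-Any(in_group('managers'),
-has_permission('vigiboard-read'),
-msg=l_("You don't have read access to VigiBoard"))
-))
+@require(access_restriction)
 def event(self, idevent, page):
 """
 Affichage de l'historique d'un événement brut.
@@ -430,13 +422,7 @@
 validators=ItemSchema(),
 error_handler = process_form_errors)
 @expose('events_table.html')
-@require(
-All(
-not_anonymous(msg=l_("You need to be authenticated")),
-Any(in_group('managers'),
-has_permission('vigiboard-read'),
-msg=l_("You don't have read access to VigiBoard"))
-))
+@require(access_restriction)
 def item(self, page, host, service):
 """
 Affichage de l'historique de l'ensemble des événements corrélés
@@ -658,13 +644,7 @@
 validators=GetPluginValueSchema(),
 error_handler = handle_validation_errors_json)
 @expose('json')
-@require(
-All(
-not_anonymous(msg=l_("You need to be authenticated")),
-Any(in_group('managers'),
-has_permission('vigiboard-read'),
-msg=l_("You don't have read access to VigiBoard"))
-))
+@require(access_restriction)
 def get_plugin_value(self, idcorrevent, plugin_name, *arg, **krgv):
 """
 Permet de récupérer la valeur d'un plugin associée à un CorrEvent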
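Review bot: Access control stays opt-in per handler, because each exposed method still has to carry `@require(access_restriction)` itself and a handler added later without it would be reachable with no check at all. If every exposed method of this controller is meant to be protected (only six are visible in these hunks, so this needs confirming), a class-level `allow_only = access_restriction` would make the restriction the default rather than something to remember. The group name `'managers'` is also a bare literal here and again in `in_group('managers').is_met(request.environ)` in vigiboardrequest.py, so the route check and the data-scope bypass can drift apart silently. A shared constant, or at least a comment such as `# 'managers' also bypasses the group filter in vigiboardrequest.py`, would make that coupling visible. Indentation is lost in this rendering, so `access_restriction` is only presumed to sit in the class body, between `autocomplete` and `process_form_errors`.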
vigiboard/controllers/vigiboardrequest.py | ||
---|---|---|
5 | 5 |
from time import mktime |
6 | 6 |
from logging import getLogger |
7 | 7 |
|
8 |
from tg import config, tmpl_context |
|
8 |
from tg import config, tmpl_context, request
|
|
9 | 9 |
from tg.i18n import get_lang |
10 | 10 |
from pylons.i18n import ugettext as _ |
11 | 11 |
from paste.deploy.converters import asbool |
12 |
from repoze.what.predicates import in_group |
|
12 | 13 |
|
13 | 14 |
from sqlalchemy import not_, and_, asc, desc |
14 | 15 |
from sqlalchemy.sql.expression import or_, null as expr_null, union |
... | ... | |
61 | 62 |
self.lang = lang |
62 | 63 |
self.generaterq = False |
63 | 64 |
|
65 |
is_manager = in_group('managers').is_met(request.environ) |
|
66 |
|
|
64 | 67 |
# Sélectionne tous les IDs des services auxquels |
65 | 68 |
# l'utilisateur a accès. |
66 | 69 |
lls_query = DBSession.query( |
... | ... | |
79 | 82 |
LowLevelService.idservice, |
80 | 83 |
) |
81 | 84 |
), |
82 |
).filter( |
|
83 |
SUPITEM_GROUP_TABLE.c.idgroup.in_(self.user_groups) |
|
84 | 85 |
) |
85 | 86 |
|
86 | 87 |
# Sélectionne tous les IDs des hôtes auxquels |
... | ... | |
93 | 94 |
).join( |
94 | 95 |
(SUPITEM_GROUP_TABLE, SUPITEM_GROUP_TABLE.c.idsupitem == \ |
95 | 96 |
Host.idhost), |
96 |
).filter( |
|
97 |
SUPITEM_GROUP_TABLE.c.idgroup.in_(self.user_groups), |
|
98 | 97 |
) |
99 | 98 |
|
99 |
# Les managers ont accès à tout, les autres sont soumis |
|
100 |
# aux vérifications classiques d'accès aux données. |
|
101 |
if not is_manager: |
|
102 |
lls_query = lls_query.filter( |
|
103 |
SUPITEM_GROUP_TABLE.c.idgroup.in_(self.user_groups) |
|
104 |
) |
|
105 |
host_query = host_query.filter( |
|
106 |
SUPITEM_GROUP_TABLE.c.idgroup.in_(self.user_groups) |
|
107 |
) |
|
108 |
|
|
109 |
|
|
100 | 110 |
# Objet Selectable renvoyant des informations sur un SupItem |
101 | 111 |
# concerné par une alerte, avec prise en compte des droits d'accès. |
102 | 112 |
# On est obligés d'utiliser sqlalchemy.sql.expression.union |
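Review bot: For managers the `in_(self.user_groups)` filter is skipped, but the join on `SUPITEM_GROUP_TABLE` just above the removed `.filter(...)` in the host query stays unconditional, and the same appears to hold for `lls_query`, whose join is cut off by the hunk context. Hosts and services attached to no group would therefore still be hidden from managers, which does not match the stated "accès à toutes les données". If that is unintended, build the join together with the filter inside `if not is_manager:`. Separately, `is_manager = in_group('managers').is_met(request.environ)` reads the global `request` in what appears to be the constructor (its start and end are outside the hunk), so the class cannot be built outside a request and callers cannot see the bypass decision. Passing it in as a parameter with a restrictive default, e.g. `is_manager=False`, would keep the filter on unless explicitly lifted, and a comment such as `# 'managers' must match access_restriction in root.py` would document the dependency.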