Mercurial > libervia-pubsub
comparison src/backend.py @ 387:04e7dcc436ca
backend: admins can delete node, change schema, change config or delete items even if they are not owner of a node
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Tue, 12 Feb 2019 21:10:00 +0100 |
| parents | aa3a464df605 |
| children | 1c13ba86a421 |
comparison
equal
deleted
inserted
replaced
| 386:0fedfb5cd7c7 | 387:04e7dcc436ca |
|---|---|
| 166 def __init__(self, storage, config): | 166 def __init__(self, storage, config): |
| 167 utility.EventDispatcher.__init__(self) | 167 utility.EventDispatcher.__init__(self) |
| 168 self.storage = storage | 168 self.storage = storage |
| 169 self._callbackList = [] | 169 self._callbackList = [] |
| 170 self.config = config | 170 self.config = config |
| 171 self.admins = config[u'admins_jids_list'] | |
| 172 | |
| 173 def isAdmin(self, entity_jid): | |
| 174 """Return True if an entity is an administrator""" | |
| 175 return entity_jid.userhostJID() in self.admins | |
| 171 | 176 |
| 172 def supportsPublishOptions(self): | 177 def supportsPublishOptions(self): |
| 173 return True | 178 return True |
| 174 def supportsPublisherAffiliation(self): | 179 def supportsPublisherAffiliation(self): |
| 175 return True | 180 return True |
| 613 if not nodeIdentifier: | 618 if not nodeIdentifier: |
| 614 return defer.fail(error.NoRootNode()) | 619 return defer.fail(error.NoRootNode()) |
| 615 | 620 |
| 616 d = self.storage.getNode(nodeIdentifier, pep, recipient) | 621 d = self.storage.getNode(nodeIdentifier, pep, recipient) |
| 617 d.addCallback(_getAffiliation, requestor) | 622 d.addCallback(_getAffiliation, requestor) |
| 618 d.addCallback(self._doSetNodeConfiguration, options) | 623 d.addCallback(self._doSetNodeConfiguration, requestor, options) |
| 619 return d | 624 return d |
| 620 | 625 |
| 621 def _doSetNodeConfiguration(self, result, options): | 626 def _doSetNodeConfiguration(self, result, requestor, options): |
| 622 node, affiliation = result | 627 node, affiliation = result |
| 623 | 628 |
| 624 if affiliation != 'owner': | 629 if affiliation != 'owner' and not self.isAdmin(requestor): |
| 625 raise error.Forbidden() | 630 raise error.Forbidden() |
| 626 | 631 |
| 627 return node.setConfiguration(options) | 632 return node.setConfiguration(options) |
| 628 | 633 |
| 629 def getNodeSchema(self, nodeIdentifier, pep, recipient): | 634 def getNodeSchema(self, nodeIdentifier, pep, recipient): |
| 648 if not nodeIdentifier: | 653 if not nodeIdentifier: |
| 649 return defer.fail(error.NoRootNode()) | 654 return defer.fail(error.NoRootNode()) |
| 650 | 655 |
| 651 d = self.storage.getNode(nodeIdentifier, pep, recipient) | 656 d = self.storage.getNode(nodeIdentifier, pep, recipient) |
| 652 d.addCallback(_getAffiliation, requestor) | 657 d.addCallback(_getAffiliation, requestor) |
| 653 d.addCallback(self._doSetNodeSchema, schema) | 658 d.addCallback(self._doSetNodeSchema, requestor, schema) |
| 654 return d | 659 return d |
| 655 | 660 |
| 656 def _doSetNodeSchema(self, result, schema): | 661 def _doSetNodeSchema(self, result, requestor, schema): |
| 657 node, affiliation = result | 662 node, affiliation = result |
| 658 | 663 |
| 659 if affiliation != 'owner': | 664 if affiliation != 'owner' and not self.isAdmin(requestor): |
| 660 raise error.Forbidden() | 665 raise error.Forbidden() |
| 661 | 666 |
| 662 return node.setSchema(schema) | 667 return node.setSchema(schema) |
| 663 | 668 |
| 664 def getAffiliations(self, entity, nodeIdentifier, pep, recipient): | 669 def getAffiliations(self, entity, nodeIdentifier, pep, recipient): |
| 665 return self.storage.getAffiliations(entity, nodeIdentifier, pep, recipient) | 670 return self.storage.getAffiliations(entity, nodeIdentifier, pep, recipient) |
| 666 | 671 |
| 667 def getAffiliationsOwner(self, nodeIdentifier, requestor, pep, recipient): | 672 def getAffiliationsOwner(self, nodeIdentifier, requestor, pep, recipient): |
| 668 d = self.storage.getNode(nodeIdentifier, pep, recipient) | 673 d = self.storage.getNode(nodeIdentifier, pep, recipient) |
| 669 d.addCallback(_getAffiliation, requestor) | 674 d.addCallback(_getAffiliation, requestor) |
| 670 d.addCallback(self._doGetAffiliationsOwner) | 675 d.addCallback(self._doGetAffiliationsOwner, requestor) |
| 671 return d | 676 return d |
| 672 | 677 |
| 673 def _doGetAffiliationsOwner(self, result): | 678 def _doGetAffiliationsOwner(self, result, requestor): |
| 674 node, affiliation = result | 679 node, affiliation = result |
| 675 | 680 |
| 676 if affiliation != 'owner': | 681 if affiliation != 'owner' and not self.isAdmin(requestor): |
| 677 raise error.Forbidden() | 682 raise error.Forbidden() |
| 678 return node.getAffiliations() | 683 return node.getAffiliations() |
| 679 | 684 |
| 680 def setAffiliationsOwner(self, nodeIdentifier, requestor, affiliations, pep, recipient): | 685 def setAffiliationsOwner(self, nodeIdentifier, requestor, affiliations, pep, recipient): |
| 681 d = self.storage.getNode(nodeIdentifier, pep, recipient) | 686 d = self.storage.getNode(nodeIdentifier, pep, recipient) |
| 688 # with "none" affiliation | 693 # with "none" affiliation |
| 689 | 694 |
| 690 # TODO: return error with failed affiliations in case of failure | 695 # TODO: return error with failed affiliations in case of failure |
| 691 node, requestor_affiliation = result | 696 node, requestor_affiliation = result |
| 692 | 697 |
| 693 if requestor_affiliation != 'owner': | 698 if requestor_affiliation != 'owner' and not self.isAdmin(requestor): |
| 694 raise error.Forbidden() | 699 raise error.Forbidden() |
| 695 | 700 |
| 696 # we don't allow requestor to change its own affiliation | 701 # we don't allow requestor to change its own affiliation |
| 697 requestor_bare = requestor.userhostJID() | 702 requestor_bare = requestor.userhostJID() |
| 698 if requestor_bare in affiliations and affiliations[requestor_bare] != 'owner': | 703 if requestor_bare in affiliations and affiliations[requestor_bare] != 'owner': |
| 714 return d | 719 return d |
| 715 | 720 |
| 716 def getSubscriptionsOwner(self, nodeIdentifier, requestor, pep, recipient): | 721 def getSubscriptionsOwner(self, nodeIdentifier, requestor, pep, recipient): |
| 717 d = self.storage.getNode(nodeIdentifier, pep, recipient) | 722 d = self.storage.getNode(nodeIdentifier, pep, recipient) |
| 718 d.addCallback(_getAffiliation, requestor) | 723 d.addCallback(_getAffiliation, requestor) |
| 719 d.addCallback(self._doGetSubscriptionsOwner) | 724 d.addCallback(self._doGetSubscriptionsOwner, requestor) |
| 720 return d | 725 return d |
| 721 | 726 |
| 722 def _doGetSubscriptionsOwner(self, result): | 727 def _doGetSubscriptionsOwner(self, result, requestor): |
| 723 node, affiliation = result | 728 node, affiliation = result |
| 724 | 729 |
| 725 if affiliation != 'owner': | 730 if affiliation != 'owner' and not self.isAdmin(requestor): |
| 726 raise error.Forbidden() | 731 raise error.Forbidden() |
| 727 return node.getSubscriptions() | 732 return node.getSubscriptions() |
| 728 | 733 |
| 729 def setSubscriptionsOwner(self, nodeIdentifier, requestor, subscriptions, pep, recipient): | 734 def setSubscriptionsOwner(self, nodeIdentifier, requestor, subscriptions, pep, recipient): |
| 730 d = self.storage.getNode(nodeIdentifier, pep, recipient) | 735 d = self.storage.getNode(nodeIdentifier, pep, recipient) |
| 741 # with "none" subscription | 746 # with "none" subscription |
| 742 | 747 |
| 743 # TODO: return error with failed subscriptions in case of failure | 748 # TODO: return error with failed subscriptions in case of failure |
| 744 node, requestor_affiliation = result | 749 node, requestor_affiliation = result |
| 745 | 750 |
| 746 if requestor_affiliation != 'owner': | 751 if requestor_affiliation != 'owner' and not self.isAdmin(requestor): |
| 747 raise error.Forbidden() | 752 raise error.Forbidden() |
| 748 | 753 |
| 749 d_list = [] | 754 d_list = [] |
| 750 | 755 |
| 751 for subscription in subscriptions.copy(): | 756 for subscription in subscriptions.copy(): |
| 1119 '//event/pubsub/retract') | 1124 '//event/pubsub/retract') |
| 1120 | 1125 |
| 1121 def purgeNode(self, nodeIdentifier, requestor, pep, recipient): | 1126 def purgeNode(self, nodeIdentifier, requestor, pep, recipient): |
| 1122 d = self.storage.getNode(nodeIdentifier, pep, recipient) | 1127 d = self.storage.getNode(nodeIdentifier, pep, recipient) |
| 1123 d.addCallback(_getAffiliation, requestor) | 1128 d.addCallback(_getAffiliation, requestor) |
| 1124 d.addCallback(self._doPurge) | 1129 d.addCallback(self._doPurge, requestor) |
| 1125 return d | 1130 return d |
| 1126 | 1131 |
| 1127 def _doPurge(self, result): | 1132 def _doPurge(self, result, requestor): |
| 1128 node, affiliation = result | 1133 node, affiliation = result |
| 1129 persistItems = node.getConfiguration()[const.OPT_PERSIST_ITEMS] | 1134 persistItems = node.getConfiguration()[const.OPT_PERSIST_ITEMS] |
| 1130 | 1135 |
| 1131 if affiliation != 'owner': | 1136 if affiliation != 'owner' and not self.isAdmin(requestor): |
| 1132 raise error.Forbidden() | 1137 raise error.Forbidden() |
| 1133 | 1138 |
| 1134 if not persistItems: | 1139 if not persistItems: |
| 1135 raise error.NodeNotPersistent() | 1140 raise error.NodeNotPersistent() |
| 1136 | 1141 |
| 1154 return d | 1159 return d |
| 1155 | 1160 |
| 1156 def deleteNode(self, nodeIdentifier, requestor, pep, recipient, redirectURI=None): | 1161 def deleteNode(self, nodeIdentifier, requestor, pep, recipient, redirectURI=None): |
| 1157 d = self.storage.getNode(nodeIdentifier, pep, recipient) | 1162 d = self.storage.getNode(nodeIdentifier, pep, recipient) |
| 1158 d.addCallback(_getAffiliation, requestor) | 1163 d.addCallback(_getAffiliation, requestor) |
| 1159 d.addCallback(self._doPreDelete, redirectURI, pep, recipient) | 1164 d.addCallback(self._doPreDelete, requestor, redirectURI, pep, recipient) |
| 1160 return d | 1165 return d |
| 1161 | 1166 |
| 1162 def _doPreDelete(self, result, redirectURI, pep, recipient): | 1167 def _doPreDelete(self, result, requestor, redirectURI, pep, recipient): |
| 1163 node, affiliation = result | 1168 node, affiliation = result |
| 1164 | 1169 |
| 1165 if affiliation != 'owner': | 1170 if affiliation != 'owner' and not self.isAdmin(requestor): |
| 1166 raise error.Forbidden() | 1171 raise error.Forbidden() |
| 1167 | 1172 |
| 1168 data = {'node': node, | 1173 data = {'node': node, |
| 1169 'redirectURI': redirectURI} | 1174 'redirectURI': redirectURI} |
| 1170 | 1175 |