| author | Frederick Muriuki Muriithi | 2026-03-30 11:13:49 -0500 |
|---|---|---|
| committer | Frederick Muriuki Muriithi | 2026-03-30 11:13:49 -0500 |
| commit | 89c21772afcf5bcb8390dc965387129eead38762 (patch) | |
| tree | 77e415e76a3e751f37b2bee2a8c199d8b86dfe03 | |
| parent | a9d5cc0ad0a9eeac2fb1276baa2ac8b294a18133 (diff) | |
| download | gn-libs-89c21772afcf5bcb8390dc965387129eead38762.tar.gz | |
Add checks for privileges.
* Make privileges a package rather than a module and rename previous module. * Add generic checks for most-common features of the system.
| -rw-r--r-- | gn_libs/privileges/__init__.py | 2 | ||||
| -rw-r--r-- | gn_libs/privileges/authspec.py (renamed from gn_libs/privileges.py) | 0 | ||||
| -rw-r--r-- | gn_libs/privileges/checks.py | 48 |
3 files changed, 50 insertions, 0 deletions
diff --git a/gn_libs/privileges/__init__.py b/gn_libs/privileges/__init__.py
new file mode 100644
index 0000000..9b2af85
--- /dev/null
+++ b/gn_libs/privileges/__init__.py
@@ -0,0 +1,2 @@
+from .authspec import check, parse, SpecificationValueError
+from .checks import can_view, can_edit, can_create, can_delete
diff --git a/gn_libs/privileges.py b/gn_libs/privileges/authspec.py
index 32c943d..32c943d 100644
--- a/gn_libs/privileges.py
+++ b/gn_libs/privileges/authspec.py
diff --git a/gn_libs/privileges/checks.py b/gn_libs/privileges/checks.py
new file mode 100644
index 0000000..3b52d35
--- /dev/null
+++ b/gn_libs/privileges/checks.py
@@ -0,0 +1,48 @@
+import uuid
+import logging
+from functools import partial
+
+from gn_libs.sqlite3 import DbConnection
+
+from .authspec import check
+
+
+logger = logging.getLogger(__name__)
+
+
+class PrivilegeCheckError(Exception):
+ """Raise when there's an error when checking for privileges."""
+
+
+def privileges_fulfill_specs(
+ queried_privileges: tuple[str, ...],
+ resource_spec: str,
+ system_spec: str
+) -> bool:
+ """Check whether a user's privileges fulfill the given specs."""
+ return (check(resource_spec, queried_privileges) or
+ check(system_spec, queried_privileges))
+
+
+can_view = partial(
+ privileges_fulfill_specs,
+ resource_spec="(OR group:resource:view-resource system:resource:view)",
+ system_spec="(OR system:system-wide:data:view system:resource:view)")
+
+
+can_edit = partial(
+ privileges_fulfill_specs,
+ resource_spec="(OR group:resource:edit-resource system:resource:edit)",
+ system_spec="(OR system:system-wide:data:edit system:resource:edit)")
+
+
+can_create = partial(
+ privileges_fulfill_specs,
+ resource_spec="(OR group:resource:create-resource)",
+ system_spec="(OR system:system-wide:data:create)")
+
+
+can_delete = partial(
+ privileges_fulfill_specs,
+ resource_spec="(OR group:resource:delete-resource system:resource:delete)",
+ system_spec="(OR system:system-wide:data:delete system:resource:delete)") |
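Review bot: `privileges_fulfill_specs` receives a flat tuple of privilege names and nothing that identifies the resource, so its answer is only sound if the caller queried those privileges for the one resource being accessed, and the one-line docstring does not state that contract. I would extend the docstring to say that `queried_privileges` must be the user's privileges on the target resource together with their system-level ones, and to record what an empty tuple yields; that presumably is a denial, but it depends on `check` in authspec.py, which this diff does not show. Because `can_view`, `can_edit`, `can_create` and `can_delete` are `partial` objects bound by keyword, a call site can still pass `resource_spec=` or `system_spec=` and silently replace the bound policy; small wrapper functions that accept only `queried_privileges` would remove that override. `can_create` is the only helper without a `system:resource:*` alternative and wraps a single operand in `OR`, so a comment such as `# create has no system:resource:* counterpart by design` (if that is the intent) would prevent it being read as an omission. `uuid`, `DbConnection`, `logger` and `PrivilegeCheckError` are not used anywhere in this file.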
