Module: check_mk
Branch: master
Commit: ed742dc2e8710ee65f6bc45cc6fbba735f045f04
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=ed742dc2e8710e…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Wed Mar 19 10:14:00 2014 +0100
Also custom views now have permissions
In the past only builtin views had permissions that you could disable in a
role and that way remove those views for certain users. Now this also works
for custom views - i.e. views that a user has created with a new unique name
and that are published for other users.
Please note that regardless of a view's permission the owner of the view can
always see it. If you do not like this you can remove the permission for
creating custom views.
---
.werks/748 | 15 +++++++++++++++
ChangeLog | 1 +
web/htdocs/config.py | 22 +++++++++++++++++++---
web/htdocs/views.py | 42 +++++++++++++++++++++++++++++++-----------
web/htdocs/wato.py | 4 ++++
5 files changed, 70 insertions(+), 14 deletions(-)
diff --git a/.werks/748 b/.werks/748
new file mode 100644
index 0000000..e880521
--- /dev/null
+++ b/.werks/748
@@ -0,0 +1,15 @@
+Title: Also custom views now have permissions
+Level: 2
+Component: multisite
+Version: 1.2.5i1
+Date: 1395220282
+Class: feature
+
+In that past only builtin views had permissions that you could disable in a
+role and that way remove those views for certain users. Now this also works
+for custom views - i.e. views that a user has created with a new unique name
+and and that is published for other users.
+
+Please note that regardless of a view's permission the owner of the view can
+always see it. If you do not like this you can remove the permission for
+creating custom views.
diff --git a/ChangeLog b/ChangeLog
index 1d0cf29..f9e9ae0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -227,6 +227,7 @@
* 0123 New time range filter for Downtimes and Comments...
* 0683 New column painter for the last time a service was OK...
* 0561 quicksearch: now able to search with multiple filters...
+ * 0748 Also custom views now have permissions...
* 0302 FIX: Fixed highlight of choosen elements in foldertee/views snapin in
Chrome/IE
* 0239 FIX: Fixed incorrect html formatting when displaying host or service
comments...
* 0307 FIX: Increased performance of multisite GUI with a large userbase...
diff --git a/web/htdocs/config.py b/web/htdocs/config.py
index 8ff45dd..f748d98 100644
--- a/web/htdocs/config.py
+++ b/web/htdocs/config.py
@@ -72,9 +72,10 @@ except:
# Global table of available permissions. Plugins may add their own
# permissions by calling declare_permission()
-permissions_by_name = {}
-permissions_by_order = []
-permission_sections = {}
+permissions_by_name = {}
+permissions_by_order = []
+permission_sections = {}
+permission_declaration_functions = []
# Constants for BI
ALL_HOSTS = '(.*)'
@@ -184,6 +185,21 @@ def declare_permission_section(name, title, prio = 0, do_sort =
False):
# be listed first, e.g. in the edit dialogs
permission_sections[name] = (prio, title, do_sort)
+# Some module have a non-fixed list of permissions. For example for
+# each user defined view there is also a permission. This list is
+# not known at the time of the loading of the module - though. For
+# that purpose module can register functions. These functions should
+# just call declare_permission(). They are being called in the correct
+# situations.
+def declare_dynamic_permissions(func):
+ permission_declaration_functions.append(func)
+
+# This function needs to be called by all code that needs access
+# to possible dynamic permissions
+def load_dynamic_permissions():
+ for func in permission_declaration_functions:
+ func()
+
# Compute permissions for HTTP user and set in
# global variables. Also store user.
def login(u):
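Review bot: `declare_dynamic_permissions()` appends `func` unconditionally, so a caller that registers more than once leaves duplicates in `permission_declaration_functions`, and `load_dynamic_permissions()` then runs the same declaration function once per copy. The registration added to `load_plugins()` in web/htdocs/views.py sits after the `loaded_with_language = current_language` line, which suggests that body can run again within one process. Guarding the append with `if func not in permission_declaration_functions:` keeps the registry idempotent. The trailing `def login(u):` is context only; its body lies outside the hunk.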
diff --git a/web/htdocs/views.py b/web/htdocs/views.py
index 053798f..95d9f34 100644
--- a/web/htdocs/views.py
+++ b/web/htdocs/views.py
@@ -72,20 +72,21 @@ def load_plugins():
loaded_with_language = current_language
# Declare permissions for builtin views
- config.declare_permission_section("view", _("Builtin views"),
do_sort = True)
+ config.declare_permission_section("view", _("Multisite Views"),
do_sort = True)
for name, view in multisite_builtin_views.items():
config.declare_permission("view.%s" % name,
view["title"],
view["description"],
config.builtin_role_ids)
+ # Make sure that custom views also have permissions
+ config.declare_dynamic_permissions(declare_custom_view_permissions)
+
# Add painter names to painter objects (e.g. for JSON web service)
for n, p in multisite_painters.items():
p["name"] = n
-
-
##################################################################################
# Layouts
##################################################################################
@@ -237,6 +238,7 @@ class Filter:
# Load all views - users or builtins
def load_views():
+ declare_custom_view_permissions()
html.multisite_views = {}
# first load builtins. Set username to ''
@@ -273,7 +275,6 @@ def load_views():
if view['datasource'] not in multisite_datasources:
continue
-
# Maybe resolve inherited attributes
builtin_view = html.multisite_views.get(('', name))
if builtin_view:
@@ -293,6 +294,26 @@ def load_views():
html.available_views = available_views()
+# Load all users views just in order to declare permissions of custom views
+def declare_custom_view_permissions():
+ # Now scan users subdirs for files "views.mk"
+ subdirs = os.listdir(config.config_dir)
+ for user in subdirs:
+ try:
+ dirpath = config.config_dir + "/" + user
+ if os.path.isdir(dirpath):
+ path = dirpath + "/views.mk"
+ if not os.path.exists(path):
+ continue
+ views = eval(file(path).read())
+ for name, view in views.items():
+ if view["public"] and not
config.permission_exists("view." + name):
+ config.declare_permission("view." + name,
view["title"],
+ view["description"],
['admin','user','guest'])
+ except:
+ if opt_debug:
+ raise
+
# Get the list of views which are available to the user
# (which could be retrieved with get_view)
def available_views():
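Review bot: In `declare_custom_view_permissions()` a view entry without `public`, `title` or `description` raises inside the `try`, the bare `except:` swallows it whenever `opt_debug` is off, and the remaining views in that user's views.mk get no permission declared. The check visible in `available_views()` only applies `view.<name>` when `config.permission_exists(permname)` is true, so an undeclared permission appears to mean no restriction rather than a denial. I would declare the permission with fallbacks for the missing keys, as below, and narrow the outer handler to `except Exception:` so the skipped file leaves a trace. Separately, `eval(file(path).read())` runs whatever expression each user's views.mk holds inside the GUI process, and `load_views()` now triggers that for every user directory on each call; if these files hold only literals, `ast.literal_eval` would be the safer parser.

```python
            # … unchanged: directory scan, views.mk existence check and eval …
            for name, view in views.items():
                permname = "view." + name
                if not view.get("public") or config.permission_exists(permname):
                    continue
                # Fall back to the view name so a missing title or description
                # never leaves a published view without a permission
                config.declare_permission(permname,
                        view.get("title", name),
                        view.get("description", ""),
                        ['admin','user','guest'])
```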
@@ -308,12 +329,12 @@ def available_views():
# 2. views of special users allowed to globally override builtin views
for (u, n), view in html.multisite_views.items():
if n not in views and view["public"] and config.user_may(u,
"general.force_views"):
- # Honor original permissions for the current user
- permname = "view.%s" % n
- if config.permission_exists(permname) \
- and not config.may(permname):
- continue
- views[n] = view
+ # Honor original permissions for the current user
+ permname = "view.%s" % n
+ if config.permission_exists(permname) \
+ and not config.may(permname):
+ continue
+ views[n] = view
# 3. Builtin views, if allowed.
for (u, n), view in html.multisite_views.items():
@@ -2764,7 +2785,6 @@ def ajax_inv_render_tree():
node = inventory.get(tree, invpath)
if not node:
html.show_error(_("Invalid path %s in inventory tree") % invpath)
- html.debug(tree)
else:
render_inv_subtree_container(hostname, invpath, node)
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 4de2be2..ca18501 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -11213,6 +11213,10 @@ def mode_edit_role(phase):
html.context_button(_("All Roles"), make_link([("mode",
"roles")]), "back")
return
+ # Make sure that all dynamic permissions are available (e.g. those for custom
+ # views)
+ config.load_dynamic_permissions()
+
roles = userdb.load_roles()
role = roles[id]