Module: check_mk Branch: master Commit: ed742dc2e8710ee65f6bc45cc6fbba735f045f04 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=ed742dc2e8710e… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Wed Mar 19 10:14:00 2014 +0100 Also custom views now have permissions In that past only builtin views had permissions that you could disable in a role and that way remove those views for certain users. Now this also works for custom views - i.e. views that a user has created with a new unique name and and that is published for other users. Please note that regardless of a view's permission the owner of the view can always see it. If you do not like this you can remove the permission for creating custom views. --- .werks/748 | 15 +++++++++++++++ ChangeLog | 1 + web/htdocs/config.py | 22 +++++++++++++++++++--- web/htdocs/views.py | 42 +++++++++++++++++++++++++++++++----------- web/htdocs/wato.py | 4 ++++ 5 files changed, 70 insertions(+), 14 deletions(-) diff --git a/.werks/748 b/.werks/748 new file mode 100644 index 0000000..e880521 --- /dev/null +++ b/.werks/748 @@ -0,0 +1,15 @@ +Title: Also custom views now have permissions +Level: 2 +Component: multisite +Version: 1.2.5i1 +Date: 1395220282 +Class: feature + +In that past only builtin views had permissions that you could disable in a +role and that way remove those views for certain users. Now this also works +for custom views - i.e. views that a user has created with a new unique name +and and that is published for other users. + +Please note that regardless of a view's permission the owner of the view can +always see it. If you do not like this you can remove the permission for +creating custom views. diff --git a/ChangeLog b/ChangeLog index 1d0cf29..f9e9ae0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -227,6 +227,7 @@ * 0123 New time range filter for Downtimes and Comments... * 0683 New column painter for the last time a service was OK... * 0561 quicksearch: now able to search with multiple filters... + * 0748 Also custom views now have permissions... * 0302 FIX: Fixed highlight of choosen elements in foldertee/views snapin in Chrome/IE * 0239 FIX: Fixed incorrect html formatting when displaying host or service comments... * 0307 FIX: Increased performance of multisite GUI with a large userbase... diff --git a/web/htdocs/config.py b/web/htdocs/config.py index 8ff45dd..f748d98 100644 --- a/web/htdocs/config.py +++ b/web/htdocs/config.py @@ -72,9 +72,10 @@ except: # Global table of available permissions. Plugins may add their own # permissions by calling declare_permission() -permissions_by_name = {} -permissions_by_order = [] -permission_sections = {} +permissions_by_name = {} +permissions_by_order = [] +permission_sections = {} +permission_declaration_functions = [] # Constants for BI ALL_HOSTS = '(.*)' @@ -184,6 +185,21 @@ def declare_permission_section(name, title, prio = 0, do_sort = False): # be listed first, e.g. in the edit dialogs permission_sections[name] = (prio, title, do_sort) +# Some module have a non-fixed list of permissions. For example for +# each user defined view there is also a permission. This list is +# not known at the time of the loading of the module - though. For +# that purpose module can register functions. These functions should +# just call declare_permission(). They are being called in the correct +# situations. +def declare_dynamic_permissions(func): + permission_declaration_functions.append(func) + +# This function needs to be called by all code that needs access +# to possible dynamic permissions +def load_dynamic_permissions(): + for func in permission_declaration_functions: + func() + # Compute permissions for HTTP user and set in # global variables. Also store user. def login(u): diff --git a/web/htdocs/views.py b/web/htdocs/views.py index 053798f..95d9f34 100644 --- a/web/htdocs/views.py +++ b/web/htdocs/views.py @@ -72,20 +72,21 @@ def load_plugins(): loaded_with_language = current_language # Declare permissions for builtin views - config.declare_permission_section("view", _("Builtin views"), do_sort = True) + config.declare_permission_section("view", _("Multisite Views"), do_sort = True) for name, view in multisite_builtin_views.items(): config.declare_permission("view.%s" % name, view["title"], view["description"], config.builtin_role_ids) + # Make sure that custom views also have permissions + config.declare_dynamic_permissions(declare_custom_view_permissions) + # Add painter names to painter objects (e.g. for JSON web service) for n, p in multisite_painters.items(): p["name"] = n - - ################################################################################## # Layouts ################################################################################## @@ -237,6 +238,7 @@ class Filter: # Load all views - users or builtins def load_views(): + declare_custom_view_permissions() html.multisite_views = {} # first load builtins. Set username to '' @@ -273,7 +275,6 @@ def load_views(): if view['datasource'] not in multisite_datasources: continue - # Maybe resolve inherited attributes builtin_view = html.multisite_views.get(('', name)) if builtin_view: @@ -293,6 +294,26 @@ def load_views(): html.available_views = available_views() +# Load all users views just in order to declare permissions of custom views +def declare_custom_view_permissions(): + # Now scan users subdirs for files "views.mk" + subdirs = os.listdir(config.config_dir) + for user in subdirs: + try: + dirpath = config.config_dir + "/" + user + if os.path.isdir(dirpath): + path = dirpath + "/views.mk" + if not os.path.exists(path): + continue + views = eval(file(path).read()) + for name, view in views.items(): + if view["public"] and not config.permission_exists("view." + name): + config.declare_permission("view." + name, view["title"], + view["description"], ['admin','user','guest']) + except: + if opt_debug: + raise + # Get the list of views which are available to the user # (which could be retrieved with get_view) def available_views(): @@ -308,12 +329,12 @@ def available_views(): # 2. views of special users allowed to globally override builtin views for (u, n), view in html.multisite_views.items(): if n not in views and view["public"] and config.user_may(u, "general.force_views"): - # Honor original permissions for the current user - permname = "view.%s" % n - if config.permission_exists(permname) \ - and not config.may(permname): - continue - views[n] = view + # Honor original permissions for the current user + permname = "view.%s" % n + if config.permission_exists(permname) \ + and not config.may(permname): + continue + views[n] = view # 3. Builtin views, if allowed. for (u, n), view in html.multisite_views.items(): @@ -2764,7 +2785,6 @@ def ajax_inv_render_tree(): node = inventory.get(tree, invpath) if not node: html.show_error(_("Invalid path %s in inventory tree") % invpath) - html.debug(tree) else: render_inv_subtree_container(hostname, invpath, node) diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py index 4de2be2..ca18501 100644 --- a/web/htdocs/wato.py +++ b/web/htdocs/wato.py @@ -11213,6 +11213,10 @@ def mode_edit_role(phase): html.context_button(_("All Roles"), make_link([("mode", "roles")]), "back") return + # Make sure that all dynamic permissions are available (e.g. those for custom + # views) + config.load_dynamic_permissions() + roles = userdb.load_roles() role = roles[id]