Filter JSON before output #100
Hi Adam. You have two options:

Using nefertari-guards

Things to consider when using nefertari-guards are:
a) ACL inheritance will probably be disabled in next versions.
b) Collection ACL filtering doesn't respect order of ACEs in ACL. Thus if your ACL says "allow user1 view, deny everyone view" - in terms of Pyramid, this ACL allows view to user1, because it comes before Deny, but ACL filtering will still hide that item, because it denies access to one of user1's identifiers ("everyone").

Using nefertari tools
Thanks for pointing me in the right direction and the insight into the next version. Greatly appreciate it.
The nefertari-guards mixin is working as expected for system users, however I'm stumped when it comes to defining _acls for non-system users. Have tried inserting data via a range of means without luck. Example:

POST :6543/v1/auth/register username='agent1' email='[email protected]' password='password' _acl="[{'action': 'allow', 'permission': 'all', 'principal': 'agent1'}]"
"(exceptions.ValueError) need more than 1 value to unpack"

PATCH :6543/v1/users/agent1 _acl="[{'action': 'allow', 'permission': 'all', 'principal': 'agent1'}]"
"(exceptions.ValueError) need more than 1 value to unpack"

POST :6543/v1/auth/register username='agent1' email='[email protected]' password='password' _acl="[(Allow, agent1, 'update')]"
"(exceptions.ValueError) need more than 1 value to unpack"

PATCH :6543/v1/users/agent1 _acl="[(Allow, agent1, 'update')]"
"(exceptions.ValueError) need more than 1 value to unpack"

Tried event handlers:

import logging
from ramses import registry

log = logging.getLogger(__name__)

@registry.add
def set_item_owner(event):
    """ Set owner of an item. """
    user = getattr(event.view.request, 'user', None)
    # Bail out before touching user.username when the request carries no user
    if user is None:
        return
    log.info('Set item owner to: {}'.format(str(user.username)))
    perms = [{"action": "allow", "permission": "all", "principal": str(user.username)}]
    if '_acl' not in event.fields:
        event.set_field_value('_acl', perms)

Switched log.info to log.warning for debugging and discovered that the user auth model doesn't seem to run assigned event handlers. Can't get data into the _acl field for non-system users. Must be overlooking something but not sure what. Is this expected behaviour?

Edit: I've updated to the latest builds of ramses, nefertari, nefertari-guards. Having some partial success, will continue to run some tests and get back to you.

Ticket resolved, was able to fix the issue by updating to the latest release versions of ramses, nefertari, nefertari-guards
Good. I'll leave this ticket open for a while if you have more questions.
Thanks for that. Re-reading helped solve a few unexpected behaviours I was experiencing.

What I'm trying to achieve is to allow users to view the filtered collection summary and their own {items}, but Deny them other users' {items}. At the moment, it looks like {items} inherit the permissions from their collection; therefore, since the collection filtering requires View permissions, all users have access to all other users' {items}. I've had a look at before_show and after_show in hopes of being able to filter the {item} results from there, but no luck so far. Is this issue scheduled to be resolved in the next update?
These 2 PRs have been merged into the respective develop branches of nefertari-guards and ramses and should address your issue. In essence, it disables acl inheritance when nefertari-guards is used. It makes sense because when using nefertari-guards, acls are stored at the object level and some objects may have permissive ACLs while their parent collections may deny things and we don't want to inherit from those deny rules in that case.
Sounds good. I will pull the development branch if I get a few spare moments this or next week. Also permitting Allow to supersede Deny would be handy. For example:

Whereas in its current state, with Denies superseding Allows, you have to write many times more permissions to achieve the same effect. Not sure why Pyramid does the opposite, but I may be overlooking something http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/security.html#creating-your-own-authentication-policy
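The divergence described earlier in the thread (Pyramid's first-matching-ACE rule versus order-insensitive collection filtering where any Deny hides the item) and the owner-only collection view asked about above, as an added, self-contained model. It is not nefertari-guards' or Pyramid's own code; the ACE tuple shape, the `compare` and `filter_collection` helpers and the sample items are constructed assumptions.

```python
from typing import Iterable, List, Tuple

Allow, Deny = "allow", "deny"
Everyone = "everyone"          # principal every request carries
ALL_PERMISSIONS = "all"
ACE = Tuple[str, str, str]     # (action, principal, permission)


def pyramid_permits(acl: Iterable[ACE], principals: Iterable[str], permission: str) -> bool:
    """Simplified Pyramid ACL semantics: walk the ACL in order; the first ACE whose
    principal and permission both match decides. No match at all means denied."""
    ids = set(principals)
    for action, principal, perm in acl:
        if principal in ids and perm in (permission, ALL_PERMISSIONS):
            return action == Allow
    return False


def guards_visible(acl: Iterable[ACE], principals: Iterable[str], permission: str) -> bool:
    """Order-insensitive filtering as the reply describes it: a Deny matching any of
    the requester's identifiers hides the item even when an earlier Allow matched."""
    ids = set(principals)
    acl = list(acl)
    allowed = any(a == Allow and p in ids and perm in (permission, ALL_PERMISSIONS) for a, p, perm in acl)
    denied = any(a == Deny and p in ids and perm in (permission, ALL_PERMISSIONS) for a, p, perm in acl)
    return allowed and not denied


def filter_collection(items: List[dict], principals: Iterable[str], permission: str = "view") -> List[dict]:
    """Drop items the requester may not see, as a GET on the collection would."""
    return [i for i in items if guards_visible(i["_acl"], principals, permission)]


# Constructed sample data: the ACL quoted in the reply, plus an owner-only and a public item.
SAMPLE_ACL = [(Allow, "user1", "view"), (Deny, Everyone, "view")]
ITEMS = [
    {"id": 1, "_acl": SAMPLE_ACL},
    {"id": 2, "_acl": [(Allow, "agent1", ALL_PERMISSIONS)]},   # owner-only, as set by an event handler
    {"id": 3, "_acl": [(Allow, Everyone, "view")]},
]


def compare(acl: Iterable[ACE] = SAMPLE_ACL, principals=("user1", Everyone), permission="view"):
    """Return (Pyramid decision, filtering decision) so the divergence is visible."""
    acl = list(acl)
    return pyramid_permits(acl, principals, permission), guards_visible(acl, principals, permission)


if __name__ == "__main__":
    print(compare())                                                          # (True, False)
    print([i["id"] for i in filter_collection(ITEMS, ["agent1", Everyone])])  # [2, 3]
```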
Quick question,

Is there any existing tooling to filter JSON views before output?

Usage example: instances where you have a collection with items, those items have user ownership, and you want to hide the items from non-owners when the collection is queried via a GET /api/collection.

If so great, but if not I'll look into monkey patching the views.py functions in ramses or something.