Revision 17629fea pithos/backends/simple.py
| b/pithos/backends/simple.py | ||
|---|---|---|
| 205 | 205 |
|
| 206 | 206 |
logger.debug("list_containers: %s %s %s %s", account, marker, limit, until)
|
| 207 | 207 |
if user != account: |
| 208 |
raise NotAllowedError |
|
| 208 |
if until: |
|
| 209 |
raise NotAllowedError |
|
| 210 |
containers = self._allowed_containers(user, account) |
|
| 211 |
start = 0 |
|
| 212 |
if marker: |
|
| 213 |
try: |
|
| 214 |
start = containers.index(marker) + 1 |
|
| 215 |
except ValueError: |
|
| 216 |
pass |
|
| 217 |
if not limit or limit > 10000: |
|
| 218 |
limit = 10000 |
|
| 219 |
return containers[start:start + limit] |
|
| 209 | 220 |
return self._list_objects(account, '', '/', marker, limit, False, [], until) |
| 210 | 221 |
|
| 211 | 222 |
def get_container_meta(self, user, account, container, until=None): |
| ... | ... | |
| 757 | 768 |
sql = 'delete from groups where account = ?' |
| 758 | 769 |
self.con.execute(sql, (account,)) |
| 759 | 770 |
|
| 760 |
def _is_allowed(self, user, account, container, name, op='read'): |
|
| 761 |
if user == account: |
|
| 762 |
return True |
|
| 763 |
path = os.path.join(account, container, name) |
|
| 764 |
if op == 'read' and self._get_public(path): |
|
| 765 |
return True |
|
| 766 |
perm_path, perms = self._get_permissions(path) |
|
| 767 |
|
|
| 768 |
# Expand groups. |
|
| 769 |
for x in ('read', 'write'):
|
|
| 770 |
g_perms = set() |
|
| 771 |
for y in perms.get(x, []): |
|
| 772 |
if ':' in y: |
|
| 773 |
g_account, g_name = y.split(':', 1)
|
|
| 774 |
groups = self._get_groups(g_account) |
|
| 775 |
if g_name in groups: |
|
| 776 |
g_perms.update(groups[g_name]) |
|
| 777 |
else: |
|
| 778 |
g_perms.add(y) |
|
| 779 |
perms[x] = g_perms |
|
| 780 |
|
|
| 781 |
if op == 'read' and ('*' in perms['read'] or user in perms['read']):
|
|
| 782 |
return True |
|
| 783 |
if '*' in perms['write'] or user in perms['write']: |
|
| 784 |
return True |
|
| 785 |
return False |
|
| 786 |
|
|
| 787 |
def _can_read(self, user, account, container, name): |
|
| 788 |
if not self._is_allowed(user, account, container, name, 'read'): |
|
| 789 |
raise NotAllowedError |
|
| 790 |
|
|
| 791 |
def _can_write(self, user, account, container, name): |
|
| 792 |
if not self._is_allowed(user, account, container, name, 'write'): |
|
| 793 |
raise NotAllowedError |
|
| 794 |
|
|
| 795 | 771 |
def _check_permissions(self, path, permissions): |
| 796 | 772 |
# Check for existing permissions. |
| 797 | 773 |
sql = '''select name from permissions |
| ... | ... | |
| 860 | 836 |
sql = 'delete from public where name = ?' |
| 861 | 837 |
self.con.execute(sql, (path,)) |
| 862 | 838 |
self.con.commit() |
| 839 |
|
|
| 840 |
def _is_allowed(self, user, account, container, name, op='read'): |
|
| 841 |
if user == account: |
|
| 842 |
return True |
|
| 843 |
path = os.path.join(account, container, name) |
|
| 844 |
if op == 'read' and self._get_public(path): |
|
| 845 |
return True |
|
| 846 |
perm_path, perms = self._get_permissions(path) |
|
| 847 |
|
|
| 848 |
# Expand groups. |
|
| 849 |
for x in ('read', 'write'):
|
|
| 850 |
g_perms = set() |
|
| 851 |
for y in perms.get(x, []): |
|
| 852 |
if ':' in y: |
|
| 853 |
g_account, g_name = y.split(':', 1)
|
|
| 854 |
groups = self._get_groups(g_account) |
|
| 855 |
if g_name in groups: |
|
| 856 |
g_perms.update(groups[g_name]) |
|
| 857 |
else: |
|
| 858 |
g_perms.add(y) |
|
| 859 |
perms[x] = g_perms |
|
| 860 |
|
|
| 861 |
if op == 'read' and ('*' in perms['read'] or user in perms['read']):
|
|
| 862 |
return True |
|
| 863 |
if '*' in perms['write'] or user in perms['write']: |
|
| 864 |
return True |
|
| 865 |
return False |
|
| 866 |
|
|
| 867 |
def _can_read(self, user, account, container, name): |
|
| 868 |
if not self._is_allowed(user, account, container, name, 'read'): |
|
| 869 |
raise NotAllowedError |
|
| 870 |
|
|
| 871 |
def _can_write(self, user, account, container, name): |
|
| 872 |
if not self._is_allowed(user, account, container, name, 'write'): |
|
| 873 |
raise NotAllowedError |
|
| 874 |
|
|
| 875 |
def _allowed_paths(self, user, prefix=None): |
|
| 876 |
sql = '''select distinct name from permissions where (user = ? |
|
| 877 |
or user in (select account || ':' || gname from groups where user = ?))''' |
|
| 878 |
param = (user, user) |
|
| 879 |
if prefix: |
|
| 880 |
sql += ' and name like ?' |
|
| 881 |
param += (prefix + '/%',) |
|
| 882 |
c = self.con.execute(sql, param) |
|
| 883 |
return [x[0] for x in c.fetchall()] |
|
| 884 |
|
|
| 885 |
def _allowed_accounts(self, user): |
|
| 886 |
allow = set() |
|
| 887 |
for path in self._allowed_paths(user): |
|
| 888 |
allow.add(path.split('/', 1)[0])
|
|
| 889 |
return sorted(allow) |
|
| 890 |
|
|
| 891 |
def _allowed_containers(self, user, account): |
|
| 892 |
allow = set() |
|
| 893 |
for path in self._allowed_paths(user, account): |
|
| 894 |
allow.add(path.split('/', 2)[1])
|
|
| 895 |
return sorted(allow) |
|
Also available in: Unified diff