add delete scopes for users, groups, servers

e.g. cull-idle services do not need permission to start servers in order to be able to stop them
This commit is contained in:
Min RK
2021-09-21 14:39:27 +02:00
parent 4f6ef54b50
commit 8cac83fc96
5 changed files with 17 additions and 6 deletions

View File

@@ -129,7 +129,7 @@ class GroupAPIHandler(_GroupAPIHandler):
self.write(json.dumps(self.group_model(group))) self.write(json.dumps(self.group_model(group)))
self.set_status(201) self.set_status(201)
@needs_scope('admin:groups') @needs_scope('delete:groups')
def delete(self, group_name): def delete(self, group_name):
"""Delete a group by name""" """Delete a group by name"""
group = self.find_group(group_name) group = self.find_group(group_name)

View File

@@ -266,7 +266,7 @@ class UserAPIHandler(APIHandler):
self.write(json.dumps(self.user_model(user))) self.write(json.dumps(self.user_model(user)))
self.set_status(201) self.set_status(201)
@needs_scope('admin:users') @needs_scope('delete:users')
async def delete(self, user_name): async def delete(self, user_name):
user = self.find_user(user_name) user = self.find_user(user_name)
if user is None: if user is None:
@@ -525,7 +525,7 @@ class UserServerAPIHandler(APIHandler):
self.set_header('Content-Type', 'text/plain') self.set_header('Content-Type', 'text/plain')
self.set_status(status) self.set_status(status)
@needs_scope('servers') @needs_scope('delete:servers')
async def delete(self, user_name, server_name=''): async def delete(self, user_name, server_name=''):
user = self.find_user(user_name) user = self.find_user(user_name)
options = self.get_json_body() options = self.get_json_body()

View File

@@ -89,6 +89,7 @@ def expand_self_scope(name):
'users:activity', 'users:activity',
'read:users:activity', 'read:users:activity',
'servers', 'servers',
'delete:servers',
'read:servers', 'read:servers',
'tokens', 'tokens',
'read:tokens', 'read:tokens',

View File

@@ -36,13 +36,16 @@ scope_definitions = {
}, },
'admin:users': { 'admin:users': {
'description': 'Read, write, create and delete users and their authentication state, not including their servers or tokens.', 'description': 'Read, write, create and delete users and their authentication state, not including their servers or tokens.',
'subscopes': ['admin:auth_state', 'users', 'read:roles:users'], 'subscopes': ['admin:auth_state', 'users', 'read:roles:users', 'delete:users'],
}, },
'admin:auth_state': {'description': 'Read a users authentication state.'}, 'admin:auth_state': {'description': 'Read a users authentication state.'},
'users': { 'users': {
'description': 'Read and write permissions to user models (excluding servers, tokens and authentication state).', 'description': 'Read and write permissions to user models (excluding servers, tokens and authentication state).',
'subscopes': ['read:users', 'list:users', 'users:activity'], 'subscopes': ['read:users', 'list:users', 'users:activity'],
}, },
'delete:users': {
'description': "Delete users.",
},
'list:users': { 'list:users': {
'description': 'List users, including at least their names.', 'description': 'List users, including at least their names.',
'subscopes': ['read:users:name'], 'subscopes': ['read:users:name'],
@@ -76,12 +79,13 @@ scope_definitions = {
'admin:server_state': {'description': 'Read and write users server state.'}, 'admin:server_state': {'description': 'Read and write users server state.'},
'servers': { 'servers': {
'description': 'Start and stop user servers.', 'description': 'Start and stop user servers.',
'subscopes': ['read:servers'], 'subscopes': ['read:servers', 'delete:servers'],
}, },
'read:servers': { 'read:servers': {
'description': 'Read users names and their server models (excluding the server state).', 'description': 'Read users names and their server models (excluding the server state).',
'subscopes': ['read:users:name'], 'subscopes': ['read:users:name'],
}, },
'delete:servers': {'description': "Stop and delete users' servers."},
'tokens': { 'tokens': {
'description': 'Read, write, create and delete user tokens.', 'description': 'Read, write, create and delete user tokens.',
'subscopes': ['read:tokens'], 'subscopes': ['read:tokens'],
@@ -89,7 +93,7 @@ scope_definitions = {
'read:tokens': {'description': 'Read user tokens.'}, 'read:tokens': {'description': 'Read user tokens.'},
'admin:groups': { 'admin:groups': {
'description': 'Read and write group information, create and delete groups.', 'description': 'Read and write group information, create and delete groups.',
'subscopes': ['groups', 'read:roles:groups'], 'subscopes': ['groups', 'read:roles:groups', 'delete:groups'],
}, },
'groups': { 'groups': {
'description': 'Read and write group information, including adding/removing users to/from groups.', 'description': 'Read and write group information, including adding/removing users to/from groups.',
@@ -104,6 +108,9 @@ scope_definitions = {
'subscopes': ['read:groups:name'], 'subscopes': ['read:groups:name'],
}, },
'read:groups:name': {'description': 'Read group names.'}, 'read:groups:name': {'description': 'Read group names.'},
'delete:groups': {
'description': "Delete groups.",
},
'list:services': { 'list:services': {
'description': 'List services, including at least their names.', 'description': 'List services, including at least their names.',
'subscopes': ['read:services:name'], 'subscopes': ['read:services:name'],

View File

@@ -182,6 +182,7 @@ def test_orm_roles_delete_cascade(db):
'admin:users', 'admin:users',
'admin:auth_state', 'admin:auth_state',
'users', 'users',
'delete:users',
'list:users', 'list:users',
'read:users', 'read:users',
'users:activity', 'users:activity',
@@ -218,6 +219,7 @@ def test_orm_roles_delete_cascade(db):
{ {
'admin:groups', 'admin:groups',
'groups', 'groups',
'delete:groups',
'list:groups', 'list:groups',
'read:groups', 'read:groups',
'read:roles:groups', 'read:roles:groups',
@@ -229,6 +231,7 @@ def test_orm_roles_delete_cascade(db):
{ {
'admin:groups', 'admin:groups',
'groups', 'groups',
'delete:groups',
'list:groups', 'list:groups',
'read:groups', 'read:groups',
'read:roles:groups', 'read:roles:groups',