[open-ils-commits] r14818 - in trunk/Open-ILS: examples src/perlmods/OpenILS/Application (erickson)
svn at svn.open-ils.org
svn at svn.open-ils.org
Fri Nov 6 18:24:44 EST 2009
Author: erickson
Date: 2009-11-06 18:24:38 -0500 (Fri, 06 Nov 2009)
New Revision: 14818
Modified:
trunk/Open-ILS/examples/fm_IDL.xml
trunk/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
trunk/Open-ILS/src/perlmods/OpenILS/Application/AppUtils.pm
Log:
Patch from Lebbeous Fogle-Weekley to add support for controlling access of org unit settings
based on the new in-database org settings permission setup
Modified: trunk/Open-ILS/examples/fm_IDL.xml
===================================================================
--- trunk/Open-ILS/examples/fm_IDL.xml 2009-11-06 22:02:15 UTC (rev 14817)
+++ trunk/Open-ILS/examples/fm_IDL.xml 2009-11-06 23:24:38 UTC (rev 14818)
@@ -1742,10 +1742,14 @@
<field name="label" reporter:datatype="text"/>
<field name="description" reporter:datatype="text"/>
<field name="datatype" reporter:datatype="text"/>
+ <field name="view_perm" reporter:datatype="link"/>
+ <field name="update_perm" reporter:datatype="link"/>
<field name="fm_class" reporter:datatype="text"/>
</fields>
<links>
<link field="name" reltype="has_many" key="name" map="" class="aous"/>
+ <link field="view_perm" reltype="has_a" key="id" map="" class="ppl"/>
+ <link field="update_perm" reltype="has_a" key="id" map="" class="ppl"/>
</links>
<permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
<actions>
Modified: trunk/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
===================================================================
--- trunk/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm 2009-11-06 22:02:15 UTC (rev 14817)
+++ trunk/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm 2009-11-06 23:24:38 UTC (rev 14818)
@@ -50,6 +50,22 @@
my $set_ou_settings;
+#__PACKAGE__->register_method(
+# method => "allowed_test",
+# api_name => "open-ils.actor.allowed_test",
+#);
+#sub allowed_test {
+# my($self, $conn, $auth, $orgid, $permcode) = @_;
+# my $e = new_editor(authtoken => $auth);
+# return $e->die_event unless $e->checkauth;
+#
+# return {
+# orgid => $orgid,
+# permcode => $permcode,
+# result => $e->allowed($permcode, $orgid)
+# };
+#}
+
__PACKAGE__->register_method(
method => "update_user_setting",
api_name => "open-ils.actor.patron.settings.update",
@@ -97,13 +113,11 @@
api_name => "open-ils.actor.org_unit.settings.update",
signature => {
desc => q/
- Updates the value for a given org unit setting. The permission to update an org unit setting
- is either the UPDATE_ORG_UNIT_SETTING_ALL, a specific UPDATE_ORG_UNIT_SETTING.<setting_name>
- permission, or a permission the maps to a prefix of the setting name. For example, if the setting
- was called "foo.bar.baz" the user could update the setting if he\she had the following perms:
- UPDATE_ORG_UNIT_SETTING.foo
- UPDATE_ORG_UNIT_SETTING.foo.bar
- UPDATE_ORG_UNIT_SETTING.foo.bar.baz/,
+ Updates the value for a given org unit setting. The permission to update
+ an org unit setting is either the UPDATE_ORG_UNIT_SETTING_ALL, or a specific
+ permission specified in the update_perm column of the
+ config.org_unit_setting_type table's row corresponding to the setting being
+ changed./,
params => [
{desc => 'authtoken', type => 'string'},
{desc => 'org unit id', type => 'number'},
@@ -124,23 +138,17 @@
for my $name (keys %$settings) {
my $val = $$settings{$name};
- my $type = $e->retrieve_config_org_unit_setting_type($name) or return $e->die_event;
+ my $type = $e->retrieve_config_org_unit_setting_type([
+ $name,
+ {flesh => 1, flesh_fields => {'coust' => ['update_perm']}}
+ ]) or return $e->die_event;
my $set = $e->search_actor_org_unit_setting({org_unit => $org_id, name => $name})->[0];
- unless($all_allowed) {
- my $allowed = 0;
- my $perm = 'UPDATE_ORG_UNIT_SETTING';
- for my $part (split(/\./, $name)) {
- $perm = "$perm.$part";
- if($e->allowed($perm, $org_id)) {
- $allowed = 1;
- last;
- }
- }
+ # If there is no relevant permission, the default assumption will
+ # be, "no, the caller cannot change that value."
+ return $e->die_event unless ($all_allowed ||
+ ($type->update_perm && $e->allowed($type->update_perm->code, $org_id)));
- return $e->die_event unless $allowed;
- }
-
if(defined $val) {
$val = OpenSRF::Utils::JSON->perl2JSON($val);
if($set) {
@@ -204,13 +212,22 @@
__PACKAGE__->register_method(
method => "ranged_ou_settings",
api_name => "open-ils.actor.org_unit_setting.values.ranged.retrieve",
+ signature => {
+ desc => q/
+ Retrieves all org unit settings for the given org_id, up to whatever limit
+ is implied for retrieving OU settings by the authenticated users' permissions./,
+ params => [
+ {desc => 'authtoken', type => 'string'},
+ {desc => 'org unit id', type => 'number'},
+ ],
+ return => {desc => 'A hashref of "ranged" settings'}
+ }
);
sub ranged_ou_settings {
my( $self, $client, $auth, $org_id ) = @_;
my $e = new_editor(authtoken => $auth);
return $e->event unless $e->checkauth;
- return $e->event unless $e->allowed('VIEW_ORG_SETTINGS', $org_id);
my %ranged_settings;
my $org_list = $U->get_org_ancestors($org_id);
@@ -219,11 +236,22 @@
# start at the context org and capture the setting value
# without clobbering settings we've already captured
- for my $org_id (@$org_list) {
+ for my $this_org_id (@$org_list) {
- my @sets = grep { $_->org_unit == $org_id } @$settings;
+ my @sets = grep { $_->org_unit == $this_org_id } @$settings;
for my $set (@sets) {
+ my $type = $e->retrieve_config_org_unit_setting_type([
+ $set->name,
+ {flesh => 1, flesh_fields => {coust => ['view_perm']}}
+ ]);
+
+ # If there is no relevant permission, the default assumption will
+ # be, "yes, the caller can have that value."
+ if ($type && $type->view_perm) {
+ next if not $e->allowed($type->view_perm->code, $org_id);
+ }
+
$ranged_settings{$set->name} = OpenSRF::Utils::JSON->JSON2perl($set->value)
unless defined $ranged_settings{$set->name};
}
@@ -237,6 +265,18 @@
__PACKAGE__->register_method(
api_name => 'open-ils.actor.ou_setting.ancestor_default',
method => 'ou_ancestor_setting',
+ signature => {
+ desc => q/Get an org unit setting value as seen from your org unit. IF AND ONLY IF
+ you provide an authentication token, this method will make sure that the given
+ user has permission to view that setting, if there is a permission associated
+ with the setting./,
+ params => [
+ {desc => 'org unit id', type => 'number'},
+ {desc => 'setting name', type => 'string'},
+ {desc => '(optional) authtoken', type => 'string'},
+ ],
+ return => {desc => 'A value for the org unit setting, or undef'}
+ }
);
# ------------------------------------------------------------------
@@ -247,18 +287,30 @@
# otherwise, returns NULL
# ------------------------------------------------------------------
sub ou_ancestor_setting {
- my( $self, $client, $orgid, $name ) = @_;
- return $U->ou_ancestor_setting($orgid, $name);
+ my( $self, $client, $orgid, $name, $auth ) = @_;
+ return $U->ou_ancestor_setting($orgid, $name, undef, $auth);
}
__PACKAGE__->register_method(
api_name => 'open-ils.actor.ou_setting.ancestor_default.batch',
method => 'ou_ancestor_setting_batch',
+ signature => {
+ desc => q/Get org unit setting name => value pairs as seen from the specified org unit.
+ IF AND ONLY IF you provide an authentication token, this method will make sure
+ that the given user has permission to view that setting, if there is a
+ permission associated with the setting./,
+ params => [
+ {desc => 'org unit id', type => 'number'},
+ {desc => 'setting name list', type => 'array'},
+ {desc => '(optional) authtoken', type => 'string'},
+ ],
+ return => {desc => 'A hash with name => value pairs for the org unit settings'}
+ }
);
sub ou_ancestor_setting_batch {
- my( $self, $client, $orgid, $name_list ) = @_;
+ my( $self, $client, $orgid, $name_list, $auth ) = @_;
my %values;
- $values{$_} = $U->ou_ancestor_setting($orgid, $_) for @$name_list;
+ $values{$_} = $U->ou_ancestor_setting($orgid, $_, undef, $auth) for @$name_list;
return \%values;
}
Modified: trunk/Open-ILS/src/perlmods/OpenILS/Application/AppUtils.pm
===================================================================
--- trunk/Open-ILS/src/perlmods/OpenILS/Application/AppUtils.pm 2009-11-06 22:02:15 UTC (rev 14817)
+++ trunk/Open-ILS/src/perlmods/OpenILS/Application/AppUtils.pm 2009-11-06 23:24:38 UTC (rev 14818)
@@ -1167,9 +1167,28 @@
return undef;
}
+
+# If an authentication token is provided AND this org unit setting has a
+# view_perm, then make sure the user referenced by the auth token has
+# that permission. This means that if you call this method without an
+# authtoken param, you can get whatever org unit setting values you want.
+# API users beware.
sub ou_ancestor_setting {
- my( $self, $orgid, $name, $e ) = @_;
- $e = $e || OpenILS::Utils::CStoreEditor->new;
+ my( $self, $orgid, $name, $e, $auth ) = @_;
+ $e = $e || OpenILS::Utils::CStoreEditor->new(
+ (defined $auth) ? (authtoken => $auth) : ()
+ );
+ my $coust = $e->retrieve_config_org_unit_setting_type([
+ $name, {flesh => 1, flesh_fields => {coust => ['view_perm']}}
+ ]);
+
+ if ($auth && $coust && $coust->view_perm) {
+ # And you can't have permission if you don't have a valid session.
+ return undef if not $e->checkauth;
+ # And now that we know you MIGHT have permission, we check it.
+ return undef if not $e->allowed($coust->view_perm->code, $orgid);
+ }
+
my $query = {from => ['actor.org_unit_ancestor_setting', $name, $orgid]};
my $setting = $e->json_query($query)->[0];
return undef unless $setting;
More information about the open-ils-commits
mailing list