Improved permission check #393

Sven Heidemann 2023-10-02 16:08:16 +02:00
parent 76d94c0f60
commit 72fb363492
3 changed files with 25 additions and 4 deletions


@ -24,3 +24,4 @@ class FeatureFlagsEnum(Enum):
game_server = "GameServer" game_server = "GameServer"
sync_xp = "SyncXp" sync_xp = "SyncXp"
short_role_name = "ShortRoleName" short_role_name = "ShortRoleName"
technician_full_access = "TechnicianFullAccess"


@ -26,6 +26,7 @@ class FeatureFlagsSettings(ConfigurationModelABC):
FeatureFlagsEnum.game_server.value: False, # 25.09.2023 #366 FeatureFlagsEnum.game_server.value: False, # 25.09.2023 #366
FeatureFlagsEnum.sync_xp.value: False, # 25.09.2023 #366 FeatureFlagsEnum.sync_xp.value: False, # 25.09.2023 #366
FeatureFlagsEnum.short_role_name.value: False, # 28.09.2023 #378 FeatureFlagsEnum.short_role_name.value: False, # 28.09.2023 #378
FeatureFlagsEnum.technician_full_access.value: False, # 02.10.2023 #393
} }
def __init__(self, **kwargs: dict): def __init__(self, **kwargs: dict):


@ -1,6 +1,7 @@
from typing import Callable from typing import Callable
from ariadne import ObjectType from ariadne import ObjectType
from cpl_core.configuration import ConfigurationABC
from cpl_core.dependency_injection import ServiceProviderABC from cpl_core.dependency_injection import ServiceProviderABC
from cpl_core.type import T from cpl_core.type import T
from cpl_discord.service import DiscordBotServiceABC from cpl_discord.service import DiscordBotServiceABC
@ -10,6 +11,7 @@ from bot_api.exception.service_error_code_enum import ServiceErrorCode
from bot_api.exception.service_exception import ServiceException from bot_api.exception.service_exception import ServiceException
from bot_api.route.route import Route from bot_api.route.route import Route
from bot_core.configuration.feature_flags_enum import FeatureFlagsEnum from bot_core.configuration.feature_flags_enum import FeatureFlagsEnum
from bot_core.configuration.feature_flags_settings import FeatureFlagsSettings
from bot_data.model.achievement import Achievement from bot_data.model.achievement import Achievement
from bot_data.model.auth_role_enum import AuthRoleEnum from bot_data.model.auth_role_enum import AuthRoleEnum
from bot_data.model.auth_user import AuthUser from bot_data.model.auth_user import AuthUser
@ -75,7 +77,12 @@ class QueryABC(ObjectType):
def get_services(services: ServiceProviderABC) -> ServiceProviderABC: def get_services(services: ServiceProviderABC) -> ServiceProviderABC:
return services return services
@ServiceProviderABC.inject
def get_config(config: ConfigurationABC) -> ConfigurationABC:
return config
services = get_services() services = get_services()
config = get_config()
permissions: PermissionService = services.get_service(PermissionService) permissions: PermissionService = services.get_service(PermissionService)
bot: DiscordBotServiceABC = services.get_service(DiscordBotServiceABC) bot: DiscordBotServiceABC = services.get_service(DiscordBotServiceABC)
@ -84,6 +91,11 @@ class QueryABC(ObjectType):
for u in user.users: for u in user.users:
guild = bot.get_guild(u.server.discord_id) guild = bot.get_guild(u.server.discord_id)
settings: ServerConfig = config.get_configuration(f"ServerConfig_{guild.id}")
if not FeatureFlagsSettings.get_flag_from_dict(settings.feature_flags, FeatureFlagsEnum.technician_full_access):
continue
if permissions.is_member_technician(guild.get_member(u.discord_id)): if permissions.is_member_technician(guild.get_member(u.discord_id)):
return True return True
@ -216,23 +228,30 @@ class QueryABC(ObjectType):
@ServiceProviderABC.inject @ServiceProviderABC.inject
def _can_user_mutate_data(self, server: Server, permission: UserRoleEnum, services: ServiceProviderABC): def _can_user_mutate_data(self, server: Server, permission: UserRoleEnum, services: ServiceProviderABC):
@ServiceProviderABC.inject
def get_config(config: ConfigurationABC) -> ConfigurationABC:
return config
config = get_config()
permissions: PermissionService = services.get_service(PermissionService) permissions: PermissionService = services.get_service(PermissionService)
bot: DiscordBotServiceABC = services.get_service(DiscordBotServiceABC) bot: DiscordBotServiceABC = services.get_service(DiscordBotServiceABC)
auth_user = Route.get_user() auth_user = Route.get_user()
if auth_user == "system" or auth_user.auth_role == AuthRoleEnum.admin: if auth_user == "system":
return return
member = bot.get_guild(server.discord_id).get_member( member = bot.get_guild(server.discord_id).get_member(
auth_user.users.where(lambda x: x.server.id == server.id).single().discord_id auth_user.users.where(lambda x: x.server.id == server.id).single().discord_id
) )
settings: ServerConfig = config.get_configuration(f"ServerConfig_{member.guild.id}")
technician_full_access_flag = FeatureFlagsSettings.get_flag_from_dict(settings.feature_flags, FeatureFlagsEnum.technician_full_access)
check_perm = lambda x: True check_perm = lambda x: False
match permission: match permission:
case UserRoleEnum.moderator: case UserRoleEnum.moderator:
check_perm = lambda x: permissions.is_member_moderator(x) check_perm = lambda x: technician_full_access_flag and permissions.is_member_technician(x) or permissions.is_member_moderator(x)
case UserRoleEnum.admin: case UserRoleEnum.admin:
check_perm = lambda x: permissions.is_member_admin(x) check_perm = lambda x: technician_full_access_flag and permissions.is_member_technician(x) or permissions.is_member_admin(x)
case UserRoleEnum.technician: case UserRoleEnum.technician:
check_perm = lambda x: permissions.is_member_technician(x) check_perm = lambda x: permissions.is_member_technician(x)
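Review bot: The new config lookup in `_can_user_mutate_data` dereferences `member.guild.id`, but `get_member(...)` returns `None` when the authenticated user is not a cached member of that guild, so the permission check would end in an `AttributeError` rather than a controlled denial. The lookup added inside the `for u in user.users:` loop has the same shape with `guild.id` and `settings.feature_flags`, where one missing guild or config would abort the check for every remaining server. The guild id is already in scope, so `settings: ServerConfig = config.get_configuration(f"ServerConfig_{server.discord_id}")` avoids the dereference, and a `None` member or `settings` should be handled explicitly as flag off and access denied. In the `moderator` and `admin` cases the mixed `and`/`or` relies on operator precedence; writing `(technician_full_access_flag and permissions.is_member_technician(x)) or permissions.is_member_moderator(x)` makes the intended grouping visible in an authorization expression. The body of `_can_user_mutate_data` continues outside the hunk, so how `check_perm` is finally applied is not visible here.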