
Added permissions checking
benjackwhite committed Mar 18, 2024
1 parent ee741c5 commit e85484a
Showing 2 changed files with 20 additions and 2 deletions.
1 change: 1 addition & 0 deletions ee/rbac/test/test_user_access_control.py
Expand Up @@ -27,6 +27,7 @@ def setUp(self):
super().setUp()
self.organization.available_features = [
AvailableFeature.PROJECT_BASED_PERMISSIONING,
AvailableFeature.ROLE_BASED_ACCESS,
]
self.organization.save()

Expand Down
21 changes: 19 additions & 2 deletions ee/rbac/user_access_control.py
Expand Up @@ -5,6 +5,7 @@
from typing import List, Optional

from ee.models.rbac.access_control import AccessControl
from posthog.constants import AvailableFeature
from posthog.models import (
Organization,
OrganizationMembership,
Expand Down Expand Up @@ -32,7 +33,7 @@ def access_level_satisfied(resource: APIScopeObject, current_level: str, require


class UserAccessControl:
def __init__(self, user: User, organization: Optional[Organization] = None, team: Optional[Team] = None):
def __init__(self, user: User, organization: Organization, team: Optional[Team] = None):
self._user = user
self._team = team
self._organization = organization
Expand All @@ -41,14 +42,27 @@ def __init__(self, user: User, organization: Optional[Organization] = None, team
def _organization_membership(self, organization: Organization) -> Optional[OrganizationMembership]:
return OrganizationMembership.objects.get(organization=organization, user=self.user)

@property
def _rbac_supported(self) -> bool:
return self._organization.is_feature_available(AvailableFeature.ROLE_BASED_ACCESS)

@property
def _access_controls_supported(self) -> bool:
# NOTE: This is a proxy feature. We may want to consider making it explicit later
# ADVANCED_PERMISSIONS was only for dashboard collaborators, PROJECT_BASED_PERMISSIONING for project permissions
# both now apply to this generic access control
return self._organization.is_feature_available(
AvailableFeature.PROJECT_BASED_PERMISSIONING
) or self._organization.is_feature_available(AvailableFeature.ADVANCED_PERMISSIONS)

# @cached_property
def _access_controls_for_object(self, resource: APIScopeObject, resource_id: str) -> List[AccessControl]:
"""
Used when checking an individual object - gets all access controls for the object and its type
"""
# TODO: Make this more efficient
role_memberships = self._user.role_memberships.select_related("role").all()
role_ids = [membership.role.id for membership in role_memberships]
role_ids = [membership.role.id for membership in role_memberships] if self._rbac_supported else []

# TODO: Need to determine if there exists any ACs for the resource to determine if we should return None or not
return AccessControl.objects.filter(
Expand Down Expand Up @@ -77,6 +91,9 @@ def access_control_for_object(self, resource: APIScopeObject, resource_id: str)

# TODO: Override this based on your Org membership level

if not self._access_controls_supported:
return None

access_controls = self._access_controls_for_object(resource, resource_id)
if not access_controls:
return
Expand Down
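Review bot: The gate added before `access_controls = self._access_controls_for_object(resource, resource_id)` in `access_control_for_object` returns `None` for an organization without the feature, which is the same value the later bare `return` yields when no access controls exist, so a caller cannot tell "feature not licensed, skip object-level checks" from "no explicit control configured" — and the TODO just above the gate already questions what `None` should mean. A comment on the gate such as `# Unlicensed org: no object-level access control applies; callers must fall back to membership-level checks` would pin that contract, and the bare `return` below it should become `return None` for consistency. The new `_rbac_supported` and `_access_controls_supported` properties dereference `self._organization` unconditionally, so any caller still relying on the removed `organization=None` default would now raise AttributeError at its first permission check rather than get a result; that is worth confirming against callers outside this diff. In `_access_controls_for_object` the `role_memberships` queryset is still built before the `if self._rbac_supported` test; the comprehension is what evaluates it, so no query is issued when RBAC is off, but moving the `select_related("role")` line under the condition would make the gate's intent obvious. `access_control_for_object` starts before this hunk and continues past it.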
