Project

Profile

Help

Story #9613

As a developer, I can make permission object filtering chainable

Added by bmbouter about 2 months ago. Updated 11 days ago.

Status:
CLOSED - DUPLICATE
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

Ticket moved to GitHub: "pulp/pulpcore/2066":https://github.com/pulp/pulpcore/issues/2066


Motivation

As a developer with the new Roles facilities in pulpcore==3.17, you likely will want to filter by permissions with something like this example taken from this PR.

current_user = get_current_authenticated_user()
qs = Task.objects.filter(finished_at__lt=finished_before, state__in=states)
units_deleted, details = get_objects_for_user(current_user, "core.delete_task", qs=qs).delete()

As you can see, this needs to determine who the current user is, and you can't build the queryset in one go by using chaining.

Proposal

Introduce a with_perm chainable call on all querysets for Pulp objects. It could be used like this:

  • qs.with_perm("core.task_delete")
  • qs.with_perm("core.task_delete", "core.task_view")
  • qs.with_perms(["core.task_delete", "core.task_view"])
  • qs.with_perm("core.task_delete").with_perm( "core.task_view")

Related issues

Blocks Pulp - Story #9614: As a developer, I can mark a Model as RBAC enabled and have exceptions raised for any quersets that don't use `with_perm`CLOSED - DUPLICATE

<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>

History

#1 Updated by bmbouter about 2 months ago

  • Related to Story #9614: As a developer, I can mark a Model as RBAC enabled and have exceptions raised for any quersets that don't use `with_perm` added

#2 Updated by bmbouter about 2 months ago

  • Related to deleted (Story #9614: As a developer, I can mark a Model as RBAC enabled and have exceptions raised for any quersets that don't use `with_perm`)

#3 Updated by bmbouter about 2 months ago

  • Blocks Story #9614: As a developer, I can mark a Model as RBAC enabled and have exceptions raised for any quersets that don't use `with_perm` added

#4 Updated by gerrod about 2 months ago

I think it should be mentioned that with_perms will probably call get_authenticated_user implicitly for the permission check. In that case we should probably create our own custom version that can be ran in tasks outside of a django view. Or we would need to make a rule to do all queryset permission checks inside a view before handing off to a task.

#5 Updated by mdellweg about 2 months ago

If we want to allow both of these syntaxes, we should specify, whether one or all of the permissions are needed: qs.with_perm("core.task_delete", "core.task_view") qs.with_perms(["core.task_delete", "core.task_view"])

#6 Updated by fao89 11 days ago

  • Description updated (diff)
  • Status changed from NEW to CLOSED - DUPLICATE

Also available in: Atom PDF