Inconsistent ACL Permission on Pyramid/Websauna


I'm troubleshooting the is_visible method on Websauna since it is not working properly (at least for me). The file can be found here.

The issue is that the ACL context appears to change suddenly from what is shown a line above. Here is the method laced with print logs.

def is_visible(self, context: Resource, request: Request) -> bool:
    """Determine if we should render this button.

    :param context: Traversal context
    :param request: Current HTTP Request.
    :returns: Boolean indicating if button is visible or not.
    """
    visible = True
    if self.permission is not None:
        print(context, '&' , self.permission)
        print('******CONTEXT & PERMISSION')
        print(context.__acl__)
        print('******+++++++CONTEXT ACL')
        print(request.has_permission(self.permission, context))
        print('-------------HAS PERMISSION EVAL')
        if not request.has_permission(self.permission, context):
            visible = False

    if self.feature is not None:
        if self.feature not in request.registry.features:
            visible = False

    return visible

Here is the log showing how the context shows different values from the ones has_permission() refers to when it denies access.


The first two lines in the log below show the call to resolve_custom_principals, which is a copy of resolve_principals but extended with my own ACEs like (Allow, "mygroup:admin", "add")...

Reading the log, the context a line above has the correct ACL including the custom ACEs. Why is the Pyramid ACL using a different context when checking the permission on the next line, which in this case returns ACLDenied?

[11:13:01] [websauna.myaddon.auth.principals resolve_custom_principals] ['system.Authenticated', 'user:74', 'mygroup:admin', 'mygroup:manager', 'team_member:1']
[11:13:01] [websauna.myaddon.auth.principals resolve_custom_principals] ['system.Authenticated', 'user:74', 'mygroup:admin', 'mygroup:manager', 'team_member:1']
<websauna.myaddon.crud.org.OrgResource object at 0x7fa021f883c8> & add
******CONTEXT & PERMISSION
[('Allow', 'mygroup:admin', 'add'), ('Allow', 'mygroup:manager', 'add'), ('Allow', 'mygroup:senior', 'add'), ('Allow', 'mygroup:assistant', 'add'), ('Deny', 'mygroup:legcle', 'add'), ('Deny', 'mygroup:clerk', 'add'), ('Deny', 'mygroup:intern', 'add'), ('Allow', 'mygroup:admin', 'edit'), ('Allow', 'mygroup:manager', 'edit')]
******+++++++CONTEXT ACL
ACLDenied permission 'add' via ACE '<default deny>' in ACL [('Allow', 'system.Authenticated', 'authenticated'), ('Allow', 'superuser:superuser', 'shell'), ('Allow', 'system.Everyone', 'view')] on context <websauna.myaddon.crud.org.OrgResource object at 0x7fa021f883c8> for principals ['system.Everyone', 'system.Authenticated', 74, 'system.Authenticated', 'user:74']
-------------HAS PERMISSION EVAL
<websauna.myaddon.crud.org.OrgResource object at 0x7fa021f883c8> & add
******CONTEXT & PERMISSION
[('Allow', 'mygroup:admin', 'add'), ('Allow', 'mygroup:manager', 'add'), ('Allow', 'mygroup:senior', 'add'), ('Allow', 'mygroup:assistant', 'add'), ('Deny', 'mygroup:legcle', 'add'), ('Deny', 'mygroup:clerk', 'add'), ('Deny', 'mygroup:intern', 'add'), ('Allow', 'mygroup:admin', 'edit'), ('Allow', 'mygroup:manager', 'edit')]
******+++++++CONTEXT ACL
ACLDenied permission 'add' via ACE '<default deny>' in ACL [('Allow', 'system.Authenticated', 'authenticated'), ('Allow', 'superuser:superuser', 'shell'), ('Allow', 'system.Everyone', 'view')] on context <websauna.myaddon.crud.org.OrgResource object at 0x7fa021f883c8> for principals ['system.Everyone', 'system.Authenticated', 74, 'system.Authenticated', 'user:74']
-------------HAS PERMISSION EVAL
[11:13:01] [websauna.system.core.session create_session] Skipped session creation for http://localhost:6543/websauna-static/bootstrap.min.css

Please let me know if you need more info or how I can make the question clearer.

UPDATE 1: The is_visible function is called in the view template to determine which button to render. In my case, it is not showing the buttons yet permissions are set in the context.

<div id="crud-page-buttons" class="header-resources">
    {% for button in resource_buttons %}
        {% if button.is_visible(context, request) %}
            {{ button.render(context, request)|safe }}
        {% endif %}
    {% endfor %}
</div>

UPDATE 2:
I'm using:
Pyramid 1.10.4
Websauna 1.0a13

1 answer

Michael Merickel

I suspect websauna is not invoking your resolve_custom_principals function and is rather using its default resolve_principals function? I think it's pretty clear that the principals pulled in when has_permission is invoked are not the ones from your resolve_custom_principals function, and thus something is not connected up correctly with this override.
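To make the answer's point concrete against the log above, here is an added example (not from the question, and not Pyramid's or Websauna's own code) that re-implements, in plain Python, the lineage walk that Pyramid's ACL authorization performs as I understand it: it walks from the context up to the root, the first ACE whose principal is in the effective principals wins, and when nothing matches it reports a default deny carrying the last ACL examined, which is the root's. The root/OrgResource objects are constructed stand-ins; the ACLs and both principal lists are copied from the log. It shows that the "inconsistent" ACL in the ACLDenied message is just the root's ACL being reported on default deny, and that the custom group principals would have matched the OrgResource ACE if they had reached has_permission().

```python
from typing import Iterable, List, Optional, Tuple

Allow, Deny = "Allow", "Deny"
ACE = Tuple[str, str, str]


class Node:
    """Minimal stand-in for a traversal resource (constructed, not Websauna's)."""

    def __init__(self, name: str, acl: List[ACE], parent: Optional["Node"] = None):
        self.__name__, self.__acl__, self.__parent__ = name, acl, parent


def lineage(node: Node) -> Iterable[Node]:
    """Yield the node, then its parent, ... up to the root."""
    while node is not None:
        yield node
        node = node.__parent__


def permits(context: Node, principals: List, permission: str) -> dict:
    """First matching ACE in the lineage wins; otherwise default deny.
    On default deny the *last* ACL examined (the root's) is reported,
    together with the original context, which matches the question's log."""
    acl = "<No ACL found on any object in resource lineage>"
    for location in lineage(context):
        acl = location.__acl__
        for ace in acl:
            action, principal, perms = ace
            perms = perms if isinstance(perms, (list, tuple)) else [perms]
            if principal in principals and permission in perms:
                return {"allowed": action == Allow, "ace": ace, "acl": acl,
                        "location": location.__name__}
    return {"allowed": False, "ace": "<default deny>", "acl": acl,
            "location": context.__name__}


# ACLs as they appear in the log: the root's and OrgResource's (shortened).
ROOT_ACL = [(Allow, "system.Authenticated", "authenticated"),
            (Allow, "superuser:superuser", "shell"),
            (Allow, "system.Everyone", "view")]
ORG_ACL = [(Allow, "mygroup:admin", "add"), (Allow, "mygroup:manager", "add"),
           (Deny, "mygroup:intern", "add"), (Allow, "mygroup:admin", "edit")]
root = Node("root", ROOT_ACL)
org = Node("OrgResource", ORG_ACL, parent=root)

# Principals exactly as has_permission() reported them in the log ...
EFFECTIVE = ["system.Everyone", "system.Authenticated", 74, "system.Authenticated", "user:74"]
# ... and as resolve_custom_principals logged them.
CUSTOM = ["system.Authenticated", "user:74", "mygroup:admin", "mygroup:manager", "team_member:1"]


def check(principals: List) -> dict:
    return permits(org, principals, "add")
```

Running check(EFFECTIVE) yields a default deny that reports ROOT_ACL on context OrgResource, exactly like the log line; check(CUSTOM) is allowed via ('Allow', 'mygroup:admin', 'add'), so the missing piece is the principal resolver wiring, not the context's ACL.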