1111from qwc_services_core .auth import auth_manager , optional_auth , get_identity , get_username
1212from qwc_services_core .api import CaseInsensitiveArgument
1313from qwc_services_core .database import DatabaseEngine
14+ from qwc_services_core .permissions_reader import PermissionsReader
1415from qwc_services_core .tenant_handler import (
1516 TenantHandler , TenantPrefixMiddleware , TenantSessionInterface )
1617from qwc_services_core .runtime_config import RuntimeConfig
4142# request parser
4243createpermalink_parser = reqparse .RequestParser (argument_class = CaseInsensitiveArgument )
4344createpermalink_parser .add_argument ('url' , required = False )
45+ createpermalink_parser .add_argument ('permitted_group' , required = False )
4446
4547resolvepermalink_parser = reqparse .RequestParser (argument_class = CaseInsensitiveArgument )
4648resolvepermalink_parser .add_argument ('key' , required = True )
@@ -75,6 +77,7 @@ class CreatePermalink(Resource):
7577
7678 @api .doc ('createpermalink' )
7779 @api .param ('url' , 'The URL for which to generate a permalink' , 'query' )
80+ @api .param ('permitted_group' , 'Optional, group to which to restrict the permalink' , 'query' )
7881 @api .param ('payload' , 'A json document with the state to store in the permalink' , 'body' )
7982 @api .expect (createpermalink_parser )
8083 @optional_auth
@@ -102,6 +105,7 @@ def post(self):
102105 "query" : query ,
103106 "state" : state
104107 }
108+ permitted_group = args .get ('permitted_group' , None )
105109
106110 # Insert into databse
107111 db_engine , users_table , permalinks_table , user_permalink_table , user_bookmark_table = db_conn ()
@@ -114,15 +118,15 @@ def post(self):
114118 expires = (datetime .date .today () + delta ).strftime (r"%Y-%m-%d" )
115119
116120 sql = sql_text ("""
117- INSERT INTO {table} (key, data, date, expires)
118- VALUES (:key, :data, :date, :expires)
121+ INSERT INTO {table} (key, data, date, expires, permitted_group )
122+ VALUES (:key, :data, :date, :expires, :permitted_group )
119123 """ .format (table = permalinks_table ))
120124
121125 attempts = 0
122126 while attempts < 100 :
123127 try :
124128 with db_engine .begin () as connection :
125- connection .execute (sql , {"key" : hexdigest , "data" : datastr , "date" : date , "expires" : expires })
129+ connection .execute (sql , {"key" : hexdigest , "data" : datastr , "date" : date , "expires" : expires , "permitted_group" : permitted_group })
126130 break
127131 except :
128132 pass
@@ -158,17 +162,29 @@ def get(self):
158162 args = resolvepermalink_parser .parse_args ()
159163 key = args ['key' ]
160164 data = {}
165+ permitted_group = None
161166 db_engine , users_table , permalinks_table , user_permalink_table , user_bookmark_table = db_conn ()
162167 sql = sql_text ("""
163- SELECT data
168+ SELECT data, permitted_group
164169 FROM {table}
165170 WHERE key = :key AND (expires IS NULL OR expires >= CURRENT_DATE)
166171 """ .format (table = permalinks_table ))
167172 try :
168173 with db_engine .connect () as connection :
169- data = json .loads (connection .execute (sql , {"key" : key }).mappings ().first ()["data" ])
174+ result = connection .execute (sql , {"key" : key }).mappings ().first ()
175+ data = json .loads (result ["data" ])
176+ permitted_group = result ["permitted_group" ]
170177 except :
171178 pass
179+ if permitted_group :
180+ app .logger .debug ("Permalink %s is restricted to group %s" % (key , permitted_group ))
181+ username = get_username (get_identity ())
182+ tenant = tenant_handler .tenant ()
183+ reader = PermissionsReader (tenant , app .logger )
184+ groups = reader .permissions ['user_groups' ].get (username , [])
185+ if permitted_group not in groups :
186+ app .logger .debug ("User %s is not in group %s, returning empty response" % (username , permitted_group ))
187+ return jsonify ({})
172188 return jsonify (data )
173189
174190
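Review bot: The restriction check at `if permitted_group:` treats an empty string as "unrestricted", while the post() hunk stores `args.get('permitted_group', None)` verbatim, so a request sent with an empty `permitted_group=` parameter produces a row that is not NULL yet grants access to everyone; normalizing at insert time with `permitted_group = args.get('permitted_group') or None` keeps NULL as the single "no restriction" value. The two new debug lines format eagerly with `%`; `app.logger.debug("Permalink %s is restricted to group %s", key, permitted_group)` lets the logger defer formatting and avoids building the string when debug is off. `reader.permissions['user_groups']` is outside the try/except, so a missing key would surface as a 500 rather than the empty response the branch otherwise returns — PermissionsReader is not visible here, so `reader.permissions.get('user_groups', {}).get(username, [])` is only worth it if that key is not guaranteed per tenant. The body of get() begins before this hunk.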