diff --git a/core/authentication/__init__.py b/core/authentication/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/core/authentication/migrations/0001_initial.py b/core/authentication/migrations/0001_initial.py new file mode 100644 index 0000000..d659962 --- /dev/null +++ b/core/authentication/migrations/0001_initial.py @@ -0,0 +1,67 @@ +# Generated by Django 4.2.7 on 2023-12-11 21:10 + +from django.conf import settings +import django.contrib.auth.models +import django.contrib.auth.validators +from django.db import migrations, models +import django.db.models.deletion +import django.utils.timezone + + +class Migration(migrations.Migration): + + initial = True + + dependencies = [ + ('auth', '0012_alter_user_first_name_max_length'), + ('inventory', '0001_initial'), + ] + + operations = [ + migrations.CreateModel( + name='ExtendedUser', + fields=[ + ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), + ('password', models.CharField(max_length=128, verbose_name='password')), + ('last_login', models.DateTimeField(blank=True, null=True, verbose_name='last login')), + ('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')), + ('username', models.CharField(error_messages={'unique': 'A user with that username already exists.'}, help_text='Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.', max_length=150, unique=True, validators=[django.contrib.auth.validators.UnicodeUsernameValidator()], verbose_name='username')), + ('first_name', models.CharField(blank=True, max_length=150, verbose_name='first name')), + ('last_name', models.CharField(blank=True, max_length=150, verbose_name='last name')), + ('email', models.EmailField(blank=True, max_length=254, verbose_name='email address')), + ('is_staff', models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.', verbose_name='staff status')), + ('is_active', models.BooleanField(default=True, help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')), + ('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')), + ('groups', models.ManyToManyField(blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.', related_name='user_set', related_query_name='user', to='auth.group', verbose_name='groups')), + ], + options={ + 'verbose_name': 'Extended user', + 'verbose_name_plural': 'Extended users', + }, + managers=[ + ('objects', django.contrib.auth.models.UserManager()), + ], + ), + migrations.CreateModel( + name='EventPermission', + fields=[ + ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), + ('event', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='inventory.event')), + ('permission', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='auth.permission')), + ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)), + ], + options={ + 'unique_together': {('user', 'permission', 'event')}, + }, + ), + migrations.AddField( + model_name='extendeduser', + name='permissions', + field=models.ManyToManyField(through='authentication.EventPermission', to='auth.permission'), + ), + migrations.AddField( + model_name='extendeduser', + name='user_permissions', + field=models.ManyToManyField(blank=True, help_text='Specific permissions for this user.', related_name='user_set', related_query_name='user', to='auth.permission', verbose_name='user permissions'), + ), + ] diff --git a/core/authentication/migrations/0002_authtokeneventpermissions_extendedauthtoken_and_more.py b/core/authentication/migrations/0002_authtokeneventpermissions_extendedauthtoken_and_more.py new file mode 100644 index 0000000..383aafd --- /dev/null +++ b/core/authentication/migrations/0002_authtokeneventpermissions_extendedauthtoken_and_more.py @@ -0,0 +1,45 @@ +# Generated by Django 4.2.7 on 2023-12-11 21:11 + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('inventory', '0001_initial'), + ('knox', '0008_remove_authtoken_salt'), + ('authentication', '0001_initial'), + ] + + operations = [ + migrations.CreateModel( + name='AuthTokenEventPermissions', + fields=[ + ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), + ('event', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='inventory.event')), + ('permission', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='authentication.eventpermission')), + ], + ), + migrations.CreateModel( + name='ExtendedAuthToken', + fields=[ + ('authtoken_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='knox.authtoken')), + ('permissions', models.ManyToManyField(through='authentication.AuthTokenEventPermissions', to='authentication.eventpermission')), + ], + options={ + 'verbose_name': 'Extended auth token', + 'verbose_name_plural': 'Extended auth tokens', + }, + bases=('knox.authtoken',), + ), + migrations.AddField( + model_name='authtokeneventpermissions', + name='token', + field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='authentication.extendedauthtoken'), + ), + migrations.AlterUniqueTogether( + name='authtokeneventpermissions', + unique_together={('token', 'permission', 'event')}, + ), + ] diff --git a/core/authentication/migrations/0003_groups.py b/core/authentication/migrations/0003_groups.py new file mode 100644 index 0000000..c8f299d --- /dev/null +++ b/core/authentication/migrations/0003_groups.py @@ -0,0 +1,33 @@ +# Generated by Django 4.2.7 on 2023-11-26 00:16 + +from django.conf import settings +from django.db import migrations +from django.contrib.auth.models import Permission, Group + + +class Migration(migrations.Migration): + + dependencies = [ + migrations.swappable_dependency(settings.AUTH_USER_MODEL), + ('authentication', '0002_authtokeneventpermissions_extendedauthtoken_and_more'), + ('tickets', '0001_initial'), + ] + + def create_groups(apps, schema_editor): + admins = Group.objects.create(name='Admin') + orga = Group.objects.create(name='Orga') + team = Group.objects.create(name='Team') + users = Group.objects.create(name='User') + admins.permissions.add(*Permission.objects.all()) + users.permissions.add(*Permission.objects.filter(codename__in= + ['view_item', 'add_item', 'change_item', 'match_item'])) + team.permissions.add(*Permission.objects.filter(codename__in= + ['delete_item', 'view_issuethread', 'add_issuethread', + 'change_issuethread', 'delete_issuethread', 'send_mail']), + *users.permissions.all()) + orga.permissions.add(*Permission.objects.filter(codename__in=['add_event']), + *team.permissions.all()) + + operations = [ + migrations.RunPython(create_groups), + ] diff --git a/core/authentication/migrations/0004_legacy_user.py b/core/authentication/migrations/0004_legacy_user.py new file mode 100644 index 0000000..1ed0456 --- /dev/null +++ b/core/authentication/migrations/0004_legacy_user.py @@ -0,0 +1,19 @@ +from django.conf import settings +from django.db import migrations + +from authentication.models import ExtendedUser + + +class Migration(migrations.Migration): + dependencies = [ + migrations.swappable_dependency(settings.AUTH_USER_MODEL), + ('authentication', '0003_groups'), + ] + + def create_legacy_user(apps, schema_editor): + ExtendedUser.objects.create_user(settings.LEGACY_USER_NAME, 'mail@' + settings.MAIL_DOMAIN, + settings.LEGACY_USER_PASSWORD) + + operations = [ + migrations.RunPython(create_legacy_user) + ] diff --git a/core/authentication/migrations/0005_alter_eventpermission_event_and_more.py b/core/authentication/migrations/0005_alter_eventpermission_event_and_more.py new file mode 100644 index 0000000..85258af --- /dev/null +++ b/core/authentication/migrations/0005_alter_eventpermission_event_and_more.py @@ -0,0 +1,26 @@ +# Generated by Django 4.2.7 on 2023-12-13 16:28 + +from django.conf import settings +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('inventory', '0001_initial'), + ('authentication', '0004_legacy_user'), + ] + + operations = [ + migrations.AlterField( + model_name='eventpermission', + name='event', + field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='inventory.event'), + ), + migrations.AlterField( + model_name='eventpermission', + name='user', + field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='event_permissions', to=settings.AUTH_USER_MODEL), + ), + ] diff --git a/core/authentication/migrations/__init__.py b/core/authentication/migrations/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/core/authentication/models.py b/core/authentication/models.py new file mode 100644 index 0000000..0de8e6a --- /dev/null +++ b/core/authentication/models.py @@ -0,0 +1,62 @@ +from django.db import models +from django.contrib.auth.models import Permission, AbstractUser +from knox.models import AuthToken + +from inventory.models import Event + + +class ExtendedUser(AbstractUser): + permissions = models.ManyToManyField(Permission, through='EventPermission', through_fields=('user', 'permission')) + + class Meta: + verbose_name = 'Extended user' + verbose_name_plural = 'Extended users' + + def get_permissions(self): + if self.is_superuser: + for permission in Permission.objects.all(): + yield "*:" + permission.codename + for permission in self.user_permissions.all(): + yield "*:" + permission.codename + for group in self.groups.all(): + for permission in group.permissions.all(): + yield "*:" + permission.codename + for permission in self.event_permissions.all(): + yield permission.event.slug + ":" + permission.permission.codename + + def has_event_perm(self, event, permission): + if self.is_superuser: + return True + permissions = set(self.get_permissions()) + if "*:" + permission in permissions: + return True + if event.slug + ":" + permission in permissions: + return True + return False + + +class ExtendedAuthToken(AuthToken): + permissions = models.ManyToManyField('EventPermission', through='AuthTokenEventPermissions', + through_fields=('token', 'permission')) + + class Meta: + verbose_name = 'Extended auth token' + verbose_name_plural = 'Extended auth tokens' + + +class EventPermission(models.Model): + user = models.ForeignKey(ExtendedUser, on_delete=models.CASCADE, related_name='event_permissions') + permission = models.ForeignKey(Permission, on_delete=models.CASCADE) + event = models.ForeignKey(Event, on_delete=models.CASCADE, null=True, blank=True) + + class Meta: + unique_together = ('user', 'permission', 'event') + + +class AuthTokenEventPermissions(models.Model): + token = models.ForeignKey(ExtendedAuthToken, on_delete=models.CASCADE) + permission = models.ForeignKey(EventPermission, on_delete=models.CASCADE) + event = models.ForeignKey(Event, on_delete=models.CASCADE) + + class Meta: + unique_together = ('token', 'permission', 'event')