in modular_api/web_service/iam.py [0:0]
def filter_meta_by_deny_priority(policy: list, all_meta: dict) -> dict:
    """
    Return a copy of ``all_meta`` with every entry the policy denies removed.

    Permissions are evaluated top-down by "Deny" rules:
    1. Check if module allowed
    2. Check if command in module allowed
    3. Check if group allowed
    4. Check if command in group allowed
    5. Check if subgroup allowed
    6. Check if command in subgroup allowed

    Behaviour worth knowing when reviewing access-control changes:

    * ``all_meta`` is never mutated; deletions are applied to a deep copy.
    * A denied module, group or subgroup is removed together with its
      whole subtree, and its children are not evaluated individually.
    * An entry is handled as a group only when its ``'type'`` equals
      ``'group'``; any other entry is checked as a command.
    * Entries inside a subgroup are always checked as commands, whatever
      their ``'type'`` is, so deeper nesting is kept or dropped as a whole.
    * A container whose children were all removed stays in the result as
      an empty ``'body'``.

    NOTE(review): this only prunes the metadata that is returned; confirm
    that the command execution path checks permissions independently and
    does not rely on this filtered view.

    :param policy: policy passed unchanged to ``check_permission``
    :param all_meta: mapping of module name to module metadata; every
        permitted module, group and subgroup must carry a ``'body'`` mapping
    :return: the filtered deep copy of ``all_meta``
    :raises KeyError: if a permitted module, group or subgroup has no
        ``'body'`` key
    """
    body_key = 'body'
    user_commands = copy.deepcopy(all_meta)

    for module, module_content in all_meta.items():
        if not check_permission(policy=policy, module=module):
            del user_commands[module]
            continue

        module_body = module_content[body_key]
        # Same object as user_commands[module]['body']; deletions below
        # therefore land in the copy, never in all_meta.
        visible_module = user_commands[module][body_key]

        for item, item_content in module_body.items():
            item_is_group = item_content.get('type') == 'group'
            if not item_is_group:
                # Module-level command.
                if not check_permission(
                        policy=policy, module=module, command=item):
                    del visible_module[item]
                continue

            group = item
            if not check_permission(
                    policy=policy, module=module, group=group):
                del visible_module[group]
                continue

            group_body = item_content[body_key]
            visible_group = visible_module[group][body_key]

            for group_item, group_content in group_body.items():
                nested_is_group = group_content.get('type') == 'group'
                if not nested_is_group:
                    # Command that sits directly in the group.
                    if not check_permission(
                            policy=policy, module=module, group=group,
                            command=group_item):
                        del visible_group[group_item]
                    continue

                subgroup = group_item
                if not check_permission(
                        policy=policy, module=module,
                        group=group, subgroup=subgroup):
                    del visible_group[subgroup]
                    continue

                subgroup_body = group_content[body_key]
                visible_subgroup = visible_group[subgroup][body_key]

                # No type check at this depth: every entry is a command.
                for cmd in subgroup_body:
                    if not check_permission(
                            policy=policy, module=module,
                            group=group, subgroup=subgroup, command=cmd):
                        del visible_subgroup[cmd]

    return user_commands