in modular_api/web_service/iam.py [0:0]
def check_permission(policy: list, module: str, command=None, group=None,
                     subgroup=None, atype: str = 'default') -> bool:
    """
    Decide whether the requested module/group/subgroup/command is permitted.

    Evaluation order:
    1. "Deny" rules are checked first; any match returns False.
    2. "Allow" rules are checked only if nothing was denied.

    :param policy: raw policy, split into DENY and ALLOW entries by
        ``policy_sort``
    :param module: module name; an ``@`` separator is appended before matching
    :param command: command name, or None
    :param group: group name, or None
    :param subgroup: subgroup name, or None
    :param atype: key selecting which allow-side verifier to run
    :return: True when access is granted, False when a deny rule matched
        (or whatever the selected verifier returns)
    """
    sorted_policy = policy_sort(policy)
    scope = f'{module}@'

    denied = sorted_policy[DENY]
    allowed = sorted_policy[ALLOW]

    # ===== check DENIED =====
    # A deny entry starting with the global wildcard blocks everything.
    if any(rule.startswith('/*@') for rule in denied):
        return False

    # Exact-match deny entries, from the whole module down to one command.
    # Arguments left as None are formatted as the literal text "None", so
    # those patterns only match a rule that contains that text.
    deny_patterns = (
        f'{scope}*',
        f'{scope}{command}',
        f'{scope}{group}:*',
        f'{scope}{group}:{command}',
        f'{scope}{group}/{subgroup}:*',
        f'{scope}{group}/{subgroup}:{command}',
    )
    if any(pattern in denied for pattern in deny_patterns):
        return False

    # ====== check ALLOWED =====
    # An allow entry starting with the global wildcard grants everything
    # that was not denied above.
    if any(rule.startswith('/*@') for rule in allowed):
        return True

    allow_map = {
        "entire_module": check_entire_module,
        "module": check_module_present,
        "entire_group": check_entire_group,
        "group": check_in_group,
        "entire_subgroup": check_entire_subgroup,
        "subgroup": check_in_subgroup,
        "root_command": check_root_command,
        "group_command": check_group_command,
        "subgroup_command": check_subgroup_command
    }
    verifier = allow_map.get(atype)
    if not verifier:
        # NOTE(review): fail-open path. An ``atype`` that is not a key of
        # ``allow_map`` -- including the default 'default' -- grants access
        # without consulting the allow list at all. Confirm every caller
        # relies on this deliberately; a misspelled ``atype`` would silently
        # skip the allow check. A default-deny fallback would be safer if
        # no caller depends on the current result.
        return True
    return verifier(allowed, scope, command, group, subgroup)