in src/services/rbac_service.py [0:0]
def resolve_payload(self, permission: Permission) -> TenantsAccessPayload:
"""
Builds TenantsAccessPayload for the given permission considering all
the policies. Then this payload can be used inside handlers
:return:
"""
if not permission.depends_on_tenant:
# you should not need this payload for handlers that do not
# depend on tenants. So I even not try to resolve
return TenantsAccessPayload.build_denying_all()
names, flag = set(), True # starting state, allowed for no-one
for policy in self._allow_policies:
if not policy.touches(permission):
continue
# does touch
if policy.contains_all_tenants:
flag = False
names.clear()
else: # todo can be optimized slightly
if flag:
names.update(policy.tenants)
else:
names.difference_update(policy.tenants)
for policy in self._deny_policies:
if not policy.touches(permission):
continue
# does touch
if policy.contains_all_tenants:
flag = True
names.clear()
else: # todo can be optimized slightly
if flag:
names.difference_update(policy.tenants)
else:
names.update(policy.tenants)
return TenantsAccessPayload(tuple(names), flag)