Implement advanced permissions (#661)

Author: Dreamsorcerer

admin-js/src/App.js

@@ -6,8 +6,11 @@ import {
     NumberField, NumberInput,
     ReferenceField, ReferenceInput,
     ReferenceManyField,
-    TextField, TextInput
+    SelectInput,
+    TextField, TextInput,
+    WithRecord, required
 } from "react-admin";
+import VisibilityOffIcon from "@mui/icons-material/VisibilityOff";
 
 const _body = document.querySelector("body");
 const STATE = JSON.parse(_body.dataset.state);
@@ -94,33 +97,64 @@ function createFields(resource, name, permissions, display_only=false) {
         if ((display_only && !resource["display"].includes(field))
             || !hasPermission(`${name}.${field}.view`, permissions))
             continue;
+
         const C = COMPONENTS[state["type"]];
         if (C === undefined)
             throw Error(`Unknown component '${state["type"]}'`);
 
+        let c;
         if (state["props"]["children"]) {
             let child_fields = createFields({"fields": state["props"]["children"],
                                              "display": Object.keys(state["props"]["children"])},
                                             name, permissions);
             delete state["props"]["children"];
-            components.push(<C source={field} {...state["props"]}><Datagrid>{child_fields}</Datagrid></C>);
+            c = <C source={field} {...state["props"]}><Datagrid>{child_fields}</Datagrid></C>;
         } else {
-            components.push(<C source={field} {...state["props"]} />);
+            c = <C source={field} {...state["props"]} />;
         }
+        // Show icon if user doesn't have permission to view this field (based on filters).
+        components.push(<WithRecord label={state["props"]["label"] || field} render={
+            (record) => hasPermission(`${name}.${field}.view`, permissions, record) ? c : <VisibilityOffIcon />
+        } />);
     }
     return components;
 }
 
-function createInputs(resource, name, perm_type, permissions, create=false) {
+function createInputs(resource, name, perm_type, permissions) {
     let components = [];
+    const resource_filters = getFilters(name, perm_type, permissions);
     for (const [field, state] of Object.entries(resource["inputs"])) {
-        if ((create && !state["show_create"])
+        if ((perm_type === "add" && !state["show_create"])
             || !hasPermission(`${name}.${field}.${perm_type}`, permissions))
             continue;
-        const C = COMPONENTS[state["type"]];
-        if (C === undefined)
-            throw Error(`Unknown component '${state["type"]}'`);
-        components.push(<C source={field} {...state["props"]} />);
+
+        const fvalues = resource_filters[field];
+        if (fvalues !== undefined) {
+            // If there are filters for the resource-level permission which depend on
+            // this field, then restrict the input options to the allowed values.
+            const disabled = fvalues.length <= 1;
+            const nullable = fvalues.indexOf(null);
+            if (nullable > -1)
+                fvalues.splice(nullable, 1);
+            let choices = [];
+            for (let v of fvalues)
+                choices.push({"id": v, "name": v});
+            components.push(
+                <SelectInput source={field} choices={choices} defaultValue={nullable < 0 && fvalues[0]}
+                    validate={nullable < 0 && required()} disabled={disabled} />);
+        } else {
+            const C = COMPONENTS[state["type"]];
+            if (C === undefined)
+                throw Error(`Unknown component '${state["type"]}'`);
+            const c = <C source={field} {...state["props"]} />;
+            if (perm_type === "edit")
+                // Don't render if filters disallow editing this field.
+                components.push(<WithRecord render={
+                    (record) => hasPermission(`${name}.${field}.${perm_type}`, permissions, record) && c
+                } />);
+            else
+                components.push(c);
+        }
     }
     return components;
 }
@@ -129,7 +163,7 @@ const AiohttpList = (resource, name, permissions) => (
     <List filters={createInputs(resource, name, "view", permissions)}>
         <Datagrid rowClick="show">
             {createFields(resource, name, permissions, true)}
-            {hasPermission(`${name}.edit`, permissions) && <EditButton />}
+            <WithRecord render={(record) => hasPermission(`${name}.edit`, permissions, record) && <EditButton />} />
         </Datagrid>
     </List>
 );
@@ -153,35 +187,54 @@ const AiohttpEdit = (resource, name, permissions) => (
 const AiohttpCreate = (resource, name, permissions) => (
     <Create>
         <SimpleForm>
-            {createInputs(resource, name, "add", permissions, true)}
+            {createInputs(resource, name, "add", permissions)}
         </SimpleForm>
     </Create>
 );
 
-function hasPermission(p, permissions) {
+/** Return any filters for a given permission. */
+function getFilters(name, perm_type, permissions) {
+    let filters = permissions[`admin.${name}.${perm_type}`];
+    if (filters !== undefined)
+        return filters;
+    filters = permissions[`admin.${name}.*`];
+    return filters || {};
+}
+
+/** Return true if a user has the given permission.
+
+A record can be passed as the context parameter in order to check permission filters
+against the current record.
+*/
+function hasPermission(p, permissions, context=null) {
     const parts = ["admin", ...p.split(".")];
     const type = parts.pop();
 
     // Negative permissions.
-    for (let i=1; i < parts.length+1; ++i) {
-        let perm = [...parts.slice(0, i), type].join(".");
-        if (permissions["~" + perm] !== undefined)
-            return false;
-
-        let wildcard = [...parts.slice(0, i), "*"].join(".");
-        if (permissions["~" + wildcard] !== undefined)
-            return false;
+    for (let i=parts.length; i > 0; --i) {
+        for (let t of [type, "*"]) {
+            let perm = [...parts.slice(0, i), t].join(".");
+            if (permissions["~" + perm] !== undefined)
+                return false;
+        }
     }
 
     // Positive permissions.
-    for (let i=1; i < parts.length+1; ++i) {
-        let perm = [...parts.slice(0, i), type].join(".");
-        if (permissions[perm] !== undefined)
-            return true;
-
-        let wildcard = [...parts.slice(0, i), "*"].join(".");
-        if (permissions[wildcard] !== undefined)
-            return true;
+    for (let i=parts.length; i > 0; --i) {
+        for (let t of [type, "*"]) {
+            let perm = [...parts.slice(0, i), t].join(".");
+            if (permissions[perm] !== undefined) {
+                if (!context)
+                    return true;
+
+                let filters = permissions[perm];
+                for (let attr of Object.keys(filters)) {
+                    if (!filters[attr].includes(context[attr]))
+                        return false;
+                }
+                return true;
+            }
+        }
     }
     return false;
 }

aiohttp_admin/__init__.py

@@ -5,15 +5,14 @@
 import aiohttp_session
 from aiohttp import web
 from aiohttp.typedefs import Handler
-from aiohttp_security import AbstractAuthorizationPolicy
 from aiohttp_session.cookie_storage import EncryptedCookieStorage
 from pydantic import ValidationError, parse_obj_as
 
 from .routes import setup_resources, setup_routes
-from .security import Permissions, TokenIdentityPolicy, has_permission
+from .security import AdminAuthorizationPolicy, Permissions, TokenIdentityPolicy
 from .types import Schema, UserDetails
 
-__all__ = ("Permissions", "Schema", "UserDetails", "has_permission", "setup")
+__all__ = ("Permissions", "Schema", "UserDetails", "setup")
 __version__ = "0.1.0a0"
 
 
@@ -25,8 +24,8 @@ async def pydantic_middleware(request: web.Request, handler: Handler) -> web.Str
         raise web.HTTPBadRequest(text=e.json(), content_type="application/json")
 
 
-def setup(app: web.Application, schema: Schema, auth_policy: AbstractAuthorizationPolicy,  # type: ignore[no-any-unimported] # noqa: B950
-          *, path: str = "/admin", secret: Optional[bytes] = None) -> web.Application:
+def setup(app: web.Application, schema: Schema, *, path: str = "/admin",
+          secret: Optional[bytes] = None) -> web.Application:
     """Initialize the admin.
 
     Args:
@@ -75,6 +74,7 @@ def value(r: web.RouteDef) -> tuple[str, str]:
     admin.middlewares.append(pydantic_middleware)
     admin.on_startup.append(on_startup)
     admin["check_credentials"] = schema["security"]["check_credentials"]
+    admin["identity_callback"] = schema["security"].get("identity_callback")
     admin["state"] = {"view": schema.get("view", {})}
 
     max_age = schema["security"].get("max_age")
@@ -83,7 +83,7 @@ def value(r: web.RouteDef) -> tuple[str, str]:
         secret, max_age=max_age, httponly=True, samesite="Strict", secure=secure)
     identity_policy = TokenIdentityPolicy(storage._fernet, schema)
     aiohttp_session.setup(admin, storage)
-    aiohttp_security.setup(admin, identity_policy, auth_policy)
+    aiohttp_security.setup(admin, identity_policy, AdminAuthorizationPolicy(schema))
 
     setup_routes(admin)
     setup_resources(admin, schema)

aiohttp_admin/backends/abc.py

@@ -1,14 +1,18 @@
+import asyncio
 import json
 from abc import ABC, abstractmethod
 from datetime import datetime
 from enum import Enum
 from functools import cached_property, partial
-from typing import Any, Literal, TypedDict, Union
+from typing import Any, Literal, Optional, TypedDict, Union
 
 from aiohttp import web
-from aiohttp_security import check_permission, permits
+from aiohttp_security import authorized_userid, check_permission, permits
 from pydantic import Json, parse_obj_as
 
+from ..security import permissions_as_dict
+from ..types import FieldState, InputState
+
 Record = dict[str, object]
 
 
@@ -25,16 +29,6 @@ def default(self, o: object) -> Any:
 json_response = partial(web.json_response, dumps=partial(json.dumps, cls=Encoder))
 
 
-class FieldState(TypedDict):
-    type: str
-    props: dict[str, object]
-
-
-class InputState(FieldState):
-    # Whether to show this input in the create form.
-    show_create: bool
-
-
 class _Pagination(TypedDict):
     page: int
     perPage: int
@@ -89,10 +83,11 @@ class AbstractAdminResource(ABC):
     repr_field: str
 
     async def filter_by_permissions(self, request: web.Request, perm_type: str,
-                                    record: Record) -> Record:
+                                    record: Record, original: Optional[Record] = None) -> Record:
         """Return a filtered record containing permissible fields only."""
         return {k: v for k, v in record.items()
-                if await permits(request, f"admin.{self.name}.{k}.{perm_type}")}
+                if await permits(request, f"admin.{self.name}.{k}.{perm_type}",
+                                 context=original or record)}
 
     @abstractmethod
     async def get_list(self, params: GetListParams) -> tuple[list[Record], int]:
@@ -128,15 +123,29 @@ async def _get_list(self, request: web.Request) -> web.Response:
         await check_permission(request, f"admin.{self.name}.view")
         query = parse_obj_as(GetListParams, request.query)
 
+        # Add filters from advanced permissions.
+        if request.app["identity_callback"]:
+            identity = await authorized_userid(request)
+            user_details = await request.app["identity_callback"](identity)
+            permissions = permissions_as_dict(user_details["permissions"])
+            filters = permissions.get(f"admin.{self.name}.view",
+                                      permissions.get(f"admin.{self.name}.*", {}))
+            for k, v in filters.items():
+                query["filter"][k] = v
+
         results, total = await self.get_list(query)
         results = [await self.filter_by_permissions(request, "view", r) for r in results]
+        results = [r for r in results if await permits(request, f"admin.{self.name}.view",
+                                                       context=r)]
         return json_response({"data": results, "total": total})
 
     async def _get_one(self, request: web.Request) -> web.Response:
         await check_permission(request, f"admin.{self.name}.view")
         query = parse_obj_as(GetOneParams, request.query)
 
         result = await self.get_one(query)
+        if not await permits(request, f"admin.{self.name}.view", context=result):
+            raise web.HTTPForbidden()
         result = await self.filter_by_permissions(request, "view", result)
         return json_response({"data": result})
 
@@ -145,14 +154,17 @@ async def _get_many(self, request: web.Request) -> web.Response:
         query = parse_obj_as(GetManyParams, request.query)
 
         results = await self.get_many(query)
-        results = [await self.filter_by_permissions(request, "view", r) for r in results]
+        results = [await self.filter_by_permissions(request, "view", r) for r in results
+                   if await permits(request, f"admin.{self.name}.view", context=r)]
         return json_response({"data": results})
 
     async def _create(self, request: web.Request) -> web.Response:
-        await check_permission(request, f"admin.{self.name}.add")
         query = parse_obj_as(CreateParams, request.query)
-        for k in query["data"]:
-            await check_permission(request, f"admin.{self.name}.{k}.add")
+        await check_permission(request, f"admin.{self.name}.add", context=query["data"])
+        for k, v in query["data"].items():
+            if v is not None:
+                await check_permission(request, f"admin.{self.name}.{k}.add",
+                                       context=query["data"])
 
         result = await self.create(query)
         result = await self.filter_by_permissions(request, "view", result)
@@ -161,8 +173,22 @@ async def _create(self, request: web.Request) -> web.Response:
     async def _update(self, request: web.Request) -> web.Response:
         await check_permission(request, f"admin.{self.name}.edit")
         query = parse_obj_as(UpdateParams, request.query)
-        # Filter because react-admin still sends fields without an input component.
-        query["data"] = await self.filter_by_permissions(request, "edit", query["data"])
+
+        # Check original record is allowed by permission filters.
+        original = await self.get_one({"id": query["id"]})
+        if not await permits(request, f"admin.{self.name}.edit", context=original):
+            raise web.HTTPForbidden()
+
+        # Filter rather than forbid because react-admin still sends fields without an
+        # input component. The query may not be the complete dict though, so we must
+        # pass original for testing.
+        query["data"] = await self.filter_by_permissions(request, "edit", query["data"], original)
+        # Check new values are allowed by permission filters.
+        if not await permits(request, f"admin.{self.name}.edit", context=query["data"]):
+            raise web.HTTPForbidden()
+
+        if not query["data"]:
+            raise web.HTTPBadRequest(reason="No allowed fields to change.")
 
         result = await self.update(query)
         result = await self.filter_by_permissions(request, "view", result)
@@ -172,6 +198,10 @@ async def _delete(self, request: web.Request) -> web.Response:
         await check_permission(request, f"admin.{self.name}.delete")
         query = parse_obj_as(DeleteParams, request.query)
 
+        original = await self.get_one({"id": query["id"]})
+        if not await permits(request, f"admin.{self.name}.delete", context=original):
+            raise web.HTTPForbidden()
+
         result = await self.delete(query)
         result = await self.filter_by_permissions(request, "view", result)
         return json_response({"data": result})
@@ -180,6 +210,12 @@ async def _delete_many(self, request: web.Request) -> web.Response:
         await check_permission(request, f"admin.{self.name}.delete")
         query = parse_obj_as(DeleteManyParams, request.query)
 
+        originals = await self.get_many(query)
+        allowed = await asyncio.gather(*(permits(request, f"admin.{self.name}.delete",
+                                                 context=r) for r in originals))
+        if not all(allowed):
+            raise web.HTTPForbidden()
+
         ids = await self.delete_many(query)
         return json_response({"data": ids})
 

aiohttp_admin/backends/sqlalchemy.py

@@ -27,7 +27,8 @@
 
 def create_filters(columns: sa.ColumnCollection[str, sa.Column[object]],
                    filters: dict[str, object]) -> Iterator[ExpressionElementRole[Any]]:
-    return (columns[k].ilike(f"%{v}%") if isinstance(v, str) else columns[k] == v
+    return (columns[k].in_(v) if isinstance(v, list)
+            else columns[k].ilike(f"%{v}%") if isinstance(v, str) else columns[k] == v
             for k, v in filters.items())