| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556 |
- from functools import wraps
-
- from flask_login import current_user # type: ignore
- from sqlalchemy.orm import Session
- from werkzeug.exceptions import Forbidden
-
- from extensions.ext_database import db
- from models.account import TenantPluginPermission
-
-
- def plugin_permission_required(
- install_required: bool = False,
- debug_required: bool = False,
- ):
- def interceptor(view):
- @wraps(view)
- def decorated(*args, **kwargs):
- user = current_user
- tenant_id = user.current_tenant_id
-
- with Session(db.engine) as session:
- permission = (
- session.query(TenantPluginPermission)
- .filter(
- TenantPluginPermission.tenant_id == tenant_id,
- )
- .first()
- )
-
- if not permission:
- # no permission set, allow access for everyone
- return view(*args, **kwargs)
-
- if install_required:
- if permission.install_permission == TenantPluginPermission.InstallPermission.NOBODY:
- raise Forbidden()
- if permission.install_permission == TenantPluginPermission.InstallPermission.ADMINS:
- if not user.is_admin_or_owner:
- raise Forbidden()
- if permission.install_permission == TenantPluginPermission.InstallPermission.EVERYONE:
- pass
-
- if debug_required:
- if permission.debug_permission == TenantPluginPermission.DebugPermission.NOBODY:
- raise Forbidden()
- if permission.debug_permission == TenantPluginPermission.DebugPermission.ADMINS:
- if not user.is_admin_or_owner:
- raise Forbidden()
- if permission.debug_permission == TenantPluginPermission.DebugPermission.EVERYONE:
- pass
-
- return view(*args, **kwargs)
-
- return decorated
-
- return interceptor
|
