oxutils 0.1.6__py3-none-any.whl → 0.1.12__py3-none-any.whl

oxutils/permissions/caches.py

@@ -0,0 +1,19 @@
+from django.conf import settings
+
+
+
+CACHE_CHECK_PERMISSION = getattr(settings, 'CACHE_CHECK_PERMISSION', False)
+
+if CACHE_CHECK_PERMISSION:
+    from cacheops import cached_as
+    from .models import Grant
+    from .utils import check
+
+    @cached_as(Grant, timeout=60*5)
+    def cache_check(user, scope, actions, group = None, **context):
+        return check(user, scope, actions, group, **context)
+else:
+    from .utils import check
+
+    def cache_check(user, scope, actions, group = None, **context):
+        return check(user, scope, actions, group, **context)

oxutils/permissions/checks.py

@@ -0,0 +1,188 @@
+"""
+Django system checks for permissions configuration.
+
+Example configuration in settings.py:
+
+    ACCESS_MANAGER_SCOPE = "access"
+    ACCESS_MANAGER_GROUP = "manager"  # or None
+    ACCESS_MANAGER_CONTEXT = {}
+
+    CACHE_CHECK_PERMISSION = False
+    
+    ACCESS_SCOPES = [
+        "users",
+        "articles",
+        "comments"
+    ]
+    
+    PERMISSION_PRESET = {
+        "roles": [...],
+        "group": [...],
+        "role_grants": [...]
+    }
+"""
+
+from django.conf import settings
+from django.core.checks import Error, Warning, register, Tags
+
+
+@register(Tags.security)
+def check_permission_settings(app_configs, **kwargs):
+    """
+    Validate permission-related settings.
+    
+    Checks:
+    - ACCESS_MANAGER_SCOPE is defined
+    - ACCESS_MANAGER_GROUP is defined (can be None)
+    - ACCESS_MANAGER_CONTEXT is defined
+    - ACCESS_SCOPES is defined
+    - PERMISSION_PRESET is defined
+    - ACCESS_MANAGER_SCOPE exists in ACCESS_SCOPES
+    - ACCESS_MANAGER_GROUP exists in PERMISSION_PRESET groups (if not None)
+    """
+    errors = []
+    
+    # Check ACCESS_MANAGER_SCOPE
+    if not hasattr(settings, 'ACCESS_MANAGER_SCOPE'):
+        errors.append(
+            Error(
+                'ACCESS_MANAGER_SCOPE is not defined',
+                hint='Add ACCESS_MANAGER_SCOPE = "access" to your settings',
+                id='permissions.E001',
+            )
+        )
+    
+    # Check ACCESS_MANAGER_GROUP
+    if not hasattr(settings, 'ACCESS_MANAGER_GROUP'):
+        errors.append(
+            Error(
+                'ACCESS_MANAGER_GROUP is not defined',
+                hint='Add ACCESS_MANAGER_GROUP = "manager" or None to your settings',
+                id='permissions.E002',
+            )
+        )
+    
+    # Check ACCESS_MANAGER_CONTEXT
+    if not hasattr(settings, 'ACCESS_MANAGER_CONTEXT'):
+        errors.append(
+            Error(
+                'ACCESS_MANAGER_CONTEXT is not defined',
+                hint='Add ACCESS_MANAGER_CONTEXT = {} to your settings',
+                id='permissions.E003',
+            )
+        )
+    
+    # Check ACCESS_SCOPES
+    if not hasattr(settings, 'ACCESS_SCOPES'):
+        errors.append(
+            Error(
+                'ACCESS_SCOPES is not defined',
+                hint='Add ACCESS_SCOPES = ["users", "articles", ...] to your settings',
+                id='permissions.E004',
+            )
+        )
+    else:
+        # Validate ACCESS_SCOPES is a list
+        if not isinstance(settings.ACCESS_SCOPES, list):
+            errors.append(
+                Error(
+                    'ACCESS_SCOPES must be a list',
+                    hint='Set ACCESS_SCOPES = ["users", "articles", ...]',
+                    id='permissions.E005',
+                )
+            )
+    
+    # Check PERMISSION_PRESET
+    if not hasattr(settings, 'PERMISSION_PRESET'):
+        errors.append(
+            Warning(
+                'PERMISSION_PRESET is not defined',
+                hint='Add PERMISSION_PRESET dict to your settings or use load_permission_preset',
+                id='permissions.W001',
+            )
+        )
+    else:
+        # Validate PERMISSION_PRESET structure
+        preset = settings.PERMISSION_PRESET
+        if not isinstance(preset, dict):
+            errors.append(
+                Error(
+                    'PERMISSION_PRESET must be a dictionary',
+                    id='permissions.E006',
+                )
+            )
+        else:
+            # Check required keys
+            required_keys = ['roles', 'group', 'role_grants']
+            for key in required_keys:
+                if key not in preset:
+                    errors.append(
+                        Error(
+                            f'PERMISSION_PRESET is missing required key: {key}',
+                            hint=f'Add "{key}" key to PERMISSION_PRESET',
+                            id=f'permissions.E007',
+                        )
+                    )
+    
+    # Cross-validation: ACCESS_MANAGER_SCOPE in ACCESS_SCOPES
+    if (hasattr(settings, 'ACCESS_MANAGER_SCOPE') and 
+        hasattr(settings, 'ACCESS_SCOPES') and 
+        isinstance(settings.ACCESS_SCOPES, list)):
+        
+        if settings.ACCESS_MANAGER_SCOPE not in settings.ACCESS_SCOPES:
+            errors.append(
+                Error(
+                    f'ACCESS_MANAGER_SCOPE "{settings.ACCESS_MANAGER_SCOPE}" is not in ACCESS_SCOPES',
+                    hint=f'Add "{settings.ACCESS_MANAGER_SCOPE}" to ACCESS_SCOPES list',
+                    id='permissions.E008',
+                )
+            )
+    
+    # Cross-validation: ACCESS_MANAGER_GROUP in PERMISSION_PRESET groups
+    if (hasattr(settings, 'ACCESS_MANAGER_GROUP') and 
+        settings.ACCESS_MANAGER_GROUP is not None and
+        hasattr(settings, 'PERMISSION_PRESET') and
+        isinstance(settings.PERMISSION_PRESET, dict) and
+        'group' in settings.PERMISSION_PRESET):
+        
+        group_slugs = [g.get('slug') for g in settings.PERMISSION_PRESET.get('group', [])]
+        
+        if settings.ACCESS_MANAGER_GROUP not in group_slugs:
+            errors.append(
+                Error(
+                    f'ACCESS_MANAGER_GROUP "{settings.ACCESS_MANAGER_GROUP}" is not in PERMISSION_PRESET groups',
+                    hint=f'Add a group with slug "{settings.ACCESS_MANAGER_GROUP}" to PERMISSION_PRESET["group"]',
+                    id='permissions.E009',
+                )
+            )
+    
+    # Validate ACCESS_MANAGER_CONTEXT is a dict
+    if hasattr(settings, 'ACCESS_MANAGER_CONTEXT'):
+        if not isinstance(settings.ACCESS_MANAGER_CONTEXT, dict):
+            errors.append(
+                Error(
+                    'ACCESS_MANAGER_CONTEXT must be a dictionary',
+                    hint='Set ACCESS_MANAGER_CONTEXT = {}',
+                    id='permissions.E010',
+                )
+            )
+    
+    # Check CACHE_CHECK_PERMISSION and cacheops dependency
+    if hasattr(settings, 'CACHE_CHECK_PERMISSION') and settings.CACHE_CHECK_PERMISSION:
+        if not hasattr(settings, 'INSTALLED_APPS'):
+            errors.append(
+                Error(
+                    'INSTALLED_APPS is not defined',
+                    id='permissions.E011',
+                )
+            )
+        elif 'cacheops' not in settings.INSTALLED_APPS:
+            errors.append(
+                Error(
+                    'CACHE_CHECK_PERMISSION is True but cacheops is not in INSTALLED_APPS',
+                    hint='Add "cacheops" to INSTALLED_APPS or set CACHE_CHECK_PERMISSION = False',
+                    id='permissions.E012',
+                )
+            )
+    
+    return errors

oxutils/permissions/controllers.py

@@ -0,0 +1,344 @@
+from typing import List, Optional
+from django.conf import settings
+from django.http import HttpRequest
+from ninja_extra import (
+    api_controller,
+    ControllerBase,
+    http_get,
+    http_post,
+    http_put,
+    http_delete,
+    paginate,
+)
+from ninja_extra.permissions import IsAuthenticated
+from ninja_extra.pagination import PageNumberPaginationExtra, PaginatedResponseSchema
+from . import schemas
+from .models import Role, Group, RoleGrant, Grant
+from .services import PermissionService
+from .perms import access_manager
+from oxutils.exceptions import NotFoundException, ValidationException
+
+
+
+
+@api_controller(
+    "/access",
+    permissions=[
+        IsAuthenticated & access_manager('r')
+    ]
+)
+class PermissionController(ControllerBase):
+    """
+    Contrôleur pour la gestion des permissions, rôles et groupes.
+    """
+    service = PermissionService()
+
+    @http_get('/scopes', response=List[str])
+    def list_scopes(self):
+        return getattr(settings, 'ACCESS_SCOPES', [])
+
+    @http_get("/roles", response=PaginatedResponseSchema[schemas.RoleSchema])
+    @paginate(PageNumberPaginationExtra, page_size=20)
+    def list_roles(self):
+        """
+        Liste tous les rôles.
+        """
+        return self.service.get_roles()
+
+    @http_get("/roles/{role_slug}", response=schemas.RoleSchema)
+    def get_role(self, role_slug: str):
+        """
+        Récupère un rôle par son slug.
+        """
+        return self.service.get_role(role_slug)
+
+    # Groupes
+    @http_post(
+        "/groups", 
+        response=schemas.GroupSchema,
+        permissions=[
+            IsAuthenticated & access_manager('w')
+        ]
+    )
+    def create_group(self, group_data: schemas.GroupCreateSchema):
+        """
+        Crée un nouveau groupe de rôles.
+        """
+        return self.service.create_group(group_data)
+
+    @http_get(
+        "/groups", 
+        response=PaginatedResponseSchema[schemas.GroupSchema],
+    )
+    @paginate(PageNumberPaginationExtra, page_size=20)
+    def list_groups(self):
+        """
+        Liste tous les groupes de rôles.
+        """
+        return Group.objects.all()
+
+    @http_get(
+        "/groups/{group_slug}", 
+        response=schemas.GroupSchema,
+    )
+    def get_group(self, group_slug: str):
+        """
+        Récupère un groupe par son slug.
+        """
+        try:
+            return Group.objects.get(slug=group_slug)
+        except Group.DoesNotExist:
+            raise NotFoundException("Groupe non trouvé")
+
+    @http_put(
+        "/groups/{group_slug}", 
+        response=schemas.GroupSchema,
+        permissions=[
+            IsAuthenticated & access_manager('ru')
+        ]
+    )
+    def update_group(self, group_slug: str, group_data: schemas.GroupUpdateSchema):
+        """
+        Met à jour un groupe existant.
+        """
+        try:
+            group = Group.objects.get(slug=group_slug)
+            
+            # Mise à jour des champs simples
+            for field, value in group_data.dict(exclude_unset=True, exclude={"roles"}).items():
+                setattr(group, field, value)
+            
+            # Mise à jour des rôles si fournis
+            if group_data.roles is not None:
+                roles = Role.objects.filter(slug__in=group_data.roles)
+                group.roles.set(roles)
+            
+            group.save()
+            return group
+        except Group.DoesNotExist:
+            raise NotFoundException("Groupe non trouvé")
+        except Exception as e:
+            raise ValidationException(str(e))
+
+    @http_delete(
+        "/groups/{group_slug}", 
+        response={
+            "204": None
+        },
+        permissions=[
+            IsAuthenticated & access_manager('d')
+        ]
+    )
+    def delete_group(self, group_slug: str):
+        """
+        Supprime un groupe.
+        """
+        try:
+            group = Group.objects.get(slug=group_slug)
+            group.delete()
+            return None
+        except Group.DoesNotExist:
+            raise NotFoundException("Groupe non trouvé")
+
+    # Rôles des utilisateurs
+    @http_post(
+        "/users/assign-role",
+        response=schemas.RoleSchema,
+        permissions=[
+            IsAuthenticated & access_manager('rw')
+        ]
+    )
+    def assign_role_to_user(self, data: schemas.AssignRoleSchema, request: HttpRequest):
+        """
+        Assigne un rôle à un utilisateur.
+        """
+        return self.service.assign_role_to_user(
+            user_id=data.user_id,
+            role_slug=data.role,
+            by_user=request.user if request.user.is_authenticated else None
+        )
+
+    @http_post(
+        "/users/revoke-role", 
+        response={
+            "204": None
+        },
+        permissions=[
+            IsAuthenticated & access_manager('rw')
+        ]
+    )
+    def revoke_role_from_user(self, data: schemas.RevokeRoleSchema):
+        """
+        Révoque un rôle d'un utilisateur.
+        """
+        self.service.revoke_role_from_user(
+            user_id=data.user_id,
+            role_slug=data.role
+        )
+        return None
+
+    @http_post(
+        "/users/assign-group",
+        response=List[schemas.RoleSchema],
+        permissions=[
+            IsAuthenticated & access_manager('rw')
+        ]
+    )
+    def assign_group_to_user(self, data: schemas.AssignGroupSchema, request: HttpRequest):
+        """
+        Assigne un groupe de rôles à un utilisateur.
+        """
+        return self.service.assign_group_to_user(
+            user_id=data.user_id,
+            group_slug=data.group,
+            by_user=request.user if request.user.is_authenticated else None
+        )
+
+    @http_post(
+        "/users/revoke-group", 
+        response={
+            "204": None
+        },
+        permissions=[
+            IsAuthenticated & access_manager('rw')
+        ]
+    )
+    def revoke_group_from_user(self, data: schemas.RevokeGroupSchema):
+        """
+        Révoque un groupe de rôles d'un utilisateur.
+        """
+        self.service.revoke_group_from_user(
+            user_id=data.user_id,
+            group_slug=data.group
+        )
+        return None
+
+    @http_post(
+        "/groups/{group_slug}/sync", 
+        response=schemas.GroupSyncResponseSchema,
+        permissions=[
+            IsAuthenticated & access_manager('rw')
+        ]
+    )
+    def sync_group(self, group_slug: str):
+        """
+        Synchronise les grants de tous les utilisateurs d'un groupe.
+        À appeler après modification des RoleGrants ou des rôles du groupe.
+        """
+        return self.service.sync_group(group_slug)
+
+    # Grants
+    @http_post(
+        "/grants", 
+        response=schemas.GrantSchema,
+        permissions=[
+            IsAuthenticated & access_manager('rw')
+        ]
+    )
+    def create_grant(self, grant_data: schemas.GrantCreateSchema):
+        """
+        Crée une nouvelle permission personnalisée pour un utilisateur.
+        """
+        return self.service.create_grant(grant_data)
+
+    @http_get(
+        "/grants", 
+        response=PaginatedResponseSchema[schemas.GrantSchema],
+    )
+    @paginate(PageNumberPaginationExtra, page_size=20)
+    def list_grants(self, user_id: Optional[int] = None, role: Optional[str] = None):
+        """
+        Liste les grants, avec filtrage optionnel par utilisateur et/ou rôle.
+        """
+        queryset = Grant.objects.all()
+        if user_id:
+            queryset = queryset.filter(user_id=user_id)
+        if role:
+            queryset = queryset.filter(role__slug=role)
+        return queryset
+
+    @http_put(
+        "/grants/{grant_id}", 
+        response=schemas.GrantSchema,
+        permissions=[
+            IsAuthenticated & access_manager('ru')
+        ]
+    )
+    def update_grant(self, grant_id: int, grant_data: schemas.GrantUpdateSchema):
+        """
+        Met à jour une permission personnalisée.
+        """
+        return self.service.update_grant(grant_id, grant_data)
+
+    @http_delete(
+        "/grants/{grant_id}",
+        response={
+            "204": None
+        },
+        permissions=[
+            IsAuthenticated & access_manager('d')
+        ]
+    )
+    def delete_grant(self, grant_id: int):
+        """
+        Supprime une permission personnalisée.
+        """
+        self.service.delete_grant(grant_id)
+        return None
+
+    # Role Grants
+    @http_post(
+        "/role-grants", 
+        response=schemas.RoleGrantSchema,
+        permissions=[
+            IsAuthenticated & access_manager('rw')
+        ]
+    )
+    def create_role_grant(self, grant_data: schemas.RoleGrantCreateSchema):
+        """
+        Crée une nouvelle permission pour un rôle.
+        """
+        return self.service.create_role_grant(grant_data)
+
+    @http_get(
+        "/role-grants", 
+        response=PaginatedResponseSchema[schemas.RoleGrantSchema],
+    )
+    @paginate(PageNumberPaginationExtra, page_size=20)
+    def list_role_grants(self, role: Optional[str] = None):
+        """
+        Liste les permissions de rôles, avec filtrage optionnel par rôle.
+        """
+        queryset = RoleGrant.objects.select_related('role').all()
+        if role:
+            queryset = queryset.filter(role__slug=role)
+        return queryset
+
+    @http_put(
+        "/role-grants/{grant_id}", 
+        response=schemas.RoleGrantSchema,
+        permissions=[
+            IsAuthenticated & access_manager('ru')
+        ]
+    )
+    def update_role_grant(self, grant_id: int, grant_data: schemas.RoleGrantUpdateSchema):
+        """
+        Met à jour une permission de rôle.
+        """
+        return self.service.update_role_grant(grant_id, grant_data)
+
+    @http_delete(
+        "/role-grants/{grant_id}/", 
+        response={
+            "204": None
+        },
+        permissions=[
+            IsAuthenticated & access_manager('d')
+        ]
+    )
+    def delete_role_grant(self, grant_id: int):
+        """
+        Supprime une permission de rôle.
+        """
+        self.service.delete_role_grant(grant_id)
+        return None

oxutils/permissions/exceptions.py

@@ -0,0 +1,60 @@
+from django.utils.translation import gettext_lazy as _
+from oxutils.exceptions import (
+    APIException,
+    NotFoundException,
+    ValidationException,
+    DuplicateEntryException,
+    PermissionDeniedException,
+    ExceptionCode
+)
+
+
+class RoleNotFoundException(NotFoundException):
+    """Exception levée quand un rôle n'est pas trouvé."""
+    default_detail = _('Le rôle demandé n\'existe pas')
+
+
+class GroupNotFoundException(NotFoundException):
+    """Exception levée quand un groupe n'est pas trouvé."""
+    default_detail = _('Le groupe demandé n\'existe pas')
+
+
+class GrantNotFoundException(NotFoundException):
+    """Exception levée quand un grant n'est pas trouvé."""
+    default_detail = _('Le grant demandé n\'existe pas')
+
+
+class RoleGrantNotFoundException(NotFoundException):
+    """Exception levée quand un role grant n'est pas trouvé."""
+    default_detail = _('Le role grant demandé n\'existe pas')
+
+
+class RoleAlreadyAssignedException(DuplicateEntryException):
+    """Exception levée quand un rôle est déjà assigné à un utilisateur."""
+    default_detail = _('Ce rôle est déjà assigné à l\'utilisateur')
+
+
+class GroupAlreadyAssignedException(DuplicateEntryException):
+    """Exception levée quand un groupe est déjà assigné à un utilisateur."""
+    default_detail = _('Ce groupe est déjà assigné à l\'utilisateur')
+
+
+class InvalidActionsException(ValidationException):
+    """Exception levée quand des actions invalides sont fournies."""
+    default_detail = _('Les actions fournies sont invalides')
+
+
+class InsufficientPermissionsException(PermissionDeniedException):
+    """Exception levée quand l'utilisateur n'a pas les permissions suffisantes."""
+    default_code = ExceptionCode.INSUFFICIENT_PERMISSIONS
+    default_detail = _('Permissions insuffisantes pour effectuer cette action')
+
+
+class RoleGrantConflictException(DuplicateEntryException):
+    """Exception levée quand un role grant existe déjà pour ce rôle et scope."""
+    default_detail = _('Un role grant existe déjà pour ce rôle et ce scope')
+
+
+class GrantConflictException(DuplicateEntryException):
+    """Exception levée quand un grant existe déjà pour cet utilisateur et scope."""
+    default_detail = _('Un grant existe déjà pour cet utilisateur et ce scope')