Security

Security for every operation is managed against three definitions (in order of priority):

  • Local
  • Global
  • Code

The following can be defined locally:

  • A user/group has a permission in this object but not its children
  • A user/group has a permission in this object and its children
  • A user/group is forbidden permission in this object and its children
  • A user/group has a role on this object but not its children
  • A user/group has a role on this object and its children
  • A user/group is forbidden a role on this object and its children
  • A role has a permission on this object and its children
  • A role is forbidden permission in this object and its children

Globally:

  • A user/group has this Role
  • A user/group has this Permission

Code:

  • A user/group has this Role
  • A user/group has this Permission
  • A Role has this Permission

Roles

There are two kinds of roles: Global and Local. Roles defined as local can't be used globally, and vice versa. On indexing, the global roles are the ones indexed for security, in addition to the flat user/group information from each resource.

Python helper functions


# Code to get the global roles that have access_content to an object
from guillotina.security.utils import get_roles_with_access_content
get_roles_with_access_content(obj)

# Code to get the list of users that have access_content on an object
from guillotina.security.utils import get_principals_with_access_content
get_principals_with_access_content(obj)


# Code to get all the security info
from guillotina.security.utils import settings_for_object
settings_for_object(obj)

# Code to get the Interaction object ( security object )
from guillotina.interfaces import IInteraction

interaction = IInteraction(request)

# Get the list of global roles for a user and some groups
interaction.global_principal_roles(principal, groups)

# Check whether the authenticated user has a permission on an object
interaction.check_permission(permission, obj)

REST APIs

Get all the endpoints and their security

[GET] APPLICATION_URL/@apidefinition (you need guillotina.GetContainers permission)

Get the security info for a resource (with inherited info)

[GET] RESOURCE/@sharing (you need guillotina.SeePermissions permission)

Modify the local roles/permission for a resource

[POST] RESOURCE/@sharing (you need guillotina.ChangePermissions permission)

{
"prinperm": [
  {
    "principal": "foobar",
    "permission": "guillotina.ModifyContent",
    "setting": "Allow"
  }
],
"prinrole": [
  {
    "principal": "foobar",
    "role": "guillotina.Owner",
    "setting": "Allow"
  }
],
"roleperm": [
  {
    "permission": "guillotina.ModifyContent",
    "role": "guillotina.Member",
    "setting": "Allow"
  }
]
}

The different setting types are:

  • Allow: the permission or role is granted on the resource and the children inherit it
  • Deny: the permission or role is forbidden on the resource and the children inherit it
  • AllowSingle: the permission or role is granted on the resource only; the children do not inherit it
  • Unset: removes the setting
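
The inheritance behaviour of the four setting types, shown as an added example (not Guillotina's own code): a simplified model of "prinperm" entries only. Resource, effective_setting and prinperm_payload are hypothetical names, and "the setting closest to the resource wins" is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

INHERITED = {"Allow", "Deny"}  # settings that children inherit
SETTINGS = INHERITED | {"AllowSingle", "Unset"}


@dataclass
class Resource:
    """Toy resource node (hypothetical, not a Guillotina class)."""
    name: str
    parent: Optional["Resource"] = None
    # (principal, permission) -> "Allow" | "Deny" | "AllowSingle"
    prinperm: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def apply_sharing(self, payload: dict) -> None:
        """Apply the "prinperm" entries of a @sharing-style payload locally."""
        for item in payload.get("prinperm", []):
            key = (item["principal"], item["permission"])
            if item["setting"] not in SETTINGS:
                raise ValueError(f"unknown setting: {item['setting']!r}")
            if item["setting"] == "Unset":
                self.prinperm.pop(key, None)  # remove the local setting
            else:
                self.prinperm[key] = item["setting"]


def effective_setting(resource, principal, permission):
    """Nearest applicable local setting, or None when nothing local applies.

    Assumption of this model: the setting closest to the resource wins.
    """
    node, is_self = resource, True
    while node is not None:
        setting = node.prinperm.get((principal, permission))
        if setting == "AllowSingle" and is_self:
            return "Allow"  # counts only on the resource where it was set
        if setting in INHERITED:
            return setting
        node, is_self = node.parent, False
    return None  # no local decision: global, then code definitions apply


def prinperm_payload(setting, principal="foobar",
                     permission="guillotina.ModifyContent"):
    """Build a constructed single-entry payload in the page's JSON shape."""
    return {"prinperm": [{"principal": principal, "permission": permission,
                          "setting": setting}]}
```
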