
Library to help manage role-based access controls for Django apps

Project description


Overview

Library to help manage role-based access controls for Django services.

  • See the Getting started guide to set up your development environment.

  • See the How To Guide to learn about the fundamentals of edx-rbac and how to implement RBAC in your Django service.

License

The code in this repository is licensed under the AGPL 3.0 unless otherwise noted.

Please see LICENSE.txt for details.

How To Contribute

Contributions are very welcome.

Please read How To Contribute for details.

Even though they were written with edx-platform in mind, the guidelines should be followed for Open edX code in general.

The PR description template should be applied automatically if you are sending a PR from the GitHub interface; otherwise you can find it at PULL_REQUEST_TEMPLATE.md

The issue report template should also be applied automatically if you are sending it from the GitHub UI; otherwise you can find it at ISSUE_TEMPLATE.md

Reporting Security Issues

Please do not report security issues in public. Please email security@edx.org.

Getting Help

Have a question about this repository, or about Open edX in general? Please refer to this list of resources if you need any assistance.

Change Log

Unreleased

[1.4.1] - 2021-01-22

  • Add a UserRoleAssignment.applies_to_all field, because explicit is better than implicit. See the ADR at docs/decisions/0002-explicit-role-assignment-wildcard.rst.

[1.4.0]

  • Update PyPI token.

[1.3.3] - 2020-10-02

  • Removed python_2_unicode_compatible decorator.

[1.3.2] - 2020-07-28

  • PermissionRequiredForListingMixin.get_queryset() should allow falsey base_queryset properties, like an empty QuerySet object. Adds tests to verify that this is the case.

[1.3.1] - 2020-06-16

  • Update get_assignments() to guard against AnonymousUsers.

  • Update contexts_accessible_from_database() to use get_assignments() instead of building a “custom” QuerySet.

[1.3.0] - 2020-06-11

  • Adds a PermissionRequiredForListingMixin that can be used in DRF ModelViewSets and supports a list action. This should allow list actions to return all of the elements from a base_queryset that the requesting user has access to, either via their JWT or DB-assigned roles.

  • Adds/modifies utility functions that deal with permission-checking to support multiple roles and multiple contexts.

[1.2.1] - 2020-05-08

  • Exposes a new utils.feature_roles_from_jwt() function, which, given a decoded JWT, will provide a mapping of feature roles to contexts/identifiers.

  • Modifies utils.user_has_access_via_database() to check for multiple database role assignments for a given user and role name (i.e. uses a filter() instead of a get()).

[1.2.0] - 2020-04-30

  • Removed support for Django 2.0 and 2.1.

  • Added support for Python 3.8.

[1.1.3] - 2020-04-13

  • Added check for AnonymousUser in user_has_access_via_database to prevent 500 errors.

[1.1.2] - 2020-03-27

  • Added support for Django 2.0, 2.1, and 2.2.

[1.1.1] - 2020-03-02

  • Fix bug in implicit role check when the same role has multiple contexts available.

[1.1.0] - 2020-02-18

  • Update PermissionRequiredMixin to pass through an object to rule predicates, if self.get_permision_required exists and is callable

[1.0.5] - 2019-12-18

  • Updated requirements.

[1.0.4] - 2019-12-17

  • Updated utils for user with multiple contexts.

[1.0.3] - 2019-09-12

  • Use functools.wraps to prevent the decorator from swallowing the view name

[1.0.2] - 2019-07-12

  • Store the current request in thread-local storage using crum.

[1.0.1] - 2019-05-27

  • edx-drf-extensions version upgrade.

[1.0.0] - 2019-05-20

  • Removed get_request_or_stub and get_decoded_jwt_from_request from utils.py

[0.2.1] - 2019-05-08

  • edx-drf-extensions version upgrade.

[0.2.0] - 2019-04-30

  • Check for JWT presence in implicit permission.

  • Refactor role retrieval to remove the dependency on django models for assigning roles.

[0.1.11] - 2019-04-08

  • Get JWT token from request.auth if it is not set on the cookie. This supports client credentials oauth2 flow.

[0.1.10] - 2019-04-01

  • Update context checks for implicit and explicit access for all resources access.

[0.1.9] - 2019-04-01

  • Adding support for checking context for implicit and explicit access.

[0.1.8] - 2019-03-22

  • Adding an additional argument for the permission_required decorator

[0.1.7] - 2019-03-20

  • Adding a mixin for authz permissions support.

[0.1.6] - 2019-03-19

  • Adding a decorator for authz permissions support.

[0.1.5] - 2019-03-18

  • Adding django admin support for models extending UserRoleAssignment.

[0.1.4] - 2019-03-07

  • Adding a number of utils for roles in JWTs and the database

[0.1.3] - 2019-03-07

  • Adding get_context to the UserRoleAssignment class.

[0.1.2] - 2019-03-06

  • Quality fixes

[0.1.1] - 2019-03-06

  • Bumping version so we get pip updated with new models we added

[0.1.0] - 2019-02-28

Added

  • First release on PyPI.

Download files


Source Distribution

edx-rbac-1.4.1.tar.gz (29.8 kB)

Uploaded Source

Built Distribution

edx_rbac-1.4.1-py2.py3-none-any.whl (38.7 kB)

Uploaded Python 2, Python 3

File details

Details for the file edx-rbac-1.4.1.tar.gz.

File metadata

  • Download URL: edx-rbac-1.4.1.tar.gz
  • Upload date:
  • Size: 29.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/51.1.2 requests-toolbelt/0.9.1 tqdm/4.56.0 CPython/3.8.7

File hashes

Hashes for edx-rbac-1.4.1.tar.gz
Algorithm Hash digest
SHA256 f28b9a6a701902daa15a574f26341b51a22f76b3b46576f26dc24797461b0285
MD5 4e12cb8ffc09fcdf46818c2d20489e13
BLAKE2b-256 644e921a9f565925b7df86c538617217df05182daf67d51b5498425a9fa50d3c


File details

Details for the file edx_rbac-1.4.1-py2.py3-none-any.whl.

File metadata

  • Download URL: edx_rbac-1.4.1-py2.py3-none-any.whl
  • Upload date:
  • Size: 38.7 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/51.1.2 requests-toolbelt/0.9.1 tqdm/4.56.0 CPython/3.8.7

File hashes

Hashes for edx_rbac-1.4.1-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 91cc4f6851dd6106034721215bd1998fa939e7dc394c5e297f25ede628cd16a1
MD5 5968edaf606e8626266d987e261ec654
BLAKE2b-256 1d8b00d748a75a84c4070b786c973e273a8be5270f2696c72caa305fab9fa413
