[IMPROVEMENT] Add per-object permission checks #658

Author: vincent-olivert-riera

docs/user/permissions.rst

@@ -13,7 +13,7 @@ Permissions can be assigned at both the **Service** and **Project** levels.
 
 Each user or group can have at most one permission per Service or Project: **Admin**, **Editor** and **Viewer**.
 
-- **Admin**: Full control over the Service or Project, including managing permissions.
+- **Admin**: Full control over the Service or Project, including managing permissions. **Note:** Only the owner can delete the Service or Project.
 - **Editor**: Can modify the Service or Project but cannot delete it or manage permissions.
 - **Viewer**: Read-only access to the Service or Project.
 
@@ -45,12 +45,13 @@ The following table summarizes the permissions inheritance:
 | Exporter/URL/Farm/Host    | Full control   | Full control     | View             | Full control   | Full control     | View             |
 +---------------------------+----------------+------------------+------------------+----------------+------------------+------------------+
 
-*Full control: View, Create, Update, Delete, Manage Permissions*
+*Full control: View, Create, Update, Delete, Manage Permissions.* *Note: Delete Service or Project is only allowed for the owner.*
 
 **Use cases:**
 
-- User with **Service Admin** permission can manage all aspects of the Service, including its Projects and associated objects.
-- User with **Project Admin** permission can manage the specific Project and its associated objects, but cannot see or modify other Projects under the same Service. They cannot even view the parents Service's details unless they have explicit permissions on that Service.
+- User with **Service Admin** permission can manage all aspects of the Service, including its Projects and associated objects, but only the owner can delete the Service or any Project.
+- User with **Project Admin** permission can manage the specific Project and its associated objects, but only the owner can delete the Service or any Project.
+Project Admin of Project cannot also see or modify other Projects under the same Service. They cannot even view the parents Service's details unless they have explicit permissions on that Service.
 - User with **Service Viewer** permission can only view all aspects of the Service, including its Projects and associated objects, without making any changes.
 - User with **Project Viewer** permission can only view the specific Project and its associated objects, but cannot see or modify other Projects under the same Service.
 - User with **Service Editor** permission can modify the Service, its associated objects and the Projects under that Service, but cannot delete those Projects. However, they still can delete any associated objects of those Projects (such as Exporters and Farms).

promgen/forms.py

@@ -6,7 +6,6 @@
 
 from dateutil import parser
 from django import forms
-from django.conf import settings
 from django.contrib.auth.models import User
 from django.core.exceptions import ValidationError
 from django.utils.translation import gettext as _
@@ -264,7 +263,7 @@ def get_permission_choices(input_object):
 
 def get_group_choices():
     yield ("", "")
-    for g in models.Group.objects.exclude(name=settings.PROMGEN_DEFAULT_GROUP).order_by("name"):
+    for g in models.Group.objects.order_by("name"):
         yield (g.name, g.name)
 
 

promgen/locale/ja/LC_MESSAGES/django.mo

@@ -185,12 +185,6 @@ msgstr "Actions"
 msgid "No search parameters provided."
 msgstr "検索フレーズが指定されていません"
 
-#: templates/promgen/service_detail.html:93
-#: templates/promgen/project_detail.html:101
-#: templates/promgen/farm_detail.html:71
-msgid "This is a transitional release. Even if you are able to assign roles to members, the permission checks are actually disabled. They will be enabled in the next release."
-msgstr "このリリースは移行用のリリースです。ロールをメンバーに割り当てても、権限のチェックは行われません。次のリリースで権限のチェックが有効化されます。"
-
 #: templates/promgen/permission_row.html:28
 msgid "Delete all permissions for user?"
 msgstr "ユーザーから全ての権限を削除しますか？"
@@ -337,3 +331,39 @@ msgstr "{from_user}は{to_user}に統合されました。"
 # : templates/admin/auth/user/change_list.html:7
 msgid "Merge user"
 msgstr "ユーザー統合"
+
+#: proxy.py:284
+msgid "You must specify either a project or service label."
+msgstr "プロジェクトまたはサービスラベルを指定する必要があります。"
+
+#: proxy.py:296
+msgid "You do not have permission to silence this alert."
+msgstr "このアラートを無効にする権限がありません。"
+
+#: proxy.py:390
+msgid "You do not have permission to silence alerts for the following {label}: {names}."
+msgstr "次の{label}のアラートを無効にする権限がありません: {names}。"
+
+#: proxy.py:400
+msgid "You do not have permission to silence alerts for many ({count}) {label}."
+msgstr "多くの({count}) {label}のアラートを無効にする権限がありません。"
+
+#: errors.py:20
+msgid "Silence must include a service or project matcher."
+msgstr "サイレンスにはサービスまたはプロジェクトのマッチャーを含める必要があります。"
+
+#: proxy.py:461
+msgid "You do not have permission to expire the silence that matches the following {label}: {names}."
+msgstr "次の{label}に一致するサイレンスを期限切れにする権限がありません: {names}。"
+
+#: proxy.py:472
+msgid "You do not have permission to expire the silence that matches many ({count}) {label}."
+msgstr "多くの({count}) {label}に一致するサイレンスを期限切れにする権限がありません。"
+
+#: views.py:398
+msgid "Only the service owner can delete the service."
+msgstr "サービスを削除できるのはサービスの所有者のみです。"
+
+#: views.py:418
+msgid "Only the project or the service owner can delete the project."
+msgstr "プロジェクトを削除できるのはプロジェクトまたはサービスの所有者のみです。"

promgen/locale/ja/LC_MESSAGES/django.po

@@ -5,7 +5,7 @@
 
 
 def create_group(apps, schema_editor):
-    if not settings.PROMGEN_DEFAULT_GROUP:
+    if not getattr(settings, "PROMGEN_DEFAULT_GROUP", None):
         return
 
     # Create Default Group

promgen/migrations/0003_default-group.py

@@ -0,0 +1,27 @@
+# Generated by Django 4.2.11 on 2025-08-14 08:34
+
+from django.db import migrations
+
+
+def remove_group(apps, schema_editor):
+    """
+    Remove the Default group and its associated permissions.
+
+    Remove the group name which is hardcoded as "Default" in the original Promgen.
+    If the name is different in your application, you should change it
+    according to the value used in settings.PROMGEN_DEFAULT_GROUP.
+    """
+    default_group = apps.get_model("auth", "Group").objects.filter(name="Default").first()
+
+    if default_group:
+        default_group.user_set.clear()
+        default_group.permissions.clear()
+        default_group.delete()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("promgen", "0042_alert-notification-instrumentation"),
+    ]
+
+    operations = [migrations.RunPython(remove_group)]

promgen/migrations/0043_remove_default_group.py

@@ -1,15 +1,18 @@
 # Copyright (c) 2019 LINE Corporation
 # These sources are released under the terms of the MIT license: see LICENSE
 
+import guardian.mixins
+import guardian.utils
 from django.contrib import messages
 from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.contrib.auth.views import redirect_to_login
 from django.contrib.contenttypes.models import ContentType
-from django.shortcuts import get_object_or_404
+from django.http import HttpRequest
+from django.shortcuts import get_object_or_404, redirect
 from django.views.generic.base import ContextMixin
 from django.views.generic.edit import FormView
 
-from promgen import forms, models, notification
+from promgen import forms, models, notification, permissions, views
 
 
 class ContentTypeMixin:
@@ -96,3 +99,32 @@ def post(self, request, *args, **kwargs):
             else:
                 return self.form_invalid(sender_form)
         return self.form_invalid(notifier_form)
+
+
+class PromgenGuardianPermissionMixin(guardian.mixins.PermissionRequiredMixin):
+    def get_check_permission_object(self):
+        # Override this method to return the object to check permissions for
+        return self.get_object()
+
+    def check_permissions(self, request):
+        # Always allow user to view the site rule
+        if isinstance(self, views.RuleDetail) and isinstance(
+            self.get_object().content_object, models.Site
+        ):
+            return None
+
+        if not permissions.has_perm(
+            request.user,
+            self.get_required_permissions(request),
+            self.get_check_permission_object(),
+        ):
+            return self.on_perm_check_fail(request)
+
+        return None
+
+    def on_perm_check_fail(self, request: HttpRequest) -> None:
+        messages.warning(request, "You do not have permission to perform this action.")
+        referer = request.META.get("HTTP_REFERER")
+        if referer and referer != request.build_absolute_uri():
+            return redirect(referer)
+        return redirect_to_login(self.request.get_full_path())

promgen/mixins.py

@@ -1,8 +1,14 @@
 # Copyright (c) 2025 LINE Corporation
 # These sources are released under the terms of the MIT license: see LICENSE
+from django.contrib.auth.models import User
+from django.db.models import Q
 from django.utils.itercompat import is_iterable
+from guardian.shortcuts import get_objects_for_user
+from rest_framework import permissions
 from rest_framework.permissions import BasePermission
 
+from promgen import models
+
 
 class PromgenModelPermissions(BasePermission):
     """
@@ -41,3 +47,153 @@ def has_permission(self, request, view):
             return any(request.user.has_perm(perm) for perm in perm_list)
         else:
             return all(request.user.has_perm(perm) for perm in perm_list)
+
+
+class ReadOnlyForAuthenticatedUserOrIsSuperuser(BasePermission):
+    """
+    Customize Django REST Framework's base permission class to only allow read-only access for
+    authenticated users and full access for superusers.
+    """
+
+    def has_permission(self, request, view):
+        if request.user.is_superuser:
+            return True
+        return bool(
+            request.user
+            and request.user.is_authenticated
+            and request.method in permissions.SAFE_METHODS
+        )
+
+
+def get_check_permission_objects(obj):
+    # Because we only define permission codes for Service, Group, and Project,
+    # we need to map other objects to these.
+    if isinstance(obj, (models.Service, models.Group)):
+        return [obj]
+    if isinstance(obj, models.Project):
+        return [obj, obj.service]
+    if isinstance(obj, (models.Exporter, models.URL, models.Farm)):
+        return [obj.project, obj.project.service]
+    if isinstance(obj, models.Host):
+        return [obj.farm.project, obj.farm.project.service]
+    if isinstance(obj, (models.Rule, models.Sender)):
+        content_obj = getattr(obj, "content_object", None)
+        if isinstance(content_obj, models.Project):
+            return [content_obj, content_obj.service]
+        elif content_obj is not None:
+            return [content_obj]
+    return None
+
+
+def has_perm(user: User, perms: list[str], obj) -> bool:
+    # Superusers always have permission
+    if user.is_active and user.is_superuser:
+        return True
+
+    check_permission_objects = get_check_permission_objects(obj)
+    if not check_permission_objects:
+        return False
+
+    for check_obj in check_permission_objects:
+        # If the check_obj is the user itself, return True.
+        # Otherwise, check permissions.
+        # This also returns True if the user belongs to a Group that has the permission.
+        has_permission = user == check_obj or any(user.has_perm(perm, check_obj) for perm in perms)
+        if has_permission:
+            return True
+    return False
+
+
+def get_objects_for_user_with_perms(user: User, perms: list[str], klass):
+    """
+    Wrapper around guardian.shortcuts.get_objects_for_user to get objects
+    for a user with specific permissions.
+
+    Some important parameters are set according to Promgen's permission model:
+    - any_perm=True: Return objects that match any of the specified permissions.
+    - use_groups=True: Consider permissions assigned via both user and group of users.
+    - accept_global_perms=False: Do not consider global permissions for objects.
+
+    Args:
+        user (User): The user for whom to retrieve objects.
+        perms (list[str]): List of permission codenames to check.
+        klass (Model, optional): The model class to filter objects.
+
+    Returns:
+        QuerySet: A queryset of objects the user has the specified permissions for.
+
+    """
+    return get_objects_for_user(
+        user,
+        perms,
+        any_perm=True,
+        use_groups=True,
+        accept_global_perms=False,
+        klass=klass,
+    )
+
+
+def get_accessible_services_for_user(user: User):
+    return get_objects_for_user_with_perms(
+        user, ["service_admin", "service_editor", "service_viewer"], klass=models.Service
+    )
+
+
+def get_accessible_projects_for_user(user: User):
+    services = get_accessible_services_for_user(user)
+    projects = get_objects_for_user_with_perms(
+        user, ["project_admin", "project_editor", "project_viewer"], klass=models.Project
+    )
+    return models.Project.objects.filter(Q(pk__in=projects) | Q(service__in=services))
+
+
+def get_accessible_groups_for_user(user: User):
+    return get_objects_for_user_with_perms(
+        user, ["group_admin", "group_member"], klass=models.Group
+    )
+
+
+def get_editable_services_for_user(user: User):
+    return get_objects_for_user_with_perms(
+        user, ["service_admin", "service_editor"], klass=models.Service
+    )
+
+
+def get_editable_projects_for_user(user: User):
+    services = get_editable_services_for_user(user)
+    projects = get_objects_for_user_with_perms(
+        user, ["project_admin", "project_editor"], klass=models.Project
+    )
+    return models.Project.objects.filter(Q(pk__in=projects) | Q(service__in=services))
+
+
+def get_highest_role(user: User, obj):
+    """
+    Determine the highest role a user has for a given object.
+
+    Roles are determined based on the following hierarchy:
+    - ADMIN: service_admin, project_admin, group_admin
+    - EDIT: service_editor, project_editor
+    - VIEW: service_viewer, project_viewer, group_member
+    """
+
+    # Superusers always have ADMIN permission
+    if user.is_active and user.is_superuser:
+        return "ADMIN"
+
+    check_permission_objects = get_check_permission_objects(obj)
+    if not check_permission_objects:
+        return None
+
+    role_perms = [
+        ("ADMIN", ["service_admin", "project_admin", "group_admin"]),
+        ("EDIT", ["service_editor", "project_editor"]),
+        ("VIEW", ["service_viewer", "project_viewer", "group_member"]),
+    ]
+
+    for role, perms in role_perms:
+        for check_obj in check_permission_objects:
+            if any(user.has_perm(perm, check_obj) for perm in perms):
+                return role
+
+    return None