wip

2025-07-27 04:58:42 +02:00 · 2025-02-10 19:23:50 -05:00 · 2025-02-10 19:23:50 -05:00 · d84aa421d9
commit d84aa421d9
parent 303b74c458
8 changed files with 121 additions and 2 deletions
--- a/src/djangooidc/views.py
+++ b/src/djangooidc/views.py
@ -5,12 +5,14 @@ import logging
 from django.conf import settings
 from django.contrib.auth import logout as auth_logout
 from django.contrib.auth import authenticate, login
 from login_required import login_not_required
 from django.http import HttpResponseRedirect
 from django.shortcuts import redirect
 from urllib.parse import parse_qs, urlencode
 from djangooidc.oidc import Client
 from djangooidc import exceptions as o_e
 from registrar.decorators import grant_access
 from registrar.models import User
 from registrar.views.utility.error_views import custom_500_error_view, custom_401_error_view
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@ -200,6 +200,8 @@ MIDDLEWARE = [
    "waffle.middleware.WaffleMiddleware",
    "registrar.registrar_middleware.CheckUserProfileMiddleware",
    "registrar.registrar_middleware.CheckPortfolioMiddleware",
    # Restrict access using Opt-Out approach
    "registrar.registrar_middleware.RestrictAccessMiddleware",
 ]
 # application object used by Django's built-in servers (e.g. `runserver`)
--- a/src/registrar/decorators.py
+++ b/src/registrar/decorators.py
@ -0,0 +1,72 @@
 from functools import wraps
 from django.http import JsonResponse
 from django.core.exceptions import ObjectDoesNotExist
 from registrar.models.domain import Domain
 from registrar.models.user_domain_role import UserDomainRole
 # Constants for clarity
 ALL = "all"
 IS_SUPERUSER = "is_superuser"
 IS_STAFF = "is_staff"
 IS_DOMAIN_MANAGER = "is_domain_manager"
 def grant_access(*rules):
    """
    Allows multiple rules in a single decorator call:
    @grant_access(IS_STAFF, IS_SUPERUSER, IS_DOMAIN_MANAGER)
    or multiple stacked decorators:
    @grant_access(IS_SUPERUSER)
    @grant_access(IS_DOMAIN_MANAGER)
    """
    def decorator(view_func):
        view_func.has_explicit_access = True  # Mark as explicitly access-controlled
        existing_rules = getattr(view_func, "_access_rules", set())
        existing_rules.update(rules)  # Support multiple rules in one call
        view_func._access_rules = existing_rules  # Store rules on the function
        @wraps(view_func)
        def wrapper(request, *args, **kwargs):
            user = request.user
            # Skip authentication if @login_not_required is applied
            if getattr(view_func, "login_not_required", False):
                return view_func(request, *args, **kwargs)
            # Allow everyone if `ALL` is in rules
            if ALL in view_func._access_rules:
                return view_func(request, *args, **kwargs)
            # Ensure user is authenticated
            if not user.is_authenticated:
                return JsonResponse({"error": "Authentication required"}, status=403)
            conditions_met = []
            if IS_STAFF in view_func._access_rules:
                conditions_met.append(user.is_staff)
            if not any(conditions_met) and IS_SUPERUSER in view_func._access_rules:
                conditions_met.append(user.is_superuser)
            if not any(conditions_met) and IS_DOMAIN_MANAGER in view_func._access_rules:
                domain_id = kwargs.get('pk') or kwargs.get('domain_id')
                if not domain_id:
                    return JsonResponse({"error": "Domain ID missing"}, status=400)
                try:
                    domain = Domain.objects.get(pk=domain_id)
                    has_permission = UserDomainRole.objects.filter(
                        user=user, domain=domain
                    ).exists()
                    conditions_met.append(has_permission)
                except ObjectDoesNotExist:
                    return JsonResponse({"error": "Invalid Domain"}, status=404)
            if not any(conditions_met):
                return JsonResponse({"error": "Access Denied"}, status=403)
            return view_func(request, *args, **kwargs)
        return wrapper
    return decorator
--- a/src/registrar/registrar_middleware.py
+++ b/src/registrar/registrar_middleware.py
@ -3,9 +3,13 @@ Contains middleware used in settings.py
 """
 import logging
 import re
 from urllib.parse import parse_qs
 from django.conf import settings
 from django.urls import reverse
 from django.http import HttpResponseRedirect
 from django.http import JsonResponse
 from django.urls import resolve
 from registrar.models import User
 from waffle.decorators import flag_is_active
@ -170,3 +174,38 @@ class CheckPortfolioMiddleware:
            request.session["portfolio"] = request.user.get_first_portfolio()
        else:
            request.session["portfolio"] = request.user.get_first_portfolio()
 class RestrictAccessMiddleware:
    """ Middleware that blocks all views unless explicitly permitted """
    def __init__(self, get_response):
        self.get_response = get_response
        self.ignored_paths = [re.compile(pattern) for pattern in getattr(settings, "LOGIN_REQUIRED_IGNORE_PATHS", [])]
    def __call__(self, request):
        # Allow requests that match LOGIN_REQUIRED_IGNORE_PATHS
        if any(pattern.match(request.path) for pattern in self.ignored_paths):
            return self.get_response(request)
        # Try to resolve the view function
        try:
            resolver_match = resolve(request.path_info)
            view_func = resolver_match.func
            app_name = resolver_match.app_name  # Get app name of resolved view
        except Exception:
            return JsonResponse({"error": "Not Found"}, status=404)
        # Auto-allow Django's built-in admin views (but NOT custom /admin/* views)
        if app_name == "admin":
            return self.get_response(request)
        # Skip access restriction if the view explicitly allows unauthenticated access
        if getattr(view_func, "login_required", True) is False:
            return self.get_response(request)
        # Enforce explicit access fules for other views
        if not getattr(view_func, "has_explicit_access", False):
            return JsonResponse({"error": "Access Denied"}, status=403)
        return self.get_response(request)
--- a/src/registrar/utility/domain_cache_helper.py
+++ b/src/registrar/utility/domain_cache_helper.py
--- a/src/registrar/views/domain_requests_json.py
+++ b/src/registrar/views/domain_requests_json.py
@ -1,5 +1,6 @@
 from django.http import JsonResponse
 from django.core.paginator import Paginator
 from registrar.decorators import grant_access, ALL
 from registrar.models import DomainRequest
 from django.utils.dateformat import format
 from django.contrib.auth.decorators import login_required
@ -7,7 +8,7 @@ from django.urls import reverse
 from django.db.models import Q
-@login_required
+@grant_access(ALL)
 def get_domain_requests_json(request):
    """Given the current request,
    get all domain requests that are associated with the request user and exclude the APPROVED ones.
--- a/src/registrar/views/domains_json.py
+++ b/src/registrar/views/domains_json.py
@ -1,6 +1,7 @@
 import logging
 from django.http import JsonResponse
 from django.core.paginator import Paginator
 from registrar.decorators import grant_access, ALL
 from registrar.models import UserDomainRole, Domain, DomainInformation, User
 from django.contrib.auth.decorators import login_required
 from django.urls import reverse
@ -9,7 +10,7 @@ from django.db.models import Q
 logger = logging.getLogger(__name__)
-@login_required
+@grant_access(ALL)
 def get_domains_json(request):
    """Given the current request,
    get all domains that are associated with the UserDomainRole object"""
--- a/src/registrar/views/index.py
+++ b/src/registrar/views/index.py
@ -1,6 +1,8 @@
 from django.shortcuts import render
 from registrar.decorators import grant_access, ALL
@grant_access(ALL)
 def index(request):
    """This page is available to anyone without logging in."""
    context = {}