Mirrors/overte-lubosz
3
0
Fork 0
mirror of https://github.com/lubosz/overte.git synced 2025-04-23 09:33:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

code review

Browse source
This commit is contained in:
Seth Alves 2016-07-27 07:55:09 -07:00
parent b9fb4e91d6
commit 148793011d
5 changed files with 46 additions and 75 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
domain-server/resources/describe-settings.json
View file

@ -463,7 +463,7 @@
"span": 2
},
{
"label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users in specific groups can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users in specific groups can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users in specific groups can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users in specific groups can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether user in specific groups can connect even if the domain has reached or exceeded its maximum allowed agents.</li></ul><p>Permissions granted to a specific user will be a union of the permissions granted to the groups they are in. Group permissions are only granted if the user doesn&rsquo;t have their own row in the per-account section, below.</p>'>?</a>",
"label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users in specific groups can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users in specific groups can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users in specific groups can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users in specific groups can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether user in specific groups can connect even if the domain has reached or exceeded its maximum allowed agents.</li></ul><p>Permissions granted to a specific user will be a union of the permissions granted to the groups they are in, as well as permissions from the previous section. Group permissions are only granted if the user doesn&rsquo;t have their own row in the per-account section, below.</p>'>?</a>",
"span": 6
}
],
@ -639,7 +639,7 @@
"span": 1
},
{
"label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether a user can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether a user change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether a user can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether a user can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether a user can connect even if the domain has reached or exceeded its maximum allowed agents.</li></ul><p>Note that permissions assigned to a specific user will supersede any parameter-level permissions that might otherwise apply to that user.</p>'>?</a>",
"label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether a user can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether a user change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether a user can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether a user can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether a user can connect even if the domain has reached or exceeded its maximum allowed agents.</li></ul><p>Note that permissions assigned to a specific user will supersede any parameter-level or group permissions that might otherwise apply to that user.</p>'>?</a>",
"span": 6
}
],

73
domain-server/src/DomainGatekeeper.cpp
View file

@ -126,37 +126,37 @@ NodePermissions DomainGatekeeper::applyPermissionsForUser(bool isLocalUser,
if (isLocalUser) {
userPerms |= _server->_settingsManager.getStandardPermissionsForName(NodePermissions::standardNameLocalhost);
#ifdef WANT_DEBUG
#ifdef WANT_DEBUG
qDebug() << "| user-permissions: is local user, so:" << userPerms;
#endif
#endif
}
if (verifiedUsername.isEmpty()) {
userPerms |= _server->_settingsManager.getStandardPermissionsForName(NodePermissions::standardNameAnonymous);
#ifdef WANT_DEBUG
#ifdef WANT_DEBUG
qDebug() << "| user-permissions: unverified or no username for" << userPerms.getID() << ", so:" << userPerms;
#endif
#endif
} else {
if (_server->_settingsManager.havePermissionsForName(verifiedUsername)) {
userPerms = _server->_settingsManager.getPermissionsForName(verifiedUsername);
userPerms.setVerifiedUserName(verifiedUsername);
#ifdef WANT_DEBUG
#ifdef WANT_DEBUG
qDebug() << "| user-permissions: specific user matches, so:" << userPerms;
#endif
#endif
} else {
userPerms.setVerifiedUserName(verifiedUsername);
// they are logged into metaverse, but we don't have specific permissions for them.
userPerms |= _server->_settingsManager.getStandardPermissionsForName(NodePermissions::standardNameLoggedIn);
#ifdef WANT_DEBUG
#ifdef WANT_DEBUG
qDebug() << "| user-permissions: user is logged-into metaverse, so:" << userPerms;
#endif
#endif
// if this user is a friend of the domain-owner, give them friend's permissions
if (_domainOwnerFriends.contains(verifiedUsername)) {
userPerms |= _server->_settingsManager.getStandardPermissionsForName(NodePermissions::standardNameFriends);
#ifdef WANT_DEBUG
#ifdef WANT_DEBUG
qDebug() << "| user-permissions: user is friends with domain-owner, so:" << userPerms;
#endif
#endif
}
// if this user is a known member of a group, give them the implied permissions
@ -166,10 +166,10 @@ NodePermissions DomainGatekeeper::applyPermissionsForUser(bool isLocalUser,
userPerms |= _server->_settingsManager.getPermissionsForGroup(groupID, rankID);
GroupRank rank = _server->_settingsManager.getGroupRank(groupID, rankID);
#ifdef WANT_DEBUG
#ifdef WANT_DEBUG
qDebug() << "| user-permissions: user is in group:" << groupID << " rank:"
<< rank.name << "so:" << userPerms;
#endif
#endif
}
}
@ -182,19 +182,19 @@ NodePermissions DomainGatekeeper::applyPermissionsForUser(bool isLocalUser,
userPerms &= ~_server->_settingsManager.getForbiddensForGroup(groupID, rankID);
GroupRank rank = _server->_settingsManager.getGroupRank(groupID, rankID);
#ifdef WANT_DEBUG
#ifdef WANT_DEBUG
qDebug() << "| user-permissions: user is in blacklist group:" << groupID << " rank:" << rank.name
<< "so:" << userPerms;
#endif
#endif
}
}
}
}
}
#ifdef WANT_DEBUG
#ifdef WANT_DEBUG
qDebug() << "| user-permissions: final:" << userPerms;
#endif
#endif
return userPerms;
}
@ -529,7 +529,7 @@ void DomainGatekeeper::requestUserPublicKey(const QString& username) {
// public-key request for this username is already flight, not rerequesting
return;
}
_inFlightPublicKeyRequests[lowerUsername] = true;
_inFlightPublicKeyRequests += lowerUsername;
// even if we have a public key for them right now, request a new one in case it has just changed
JSONCallbackParameters callbackParams;
@ -721,35 +721,6 @@ void DomainGatekeeper::processICEPingReplyPacket(QSharedPointer<ReceivedMessage>
}
}
// void DomainGatekeeper::getGroupMemberships(const QString& username) {
// // loop through the groups mentioned on the settings page and ask if this user is in each. The replies
// // will be received asynchronously and permissions will be updated as the answers come in.
// QList<QUuid> groupIDs = _server->_settingsManager.getGroupIDs() + _server->_settingsManager.getBlacklistGroupIDs();
// // TODO -- use alternative that allows checking entire group list in one call
// foreach (QUuid groupID, groupIDs) {
// if (groupID.isNull()) {
// continue;
// }
// getIsGroupMember(username, groupID);
// }
// }
// void DomainGatekeeper::getIsGroupMember(const QString& username, const QUuid groupID) {
// JSONCallbackParameters callbackParams;
// callbackParams.jsonCallbackReceiver = this;
// callbackParams.jsonCallbackMethod = "getIsGroupMemberJSONCallback";
// callbackParams.errorCallbackReceiver = this;
// callbackParams.errorCallbackMethod = "getIsGroupMemberErrorCallback";
// const QString GET_IS_GROUP_MEMBER_PATH = "api/v1/groups/%1/members/%2";
// QString groupIDStr = groupID.toString().mid(1,36);
// DependencyManager::get<AccountManager>()->sendRequest(GET_IS_GROUP_MEMBER_PATH.arg(groupIDStr).arg(username),
// AccountManagerAuth::Required,
// QNetworkAccessManager::GetOperation, callbackParams);
// }
void DomainGatekeeper::getGroupMemberships(const QString& username) {
// loop through the groups mentioned on the settings page and ask if this user is in each. The replies
// will be received asynchronously and permissions will be updated as the answers come in.
@ -839,7 +810,7 @@ void DomainGatekeeper::getDomainOwnerFriendsListJSONCallback(QNetworkReply& requ
QJsonArray friends = jsonObject["data"].toObject()["users"].toArray();
for (int i = 0; i < friends.size(); i++) {
QString friendUserName = friends.at(i).toObject()["username"].toString();
_domainOwnerFriends[friendUserName] = true;
_domainOwnerFriends += friendUserName;
}
} else {
qDebug() << "getDomainOwnerFriendsList api call returned:" << QJsonDocument(jsonObject).toJson(QJsonDocument::Compact);
@ -859,8 +830,8 @@ void DomainGatekeeper::refreshGroupsCache() {
nodeList->eachNode([&](const SharedNodePointer& node) {
if (!node->getPermissions().isAssignment) {
// this node is an agent
QString verifiedUserName = node->getPermissions().getVerifiedUserName();
if (verifiedUserName != "") {
const QString& verifiedUserName = node->getPermissions().getVerifiedUserName();
if (verifiedUserName.isEmpty()) {
getGroupMemberships(verifiedUserName);
}
agentCount++;
@ -873,7 +844,7 @@ void DomainGatekeeper::refreshGroupsCache() {
updateNodePermissions();
#if WANT_DEBUG
#if WANT_DEBUG
_server->_settingsManager.debugDumpGroupsState();
#endif
#endif
}

4
domain-server/src/DomainGatekeeper.h
View file

@ -102,8 +102,8 @@ private:
QHash<QString, QUuid> _connectionTokenHash;
QHash<QString, QByteArray> _userPublicKeys;
QHash<QString, bool> _inFlightPublicKeyRequests; // keep track of which we've already asked for
QHash<QString, bool> _domainOwnerFriends; // keep track of friends of the domain owner
QSet<QString> _inFlightPublicKeyRequests; // keep track of which we've already asked for
QSet<QString> _domainOwnerFriends; // keep track of friends of the domain owner
NodePermissions applyPermissionsForUser(bool isLocalUser, NodePermissions userPerms, QString verifiedUsername);
void getGroupMemberships(const QString& username);

32
domain-server/src/DomainServerSettingsManager.cpp
View file

@ -1164,17 +1164,17 @@ QStringList DomainServerSettingsManager::getAllKnownGroupNames() {
// extract all the group names from the group-permissions and group-forbiddens settings
QSet<QString> result;
QHashIterator<NodePermissionsKey, NodePermissionsPointer> i_permissions(_groupPermissions.get());
while (i_permissions.hasNext()) {
i_permissions.next();
NodePermissionsKey key = i_permissions.key();
QHashIterator<NodePermissionsKey, NodePermissionsPointer> i(_groupPermissions.get());
while (i.hasNext()) {
i.next();
NodePermissionsKey key = i.key();
result += key.first;
}
QHashIterator<NodePermissionsKey, NodePermissionsPointer> i_forbiddens(_groupForbiddens.get());
while (i_forbiddens.hasNext()) {
i_forbiddens.next();
NodePermissionsKey key = i_forbiddens.key();
QHashIterator<NodePermissionsKey, NodePermissionsPointer> j(_groupForbiddens.get());
while (j.hasNext()) {
j.next();
NodePermissionsKey key = j.key();
result += key.first;
}
@ -1186,20 +1186,20 @@ bool DomainServerSettingsManager::setGroupID(const QString& groupName, const QUu
_groupIDs[groupName.toLower()] = groupID;
_groupNames[groupID] = groupName;
QHashIterator<NodePermissionsKey, NodePermissionsPointer> i_permissions(_groupPermissions.get());
while (i_permissions.hasNext()) {
i_permissions.next();
NodePermissionsPointer perms = i_permissions.value();
QHashIterator<NodePermissionsKey, NodePermissionsPointer> i(_groupPermissions.get());
while (i.hasNext()) {
i.next();
NodePermissionsPointer perms = i.value();
if (perms->getID().toLower() == groupName.toLower() && !perms->isGroup()) {
changed = true;
perms->setGroupID(groupID);
}
}
QHashIterator<NodePermissionsKey, NodePermissionsPointer> i_forbiddens(_groupForbiddens.get());
while (i_forbiddens.hasNext()) {
i_forbiddens.next();
NodePermissionsPointer perms = i_forbiddens.value();
QHashIterator<NodePermissionsKey, NodePermissionsPointer> j(_groupForbiddens.get());
while (j.hasNext()) {
j.next();
NodePermissionsPointer perms = j.value();
if (perms->getID().toLower() == groupName.toLower() && !perms->isGroup()) {
changed = true;
perms->setGroupID(groupID);

8
libraries/networking/src/NodePermissions.h
View file

@ -33,17 +33,17 @@ public:
NodePermissions(const NodePermissionsKey& key) { _id = key.first.toLower(); _rankID = key.second; }
NodePermissions(QMap<QString, QVariant> perms);
QString getID() const { return _id; } // a user-name or a group-name, not verified
const QString& getID() const { return _id; } // a user-name or a group-name, not verified
void setRankID(QUuid& rankID) { _rankID = rankID; }
QUuid getRankID() const { return _rankID; }
const QUuid& getRankID() const { return _rankID; }
NodePermissionsKey getKey() const { return NodePermissionsKey(_id, _rankID); }
// the _id member isn't authenticated/verified and _username is.
void setVerifiedUserName(QString userName) { _verifiedUserName = userName.toLower(); }
QString getVerifiedUserName() const { return _verifiedUserName; }
const QString& getVerifiedUserName() const { return _verifiedUserName; }
void setGroupID(QUuid groupID) { _groupID = groupID; if (!groupID.isNull()) { _groupIDSet = true; }}
QUuid getGroupID() const { return _groupID; }
const QUuid& getGroupID() const { return _groupID; }
bool isGroup() const { return _groupIDSet; }
bool isAssignment { false };