Cleaned up object perms

2026-01-26 23:55:58 +00:00
parent 9cf782ffd6
commit 56caa194ec
9 changed files with 109 additions and 26 deletions
--- a/app/apps/access/admin.py
+++ b/app/apps/access/admin.py
@@ -22,6 +22,9 @@ class AccessRequestAdmin(GuardedModelAdmin):
        "requester",
        "server",
        "status",
+        "request_shell",
+        "request_logs",
+        "request_users",
        "requested_at",
        "expires_at",
        "decided_by",
@@ -50,6 +53,9 @@ class AccessRequestAdmin(GuardedModelAdmin):
                            "server",
                            "status",
                            "reason",
+                            "request_shell",
+                            "request_logs",
+                            "request_users",
                            "expires_at",
                        )
                    },
@@ -64,6 +70,9 @@ class AccessRequestAdmin(GuardedModelAdmin):
                        "server",
                        "status",
                        "reason",
+                        "request_shell",
+                        "request_logs",
+                        "request_users",
                        "expires_at",
                    )
                },
--- a/app/apps/access/migrations/0002_remove_delete_permission.py
+++ b/app/apps/access/migrations/0002_remove_delete_permission.py
@@ -0,0 +1,37 @@
+from django.db import migrations, models
+
+
+def remove_delete_accessrequest_perm(apps, schema_editor):
+    Permission = apps.get_model("auth", "Permission")
+    ContentType = apps.get_model("contenttypes", "ContentType")
+    try:
+        content_type = ContentType.objects.get(app_label="access", model="accessrequest")
+    except ContentType.DoesNotExist:
+        return
+    Permission.objects.filter(content_type=content_type, codename="delete_accessrequest").delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("access", "0001_initial"),
+        ("auth", "__latest__"),
+        ("contenttypes", "__latest__"),
+    ]
+
+    operations = [
+        migrations.RunPython(remove_delete_accessrequest_perm, migrations.RunPython.noop),
+        migrations.AlterModelOptions(
+            name="accessrequest",
+            options={
+                "verbose_name": "Access request",
+                "verbose_name_plural": "Access requests",
+                "default_permissions": ("add", "view", "change"),
+                "indexes": [
+                    models.Index(fields=["status", "requested_at"], name="acc_req_status_req_idx"),
+                    models.Index(fields=["server", "status"], name="acc_req_server_status_idx"),
+                ],
+                "ordering": ["-requested_at"],
+            },
+        ),
+    ]
--- a/app/apps/access/migrations/0003_access_request_options.py
+++ b/app/apps/access/migrations/0003_access_request_options.py
@@ -0,0 +1,26 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("access", "0002_remove_delete_permission"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="accessrequest",
+            name="request_shell",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name="accessrequest",
+            name="request_logs",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name="accessrequest",
+            name="request_users",
+            field=models.BooleanField(default=False),
+        ),
+    ]
--- a/app/apps/access/models.py
+++ b/app/apps/access/models.py
@@ -28,6 +28,9 @@ class AccessRequest(models.Model):
        max_length=16, choices=Status.choices, default=Status.PENDING, db_index=True
    )
    reason = models.TextField(blank=True)
+    request_shell = models.BooleanField(default=False)
+    request_logs = models.BooleanField(default=False)
+    request_users = models.BooleanField(default=False)
    requested_at = models.DateTimeField(default=timezone.now, editable=False)
    decided_at = models.DateTimeField(null=True, blank=True)
    expires_at = models.DateTimeField(null=True, blank=True)
@@ -42,6 +45,7 @@ class AccessRequest(models.Model):
    class Meta:
        verbose_name = "Access request"
        verbose_name_plural = "Access requests"
+        default_permissions = ("add", "view", "change")
        indexes = [
            models.Index(fields=["status", "requested_at"], name="acc_req_status_req_idx"),
            models.Index(fields=["server", "status"], name="acc_req_server_status_idx"),
--- a/app/apps/access/signals.py
+++ b/app/apps/access/signals.py
@@ -16,11 +16,7 @@ def assign_access_request_perms(sender, instance: AccessRequest, created: bool,
        return
    if instance.requester_id:
        user = instance.requester
-        for perm in (
-            "access.view_accessrequest",
-            "access.change_accessrequest",
-            "access.delete_accessrequest",
-        ):
+        for perm in ("access.view_accessrequest", "access.change_accessrequest"):
            assign_perm(perm, user, instance)
    assign_default_object_permissions(instance)
    sync_server_view_perm(instance)
--- a/app/apps/core/management/commands/sync_object_perms.py
+++ b/app/apps/core/management/commands/sync_object_perms.py
@@ -20,7 +20,6 @@ class Command(BaseCommand):
                for perm in (
                    "access.view_accessrequest",
                    "access.change_accessrequest",
-                    "access.delete_accessrequest",
                ):
                    assign_perm(perm, access_request.requester, access_request)
                assign_default_object_permissions(access_request)
--- a/app/apps/core/rbac.py
+++ b/app/apps/core/rbac.py
@@ -5,11 +5,9 @@ from guardian.shortcuts import assign_perm
 from ninja.errors import HttpError

 ROLE_ADMIN = "administrator"
-ROLE_OPERATOR = "operator"
-ROLE_AUDITOR = "auditor"
 ROLE_USER = "user"

-ROLE_ORDER = (ROLE_ADMIN, ROLE_OPERATOR, ROLE_AUDITOR, ROLE_USER)
+ROLE_ORDER = (ROLE_ADMIN, ROLE_USER)
 ROLE_ALL = ROLE_ORDER
 ROLE_ALIASES = {"admin": ROLE_ADMIN}
 ROLE_INPUTS = tuple(sorted(set(ROLE_ORDER) | set(ROLE_ALIASES.keys())))
@@ -20,21 +18,7 @@ def _model_perms(app_label: str, model: str, actions: list[str]) -> list[str]:

 ROLE_PERMISSIONS = {
    ROLE_ADMIN: [],
-    ROLE_OPERATOR: [
-        *_model_perms("servers", "server", ["view"]),
-        *_model_perms("access", "accessrequest", ["add", "view", "change", "delete"]),
-        *_model_perms("keys", "sshkey", ["add", "view", "change", "delete"]),
-        *_model_perms("telemetry", "telemetryevent", ["add", "view"]),
-        *_model_perms("audit", "auditlog", ["view"]),
-        *_model_perms("audit", "auditeventtype", ["view"]),
-        *_model_perms("auth", "user", ["add", "view"]),
-    ],
-    ROLE_AUDITOR: [
-        *_model_perms("audit", "auditlog", ["view"]),
-        *_model_perms("audit", "auditeventtype", ["view"]),
-    ],
    ROLE_USER: [
-        *_model_perms("servers", "server", ["view"]),
        *_model_perms("access", "accessrequest", ["add"]),
        *_model_perms("keys", "sshkey", ["add"]),
    ],
@@ -132,9 +116,6 @@ def set_user_role(user, role: str) -> str:
    if canonical == ROLE_ADMIN:
        user.is_staff = True
        user.is_superuser = True
-    elif canonical in {ROLE_OPERATOR, ROLE_AUDITOR}:
-        user.is_staff = True
-        user.is_superuser = False
    else:
        user.is_staff = False
        user.is_superuser = False