MCPcopy
hub / github.com/dgraph-io/dgraph / authorizeAlter

Function authorizeAlter

edgraph/access.go:663–738  ·  view source on GitHub ↗

authorizeAlter parses the Schema in the operation and authorizes the operation using the worker.AclCachePtr. It will return error if any one of the predicates specified in alter are not authorized.

(ctx context.Context, op *api.Operation)

Source from the content-addressed store, hash-verified

661// using the worker.AclCachePtr. It will return error if any one of the predicates
662// specified in alter are not authorized.
663func authorizeAlter(ctx context.Context, op *api.Operation) error {
664 if worker.Config.AclSecretKey == nil {
665 // the user has not turned on the acl feature
666 return nil
667 }
668
669 // extract the list of predicates from the operation object
670 var preds []string
671 switch {
672 case len(op.DropAttr) > 0:
673 preds = []string{op.DropAttr}
674 case op.DropOp == api.Operation_ATTR && len(op.DropValue) > 0:
675 preds = []string{op.DropValue}
676 default:
677 update, err := schema.Parse(op.Schema)
678 if err != nil {
679 return err
680 }
681
682 for _, u := range update.Preds {
683 preds = append(preds, x.ParseAttr(u.Predicate))
684 }
685 }
686 var userId string
687 var groupIds []string
688
689 // doAuthorizeAlter checks if alter of all the predicates are allowed
690 // as a byproduct, it also sets the userId, groups variables
691 doAuthorizeAlter := func() error {
692 userData, err := extractUserAndGroups(ctx)
693 if err != nil {
694 // We don't follow fail open approach anymore.
695 return status.Error(codes.Unauthenticated, err.Error())
696 }
697
698 userId = userData.userId
699 groupIds = userData.groupIds
700
701 if x.IsSuperAdmin(groupIds) {
702 // Members of guardian group are allowed to alter anything.
703 return nil
704 }
705
706 // if we get here, we know the user is not a guardian.
707 if isDropAll(op) || op.DropOp == api.Operation_DATA {
708 return errors.Errorf(
709 "only guardians are allowed to drop all data, but the current user is %s", userId)
710 }
711
712 result := authorizePreds(ctx, userData, preds, acl.Modify)
713 if len(result.blocked) > 0 {
714 var msg strings.Builder
715 for key := range result.blocked {
716 x.Check2(msg.WriteString(key))
717 x.Check2(msg.WriteString(" "))
718 }
719 return status.Errorf(codes.PermissionDenied,
720 "unauthorized to alter following predicates: %s\n", msg.String())

Callers 1

validateAlterOperationFunction · 0.85

Calls 10

ParseFunction · 0.92
ParseAttrFunction · 0.92
IsSuperAdminFunction · 0.92
Check2Function · 0.92
extractUserAndGroupsFunction · 0.85
isDropAllFunction · 0.85
authorizePredsFunction · 0.85
ErrorMethod · 0.45
ErrorfMethod · 0.45
StringMethod · 0.45

Tested by

no test coverage detected