define permissions in views directly

src/ahriman/core/auth/auth.py

@@ -33,16 +33,11 @@ from ahriman.models.user_access import UserAccess
 class Auth:
     """
     helper to deal with user authorization
-    :ivar allowed_paths: URI paths which can be accessed without authorization
-    :ivar allowed_paths_groups: URI paths prefixes which can be accessed without authorization
+    :ivar allow_read_only: allow read only access to the index page
     :ivar enabled: indicates if authorization is enabled
-    :cvar ALLOWED_PATHS: URI paths which can be accessed without authorization, predefined
-    :cvar ALLOWED_PATHS_GROUPS: URI paths prefixes which can be accessed without authorization, predefined
+    :ivar max_age: session age in seconds. It will be used for both client side and server side checks
     """
 
-    ALLOWED_PATHS = {"/", "/index.html"}
-    ALLOWED_PATHS_GROUPS = {"/static", "/user-api"}
-
     def __init__(self, configuration: Configuration, provider: AuthSettings = AuthSettings.Disabled) -> None:
         """
         default constructor
@@ -52,10 +47,7 @@ class Auth:
         self.logger = logging.getLogger("http")
 
         self.allow_read_only = configuration.getboolean("auth", "allow_read_only")
-        self.allowed_paths = set(configuration.getlist("auth", "allowed_paths", fallback=[]))
-        self.allowed_paths.update(self.ALLOWED_PATHS)
-        self.allowed_paths_groups = set(configuration.getlist("auth", "allowed_paths_groups", fallback=[]))
-        self.allowed_paths_groups.update(self.ALLOWED_PATHS_GROUPS)
+
         self.enabled = provider.is_enabled
         self.max_age = configuration.getint("auth", "max_age", fallback=7 * 24 * 3600)
 
@@ -115,19 +107,6 @@ class Auth:
         del username, password
         return True
 
-    async def is_safe_request(self, uri: Optional[str], required: UserAccess) -> bool:
-        """
-        check if requested path are allowed without authorization
-        :param uri: request uri
-        :param required: required access level
-        :return: True in case if this URI can be requested without authorization and False otherwise
-        """
-        if required == UserAccess.Read and self.allow_read_only:
-            return True  # in case if read right requested and allowed in options
-        if not uri:
-            return False  # request without context is not allowed
-        return uri in self.allowed_paths or any(uri.startswith(path) for path in self.allowed_paths_groups)
-
     async def known_username(self, username: Optional[str]) -> bool:  # pylint: disable=no-self-use
         """
         check if user is known

src/ahriman/models/user_access.py

@@ -23,9 +23,11 @@ from enum import Enum
 class UserAccess(Enum):
     """
     web user access enumeration
-    :cvar Read: user can read status page
+    :cvar Safe: user can access the page without authorization, should not be user for user configuration
+    :cvar Read: user can read the page
     :cvar Write: user can modify task and package list
     """
 
+    Safe = "safe"
     Read = "read"
     Write = "write"

src/ahriman/web/middlewares/auth_handler.py

@@ -19,10 +19,12 @@
 #
 import aiohttp_security  # type: ignore
 import base64
+import types
 
 from aiohttp import web
 from aiohttp.web import middleware, Request
 from aiohttp.web_response import StreamResponse
+from aiohttp.web_urldispatcher import StaticResource
 from aiohttp_session import setup as setup_session  # type: ignore
 from aiohttp_session.cookie_storage import EncryptedCookieStorage  # type: ignore
 from cryptography import fernet
@@ -72,20 +74,22 @@ class AuthorizationPolicy(aiohttp_security.AbstractAuthorizationPolicy):  # type
         return await self.validator.verify_access(user.username, permission, context)
 
 
-def auth_handler(validator: Auth) -> MiddlewareType:
+def auth_handler() -> MiddlewareType:
     """
     authorization and authentication middleware
-    :param validator: authorization module instance
     :return: built middleware
     """
     @middleware
     async def handle(request: Request, handler: HandlerType) -> StreamResponse:
-        if request.method in ("GET", "HEAD", "OPTIONS"):
-            permission = UserAccess.Read
+        permission_method = getattr(handler, "get_permission", None)
+        if permission_method is not None:
+            permission = await permission_method(request)
+        elif isinstance(handler, types.MethodType):  # additional wrapper for static resources
+            handler_instance = getattr(handler, "__self__", None)
+            permission = UserAccess.Safe if isinstance(handler_instance, StaticResource) else UserAccess.Write
         else:
             permission = UserAccess.Write
-
-        if not await validator.is_safe_request(request.path, permission):
+        if permission != UserAccess.Safe:
             await aiohttp_security.check_permission(request, permission, request.path)
 
         return await handler(request)
@@ -109,6 +113,6 @@ def setup_auth(application: web.Application, validator: Auth) -> web.Application
     identity_policy = aiohttp_security.SessionIdentityPolicy()
 
     aiohttp_security.setup(application, identity_policy, authorization_policy)
-    application.middlewares.append(auth_handler(validator))
+    application.middlewares.append(auth_handler())
 
     return application

src/ahriman/web/views/base.py

@@ -17,13 +17,16 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-from aiohttp.web import View
-from typing import Any, Dict, List, Optional
+from __future__ import annotations
+
+from aiohttp.web import Request, View
+from typing import Any, Dict, List, Optional, Type
 
 from ahriman.core.auth.auth import Auth
 from ahriman.core.configuration import Configuration
 from ahriman.core.spawn import Spawn
 from ahriman.core.status.watcher import Watcher
+from ahriman.models.user_access import UserAccess
 
 
 class BaseView(View):
@@ -63,6 +66,16 @@ class BaseView(View):
         validator: Auth = self.request.app["validator"]
         return validator
 
+    @classmethod
+    async def get_permission(cls: Type[BaseView], request: Request) -> UserAccess:
+        """
+        retrieve user permission from the request
+        :param request: request object
+        :return: extracted permission
+        """
+        permission: UserAccess = getattr(cls, f"{request.method.upper()}_PERMISSION", UserAccess.Write)
+        return permission
+
     async def extract_data(self, list_keys: Optional[List[str]] = None) -> Dict[str, Any]:
         """
         extract json data from either json or form data

src/ahriman/web/views/index.py

@@ -24,12 +24,15 @@ from typing import Any, Dict
 from ahriman import version
 from ahriman.core.auth.helpers import authorized_userid
 from ahriman.core.util import pretty_datetime
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class IndexView(BaseView):
     """
     root view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
 
     It uses jinja2 templates for report generation, the following variables are allowed:
 
@@ -58,6 +61,8 @@ class IndexView(BaseView):
         version - ahriman version, string, required
     """
 
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Safe
+
     @aiohttp_jinja2.template("build-status.jinja2")
     async def get(self) -> Dict[str, Any]:
         """

src/ahriman/web/views/service/add.py

@@ -19,14 +19,18 @@
 #
 from aiohttp.web import HTTPFound, Response, json_response
 
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class AddView(BaseView):
     """
     add package web view
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    POST_PERMISSION = UserAccess.Write
+
     async def post(self) -> Response:
         """
         add new package

src/ahriman/web/views/service/reload_auth.py

@@ -17,18 +17,21 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-from aiohttp.web import Response
-from aiohttp.web_exceptions import HTTPNoContent
+from aiohttp.web import HTTPNoContent, Response
 
 from ahriman.core.auth.auth import Auth
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class ReloadAuthView(BaseView):
     """
     reload authentication module web view
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    POST_PERMISSION = UserAccess.Write
+
     async def post(self) -> Response:
         """
         reload authentication module. No parameters supported here

src/ahriman/web/views/service/remove.py

@@ -19,14 +19,18 @@
 #
 from aiohttp.web import HTTPFound, Response, json_response
 
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class RemoveView(BaseView):
     """
     remove package web view
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    POST_PERMISSION = UserAccess.Write
+
     async def post(self) -> Response:
         """
         remove existing packages

src/ahriman/web/views/service/search.py

@@ -22,14 +22,19 @@ import aur  # type: ignore
 from aiohttp.web import Response, json_response
 from typing import Callable, Iterator
 
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class SearchView(BaseView):
     """
     AUR search web view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
     """
 
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Read
+
     async def get(self) -> Response:
         """
         search packages in AUR

src/ahriman/web/views/status/ahriman.py

@@ -20,14 +20,21 @@
 from aiohttp.web import HTTPNoContent, Response, json_response
 
 from ahriman.models.build_status import BuildStatusEnum
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class AhrimanView(BaseView):
     """
     service status web view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Read
+    POST_PERMISSION = UserAccess.Write
+
     async def get(self) -> Response:
         """
         get current service status

src/ahriman/web/views/status/package.py

@@ -22,14 +22,22 @@ from aiohttp.web import HTTPNoContent, HTTPNotFound, Response, json_response
 from ahriman.core.exceptions import UnknownPackage
 from ahriman.models.build_status import BuildStatusEnum
 from ahriman.models.package import Package
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class PackageView(BaseView):
     """
     package base specific web view
+    :cvar DELETE_PERMISSION: delete permissions of self
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    DELETE_PERMISSION = POST_PERMISSION = UserAccess.Write
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Read
+
     async def get(self) -> Response:
         """
         get current package base status

src/ahriman/web/views/status/packages.py

@@ -19,14 +19,21 @@
 #
 from aiohttp.web import HTTPNoContent, Response, json_response
 
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class PackagesView(BaseView):
     """
     global watcher view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Read
+    POST_PERMISSION = UserAccess.Write
+
     async def get(self) -> Response:
         """
         get current packages status

src/ahriman/web/views/status/status.py

@@ -22,14 +22,19 @@ from aiohttp.web import Response, json_response
 from ahriman import version
 from ahriman.models.counters import Counters
 from ahriman.models.internal_status import InternalStatus
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class StatusView(BaseView):
     """
     web service status web view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
     """
 
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Read
+
     async def get(self) -> Response:
         """
         get current service status

src/ahriman/web/views/user/login.py

@@ -20,6 +20,7 @@
 from aiohttp.web import HTTPFound, HTTPMethodNotAllowed, HTTPUnauthorized, Response
 
 from ahriman.core.auth.helpers import remember
+from ahriman.models.user_access import UserAccess
 from ahriman.models.user_identity import UserIdentity
 from ahriman.web.views.base import BaseView
 
@@ -27,8 +28,12 @@ from ahriman.web.views.base import BaseView
 class LoginView(BaseView):
     """
     login endpoint view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    GET_PERMISSION = POST_PERMISSION = UserAccess.Safe
+
     async def get(self) -> Response:
         """
         OAuth2 response handler

src/ahriman/web/views/user/logout.py

@@ -20,14 +20,18 @@
 from aiohttp.web import HTTPFound, Response
 
 from ahriman.core.auth.helpers import check_authorized, forget
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class LogoutView(BaseView):
     """
     logout endpoint view
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    POST_PERMISSION = UserAccess.Safe
+
     async def post(self) -> Response:
         """
         logout user from the service. No parameters supported here