TMSS-1218: move permission logging to debug level

3cff27ce · Jörn Künsemöller · b662d4c6 · 3cff27ce · 3cff27ce
Commit 3cff27ce authored 3 years ago by Jörn Künsemöller
--- a/SAS/TMSS/backend/src/tmss/authentication_backends.py
+++ b/SAS/TMSS/backend/src/tmss/authentication_backends.py
@@ -55,13 +55,13 @@ class TMSSOIDCAuthenticationBackend(OIDCAuthenticationBackend):
                        logger.error('could not handle entitlement=%s because no system role / group exists that matches the entitlement role=%s' % (entitlement, role_name))
            except Exception as e:
                logger.error('could not handle entitlement=%s because of exception=%s' % (entitlement, e))
-        logger.info("### assigned groups=%s to user=%s" % (groups, user))
+        logger.info("assigned groups=%s to user=%s" % (groups, user))
        user.groups.set(groups)
        user.save()

    def create_user(self, claims):
        user = super(TMSSOIDCAuthenticationBackend, self).create_user(claims)
-        logger.info('### create user=%s claims=%s' % (user, claims))
+        logger.info('create user=%s claims=%s' % (user, claims))
        # take some more user details from claims  # todo: check GDPR compliance!
        user.first_name = claims.get('given_name', user.first_name)
        user.last_name = claims.get('family_name', user.last_name)
@@ -72,7 +72,7 @@ class TMSSOIDCAuthenticationBackend(OIDCAuthenticationBackend):
        return user

    def update_user(self, user, claims):
-        logger.info('### update user=%s claims=%s' % (user, claims))
+        logger.info('update user=%s claims=%s' % (user, claims))
        self._set_user_project_roles_from_claims(user, claims)
        self._set_user_system_roles_from_claims(user, claims)
        return user
--- a/SAS/TMSS/backend/src/tmss/tmssapp/viewsets/permissions.py
+++ b/SAS/TMSS/backend/src/tmss/tmssapp/viewsets/permissions.py
@@ -65,8 +65,8 @@ class IsProjectMember(drf_permissions.DjangoObjectPermissions):
        # GET detail, PATCH, and DELETE
        # we always have permission as superuser (e.g. in test environment, where a regular user is created to test permission specifically)
        if request.user.is_superuser:
-            logger.info("IsProjectMember: User=%s is superuser. Not enforcing project permissions!" % request.user)
-            logger.info('### IsProjectMember.has_object_permission %s %s True' % (request._request, request.method))
+            logger.debug("IsProjectMember: User=%s is superuser. Not enforcing project permissions!" % request.user)
+            logger.debug('IsProjectMember.has_object_permission %s %s True' % (request._request, request.method))
            return True

        # todo: do we want to restrict access for that as well? Then we add it to the ProjectPermission model, but it seems cumbersome...?
@@ -96,8 +96,8 @@ class IsProjectMember(drf_permissions.DjangoObjectPermissions):
            if related_project:
                if project_role['project'] == related_project.name and \
                        models.ProjectRole.objects.get(value=project_role['role']) in permitted_project_roles:
-                    logger.info('user=%s is permitted to access object=%s' % (request.user, obj))
-                    logger.info('### IsProjectMember.has_object_permission %s %s True' % (request._request, request.method))
+                    logger.debug('user=%s is permitted to access object=%s' % (request.user, obj))
+                    logger.debug('IsProjectMember.has_object_permission %s %s True' % (request._request, request.method))
                    return True
            else:
                logger.error("No project property on object %s, so cannot check project permission." % obj)
@@ -109,8 +109,8 @@ class IsProjectMember(drf_permissions.DjangoObjectPermissions):
                    logger.warning("'%s' is a Template and action is '%s' so granting object access nonetheless." % (obj, view.action))
                    return True

-        logger.info('User=%s is not permitted to access object=%s with related project=%s since it requires one of project_roles=%s' % (request.user, obj, related_project, permitted_project_roles))
-        logger.info('### IsProjectMember.has_object_permission %s False' % (request._request))
+        logger.debug('User=%s is not permitted to access object=%s with related project=%s since it requires one of project_roles=%s' % (request.user, obj, related_project, permitted_project_roles))
+        logger.debug('IsProjectMember.has_object_permission %s False' % (request._request))
        return False

    def has_permission(self, request, view):
@@ -231,7 +231,7 @@ class IsProjectMemberFilterBackend(drf_filters.BaseFilterBackend):

        # we don't filer for superuser (e.g. in test environment, where a regular user is created to test filtering specifically)
        if request.user.is_superuser:
-            logger.info("IsProjectMemberFilterBackend: User=%s is superuser. Not enforcing project permissions!" % request.user)
+            logger.debug("IsProjectMemberFilterBackend: User=%s is superuser. Not enforcing project permissions!" % request.user)
            return queryset

        # determine what project roles a user has