acl

def checkACL(modFuncName=None):
    """Build a decorator that gates a view behind the module/role ACL tables.

    When ``modFuncName`` is given, the wrapped callable only runs if all of
    the following hold for ``current_user``:

    1. a ``ModFuncRegisterModel`` row exists for ``modFuncName``;
    2. the ``ModRegisterModel`` row it points to exists;
    3. the user's company has that mod (``CompanyModModel``);
    4. the user holds at least one role in that company; and
    5. at least one of those roles has an ``acl='allow'`` row for the
       function in ``CompanyRoleACLModel``.

    Any failed step returns ``jsonify({'errcode': ..., 'errmsg': ...})``
    instead of calling the view.

    Security notes for reviewers:

    * ``checkACL()`` with no name performs no check at all; the view runs
      for every caller. Treat a bare ``@checkACL()`` as unprotected.
    * Only ``acl='allow'`` rows are counted; no other ``acl`` value is
      consulted here, so an allow on any one role is sufficient.
    * Denials are returned through ``jsonify`` with no explicit status
      code. NOTE(review): clients presumably must inspect ``errcode``
      rather than the HTTP status - confirm.
    * ``current_user`` attributes are read without an authentication
      check in this decorator. NOTE(review): presumably a login guard is
      applied before it - confirm.
    """
    def _check(f):
        @wraps(f)
        def wrapper(*args, **kwargs):
            # No function name configured: nothing to enforce.
            if modFuncName is None:
                return f(*args, **kwargs)

            def deny(code, message):
                # Every rejection shares this two-key JSON body.
                return jsonify({'errcode': code, 'errmsg': message})

            # The function must be registered.
            registered_func = (
                ModFuncRegisterModel.query
                .filter_by(function_name=modFuncName)
                .first()
            )
            if registered_func is None:
                return deny(1, 'ModFunc not exist')

            # TODO why ModFunc exists Mod not exists?
            owning_mod = (
                ModRegisterModel.query
                .filter_by(id=registered_func.mod_id)
                .first()
            )
            if owning_mod is None:
                return deny(1, 'Mod not exist')

            # The caller's company must have the mod enabled.
            company_grant = (
                CompanyModModel.query
                .filter_by(mod_id=owning_mod.id)
                .filter_by(company_id=current_user.company_id)
                .first()
            )
            if company_grant is None:
                return deny(2, 'Company does not have this mod')

            # Collect the caller's role ids inside their own company.
            role_rows = (
                CompanyUserRoleModel.query
                .with_entities(CompanyUserRoleModel.role_id)
                .filter_by(company_id=current_user.company_id)
                .filter_by(user_id=current_user.id)
                .all()
            )
            if not role_rows:
                return deny(1, 'Permission denied')
            role_ids = [row[0] for row in role_rows]

            # At least one of those roles needs an explicit allow entry.
            allow_count = (
                CompanyRoleACLModel.query
                .filter_by(company_id=current_user.company_id)
                .filter_by(modfunc_id=registered_func.id)
                .filter_by(acl='allow')
                .filter(CompanyRoleACLModel.role_id.in_(role_ids))
                .count()
            )
            if allow_count < 1:
                return deny(1, 'Permission denied')

            return f(*args, **kwargs)
        return wrapper
    return _check

from basesite.configs import attachments
from basesite.models.sysModel import AttachmentsModel
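def attachStorage(req, form_name=None, allow_ext=None):
    """Store the files uploaded under ``form_name`` and return their ids.

    Every uploaded file is checked against ``allow_ext`` *before* anything
    is written. Previously the check ran inside the save loop, so a
    disallowed file in position N left files 1..N-1 saved through
    ``attachments.save`` and their rows flushed into the open session
    while the caller was told nothing had been stored.

    Args:
        req: Request object exposing ``files.getlist`` (the original TODO
            says it should be ``flask.request``; the type is not checked).
        form_name: Name of the multipart field. ``None`` returns ``[]``.
        allow_ext: Container of permitted extensions, compared against the
            lower-cased extension without the leading dot. ``None`` skips
            the check entirely, so callers handling untrusted uploads
            should always pass an allow-list (in lower case, otherwise an
            entry can never match).

    Returns:
        List of ``AttachmentsModel`` ids in upload order, or ``[]`` when
        ``form_name`` is ``None`` or any file has a disallowed extension.

    Security notes:
        * The extension comes from the client-supplied filename; file
          content is not inspected here.
        * ``item.filename`` is stored verbatim in the ``filename`` column.
          It is untrusted input and must be escaped wherever it is shown
          or used to build a path.
        * NOTE(review): ``attachments.save`` presumably sanitises the
          on-disk name - confirm against its implementation.
    """
    ret = []
    # TODO check req type
    # it should be flask.request

    if form_name is None:
        return ret

    uploaded_files = req.files.getlist(form_name)

    # Pass 1: validate every file so a rejection leaves no partial state.
    accepted = []
    for item in uploaded_files:
        _, ext = os.path.splitext(item.filename)
        if '.' in ext:
            # Drop the leading dot and normalise case for the comparison.
            ext = ext[1:].lower()
        if allow_ext is not None and ext not in allow_ext:
            # TODO raise exception
            return []
        accepted.append((item, ext))

    # Pass 2: persist the files and their metadata rows.
    for item, ext in accepted:
        filename = attachments.save(item)
        attach = AttachmentsModel(
            company_id=current_user.company_id,
            user_id=current_user.id,
            ext=ext,
            filename=item.filename,
            location=attachments.path(filename),
        )
        db.session.add(attach)
        # Flush so the row gets its primary key before the commit.
        db.session.flush()
        ret.append(attach.id)
    db.session.commit()
    return ret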
