annotate roundup/security.py @ 2834:3f93d4b29620

uh
author Richard Jones <richard@users.sourceforge.net>
date Wed, 27 Oct 2004 05:21:14 +0000
parents 673851f3fc0c
children 9614a101b68f
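Changesets that last touched lines of this file, as reported by the annotate view (rev, changeset, author, description):

902   b0d3d3535998  Richard Jones <richard@users.sourceforge.net>  Bugger it. Here's the current shape of the new security implementation.
905   502a5ae11cc5  Richard Jones <richard@users.sourceforge.net>  Very close now. The cgi and mailgw now use the new security API. (parents: 902)
908   a8d80ffe37cc  Richard Jones <richard@users.sourceforge.net>  Removed the unnecessary volatiledb and the related complications. (parents: 905)
909   ef9c759c243e  Richard Jones <richard@users.sourceforge.net>  Fix to hasPermission, thanks Stefan Seefeld. (parents: 908)
938   62c49e259047  Richard Jones <richard@users.sourceforge.net>  preparation for moving cgi modules around (parents: 909)
992   6003d6fa02a5  Richard Jones <richard@users.sourceforge.net>  new CGI frontend support (parents: 938)
1218  4c9882cb16a3  Richard Jones <richard@users.sourceforge.net>  more docco work (parents: 1090)
1512  9b93d140b8e6  Andrey Lebedev <kedder@users.sourceforge.net>  role names made case insensitive (parents: 1218)
1644  c98d20ba4445  Richard Jones <richard@users.sourceforge.net>  strip whitespace from Role names so "User, Admin" will work (parents: 1512)
2005  fc52d57c6c3e  Richard Jones <richard@users.sourceforge.net>  documentation cleanup (parents: 1644)
2649  1df7d4a41da4  Richard Jones <richard@users.sourceforge.net>  Buncha stuff (sorry about the large checkin): (parents: 2005)
2652  281beec48408  Alexander Smishlajev <a1s@users.sourceforge.net>  add note about new functionality to Permission class docstring; (parents: 2649)
2723  673851f3fc0c  Richard Jones <richard@users.sourceforge.net>  admin needs create too (parents: 2652)
2834  3f93d4b29620  Richard Jones <richard@users.sourceforge.net>  this revision (parents: 2723)

Source: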
"""Handle the security declarations used in Roundup trackers.
"""
__docformat__ = 'restructuredtext'

import weakref

from roundup import hyperdb

class Permission:
    ''' Defines a Permission with the attributes
        - name
        - description
        - klass (optional)
        - property (optional)
        - check function (optional)

        The klass may be unset, indicating that this permission is not
        locked to a particular class. That means there may be multiple
        Permissions for the same name for different classes.

        If property name is set, permission is restricted to that
        property only.

        If check function is set, permission is granted only when
        the function returns value interpreted as boolean true.
        The function is called with arguments db, userid, itemid.
    '''
    def __init__(self, name='', description='', klass=None,
            property=None, check=None):
        self.name = name
        self.description = description
        self.klass = klass
        self.property = property
        self.check = check

    def test(self, db, permission, classname, property, userid, itemid):
        if permission != self.name:
            return 0

        # are we checking the correct class
        if (classname is not None and self.klass is not None
                and self.klass != classname):
            return 0

        # what about property?
        if (property is not None and self.property is not None
                and self.property != property):
            return 0

        # check code
        if self.check is not None:
            if not self.check(db, userid, itemid):
                return 0

        # we have a winner
        return 1

    def __repr__(self):
        return '<Permission 0x%x %r,%r,%r,%r>'%(id(self), self.name,
            self.klass, self.property, self.check)

class Role:
    ''' Defines a Role with the attributes
        - name
        - description
        - permissions
    '''
    def __init__(self, name='', description='', permissions=None):
        self.name = name.lower()
        self.description = description
        if permissions is None:
            permissions = []
        self.permissions = permissions

    def __repr__(self):
        return '<Role 0x%x %r,%r>'%(id(self), self.name, self.permissions)

class Security:
    def __init__(self, db):
        ''' Initialise the permission and role classes, and add in the
            base roles (for admin user).
        '''
        self.db = weakref.proxy(db)  # use a weak ref to avoid circularity

        # permissions are mapped by name to a list of Permissions by class
        self.permission = {}

        # roles are mapped by name to the Role
        self.role = {}

        # the default Roles
        self.addRole(name="User", description="A regular user, no privs")
        self.addRole(name="Admin", description="An admin user, full privs")
        self.addRole(name="Anonymous", description="An anonymous user")

        ce = self.addPermission(name="Create",
            description="User may create everthing")
        self.addPermissionToRole('Admin', ce)
        ee = self.addPermission(name="Edit",
            description="User may edit everthing")
        self.addPermissionToRole('Admin', ee)
        ae = self.addPermission(name="View",
            description="User may access everything")
        self.addPermissionToRole('Admin', ae)

        # initialise the permissions and roles needed for the UIs
        from roundup.cgi import client
        client.initialiseSecurity(self)
        from roundup import mailgw
        mailgw.initialiseSecurity(self)

    def getPermission(self, permission, classname=None):
        ''' Find the Permission matching the name and for the class, if the
            classname is specified.

            Raise ValueError if there is no exact match.
        '''
        if not self.permission.has_key(permission):
            raise ValueError, 'No permission "%s" defined'%permission

        if classname:
            try:
                self.db.getclass(classname)
            except KeyError:
                raise ValueError, 'No class "%s" defined'%classname

        # look through all the permissions of the given name
        for perm in self.permission[permission]:
            # if we're passed a classname, the permission must match
            if perm.klass is not None and perm.klass == classname:
                return perm
            # otherwise the permission klass must be unset
            elif not perm.klass and not classname:
                return perm
        raise ValueError, 'No permission "%s" defined for "%s"'%(permission,
            classname)

    def hasPermission(self, permission, userid, classname=None,
            property=None, itemid=None):
        ''' Look through all the Roles, and hence Permissions, and see if
            "permission" is there for the specified classname.
        '''
        roles = self.db.user.get(userid, 'roles')
        if roles is None:
            return 0
        if itemid is not None and classname is None:
            raise ValueError, 'classname must accompany itemid'
        for rolename in [x.lower().strip() for x in roles.split(',')]:
            if not rolename or not self.role.has_key(rolename):
                continue
            # for each of the user's Roles, check the permissions
            for perm in self.role[rolename].permissions:
                # permission name match?
                if perm.test(self.db, permission, classname, property,
                        userid, itemid):
                    return 1
        return 0

    def hasNodePermission(self, classname, nodeid, **propspec):
        ''' Check the named properties of the given node to see if the
            userid appears in them. If it does, then the user is granted
            this permission check.

            'propspec' consists of a set of properties and values that
            must be present on the given node for access to be granted.

            If a property is a Link, the value must match the property
            value. If a property is a Multilink, the value must appear
            in the Multilink list.
        '''
        klass = self.db.getclass(classname)
        properties = klass.getprops()
        for k,v in propspec.items():
            value = klass.get(nodeid, k)
            if isinstance(properties[k], hyperdb.Multilink):
                if v not in value:
                    return 0
            else:
                if v != value:
                    return 0
        return 1

b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
183 def addPermission(self, **propspec):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
184 ''' Create a new Permission with the properties defined in
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
185 'propspec'
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
186 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
187 perm = Permission(**propspec)
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
188 self.permission.setdefault(perm.name, []).append(perm)
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
189 return perm
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
190
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
191 def addRole(self, **propspec):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
192 ''' Create a new Role with the properties defined in 'propspec'
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
193 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
194 role = Role(**propspec)
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
195 self.role[role.name] = role
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
196 return role
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
197
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
198 def addPermissionToRole(self, rolename, permission):
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
199 ''' Add the permission to the role's permission list.
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
200
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
201 'rolename' is the name of the role to add the permission to.
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
202 '''
1512
9b93d140b8e6 role names made case insensitive
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1218
diff changeset
203 role = self.role[rolename.lower()]
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
204 role.permissions.append(permission)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
205
2652
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
206 # vim: set filetype=python sts=4 sw=4 et si :
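
Added example (not part of roundup/security.py or the Roundup project): a stand-alone model of the property-matching loop at source lines 171-181, showing that a Multilink is matched by membership, that a value of the wrong type fails closed, and that an empty propspec matches every node. Link, Multilink, FakeClass, node_matches, node_matches_strict and the sample issue are constructed stand-ins, not Roundup's hyperdb API.

```python
# Added illustration: a stand-alone model of the property-matching loop at
# source lines 171-181. Link, Multilink and FakeClass are constructed
# stand-ins, not Roundup's hyperdb classes.

class Link:
    pass

class Multilink:
    pass

class FakeClass:
    """Hypothetical node store exposing only getprops() and get()."""
    def __init__(self, props, nodes):
        self._props, self._nodes = props, nodes

    def getprops(self):
        return self._props

    def get(self, nodeid, propname):
        return self._nodes[nodeid][propname]

def node_matches(klass, nodeid, **propspec):
    """Same decision logic as the listing: every propspec entry must match."""
    properties = klass.getprops()
    for name, wanted in propspec.items():
        value = klass.get(nodeid, name)
        if isinstance(properties[name], Multilink):
            if wanted not in value:       # Multilink: membership test
                return False
        elif wanted != value:             # anything else: plain equality
            return False
    return True                           # also reached when propspec is empty

def node_matches_strict(klass, nodeid, **propspec):
    """Caller-side guard (an addition): treat an empty propspec as an error."""
    if not propspec:
        raise ValueError("empty propspec would match every node")
    return node_matches(klass, nodeid, **propspec)

# Constructed sample: issue "1" is assigned to user "3"; users "3" and "5" watch it.
ISSUES = FakeClass(
    {"assignedto": Link(), "nosy": Multilink()},
    {"1": {"assignedto": "3", "nosy": ["3", "5"]}},
)

if __name__ == "__main__":
    print(node_matches(ISSUES, "1", assignedto="3", nosy="5"))  # both match
    print(node_matches(ISSUES, "1", nosy=5))   # int 5 is not the string "5"
    print(node_matches(ISSUES, "1"))           # no constraints at all
```

Code that builds the propspec dynamically (for example from request data) is where the empty-propspec case matters; the strict wrapper turns it into an explicit error instead of a match.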

Roundup Issue Tracker: http://roundup-tracker.org/