Mercurial > p > roundup > code

annotate roundup/security.py @ 3179:88dbe6b3d891

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
merge removal of rcsv
author Richard Jones <richard@users.sourceforge.net>
date Tue, 15 Feb 2005 00:23:30 +0000
parents 460eb0209a9e
children 75dc225613cc
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1644
diff changeset
1 """Handle the security declarations used in Roundup trackers.
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1644
diff changeset
2 """
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1644
diff changeset
3 __docformat__ = 'restructuredtext'
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1644
diff changeset
4
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
5 import weakref
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
6
2983
9614a101b68f Stuff from the train ride this morning:
Richard Jones <richard@users.sourceforge.net>
parents: 2834
diff changeset
7 from roundup import hyperdb, support
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
8
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
9 class Permission:
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
10 ''' Defines a Permission with the attributes
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
11 - name
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
12 - description
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
13 - klass (optional)
2983
9614a101b68f Stuff from the train ride this morning:
Richard Jones <richard@users.sourceforge.net>
parents: 2834
diff changeset
14 - properties (optional)
2652
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
15 - check function (optional)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
16
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
17 The klass may be unset, indicating that this permission is not
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
18 locked to a particular class. That means there may be multiple
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
19 Permissions for the same name for different classes.
2652
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
20
2983
9614a101b68f Stuff from the train ride this morning:
Richard Jones <richard@users.sourceforge.net>
parents: 2834
diff changeset
21 If property names are set, permission is restricted to those
9614a101b68f Stuff from the train ride this morning:
Richard Jones <richard@users.sourceforge.net>
parents: 2834
diff changeset
22 properties only.
2652
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
23
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
24 If check function is set, permission is granted only when
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
25 the function returns value interpreted as boolean true.
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
26 The function is called with arguments db, userid, itemid.
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
27 '''
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
28 def __init__(self, name='', description='', klass=None,
2983
9614a101b68f Stuff from the train ride this morning:
Richard Jones <richard@users.sourceforge.net>
parents: 2834
diff changeset
29 properties=None, check=None):
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
30 self.name = name
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
31 self.description = description
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
32 self.klass = klass
2983
9614a101b68f Stuff from the train ride this morning:
Richard Jones <richard@users.sourceforge.net>
parents: 2834
diff changeset
33 self.properties = properties
9614a101b68f Stuff from the train ride this morning:
Richard Jones <richard@users.sourceforge.net>
parents: 2834
diff changeset
34 self._properties_dict = support.TruthDict(properties)
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
35 self.check = check
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
36
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
37 def test(self, db, permission, classname, property, userid, itemid):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
38 if permission != self.name:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
39 return 0
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
40
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
41 # are we checking the correct class
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
42 if (classname is not None and self.klass is not None
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
43 and self.klass != classname):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
44 return 0
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
45
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
46 # what about property?
2983
9614a101b68f Stuff from the train ride this morning:
Richard Jones <richard@users.sourceforge.net>
parents: 2834
diff changeset
47 if property is not None and not self._properties_dict[property]:
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
48 return 0
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
49
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
50 # check code
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
51 if itemid is not None and self.check is not None:
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
52 if not self.check(db, userid, itemid):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
53 return 0
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
54
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
55 # we have a winner
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
56 return 1
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
57
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
58 def __repr__(self):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
59 return '<Permission 0x%x %r,%r,%r,%r>'%(id(self), self.name,
3115
ece73371713c fix Permission.__repr__()
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2991
diff changeset
60 self.klass, self.properties, self.check)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
61
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
62 def __cmp__(self, other):
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
63 if self.name != other.name:
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
64 return cmp(self.name, other.name)
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
65
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
66 if self.klass != other.klass: return 1
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
67 if self.properties != other.properties: return 1
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
68 if self.check != other.check: return 1
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
69
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
70 # match
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
71 return 0
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
72
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
73 class Role:
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
74 ''' Defines a Role with the attributes
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
75 - name
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
76 - description
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
77 - permissions
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
78 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
79 def __init__(self, name='', description='', permissions=None):
1512
9b93d140b8e6 role names made case insensitive
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1218
diff changeset
80 self.name = name.lower()
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
81 self.description = description
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
82 if permissions is None:
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
83 permissions = []
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
84 self.permissions = permissions
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
85
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
86 def __repr__(self):
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
87 return '<Role 0x%x %r,%r>'%(id(self), self.name, self.permissions)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
88
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
89 class Security:
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
90 def __init__(self, db):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
91 ''' Initialise the permission and role classes, and add in the
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
92 base roles (for admin user).
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
93 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
94 self.db = weakref.proxy(db) # use a weak ref to avoid circularity
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
95
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
96 # permssions are mapped by name to a list of Permissions by class
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
97 self.permission = {}
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
98
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
99 # roles are mapped by name to the Role
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
100 self.role = {}
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
101
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
102 # the default Roles
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
103 self.addRole(name="User", description="A regular user, no privs")
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
104 self.addRole(name="Admin", description="An admin user, full privs")
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
105 self.addRole(name="Anonymous", description="An anonymous user")
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
106
2723
673851f3fc0c admin needs create too
Richard Jones <richard@users.sourceforge.net>
parents: 2652
diff changeset
107 ce = self.addPermission(name="Create",
673851f3fc0c admin needs create too
Richard Jones <richard@users.sourceforge.net>
parents: 2652
diff changeset
108 description="User may create everthing")
673851f3fc0c admin needs create too
Richard Jones <richard@users.sourceforge.net>
parents: 2652
diff changeset
109 self.addPermissionToRole('Admin', ce)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
110 ee = self.addPermission(name="Edit",
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
111 description="User may edit everthing")
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
112 self.addPermissionToRole('Admin', ee)
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
113 ae = self.addPermission(name="View",
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
114 description="User may access everything")
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
115 self.addPermissionToRole('Admin', ae)
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
116
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
117 # initialise the permissions and roles needed for the UIs
992
6003d6fa02a5 new CGI frontend support
Richard Jones <richard@users.sourceforge.net>
parents: 938
diff changeset
118 from roundup.cgi import client
6003d6fa02a5 new CGI frontend support
Richard Jones <richard@users.sourceforge.net>
parents: 938
diff changeset
119 client.initialiseSecurity(self)
938
62c49e259047 preparation for moving cgi modules around
Richard Jones <richard@users.sourceforge.net>
parents: 909
diff changeset
120 from roundup import mailgw
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
121 mailgw.initialiseSecurity(self)
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
122
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
123 def getPermission(self, permission, classname=None, properties=None,
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
124 check=None):
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
125 ''' Find the Permission matching the name and for the class, if the
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
126 classname is specified.
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
127
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
128 Raise ValueError if there is no exact match.
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
129 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
130 if not self.permission.has_key(permission):
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
131 raise ValueError, 'No permission "%s" defined'%permission
909
ef9c759c243e Fix to hasPermission, thanks Stefan Seefeld.
Richard Jones <richard@users.sourceforge.net>
parents: 908
diff changeset
132
2834
Richard Jones <richard@users.sourceforge.net>
parents: 2723
diff changeset
133 if classname:
Richard Jones <richard@users.sourceforge.net>
parents: 2723
diff changeset
134 try:
Richard Jones <richard@users.sourceforge.net>
parents: 2723
diff changeset
135 self.db.getclass(classname)
Richard Jones <richard@users.sourceforge.net>
parents: 2723
diff changeset
136 except KeyError:
Richard Jones <richard@users.sourceforge.net>
parents: 2723
diff changeset
137 raise ValueError, 'No class "%s" defined'%classname
Richard Jones <richard@users.sourceforge.net>
parents: 2723
diff changeset
138
909
ef9c759c243e Fix to hasPermission, thanks Stefan Seefeld.
Richard Jones <richard@users.sourceforge.net>
parents: 908
diff changeset
139 # look through all the permissions of the given name
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
140 tester = Permission(permission, klass=classname, properties=properties,
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
141 check=check)
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
142 for perm in self.permission[permission]:
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
143 if perm == tester:
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
144 return perm
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
145 raise ValueError, 'No permission "%s" defined for "%s"'%(permission,
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
146 classname)
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
147
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
148 def hasPermission(self, permission, userid, classname=None,
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
149 property=None, itemid=None):
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
150 '''Look through all the Roles, and hence Permissions, and
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
151 see if "permission" exists given the constraints of
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
152 classname, property and itemid.
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
153
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
154 If classname is specified (and only classname) then the
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
155 search will match if there is *any* Permission for that
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
156 classname, even if the Permission has additional
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
157 constraints.
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
158
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
159 If property is specified, the Permission matched must have
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
160 either no properties listed or the property must appear in
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
161 the list.
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
162
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
163 If itemid is specified, the Permission matched must have
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
164 either no check function defined or the check function,
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
165 when invoked, must return a True value.
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
166
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
167 Note that this functionality is actually implemented by the
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
168 Permission.test() method.
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
169 '''
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
170 roles = self.db.user.get(userid, 'roles')
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
171 if roles is None:
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
172 return 0
2983
9614a101b68f Stuff from the train ride this morning:
Richard Jones <richard@users.sourceforge.net>
parents: 2834
diff changeset
173 if itemid and classname is None:
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
174 raise ValueError, 'classname must accompany itemid'
1644
c98d20ba4445 strip whitespace from Role names so "User, Admin" will work
Richard Jones <richard@users.sourceforge.net>
parents: 1512
diff changeset
175 for rolename in [x.lower().strip() for x in roles.split(',')]:
1218
4c9882cb16a3 more docco work
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
176 if not rolename or not self.role.has_key(rolename):
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
177 continue
909
ef9c759c243e Fix to hasPermission, thanks Stefan Seefeld.
Richard Jones <richard@users.sourceforge.net>
parents: 908
diff changeset
178 # for each of the user's Roles, check the permissions
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
179 for perm in self.role[rolename].permissions:
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
180 # permission match?
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
181 if perm.test(self.db, permission, classname, property,
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
182 userid, itemid):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
183 return 1
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
184 return 0
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
185
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
186 def addPermission(self, **propspec):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
187 ''' Create a new Permission with the properties defined in
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
188 'propspec'. See the Permission class for the possible
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
189 keyword args.
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
190 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
191 perm = Permission(**propspec)
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
192 self.permission.setdefault(perm.name, []).append(perm)
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
193 return perm
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
194
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
195 def addRole(self, **propspec):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
196 ''' Create a new Role with the properties defined in 'propspec'
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
197 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
198 role = Role(**propspec)
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
199 self.role[role.name] = role
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
200 return role
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
201
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
202 def addPermissionToRole(self, rolename, permission, classname=None,
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
203 properties=None, check=None):
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
204 ''' Add the permission to the role's permission list.
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
205
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
206 'rolename' is the name of the role to add the permission to.
2991
b9a55628a78d more doc fixes
Richard Jones <richard@users.sourceforge.net>
parents: 2983
diff changeset
207
b9a55628a78d more doc fixes
Richard Jones <richard@users.sourceforge.net>
parents: 2983
diff changeset
208 'permission' is either a Permission *or* a permission name
3115
ece73371713c fix Permission.__repr__()
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2991
diff changeset
209 accompanied by 'classname' (thus in the second case a Permission
2991
b9a55628a78d more doc fixes
Richard Jones <richard@users.sourceforge.net>
parents: 2983
diff changeset
210 is obtained by passing 'permission' and 'classname' to
b9a55628a78d more doc fixes
Richard Jones <richard@users.sourceforge.net>
parents: 2983
diff changeset
211 self.getPermission)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
212 '''
2991
b9a55628a78d more doc fixes
Richard Jones <richard@users.sourceforge.net>
parents: 2983
diff changeset
213 if not isinstance(permission, Permission):
3117
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
214 permission = self.getPermission(permission, classname,
460eb0209a9e Permissions improvements.
Richard Jones <richard@users.sourceforge.net>
parents: 3115
diff changeset
215 properties, check)
1512
9b93d140b8e6 role names made case insensitive
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1218
diff changeset
216 role = self.role[rolename.lower()]
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
217 role.permissions.append(permission)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
218
2652
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
219 # vim: set filetype=python sts=4 sw=4 et si :
Roundup Issue Tracker: http://roundup-tracker.org/