Mercurial > p > roundup > code

annotate roundup/security.py @ 2670:bdf3a73dfd04

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
merge from maint-0-7
author Richard Jones <richard@users.sourceforge.net>
date Tue, 07 Sep 2004 10:40:15 +0000
parents 281beec48408
children 673851f3fc0c
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1644
diff changeset
1 """Handle the security declarations used in Roundup trackers.
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1644
diff changeset
2 """
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1644
diff changeset
3 __docformat__ = 'restructuredtext'
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1644
diff changeset
4
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
5 import weakref
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
6
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
7 from roundup import hyperdb
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
8
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
9 class Permission:
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
10 ''' Defines a Permission with the attributes
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
11 - name
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
12 - description
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
13 - klass (optional)
2652
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
14 - property (optional)
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
15 - check function (optional)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
16
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
17 The klass may be unset, indicating that this permission is not
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
18 locked to a particular class. That means there may be multiple
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
19 Permissions for the same name for different classes.
2652
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
20
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
21 If property name is set, permission is restricted to that
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
22 property only.
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
23
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
24 If check function is set, permission is granted only when
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
25 the function returns value interpreted as boolean true.
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
26 The function is called with arguments db, userid, itemid.
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
27 '''
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
28 def __init__(self, name='', description='', klass=None,
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
29 property=None, check=None):
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
30 self.name = name
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
31 self.description = description
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
32 self.klass = klass
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
33 self.property = property
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
34 self.check = check
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
35
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
36 def test(self, db, permission, classname, property, userid, itemid):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
37 if permission != self.name:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
38 return 0
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
39
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
40 # are we checking the correct class
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
41 if (classname is not None and self.klass is not None
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
42 and self.klass != classname):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
43 return 0
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
44
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
45 # what about property?
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
46 if (property is not None and self.property is not None
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
47 and self.property != property):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
48 return 0
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
49
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
50 # check code
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
51 if self.check is not None:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
52 if not self.check(db, userid, itemid):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
53 return 0
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
54
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
55 # we have a winner
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
56 return 1
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
57
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
58 def __repr__(self):
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
59 return '<Permission 0x%x %r,%r,%r,%r>'%(id(self), self.name,
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
60 self.klass, self.property, self.check)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
61
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
62 class Role:
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
63 ''' Defines a Role with the attributes
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
64 - name
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
65 - description
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
66 - permissions
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
67 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
68 def __init__(self, name='', description='', permissions=None):
1512
9b93d140b8e6 role names made case insensitive
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1218
diff changeset
69 self.name = name.lower()
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
70 self.description = description
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
71 if permissions is None:
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
72 permissions = []
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
73 self.permissions = permissions
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
74
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
75 def __repr__(self):
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
76 return '<Role 0x%x %r,%r>'%(id(self), self.name, self.permissions)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
77
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
78 class Security:
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
79 def __init__(self, db):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
80 ''' Initialise the permission and role classes, and add in the
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
81 base roles (for admin user).
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
82 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
83 self.db = weakref.proxy(db) # use a weak ref to avoid circularity
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
84
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
85 # permssions are mapped by name to a list of Permissions by class
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
86 self.permission = {}
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
87
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
88 # roles are mapped by name to the Role
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
89 self.role = {}
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
90
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
91 # the default Roles
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
92 self.addRole(name="User", description="A regular user, no privs")
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
93 self.addRole(name="Admin", description="An admin user, full privs")
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
94 self.addRole(name="Anonymous", description="An anonymous user")
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
95
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
96 ee = self.addPermission(name="Edit",
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
97 description="User may edit everthing")
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
98 self.addPermissionToRole('Admin', ee)
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
99 ae = self.addPermission(name="View",
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
100 description="User may access everything")
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
101 self.addPermissionToRole('Admin', ae)
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
102
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
103 # initialise the permissions and roles needed for the UIs
992
6003d6fa02a5 new CGI frontend support
Richard Jones <richard@users.sourceforge.net>
parents: 938
diff changeset
104 from roundup.cgi import client
6003d6fa02a5 new CGI frontend support
Richard Jones <richard@users.sourceforge.net>
parents: 938
diff changeset
105 client.initialiseSecurity(self)
938
62c49e259047 preparation for moving cgi modules around
Richard Jones <richard@users.sourceforge.net>
parents: 909
diff changeset
106 from roundup import mailgw
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
107 mailgw.initialiseSecurity(self)
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
108
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
109 def getPermission(self, permission, classname=None):
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
110 ''' Find the Permission matching the name and for the class, if the
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
111 classname is specified.
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
112
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
113 Raise ValueError if there is no exact match.
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
114 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
115 if not self.permission.has_key(permission):
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
116 raise ValueError, 'No permission "%s" defined'%permission
909
ef9c759c243e Fix to hasPermission, thanks Stefan Seefeld.
Richard Jones <richard@users.sourceforge.net>
parents: 908
diff changeset
117
ef9c759c243e Fix to hasPermission, thanks Stefan Seefeld.
Richard Jones <richard@users.sourceforge.net>
parents: 908
diff changeset
118 # look through all the permissions of the given name
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
119 for perm in self.permission[permission]:
909
ef9c759c243e Fix to hasPermission, thanks Stefan Seefeld.
Richard Jones <richard@users.sourceforge.net>
parents: 908
diff changeset
120 # if we're passed a classname, the permission must match
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
121 if perm.klass is not None and perm.klass == classname:
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
122 return perm
909
ef9c759c243e Fix to hasPermission, thanks Stefan Seefeld.
Richard Jones <richard@users.sourceforge.net>
parents: 908
diff changeset
123 # otherwise the permission klass must be unset
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
124 elif not perm.klass and not classname:
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
125 return perm
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
126 raise ValueError, 'No permission "%s" defined for "%s"'%(permission,
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
127 classname)
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
128
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
129 def hasPermission(self, permission, userid, classname=None,
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
130 property=None, itemid=None):
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
131 ''' Look through all the Roles, and hence Permissions, and see if
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
132 "permission" is there for the specified classname.
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
133 '''
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
134 roles = self.db.user.get(userid, 'roles')
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
135 if roles is None:
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
136 return 0
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
137 if itemid is not None and classname is None:
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
138 raise ValueError, 'classname must accompany itemid'
1644
c98d20ba4445 strip whitespace from Role names so "User, Admin" will work
Richard Jones <richard@users.sourceforge.net>
parents: 1512
diff changeset
139 for rolename in [x.lower().strip() for x in roles.split(',')]:
1218
4c9882cb16a3 more docco work
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
140 if not rolename or not self.role.has_key(rolename):
905
502a5ae11cc5 Very close now. The cgi and mailgw now use the new security API.
Richard Jones <richard@users.sourceforge.net>
parents: 902
diff changeset
141 continue
909
ef9c759c243e Fix to hasPermission, thanks Stefan Seefeld.
Richard Jones <richard@users.sourceforge.net>
parents: 908
diff changeset
142 # for each of the user's Roles, check the permissions
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
143 for perm in self.role[rolename].permissions:
909
ef9c759c243e Fix to hasPermission, thanks Stefan Seefeld.
Richard Jones <richard@users.sourceforge.net>
parents: 908
diff changeset
144 # permission name match?
2649
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
145 if perm.test(self.db, permission, classname, property,
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
146 userid, itemid):
1df7d4a41da4 Buncha stuff (sorry about the large checkin):
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
147 return 1
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
148 return 0
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
149
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
150 def hasNodePermission(self, classname, nodeid, **propspec):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
151 ''' Check the named properties of the given node to see if the
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
152 userid appears in them. If it does, then the user is granted
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
153 this permission check.
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
154
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
155 'propspec' consists of a set of properties and values that
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
156 must be present on the given node for access to be granted.
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
157
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
158 If a property is a Link, the value must match the property
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
159 value. If a property is a Multilink, the value must appear
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
160 in the Multilink list.
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
161 '''
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
162 klass = self.db.getclass(classname)
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
163 properties = klass.getprops()
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
164 for k,v in propspec.items():
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
165 value = klass.get(nodeid, k)
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
166 if isinstance(properties[k], hyperdb.Multilink):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
167 if v not in value:
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
168 return 0
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
169 else:
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
170 if v != value:
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
171 return 0
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
172 return 1
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
173
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
174 def addPermission(self, **propspec):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
175 ''' Create a new Permission with the properties defined in
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
176 'propspec'
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
177 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
178 perm = Permission(**propspec)
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
179 self.permission.setdefault(perm.name, []).append(perm)
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
180 return perm
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
181
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
182 def addRole(self, **propspec):
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
183 ''' Create a new Role with the properties defined in 'propspec'
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
184 '''
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
185 role = Role(**propspec)
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
186 self.role[role.name] = role
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
187 return role
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
188
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
189 def addPermissionToRole(self, rolename, permission):
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
190 ''' Add the permission to the role's permission list.
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
191
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
192 'rolename' is the name of the role to add the permission to.
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
193 '''
1512
9b93d140b8e6 role names made case insensitive
Andrey Lebedev <kedder@users.sourceforge.net>
parents: 1218
diff changeset
194 role = self.role[rolename.lower()]
908
a8d80ffe37cc Removed the unnecessary volatiledb and the related complications.
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
195 role.permissions.append(permission)
902
b0d3d3535998 Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
196
2652
281beec48408 add note about new functionality to Permission class docstring;
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2649
diff changeset
197 # vim: set filetype=python sts=4 sw=4 et si :
Roundup Issue Tracker: http://roundup-tracker.org/