comparison roundup/security.py @ 4438:222efa59ee6c
search permissions must allow transitive properties
| author | Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net> |
|---|---|
| date | Wed, 20 Oct 2010 08:58:52 +0000 |
| parents | 261c9f913ff7 |
| children | 9edbab31e2ac |
| 4437:261c9f913ff7 | 4438:222efa59ee6c |
|---|---|
| 52 return 0 | 52 return 0 |
| 53 | 53 |
| 54 # we have a winner | 54 # we have a winner |
| 55 return 1 | 55 return 1 |
| 56 | 56 |
| 57 def searchable(self, db, permission, classname, property): | 57 def searchable(self, classname, property): |
| 58 """ A Permission is searchable for the given permission if it | 58 """ A Permission is searchable for the given permission if it |
| 59 doesn't include a check method and otherwise matches the | 59 doesn't include a check method and otherwise matches the |
| 60 given parameters. | 60 given parameters. |
| 61 """ | 61 """ |
| 62 if permission != self.name: | 62 if self.name not in ('View', 'Search'): |
| 63 return 0 | 63 return 0 |
| 64 | 64 |
| 65 # are we checking the correct class | 65 # are we checking the correct class |
| 66 if self.klass != classname: | 66 if self.klass != classname: |
| 67 return 0 | 67 return 0 |
| 196 userid, itemid): | 196 userid, itemid): |
| 197 return 1 | 197 return 1 |
| 198 return 0 | 198 return 0 |
| 199 | 199 |
| 200 def roleHasSearchPermission(self, rolename, classname, property): | 200 def roleHasSearchPermission(self, rolename, classname, property): |
| 201 """ for each of the user's Roles, check the permissions | 201 """ For each of the user's Roles, check the permissions. |
| 202 Property can be a transitive property. | |
| 202 """ | 203 """ |
| 203 for perm in self.role[rolename].permissions: | 204 cn = classname |
| 204 # permission match? | 205 last = None |
| 205 for p in 'View', 'Search': | 206 # Note: break from inner loop means "found" |
| 206 if perm.searchable(self.db, p, classname, property): | 207 # break from outer loop means "not found" |
| 207 return 1 | 208 for propname in property.split('.'): |
| 209 if last: | |
| 210 try: | |
| 211 cls = self.db.getclass(cn) | |
| 212 lprop = cls.getprops()[last] | |
| 213 except KeyError: | |
| 214 break | |
| 215 cn = lprop.classname | |
| 216 last = propname | |
| 217 for perm in self.role[rolename].permissions: | |
| 218 if perm.searchable(cn, propname): | |
| 219 break | |
| 220 else: | |
| 221 break | |
| 222 else: | |
| 223 return 1 | |
| 208 return 0 | 224 return 0 |
| 209 | 225 |
| 210 def hasSearchPermission(self, userid, classname, property): | 226 def hasSearchPermission(self, userid, classname, property): |
| 211 '''Look through all the Roles, and hence Permissions, and | 227 '''Look through all the Roles, and hence Permissions, and |
| 212 see if "permission" exists given the constraints of | 228 see if "permission" exists given the constraints of |
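Review bot: In the new `roleHasSearchPermission` loop, `cn = lprop.classname` sits outside the `try` and the handler catches only `KeyError`, so a dotted path whose intermediate segment names a property without a `classname` attribute would raise `AttributeError` instead of falling through to `return 0`. That non-link property objects lack this attribute is inferred, since the property classes are not on this page; the property string presumably originates from the search request, so the permission check should deny cleanly rather than fail with an unhandled exception. Moving the assignment into the `try` and widening the handler to `except (KeyError, AttributeError): break` keeps the check fail-closed. Separately, the `searchable` docstring still says "for the given permission" although the `permission` parameter was removed; it should state that only permissions named `View` or `Search` can match.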
