comparison doc/upgrading.txt @ 5186:36630a062fb5
Check in enhanced form for check command used by addPermission.
New form can include a **context dictionary that allows access to the
name of the property, class, and permission being checked. This
should make designing more complex permission requirements easier.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Fri, 17 Feb 2017 21:18:34 -0500 |
| parents | e8b3d3a14563 |
| children | 302e3a1a7190 |
| 5185:349bef975367 | 5186:36630a062fb5 |
|---|---|
| 342 p = db.security.addPermission(name='Restore', klass='query', check=edit_query, | 342 p = db.security.addPermission(name='Restore', klass='query', check=edit_query, |
| 343 description="User is allowed to restore their queries") | 343 description="User is allowed to restore their queries") |
| 344 db.security.addPermissionToRole('User', p) | 344 db.security.addPermissionToRole('User', p) |
| 345 | 345 |
| 346 where the last three lines are the ones you need to add. | 346 where the last three lines are the ones you need to add. |
| 347 | |
| 348 Enhancement to check command for Permissions | |
| 349 -------------------------------------------- | |
| 350 | |
| 351 A new form of check function is permitted in permission definitions. | |
| 352 The three argument form is still supported and will work the same | |
| 353 as it always has (although it may be depricated in the future). | |
| 354 | |
| 355 If the check function is defined as:: | |
| 356 | |
| 357 check(db, userid, itemid, **ctx) | |
| 358 | |
| 359 the ctx variable will have the context to use when determining access | |
| 360 rights:: | |
| 361 | |
| 362 ctx['property'] the name of the property being checked or None if | |
| 363 it's a class check. | |
| 364 | |
| 365 ctx['classname'] the name of the class that is being checked | |
| 366 (issue, query ....). | |
| 367 | |
| 368 ctx['permission'] the name of the permission (e.g. View, Edit...). | |
| 369 | |
| 370 This should make defining complex permissions much easier. Consider:: | |
| 371 | |
| 372 def issue_private_access(db, userid, itemid, **ctx): | |
| 373 if not db.issue.get(itemid, 'private'): | |
| 374 # allow access to everything if not private | |
| 375 return True | |
| 376 | |
| 377 # It is a private issue hide nosy list | |
| 378 # Note that the nosy property *must* be listed | |
| 379 # in permissions argument to the addPermission | |
| 380 # definition otherwise this check command | |
| 381 # is not run. | |
| 382 if ctx['property'] == 'nosy': | |
| 383 return False # deny access to this property | |
| 384 | |
| 385 # allow access for editing, viewing etc. of the class | |
| 386 return True | |
| 387 | |
| 388 | |
| 389 e = db.security.addPermission(name='Edit', klass='issue', | |
| 390 check=issue_private_access, | |
| 391 properties=['nosy'], | |
| 392 description="Edit issue checks") | |
| 393 | |
| 394 It is suggested that you change your checks to use the ``**ctx`` | |
| 395 parameter. This is expected to be the preferred form in the future. | |
| 396 You do not need to use the ``ctx`` parameter in the function if you do | |
| 397 not need it. | |
| 347 | 398 |
| 348 Migrating from 1.5.0 to 1.5.1 | 399 Migrating from 1.5.0 to 1.5.1 |
| 349 ============================= | 400 ============================= |
| 350 | 401 |
| 351 User data visibility | 402 User data visibility |
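
Review bot: The example at new lines 372-392 says in its comment that it hides the nosy list on private issues, but the permission it registers is name='Edit', so the check governs editing nosy rather than viewing it; either reword the comment at line 377 to say edits to nosy are blocked, or add a matching 'View' permission that uses the same check. The example also stops at addPermission and never grants `e` to a role, unlike the preceding example at line 344; a closing db.security.addPermissionToRole('User', e) would make it complete. Minor: 'depricated' at line 353 should be 'deprecated'.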
