comparison doc/design.txt @ 3117:460eb0209a9e
Permissions improvements.
- have Permissions only test the check function if itemid is supplied
- modify index templates to check for row-level Permission
- more documentation of security mechanisms
- better unit tests for security mechanisms
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Fri, 28 Jan 2005 03:51:19 +0000 |
| parents | 9614a101b68f |
| children | ed97e2a85576 440f0a6a2e3c |
| 3115:ece73371713c | 3117:460eb0209a9e |
|---|---|
| 1382 many Users, is quite well developed in many projects. Roundup will take | 1382 many Users, is quite well developed in many projects. Roundup will take |
| 1383 this path, and allow the multiple assignment of Roles to Users, and | 1383 this path, and allow the multiple assignment of Roles to Users, and |
| 1384 multiple Permissions to Roles. These definitions are not persistent - | 1384 multiple Permissions to Roles. These definitions are not persistent - |
| 1385 they're defined when the application initialises. | 1385 they're defined when the application initialises. |
| 1386 | 1386 |
| 1387 There will be two levels of Permission. The Class level permissions | 1387 There will be three levels of Permission. The Class level permissions |
| 1388 define logical permissions associated with all items of a particular | 1388 define logical permissions associated with all items of a particular |
| 1389 class (or all classes). The Item level permissions define logical | 1389 class (or all classes). The Item level permissions define logical |
| 1390 permissions associated with specific items by way of their user-linked | 1390 permissions associated with specific items by way of their user-linked |
| 1391 properties. | 1391 properties. The Property level permissions define logical permissions |
| 1392 associated with a specific property of an item. | |
| 1392 | 1393 |
| 1393 | 1394 |
| 1394 Access Control Interface Specification | 1395 Access Control Interface Specification |
| 1395 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 1396 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 1396 | 1397 |
| 1428 def __init__(self, db): | 1429 def __init__(self, db): |
| 1429 ''' Initialise the permission and role stores, and add in | 1430 ''' Initialise the permission and role stores, and add in |
| 1430 the base roles (for admin user). | 1431 the base roles (for admin user). |
| 1431 ''' | 1432 ''' |
| 1432 | 1433 |
| 1433 def getPermission(self, permission, classname=None): | 1434 def getPermission(self, permission, classname=None, properties=None, |
| 1434 ''' Find the Permission matching the name and for the class, | 1435 check=None): |
| 1435 if the classname is specified. | 1436 ''' Find the Permission exactly matching the name, class, |
| 1437 properties list and check function. | |
| 1436 | 1438 |
| 1437 Raise ValueError if there is no exact match. | 1439 Raise ValueError if there is no exact match. |
| 1438 ''' | 1440 ''' |
| 1439 | 1441 |
| 1440 def hasPermission(self, permission, userid, classname=None): | 1442 def hasPermission(self, permission, userid, classname=None, |
| 1443 property=None, itemid=None): | |
| 1441 ''' Look through all the Roles, and hence Permissions, and | 1444 ''' Look through all the Roles, and hence Permissions, and |
| 1442 see if "permission" is there for the specified | 1445 see if "permission" exists given the constraints of |
| 1443 classname. | 1446 classname, property and itemid. |
| 1444 ''' | 1447 |
| 1445 | 1448 If classname is specified (and only classname) then the |
| 1446 def hasItemPermission(self, classname, itemid, **propspec): | 1449 search will match if there is *any* Permission for that |
| 1447 ''' Check the named properties of the given item to see if | 1450 classname, even if the Permission has additional |
| 1448 the userid appears in them. If it does, then the user is | 1451 constraints. |
| 1449 granted this permission check. | 1452 |
| 1450 | 1453 If property is specified, the Permission matched must have |
| 1451 'propspec' consists of a set of properties and values | 1454 either no properties listed or the property must appear in |
| 1452 that must be present on the given item for access to be | 1455 the list. |
| 1453 granted. | 1456 |
| 1454 | 1457 If itemid is specified, the Permission matched must have |
| 1455 If a property is a Link, the value must match the | 1458 either no check function defined or the check function, |
| 1456 property value. If a property is a Multilink, the value | 1459 when invoked, must return a True value. |
| 1457 must appear in the Multilink list. | 1460 |
| 1461 Note that this functionality is actually implemented by the | |
| 1462 Permission.test() method. | |
| 1458 ''' | 1463 ''' |
| 1459 | 1464 |
| 1460 def addPermission(self, **propspec): | 1465 def addPermission(self, **propspec): |
| 1461 ''' Create a new Permission with the properties defined in | 1466 ''' Create a new Permission with the properties defined in |
| 1462 'propspec' | 1467 'propspec'. See the Permission class for the possible |
| 1468 keyword args. | |
| 1463 ''' | 1469 ''' |
| 1464 | 1470 |
| 1465 def addRole(self, **propspec): | 1471 def addRole(self, **propspec): |
| 1466 ''' Create a new Role with the properties defined in | 1472 ''' Create a new Role with the properties defined in |
| 1467 'propspec' | 1473 'propspec' |

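Review bot: In the new hasPermission docstring (new lines 1448-1451), a classname-only call matches "even if the Permission has additional constraints", so a True result there does not mean the user may access any particular item or property. State that explicitly, and say that callers must pass itemid (and property where relevant) before showing or changing a specific item; code written against the old hasPermission(permission, userid, classname) form will otherwise never reach the check function. The docstring also does not say what arguments the check function is invoked with; document them here or make the pointer to Permission.test() cover that too.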