Mercurial > p > roundup > code
comparison roundup/security.py @ 2983:9614a101b68f
Stuff from the train ride this morning:
- Extend the property concept in Permissions to allow a list of properties
- Fix the cgi templating code to check the correct permission when
rendering edit fields
- A swag of changes (just the start) fixing up the customisation doc for
the new tracker layout and permissions setup
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Tue, 30 Nov 2004 08:32:57 +0000 |
| parents | 3f93d4b29620 |
| children | b9a55628a78d |
comparison
equal
deleted
inserted
replaced
| 2982:22f16d0646ce | 2983:9614a101b68f |
|---|---|
| 2 """ | 2 """ |
| 3 __docformat__ = 'restructuredtext' | 3 __docformat__ = 'restructuredtext' |
| 4 | 4 |
| 5 import weakref | 5 import weakref |
| 6 | 6 |
| 7 from roundup import hyperdb | 7 from roundup import hyperdb, support |
| 8 | 8 |
| 9 class Permission: | 9 class Permission: |
| 10 ''' Defines a Permission with the attributes | 10 ''' Defines a Permission with the attributes |
| 11 - name | 11 - name |
| 12 - description | 12 - description |
| 13 - klass (optional) | 13 - klass (optional) |
| 14 - property (optional) | 14 - properties (optional) |
| 15 - check function (optional) | 15 - check function (optional) |
| 16 | 16 |
| 17 The klass may be unset, indicating that this permission is not | 17 The klass may be unset, indicating that this permission is not |
| 18 locked to a particular class. That means there may be multiple | 18 locked to a particular class. That means there may be multiple |
| 19 Permissions for the same name for different classes. | 19 Permissions for the same name for different classes. |
| 20 | 20 |
| 21 If property name is set, permission is restricted to that | 21 If property names are set, permission is restricted to those |
| 22 property only. | 22 properties only. |
| 23 | 23 |
| 24 If check function is set, permission is granted only when | 24 If check function is set, permission is granted only when |
| 25 the function returns value interpreted as boolean true. | 25 the function returns value interpreted as boolean true. |
| 26 The function is called with arguments db, userid, itemid. | 26 The function is called with arguments db, userid, itemid. |
| 27 ''' | 27 ''' |
| 28 def __init__(self, name='', description='', klass=None, | 28 def __init__(self, name='', description='', klass=None, |
| 29 property=None, check=None): | 29 properties=None, check=None): |
| 30 self.name = name | 30 self.name = name |
| 31 self.description = description | 31 self.description = description |
| 32 self.klass = klass | 32 self.klass = klass |
| 33 self.property = property | 33 self.properties = properties |
| 34 self._properties_dict = support.TruthDict(properties) | |
| 34 self.check = check | 35 self.check = check |
| 35 | 36 |
| 36 def test(self, db, permission, classname, property, userid, itemid): | 37 def test(self, db, permission, classname, property, userid, itemid): |
| 37 if permission != self.name: | 38 if permission != self.name: |
| 38 return 0 | 39 return 0 |
| 41 if (classname is not None and self.klass is not None | 42 if (classname is not None and self.klass is not None |
| 42 and self.klass != classname): | 43 and self.klass != classname): |
| 43 return 0 | 44 return 0 |
| 44 | 45 |
| 45 # what about property? | 46 # what about property? |
| 46 if (property is not None and self.property is not None | 47 if property is not None and not self._properties_dict[property]: |
| 47 and self.property != property): | |
| 48 return 0 | 48 return 0 |
| 49 | 49 |
| 50 # check code | 50 # check code |
| 51 if self.check is not None: | 51 if self.check is not None: |
| 52 if not self.check(db, userid, itemid): | 52 if not self.check(db, userid, itemid): |
| 141 "permission" is there for the specified classname. | 141 "permission" is there for the specified classname. |
| 142 ''' | 142 ''' |
| 143 roles = self.db.user.get(userid, 'roles') | 143 roles = self.db.user.get(userid, 'roles') |
| 144 if roles is None: | 144 if roles is None: |
| 145 return 0 | 145 return 0 |
| 146 if itemid is not None and classname is None: | 146 if itemid and classname is None: |
| 147 raise ValueError, 'classname must accompany itemid' | 147 raise ValueError, 'classname must accompany itemid' |
| 148 for rolename in [x.lower().strip() for x in roles.split(',')]: | 148 for rolename in [x.lower().strip() for x in roles.split(',')]: |
| 149 if not rolename or not self.role.has_key(rolename): | 149 if not rolename or not self.role.has_key(rolename): |
| 150 continue | 150 continue |
| 151 # for each of the user's Roles, check the permissions | 151 # for each of the user's Roles, check the permissions |