Mercurial Repository: p/roundup/code: roundup/security.py comparison

comparison roundup/security.py @ 5196:e0732fd6a6c7

Implement props_only feature for permissions.

author	rouilj@uland
date	Sat, 18 Mar 2017 10:44:10 -0400
parents	36630a062fb5
children	1f72b73d7770

comparison

equal deleted inserted replaced

-:270003714e5f
+:e0732fd6a6c7
 __docformat__ = 'restructuredtext'
 import weakref
 from roundup import hyperdb, support
+import logging
+logger = logging.getLogger('roundup.security')
 class Permission:
 ''' Defines a Permission with the attributes
 - name
 - description
 - klass (optional)
 - properties (optional)
 - check function (optional)
+- props_only (optional, internal field is limit_perm_to_props_only)
 The klass may be unset, indicating that this permission is not
 locked to a particular class. That means there may be multiple
 Permissions for the same name for different classes.
 properties only.
 If check function is set, permission is granted only when
 the function returns value interpreted as boolean true.
 The function is called with arguments db, userid, itemid.
+When the system checks klass permission rather than the klass
+property permission (i.e. properties=None and item=None), it
+will apply any permission that matches on permission name and
+class. If the permission has a check function, the check
+function will be run. By making the permission valid only for
+properties using props_only=True the permission will be
+skipped. You can set the default value for props_only for all
+properties by calling:
+db.security.set_props_only_default()
+with a True or False value.
 '''
+limit_perm_to_props_only=False
 def __init__(self, name='', description='', klass=None,
-properties=None, check=None):
+properties=None, check=None, props_only=None):
 import inspect
 self.name = name
 self.description = description
 self.klass = klass
 self.properties = properties
 self._properties_dict = support.TruthDict(properties)
 self.check = check
+if properties is not None:
+# Set to None unless properties are defined.
+# This means that:
+# a=Property(name="Edit", klass="issue", check=dummy,
+#     props_only=True)
+# b=Property(name="Edit", klass="issue", check=dummy,
+#     props_only=False)
+# a == b will be true.
+if props_only is None:
+self.limit_perm_to_props_only = \
+Permission.limit_perm_to_props_only
+else:
+# see note on use of bool() in set_props_only_default()
+self.limit_perm_to_props_only = bool(props_only)
+else:
+self.limit_perm_to_props_only = None
 if check is None:
 self.check_version = 0
 else:
 args=inspect.getargspec(check)
 else:
 # function definition is function(db, userid, itemid, **other)
 self.check_version = 2
 def test(self, db, permission, classname, property, userid, itemid):
+''' Test permissions 5 args:
+permission - string like Edit, Register etc. Required, no wildcard.
+classname - string like issue, msg etc. Can be None to match any
+class.
+property - array of strings that are property names. Optional.
+if None this is an item or klass access check.
+userid - number that is id for user.
+itemid - id for classname. e.g. 3 in issue3. If missing this is
+a class access check, otherwies it's a object access check.
+'''
 if permission != self.name:
 return 0
 # are we checking the correct class
 if self.klass is not None and self.klass != classname:
 return 0
 # what about property?
 if property is not None and not self._properties_dict[property]:
+return 0
+# is this a props_only permission and permissions are set
+if property is None and self.properties is not None and \
+self.limit_perm_to_props_only:
 return 0
 # check code
 if itemid is not None and self.check is not None:
 if self.check_version == 1:
 if not self.check(db, userid, itemid):
 return 0
 elif self.check_version == 2:
-if not self.check(db, userid, itemid, property=property, permission=permission, classname=classname):
+if not self.check(db, userid, itemid, property=property, \
+permission=permission, classname=classname):
 return 0
 # we have a winner
 return 1
 return 1
 def __repr__(self):
-return '<Permission 0x%x %r,%r,%r,%r>'%(id(self), self.name,
+return '<Permission 0x%x %r,%r,%r,%r,%r>'%(id(self), self.name,
-self.klass, self.properties, self.check)
+self.klass, self.properties, self.check,
+self.limit_perm_to_props_only)
 def __cmp__(self, other):
 if self.name != other.name:
 return cmp(self.name, other.name)
 if self.klass != other.klass: return 1
 if self.properties != other.properties: return 1
 if self.check != other.check: return 1
+if self.limit_perm_to_props_only != \
+other.limit_perm_to_props_only: return 1
 # match
 return 0
+def __getitem__(self,index):
+return (self.name, self.klass, self.properties, self.check,
+self.limit_perm_to_props_only)[index]
 class Role:
 ''' Defines a Role with the attributes
 - name
 - description
 client.initialiseSecurity(self)
 from roundup import mailgw
 mailgw.initialiseSecurity(self)
 def getPermission(self, permission, classname=None, properties=None,
-check=None):
+check=None, props_only=None):
 ''' Find the Permission matching the name and for the class, if the
 classname is specified.
 Raise ValueError if there is no exact match.
 '''
 except KeyError:
 raise ValueError, 'No class "%s" defined'%classname
 # look through all the permissions of the given name
 tester = Permission(permission, klass=classname, properties=properties,
-check=check)
+check=check,
+props_only=props_only)
 for perm in self.permission[permission]:
 if perm == tester:
 return perm
 raise ValueError, 'No permission "%s" defined for "%s"'%(permission,
 classname)
 def hasPermission(self, permission, userid, classname=None,
 property=None, itemid=None):
 '''Look through all the Roles, and hence Permissions, and
 see if "permission" exists given the constraints of
-classname, property and itemid.
+classname, property, itemid, and props_only.
-If classname is specified (and only classname) then the
+If classname is specified (and only classname) the
-search will match if there is *any* Permission for that
+search will match:
-classname, even if the Permission has additional
-constraints.
+if there is *any* Permission for that classname, and
+that Permission was not created with props_only = True
+*NOTE* the Permission will match even if there are
+additional constraints like a check or properties and
+props_only is False. This can be unexpected. Using
+props_only = True or setting the default value to True can
+help prevent surprises.
 If property is specified, the Permission matched must have
 either no properties listed or the property must appear in
 the list.
 either no check function defined or the check function,
 when invoked, must return a True value.
 Note that this functionality is actually implemented by the
 Permission.test() method.
 '''
 if itemid and classname is None:
 raise ValueError, 'classname must accompany itemid'
 for rolename in self.db.user.get_roles(userid):
 if not rolename or (rolename not in self.role):
 '''
 role = Role(**propspec)
 self.role[role.name] = role
 return role
+def set_props_only_default(self, props_only=None):
+if props_only is not None:
+# NOTE: only valid values are True and False because these
+# will be compared as part of tuple == tuple and
+# (3,) == (True,) is False even though 3 is a True value
+# in a boolean context. So use bool() to coerce value.
+Permission.limit_perm_to_props_only = \
+bool(props_only)
 def addPermissionToRole(self, rolename, permission, classname=None,
-properties=None, check=None):
+properties=None, check=None, props_only=None):
 ''' Add the permission to the role's permission list.
 'rolename' is the name of the role to add the permission to.
 'permission' is either a Permission *or* a permission name
 is obtained by passing 'permission' and 'classname' to
 self.getPermission)
 '''
 if not isinstance(permission, Permission):
 permission = self.getPermission(permission, classname,
-properties, check)
+properties, check, props_only)
 role = self.role[rolename.lower()]
 role.permissions.append(permission)
 # Convenience methods for removing non-allowed properties from a
 # filterspec or sort/group list

Mercurial > p > roundup > code

comparison roundup/security.py @ 5196:e0732fd6a6c7