[Checkins] SVN: z3c.securitytool/trunk/ commit before refactor of
principalPermissions
Daniel Blackburn
blackburnd at gmail.com
Sat Feb 16 14:39:00 EST 2008
Log message for revision 83933:
commit before refactor of principalPermissions
Changed:
U z3c.securitytool/trunk/TODO.txt
U z3c.securitytool/trunk/src/z3c/securitytool/browser/principalinfo.pt
U z3c.securitytool/trunk/src/z3c/securitytool/browser/views.py
U z3c.securitytool/trunk/src/z3c/securitytool/securitytool.py
-=-
Modified: z3c.securitytool/trunk/TODO.txt
===================================================================
--- z3c.securitytool/trunk/TODO.txt 2008-02-16 17:31:00 UTC (rev 83932)
+++ z3c.securitytool/trunk/TODO.txt 2008-02-16 19:38:59 UTC (rev 83933)
@@ -7,25 +7,44 @@
* Add details pages for groups and roles.
* Securitymatrix should be a link instead of an onclick
+
+
+ SHOW STOPPERS
+ ===============
- SHOW STOPPERS
-===============
+ * Permissions for securitytool views cannot be zope.Public
- * Permissions for securitytool views cannot be zope.Public
+ * Fix permissionDetails
- * Be able to show permissions for context levels even if names are
- the same
+ * Specify which context the permission,group and role are attained
+ from
- * Fix permissionDetails
+
- * Specify which context the permission,group and role are attained
- from
+ PrincipalDetails
+ =================
+ * PermissionTree
+ * PermissionTree with `global settings`
+ * Directly provided permissions in effect at context level
- DONE
-===============
+ * RoleTree (Done)
+ * RoleTree with `global settings`
+ * Directly provided roles in effect at context level
+ PermissionDetails
+ =================
+
+ * Show permisisons that have a direct impact view and user
+ * Show roles that have a direct impact on view and user
+ * Link to PrincipalDetails
+
+
+
+ DONE
+==============================================================================
+
* Onclick for the fiter:
* Relative links for the root
@@ -33,3 +52,9 @@
* Specifically denied roles should be displayed with allowed roles
+ * Be able to show permissions for context levels even if names are
+ the same ( works for roles )
+
+
+
+
Modified: z3c.securitytool/trunk/src/z3c/securitytool/browser/principalinfo.pt
===================================================================
--- z3c.securitytool/trunk/src/z3c/securitytool/browser/principalinfo.pt 2008-02-16 17:31:00 UTC (rev 83932)
+++ z3c.securitytool/trunk/src/z3c/securitytool/browser/principalinfo.pt 2008-02-16 19:38:59 UTC (rev 83933)
@@ -23,7 +23,7 @@
<metal:block define-macro="user-details"
tal:define="permissions view/principalPermissions/permissions;
roles view/principalPermissions/roles;
- roleContext view/principalPermissions/roleContext;
+ roleTree view/principalPermissions/roleTree;
groups view/principalPermissions/groups">
<h3 tal:condition="permissions"> Directly provided
@@ -42,9 +42,9 @@
<br tal:condition="permissions">
- <h3 tal:condition="roleContext">Roles Defined in
+ <h3 tal:condition="roleTree">Roles Defined in
Context(s) for this user</h3>
- <tal:block tal:repeat="context roleContext">
+ <tal:block tal:repeat="context roleTree">
<span tal:define="curr python:context.values()[0]">
<div class="contextList"
tal:content="python: ' / '.join(curr['parentList'])"/>
@@ -55,13 +55,14 @@
</span>
</tal:block>
- <br tal:condition="roleContext">
+ <br tal:condition="roleTree">
<h3 tal:condition="roles">Permissions provided by roles</h3>
<div class="contentList" tal:condition="roles">
<div tal:repeat="role roles">
<b tal:content="role">zope.ManageSite:</b>
- <div class="contentList"
+
+ <!--div class="contentList"
tal:repeat="permission python:roles[role]">
<ul>
<li>
@@ -70,7 +71,8 @@
tal:content="permission/setting"/>
</li>
</ul>
- </div>
+ </div-->
+
<br>
</div>
Modified: z3c.securitytool/trunk/src/z3c/securitytool/browser/views.py
===================================================================
--- z3c.securitytool/trunk/src/z3c/securitytool/browser/views.py 2008-02-16 17:31:00 UTC (rev 83932)
+++ z3c.securitytool/trunk/src/z3c/securitytool/browser/views.py 2008-02-16 19:38:59 UTC (rev 83933)
@@ -155,6 +155,7 @@
skin = getSkin(self.request) or IBrowserRequest
principal_security = ISecurityChecker(self.context)
+
self.principalPermissions = principal_security.principalPermissions(
self.principal, skin=skin)
Modified: z3c.securitytool/trunk/src/z3c/securitytool/securitytool.py
===================================================================
--- z3c.securitytool/trunk/src/z3c/securitytool/securitytool.py 2008-02-16 17:31:00 UTC (rev 83932)
+++ z3c.securitytool/trunk/src/z3c/securitytool/securitytool.py 2008-02-16 19:38:59 UTC (rev 83933)
@@ -206,22 +206,18 @@
for all interfaces provided by this context for a
`principal_id`, and of course we are only after browser views"""
- # make prinpermsetttings a self value
+ request = TestRequest()
+ applySkin(request, skin)
self.prinPermSettings = {'permissions': [],
- 'roles': {},
- 'roleContext': [],
+ 'roles': [],
+ 'roleTree': [],
'groups': {}}
- request = TestRequest()
- applySkin(request, skin)
-
principals = zapi.principals()
principal = principals.getPrincipal(principal_id)
-
ifaces = tuple(providedBy(self.context))
for iface in ifaces:
-
for view_reg in getViews(iface, IBrowserRequest):
view = self.getView(view_reg, skin)
if not view:
@@ -231,92 +227,101 @@
PrinSettings = self.policyPermissions(principal,
all_settings)
-
self.populatePrinPermSettings(PrinSettings)
-
return self.prinPermSettings
+
def populatePrinPermSettings(self,PrinSettings):
- if PrinSettings['roleContext']:
+ """ Aggregates all the values returned from the policyPermissions
+ call in principalPermissions
+ """
+
+ if PrinSettings['roleTree']:
+ self.populateRoleTree(PrinSettings)
- for items in PrinSettings['roleContext']:
- #List of dictionaries
- for key, val in items.items():
- #Loop through the keys and values
+ if PrinSettings['permissions']:
+ self.populatePrincipalPermissions(PrinSettings)
- keys = [x.keys()[0] for x in\
- self.prinPermSettings['roleContext']]
- if key not in keys:
- self.prinPermSettings\
- ['roleContext'].append({key:{}})
- self.prinPermSettings['roleContext']\
- [-1] = {key:val}
+ if PrinSettings['roles']:
+ self.populatePrincipalRoles(PrinSettings)
- parentList = val['parentList']
- parentList.reverse()
- self.prinPermSettings['roleContext'][-1]\
- [key]['parentList'] = \
- parentList
+ if PrinSettings['groups']:
+ self.prinPermSettings['groups'].update(PrinSettings['groups'])
- continue
-
- place = keys.index(key)
+ def populateRoleTree(self,PrinSettings):
+ """ This method is responsible for creating the roleTree
+ the role tree is a list of dictionaries which contain the settings
+ for each context level and role from the current context to the
+ root folder
+ """
+
+ for items in PrinSettings['roleTree']:
+ #List of dictionaries
+ for key, val in items.items():
+ keys = [x.keys()[0] for x in\
+ self.prinPermSettings['roleTree']]
+ if key not in keys:
+ # If we do not have this context, add it
+ self.prinPermSettings\
+ ['roleTree'].append({key:{}})
+ self.prinPermSettings['roleTree']\
+ [-1] = {key:val}
+
parentList = val['parentList']
parentList.reverse()
- self.prinPermSettings['roleContext'][place]\
+ self.prinPermSettings['roleTree'][-1]\
[key]['parentList'] = \
parentList
+ continue
+
+ place = keys.index(key)
+ # Each key is unique so we just get the list index to edit
+ # we keep it as a list so the order stays the same.
+ parentList = val['parentList']
+ parentList.reverse()
+ self.prinPermSettings['roleTree'][place]\
+ [key]['parentList'] = \
+ parentList
+
+ self.prinPermSettings['roleTree'][place]\
+ [key]['name'] = val['name']
+
+ roles = val['roles']
+ self.prinPermSettings['roleTree']\
+ [place][key].setdefault('roles',[])
+ for role in roles:
+ # we make sure we only add the roles we do not yet have.
+ if role not in \
+ self.prinPermSettings['roleTree'][place]\
+ [key]['roles']:
+ self.prinPermSettings['roleTree'][place]\
+ [key]['roles'].append(role)
+
+ def populatePrincipalPermissions(self,PrinSettings):
+ if PrinSettings['permissions'] not in \
+ self.prinPermSettings['permissions']:
+ self.prinPermSettings['permissions'].append(
+ PrinSettings['permissions'])
- self.prinPermSettings['roleContext'][place]\
- [key]['name'] = val['name']
+ def populatePrincipalRoles(self,PrinSettings):
+ #print PrinSettings['roles']
+ #self.prinPermSettings['roles'].update(PrinSettings['roles'])
+ for role in PrinSettings['roles']:
+ if role not in self.prinPermSettings['roles']:
+ self.prinPermSettings['roles'].append(role)
- roles = val['roles']
- self.prinPermSettings['roleContext']\
- [place][key].setdefault('roles',[])
- for role in roles:
- if role not in \
- self.prinPermSettings['roleContext'][place]\
- [key]['roles']:
- self.prinPermSettings['roleContext'][place]\
- [key]['roles'].append(role)
-
- if PrinSettings['permissions']:
- if PrinSettings['permissions'] not in \
- self.prinPermSettings['permissions']:
- self.prinPermSettings['permissions'].append(
- PrinSettings['permissions'])
-
- if PrinSettings['roles']:
- #print PrinSettings['roles']
- #self.prinPermSettings['roles'].update(PrinSettings['roles'])
- for role in PrinSettings['roles']:
- if not self.prinPermSettings['roles'].has_key(role):
- self.prinPermSettings['roles'][role] = \
- PrinSettings['roles'][role]
-
- if PrinSettings['groups']:
- self.prinPermSettings['groups'].update(PrinSettings['groups'])
-
-
-
# TODO: Rename
def policyPermissions(self, principal, settings):
""" this method recursively populates the principal permissions
dict and is only used by principalPermissions """
- #[x for x[1] in settings]
prinPermSettings = {'permissions': [],
'roles': {},
- 'roleContext': [],
+ 'roleTree': [],
'groups': {}}
principals = zapi.principals()
- setting = {}
- role_context = {}
- perm_context = {}
- roleList = []
-
#For each item in our list we will update the settings dict
#for item in settings:
# for key,val in item.items():
@@ -324,87 +329,94 @@
# setting[key] = []
# setting[key].extend(val)
- try:
- for setting in settings:
- for name, item in setting.items():
-
- # Here we get all the permssions for this principal
- for prinPerms in item.get('principalPermissions', ()):
- if prinPerms['principal'] == principal.id:
- permission = prinPerms['permission']
- _setting = prinPerms['setting'].getName()
+ for setting in settings:
+ for name, item in setting.items():
+
+ # Here we get all the permssions for this principal
+ for prinPerms in item.get('principalPermissions', ()):
+ if prinPerms['principal'] == principal.id:
+ permission = prinPerms['permission']
+ _setting = prinPerms['setting'].getName()
+ mapping = {'permission': permission,
+ 'setting': _setting}
+ if not mapping in prinPermSettings['permissions']:
+ prinPermSettings['permissions'].append(mapping)
+ # Here we get all the roles for this principal
+ for prinRoles in item.get('principalRoles', ()):
+ if prinRoles['principal'] != principal.id:
+ continue
+
+ role = prinRoles['role']
+
+ contextName = name and name or 'Root Folder'
+ # Now we will build the roleTree object to display
+ # the levels and settings for all roles assigned to this
+ # principal.
+
+ parentList = item.get('parentList',None)
+ if parentList:
+ key = item.get('uid')
+ if not prinPermSettings['roleTree']:
+ prinPermSettings['roleTree'].append({
+ key:{}})
+ prinPermSettings['roleTree'][-1]\
+ [key]['roles'] = []
+
+ keys = [x.keys()[0] for x in\
+ prinPermSettings['roleTree']]
+
+ if key not in keys:
+ prinPermSettings['roleTree'].append({
+ key:{}})
+ prinPermSettings['roleTree'][-1]\
+ [key]['roles'] = []
+
+ prinPermSettings['roleTree'][-1]\
+ [key]['parentList'] = parentList
+
+ prinPermSettings['roleTree'][-1]\
+ [key]['name'] = contextName
+
+ newVal = {'setting':prinRoles['setting'].getName(),
+ 'role':role}
+
+ if newVal not in prinPermSettings['roleTree'][-1]\
+ [key]['roles']:
+ prinPermSettings['roleTree'][-1][key]\
+ ['roles'].append(newVal)
+
+ if prinRoles['setting'] == Deny:
+ try:
+ # Here we see if we have added a security setting with
+ # this role before, if it is now denied we remove it.
+ del prinPermSettings['roles'][role]
+ except KeyError:
+ pass
+ continue
+ elif prinRoles['setting'] == Allow:
+ # We only want to append the role if it is Allowed
+ if not prinPermSettings['roles'].has_key(role):
+ prinPermSettings['roles'][role] = prinRoles
+
+ for rolePerms in item['rolePermissions']:
+ # Here we get the permissions provided by each role
+ if rolePerms['role'] == role:
+ permission = rolePerms['permission']
+ _setting = rolePerms['setting'].getName()
mapping = {'permission': permission,
'setting': _setting}
- if not mapping in prinPermSettings['permissions']:
- prinPermSettings['permissions'].append(mapping)
- # Here we get all the roles for this principal
- for prinRoles in item.get('principalRoles', ()):
- if prinRoles['principal'] != principal.id:
- continue
-
- role = prinRoles['role']
-
- contextName = name and name or 'Root Folder'
-
- parentList = item.get('parentList',None)
- if parentList:
- key = item.get('uid')
- if not prinPermSettings['roleContext']:
- prinPermSettings['roleContext'].append({
- key:{}})
- prinPermSettings['roleContext'][-1]\
- [key]['roles'] = []
-
- keys = [x.keys()[0] for x in\
- prinPermSettings['roleContext']]
-
- if key not in keys:
- prinPermSettings['roleContext'].append({
- key:{}})
- prinPermSettings['roleContext'][-1]\
- [key]['roles'] = []
-
- prinPermSettings['roleContext'][-1]\
- [key]['parentList'] = parentList
-
- prinPermSettings['roleContext'][-1]\
- [key]['name'] = contextName
-
- newVal = {'setting':prinRoles['setting'].getName(),
- 'role':role}
-
- if newVal not in prinPermSettings['roleContext'][-1]\
- [key]['roles']:
- prinPermSettings['roleContext'][-1][key]\
- ['roles'].append(newVal)
-
- if prinRoles.get('setting','') != Allow:
- # We only want to see the role if we are granted
- # the allow permission for it
- # TODO have an else clause and show denied roles as
- # well
- continue
-
- for rolePerms in item['rolePermissions']:
-
- if rolePerms['role'] == role:
- permission = rolePerms['permission']
- _setting = rolePerms['setting'].getName()
- mapping = {'permission': permission,
- 'setting': _setting}
- perms = prinPermSettings['roles'].setdefault(role,[])
-
- if not mapping in perms:
- perms.append(mapping)
-
- # Here we loop through the groups and recursively call this method
- # for each one found.
- for group_id in principal.groups:
- group = principals.getPrincipal(group_id)
- prinPermSettings['groups'][group_id] = \
- self.policyPermissions(group, settings)
- except:
- import pdb; pdb.set_trace()
+
+
+ if not role in prinPermSettings['roles']:
+ prinPermSettings['roles'].append({role:mapping})
+
+ # Here we loop through the groups and recursively call this method
+ # for each one found.
+ for group_id in principal.groups:
+ group = principals.getPrincipal(group_id)
+ prinPermSettings['groups'][group_id] = \
+ self.policyPermissions(group, settings)
+
return prinPermSettings
def permissionDetails(self, principal_id, view_name, skin=IBrowserRequest):
@@ -428,10 +440,10 @@
# Here we want to aggregate all the rolePermissions in one place
rolePermissions = []
if not settings:
- return {'read_perm':'zope.Public','permissions': [],'roles': {},'groups': {}}
+ return {'read_perm':'zope.Public','permissions': [],'roles': [],'groups': {}}
if read_perm is None:
- prinPermSettings = {'permissions': [],'roles': {},'groups': {}}
+ prinPermSettings = {'permissions': [],'roles': [],'groups': {}}
read_perm ='zope.Public'
else:
for name,setting in settings:
@@ -613,10 +625,11 @@
data['uid'] = data['parentList'][0]+"_" + \
str(len(data['parentList']))
+ # Here we need to add the parentlist and uid to display it properly
+ # in the roleTree and in the permissionTree
result[-1][1]['parentList'] = ['Root Folder']
- result[-1][1]['uid'] = 'Root Folder'
+ result[-1][1]['uid'] = 'Root Folder'
-
data = {}
result.append(('global settings', data))
@@ -636,5 +649,9 @@
{'permission': p, 'role': r, 'setting': s}
for (p, r, s) in settings]
+ data['parentList'] = ['global settings']
+ data['uid'] = 'global settings'
+
+
return result
More information about the Checkins
mailing list