[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Security - ISecurityManager.py:1.1.2.3 SecurityManager.py:1.1.2.3
Tres Seaver
tseaver@zope.com
Fri, 30 Nov 2001 21:57:10 -0500
Update of /cvs-repository/Zope3/lib/python/Zope/App/Security
In directory cvs.zope.org:/tmp/cvs-serv21496
Modified Files:
Tag: Zope-3x-branch
ISecurityManager.py SecurityManager.py
Log Message:
- Remove fossil 'roles' argument from 'ISecurityManager.validateValue',
and rectify comment to indicate new "always raise if not allowed"
protocol.
- Refactor SecurityManager:
o Remove dependency on ZopeSecurityPolicy
o Install a "deny all" policy by default.
o Remove crufty 'thread_id' arg from ctor.
o Move redundant policy lookup into helper method, '_getPolicy'.
o Remove fossil
- Refactor SecurityManager:
o Remove dependency on ZopeSecurityPolicy
o Install a "deny all" policy by default.
o Remove crufty 'thread_id' arg from ctor.
o Move redundant policy lookup into helper method, '_getPolicy'.
o Remove fossil 'roles' argument from 'validateValue'.
- Add tests for SecurityManager's 'validate', 'validateValue', and
'checkPermission' methods, both with default (deny all) policy
and with permissive (allow all) policy.
=== Zope3/lib/python/Zope/App/Security/ISecurityManager.py 1.1.2.2 => 1.1.2.3 ===
"""
- def validateValue( value, roles ):
+ def validateValue( value ):
"""
- Validate access. This is a shortcut for the common case of
+ Validate access, raising Unauthorized if not allowed..
+
+ This is a shortcut for the common case of
validating a value without providing access information.
-
- A boolean value is returned indicating whether the value is
- accessible. An Unauthorized exception may be raised in some
- cases.
"""
def checkPermission( permission, object ):
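Review bot: The rewritten `validateValue` docstring drops the paragraph about the boolean result but never says what a caller receives when access is allowed, so implementers cannot tell whether the return value is still part of the contract. If the new protocol is purely "raise or fall through", the docstring should say so, for example `The return value is not significant; access is allowed unless Unauthorized is raised.` The added summary line also ends in a doubled period (`allowed..`). The interface body starts and ends outside this hunk.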
=== Zope3/lib/python/Zope/App/Security/SecurityManager.py 1.1.2.2 => 1.1.2.3 ===
""" Default ISecurityManager implementation """
-import ZopeSecurityPolicy, os, string
+import os, string
+
+from ISecurityPolicy import ISecurityPolicy
+from Zope.Exceptions import Unauthorized
max_stack_size = 100
-_defaultPolicy = ZopeSecurityPolicy.ZopeSecurityPolicy()
+class DefaultSecurityPolicy:
+ """
+ Deny all.
+ """
+ __implements__ = ISecurityPolicy
+
+ def validate( self, name, value, context ):
+ raise Unauthorized
+
+ def checkPermission( sel, permission, object, context ):
+ return 0
+
+
+_defaultPolicy = DefaultSecurityPolicy()
def setSecurityPolicy(aSecurityPolicy):
- """Set the system default security policy.
+ """
+ Set the system default security policy.
- This method should only be caused by system startup code. It should
- never, for example, be called during a web request.
+ This method should only be caused by system startup code. It should
+ never, for example, be called during a web request.
"""
global _defaultPolicy
- last=_defaultPolicy
- _defaultPolicy=aSecurityPolicy
+ last = _defaultPolicy
+ _defaultPolicy = aSecurityPolicy
return last
from ISecurityManager import ISecurityManager
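Review bot: `DefaultSecurityPolicy.checkPermission` names its first parameter `sel` rather than `self`; it runs, but it reads as a typo and should be `def checkPermission( self, permission, object, context ):`. In the same hunk the `setSecurityPolicy` docstring says "should only be caused by system startup code", where "called" is meant. That function replaces the process-wide deny-all default with whatever object it is handed, and nothing visible here enforces the start-up-only rule. The docstring should say that the restriction is by convention, and the function could reject `None` so the fail-closed default cannot be removed by accident.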
@@ -35,11 +52,22 @@
"""
__implements__ = ISecurityManager
- def __init__( self, thread_id, context ):
- self._thread_id = thread_id
+ def __init__( self, context ):
self._context = context
self._policy = None
+ def _getPolicy( self ):
+ """
+ Find current policy, or default.
+ """
+ policy = self._policy
+ if policy is None:
+ policy = _defaultPolicy
+ return policy
+
+ #
+ # ISecurityManager implementation
+ #
def validate( self, name, value ):
"""
Validate access.
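Review bot: The `_getPolicy` docstring ("Find current policy, or default.") does not say where the current policy comes from or which one wins, and that is the security-relevant part of this helper. From the rest of the diff, `self._policy` is set in `addContext` and `removeContext` from the top executable's `_customSecurityPolicy`, so a per-object policy takes precedence over the module default. I would spell that out, e.g. `Return the policy supplied by the executable on top of the context stack; fall back to the module-level default (deny all unless replaced via setSecurityPolicy).` The class statement and the rest of `validate` lie outside this hunk.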
@@ -54,23 +82,16 @@
accessible. An Unauthorized exception may be raised in some
cases.
"""
- policy = self._policy
- if policy is None: policy = _defaultPolicy
- return policy.validate( name, value, self._context )
+ return self._getPolicy().validate( name, value, self._context )
- def validateValue( self, value, roles ):
+ def validateValue( self, value ):
"""
Validate access. This is a shortcut for the common case of
validating a value without providing access information.
- A boolean value is returned indicating whether the value is
- accessible. An Unauthorized exception may be raised in some
- cases.
+ Raise Unauthorized if access not allowed.
"""
- policy = self._policy
- if policy is None:
- policy = _defaultPolicy
- return policy.validate( None, value, self._context )
+ return self._getPolicy().validate( None, value, self._context )
def checkPermission( self, permission, object ):
"""
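Review bot: The two context lines at the top of this hunk belong to `validate`'s docstring and still promise "A boolean value is returned ... An Unauthorized exception may be raised in some cases", while `validateValue` just below now documents the always-raise protocol. The two methods delegate to the same `policy.validate`, so the docstrings should agree; `validate` should carry the same line, `Raise Unauthorized if access not allowed.` This matters beyond wording. If a policy written against the old boolean contract returns a false value instead of raising, callers following the new protocol and ignoring the result would presumably treat that as access granted. It is worth confirming that every installed policy raises on denial.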
@@ -83,10 +104,8 @@
object -- The object being accessed according to the permission
"""
- policy = self._policy
- if policy is None:
- policy = _defaultPolicy
- return policy.checkPermission( permission, object, self._context )
+ return self._getPolicy().checkPermission( permission, object
+ , self._context )
def addContext( self, anExecutableObject ):
"""
@@ -96,12 +115,16 @@
There is no return.
"""
stack=self._context.stack
+
if len( stack ) > max_stack_size:
raise SystemError, 'Excessive recursion'
+
stack.append( anExecutableObject )
- p=getattr( anExecutableObject, '_customSecurityPolicy', None )
- if p is not None: p=p()
- self._policy=p
+ p = getattr( anExecutableObject, '_customSecurityPolicy', None )
+
+ if p is not None:
+ p = p()
+ self._policy = p
def removeContext( self, anExecutableObject ):
"""
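Review bot: In `addContext`, whatever `_customSecurityPolicy()` returns is assigned to `self._policy` with no check, and `_getPolicy` then prefers it over the deny-all default. The new code imports `ISecurityPolicy` but only uses it to declare `DefaultSecurityPolicy`. Consider verifying that the returned object declares that interface before installing it, and leaving `self._policy` as `None` (so the default applies) or raising when it does not. At minimum add a comment such as `# the executable's own policy overrides the system default for nested calls`. The same unchecked assignment appears in `removeContext`, in the hunk at `@@ -126,10 +153,14 @@`. Separately, the `len( stack ) > max_stack_size` guard in the context lines admits one entry more than the constant suggests.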
@@ -110,12 +133,16 @@
There is no return.
"""
stack=self._context.stack
- if not stack: return
- top=stack[-1]
+
+ if not stack:
+ return
+
+ top = stack[-1]
+
if top is anExecutableObject:
del stack[-1]
else:
- indexes=range(len(stack))
+ indexes = range(len(stack))
indexes.reverse()
for i in indexes:
top=stack[i]
@@ -126,10 +153,14 @@
return
if stack:
- top=stack[-1]
- p=getattr(top, '_customSecurityPolicy', None)
- if p is not None: p=p()
+
+ top = stack[-1]
+ p = getattr( top, '_customSecurityPolicy', None )
+
+ if p is not None:
+ p=p()
self._policy=p
+
else:
self._policy=None