[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Security - ZopeSecurityPolicy.py:1.1.2.9
Jim Fulton
jim@zope.com
Wed, 26 Dec 2001 15:35:42 -0500
Update of /cvs-repository/Zope3/lib/python/Zope/App/Security
In directory cvs.zope.org:/tmp/cvs-serv32597
Modified Files:
Tag: Zope-3x-branch
ZopeSecurityPolicy.py
Log Message:
Reworked basic access checks
=== Zope3/lib/python/Zope/App/Security/ZopeSecurityPolicy.py 1.1.2.8 => 1.1.2.9 ===
from types import StringType, TupleType
-from Zope.Exceptions import Unauthorized
-from RolePermissionMap import getRolesForPermission
+from Zope.Exceptions import Unauthorized, Forbidden
-_notfound = []
-_what_not_even_god_should_do = ()
-
-AnonymousRole = ( 'Anonymous', )
+from Zope.App.Security.PermissionRegistry import permissionRegistry
+from Zope.App.Security.PrincipalRegistry import principalRegistry
+from Zope.App.Security.RoleRegistry import roleRegistry
+from Zope.App.Security.PrincipalPermissionManager \
+ import principalPermissionManager
+from Zope.App.Security.RolePermissionManager import rolePermissionManager
+from Zope.App.Security.PrincipalRoleManager import principalRoleManager
+
+getPermissionsForPrincipal = principalPermissionManager.getPermissionsForPrincipal
+getPermissionsForRole = rolePermissionManager.getPermissionsForRole
+getRolesForPrincipal = principalRoleManager.getRolesForPrincipal
class ZopeSecurityPolicy:
@@ -61,41 +67,31 @@
, value
, context
):
- raise Unauthorized, "Jim & Guido were here"
- if not self._allowName( name ):
- raise Unauthorized, "Name '%s' is not allowed" % name
-
- permission = self._findPermission( value )
-
- if permission is None:
- raise Unauthorized, "Can't find permission for %s" % name
-
- #
- # Note that the following two checks duplicate 'checkPermission';
- # we don't just call it, because our contract is to raise an
- # information-laden exception if the checks fail.
- #
- roles = self._listRolesFor( permission, value )
-
- if not roles:
- raise Unauthorized, "No roles have permission %s" % permission
-
- allowed = context.user.allowed( value, roles )
-
- if not allowed:
- raise Unauthorized, \
- ( "Principal '%s' does not have permission, %s"
- "(user would need one of the following roles: %s)"
- % ( permission
- , context.user.getTitle()
- , string.join( roles, ',' )
- )
- )
+
+ try: permission=value.__permission__
+ except AttributeError:
+ raise Forbidden(name, value, 'No permission set')
+
+ if self.checkPermission(permission, value, context):
+ return
+ raise Unauthorized(permission, name, value)
def checkPermission( self, permission, object, context ):
- roles = self._aggregateRolesFor( permission, object )
- return context.user.allowed( object, roles )
+ if permission in getPermissionsForRole('Anonymous'):
+ return 1
+
+ principals = { context.user : 1 }
+
+ for p in principals.keys():
+ if permission in getPermissionsForPrincipal(p):
+ del principals[p]
+ else:
+ for r in getRolesForPrincipal(p):
+ if permission in getPermissionsForRole(r):
+ del principals[p]
+
+ return not principals
#
# Helper methods
@@ -130,3 +126,6 @@
roles.sort()
return tuple( roles )
+
+zopeSecurityPolicy=ZopeSecurityPolicy()
+