[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Security - ZopeSecurityPolicy.py:1.1.2.3
Tres Seaver
tseaver@zope.com
Wed, 28 Nov 2001 15:59:26 -0500
Update of /cvs-repository/Zope3/lib/python/Zope/App/Security
In directory cvs.zope.org:/tmp/cvs-serv8843
Modified Files:
Tag: Zope-3x-branch
ZopeSecurityPolicy.py
Log Message:
- Remove a YAGNI violation (stubbed out placeful role lookup).
- Add note about an (apparent) OnceAndOnlyOnce violation.
=== Zope3/lib/python/Zope/App/Security/ZopeSecurityPolicy.py 1.1.2.2 => 1.1.2.3 ===
from Zope.Exceptions import Unauthorized
-from Zope.ContextWrapper import getinnercontext
from PermissionRegistry import rolesForPermission
_notfound = []
@@ -33,22 +32,22 @@
Two optional keyword arguments may be provided:
ownerous -- Untrusted users can create code
- (e.g. Python scripts or templates),
- so check that code owners can access resources.
- The argument must have a truth value.
- The default is true.
+ (e.g. Python scripts or templates),
+ so check that code owners can access resources.
+ The argument must have a truth value.
+ The default is true.
authenticated -- Allow access to resources based on the
- privaledges of the authenticated user.
- The argument must have a truth value.
- The default is true.
-
- This (somewhat experimental) option can be set
- to false on sites that allow only public
- (unauthenticated) access. An anticipated
- scenario is a ZEO configuration in which some
- clients allow only public access and other
- clients allow full management.
+ privaledges of the authenticated user.
+ The argument must have a truth value.
+ The default is true.
+
+ This (somewhat experimental) option can be set
+ to false on sites that allow only public
+ (unauthenticated) access. An anticipated
+ scenario is a ZEO configuration in which some
+ clients allow only public access and other
+ clients allow full management.
"""
self._ownerous=ownerous
@@ -87,6 +86,11 @@
if permission is None:
raise Unauthorized, "Can't find permission for %s" % name
+ #
+ # Note that the following two checks duplicate 'checkPermission';
+ # we don't just call it, because our contract is to raise an
+ # information-laden exception if the checks fail.
+ #
roles = self._aggregateRolesFor( permission, value )
if not roles:
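Review bot: The comment added above `roles = self._aggregateRolesFor( permission, value )` records that these two checks are a copy of 'checkPermission', but nothing in the code ties the copies together. In a security policy that leaves two authorization paths which can drift apart, so one could allow what the other denies. If the copies stay, the comment should tell the next editor what to do, for example `# Keep in sync with 'checkPermission': change both or neither.`. A sturdier option is one private helper that returns the failure reason, so 'checkPermission' tests it for truth and this method raises Unauthorized with it. Only the first of the two checks is visible here; the enclosing method starts and ends outside the hunk.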
@@ -137,21 +141,16 @@
"""
return getattr( value, '__permission__', None )
- def _listAggregatedRolesFor( self, permission, wrapped ):
+ def _listRolesFor( self, permission, object ):
"""
- Crawl the context of 'wrapped' and return an accumulated
+ Crawl the context of 'object' and return an accumulated
list of all roles which have 'permission'.
+
+ Note that we don't (yet) use 'object' to search for
+ placeful permission-role bindings.
"""
role_set = {}
- # Check placeful roles by walking the inner context chain.
- while wrapped is not None:
-
- for role in self._listRolesFor( permission, wrapped ):
- role_set[ role ] = 1
-
- wrapped = getinnercontext( wrapped )
-
# Add "global" roles for permission here
for role in rolesForPermission( permission ):
role_set[ role ] = 1
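Review bot: The docstring of the renamed `_listRolesFor` still opens with "Crawl the context of 'object' and return an accumulated list", although the walk over the inner context is removed and the visible body only collects `rolesForPermission( permission )`. A reader auditing access decisions could take that first sentence to mean placeful bindings are honoured; something like `Return the roles globally granted 'permission'; 'object' is accepted but not yet consulted.` would match the code. The new parameter name `object` also shadows the builtin, and a neutral name such as `context` avoids that. No call-site change for the rename appears in this diff, so it is worth confirming that nothing still calls `_listAggregatedRolesFor`. The tail of the function lies outside this hunk.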
@@ -160,9 +159,3 @@
roles.sort()
return tuple( roles )
-
- def _listRolesFor( self, permission, unwrapped ):
- """
- Return a list of roles which have 'permission' on 'unwrapped'.
- """
- return () # TODO: find placeful roles