[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Security - ZopeSecurityPolicy.py:1.1.2.3

Tres Seaver tseaver@zope.com
Wed, 28 Nov 2001 15:59:26 -0500


Update of /cvs-repository/Zope3/lib/python/Zope/App/Security
In directory cvs.zope.org:/tmp/cvs-serv8843

Modified Files:
      Tag: Zope-3x-branch
	ZopeSecurityPolicy.py 
Log Message:


 - Remove a YAGNI violation (stubbed out placeful role lookup).

 - Add note about an (apparent) OnceAndOnlyOnce violation.


=== Zope3/lib/python/Zope/App/Security/ZopeSecurityPolicy.py 1.1.2.2 => 1.1.2.3 ===
 
 from Zope.Exceptions import Unauthorized
-from Zope.ContextWrapper import getinnercontext
 from PermissionRegistry import rolesForPermission
 
 _notfound = []
@@ -33,22 +32,22 @@
             Two optional keyword arguments may be provided:
 
             ownerous -- Untrusted users can create code
-                        (e.g. Python scripts or templates),
-                        so check that code owners can access resources.
-                        The argument must have a truth value.
-                        The default is true.
+                (e.g. Python scripts or templates),
+                so check that code owners can access resources.
+                The argument must have a truth value.
+                The default is true.
 
             authenticated -- Allow access to resources based on the
-                        privaledges of the authenticated user.  
-                        The argument must have a truth value.
-                        The default is true.
-
-                        This (somewhat experimental) option can be set
-                        to false on sites that allow only public
-                        (unauthenticated) access. An anticipated
-                        scenario is a ZEO configuration in which some
-                        clients allow only public access and other
-                        clients allow full management.
+                privaledges of the authenticated user.  
+                The argument must have a truth value.
+                The default is true.
+
+                This (somewhat experimental) option can be set
+                to false on sites that allow only public
+                (unauthenticated) access. An anticipated
+                scenario is a ZEO configuration in which some
+                clients allow only public access and other
+                clients allow full management.
         """
         
         self._ownerous=ownerous
@@ -87,6 +86,11 @@
         if permission is None:
             raise Unauthorized, "Can't find permission for %s" % name
 
+        #
+        #   Note that the following two checks duplicate 'checkPermission';
+        #   we don't just call it, because our contract is to raise an
+        #   information-laden exception if the checks fail.
+        #
         roles = self._aggregateRolesFor( permission, value )
 
         if not roles:
@@ -137,21 +141,16 @@
         """
         return getattr( value, '__permission__', None )
     
-    def _listAggregatedRolesFor( self, permission, wrapped ):
+    def _listRolesFor( self, permission, object ):
         """
-            Crawl the context of 'wrapped' and return an accumulated
+            Crawl the context of 'object' and return an accumulated
             list of all roles which have 'permission'.
+
+            Note that we don't (yet) use 'object' to search for
+            placeful permission-role bindings.
         """
         role_set = {}
 
-        # Check placeful roles by walking the inner context chain.
-        while wrapped is not None:
-
-            for role in self._listRolesFor( permission, wrapped ):
-                role_set[ role ] = 1
-            
-            wrapped = getinnercontext( wrapped )
-        
         # Add "global" roles for permission here
         for role in rolesForPermission( permission ):
             role_set[ role ] = 1
@@ -160,9 +159,3 @@
         roles.sort()
 
         return tuple( roles )
-
-    def _listRolesFor( self, permission, unwrapped ):
-        """
-            Return a list of roles which have 'permission' on 'unwrapped'.
-        """
-        return ()   # TODO:  find placeful roles