[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Security - ZopeSecurityPolicy.py:1.1.2.13
Anthony Baxter
anthony@interlink.com.au
Sat, 9 Feb 2002 17:54:30 -0500
Update of /cvs-repository/Zope3/lib/python/Zope/App/Security
In directory cvs.zope.org:/tmp/cvs-serv16976
Modified Files:
Tag: Zope-3x-branch
ZopeSecurityPolicy.py
Log Message:
Dour (non-playful) security now works. Woo-hoo.
Note that a couple of tests in testZSP are still commented out, as
they assume that principals, roles or permissions are strings. Naughty!
=== Zope3/lib/python/Zope/App/Security/ZopeSecurityPolicy.py 1.1.2.12 => 1.1.2.13 ===
def checkPermission( self, permission, object, context ):
- if permission in getPermissionsForRole('Anonymous'):
+ anon = principalRegistry.getPrincipal('Anonymous')
+ if (permission, Allow) in getPermissionsForRole(anon):
return 1
principals = { context.user : 1 }
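Review bot: The anonymous shortcut at the top of `checkPermission` returns 1 before any `Deny` setting is consulted, so an explicit deny recorded for `context.user` cannot take away a permission that Anonymous holds. If that precedence is intended, it deserves a comment such as `# Anonymous grants are unconditional: no Deny below can override them`. The new lookup also passes the result of `principalRegistry.getPrincipal('Anonymous')` to `getPermissionsForRole`, which by its name expects a role, so `anon` should be renamed or the principal/role dual use explained. What `getPrincipal` does when no 'Anonymous' entry is registered is not visible here, so confirm that this failure mode cannot make the membership test succeed. The rest of `checkPermission` lies outside this hunk.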
@@ -112,8 +113,6 @@
rpm = getAdapter(c, IRolePermissionManager, None)
if rpm is not None:
for role in all_roles:
- # XXX: As yet, role permission managers have no concept of
- # deny, refactor when this gets implemented
setting = rpm.getSetting(permission, role)
if setting == Allow:
seen_allowed = 1
@@ -122,6 +121,29 @@
if seen_allowed:
return 1 # I'm allowed by a role on the principal
+ # now check the dour interfaces - maybe they've got settings
+ ppm = principalPermissionManager
+ if ppm is not None:
+ for principal in principals.keys():
+ setting = ppm.getSetting(permission, principal)
+ if setting is Allow:
+ seen_allowed = 1
+ elif setting is Deny:
+ return 0 # Explicit deny on principal
+ if seen_allowed:
+ return 1 # If I'm allowed here... forget the rest.
+
+ rpm = rolePermissionManager
+ if rpm is not None:
+ for role in all_roles:
+ setting = rpm.getSetting(permission, role)
+ if setting == Allow:
+ seen_allowed = 1
+ if setting == Deny:
+ return 0 # Explicit Deny on role.
+ if seen_allowed:
+ return 1 # I'm allowed by a role on the principal
+
return 0 # Deny by default
# for p in principals.keys():
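Review bot: The added principal loop tests `setting is Allow` and `setting is Deny`, while the role loops before and after it use `==`. If a permission manager ever returns a setting that is equal to `Deny` but not the same object (whether the settings are guaranteed singletons is not visible here), the explicit deny is silently skipped and evaluation falls through to the role checks, where an `Allow` grants access. I would use equality in both branches, `if setting == Allow:` and `elif setting == Deny:`, and make the second test in the role loop an `elif` to match. Separately, the `if seen_allowed: return 1` kept at the top of this hunk means the global `principalPermissionManager` deny is never reached once a context-local role has allowed; if local allow is meant to beat global deny, say so in a comment above `ppm = principalPermissionManager`. The enclosing function starts outside the hunk.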
@@ -133,7 +155,6 @@
# del principals[p]
# if r in roles:
# return 1
-
# return not principals
#
@@ -178,11 +199,22 @@
principals = [context.user]
roles = {}
- for c in ContainmentIterator(object):
- prm = getAdapter(c, IPrincipalRoleManager, None)
+ if object is not None:
+ for c in ContainmentIterator(object):
+ prm = getAdapter(c, IPrincipalRoleManager, None)
+ if prm is not None:
+ for principal in principals:
+ for role, setting in \
+ prm.getRolesForPrincipal(principal):
+ if not roles.has_key(role):
+ roles[role] = setting
+ else:
+ # non-playful (dour) roles
+ prm = principalRoleManager
if prm is not None:
for principal in principals:
- for role, setting in prm.getRolesForPrincipal(principal):
+ for role, setting in \
+ prm.getRolesForPrincipal(principal):
if not roles.has_key(role):
roles[role] = setting
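Review bot: The global `principalRoleManager` appears to be consulted only in the `else:` branch, i.e. when `object` is None, so for any real object the role settings assigned globally (including a `Deny`) never enter `roles`. The archive has stripped indentation, so this reading is inferred from which lines are unchanged context. It is inconsistent with `checkPermission`, which in this same commit falls back to the global managers after walking the containment chain. If the asymmetry is deliberate, document it with something like `# global (dour) role assignments apply only when there is no object context`; otherwise run the global lookup after the containment loop instead of in place of it. The `for principal ... getRolesForPrincipal ... roles[role] = setting` body is now duplicated in both branches and would be less likely to drift if it were a small private helper taking `prm`. The enclosing method starts outside the hunk.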