[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Security - AttributeRolePermissionManager.py:1.1.2.4.2.1 ZopeSecurityPolicy.py:1.1.2.13.2.2
Casey Duncan
casey_duncan@yahoo.com
Mon, 11 Feb 2002 13:48:49 -0500
Update of /cvs-repository/Zope3/lib/python/Zope/App/Security
In directory cvs.zope.org:/tmp/cvs-serv9750
Modified Files:
Tag: Zope-3x-security_defactor-branch
AttributeRolePermissionManager.py ZopeSecurityPolicy.py
Log Message:
Security manager *almost* working...Still failing one test when trying to get the playful RolePermission adapter. 8^/
=== Zope3/lib/python/Zope/App/Security/AttributeRolePermissionManager.py 1.1.2.4 => 1.1.2.4.2.1 ===
pp = self._getRolePermissions()
if pp:
- return self.getCell( permission, role )
+ return pp.getCell( permission, role )
else:
return Unset
=== Zope3/lib/python/Zope/App/Security/ZopeSecurityPolicy.py 1.1.2.13.2.1 => 1.1.2.13.2.2 ===
def checkPermission( self, permission, object, context ):
- # The following commented code is wrong in serveral ways:
- #
- # 1) Anonymous is a role, not a principal
- #
- # 2) It's not enough for anonymous top have the needed permission
- # globally, since the permission may be delayed lower dowm.
- #
- # 3) It's really ineffecient to collect all the principals that have
- # a role.
- #
- #anon = principalRegistry.getPrincipal('Anonymous')
- #if (permission, Allow) in getPermissionsForRole(anon):
- # return 1
+ print 'checking permission:', permission, object
principals = { context.user : 1 }
roles = {}
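Review bot: The added `print 'checking permission:', permission, object` runs on every access check and formats `object`, so whatever that object's repr exposes is written to the server's stdout. The same applies to the prints added in the later hunks of this file: `print c`, the two 'got playul ... adapter' messages, 'No playful role permission adapter' and 'DENY: fell through'. The log message suggests this is temporary tracing for the failing test. Before this branch is merged the prints should be removed or moved behind the project's logging facility at debug level; until then a marker such as `# XXX debug tracing, remove before merge` above each one would keep them from being overlooked. checkPermission's body continues outside this hunk.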
@@ -109,8 +97,10 @@
# XXX We aren't really handling multiple principals below
for c in ContainmentIterator(object):
+ print c
ppm = getAdapter(c, IPrincipalPermissionManager, None)
if ppm is not None:
+ print 'got playul principal permission adapter'
for principal in principals.keys():
setting = ppm.getSetting(permission, principal)
if setting is Allow:
@@ -122,6 +112,7 @@
rpm = getAdapter(c, IRolePermissionManager, None)
if rpm is not None:
+ print 'got playul role permission adapter'
for role in all_roles:
setting = rpm.getSetting(permission, role)
if setting == Allow:
@@ -130,30 +121,38 @@
return 0 # Explicit Deny on role.
if seen_allowed:
return 1 # I'm allowed by a role on the principal
+ else:
+ print 'No playful role permission adapter'
# now check the dour interfaces - maybe they've got settings
ppm = principalPermissionManager
- if ppm is not None:
- for principal in principals.keys():
- setting = ppm.getSetting(permission, principal)
- if setting is Allow:
- seen_allowed = 1
- elif setting is Deny:
- return 0 # Explicit deny on principal
- if seen_allowed:
- return 1 # If I'm allowed here... forget the rest.
+ for principal in principals.keys():
+ setting = ppm.getSetting(permission, principal)
+ if setting is Allow:
+ seen_allowed = 1
+ elif setting is Deny:
+ return 0 # Explicit deny on principal
+ if seen_allowed:
+ return 1 # If I'm allowed here... forget the rest.
rpm = rolePermissionManager
- if rpm is not None:
- for role in all_roles:
- setting = rpm.getSetting(permission, role)
- if setting == Allow:
- seen_allowed = 1
- if setting == Deny:
- return 0 # Explicit Deny on role.
+ getGlobalRoles = principalRoleManager.getRolesForPrincipal
+ for principal in principals.keys():
+ # Get the global roles for this principal always checking
+ # anonymous first
+ all_roles = [('Anonymous', Assign)] + getGlobalRoles(principal)
+ for role, role_setting in all_roles:
+ if role_setting is Assign:
+ setting = rpm.getSetting(permission, role)
+ if setting == Allow:
+ seen_allowed = 1
+ if setting == Deny:
+ return 0 # Explicit Deny on role.
if seen_allowed:
return 1 # I'm allowed by a role on the principal
+ print 'DENY: fell through'
+
return 0 # Deny by default
# for p in principals.keys():
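Review bot: Prepending `('Anonymous', Assign)` to every principal's global roles means a global Deny granted to the Anonymous role makes `return 0 # Explicit Deny on role.` fire for every principal, authenticated or not, since any Deny in the role loop returns immediately. If that is intended, say so next to the `all_roles = ...` line, for example `# NOTE: a Deny granted to Anonymous denies this permission for all principals`; if not, the Anonymous setting should only be able to contribute an Allow. The loop also rebinds `all_roles` to a list of (role, setting) pairs, while the containment loop in the earlier hunk iterates `all_roles` as plain role ids, so a separate name such as `global_roles` would avoid mixing the two shapes. Two things are not visible here and are worth confirming: that `getGlobalRoles(principal)` returns a list (the `+` needs one), and whether `if seen_allowed:` sits inside or after the principal loop, as the page has lost its indentation.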
@@ -228,7 +227,7 @@
if not roles.has_key(role):
roles[role] = setting
- result = []
+ result = [('Anonymous',Assign)] # Always check anonymous
for role, setting in roles.items():
if setting is Assign:
result.append(role)
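Review bot: `result` now starts with the tuple `('Anonymous',Assign)`, but the loop below appends bare role ids with `result.append(role)`, so the returned list mixes one (role, setting) pair with plain roles. A caller that passes each element to `rpm.getSetting(permission, role)`, as the containment loop in checkPermission appears to do, would look up the tuple and never match the Anonymous role's settings. Seeding with the role id keeps the list homogeneous: `result = ['Anonymous']  # Always check anonymous`. If `roles` can already hold 'Anonymous' with Assign, the list will contain it twice, which looks harmless for the checks shown. The enclosing function starts outside this hunk.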