[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Security - IPrincipalPermissionMap.py:1.3 IPrincipalRoleMap.py:1.3 IRolePermissionMap.py:1.3 Settings.py:1.4 ZopeSecurityPolicy.py:1.4
Jim Fulton
jim@zope.com
Tue, 2 Jul 2002 15:49:09 -0400
Update of /cvs-repository/Zope3/lib/python/Zope/App/Security
In directory cvs.zope.org:/tmp/cvs-serv3863/lib/python/Zope/App/Security
Modified Files:
IPrincipalPermissionMap.py IPrincipalRoleMap.py
IRolePermissionMap.py Settings.py ZopeSecurityPolicy.py
Log Message:
Added a utility function in the ZopeSecurityPolicy module to get the
permissions held by a principal. This is needed to implement the
granting policy described in
http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/Zope3SecurityModel
Also removed the special security settings "Assign" and "Remove" and
switched the code to use "Allow" and "Deny" instead.
=== Zope3/lib/python/Zope/App/Security/IPrincipalPermissionMap.py 1.2 => 1.3 ===
def getPrincipalsForPermission(permission_id):
- """Return the list of (principal_id, setting) tuples that describe
+ """Get the principas that have a permission.
+
+ Return the list of (principal_id, setting) tuples that describe
security assertions for this permission.
If no principals have been set for this permission, then the empty
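Review bot: The new summary line of getPrincipalsForPermission has a typo: `"""Get the principas that have a permission.` should read `"""Get the principals that have a permission.`. A similar slip is in the IRolePermissionMap.py section, where the summary of getPermissionsForRole says "premissions". The docstring continues past the end of this hunk.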
@@ -28,7 +30,9 @@
"""
def getPermissionsForPrincipal(principal_id):
- """Return the list of (permission, setting) tuples that describe
+ """Get the permissions granted to a principal.
+
+ Return the list of (permission, setting) tuples that describe
security assertions for this principal.
If no permissions have been set for this principal, then the empty
@@ -36,12 +40,19 @@
"""
def getSetting(permission_id, principal_id):
- """Get the setting (Allow/Deny/Unset) for a given permission and
+ """Get the setting for a permission and principal.
+
+ Get the setting (Allow/Deny/Unset) for a given permission and
principal.
"""
def getPrincipalsAndPermissions():
- """Get the principal security assertions here in the form
+ """Get all principal permission settings.
+
+ Get the principal security assertions here in the form
of a list of three tuple containing
(permission id, principal id, setting)
"""
+
+
+
=== Zope3/lib/python/Zope/App/Security/IPrincipalRoleMap.py 1.2 => 1.3 ===
def getPrincipalsForRole(role_id):
- """Return the list of (principal, setting) who have been assigned or
+ """Get the principals that have been granted a role.
+
+ Return the list of (principal, setting) who have been assigned or
removed from a role.
If no principals have been assigned this role,
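Review bot: The docstring body kept under the new summary still describes the setting as "assigned or removed from a role", while this commit deletes the Assign and Remove settings in Settings.py and compares against Allow in ZopeSecurityPolicy.py. Someone implementing this interface cannot tell from the text which setting objects to return. I would reword it along the lines of `Return the list of (principal, setting) pairs recorded for this role, where setting is Allow or Deny.` The same wording remains in getRolesForPrincipal in the next hunk, and the docstring here continues outside the hunk.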
@@ -28,7 +30,9 @@
"""
def getRolesForPrincipal(principal_id):
- """Return the list of (role, setting) assigned or removed from
+ """Get the roles granted to a principal.
+
+ Return the list of (role, setting) assigned or removed from
this principal.
If no roles have been assigned to
@@ -40,7 +44,11 @@
"""
def getPrincipalsAndRoles():
- """Return all the principal/role combinations along with the
- setting for each combination.
+ """Get all settings.
+
+ Return all the principal/role combinations along with the
+ setting for each combination as a sequence of tuples with the
+ role, principal, and setting, in that order.
+
"""
=== Zope3/lib/python/Zope/App/Security/IRolePermissionMap.py 1.2 => 1.3 ===
def getPermissionsForRole(role_id):
- """Return a sequence of (permission id, setting) tuples for the given
+ """Get the premissions granted to a role.
+
+ Return a sequence of (permission id, setting) tuples for the given
role.
If no permissions have been granted to this
@@ -29,7 +31,9 @@
"""
def getRolesForPermission(permission_id):
- """Return a sequence of (role id, setting) tuples for the given
+ """Get the roles that have a permission.
+
+ Return a sequence of (role id, setting) tuples for the given
permission.
If no roles have been granted this permission, then the empty list is
@@ -42,8 +46,11 @@
If there is no setting, Unset is returned
"""
- def getPrincipalsAndRoles():
+ def getRolesAndPermissions():
"""Return a sequence of (principal_id, role_id, setting) here.
+
+ The settings are returned as a sequence of permission, role,
+ setting tuples.
If no principal/role assertions have been made here, then the empty
list is returned.
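Review bot: The renamed getRolesAndPermissions keeps the old first line `Return a sequence of (principal_id, role_id, setting) here.` and the closing sentence about "principal/role assertions", and both contradict the added sentence saying the tuples are permission, role, setting. permissionsOfPrincipal in ZopeSecurityPolicy.py unpacks the result as `perm, role, setting`, so an implementation written from the stale line would have its fields read in the wrong positions without any error. I would change the first line to `"""Return a sequence of (permission_id, role_id, setting) tuples here.` and the last sentence to "If no role/permission assertions have been made here". The docstring ends outside the hunk.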
=== Zope3/lib/python/Zope/App/Security/Settings.py 1.3 => 1.4 ===
'Unset constant that denotes no setting for permission and role')
-Assign = PermissionSetting('Assign',
- 'Explicit assign setting for roles')
-
-Remove = PermissionSetting('Remove',
- 'Explicit remove setting for roles')
=== Zope3/lib/python/Zope/App/Security/ZopeSecurityPolicy.py 1.3 => 1.4 ===
from Zope.Exceptions import Unauthorized, Forbidden
from Zope.Security.ISecurityPolicy import ISecurityPolicy
-from Zope.App.Security.IRolePermissionManager import IRolePermissionManager
+from Zope.App.Security.IRolePermissionManager \
+ import IRolePermissionManager, IRolePermissionMap
from Zope.App.Security.IPrincipalPermissionManager \
- import IPrincipalPermissionManager
+ import IPrincipalPermissionManager, IPrincipalPermissionMap
from Zope.App.Security.IPrincipalRoleManager \
- import IPrincipalRoleManager
+ import IPrincipalRoleManager, IPrincipalRoleMap
from Zope.App.Security.IRolePermissionManager import IRolePermissionManager
from Zope.App.Security.Registries.PermissionRegistry import permissionRegistry
from Zope.App.Security.Registries.PrincipalRegistry import principalRegistry
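Review bot: After this hunk IRolePermissionManager is imported twice: once in the rewritten import at the top, and again on the unchanged line below the IPrincipalRoleManager import, which can be dropped. The three Map interfaces are also imported from the Manager modules, although this commit shows them in modules of their own (IRolePermissionMap.py and so on), so these imports presumably rely on the Manager modules importing them. Importing each from its defining module, e.g. `from Zope.App.Security.IRolePermissionMap import IRolePermissionMap`, would remove that dependency.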
@@ -36,9 +37,7 @@
import rolePermissionManager
from Zope.App.Security.Grants.Global.PrincipalRoleManager \
import principalRoleManager
-from Zope.App.Security.Settings import Allow, Deny, Assign, Remove, Unset
-
-from types import StringType, StringTypes, TupleType, ListType, IntType, MethodType, NoneType
+from Zope.App.Security.Settings import Allow, Deny
getPermissionsForPrincipal = \
principalPermissionManager.getPermissionsForPrincipal
@@ -88,7 +87,8 @@
# Check the placeful principal permissions and aggregate the
# Roles in this context
for c in ContainmentIterator(object):
- ppm = queryAdapter(c, IPrincipalPermissionManager, None, globalContext)
+ ppm = queryAdapter(c, IPrincipalPermissionManager, None,
+ globalContext)
if ppm is not None:
for principal in principals.keys():
setting = ppm.getSetting(permission, principal)
@@ -103,7 +103,7 @@
for role, setting in prm.getRolesForPrincipal(principal):
if not (role in roles):
roles[role] = 1
- if setting is Assign:
+ if setting is Allow:
assigned_roles[role] = 1
# now check the global principal permissions
@@ -121,7 +121,7 @@
for role, setting in global_roles:
if not (role in roles):
roles[role] = 1
- if setting is Assign:
+ if setting is Allow:
assigned_roles[role] = 1
# Check the placeful role permissions, checking anonymous first
@@ -140,8 +140,8 @@
# Last, check if there are any global role settings
getSetting = rolePermissionManager.getSetting
for principal in principals.keys():
- for role, role_setting in [('Anonymous', Assign)] + global_roles:
- if role_setting is Assign:
+ for role, role_setting in [('Anonymous', Allow)] + global_roles:
+ if role_setting is Allow:
setting = getSetting(permission, role)
if setting == Allow:
seen_allow = 1 # Flag allow and continue
@@ -151,6 +151,69 @@
return 1 # Allow on global role
return 0 # Deny by default
+
+
+
+def permissionsOfPrincipal(principal, object):
+ permissions = {}
+ roles = {'Anonymous': Allow} # Everyone has anonymous
+ role_permissions = {}
+ orig = object
+
+ # Make two passes.
+
+ # First, collect what we know about the principal:
+ for object in ContainmentIterator(orig):
+
+ # Copy specific principal permissions
+ prinper = queryAdapter(object, IPrincipalPermissionMap)
+ if prinper is not None:
+ for permission, setting in prinper.getPermissionsForPrincipal(
+ principal):
+ if permission not in permissions:
+ permissions[permission] = setting
+
+ # Collect principal roles
+ prinrole = queryAdapter(object, IPrincipalRoleMap)
+ if prinrole is not None:
+ for role, setting in prinrole.getRolesForPrincipal(principal):
+ if role not in roles:
+ roles[role] = setting
+
+ # get global principal permissions
+ for permission, setting in getPermissionsForPrincipal(principal):
+ if permission not in permissions:
+ permissions[permission] = setting
+
+ # get glolbal principal roles
+ for role, setting in getRolesForPrincipal(principal):
+ if role not in roles:
+ roles[role] = setting
+
+ # Second, update permissions using principal
+ for object in ContainmentIterator(orig):
+
+ # Collect role permissions
+ roleper = queryAdapter(object, IRolePermissionMap)
+ if roleper is not None:
+ for perm, role, setting in roleper.getRolesAndPermissions():
+ if role in roles and perm not in permissions:
+ permissions[perm] = setting
+
+
+ for perm, role, setting in (
+ rolePermissionManager.getRolesAndPermissions()):
+ if role in roles and perm not in permissions:
+ permissions[perm] = setting
+
+
+ result = [permission
+ for permission in permissions
+ if permissions[permission] is Allow]
+
+ return result
+
+
zopeSecurityPolicy=ZopeSecurityPolicy()
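Review bot: permissionsOfPrincipal tests `role in roles` in both role-permission loops, but `roles` maps each role to whatever setting was found first, so a role recorded for the principal with Deny still contributes its permissions. The permission check earlier in this file only adds a role to `assigned_roles` when `setting is Allow`, so the two paths can disagree. This helper, which the log message says is needed for the granting policy, can then report permissions the principal does not hold. I would change both tests to `if roles.get(role) is Allow and perm not in permissions:`. The function, which lies wholly inside this hunk, also has no docstring; one should say that it returns the permissions whose effective setting is Allow and that the first setting found along ContainmentIterator takes precedence over the global managers.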