[Zope3-checkins] SVN: Zope3/branches/mgedmin-security/src/zope/
Replaced the context argument to
ISecurityPolicy.checkPermission with
Marius Gedminas
marius at pov.lt
Wed May 12 17:14:54 EDT 2004
Log message for revision 24611:
Replaced the context argument to ISecurityPolicy.checkPermission with
interaction.
-=-
Modified: Zope3/branches/mgedmin-security/src/zope/app/securitypolicy/tests/test_zopepolicy.py
===================================================================
--- Zope3/branches/mgedmin-security/src/zope/app/securitypolicy/tests/test_zopepolicy.py 2004-05-12 21:07:55 UTC (rev 24610)
+++ Zope3/branches/mgedmin-security/src/zope/app/securitypolicy/tests/test_zopepolicy.py 2004-05-12 21:14:54 UTC (rev 24611)
@@ -17,6 +17,7 @@
"""
import unittest
from zope.interface import implements
+from zope.interface.verify import verifyObject
from zope.app import zapi
from zope.app.annotation.attribute import AttributeAnnotations
@@ -46,10 +47,16 @@
from zope.app.securitypolicy.rolepermission \
import AnnotationRolePermissionManager
-class Context:
- def __init__(self, user, stack=[]):
- self.user, self.stack = user, stack
+class RequestStub:
+ def __init__(self, principal, interaction=None):
+ self.principal = principal
+ self.interaction = interaction
+
+class Interaction:
+ def __init__(self, user):
+ self.participations = [RequestStub(user, self)]
+
class Unprotected:
pass
@@ -141,27 +148,43 @@
permissions.sort()
self.assertEqual(permissions, expected)
-
def testImport(self):
from zope.app.securitypolicy.zopepolicy import ZopeSecurityPolicy
+ def testInterfaces(self):
+ from zope.security.interfaces import ISecurityPolicy
+ from zope.app.securitypolicy.zopepolicy import ZopeSecurityPolicy
+ verifyObject(ISecurityPolicy, ZopeSecurityPolicy())
+ def testCreateInteraction(self):
+ from zope.security.interfaces import IInteraction
+ from zope.app.securitypolicy.zopepolicy import ZopeSecurityPolicy
+ i1 = ZopeSecurityPolicy().createInteraction(None)
+ verifyObject(IInteraction, i1)
+ self.assertEquals(list(i1.participations), [])
+
+ user = object()
+ rq = RequestStub(user)
+ i2 = ZopeSecurityPolicy().createInteraction(rq)
+ verifyObject(IInteraction, i2)
+ self.assertEquals(list(i2.participations), [rq])
+
def testGlobalCheckPermission(self):
self.failUnless(
- self.policy.checkPermission(self.read, None, Context(self.jim)))
+ self.policy.checkPermission(self.read, None, Interaction(self.jim)))
self.failUnless(
- self.policy.checkPermission(self.read, None, Context(self.tim)))
+ self.policy.checkPermission(self.read, None, Interaction(self.tim)))
self.failUnless(
- self.policy.checkPermission(self.write, None, Context(self.tim)))
+ self.policy.checkPermission(self.write, None, Interaction(self.tim)))
self.failIf(self.policy.checkPermission(
- self.read, None, Context(self.unknown)))
+ self.read, None, Interaction(self.unknown)))
self.failIf(self.policy.checkPermission(
- self.write, None, Context(self.unknown)))
+ self.write, None, Interaction(self.unknown)))
self.failIf(
self.policy.checkPermission(
- self.read, None, Context(self.unknown)))
+ self.read, None, Interaction(self.unknown)))
self.__assertPermissions(self.jim, ['create', 'read'])
self.__assertPermissions(self.tim, ['read', 'write'])
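Review bot: Nothing in this hunk calls `checkPermission` with an interaction that has zero or several participations, although `testCreateInteraction` shows that `createInteraction(None)` produces exactly the empty case. The `Interaction` stub always wraps a single `RequestStub`, so the single-participation `assert` this commit adds to `ZopeSecurityPolicy.checkPermission` is never exercised on its failing side. A test that pins the intended outcome would help, for example `self.failIf(self.policy.checkPermission(self.read, None, ZopeSecurityPolicy().createInteraction(None)))` if denial is the intended result. The test class starts outside the hunk.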
@@ -172,28 +195,28 @@
self.failUnless(
self.policy.checkPermission(
- self.read, None, Context(self.unknown)))
+ self.read, None, Interaction(self.unknown)))
self.__assertPermissions(self.unknown, ['read'])
principalPermissionManager.grantPermissionToPrincipal(
self.write, self.jim.id)
self.failUnless(
- self.policy.checkPermission(self.write, None, Context(self.jim)))
+ self.policy.checkPermission(self.write, None, Interaction(self.jim)))
self.__assertPermissions(self.jim, ['create', 'read', 'write'])
def testPlaylessPrincipalRole(self):
self.failIf(self.policy.checkPermission(
- self.write, None, Context(self.jim)))
+ self.write, None, Interaction(self.jim)))
principalRoleManager.assignRoleToPrincipal(
self.manager, self.jim.id)
self.failUnless(self.policy.checkPermission(
- self.write, None, Context(self.jim)))
+ self.write, None, Interaction(self.jim)))
principalRoleManager.removeRoleFromPrincipal(
self.manager, self.jim.id)
self.failIf(self.policy.checkPermission(
- self.write, None, Context(self.jim)))
+ self.write, None, Interaction(self.jim)))
def testPlayfulPrincipalRole(self):
ztapi.provideAdapter(
@@ -205,15 +228,15 @@
ob3 = TestClass(); ob3.__parent__ = ob2
self.failIf(self.policy.checkPermission(
- self.write, ob3, Context(self.jim)))
+ self.write, ob3, Interaction(self.jim)))
AnnotationPrincipalRoleManager(ob3).assignRoleToPrincipal(
self.manager, self.jim.id)
self.failUnless(self.policy.checkPermission(
- self.write, ob3, Context(self.jim)))
+ self.write, ob3, Interaction(self.jim)))
AnnotationPrincipalRoleManager(ob3).removeRoleFromPrincipal(
self.manager, self.jim.id)
self.failIf(self.policy.checkPermission(
- self.write, ob3, Context(self.jim)))
+ self.write, ob3, Interaction(self.jim)))
def testPlayfulRolePermissions(self):
@@ -227,21 +250,21 @@
ob2 = TestClass(); ob2.__parent__ = ob1
ob3 = TestClass(); ob3.__parent__ = ob2
- self.failIf(self.policy.checkPermission(test, ob3, Context(self.tim)))
+ self.failIf(self.policy.checkPermission(test, ob3, Interaction(self.tim)))
self.__assertPermissions(self.tim, ['read', 'write'], ob3)
ARPM(ob2).grantPermissionToRole(test, self.manager)
self.failUnless(self.policy.checkPermission(test, ob3,
- Context(self.tim)))
+ Interaction(self.tim)))
self.__assertPermissions(self.tim, ['read', 'test', 'write'], ob3)
- self.failIf(self.policy.checkPermission(test, ob3, Context(self.jim)))
+ self.failIf(self.policy.checkPermission(test, ob3, Interaction(self.jim)))
self.__assertPermissions(self.jim, ['create', 'read'], ob3)
ARPM(ob3).grantPermissionToRole(test, self.peon)
self.failUnless(self.policy.checkPermission(
- test, ob3, Context(self.jim)))
+ test, ob3, Interaction(self.jim)))
self.__assertPermissions(self.jim, ['create', 'read', 'test'], ob3)
@@ -249,7 +272,7 @@
principalPermissionManager.denyPermissionToPrincipal(
test, self.jim.id)
self.failIf(self.policy.checkPermission(
- test, ob3, Context(self.jim)))
+ test, ob3, Interaction(self.jim)))
self.__assertPermissions(self.jim, ['create', 'read'], ob3)
principalPermissionManager.unsetPermissionForPrincipal(
@@ -263,11 +286,11 @@
new = principalRegistry.definePrincipal('new', 'Newbie',
'Newbie User', 'new', '098')
principalRoleManager.assignRoleToPrincipal(self.arole, new.id)
- self.failUnless(self.policy.checkPermission(test, ob3, Context(new)))
+ self.failUnless(self.policy.checkPermission(test, ob3, Interaction(new)))
self.__assertPermissions(new, ['test'], ob3)
principalRoleManager.assignRoleToPrincipal(self.peon, new.id)
- self.failIf(self.policy.checkPermission(test, ob3, Context(new)))
+ self.failIf(self.policy.checkPermission(test, ob3, Interaction(new)))
self.__assertPermissions(new, ['read'], ob3)
def testPlayfulPrinciplePermissions(self):
@@ -281,30 +304,30 @@
test = definePermission('test', 'Test', '').id
- self.failIf(self.policy.checkPermission(test, ob3, Context(self.tim)))
+ self.failIf(self.policy.checkPermission(test, ob3, Interaction(self.tim)))
self.__assertPermissions(self.tim, ['read', 'write'], ob3)
APPM(ob2).grantPermissionToPrincipal(test, self.tim.id)
self.failUnless(self.policy.checkPermission(
- test, ob3, Context(self.tim)))
+ test, ob3, Interaction(self.tim)))
self.__assertPermissions(self.tim, ['read', 'test', 'write'], ob3)
APPM(ob3).denyPermissionToPrincipal(test, self.tim.id)
self.failIf(self.policy.checkPermission(
- test, ob3, Context(self.tim)))
+ test, ob3, Interaction(self.tim)))
self.__assertPermissions(self.tim, ['read', 'write'], ob3)
APPM(ob1).denyPermissionToPrincipal(test, self.jim.id)
APPM(ob3).grantPermissionToPrincipal(test, self.jim.id)
self.failUnless(self.policy.checkPermission(
- test, ob3, Context(self.jim)))
+ test, ob3, Interaction(self.jim)))
self.__assertPermissions(self.jim, ['create', 'read', 'test'], ob3)
APPM(ob3).unsetPermissionForPrincipal(test, self.jim.id)
self.failIf(self.policy.checkPermission(
- test, ob3, Context(self.jim)))
+ test, ob3, Interaction(self.jim)))
self.__assertPermissions(self.jim, ['create', 'read'], ob3)
# make sure placeless principal permissions override placeful ones
@@ -312,7 +335,7 @@
principalPermissionManager.denyPermissionToPrincipal(
test, self.tim.id)
self.failIf(self.policy.checkPermission(
- test, ob3, Context(self.tim)))
+ test, ob3, Interaction(self.tim)))
self.__assertPermissions(self.tim, ['read', 'write'], ob3)
Modified: Zope3/branches/mgedmin-security/src/zope/app/securitypolicy/zopepolicy.py
===================================================================
--- Zope3/branches/mgedmin-security/src/zope/app/securitypolicy/zopepolicy.py 2004-05-12 21:07:55 UTC (rev 24610)
+++ Zope3/branches/mgedmin-security/src/zope/app/securitypolicy/zopepolicy.py 2004-05-12 21:14:54 UTC (rev 24611)
@@ -18,6 +18,8 @@
from zope.interface import implements
from zope.security.interfaces import ISecurityPolicy
from zope.security.management import system_user
+from zope.security.simpleinteraction import createInteraction \
+ as _createInteraction
from zope.app.location import LocationIterator
@@ -64,11 +66,14 @@
self._ownerous = ownerous
self._authenticated = authenticated
- def checkPermission(self, permission, object, context):
+ createInteraction = staticmethod(_createInteraction)
+
+ def checkPermission(self, permission, object, interaction):
# XXX We aren't really handling multiple principals yet
+ assert len(interaction.participations) == 1 # XXX
+ user = interaction.participations[0].principal
# mapping from principal to set of roles
- user = context.user
if user is system_user:
return True
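Review bot: The added `assert len(interaction.participations) == 1` is the only guard before the decision is made on `participations[0]` alone, and `assert` statements are stripped when Python runs with `-O`. In that mode an interaction with several participations would be judged by its first principal only, and an empty one would surface as an `IndexError` rather than a denial. A check that fails closed survives optimisation, e.g. `if len(interaction.participations) != 1: return False`, until multiple principals are handled properly. The body of `checkPermission` continues outside the hunk.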
Modified: Zope3/branches/mgedmin-security/src/zope/security/__init__.py
===================================================================
--- Zope3/branches/mgedmin-security/src/zope/security/__init__.py 2004-05-12 21:07:55 UTC (rev 24610)
+++ Zope3/branches/mgedmin-security/src/zope/security/__init__.py 2004-05-12 21:14:54 UTC (rev 24611)
@@ -7,7 +7,8 @@
import zope.proxy
from zope.security.checker import CheckerPublic as _CheckerPublic
-from zope.security.management import getSecurityManager as _getSecurityManager
+from zope.security.management import getInteraction as _getInteraction
+from zope.security.management import getSecurityPolicy as _getSecurityPolicy
def checkPermission(permission, object, interaction=None):
"""Return whether security policy allows permission on object.
@@ -24,9 +25,8 @@
"""
if permission is None or permission is _CheckerPublic:
return True
- if interaction is not None:
- # XXX: transition from contexts to interactions is not complete
- raise NotImplementedError
- sm = _getSecurityManager()
- return sm.checkPermission(permission, object)
+ if interaction is None:
+ interaction = _getInteraction()
+ policy = _getSecurityPolicy()
+ return policy.checkPermission(permission, object, interaction)
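Review bot: The fallback `interaction = _getInteraction()` hands whatever the management module returns straight to the policy, and the hunk does not show what that is when no interaction is active. If it can be `None`, the policies in this commit disagree: `ParanoidSecurityPolicy.checkPermission` returns `False` on `interaction is None`, while `ZopeSecurityPolicy.checkPermission` dereferences `interaction.participations` unconditionally. A comment above the call such as `# may be None when no interaction is active; policies are expected to deny in that case` would make the contract explicit. The start of the function and most of its docstring are outside the hunk.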
Modified: Zope3/branches/mgedmin-security/src/zope/security/checker.py
===================================================================
--- Zope3/branches/mgedmin-security/src/zope/security/checker.py 2004-05-12 21:07:55 UTC (rev 24610)
+++ Zope3/branches/mgedmin-security/src/zope/security/checker.py 2004-05-12 21:14:54 UTC (rev 24611)
@@ -37,7 +37,7 @@
from zope.interface.declarations import Declaration
from zope.security.interfaces import IChecker, INameBasedChecker
from zope.security.interfaces import ISecurityProxyFactory
-from zope.security.management import getSecurityManager
+from zope.security.management import getSecurityPolicy, getInteraction
from zope.security._proxy import _Proxy as Proxy, getChecker
from zope.exceptions import Unauthorized, ForbiddenAttribute, DuplicationError
@@ -143,8 +143,9 @@
if permission is not None:
if permission is CheckerPublic:
return # Public
- manager = getSecurityManager()
- if manager.checkPermission(permission, object):
+ policy = getSecurityPolicy()
+ interaction = getInteraction()
+ if policy.checkPermission(permission, object, interaction):
return
else:
__traceback_supplement__ = (TracebackSupplement, object)
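Review bot: The lookup `policy = getSecurityPolicy()`, `interaction = getInteraction()`, `policy.checkPermission(permission, object, interaction)` is repeated verbatim in five hunks of this file (this one and those at -159, -303, -320 and -337). These are the enforcement points for proxied access, so a single module-level helper, e.g. `def _checkPermission(permission, object): return getSecurityPolicy().checkPermission(permission, object, getInteraction())`, would leave one place to audit when the interaction API changes again. The enclosing methods start and end outside the hunks.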
@@ -159,8 +160,9 @@
if permission is not None:
if permission is CheckerPublic:
return # Public
- manager = getSecurityManager()
- if manager.checkPermission(permission, object):
+ policy = getSecurityPolicy()
+ interaction = getInteraction()
+ if policy.checkPermission(permission, object, interaction):
return
else:
__traceback_supplement__ = (TracebackSupplement, object)
@@ -303,8 +305,9 @@
if permission is not None:
if permission is CheckerPublic:
return # Public
- manager = getSecurityManager()
- if manager.checkPermission(permission, object):
+ policy = getSecurityPolicy()
+ interaction = getInteraction()
+ if policy.checkPermission(permission, object, interaction):
return
else:
__traceback_supplement__ = (TracebackSupplement, object)
@@ -320,8 +323,9 @@
if permission is not None:
if permission is CheckerPublic:
return # Public
- manager = getSecurityManager()
- if manager.checkPermission(permission, object):
+ policy = getSecurityPolicy()
+ interaction = getInteraction()
+ if policy.checkPermission(permission, object, interaction):
return
else:
__traceback_supplement__ = (TracebackSupplement, object)
@@ -337,8 +341,9 @@
if permission is not None:
if permission is CheckerPublic:
return # Public
- manager = getSecurityManager()
- if manager.checkPermission(permission, object):
+ policy = getSecurityPolicy()
+ interaction = getInteraction()
+ if policy.checkPermission(permission, object, interaction):
return
else:
__traceback_supplement__ = (TracebackSupplement, object)
Modified: Zope3/branches/mgedmin-security/src/zope/security/interfaces.py
===================================================================
--- Zope3/branches/mgedmin-security/src/zope/security/interfaces.py 2004-05-12 21:07:55 UTC (rev 24610)
+++ Zope3/branches/mgedmin-security/src/zope/security/interfaces.py 2004-05-12 21:14:54 UTC (rev 24611)
@@ -199,14 +199,14 @@
ISecurityManagement.global setInteractionFactory(factory).
"""
- def checkPermission(permission, object, context): # XXX: will change
+ def checkPermission(permission, object, interaction):
"""Return whether security context allows permission on object.
Arguments:
permission -- A permission name
object -- The object being accessed according to the permission
- context -- A SecurityContext, which provides access to information
- such as the context stack and AUTHENTICATED_USER.
+ interaction -- An interaction, which provides access to information
+ such as authenticated principals.
"""
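Review bot: The summary line still reads `Return whether security context allows permission on object.` although the argument is now an interaction; `Return whether the interaction's participants are allowed permission on object.` would match the new signature. The docstring also leaves open how a policy should combine several participations. In this commit `ZopeSecurityPolicy` asserts there is exactly one and `ParanoidSecurityPolicy` grants only for a single `system_user`, so implementers have no stated rule to follow. One sentence saying whether every participating principal must hold the permission would close that gap. The interface class begins outside the hunk.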
Modified: Zope3/branches/mgedmin-security/src/zope/security/manager.py
===================================================================
--- Zope3/branches/mgedmin-security/src/zope/security/manager.py 2004-05-12 21:07:55 UTC (rev 24610)
+++ Zope3/branches/mgedmin-security/src/zope/security/manager.py 2004-05-12 21:14:54 UTC (rev 24611)
@@ -89,8 +89,9 @@
object -- The object being accessed according to the permission
"""
+ from zope.security.management import getInteraction # this is temporary
return self._getPolicy().checkPermission(permission, object,
- self._context)
+ getInteraction())
def pushExecutable(self, anExecutableObject):
"""Push an ExecutableObject onto the manager's stack, and
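Review bot: `checkPermission` now ignores the manager's own `self._context` and answers for whatever `getInteraction()` returns at call time. If a manager can be constructed around a context that differs from the current interaction (not visible here), its callers would get a decision for a different principal without any signal. The `# this is temporary` remark on the local import would say more as `# XXX transitional: decisions come from the current interaction; self._context is no longer consulted`. The method's signature and the start of its docstring are outside the hunk.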
Modified: Zope3/branches/mgedmin-security/src/zope/security/simplepolicies.py
===================================================================
--- Zope3/branches/mgedmin-security/src/zope/security/simplepolicies.py 2004-05-12 21:07:55 UTC (rev 24610)
+++ Zope3/branches/mgedmin-security/src/zope/security/simplepolicies.py 2004-05-12 21:14:54 UTC (rev 24611)
@@ -16,12 +16,12 @@
$Id: simplepolicies.py,v 1.6 2004/02/20 20:42:12 srichter Exp $
"""
+from zope.interface import implements
from zope.security.interfaces import ISecurityPolicy
from zope.security.management import system_user
from zope.security.simpleinteraction import createInteraction \
as _createInteraction
import zope.security.checker
-from zope.interface import implements
class ParanoidSecurityPolicy:
"""Deny all access."""
@@ -29,21 +29,26 @@
createInteraction = staticmethod(_createInteraction)
- def checkPermission(self, permission, object, context):
+ def checkPermission(self, permission, object, interaction):
if permission is zope.security.checker.CheckerPublic:
return True
- if (context.user is system_user # no user
- and not context.stack # no untrusted code
- ):
+
+ if interaction is None:
+ return False
+
+ users = [p.principal for p in interaction.participations]
+ if len(users) == 1 and users[0] is system_user:
return True # Nobody not to trust!
return False
+
class PermissiveSecurityPolicy:
"""Allow all access."""
implements(ISecurityPolicy)
createInteraction = staticmethod(_createInteraction)
- def checkPermission(self, permission, object, context):
+ def checkPermission(self, permission, object, interaction):
return True
+
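Review bot: `ParanoidSecurityPolicy.checkPermission` now encodes three separate rules (public permission allowed, missing interaction denied, a lone `system_user` allowed) but has no docstring, and the class docstring above it still says only `Deny all access.`. A method docstring such as `"""Allow CheckerPublic and a single system_user participation; deny everything else, including a missing interaction."""` would record the fail-closed intent for the next person who touches it. As a smaller style point, `users` is built as a full list only to test its length and first element; the existing `# Nobody not to trust!` comment could also say that any additional participation causes denial.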
Modified: Zope3/branches/mgedmin-security/src/zope/security/tests/test_checker.py
===================================================================
--- Zope3/branches/mgedmin-security/src/zope/security/tests/test_checker.py 2004-05-12 21:07:55 UTC (rev 24610)
+++ Zope3/branches/mgedmin-security/src/zope/security/tests/test_checker.py 2004-05-12 21:14:54 UTC (rev 24611)
@@ -34,7 +34,7 @@
class SecurityPolicy:
implements(ISecurityPolicy)
- def checkPermission(self, permission, object, context):
+ def checkPermission(self, permission, object, interaction):
'See ISecurityPolicy'
return permission == 'test_allowed'
@@ -45,7 +45,7 @@
self._checked = []
self.permissions = {}
- def checkPermission(self, permission, object, context):
+ def checkPermission(self, permission, object, interaction):
'See ISecurityPolicy'
self._checked.append(permission)
return self.permissions.get(permission, True)
Modified: Zope3/branches/mgedmin-security/src/zope/security/tests/test_management.py
===================================================================
--- Zope3/branches/mgedmin-security/src/zope/security/tests/test_management.py 2004-05-12 21:07:55 UTC (rev 24610)
+++ Zope3/branches/mgedmin-security/src/zope/security/tests/test_management.py 2004-05-12 21:14:54 UTC (rev 24611)
@@ -183,15 +183,13 @@
def checkPermission(s, p, o, i):
self.assert_(p is permission)
self.assert_(o is obj)
-## XXX: transition from security contexts to interactions is not complete
-## self.assert_(i is getInteraction() or i is interaction)
+ self.assert_(i is getInteraction() or i is interaction)
return i is interaction
setSecurityPolicy(PolicyStub())
newInteraction(None)
self.assertEquals(checkPermission(permission, obj), False)
-## XXX: transition from security contexts to interactions is not complete
-## self.assertEquals(checkPermission(permission, obj, interaction), True)
+ self.assertEquals(checkPermission(permission, obj, interaction), True)
def test_suite():