work in progress: loops security policy, now checking concept/recource type as parent
git-svn-id: svn://svn.cy55.de/Zope3/src/loops/trunk@3180 fd906abe-77d9-0310-91a1-e0d9ade77398
This commit is contained in:
helmutm
parent
cf666c3bc3
commit
8ef18c8b59
3 changed files with 68 additions and 18 deletions
|
|
@ -24,14 +24,12 @@
|
|||
<zope:subscriber handler="loops.security.common.grantAcquiredSecurity" />
|
||||
<zope:subscriber handler="loops.security.common.revokeAcquiredSecurity" />
|
||||
|
||||
<browser:page name="permissions.html" for="*"
|
||||
class=".perm.PermissionView"
|
||||
<browser:page
|
||||
for="zope.annotation.interfaces.IAnnotatable"
|
||||
name="permissions.html"
|
||||
permission="zope.Security"
|
||||
template="manage_permissionform.pt"
|
||||
permission="zope.Security" />
|
||||
|
||||
<browser:menuItem for="*" action="@@permissions.html"
|
||||
menu="zmi_actions" title="Edit Permissions"
|
||||
filter="python: context.__name__ not in ('views', 'concepts', 'resources')"
|
||||
permission="zope.Security" />
|
||||
class=".perm.PermissionView"
|
||||
menu="zmi_actions" title="Edit Permissions" />
|
||||
|
||||
</configure>
|
||||
|
|
|
|||
|
|
@ -24,7 +24,8 @@
|
|||
<div tal:define="permId view/permissionId;
|
||||
perm view/permission;">
|
||||
<form>
|
||||
<select name="permission_to_manage">
|
||||
<select name="permission_to_manage"
|
||||
onChange="submit()">
|
||||
<option tal:repeat="pId view/getPermissions"
|
||||
tal:attributes="value pId;
|
||||
selected python: pId == permId"
|
||||
|
|
|
|||
|
|
@ -23,9 +23,11 @@ concept map parents in addition to containers for collecting principal roles.
|
|||
$Id$
|
||||
"""
|
||||
|
||||
from zope.app.securitypolicy.interfaces import IPrincipalRoleMap
|
||||
from zope.app.security.settings import Allow, Deny, Unset
|
||||
from zope.app.securitypolicy.interfaces import IPrincipalRoleMap, IRolePermissionMap
|
||||
from zope.app.securitypolicy.zopepolicy import ZopeSecurityPolicy
|
||||
from zope.app.securitypolicy.zopepolicy import SettingAsBoolean, globalRolesForPrincipal
|
||||
from zope.app.securitypolicy.zopepolicy import SettingAsBoolean, \
|
||||
globalRolesForPrincipal, globalRolesForPermission
|
||||
from zope import component
|
||||
from zope.component import adapts
|
||||
from zope.cachedescriptors.property import Lazy
|
||||
|
|
@ -66,13 +68,54 @@ class LoopsSecurityPolicy(ZopeSecurityPolicy):
|
|||
# one parent
|
||||
if p is not None:
|
||||
roles.update(self.cached_principal_roles(p, principal, checked))
|
||||
if not roles:
|
||||
roles = self.cached_principal_roles(None, principal, checked)
|
||||
prinrole = IPrincipalRoleMap(obj, None)
|
||||
if prinrole:
|
||||
roles = roles.copy()
|
||||
for role, setting in prinrole.getRolesForPrincipal(principal):
|
||||
roles[role] = SettingAsBoolean[setting]
|
||||
cache_principal_roles[principal] = roles
|
||||
#print '***', roles
|
||||
return roles
|
||||
|
||||
def cached_roles(self, obj, permission, checked=None):
|
||||
if checked is None:
|
||||
checked = []
|
||||
obj = removeSecurityProxy(obj)
|
||||
cache = self.cache(obj)
|
||||
try:
|
||||
cache_roles = cache.roles
|
||||
except AttributeError:
|
||||
cache_roles = cache.roles = {}
|
||||
try:
|
||||
return cache_roles[permission]
|
||||
except KeyError:
|
||||
pass
|
||||
if obj is None:
|
||||
roles = dict([(role, 1)
|
||||
for (role, setting)
|
||||
in globalRolesForPermission(permission)
|
||||
if setting is Allow])
|
||||
cache_roles[permission] = roles
|
||||
return roles
|
||||
roles = {}
|
||||
for p in self.getParents(obj, checked):
|
||||
# TODO: care for correct combination if there is more than
|
||||
# one parent
|
||||
if p is not None:
|
||||
roles.update(self.cached_roles(p, permission, checked))
|
||||
if not roles:
|
||||
roles = self.cached_roles(None, permission, checked)
|
||||
roleper = IRolePermissionMap(obj, None)
|
||||
if roleper:
|
||||
roles = roles.copy()
|
||||
for role, setting in roleper.getRolesForPermission(permission):
|
||||
if setting is Allow:
|
||||
roles[role] = 1
|
||||
elif role in roles:
|
||||
del roles[role]
|
||||
|
||||
cache_roles[permission] = roles
|
||||
return roles
|
||||
|
||||
def getParents(self, obj, checked):
|
||||
|
|
@ -85,12 +128,20 @@ class LoopsSecurityPolicy(ZopeSecurityPolicy):
|
|||
parents = cache.parents
|
||||
except AttributeError:
|
||||
parents = []
|
||||
if IConcept.providedBy(obj):
|
||||
parents = [p for p in obj.getParents(noSecurityCheck=True)
|
||||
if p != obj]
|
||||
elif IResource.providedBy(obj):
|
||||
parents = [p for p in obj.getConcepts(noSecurityCheck=True)
|
||||
if p != obj]
|
||||
try:
|
||||
parents.append(obj.getType())
|
||||
except AttributeError:
|
||||
pass
|
||||
except TypeError:
|
||||
from logging import getLogger
|
||||
getLogger('loops.security.policy').warn(
|
||||
'TypeError: %s.getType: %r' % (obj, obj.getType))
|
||||
#if IConcept.providedBy(obj):
|
||||
# parents = [p for p in obj.getParents(noSecurityCheck=True)
|
||||
# if p != obj]
|
||||
#elif IResource.providedBy(obj):
|
||||
# parents = [p for p in obj.getConcepts(noSecurityCheck=True)
|
||||
# if p != obj]
|
||||
cache.parents = parents
|
||||
if not parents:
|
||||
parents = [getattr(obj, '__parent__', None)]
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue