work in progress: loops security policy, now checking concept/resource type as parent

git-svn-id: svn://svn.cy55.de/Zope3/src/loops/trunk@3180 fd906abe-77d9-0310-91a1-e0d9ade77398
helmutm 2009-01-27 12:04:06 +00:00
parent cf666c3bc3
commit 8ef18c8b59
3 changed files with 68 additions and 18 deletions


@ -24,14 +24,12 @@
<zope:subscriber handler="loops.security.common.grantAcquiredSecurity" /> <zope:subscriber handler="loops.security.common.grantAcquiredSecurity" />
<zope:subscriber handler="loops.security.common.revokeAcquiredSecurity" /> <zope:subscriber handler="loops.security.common.revokeAcquiredSecurity" />
<browser:page name="permissions.html" for="*" <browser:page
class=".perm.PermissionView" for="zope.annotation.interfaces.IAnnotatable"
name="permissions.html"
permission="zope.Security"
template="manage_permissionform.pt" template="manage_permissionform.pt"
permission="zope.Security" /> class=".perm.PermissionView"
menu="zmi_actions" title="Edit Permissions" />
<browser:menuItem for="*" action="@@permissions.html"
menu="zmi_actions" title="Edit Permissions"
filter="python: context.__name__ not in ('views', 'concepts', 'resources')"
permission="zope.Security" />
</configure> </configure>
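Review bot: The menuItem filter `python: context.__name__ not in ('views', 'concepts', 'resources')` only hides the ZMI menu entry; the page registration above it is now `for="zope.annotation.interfaces.IAnnotatable"`, so permissions.html stays reachable by URL on those three containers, guarded only by permission="zope.Security". If that is the intent, a one-line zcml comment such as `<!-- filter is cosmetic: access to the page is controlled by permission, not by this menu entry -->` next to the menuItem would save the next reader the same check; if not, the restriction belongs on the page registration (a narrower `for`) rather than on the menu.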


@ -24,7 +24,8 @@
<div tal:define="permId view/permissionId; <div tal:define="permId view/permissionId;
perm view/permission;"> perm view/permission;">
<form> <form>
<select name="permission_to_manage"> <select name="permission_to_manage"
onChange="submit()">
<option tal:repeat="pId view/getPermissions" <option tal:repeat="pId view/getPermissions"
tal:attributes="value pId; tal:attributes="value pId;
selected python: pId == permId" selected python: pId == permId"


@ -23,9 +23,11 @@ concept map parents in addition to containers for collecting principal roles.
$Id$ $Id$
""" """
from zope.app.securitypolicy.interfaces import IPrincipalRoleMap from zope.app.security.settings import Allow, Deny, Unset
from zope.app.securitypolicy.interfaces import IPrincipalRoleMap, IRolePermissionMap
from zope.app.securitypolicy.zopepolicy import ZopeSecurityPolicy from zope.app.securitypolicy.zopepolicy import ZopeSecurityPolicy
from zope.app.securitypolicy.zopepolicy import SettingAsBoolean, globalRolesForPrincipal from zope.app.securitypolicy.zopepolicy import SettingAsBoolean, \
globalRolesForPrincipal, globalRolesForPermission
from zope import component from zope import component
from zope.component import adapts from zope.component import adapts
from zope.cachedescriptors.property import Lazy from zope.cachedescriptors.property import Lazy
@ -66,13 +68,54 @@ class LoopsSecurityPolicy(ZopeSecurityPolicy):
# one parent # one parent
if p is not None: if p is not None:
roles.update(self.cached_principal_roles(p, principal, checked)) roles.update(self.cached_principal_roles(p, principal, checked))
if not roles:
roles = self.cached_principal_roles(None, principal, checked)
prinrole = IPrincipalRoleMap(obj, None) prinrole = IPrincipalRoleMap(obj, None)
if prinrole: if prinrole:
roles = roles.copy() roles = roles.copy()
for role, setting in prinrole.getRolesForPrincipal(principal): for role, setting in prinrole.getRolesForPrincipal(principal):
roles[role] = SettingAsBoolean[setting] roles[role] = SettingAsBoolean[setting]
cache_principal_roles[principal] = roles cache_principal_roles[principal] = roles
#print '***', roles return roles
def cached_roles(self, obj, permission, checked=None):
if checked is None:
checked = []
obj = removeSecurityProxy(obj)
cache = self.cache(obj)
try:
cache_roles = cache.roles
except AttributeError:
cache_roles = cache.roles = {}
try:
return cache_roles[permission]
except KeyError:
pass
if obj is None:
roles = dict([(role, 1)
for (role, setting)
in globalRolesForPermission(permission)
if setting is Allow])
cache_roles[permission] = roles
return roles
roles = {}
for p in self.getParents(obj, checked):
# TODO: care for correct combination if there is more than
# one parent
if p is not None:
roles.update(self.cached_roles(p, permission, checked))
if not roles:
roles = self.cached_roles(None, permission, checked)
roleper = IRolePermissionMap(obj, None)
if roleper:
roles = roles.copy()
for role, setting in roleper.getRolesForPermission(permission):
if setting is Allow:
roles[role] = 1
elif role in roles:
del roles[role]
cache_roles[permission] = roles
return roles return roles
def getParents(self, obj, checked): def getParents(self, obj, checked):
@ -85,12 +128,20 @@ class LoopsSecurityPolicy(ZopeSecurityPolicy):
parents = cache.parents parents = cache.parents
except AttributeError: except AttributeError:
parents = [] parents = []
if IConcept.providedBy(obj): try:
parents = [p for p in obj.getParents(noSecurityCheck=True) parents.append(obj.getType())
if p != obj] except AttributeError:
elif IResource.providedBy(obj): pass
parents = [p for p in obj.getConcepts(noSecurityCheck=True) except TypeError:
if p != obj] from logging import getLogger
getLogger('loops.security.policy').warn(
'TypeError: %s.getType: %r' % (obj, obj.getType))
#if IConcept.providedBy(obj):
# parents = [p for p in obj.getParents(noSecurityCheck=True)
# if p != obj]
#elif IResource.providedBy(obj):
# parents = [p for p in obj.getConcepts(noSecurityCheck=True)
# if p != obj]
cache.parents = parents cache.parents = parents
if not parents: if not parents:
parents = [getattr(obj, '__parent__', None)] parents = [getattr(obj, '__parent__', None)]
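Review bot: In the new cached_roles, the fallback `if not roles: roles = self.cached_roles(None, permission, checked)` reads an empty dict from the parents as "no parent information", but the branch a few lines below (`elif role in roles: del roles[role]`) can legitimately produce an empty dict, so a parent whose IRolePermissionMap denies every inherited role for a permission has that denial silently replaced by the global grants on each of its children. The same fallback shape was added to cached_principal_roles (which begins outside the hunk), where it is less exposed because SettingAsBoolean stores Deny as a False value rather than removing the key. Distinguish "no non-None parent consulted" from "parents consulted, nothing allowed" with a flag, e.g. `consulted = False`, set `consulted = True` inside the `if p is not None:` branch, and replace the condition with `if not consulted:`. In the getParents hunk, the TypeError handler formats `%r` of `obj.getType` — the bound method object, not a value — which is probably not what the warning is meant to show, and the commented-out IConcept/IResource block should be deleted rather than left in place; getParents continues past the end of the hunk.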