150 lines
5.8 KiB
Python
150 lines
5.8 KiB
Python
#
|
|
# Copyright (c) 2011 Helmut Merz helmutm@cy55.de
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
#
|
|
|
|
"""
|
|
A loops-specific security policy. Intended mainly to deal with checking
|
|
concept map parents in addition to containers for collecting principal roles.
|
|
|
|
$Id$
|
|
"""
|
|
|
|
from zope.app.security.settings import Allow, Deny, Unset
|
|
from zope import component
|
|
from zope.component import adapts
|
|
from zope.cachedescriptors.property import Lazy
|
|
from zope.interface import classProvides
|
|
from zope.security.interfaces import ISecurityPolicy
|
|
from zope.security.proxy import removeSecurityProxy
|
|
from zope.securitypolicy.interfaces import IPrincipalRoleMap, IRolePermissionMap
|
|
from zope.securitypolicy.zopepolicy import ZopeSecurityPolicy
|
|
from zope.securitypolicy.zopepolicy import SettingAsBoolean, \
|
|
globalRolesForPrincipal, globalRolesForPermission
|
|
|
|
from loops.interfaces import IConcept, IResource
|
|
|
|
|
|
class LoopsSecurityPolicy(ZopeSecurityPolicy):
|
|
|
|
classProvides(ISecurityPolicy)
|
|
|
|
def cached_principal_roles(self, obj, principal, checked=None):
|
|
if checked is None:
|
|
checked = []
|
|
obj = removeSecurityProxy(obj)
|
|
cache = self.cache(obj)
|
|
try:
|
|
cache_principal_roles = cache.principal_roles
|
|
except AttributeError:
|
|
cache_principal_roles = cache.principal_roles = {}
|
|
try:
|
|
return cache_principal_roles[principal]
|
|
except KeyError:
|
|
pass
|
|
if obj is None:
|
|
roles = dict([(role, SettingAsBoolean[setting])
|
|
for (role, setting)
|
|
in globalRolesForPrincipal(principal)])
|
|
roles['zope.Anonymous'] = True # Everybody has Anonymous
|
|
cache_principal_roles[principal] = roles
|
|
return roles
|
|
roles = {}
|
|
for p in self.getParents(obj, checked):
|
|
# TODO: care for correct combination if there is more than
|
|
# one parent
|
|
if p is not None:
|
|
roles.update(self.cached_principal_roles(p, principal, checked))
|
|
if not roles:
|
|
roles = self.cached_principal_roles(None, principal, checked)
|
|
prinrole = IPrincipalRoleMap(obj, None)
|
|
if prinrole:
|
|
roles = roles.copy()
|
|
for role, setting in prinrole.getRolesForPrincipal(principal):
|
|
roles[role] = SettingAsBoolean[setting]
|
|
cache_principal_roles[principal] = roles
|
|
return roles
|
|
|
|
def cached_roles(self, obj, permission, checked=None):
|
|
if checked is None:
|
|
checked = []
|
|
obj = removeSecurityProxy(obj)
|
|
cache = self.cache(obj)
|
|
try:
|
|
cache_roles = cache.roles
|
|
except AttributeError:
|
|
cache_roles = cache.roles = {}
|
|
try:
|
|
return cache_roles[permission]
|
|
except KeyError:
|
|
pass
|
|
if obj is None:
|
|
roles = dict([(role, 1)
|
|
for (role, setting)
|
|
in globalRolesForPermission(permission)
|
|
if setting is Allow])
|
|
cache_roles[permission] = roles
|
|
return roles
|
|
roles = {}
|
|
for p in self.getParents(obj, checked):
|
|
# TODO: care for correct combination if there is more than
|
|
# one parent
|
|
if p is not None:
|
|
roles.update(self.cached_roles(p, permission, checked))
|
|
if not roles:
|
|
roles = self.cached_roles(None, permission, checked)
|
|
roleper = IRolePermissionMap(obj, None)
|
|
if roleper:
|
|
roles = roles.copy()
|
|
for role, setting in roleper.getRolesForPermission(permission):
|
|
if setting is Allow:
|
|
roles[role] = 1
|
|
elif role in roles:
|
|
del roles[role]
|
|
|
|
cache_roles[permission] = roles
|
|
return roles
|
|
|
|
def getParents(self, obj, checked):
|
|
if obj in checked: # cycle - leave the concept map
|
|
parent = getattr(obj, '__parent__', None)
|
|
return [parent]
|
|
# keep concept parents in cache
|
|
cache = self.cache(obj)
|
|
try:
|
|
parents = cache.parents
|
|
except AttributeError:
|
|
parents = []
|
|
if IConcept.providedBy(obj) or IResource.providedBy(obj):
|
|
try:
|
|
parents.append(obj.getType())
|
|
except AttributeError:
|
|
pass
|
|
except TypeError:
|
|
from logging import getLogger
|
|
getLogger('loops.security.policy').warn(
|
|
'TypeError: %s.getType: %r' % (obj, obj.getType))
|
|
#if IConcept.providedBy(obj):
|
|
# parents = [p for p in obj.getParents(noSecurityCheck=True)
|
|
# if p != obj]
|
|
#elif IResource.providedBy(obj):
|
|
# parents = [p for p in obj.getConcepts(noSecurityCheck=True)
|
|
# if p != obj]
|
|
cache.parents = parents
|
|
if not parents:
|
|
parents = [getattr(obj, '__parent__', None)]
|
|
checked.append(obj)
|
|
return parents
|