[Checkins] SVN: grok/branches/jw-define-roles-directive/src/grok/ Implement define_role directive.

Jan-Wijbrand Kolman janwijbrand at gmail.com
Thu Jul 26 04:08:50 EDT 2007 

Log message for revision 78346:
  Implement define_role directive.

Changed:
  U   grok/branches/jw-define-roles-directive/src/grok/__init__.py
  U   grok/branches/jw-define-roles-directive/src/grok/directive.py
  A   grok/branches/jw-define-roles-directive/src/grok/ftests/security/roles.py
  U   grok/branches/jw-define-roles-directive/src/grok/meta.py
  A   grok/branches/jw-define-roles-directive/src/grok/tests/security/wrong_permissions_argument.py
  A   grok/branches/jw-define-roles-directive/src/grok/tests/security/wrong_permissions_argument_fixture.py

-=-
Modified: grok/branches/jw-define-roles-directive/src/grok/__init__.py
===================================================================
--- grok/branches/jw-define-roles-directive/src/grok/__init__.py	2007-07-26 07:29:48 UTC (rev 78345)
+++ grok/branches/jw-define-roles-directive/src/grok/__init__.py	2007-07-26 08:08:47 UTC (rev 78346)
@@ -37,7 +37,7 @@
 from grok.components import Indexes
 from grok.directive import (context, name, template, templatedir, provides,
                             baseclass, global_utility, local_utility,
-                            define_permission, require, site)
+                            define_permission, define_role, require, site)
 from grok._grok import do_grok as grok  # Avoid name clash within _grok
 from grok._grok import grok_component
 from grok._grok import SubscribeDecorator as subscribe

Modified: grok/branches/jw-define-roles-directive/src/grok/directive.py
===================================================================
--- grok/branches/jw-define-roles-directive/src/grok/directive.py	2007-07-26 07:29:48 UTC (rev 78345)
+++ grok/branches/jw-define-roles-directive/src/grok/directive.py	2007-07-26 08:08:47 UTC (rev 78346)
@@ -13,7 +13,7 @@
 ##############################################################################
 """Grok directives.
 """
-
+import types
 from zope.interface.interfaces import IInterface
 
 from martian.error import GrokImportError
@@ -47,7 +47,7 @@
         if provides is None:
             provides = util.class_annotation(factory, 'grok.provides', None)
         self.provides = provides
-        
+
         if name is u'':
             name = util.class_annotation(factory, 'grok.name', u'')
         self.name = name
@@ -77,6 +77,18 @@
         self.name_in_container = name_in_container
 
 
+class DefineRoleDirective(MultipleTimesDirective):
+
+    def check_arguments(self, id, permissions):
+        if not isinstance(permissions, (types.ListType, types.TupleType)):
+            raise GrokImportError(
+                "You need to pass a list or tuple of permission ids to the "
+                "permissions argument of %s." % self.name)
+
+    def value_factory(self, id, permissions):
+        return (id, permissions)
+
+
 class RequireDirective(BaseTextDirective, SingleValue, MultipleTimesDirective):
 
     def store(self, frame, value):
@@ -93,6 +105,7 @@
             return func
         return decorator
 
+
 # Define grok directives
 name = SingleTextDirective('grok.name', ClassDirectiveContext())
 template = SingleTextDirective('grok.template', ClassDirectiveContext())
@@ -107,6 +120,7 @@
                                       ClassDirectiveContext())
 define_permission = MultipleTextDirective('grok.define_permission',
                                           ModuleDirectiveContext())
+define_role = DefineRoleDirective('grok.define_role', ModuleDirectiveContext())
 require = RequireDirective('grok.require', ClassDirectiveContext())
 site = InterfaceOrClassDirective('grok.site',
                                  ClassDirectiveContext())

Added: grok/branches/jw-define-roles-directive/src/grok/ftests/security/roles.py
===================================================================
--- grok/branches/jw-define-roles-directive/src/grok/ftests/security/roles.py	                        (rev 0)
+++ grok/branches/jw-define-roles-directive/src/grok/ftests/security/roles.py	2007-07-26 08:08:47 UTC (rev 78346)
@@ -0,0 +1,89 @@
+"""
+  >>> import grok
+  >>> grok.grok('grok.ftests.security.roles')
+
+Viewing a protected view with insufficient privileges will yield
+Unauthorized:
+
+  >>> from zope.testbrowser.testing import Browser
+  >>> browser = Browser()
+  >>> browser.open("http://localhost/@@cavepainting")
+  Traceback (most recent call last):
+  HTTPError: HTTP Error 401: Unauthorized
+  >>> browser.open("http://localhost/@@editcavepainting")
+  Traceback (most recent call last):
+  HTTPError: HTTP Error 401: Unauthorized
+  >>> browser.open("http://localhost/@@erasecavepainting")
+  Traceback (most recent call last):
+  HTTPError: HTTP Error 401: Unauthorized
+
+When we log in (e.g. as a manager), we can access the views just fine:
+
+  >>> from zope.app.securitypolicy.principalrole import principalRoleManager
+  >>> principalRoleManager.assignRoleToPrincipal(
+  ...    'grok.PaintingOwner', 'zope.mgr')
+  >>> browser.addHeader('Authorization', 'Basic mgr:mgrpw')
+  >>> browser.handleErrors = False
+  >>> browser.open("http://localhost/@@cavepainting")
+  >>> print browser.contents
+  What a beautiful painting.
+
+  >>> browser.open("http://localhost/@@editcavepainting")
+  >>> print browser.contents
+  Let's make it even prettier.
+
+  >>> browser.open("http://localhost/@@erasecavepainting")
+  >>> print browser.contents
+  Oops, mistake, let's erase it.
+
+  >>> browser.open("http://localhost/@@approvecavepainting")
+  Traceback (most recent call last):
+  ...
+  Unauthorized: (<grok.ftests.security.roles.ApproveCavePainting object at ...>,
+  '__call__', 'grok.ApprovePainting')
+
+"""
+
+import grok
+import zope.interface
+
+grok.define_permission('grok.ViewPainting')
+grok.define_permission('grok.EditPainting')
+grok.define_permission('grok.ErasePainting')
+grok.define_permission('grok.ApprovePainting')
+
+grok.define_role(
+    'grok.PaintingOwner',
+    ('grok.ViewPainting', 'grok.EditPainting', 'grok.ErasePainting'))
+
+class CavePainting(grok.View):
+
+    grok.context(zope.interface.Interface)
+    grok.require('grok.ViewPainting')
+
+    def render(self):
+        return 'What a beautiful painting.'
+
+class EditCavePainting(grok.View):
+
+    grok.context(zope.interface.Interface)
+    grok.require('grok.EditPainting')
+
+    def render(self):
+        return 'Let\'s make it even prettier.'
+
+class EraseCavePainting(grok.View):
+
+    grok.context(zope.interface.Interface)
+    grok.require('grok.ErasePainting')
+
+    def render(self):
+        return 'Oops, mistake, let\'s erase it.'
+
+class ApproveCavePainting(grok.View):
+
+    grok.context(zope.interface.Interface)
+    grok.require('grok.ApprovePainting')
+
+    def render(self):
+        return 'Painting owners cannot approve their paintings.'

Modified: grok/branches/jw-define-roles-directive/src/grok/meta.py
===================================================================
--- grok/branches/jw-define-roles-directive/src/grok/meta.py	2007-07-26 07:29:48 UTC (rev 78345)
+++ grok/branches/jw-define-roles-directive/src/grok/meta.py	2007-07-26 08:08:47 UTC (rev 78346)
@@ -23,6 +23,9 @@
 from zope.publisher.interfaces.xmlrpc import IXMLRPCRequest
 from zope.security.permission import Permission
 from zope.security.interfaces import IPermission
+from zope.app.securitypolicy.role import Role
+from zope.app.securitypolicy.rolepermission import rolePermissionManager
+
 from zope.annotation.interfaces import IAnnotations
 
 from zope.app.publisher.xmlrpc import MethodPublisher
@@ -509,6 +512,20 @@
         return True
 
 
+class DefineRoleGrokker(martian.GlobalGrokker):
+
+    priority = 1500
+
+    def grok(self, name, module, context, module_info, templates):
+        role_infos = module_info.getAnnotation('grok.define_role', [])
+        for role_id, permissions in role_infos:
+            component.provideUtility(
+                Role(role_id, title=role_id), name=role_id)
+            for permission in permissions:
+                rolePermissionManager.grantPermissionToRole(permission, role_id)
+        return True
+
+
 class AnnotationGrokker(martian.ClassGrokker):
     component_class = grok.Annotation
 

Copied: grok/branches/jw-define-roles-directive/src/grok/tests/security/wrong_permissions_argument.py (from rev 78343, grok/branches/jw-define-roles-directive/src/grok/tests/security/view_decorator.py)
===================================================================
--- grok/branches/jw-define-roles-directive/src/grok/tests/security/wrong_permissions_argument.py	                        (rev 0)
+++ grok/branches/jw-define-roles-directive/src/grok/tests/security/wrong_permissions_argument.py	2007-07-26 08:08:47 UTC (rev 78346)
@@ -0,0 +1,12 @@
+"""
+The grok.define_role needs a sequence of permission ids::
+
+  >>> grok.grok('grok.tests.security.wrong_permissions_argument_fixture')
+  Traceback (most recent call last):
+  GrokImportError: You need to pass a list or tuple of permission ids to
+  the permissions argument of grok.define_role.
+
+
+"""
+
+import grok

Added: grok/branches/jw-define-roles-directive/src/grok/tests/security/wrong_permissions_argument_fixture.py
===================================================================
--- grok/branches/jw-define-roles-directive/src/grok/tests/security/wrong_permissions_argument_fixture.py	                        (rev 0)
+++ grok/branches/jw-define-roles-directive/src/grok/tests/security/wrong_permissions_argument_fixture.py	2007-07-26 08:08:47 UTC (rev 78346)
@@ -0,0 +1,2 @@
+import grok
+grok.define_role('caveman.Firemaker', 'use.Matches')

More information about the Checkins mailing list