[Checkins] SVN: z3c.securitytool/trunk/src/z3c/securitytool/
roleContext added to allow user to view at what context level
the roles were either denied or allowed
Daniel Blackburn
blackburnd at gmail.com
Tue Feb 12 19:34:04 EST 2008
Log message for revision 83772:
roleContext added to allow user to view at what context level the roles were either denied or allowed
Changed:
U z3c.securitytool/trunk/src/z3c/securitytool/README.txt
U z3c.securitytool/trunk/src/z3c/securitytool/securitytool.py
-=-
Modified: z3c.securitytool/trunk/src/z3c/securitytool/README.txt
===================================================================
--- z3c.securitytool/trunk/src/z3c/securitytool/README.txt 2008-02-13 00:33:27 UTC (rev 83771)
+++ z3c.securitytool/trunk/src/z3c/securitytool/README.txt 2008-02-13 00:34:04 UTC (rev 83772)
@@ -391,10 +391,11 @@
>>> pprint(first.principalPermissions('daniel') )
{'groups': {},
'permissions': [],
+ 'roleContext': {'Root Folder': [{'role': 'concord.Janitor',
+ 'setting': 'Allow'}]},
'roles': {'concord.Janitor': [{'permission': 'concord.ReadIssue',
- 'setting': 'Allow'}]}}
+ 'setting': 'Allow'}]}}
-
>>> print first.permissionDetails('daniel', None)
{'read_perm': 'zope.Public',
'groups': {},
Modified: z3c.securitytool/trunk/src/z3c/securitytool/securitytool.py
===================================================================
--- z3c.securitytool/trunk/src/z3c/securitytool/securitytool.py 2008-02-13 00:33:27 UTC (rev 83771)
+++ z3c.securitytool/trunk/src/z3c/securitytool/securitytool.py 2008-02-13 00:34:04 UTC (rev 83772)
@@ -18,15 +18,9 @@
from zope.securitypolicy.principalrole import principalRoleManager
from zope.securitypolicy.interfaces import Allow, Unset, Deny
-
-#from zope.app.securitypolicy.zopepolicy import settingsForObject
-
from zope.securitypolicy.interfaces import IPrincipalPermissionManager, IPrincipalRoleManager
-
-
from zope.session.interfaces import ISession
from zope.app import zapi
-
from z3c.securitytool import interfaces
class SecurityChecker(object):
@@ -39,8 +33,7 @@
def getView(self, view_reg, skin=IBrowserRequest):
"""Instantiate view from given registration and skin.
-
- Return `None` if the view isn't callable.
+ Return `None` if the view isn't callable.
"""
request = TestRequest()
applySkin(request, skin)
@@ -59,10 +52,10 @@
self.selectedPermission = selectedPermission
applySkin(request, self.skin)
+
self.viewMatrix = {}
self.viewPermMatrix = {}
self.viewRoleMatrix = {}
-
self.views = {}
self.permissions = set()
@@ -175,7 +168,6 @@
permSetting = ()
settingList = [val for name ,val in settingsForObject(viewInstance)]
-
# The settings list is an aggregate of all settings
# so we can lookup permission settings for any role
for setting in settingList:
@@ -216,6 +208,7 @@
prinPermSettings = {'permissions': [],
'roles': {},
+ 'roleContext': {},
'groups': {}}
request = TestRequest()
@@ -232,11 +225,29 @@
view = self.getView(view_reg, skin)
if not view:
continue
- all_settings = [ settings[1] for settings in
+ all_settings = [{name:val} for name,val in
settingsForObject(view) ]
PrinSettings = self.policyPermissions(principal,
all_settings)
+ try:
+ if PrinSettings['roleContext']:
+ for cont in PrinSettings['roleContext']:
+ if not prinPermSettings['roleContext'].has_key(cont):
+ prinPermSettings['roleContext'][cont] = []
+ newVal = PrinSettings['roleContext'][cont]
+ if len(newVal) > 1:
+ # if this is a list of items
+ for val in newVal:
+ if val not in prinPermSettings['roleContext'][cont]:
+ prinPermSettings['roleContext'][cont].append(
+ val)
+
+ elif newVal[0] not in prinPermSettings['roleContext'][cont]:
+ prinPermSettings['roleContext'][cont].append(newVal[0])
+ except:
+ import pdb; pdb.set_trace()
+
if PrinSettings['permissions']:
if PrinSettings['permissions'] not in \
prinPermSettings['permissions']:
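Review bot: The added `try:` … `except:` around the roleContext merge ends in `import pdb; pdb.set_trace()`, a debugging trap that should not ship in a tool used to audit permissions. The bare `except:` catches every exception, and in a server process without a controlling terminal the debugger call either blocks the request or fails on stdin, so the real error is never reported and the principal's role report may be left incomplete. The `len(newVal) > 1` / `newVal[0]` split is also unnecessary, since one loop over `newVal` covers both cases without indexing into the list. I would drop the try/except and merge with `setdefault`, as below; the enclosing method starts and ends outside this hunk.

```python
            PrinSettings = self.policyPermissions(principal,
                                                  all_settings)
            # Merge per-context role settings; unexpected errors propagate
            # to the caller instead of dropping into a debugger.
            for cont, newVal in PrinSettings['roleContext'].items():
                merged = prinPermSettings['roleContext'].setdefault(cont, [])
                for val in newVal:
                    if val not in merged:
                        merged.append(val)
            # … unchanged: merging of PrinSettings['permissions'] …
```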
@@ -257,57 +268,76 @@
""" this method recursively populates the principal permissions
dict and is only used by principalPermissions """
+ #[x for x[1] in settings]
prinPermSettings = {'permissions': [],
'roles': {},
+ 'roleContext': {},
'groups': {}}
principals = zapi.principals()
setting = {}
+ role_context = {}
+ perm_context = {}
+ roleList = []
+
#For each item in our list we will update the settings dict
+ #for item in settings:
+ # for key,val in item.items():
+ # if not setting.has_key(key):
+ # setting[key] = []
+ # setting[key].extend(val)
- for item in settings:
- for key,val in item.items():
- if not setting.has_key(key):
- setting[key] = []
- setting[key].extend(val)
+ for setting in settings:
+ # Here we get all the permssions for this principal
+ for prinPerms in setting.values()[0].get('principalPermissions', ()):
+ if prinPerms['principal'] == principal.id:
+ permission = prinPerms['permission']
+ _setting = prinPerms['setting'].getName()
+ mapping = {'permission': permission,
+ 'setting': _setting}
+ if not mapping in prinPermSettings['permissions']:
+ prinPermSettings['permissions'].append(mapping)
+ # Here we get all the roles for this principal
+ for prinRoles in setting.values()[0].get('principalRoles', ()):
+ if prinRoles['principal'] != principal.id:
+ continue
+ role = prinRoles['role']
- # Here we get all the permssions for this principal
- for prinPerms in setting.get('principalPermissions', ()):
- if prinPerms['principal'] == principal.id:
- permission = prinPerms['permission']
- _setting = prinPerms['setting'].getName()
- mapping = {'permission': permission,
- 'setting': _setting}
- if not mapping in prinPermSettings['permissions']:
- prinPermSettings['permissions'].append(mapping)
- # Here we get all the roles for this principal
- for prinRoles in setting.get('principalRoles', ()):
- if prinRoles['principal'] != principal.id:
- continue
- if prinRoles.get('setting','') != Allow:
- # We only want to see the role if we are granted
- # the allow permission for it
- # TODO have an else clause and show denied roles as
- # well
- continue
+ if not setting.keys()[0]:
+ key = 'Root Folder'
+ else:
+ key = setting.keys()[0]
- role = prinRoles['role']
+ if not prinPermSettings['roleContext'].has_key(key):
+ prinPermSettings['roleContext'][key] = []
- for rolePerms in setting['rolePermissions']:
- if rolePerms['role'] == role:
- permission = rolePerms['permission']
- _setting = rolePerms['setting'].getName()
- mapping = {'permission': permission,
- 'setting': _setting}
- perms = prinPermSettings['roles'].setdefault(
- role, [])
+ newVal = {'setting':prinRoles['setting'].getName(),
+ 'role':role}
+ if not newVal in prinPermSettings['roleContext'][key]:
+ prinPermSettings['roleContext'][key].append(newVal)
+
+ if prinRoles.get('setting','') != Allow:
+ # We only want to see the role if we are granted
+ # the allow permission for it
+ # TODO have an else clause and show denied roles as
+ # well
+ continue
+ for rolePerms in setting.values()[0]['rolePermissions']:
+ if rolePerms['role'] == role:
+ permission = rolePerms['permission']
+ _setting = rolePerms['setting'].getName()
+ mapping = {'permission': permission,
+ 'setting': _setting}
- if not mapping in perms:
- perms.append(mapping)
- # Here we loop through the groups and recursively call this method
- # for each one found.
+ perms = prinPermSettings['roles'].setdefault(role,[])
+
+ if not mapping in perms:
+ perms.append(mapping)
+
+ # Here we loop through the groups and recursively call this method
+ # for each one found.
for group_id in principal.groups:
group = principals.getPrincipal(group_id)
prinPermSettings['groups'][group_id] = \
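Review bot: The role-to-permission lookup `for rolePerms in setting.values()[0]['rolePermissions']:` now reads only the role permissions recorded in the same context entry where the role was assigned, whereas the removed code first merged every entry into one dict. If a role is assigned at one level and its permissions are granted at another (which looks possible, since the caller passes one entry per item returned by settingsForObject), the `'roles'` part of the report would silently omit those permissions, and under-reporting is the wrong way for a security audit to fail; please confirm this is intended or collect `rolePermissions` across all entries before the loop. That line also indexes the key directly while the two loops above it use `.get(..., ())`, so `setting.values()[0].get('rolePermissions', ())` would keep an entry without that key from raising KeyError. The loop variable `setting` also shadows the `setting = {}` initialised just before it, and the commented-out aggregation block can be deleted. The method body starts and ends outside this hunk.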
@@ -315,9 +345,6 @@
return prinPermSettings
-
-
-
def permissionDetails(self, principal_id, view_name, skin=IBrowserRequest):
"""Get permission details for a given principal and view.
Includes the permissions set by the groups the principal belongs to.