[Checkins]
SVN: z3c.securitytool/trunk/src/z3c/securitytool/README.txt
- Added some more tests for the principal level permissions,
groups and
Daniel Blackburn
blackburnd at gmail.com
Mon Jan 21 08:54:04 EST 2008
Log message for revision 83059:
- Added some more tests for the principal level permissions, groups and
roles.
- Removed some of the TestBrowser tests as they are no longer needed.
Changed:
U z3c.securitytool/trunk/src/z3c/securitytool/README.txt
-=-
Modified: z3c.securitytool/trunk/src/z3c/securitytool/README.txt
===================================================================
--- z3c.securitytool/trunk/src/z3c/securitytool/README.txt 2008-01-21 12:12:53 UTC (rev 83058)
+++ z3c.securitytool/trunk/src/z3c/securitytool/README.txt 2008-01-21 13:54:03 UTC (rev 83059)
@@ -23,7 +23,7 @@
Desired Behavior
---------------
On the page you will be able to select the desired skin from all the
- available skin on the system. You can also trunkate the results by
+ available skins on the system. You can also trunkate the results by
selecting the permission from the filter select box.
When you click on the "Allow" or "Deny" security tool will explain
@@ -34,174 +34,175 @@
roles, groups or specifically assigned will be displayed
- >>> from pprint import pprint
- >>> import zope
- >>> from zope.interface import implements
- >>> from zope.annotation.interfaces import IAttributeAnnotatable
- >>> from zope.app.container import contained
- >>> from zope.app.folder import Folder, rootFolder
- >>> import persistent
+ >>> from pprint import pprint
+ >>> import zope
+ >>> from zope.interface import implements
+ >>> from zope.annotation.interfaces import IAttributeAnnotatable
+ >>> from zope.app.container import contained
+ >>> from zope.app.folder import Folder, rootFolder
+ >>> import persistent
+
+
+ >>> from zope.app.authentication.principalfolder import Principal
+ >>> from zope.securitypolicy.role import Role
+ >>> from zope.security.permission import Permission
+
+ >>> from zope.publisher.interfaces import IRequest
+
+ >>> from zope.component import provideAdapter
+ >>> from zope.app.testing import ztapi
+ >>> from zope.app.folder.interfaces import IFolder
+ >>> import transaction
+ >>> from zope.app import zapi
+ >>> principals = zapi.principals()
+ >>> principals._clear()
- >>> from zope.app.authentication.principalfolder import Principal
- >>> from zope.securitypolicy.role import Role
- >>> from zope.security.permission import Permission
- >>> from zope.publisher.interfaces import IRequest
-
- >>> from zope.component import provideAdapter
- >>> from zope.app.testing import ztapi
- >>> from zope.app.folder.interfaces import IFolder
- >>> import transaction
-
The news agency, the Concord Times, is implementing a new article management
system in Zope 3. In order to better understand their security situation, they
have installed z3c.security tool.
- >>> concordTimes = getRootFolder()
+ >>> concordTimes = getRootFolder()
The Concord Times site is a folder which contains a Folder per issue and each
issue contains articles.
- >>> class Issue(Folder):
- ... implements(IFolder)
- ... def __repr__(self):
- ... return '<%s %r>' %(self.__class__.__name__, self.title)
-
- >>> ztapi.provideAdapter(
- ... IRequest, IFolder,
- ... Issue)
-
- >>> class Article(contained.Contained, persistent.Persistent):
- ... implements(IAttributeAnnotatable)
- ...
- ... def __init__(self, title, text):
- ... self.title = title
- ... self.text = text
- ...
- ... def __repr__(self):
- ... return '<%s %r>' %(self.__class__.__name__, self.title)
+ >>> class Issue(Folder):
+ ... implements(IFolder)
+ ... def __repr__(self):
+ ... return '<%s %r>' %(self.__class__.__name__, self.title)
+ >>> ztapi.provideAdapter(
+ ... IRequest, IFolder,
+ ... Issue)
+
+ >>> class Article(contained.Contained, persistent.Persistent):
+ ... implements(IAttributeAnnotatable)
+ ...
+ ... def __init__(self, title, text):
+ ... self.title = title
+ ... self.text = text
+ ...
+ ... def __repr__(self):
+ ... return '<%s %r>' %(self.__class__.__name__, self.title)
+
At the Concord Times, they have only three levels of users: Editors, Writers,
and Janitors.
- >>> editor = Role('concord.Editor', 'The editors')
- >>> writer = Role('concord.Writer', 'The writers')
- >>> janitor = Role('concord.Janitor', 'The janitors')
+ >>> editor = Role('concord.Editor', 'The editors')
+ >>> writer = Role('concord.Writer', 'The writers')
+ >>> janitor = Role('concord.Janitor', 'The janitors')
In order to control who has access to the system, they define the following
necessary permissions:
-
- >>> createIssue = Permission('concord.CreateIssue','Create Issue')
- >>> publishIssue = Permission('concord.PublishIssue', 'Publish Issue')
- >>> readIssue = Permission('concord.ReadIssue', 'Read Issue')
- >>> createArticle = Permission('concord.CreateArticle', 'Create Article')
- >>> deleteArticle = Permission('concord.DeleteArticle', 'Delete Article')
+
+ >>> createIssue = Permission('concord.CreateIssue','Create Issue')
+ >>> publishIssue = Permission('concord.PublishIssue', 'Publish Issue')
+ >>> readIssue = Permission('concord.ReadIssue', 'Read Issue')
+ >>> createArticle = Permission('concord.CreateArticle', 'Create Article')
+ >>> deleteArticle = Permission('concord.DeleteArticle', 'Delete Article')
Now we need to setup the security system on the level of the news agency.
In order to assign the permissions to the roles, we must setup a role-
permission Manager, which is used to map permissions to roles.
- >>> from zope.securitypolicy.interfaces import IRolePermissionManager
- >>> rolePermManager = IRolePermissionManager(concordTimes)
+ >>> from zope.securitypolicy.interfaces import IRolePermissionManager
+ >>> rolePermManager = IRolePermissionManager(concordTimes)
Now we can use our ``rolePermManager`` to assign the roles.
Editors are the only users that are allowed to create and publish issues.
Writers and Editors may create articles, but only editors can delete them.
Everyone can read the issues.
- >>> rolePermManager.grantPermissionToRole(createIssue.id, editor.id)
- >>> rolePermManager.grantPermissionToRole(publishIssue.id, editor.id)
- >>> rolePermManager.grantPermissionToRole(readIssue.id, editor.id)
- >>> rolePermManager.grantPermissionToRole(createArticle.id, editor.id)
- >>> rolePermManager.grantPermissionToRole(deleteArticle.id, editor.id)
+ >>> rolePermManager.grantPermissionToRole(createIssue.id, editor.id)
+ >>> rolePermManager.grantPermissionToRole(publishIssue.id, editor.id)
+ >>> rolePermManager.grantPermissionToRole(readIssue.id, editor.id)
+ >>> rolePermManager.grantPermissionToRole(createArticle.id, editor.id)
+ >>> rolePermManager.grantPermissionToRole(deleteArticle.id, editor.id)
- >>> rolePermManager.grantPermissionToRole(readIssue.id, writer.id)
- >>> rolePermManager.grantPermissionToRole(createArticle.id, writer.id)
-
- >>> rolePermManager.grantPermissionToRole(readIssue.id, janitor.id)
+ >>> rolePermManager.grantPermissionToRole(readIssue.id, writer.id)
+ >>> rolePermManager.grantPermissionToRole(createArticle.id, writer.id)
+
+ >>> rolePermManager.grantPermissionToRole(readIssue.id, janitor.id)
The news agency now hires the initial set of staff members. So let's create
a principal for each hired person:
- >>> martin = Principal('martin', 'Martin')
- >>> randy = Principal('randy', 'Randy')
- >>> markus = Principal('markus', 'Markus')
- >>> daniel = Principal('daniel', 'Daniel')
- >>> stephan = Principal('stephan', 'Stephan')
+ >>> martin = Principal('martin', 'Martin')
+ >>> randy = Principal('randy', 'Randy')
+ >>> markus = Principal('markus', 'Markus')
+ >>> daniel = Principal('daniel', 'Daniel')
+ >>> stephan = Principal('stephan', 'Stephan')
Based on their positions we assign proper roles to the staff.
In order to assign roles to our staff members, we must first create a
principal-role manager.
- >>> from zope.securitypolicy.interfaces import IPrincipalRoleManager
- >>> prinRoleManager = IPrincipalRoleManager(concordTimes)
+ >>> from zope.securitypolicy.interfaces import IPrincipalRoleManager
+ >>> prinRoleManager = IPrincipalRoleManager(concordTimes)
And now we can assign the roles. At the Concord Times, Martin is an editor,
Randy and Markus are writers, and Daniel and Stephan are janitors.
- >>> prinRoleManager.assignRoleToPrincipal(editor.id, martin.id)
- >>> prinRoleManager.assignRoleToPrincipal(writer.id, randy.id)
- >>> prinRoleManager.assignRoleToPrincipal(writer.id, markus.id)
- >>> prinRoleManager.assignRoleToPrincipal(janitor.id, daniel.id)
- >>> prinRoleManager.assignRoleToPrincipal(janitor.id, stephan.id)
+ >>> prinRoleManager.assignRoleToPrincipal(editor.id, martin.id)
+ >>> prinRoleManager.assignRoleToPrincipal(writer.id, randy.id)
+ >>> prinRoleManager.assignRoleToPrincipal(writer.id, markus.id)
+ >>> prinRoleManager.assignRoleToPrincipal(janitor.id, daniel.id)
+ >>> prinRoleManager.assignRoleToPrincipal(janitor.id, stephan.id)
Lets set up the securityPolicy objects and the corresponding
participation for our actors.
- >>> from zope.security import testing
- >>> from zope.securitypolicy import zopepolicy
-
- >>> markus_policy = zopepolicy.ZopeSecurityPolicy()
- >>> markus_part = testing.Participation(markus)
- >>> markus_policy.add(markus_part)
-
- >>> martin_policy = zopepolicy.ZopeSecurityPolicy()
- >>> martin_part = testing.Participation(martin)
- >>> martin_policy.add(martin_part)
-
- >>> randy_policy = zopepolicy.ZopeSecurityPolicy()
- >>> randy_part = testing.Participation(randy)
- >>> randy_policy.add(randy_part)
-
- >>> stephan_policy = zopepolicy.ZopeSecurityPolicy()
- >>> stephan_part = testing.Participation(stephan)
- >>> stephan_policy.add(stephan_part)
-
- >>> daniel_policy = zopepolicy.ZopeSecurityPolicy()
- >>> daniel_part = testing.Participation(daniel)
- >>> daniel_policy.add(daniel_part)
+ >>> from zope.security import testing
+ >>> from zope.securitypolicy import zopepolicy
+ >>> markus_policy = zopepolicy.ZopeSecurityPolicy()
+ >>> markus_part = testing.Participation(markus)
+ >>> markus_policy.add(markus_part)
+
+ >>> martin_policy = zopepolicy.ZopeSecurityPolicy()
+ >>> martin_part = testing.Participation(martin)
+ >>> martin_policy.add(martin_part)
+
+ >>> randy_policy = zopepolicy.ZopeSecurityPolicy()
+ >>> randy_part = testing.Participation(randy)
+ >>> randy_policy.add(randy_part)
+
+ >>> stephan_policy = zopepolicy.ZopeSecurityPolicy()
+ >>> stephan_part = testing.Participation(stephan)
+ >>> stephan_policy.add(stephan_part)
+
+ >>> daniel_policy = zopepolicy.ZopeSecurityPolicy()
+ >>> daniel_part = testing.Participation(daniel)
+ >>> daniel_policy.add(daniel_part)
+
+
+ >>> firstIssue = \
+ ... Folder()
+ >>> concordTimes['firstIssue'] = firstIssue
+ >>> concordTimes._p_changed = 1
+ >>> transaction.commit()
- >>> firstIssue = \
- ... Folder()
- >>> concordTimes['firstIssue'] = firstIssue
- >>> concordTimes._p_changed = 1
- >>> transaction.commit()
-
-
-
Randy starts to write his first article:
- >>> firstArticle = Article('A new star is born',
- ... 'A new star is born, the `The Concord Times` ...')
+ >>> firstArticle = Article('A new star is born',
+ ... 'A new star is born, the `Concord Times` ...')
TODO: add permisson settings for this context then test with
functional tests.
-
-
Markus tries to give his fellow writer some help by attempting to
create an Issue and of course cannot.
- >>> markus_policy.checkPermission(createIssue.id, concordTimes)
- False
+ >>> markus_policy.checkPermission(createIssue.id, concordTimes)
+ False
Only Martin as the editor has createIssue priveleges.
- >>> martin_policy.checkPermission(createIssue.id, concordTimes)
- True
+ >>> martin_policy.checkPermission(createIssue.id, concordTimes)
+ True
This is not yet complete. But this is the proper way to connect.
@@ -221,45 +222,79 @@
[u'firstIssue']
-Our issue was added to the root folder as we can see by printing @@contents.html
- >>> manager.open('http://localhost:8080/@@contents.html')
- >>> print manager.contents
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <BLANKLINE>
- ...
- <td>
- <input type="checkbox"
- class="noborder slaveBox"
- name="ids:list" id="firstIssue"
- value="firstIssue" />
- </td>
- ...
- </html>
- <BLANKLINE>
- <BLANKLINE>
+-----------------
+Okay, Now lets see what security tool thinks the user has assigned for
+roles, permissions and groups.
-TODO: Make this a real test.
- >>> manager.open('http://localhost:8080/@@vum.html')
- >>> print manager.contents
- <html>
- <head>
- <link type="text/css" rel="stylesheet" media="all"
- ...
- </body>
- </html>
- <BLANKLINE>
+TODO: Find out why I cannot access the principals without defining Principal
-TODO: make this a valid test we are looking for permission
-settings provided in the test appear on the html page.
- >>> manager.open('http://localhost:8080/firstIssue/pd.html?principal='
- ... + 'zope.sample_manager&view=addSiteManager.html"')
+ >>> from z3c.securitytool.interfaces import ISecurityChecker
+ >>> principals = zapi.principals()
+ >>> first = ISecurityChecker(firstIssue)
+
- >>> print manager.contents
- <html>
- <head>
- ...
- </html>
- <BLANKLINE>
+As we can see below securitytool tells us that daniel and stephanonly has
+ReadIssue given by the concord.Janitor Role
+ >>> daniel = principals.definePrincipal('daniel','daniel','daniel')
+ >>> pprint(first.principalPermissions('daniel') )
+ {'groups': {},
+ 'permissions': [],
+ 'roles': {'concord.Janitor': [{'permission': 'concord.ReadIssue',
+ 'setting': 'Allow'}]}}
+
+ >>> principals._clear()
+ >>> stephan = principals.definePrincipal('stephan','stephan','stephan')
+ >>> pprint(first.principalPermissions('stephan') )
+ {'groups': {},
+ 'permissions': [],
+ 'roles': {'concord.Janitor': [{'permission': 'concord.ReadIssue',
+ 'setting': 'Allow'}]}}
+
+
+We can see here that Randy has the role concord.Writer which is
+allowed to perform the concord.createArticle actions.
+ >>> principals._clear()
+ >>> randy = principals.definePrincipal('randy','randy','randy')
+ >>> pprint(first.principalPermissions('randy') )
+ {'groups': {},
+ 'permissions': [],
+ 'roles': {'concord.Writer': [{'permission': 'concord.CreateArticle',
+ 'setting': 'Allow'},
+ {'permission': 'concord.ReadIssue',
+ 'setting': 'Allow'}]}}
+
+
+We can see here that Markus has the role concord.Writer which is
+allowed to perform the concord.createArticle actions.
+ >>> principals._clear()
+ >>> markus = principals.definePrincipal('markus','markus','markus')
+ >>> pprint(first.principalPermissions('markus') )
+ {'groups': {},
+ 'permissions': [],
+ 'roles': {'concord.Writer': [{'permission': 'concord.CreateArticle',
+ 'setting': 'Allow'},
+ {'permission': 'concord.ReadIssue',
+ 'setting': 'Allow'}]}}
+
+
+We can see here that Martin has the role concord.Editor which is
+allowed to perform all the actions for the Concord Times
+ >>> principals._clear()
+ >>> martin = principals.definePrincipal('martin','martin','martin')
+ >>> pprint(first.principalPermissions('martin') )
+ {'groups': {},
+ 'permissions': [],
+ 'roles': {'concord.Editor': [{'permission': 'concord.PublishIssue',
+ 'setting': 'Allow'},
+ {'permission': 'concord.CreateArticle',
+ 'setting': 'Allow'},
+ {'permission': 'concord.ReadIssue',
+ 'setting': 'Allow'},
+ {'permission': 'concord.CreateIssue',
+ 'setting': 'Allow'},
+ {'permission': 'concord.DeleteArticle',
+ 'setting': 'Allow'}]}}
+
More information about the Checkins
mailing list