[Checkins] SVN: z3c.securitytool/trunk/src/z3c/securitytool/demoSetup.py Updated demoSetup.py to test the inheritance of group permissions

Daniel Blackburn blackburnd at gmail.com
Thu May 29 13:51:32 EDT 2008


Log message for revision 87049:
  Updated demoSetup.py to test the inheritance of group permissions 

Changed:
  U   z3c.securitytool/trunk/src/z3c/securitytool/demoSetup.py

-=-
Modified: z3c.securitytool/trunk/src/z3c/securitytool/demoSetup.py
===================================================================
--- z3c.securitytool/trunk/src/z3c/securitytool/demoSetup.py	2008-05-29 17:49:13 UTC (rev 87048)
+++ z3c.securitytool/trunk/src/z3c/securitytool/demoSetup.py	2008-05-29 17:51:32 UTC (rev 87049)
@@ -34,7 +34,7 @@
         # Lets get the list of all principals on the system.
         sysPrincipals = zapi.principals()
         principals = [x.id for x in sysPrincipals.getPrincipals('')
-                      if x.id not in ['group1','group2','randy']]
+                      if x.id not in ['zope.group1','zope.group2','zope.randy']]
 
 # Here is where we begin to set the permissions for the root context level
         roleManager = IPrincipalRoleManager(root)
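Review bot: The filter on `principals` carries no comment saying why these three ids are left out, and 'zope.randy' is a user rather than a group. Presumably randy and the two groups are meant to receive nothing from the per-principal grants that follow, so that their effective permissions come only from group membership. If that is the intent, a comment such as `# Skip the groups and randy: their permissions are set only through group membership below.` would make it explicit. The same id literals reappear in the `getPrincipal` calls in the next hunk, so one constant holding the excluded ids would keep the two in step. The enclosing method begins and ends outside the hunk.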
@@ -45,16 +45,21 @@
 
         group1  = sysPrincipals.getPrincipal('zope.group1')
         group2  = sysPrincipals.getPrincipal('zope.group2')
+        
         daniel  = sysPrincipals.getPrincipal('zope.daniel')
         randy  = sysPrincipals.getPrincipal('zope.randy')
 
-
-        daniel.groups.append('zope.group1')
-        group1.groups.append('zope.group2')
-
+        # We add group1 and group2 to Randy to make sure that the
+        # allow permission overrides the Deny permission at the
+        # same level.
         randy.groups.append('zope.group1')
         randy.groups.append('zope.group2')
 
+
+        # We add randy as a group to daniel with a subgroup
+        # of group1 and and group2
+        daniel.groups.append('zope.randy')
+
         
         roleManager.assignRoleToPrincipal('zope.Writer', 'zope.daniel')
         roleManager.assignRoleToPrincipal('zope.Writer', 'zope.stephan')
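Review bot: The comment before `daniel.groups.append('zope.randy')` calls randy a group, but randy is fetched alongside daniel as an ordinary principal, and the sentence has a doubled "and". It should say that a user principal id is placed in another principal's `groups` on purpose, for example `# daniel inherits from randy, who in turn belongs to group1 and group2.` The earlier comment claims that allow overrides deny at the same level. That is the expected outcome of this fixture, so it should name which grant and which deny it means, since both are set in a later hunk. The enclosing method begins and ends outside the hunk.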
@@ -68,6 +73,17 @@
                                               principal)
 
 
+# Now at the root level we will deny all the permissions to group2 and
+# Allow all the permissions to group 1
+        for perm in ['concord.DeleteIssue', 'concord.CreateIssue',
+                     'concord.ReadIssue', 'concord.CreateArticle',
+                     'concord.DeleteArticle', 'concord.PublishIssue']:
+                     
+            permManager.denyPermissionToPrincipal(perm, group1.id)
+            permManager.grantPermissionToPrincipal(perm,group2.id)
+
+
+
 # Here is where we begin to set the permissions for the context level of
 # Folder1.
         roleManager = IPrincipalRoleManager(root['Folder1'])
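Review bot: The comment added above the loop states the opposite of what the loop does. It says group2 is denied and group1 is allowed, while the code calls `denyPermissionToPrincipal(perm, group1.id)` and `grantPermissionToPrincipal(perm,group2.id)`. This fixture exists to show how allow and deny resolve through group membership, so a reversed comment leads anyone checking the tool's output against it to expect the wrong effective permissions. Suggest `# At the root level, deny these permissions to group1 and grant them to group2.` The assignment of `permManager` is outside the hunk, so that it is bound to the root context here is taken from the comment, not verified.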
@@ -84,16 +100,7 @@
             permManager.grantPermissionToPrincipal('concord.CreateArticle',
                                               principal)
 
-        permManager.denyPermissionToPrincipal('concord.DeleteIssue',
-                                              group1.id)
-        permManager.denyPermissionToPrincipal('concord.CreateIssue',
-                                              group1.id)
 
-        permManager.grantPermissionToPrincipal('concord.DeleteIssue',
-                                              group2.id)
-        permManager.grantPermissionToPrincipal('concord.CreateIssue',
-                                              group2.id)
-
 # Here is where we begin to set the permissions for the context level of
 # /root/Folder1/Folder2.
         roleManager = IPrincipalRoleManager(root['Folder1']['Folder2'])


