[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Security - AttributeRolePermissionManager.py:1.1.2.4.2.1 ZopeSecurityPolicy.py:1.1.2.13.2.2

Casey Duncan casey_duncan@yahoo.com
Mon, 11 Feb 2002 13:48:49 -0500


Update of /cvs-repository/Zope3/lib/python/Zope/App/Security
In directory cvs.zope.org:/tmp/cvs-serv9750

Modified Files:
      Tag: Zope-3x-security_defactor-branch
	AttributeRolePermissionManager.py ZopeSecurityPolicy.py 
Log Message:
Security manager *almost* working...Still failing one test when trying to get the playful RolePermission adapter. 8^/


=== Zope3/lib/python/Zope/App/Security/AttributeRolePermissionManager.py 1.1.2.4 => 1.1.2.4.2.1 ===
         pp = self._getRolePermissions()
         if pp:
-            return self.getCell( permission, role )
+            return pp.getCell( permission, role )
         else:
             return Unset
 


=== Zope3/lib/python/Zope/App/Security/ZopeSecurityPolicy.py 1.1.2.13.2.1 => 1.1.2.13.2.2 ===
     def checkPermission( self, permission, object, context ):
 
-        # The following commented code is wrong in serveral ways:
-        #
-        # 1) Anonymous is a role, not a principal
-        #
-        # 2) It's not enough for anonymous top have the needed permission
-        #    globally, since the permission may be delayed lower dowm.
-        #
-        # 3) It's really ineffecient to collect all the principals that have
-        #    a role.
-        #
-        #anon = principalRegistry.getPrincipal('Anonymous')
-        #if (permission, Allow) in getPermissionsForRole(anon):
-        #    return 1
+        print 'checking permission:', permission, object
 
         principals = { context.user : 1 }
         roles      = {}
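Review bot: The `print 'checking permission:', permission, object` added at the top of checkPermission writes the permission name and the object's repr to stdout on every authorization check, and the later hunks add more of the same (`print c`, the two 'got playul ... adapter' lines, 'No playful role permission adapter' and 'DENY: fell through'). This is a hot path in the security policy, and stdout is not an access-controlled channel, so object reprs and the allow/deny trace end up wherever the server's output is captured. These should be removed before the branch is merged, or routed through the project's logging facility at a debug level that is off by default; until then a marker such as `# XXX debug only, remove before merge` on each line makes them easy to find. The 'playul' spelling in two of the messages also makes the trace harder to grep. checkPermission's body continues outside this hunk.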
@@ -109,8 +97,10 @@
 
         # XXX We aren't really handling multiple principals below
         for c in ContainmentIterator(object):
+            print c
             ppm = getAdapter(c, IPrincipalPermissionManager, None)
             if ppm is not None: 
+                print 'got playul principal permission adapter'
                 for principal in principals.keys():
                     setting = ppm.getSetting(permission, principal)
                     if setting is Allow:
@@ -122,6 +112,7 @@
 
             rpm = getAdapter(c, IRolePermissionManager, None)
             if rpm is not None:
+                print 'got playul role permission adapter'
                 for role in all_roles:
                     setting = rpm.getSetting(permission, role)
                     if setting == Allow:
@@ -130,30 +121,38 @@
                         return 0 # Explicit Deny on role.
                 if seen_allowed:
                     return 1 # I'm allowed by a role on the principal
+            else:
+                print 'No playful role permission adapter'
 
         # now check the dour interfaces - maybe they've got settings
         ppm = principalPermissionManager
-        if ppm is not None: 
-            for principal in principals.keys():
-                setting = ppm.getSetting(permission, principal)
-                if setting is Allow:
-                    seen_allowed = 1
-                elif setting is Deny:
-                    return 0 # Explicit deny on principal
-            if seen_allowed:
-                return 1 # If I'm allowed here... forget the rest.
+        for principal in principals.keys():
+            setting = ppm.getSetting(permission, principal)
+            if setting is Allow:
+                seen_allowed = 1
+            elif setting is Deny:
+                return 0 # Explicit deny on principal
+        if seen_allowed:
+            return 1 # If I'm allowed here... forget the rest.
 
         rpm = rolePermissionManager
-        if rpm is not None:
-            for role in all_roles:
-                setting = rpm.getSetting(permission, role)
-                if setting == Allow:
-                    seen_allowed = 1
-                if setting == Deny:
-                    return 0 # Explicit Deny on role.
+        getGlobalRoles = principalRoleManager.getRolesForPrincipal
+        for principal in principals.keys():
+            # Get the global roles for this principal always checking
+            # anonymous first
+            all_roles = [('Anonymous', Assign)] + getGlobalRoles(principal)
+            for role, role_setting in all_roles:
+                if role_setting is Assign:
+                    setting = rpm.getSetting(permission, role)
+                    if setting == Allow:
+                        seen_allowed = 1
+                    if setting == Deny:
+                        return 0 # Explicit Deny on role.
             if seen_allowed:
                 return 1 # I'm allowed by a role on the principal
 
+        print 'DENY: fell through'
+
         return 0 # Deny by default
 
 #        for p in principals.keys():
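Review bot: Prepending `('Anonymous', Assign)` to every principal's global roles means the `setting == Deny` branch returns 0 for any principal once the permission is denied to Anonymous, so denying a permission to anonymous visitors would also lock out authenticated users whose own role allows it. If that precedence is intended, state it at the loop, e.g. `# A Deny on Anonymous denies every principal, including authenticated ones`, and cover it with a test; if it is not, Anonymous should only be able to contribute an Allow here. The context line `if seen_allowed:` now sits inside the `for principal` loop, so with more than one principal an Allow for the first would return before a Deny on a later one is seen (today `principals` holds only `context.user`, as the XXX comment earlier in the function admits). The new code also rebinds `all_roles`, which the containment loop iterates as bare role names, to a list of `(role, setting)` pairs, and `[...] + getGlobalRoles(principal)` assumes that call returns a list. A distinct name such as `global_roles` would avoid the confusion.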
@@ -228,7 +227,7 @@
                         if not roles.has_key(role):
                             roles[role] = setting
 
-        result = []
+        result = [('Anonymous',Assign)] # Always check anonymous
         for role, setting in roles.items():
             if setting is Assign:
                 result.append(role)
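Review bot: `result` now starts with the tuple `('Anonymous',Assign)`, but the loop below still does `result.append(role)`, so the list would mix one `(role, setting)` pair with bare role names. The containment loop in checkPermission iterates `all_roles` and passes each element straight to `rpm.getSetting(permission, role)`. If this list is what feeds it (the enclosing function starts and ends outside the hunk, so that is an inference), the first lookup would be made with a tuple and would likely not match the Anonymous role's settings. Seeding with the bare name, `result = ['Anonymous'] # Always check anonymous`, keeps the element type uniform. A guard against adding 'Anonymous' a second time when it is also a key in `roles` may be wanted too.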