39 @implementer(IRoleProtectedObject) |
39 @implementer(IRoleProtectedObject) |
40 class RoleProtectedObject(Persistent): |
40 class RoleProtectedObject(Persistent): |
41 """Base class for object protected by roles""" |
41 """Base class for object protected by roles""" |
42 |
42 |
43 inherit_parent_security = FieldProperty(IRoleProtectedObject['inherit_parent_security']) |
43 inherit_parent_security = FieldProperty(IRoleProtectedObject['inherit_parent_security']) |
44 _everyone_permission = FieldProperty(IRoleProtectedObject['everyone_permission']) |
44 _everyone_permissions = FieldProperty(IRoleProtectedObject['everyone_permissions']) |
45 _authenticated_permission = FieldProperty(IRoleProtectedObject['authenticated_permission']) |
45 _authenticated_permissions = FieldProperty(IRoleProtectedObject['authenticated_permissions']) |
46 inherit_parent_roles = FieldProperty(IRoleProtectedObject['inherit_parent_roles']) |
46 inherit_parent_roles = FieldProperty(IRoleProtectedObject['inherit_parent_roles']) |
47 |
47 |
48 def __init__(self): |
48 def __init__(self): |
49 self._principals_by_role = PersistentDict() |
49 self._principals_by_role = PersistentDict() |
50 self._roles_by_principal = PersistentDict() |
50 self._roles_by_principal = PersistentDict() |
51 |
51 |
52 @property |
52 @property |
53 def everyone_permission(self): |
53 def everyone_permissions(self): |
54 permission = self._everyone_permission |
54 permissions = self._everyone_permissions |
55 if permission is None and self.inherit_parent_security: |
55 if (not permissions) and self.inherit_parent_security: |
56 for parent in lineage(self): |
56 for parent in lineage(self): |
57 if parent in (self, self.__parent__): |
57 if parent in (self, self.__parent__): |
58 continue |
58 continue |
59 protection = IProtectedObject(parent, None) |
59 protection = IProtectedObject(parent, None) |
60 if protection is not None: |
60 if protection is not None: |
61 permission = protection.everyone_permission |
61 permissions = protection.everyone_permissions |
62 if permission is not None: |
62 if permissions: |
63 break |
63 break |
64 return permission |
64 return permissions |
65 |
65 |
66 @everyone_permission.setter |
66 @everyone_permissions.setter |
67 def everyone_permission(self, value): |
67 def everyone_permissions(self, value): |
68 self._everyone_permission = value |
68 self._everyone_permissions = value |
69 |
69 |
70 @property |
70 @property |
71 def authenticated_permission(self): |
71 def authenticated_permissions(self): |
72 permission = self._authenticated_permission |
72 permissions = self._authenticated_permissions |
73 if permission is None and self.inherit_parent_security: |
73 if (not permissions) and self.inherit_parent_security: |
74 for parent in lineage(self): |
74 for parent in lineage(self): |
75 if parent in (self, self.__parent__): |
75 if parent in (self, self.__parent__): |
76 continue |
76 continue |
77 protection = IProtectedObject(parent, None) |
77 protection = IProtectedObject(parent, None) |
78 if protection is not None: |
78 if protection is not None: |
79 permission = protection.authenticated_permission |
79 permissions = protection.authenticated_permissions |
80 if permission is not None: |
80 if permissions: |
81 break |
81 break |
82 return permission |
82 return permissions |
83 |
83 |
84 @authenticated_permission.setter |
84 @authenticated_permissions.setter |
85 def authenticated_permission(self, value): |
85 def authenticated_permissions(self, value): |
86 self._authenticated_permission = value |
86 self._authenticated_permissions = value |
87 |
87 |
88 def grant_role(self, role_id, principal_ids): |
88 def grant_role(self, role_id, principal_ids): |
89 registry = check_request().registry |
89 registry = check_request().registry |
90 if IRole.providedBy(role_id): |
90 if IRole.providedBy(role_id): |
91 role_id = role_id.id |
91 role_id = role_id.id |
148 @request_property(key=None) |
148 @request_property(key=None) |
149 def __acl__(self): |
149 def __acl__(self): |
150 # always grant all permissions to system manager |
150 # always grant all permissions to system manager |
151 result = [(Allow, 'system:admin', ALL_PERMISSIONS)] |
151 result = [(Allow, 'system:admin', ALL_PERMISSIONS)] |
152 # grant permission to everyone and authenticated |
152 # grant permission to everyone and authenticated |
153 if self.everyone_permission: |
153 if self.everyone_permissions: |
154 result.append((Allow, Everyone, self.everyone_permission)) |
154 result.append((Allow, Everyone, self.everyone_permissions)) |
155 if self.authenticated_permission: |
155 if self.authenticated_permissions: |
156 result.append((Allow, Authenticated, self.authenticated_permission)) |
156 result.append((Allow, Authenticated, self.authenticated_permissions)) |
157 # grant access to all roles permissions |
157 # grant access to all roles permissions |
158 for role_id in self._principals_by_role.keys(): |
158 for role_id in self._principals_by_role.keys(): |
159 role = query_utility(IRole, role_id) |
159 role = query_utility(IRole, role_id) |
160 if role is not None: |
160 if role is not None: |
161 result.append((Allow, 'role:{0}'.format(role_id), role.permissions)) |
161 result.append((Allow, 'role:{0}'.format(role_id), role.permissions)) |