Beispiel #1
 def __get__(self, instance, klass):
     """Return the principals holding this descriptor's role.

     Accessed on the class (``instance`` is None), the descriptor itself is
     returned.  Otherwise the lookup is done on ``instance.__parent__``, not
     on ``instance``; ``klass`` is not used.
     """
     if instance is None:
         return self
     protected = IProtectedObject(instance.__parent__, None)
     # No protection adapter on the parent: report that nobody holds the role.
     return (set() if protected is None
             else protected.get_principals(self.__role_id))
Beispiel #2
 def __acl__(self):
     """Return the ACL provided by this object's IProtectedObject adapter.

     When the object cannot be adapted, an empty list is returned, so this
     object contributes no ACL entries of its own.
     NOTE(review): how the authorization policy treats an empty ACL is not
     visible here -- confirm it does not end up granting access by default.
     """
     protected = IProtectedObject(self, None)
     if protected is None:
         return []
     entries = protected.__acl__()  # pylint: disable=assignment-from-no-return
     # The adapter may hand back a callable instead of the ACL itself.
     return entries(protected) if callable(entries) else entries
Beispiel #3
 def get_granted_roles(self):
     """Return the set of roles granted here and, optionally, on ancestors.

     The local roles are the keys of ``self._principals_by_role``.  When
     ``self.inherit_parent_roles`` is true, the roles reported by each
     protected ancestor are merged in.
     """
     granted = set(self._principals_by_role.keys())
     if not self.inherit_parent_roles:
         return granted
     # NOTE(review): the walk has no early exit, so ancestors located above
     # one that does not inherit parent roles are still consulted -- confirm
     # that this is intended.
     for ancestor in lineage(self):
         # Skip this object and its direct parent.
         if ancestor in (self, self.__parent__):
             continue
         protection = IProtectedObject(ancestor, None)
         if protection is None:
             continue
         granted |= protection.get_granted_roles()
     return granted
Beispiel #4
 def __set__(self, instance, value):
     """Replace the principals holding this descriptor's role.

     ``value`` is normalised to principal IDs, validated against the bound
     field, then compared with the principals currently holding the role on
     ``instance.__parent__``: missing ones are granted the role, extra ones
     have it revoked.

     Raises:
         ValueError: if the field is read-only, or if the parent's
             protection adapter does not provide IRoleProtectedObject.
     """
     bound = self.__field.bind(instance)
     if ISet.providedBy(bound):  # pylint: disable=no-value-for-parameter
         if value is None:
             value = set()
         elif isinstance(value, str):
             # NOTE(review): an empty string splits to {''}; whether
             # validate() rejects that ID is not visible here -- confirm.
             value = set(value.split(','))
         value = {
             item.id if IPrincipalInfo.providedBy(item) else item
             for item in value
         }
     elif IPrincipalInfo.providedBy(value):
         value = value.id
     bound.validate(value)
     if bound.readonly:
         raise ValueError("Field {0} is readonly!".format(self.__name))
     protection = IProtectedObject(instance.__parent__, None)
     if not IRoleProtectedObject.providedBy(protection):
         raise ValueError(
             "Can't use role properties on object not providing "
             "IRoleProtectedObject interface!")
     # pylint: disable=assignment-from-no-return
     current = protection.get_principals(self.__role_id)
     # A single-valued field is handled as a one-element set.
     # NOTE(review): None on such a field becomes {None}; confirm that
     # validate() or grant_role() rejects it.
     wanted = value if isinstance(value, set) else {value}
     # Both differences are computed before any grant or revoke is applied.
     to_grant = wanted - current
     to_revoke = current - wanted
     for principal_id in to_grant:
         protection.grant_role(self.__role_id, principal_id)
     for principal_id in to_revoke:
         protection.revoke_role(self.__role_id, principal_id)
Beispiel #5
 def effective_principals(self, principal_id, request=None, context=None):
     """Extract the effective principals of the given principal ID.

     Starts from the principals returned by the security plug-ins, then adds
     one ``ROLE_ID``-formatted principal for every role these principals hold
     on the context and on its ancestors.  When ``context`` is None it is
     taken from ``request`` (or from ``check_request()``).
     """
     principals = self._get_plugins_principals(principal_id)
     if context is None:
         if request is None:
             request = check_request()
         context = request.context
     if context is None:
         return principals
     for node in lineage(context):
         protection = IProtectedObject(node, None)
         # An unprotected node neither adds roles nor stops the walk.
         if protection is None:
             continue
         # Iterate over a snapshot: the set grows while roles are added.
         for known in principals.copy():
             principals |= {
                 ROLE_ID.format(role)
                 for role in protection.get_roles(known)
             }
         # Stop at the first protected node that does not inherit roles.
         if not protection.inherit_parent_roles:
             break
     return principals
Beispiel #6
 def get_authenticated_denied(self):
     """Return the permissions denied to authenticated users.

     Local denials come from ``self.authenticated_denied``.  When
     ``self.inherit_parent_security`` is true, the ``authenticated_denied``
     value of each protected ancestor is merged in.
     """
     denied = self.authenticated_denied or set()
     if not self.inherit_parent_security:
         return denied
     # NOTE(review): each ancestor's attribute is read directly and the walk
     # has no early exit, so an ancestor that does not inherit parent
     # security does not stop it -- confirm that this is intended.
     for ancestor in lineage(self):
         # Skip this object and its direct parent.
         if ancestor in (self, self.__parent__):
             continue
         protection = IProtectedObject(ancestor, None)
         if protection is None:
             continue
         # `|` rather than `|=`: `denied` may be the stored attribute, which
         # must not be modified in place.
         denied = denied | (protection.authenticated_denied or set())
     return denied
Beispiel #7
 def get_everyone_granted(self):
     """Return the permissions granted to everyone.

     Local grants come from ``self.everyone_granted``.  When
     ``self.inherit_parent_security`` is true, the ``everyone_granted`` value
     of each protected ancestor is merged in.
     """
     granted = self.everyone_granted or set()
     if not self.inherit_parent_security:
         return granted
     # NOTE(review): each ancestor's attribute is read directly and the walk
     # has no early exit, so grants from above an ancestor that does not
     # inherit parent security are still included.  For a grant list that
     # widens access -- confirm that this is intended.
     for ancestor in lineage(self):
         # Skip this object and its direct parent.
         if ancestor in (self, self.__parent__):
             continue
         protection = IProtectedObject(ancestor, None)
         if protection is None:
             continue
         # `|` rather than `|=`: `granted` may be the stored attribute, which
         # must not be modified in place.
         granted = granted | (protection.everyone_granted or set())
     return granted
Beispiel #8
 def get_target(self):
     """Return the chat message targets.

     The result is a dict whose ``'principals'`` entry is a tuple holding
     ``ADMIN_USER_ID``, the principals with ``SYSTEM_ADMIN_ROLE`` on the
     request root, and the principals with ``SCHEDULER_MANAGER_ROLE`` or
     ``TASKS_MANAGER_ROLE`` on the scheduler utility.
     """
     # ADMIN_USER_ID is always a target, even when nothing below adapts.
     principals = {ADMIN_USER_ID}
     root_protection = IProtectedObject(self.context.request.root, None)
     if root_protection is not None:
         principals |= root_protection.get_principals(SYSTEM_ADMIN_ROLE)
     scheduler_protection = IProtectedObject(get_utility(IScheduler), None)
     if scheduler_protection is not None:
         for role in (SCHEDULER_MANAGER_ROLE, TASKS_MANAGER_ROLE):
             principals |= scheduler_protection.get_principals(role)
     return {'principals': tuple(principals)}
Beispiel #9
 def discriminate(self, obj, default):
     """Return the principals holding ``self.role_id`` on ``obj``.

     ``default`` is returned when ``obj`` has no IProtectedObject adapter.
     """
     protection = IProtectedObject(obj, None)
     if protection is not None:
         return protection.get_principals(self.role_id)
     return default