def __get__(self, instance, klass):
    """Return the principals holding this property's role on the parent of *instance*.

    Accessed on the class (``instance is None``), the descriptor returns itself.
    When ``instance.__parent__`` has no ``IProtectedObject`` adapter, an empty set
    is returned instead of raising.

    No access check is performed in this getter: whatever the protection adapter
    reports for the role is handed back to the caller.
    """
    if instance is None:
        return self
    protected = IProtectedObject(instance.__parent__, None)
    return set() if protected is None else protected.get_principals(self.__role_id)
def __acl__(self):
    """Return the ACL supplied by this object's ``IProtectedObject`` adapter.

    If the adapter's ``__acl__()`` result is itself callable, it is called with the
    adapter and that second result is returned.  Without an adapter the method
    returns an empty list, so this object contributes no entries of its own.
    """
    adapter = IProtectedObject(self, None)
    if adapter is None:
        return []
    entries = adapter.__acl__()  # pylint: disable=assignment-from-no-return
    # the adapter may hand back a factory rather than the ACL itself
    return entries(adapter) if callable(entries) else entries
def get_granted_roles(self):
    """Get the role IDs granted on the current context or on its parents.

    Starts from the keys of ``self._principals_by_role``.  When
    ``self.inherit_parent_roles`` is true, the lineage is walked (skipping this
    object and its direct ``__parent__``) and the roles reported by each protected
    ancestor are merged in.
    """
    granted = set(self._principals_by_role.keys())
    if not self.inherit_parent_roles:
        return granted
    # NOTE(review): the walk does not stop at an ancestor whose own
    # inherit_parent_roles is false, so roles from above such an ancestor are
    # still merged here; effective_principals() breaks in that case.
    # Confirm the difference is intended.
    for ancestor in lineage(self):
        if ancestor in (self, self.__parent__):
            continue
        protected = IProtectedObject(ancestor, None)
        if protected is None:
            continue
        granted = granted | protected.get_granted_roles()
    return granted
def __set__(self, instance, value):
    """Replace the principals holding this property's role on the parent of *instance*.

    For a set field, ``None`` becomes an empty set and a string is split on
    commas; ``IPrincipalInfo`` items are replaced by their ``id``.  For any other
    field a single ``IPrincipalInfo`` value is replaced by its ``id``.  The value
    is validated against the bound field, then the difference with the currently
    stored principals is applied through ``grant_role`` / ``revoke_role``.

    Raises:
        ValueError: if the field is read-only, or if the parent's protection
            adapter does not provide ``IRoleProtectedObject``.

    NOTE(review): no permission check is visible in this setter; presumably the
    caller is responsible for authorizing role changes - confirm.
    """
    bound = self.__field.bind(instance)
    if ISet.providedBy(bound):  # pylint: disable=no-value-for-parameter
        if value is None:
            value = set()
        elif isinstance(value, str):
            # items are not stripped: "a, b" yields "a" and " b"
            value = set(value.split(','))
        value = {
            item.id if IPrincipalInfo.providedBy(item) else item
            for item in value
        }
    elif IPrincipalInfo.providedBy(value):
        value = value.id
    # validation runs before the read-only check, as in the original ordering
    bound.validate(value)
    if bound.readonly:
        raise ValueError("Field {0} is readonly!".format(self.__name))
    protected = IProtectedObject(instance.__parent__, None)
    if not IRoleProtectedObject.providedBy(protected):
        raise ValueError(
            "Can't use role properties on object not providing "
            "IRoleProtectedObject interface!")
    # pylint: disable=assignment-from-no-return
    current = protected.get_principals(self.__role_id)
    # NOTE(review): for a non-set field, a None value accepted by validate()
    # becomes {None} here and is passed to grant_role - confirm how that is handled.
    requested = value if isinstance(value, set) else {value}
    # both differences are computed before any grant or revoke is applied
    to_grant = requested - current
    to_revoke = current - requested
    for principal_id in to_grant:
        protected.grant_role(self.__role_id, principal_id)
    for principal_id in to_revoke:
        protected.revoke_role(self.__role_id, principal_id)
def effective_principals(self, principal_id, request=None, context=None):
    """Extract the effective principals of the given principal ID.

    The result starts from ``self._get_plugins_principals(principal_id)``.  The
    context is the *context* argument, else ``request.context`` (the request
    itself coming from ``check_request()`` when not given).  For each protected
    object in the context's lineage, the roles of every principal collected so
    far are added, formatted with ``ROLE_ID``.  The walk stops after the first
    protected object whose ``inherit_parent_roles`` is false.
    """
    # principals extracted from the security plug-ins
    effective = self._get_plugins_principals(principal_id)
    # resolve the context whose local roles are added
    if context is None:
        if request is None:
            request = check_request()
        context = request.context
    if context is None:
        return effective
    for node in lineage(context):
        protected = IProtectedObject(node, None)
        if protected is None:
            continue
        # iterate over a snapshot: the set grows while roles are added
        for principal in effective.copy():
            effective |= {
                ROLE_ID.format(role) for role in protected.get_roles(principal)
            }
        # roles granted above this object must not leak below an inheritance break
        if not protected.inherit_parent_roles:
            break
    return effective
def get_authenticated_denied(self):
    """Get the permissions denied to authenticated users.

    Starts from ``self.authenticated_denied`` (an empty set when falsy).  When
    ``self.inherit_parent_security`` is true, the ``authenticated_denied`` value of
    every protected ancestor is merged in, skipping this object and its direct
    ``__parent__``.
    """
    denied = self.authenticated_denied or set()
    if not self.inherit_parent_security:
        return denied
    # NOTE(review): ancestors are read regardless of their own
    # inherit_parent_security flag - confirm this is intended.
    for ancestor in lineage(self):
        if ancestor in (self, self.__parent__):
            continue
        protected = IProtectedObject(ancestor, None)
        if protected is None:
            continue
        # non-mutating union: the stored attribute set is left untouched
        denied = denied | (protected.authenticated_denied or set())
    return denied
def get_everyone_granted(self):
    """Get the permissions granted to everyone.

    Starts from ``self.everyone_granted`` (an empty set when falsy).  When
    ``self.inherit_parent_security`` is true, the ``everyone_granted`` value of
    every protected ancestor is merged in, skipping this object and its direct
    ``__parent__``.
    """
    granted = self.everyone_granted or set()
    if not self.inherit_parent_security:
        return granted
    # NOTE(review): ancestors are read regardless of their own
    # inherit_parent_security flag, so a grant to everyone made above an
    # ancestor that stopped inheritance is still merged here - confirm intended.
    for ancestor in lineage(self):
        if ancestor in (self, self.__parent__):
            continue
        protected = IProtectedObject(ancestor, None)
        if protected is None:
            continue
        # non-mutating union: the stored attribute set is left untouched
        granted = granted | (protected.everyone_granted or set())
    return granted
def get_target(self):
    """Chat message targets getter.

    Returns a dict whose ``'principals'`` entry is a tuple made of
    ``ADMIN_USER_ID``, the principals holding ``SYSTEM_ADMIN_ROLE`` on the request
    root, and the principals holding ``SCHEDULER_MANAGER_ROLE`` or
    ``TASKS_MANAGER_ROLE`` on the scheduler utility.  A target without an
    ``IProtectedObject`` adapter contributes nothing.
    """
    # the admin user is always a recipient, whatever the role lookups return
    recipients = {ADMIN_USER_ID}
    root_protection = IProtectedObject(self.context.request.root, None)
    if root_protection is not None:
        recipients |= root_protection.get_principals(SYSTEM_ADMIN_ROLE)
    scheduler_protection = IProtectedObject(get_utility(IScheduler), None)
    if scheduler_protection is not None:
        for role_id in (SCHEDULER_MANAGER_ROLE, TASKS_MANAGER_ROLE):
            recipients |= scheduler_protection.get_principals(role_id)
    return {'principals': tuple(recipients)}
def discriminate(self, obj, default):
    """Return the principals holding ``self.role_id`` on *obj*.

    *default* is returned when *obj* has no ``IProtectedObject`` adapter.
    """
    adapter = IProtectedObject(obj, None)
    return default if adapter is None else adapter.get_principals(self.role_id)