def permits(self, context, principals, permission): """ Return an instance of :class:`pyramid.security.ACLAllowed` instance if the policy permits access, return an instance of :class:`pyramid.security.ACLDenied` if not.""" acl = '<No ACL found on any object in resource lineage>' for location in lineage(context): try: acl = location.__acl__ except AttributeError: continue if acl and callable(acl): acl = acl() for ace in acl: ace_action, ace_principal, ace_permissions = ace if ace_principal in principals: if not is_nonstr_iter(ace_permissions): ace_permissions = [ace_permissions] if permission in ace_permissions: if ace_action == Allow: return ACLAllowed(ace, acl, permission, principals, location) else: return ACLDenied(ace, acl, permission, principals, location) # default deny (if no ACL in lineage at all, or if none of the # principals were mentioned in any ACE we found) return ACLDenied('<default deny>', acl, permission, principals, context)
def permits(self, context, principals, permission): """ Return an instance of :class:`pyramid.security.ACLAllowed` if the ACL allows access a user with the given principals, return an instance of :class:`pyramid.security.ACLDenied` if not. When checking if principals are allowed, the security policy consults the ``context`` for an ACL first. If no ACL exists on the context, or one does exist but the ACL does not explicitly allow or deny access for any of the effective principals, consult the context's parent ACL, and so on, until the lineage is exhausted or we determine that the policy permits or denies. During this processing, if any :data:`pyramid.security.Deny` ACE is found matching any principal in ``principals``, stop processing by returning an :class:`pyramid.security.ACLDenied` instance (equals ``False``) immediately. If any :data:`pyramid.security.Allow` ACE is found matching any principal, stop processing by returning an :class:`pyramid.security.ACLAllowed` instance (equals ``True``) immediately. If we exhaust the context's :term:`lineage`, and no ACE has explicitly permitted or denied access, return an instance of :class:`pyramid.security.ACLDenied` (equals ``False``). """ acl = '<No ACL found on any object in resource lineage>' for location in lineage(context): try: acl = location.__acl__ except AttributeError: continue if acl and callable(acl): acl = acl() for ace in acl: ace_action, ace_principal, ace_permissions = ace if ace_principal in principals: if not is_nonstr_iter(ace_permissions): ace_permissions = [ace_permissions] if permission in ace_permissions: if ace_action == Allow: return ACLAllowed( ace, acl, permission, principals, location ) else: return ACLDenied( ace, acl, permission, principals, location ) # default deny (if no ACL in lineage at all, or if none of the # principals were mentioned in any ACE we found) return ACLDenied( '<default deny>', acl, permission, principals, context )
def permits(self, context, principals, permission): if not permission or permission == NO_PERMISSION_REQUIRED: return True if permission == NOT_ALLOWED: return ACLDenied('<NOT ALLOWED permission>', None, permission, principals, context) if SUPERUSER_URI in principals or \ auth_service.get_effective_userid() == SUPERUSER_URI: return ACLAllowed('Superuser', None, permission, principals, context) return super(PtahAuthorizationPolicy, self).permits(context, principals, permission)
def permits(self, context, principals, permission): print('KFHLogACLAuthorizationPolicy.permits()', principals) for ace in self.acl: ace_action, ace_principal, ace_permissions = ace if ace_principal in principals: if permission in ace_permissions: if ace_action == Allow: return ACLAllowed(ace, self.acl, permission, principals, context) else: return ACLDenied(ace, self.acl, permission, principals, context) return ACLDenied('<default deny>', self.acl, permission, principals, context)
def permits(self, context, principals, permission): is_allowed = False if permission is not INES_POLICY: if not is_nonstr_iter(permission): permission = [permission] elif ALL_PERMISSIONS is permission: permission = [permission] for permission_value in permission: in_principals = (permission_value in principals or permission_value == ALL_PERMISSIONS) if getattr(permission_value, '__deny__', False): if in_principals: is_allowed = False break else: is_allowed = True elif in_principals: is_allowed = True else: request = getattr(context, 'request', None) if request: application = getattr(request.applications, self.application_name) is_allowed = bool( application.permits(context.request.application_name, context.request.matched_route.name, context.request.method, principals)) if is_allowed: return ACLAllowed('<allowed>', '<ACL found>', permission, principals, context) else: return ACLDenied('<deny>', '<No permission>', permission, principals, context)