def permits(self, context, principals, permission):
""" Return an instance of
:class:`pyramid.security.ACLAllowed` instance if the policy
permits access, return an instance of
:class:`pyramid.security.ACLDenied` if not."""
acl = '<No ACL found on any object in resource lineage>'
for location in lineage(context):
try:
acl = location.__acl__
except AttributeError:
continue
if acl and callable(acl):
acl = acl()
for ace in acl:
ace_action, ace_principal, ace_permissions = ace
if ace_principal in principals:
if not is_nonstr_iter(ace_permissions):
ace_permissions = [ace_permissions]
if permission in ace_permissions:
if ace_action == Allow:
return ACLAllowed(ace, acl, permission, principals,
location)
else:
return ACLDenied(ace, acl, permission, principals,
location)
# default deny (if no ACL in lineage at all, or if none of the
# principals were mentioned in any ACE we found)
return ACLDenied('<default deny>', acl, permission, principals,
context)
def permits(self, context, principals, permission):
""" Return an instance of :class:`pyramid.security.ACLAllowed` if the
ACL allows access a user with the given principals, return an instance
of :class:`pyramid.security.ACLDenied` if not.
When checking if principals are allowed, the security policy consults
the ``context`` for an ACL first. If no ACL exists on the context, or
one does exist but the ACL does not explicitly allow or deny access for
any of the effective principals, consult the context's parent ACL, and
so on, until the lineage is exhausted or we determine that the policy
permits or denies.
During this processing, if any :data:`pyramid.security.Deny`
ACE is found matching any principal in ``principals``, stop
processing by returning an
:class:`pyramid.security.ACLDenied` instance (equals
``False``) immediately. If any
:data:`pyramid.security.Allow` ACE is found matching any
principal, stop processing by returning an
:class:`pyramid.security.ACLAllowed` instance (equals
``True``) immediately. If we exhaust the context's
:term:`lineage`, and no ACE has explicitly permitted or denied
access, return an instance of
:class:`pyramid.security.ACLDenied` (equals ``False``).
"""
acl = '<No ACL found on any object in resource lineage>'
for location in lineage(context):
try:
acl = location.__acl__
except AttributeError:
continue
if acl and callable(acl):
acl = acl()
for ace in acl:
ace_action, ace_principal, ace_permissions = ace
if ace_principal in principals:
if not is_nonstr_iter(ace_permissions):
ace_permissions = [ace_permissions]
if permission in ace_permissions:
if ace_action == Allow:
return ACLAllowed(
ace, acl, permission, principals, location
)
else:
return ACLDenied(
ace, acl, permission, principals, location
)
# default deny (if no ACL in lineage at all, or if none of the
# principals were mentioned in any ACE we found)
return ACLDenied(
'<default deny>', acl, permission, principals, context
)
def permits(self, context, principals, permission):
if not permission or permission == NO_PERMISSION_REQUIRED:
return True
if permission == NOT_ALLOWED:
return ACLDenied('<NOT ALLOWED permission>', None, permission,
principals, context)
if SUPERUSER_URI in principals or \
auth_service.get_effective_userid() == SUPERUSER_URI:
return ACLAllowed('Superuser', None, permission, principals,
context)
return super(PtahAuthorizationPolicy,
self).permits(context, principals, permission)
def permits(self, context, principals, permission):
print('KFHLogACLAuthorizationPolicy.permits()', principals)
for ace in self.acl:
ace_action, ace_principal, ace_permissions = ace
if ace_principal in principals:
if permission in ace_permissions:
if ace_action == Allow:
return ACLAllowed(ace, self.acl, permission,
principals, context)
else:
return ACLDenied(ace, self.acl, permission, principals,
context)
return ACLDenied('<default deny>', self.acl, permission, principals,
context)
def permits(self, context, principals, permission):
is_allowed = False
if permission is not INES_POLICY:
if not is_nonstr_iter(permission):
permission = [permission]
elif ALL_PERMISSIONS is permission:
permission = [permission]
for permission_value in permission:
in_principals = (permission_value in principals
or permission_value == ALL_PERMISSIONS)
if getattr(permission_value, '__deny__', False):
if in_principals:
is_allowed = False
break
else:
is_allowed = True
elif in_principals:
is_allowed = True
else:
request = getattr(context, 'request', None)
if request:
application = getattr(request.applications,
self.application_name)
is_allowed = bool(
application.permits(context.request.application_name,
context.request.matched_route.name,
context.request.method, principals))
if is_allowed:
return ACLAllowed('<allowed>', '<ACL found>', permission,
principals, context)
else:
return ACLDenied('<deny>', '<No permission>', permission,
principals, context)