def __acl__(self) -> AclType:
    """Pyramid security ACL for a group.

    Pyramid uses the first ACE that matches the requested permission, so each
    "Deny Everyone" entry below must stay ahead of the broader "Allow" that
    follows it; reordering them silently widens access.
    """
    entries = []

    # view: every group is visible to everyone, logged in or not
    entries.append((Allow, Everyone, "view"))

    # subscribe: any logged-in user may subscribe
    entries.append((Allow, Authenticated, "subscribe"))

    # post_topic: a group that restricts posting only accepts principals holding
    # the group-specific "<group_id>:post_topic" principal, and the Deny keeps the
    # general Allow below from applying; an unrestricted group accepts any
    # logged-in user
    if self.requires_permission_to_post_topics:
        entries += [
            (Allow, f"{self.group_id}:post_topic", "post_topic"),
            (Deny, Everyone, "post_topic"),
        ]
    entries.append((Allow, Authenticated, "post_topic"))

    # wiki_page_create: granted to whoever holds "wiki.edit" for this group
    entries += aces_for_permission(
        required_permission="wiki.edit",
        granted_permission="wiki_page_create",
        group_id=self.group_id,
    )

    # final catch-all so no permission is inherited from a parent in the
    # traversal chain
    entries.append(DENY_ALL)

    return entries
def __acl__(self) -> AclType:
    """Pyramid security ACL for a group wiki page.

    Any wiki page can be viewed by anyone; the ACEs for "wiki.edit" come from
    the page's group grants. The trailing DENY_ALL prevents permissions from
    being inherited from a parent object in the traversal chain.
    """
    view_entries = [(Allow, Everyone, "view")]
    edit_entries = aces_for_permission("wiki.edit", self.group_id)

    return [*view_entries, *edit_entries, DENY_ALL]
def __acl__(self) -> AclType:  # noqa
    """Pyramid security ACL for a topic.

    Pyramid stops at the first ACE matching a permission, so every
    "Deny Everyone" placed ahead of a broader "Allow" below is what enforces
    the restriction; keep that ordering when changing this method.
    """
    # a deleted topic exposes nothing beyond "general" viewing
    if self.is_deleted:
        return [(Allow, Everyone, "view"), DENY_ALL]

    def granted_as(required_permission: str, granted_permission: str) -> list:
        # ACEs letting holders of required_permission in this group use
        # granted_permission on this topic
        return aces_for_permission(
            required_permission=required_permission,
            granted_permission=granted_permission,
            group_id=self.group_id,
        )

    entries = []

    # permissions that exist only through explicit grants in this group
    for permission in ("topic.move", "topic.remove", "topic.lock"):
        entries += aces_for_permission(permission, self.group_id)

    # view: everyone gets "general" viewing of any non-deleted topic
    entries.append((Allow, Everyone, "view"))

    # view_author / view_content: on a removed topic only the author and users
    # holding "topic.remove" may see them, and the Deny shields the general
    # Allow; otherwise everyone may see both
    for permission in ("view_author", "view_content"):
        if self.is_removed:
            entries.append((Allow, self.user_id, permission))
            entries += granted_as("topic.remove", permission)
            entries.append((Deny, Everyone, permission))
        entries.append((Allow, Everyone, permission))

    # vote: nobody on a removed topic or once voting is closed; otherwise any
    # logged-in user other than the author
    if self.is_removed:
        entries.append((Deny, Everyone, "vote"))
    if self.is_voting_closed:
        entries.append((Deny, Everyone, "vote"))
    entries += [(Deny, self.user_id, "vote"), (Allow, Authenticated, "vote")]

    # comment: a removed topic only by users who can remove, a locked topic only
    # by users who can lock, otherwise any logged-in user
    if self.is_removed:
        entries += granted_as("topic.remove", "comment")
        entries.append((Deny, Everyone, "comment"))
    if self.is_locked:
        entries += granted_as("topic.lock", "comment")
        entries.append((Deny, Everyone, "comment"))
    entries.append((Allow, Authenticated, "comment"))

    # edit: text topics only; the author may edit, and a topic posted by the
    # generic/automatic user (user_id -1) is editable with a specific grant
    if self.is_text_type:
        entries.append((Allow, self.user_id, "edit"))
        if self.user_id == -1:
            entries += granted_as("topic.edit_by_generic_user", "edit")

    # delete: author only
    entries.append((Allow, self.user_id, "delete"))

    # tag: the author plus anyone granted "topic.tag" in this group
    entries.append((Allow, self.user_id, "tag"))
    entries += aces_for_permission("topic.tag", self.group_id)

    # bookmark / ignore: any logged-in user
    entries += [(Allow, Authenticated, "bookmark"), (Allow, Authenticated, "ignore")]

    # edit_title: the author during the first 5 minutes, otherwise only users
    # granted "topic.edit_title"
    if self.age < timedelta(minutes=5):
        entries.append((Allow, self.user_id, "edit_title"))
    entries += aces_for_permission("topic.edit_title", self.group_id)

    # edit_link: link topics only, and only with a specific grant
    if self.is_link_type:
        entries += aces_for_permission("topic.edit_link", self.group_id)

    # final catch-all so nothing is inherited from a parent in the traversal chain
    entries.append(DENY_ALL)

    return entries
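def _principals_granted_permission(permission: str, group_id) -> set:
    """Return the principals named by ``Allow`` ACEs for ``permission`` in a group.

    Only the ``Allow`` entries returned by ``aces_for_permission`` are
    collected; ``Deny`` entries are ignored, so this is the set of principals
    the grant mechanism names rather than a full evaluation of an ACL.
    """
    aces = aces_for_permission(permission, group_id)
    # ACE layout is (action, principal, permission); a set comprehension
    # replaces the set([...]) wrapper around a list comprehension
    return {ace[1] for ace in aces if ace[0] == Allow}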
def __acl__(self) -> AclType:
    """Pyramid security ACL for a comment.

    Pyramid stops at the first ACE matching a permission, so each
    "Deny Everyone" below is placed ahead of the general "Allow" it overrides.
    Grants are looked up in the parent topic's group, and the reply rules also
    depend on the topic's lock state.
    """
    # a deleted comment grants nothing to anybody
    if self.is_deleted:
        return [DENY_ALL]

    group_id = self.topic.group_id

    def granted_as(required_permission: str, granted_permission: str) -> list:
        # ACEs letting holders of required_permission in the topic's group use
        # granted_permission on this comment
        return aces_for_permission(
            required_permission=required_permission,
            granted_permission=granted_permission,
            group_id=group_id,
        )

    entries = []

    # permissions available only through explicit grants in the topic's group
    entries += aces_for_permission("comment.view_labels", group_id)
    entries += aces_for_permission("comment.remove", group_id)

    # view: a removed comment is visible only to its author and to users who
    # can remove comments; the Deny shields the general Allow that follows
    if self.is_removed:
        entries.append((Allow, self.user_id, "view"))
        entries += granted_as("comment.remove", "view")
        entries.append((Deny, Everyone, "view"))
    entries.append((Allow, Everyone, "view"))

    # view_exemplary_reasons: only the author is shown the reasons (the
    # "view_labels" grant above is the other route to them)
    entries.append((Allow, self.user_id, "view_exemplary_reasons"))

    # vote: nobody on a removed comment or after voting closes; otherwise any
    # logged-in user except the author
    if self.is_removed:
        entries.append((Deny, Everyone, "vote"))
    if self.is_voting_closed:
        entries.append((Deny, Everyone, "vote"))
    entries += [(Deny, self.user_id, "vote"), (Allow, Authenticated, "vote")]

    # label: nobody on a removed comment; otherwise holders of "comment.label"
    # other than the author
    if self.is_removed:
        entries.append((Deny, Everyone, "label"))
    entries.append((Deny, self.user_id, "label"))
    entries += aces_for_permission("comment.label", group_id)

    # reply: a removed comment only by users who can remove; in a locked topic
    # only the principals Pyramid reports as allowed to "lock" the topic;
    # otherwise any logged-in user
    if self.is_removed:
        entries += granted_as("comment.remove", "reply")
        entries.append((Deny, Everyone, "reply"))
    if self.topic.is_locked:
        lock_principals = principals_allowed_by_permission(self.topic, "lock")
        entries += [(Allow, principal, "reply") for principal in lock_principals]
        entries.append((Deny, Everyone, "reply"))
    entries.append((Allow, Authenticated, "reply"))

    # edit / delete: author only
    entries += [(Allow, self.user_id, "edit"), (Allow, self.user_id, "delete")]

    # mark_read / bookmark: any logged-in user
    entries += [(Allow, Authenticated, "mark_read"), (Allow, Authenticated, "bookmark")]

    # final catch-all so nothing is inherited from the parent topic or group
    entries.append(DENY_ALL)

    return entries