async def sharing_get(context, request):
roleperm = IRolePermissionMap(context)
prinperm = IPrincipalPermissionMap(context)
prinrole = IPrincipalRoleMap(context)
result = {
'local': {},
'inherit': []
}
result['local']['roleperm'] = roleperm._bycol
result['local']['prinperm'] = prinperm._bycol
result['local']['prinrole'] = prinrole._bycol
for obj in iter_parents(context):
roleperm = IRolePermissionMap(obj, None)
url_factory = query_multi_adapter((obj, request), IAbsoluteURL)
if roleperm is not None and url_factory is not None:
prinperm = IPrincipalPermissionMap(obj)
prinrole = IPrincipalRoleMap(obj)
result['inherit'].append({
'@id': url_factory(),
'roleperm': roleperm._bycol,
'prinperm': prinperm._bycol,
'prinrole': prinrole._bycol,
})
await notify(ObjectPermissionsViewEvent(context))
return result
def cached_principals(self, parent, roles, permission, level):
"""Get the roles for a specific permission.
Global + Local + Code
"""
cache = self.cache(parent)
try:
cache_principals = cache.principals
except AttributeError:
cache_principals = cache.principals = {}
try:
return cache_principals[permission]
except KeyError:
pass
if parent is None:
principals = dict([
(role, 1)
for (role,
setting) in code_principals_for_permission(permission)
if setting is Allow
])
cache_principals[permission] = principals
return principals
principals = self.cached_principals(
getattr(parent, '__parent__', None), roles, permission, 'p')
prinperm = IPrincipalPermissionMap(parent, None)
if prinperm:
principals = principals.copy()
for principal, setting in prinperm.get_principals_for_permission(
permission):
if setting is Allow:
principals[principal] = 1
elif setting is AllowSingle and level == 'o':
principals[principal] = 1
elif setting is Deny and principal in principals:
del principals[principal]
prinrole = IPrincipalRoleMap(parent, None)
if prinrole:
for role in roles:
for principal, setting in prinrole.get_principals_for_role(
role):
if setting is Allow:
principals[principal] = 1
elif setting is AllowSingle and level == 'o':
principals[principal] = 1
elif setting is Deny and principal in principals:
del principals[principal]
if level != 'o':
# Only cache on non 1rst level queries needs new way
cache_principals[permission] = principals
return principals
def cached_principals(parent: IBaseObject, roles: typing.List[str],
permission: str, level: str) -> typing.Dict[str, int]:
"""Get the roles for a specific permission.
Global + Local + Code
"""
try:
cache = parent.__volatile__.setdefault('security_cache', {})
except AttributeError:
cache = {}
try:
cache_principals = cache['principals']
except KeyError:
cache_principals = cache['principals'] = {}
try:
return cache_principals[permission + level]
except KeyError:
pass
if parent is None:
principals = dict([
(role, 1)
for (role, setting) in code_principals_for_permission(permission)
if setting is Allow
])
cache_principals[permission + level] = principals
return principals
principals = cached_principals(getattr(parent, '__parent__', None), roles,
permission, 'p')
prinperm = IPrincipalPermissionMap(parent, None)
if prinperm:
principals = principals.copy()
for principal, setting in prinperm.get_principals_for_permission(
permission):
if setting is Allow:
principals[principal] = 1
elif setting is AllowSingle and level == 'o':
principals[principal] = 1
elif setting is Deny and principal in principals:
del principals[principal]
prinrole = IPrincipalRoleMap(parent, None)
if prinrole:
for role in roles:
for principal, setting in prinrole.get_principals_for_role(role):
if setting is Allow:
principals[principal] = 1
elif setting is AllowSingle and level == 'o':
principals[principal] = 1
elif setting is Deny and principal in principals:
del principals[principal]
cache_principals[permission + level] = principals
return principals
def cached_principals(self, parent, roles, permission, level):
"""Get the roles for a specific permission.
Global + Local + Code
"""
cache = self.cache(parent)
try:
cache_principals = cache.principals
except AttributeError:
cache_principals = cache.principals = {}
try:
return cache_principals[permission]
except KeyError:
pass
if parent is None:
principals = dict(
[(role, 1)
for (role, setting) in code_principals_for_permission(permission)
if setting is Allow])
cache_principals[permission] = principals
return principals
principals = self.cached_principals(
getattr(parent, '__parent__', None),
roles,
permission, 'p')
prinperm = IPrincipalPermissionMap(parent, None)
if prinperm:
principals = principals.copy()
for principal, setting in prinperm.get_principals_for_permission(permission):
if setting is Allow:
principals[principal] = 1
elif setting is AllowSingle and level == 'o':
principals[principal] = 1
elif setting is Deny and principal in principals:
del principals[principal]
prinrole = IPrincipalRoleMap(parent, None)
if prinrole:
for role in roles:
for principal, setting in prinrole.get_principals_for_role(role):
if setting is Allow:
principals[principal] = 1
elif setting is AllowSingle and level == 'o':
principals[principal] = 1
elif setting is Deny and principal in principals:
del principals[principal]
if level != 'o':
# Only cache on non 1rst level queries needs new way
cache_principals[permission] = principals
return principals
def settings_for_object(ob):
"""Analysis tool to show all of the grants to a process
"""
result = []
while ob is not None:
data = {}
result.append({getattr(ob, '__name__', None) or '(no name)': data})
principal_permissions = IPrincipalPermissionMap(ob, None)
if principal_permissions is not None:
settings = principal_permissions.get_principals_and_permissions()
settings.sort()
data['prinperm'] = [
{'principal': pr, 'permission': p, 'setting': s}
for (p, pr, s) in settings]
principal_roles = IPrincipalRoleMap(ob, None)
if principal_roles is not None:
settings = principal_roles.get_principals_and_roles()
data['prinrole'] = [
{'principal': p, 'role': r, 'setting': s}
for (r, p, s) in settings]
role_permissions = IRolePermissionMap(ob, None)
if role_permissions is not None:
settings = role_permissions.get_roles_and_permissions()
data['roleperm'] = [
{'permission': p, 'role': r, 'setting': s}
for (p, r, s) in settings]
ob = getattr(ob, '__parent__', None)
data = {}
result.append({'system': data})
settings = principal_permission_manager.get_principals_and_permissions()
settings.sort()
data['prinperm'] = [
{'principal': pr, 'permission': p, 'setting': s}
for (p, pr, s) in settings]
settings = principal_role_manager.get_principals_and_roles()
data['prinrole'] = [
{'principal': p, 'role': r, 'setting': s}
for (r, p, s) in settings]
settings = role_permission_manager.get_roles_and_permissions()
data['roleperm'] = [
{'permission': p, 'role': r, 'setting': s}
for (p, r, s) in settings]
return result
async def sharing_get(context, request):
roleperm = IRolePermissionMap(context)
prinperm = IPrincipalPermissionMap(context)
prinrole = IPrincipalRoleMap(context)
result = {"local": {}, "inherit": []}
result["local"]["roleperm"] = roleperm._bycol
result["local"]["prinperm"] = prinperm._bycol
result["local"]["prinrole"] = prinrole._bycol
for obj in iter_parents(context):
roleperm = IRolePermissionMap(obj, None)
url = get_object_url(obj, request)
if roleperm is not None and url is not None:
prinperm = IPrincipalPermissionMap(obj)
prinrole = IPrincipalRoleMap(obj)
result["inherit"].append({
"@id": url,
"roleperm": roleperm._bycol,
"prinperm": prinperm._bycol,
"prinrole": prinrole._bycol,
})
await notify(ObjectPermissionsViewEvent(context))
return result
def cached_principal_permission(self, parent, principal, groups,
permission, level):
# Compute the permission, if any, for the principal.
cache = self.cache(parent)
try:
# We need to caches for first level and Allow Single
if level == 'o':
cache_prin = cache.prino
else:
cache_prin = cache.prin
except AttributeError:
if level == 'o':
cache_prin = cache.prino = {}
else:
cache_prin = cache.prin = {}
cache_prin_per = cache_prin.get(principal)
if not cache_prin_per:
cache_prin_per = cache_prin[principal] = {}
try:
return cache_prin_per[permission]
except KeyError:
pass
# We reached the end of the recursive we check global / local
if parent is None:
# We check the global configuration of the user and groups
prinper = self._global_permissions_for(principal, permission)
if prinper is not None:
cache_prin_per[permission] = prinper
return prinper
# If we did not found the permission for the user look at code
prinper = SettingAsBoolean[code_principal_permission_setting(
permission, principal, None)]
# Now look for the group ids
if prinper is None:
for group in groups:
prinper = SettingAsBoolean[
code_principal_permission_setting(
permission, group, None)]
if prinper is not None:
continue
cache_prin_per[permission] = prinper
return prinper
# Get the local map of the permissions
# As we want to quit as soon as possible we check first locally
prinper_map = IPrincipalPermissionMap(parent, None)
if prinper_map is not None:
prinper = level_setting_as_boolean(
level, prinper_map.get_setting(permission, principal, None))
if prinper is None:
for group in groups:
prinper = level_setting_as_boolean(
level, prinper_map.get_setting(permission, group,
None))
if prinper is not None:
# Once we conclude we exit
# May happen that first group Deny and second
# allows which will result on Deny for the first
break
if prinper is not None:
return prinper
# Find the permission recursivelly set to a user
parent = getattr(parent, '__parent__', None)
prinper = self.cached_principal_permission(parent, principal, groups,
permission, 'p')
cache_prin_per[permission] = prinper
return prinper
def settings_for_object(ob):
"""Analysis tool to show all of the grants to a process
"""
result = []
locked_permissions = []
while ob is not None:
data = {}
result.append({getattr(ob, "__name__", None) or "(no name)": data})
principal_permissions = IPrincipalPermissionMap(ob, None)
if principal_permissions is not None:
settings = principal_permissions.get_principals_and_permissions()
settings.sort()
data["prinperm"] = [{
"principal": pr,
"permission": p,
"setting": s
} for (p, pr, s) in settings]
principal_roles = IPrincipalRoleMap(ob, None)
if principal_roles is not None:
settings = principal_roles.get_principals_and_roles()
data["prinrole"] = [{
"principal": p,
"role": r,
"setting": s
} for (r, p, s) in settings]
role_permissions = IRolePermissionMap(ob, None)
if role_permissions is not None:
settings = role_permissions.get_roles_and_permissions()
data["roleperm"] = [{
"permission": p,
"role": r,
"setting": s
} for (p, r, s) in settings if p not in locked_permissions]
inherit_permissions = IInheritPermissionMap(ob)
if inherit_permissions is not None:
settings = inherit_permissions.get_locked_permissions()
data["perminhe"] = []
for (p, s) in settings:
if s is Deny:
locked_permissions.append(p)
data["perminhe"].append({"permission": p, "setting": s})
ob = getattr(ob, "__parent__", None)
data = {}
result.append({"system": data})
settings = principal_permission_manager.get_principals_and_permissions()
settings.sort()
data["prinperm"] = [{
"principal": pr,
"permission": p,
"setting": s
} for (p, pr, s) in settings]
settings = principal_role_manager.get_principals_and_roles()
data["prinrole"] = [{
"principal": p,
"role": r,
"setting": s
} for (r, p, s) in settings]
settings = role_permission_manager.get_roles_and_permissions()
data["roleperm"] = [{
"permission": p,
"role": r,
"setting": s
} for (p, r, s) in settings if p not in locked_permissions]
return result
def cached_principal_permission(
self, parent, principal, groups, permission, level):
# Compute the permission, if any, for the principal.
cache = self.cache(parent)
try:
# We need to caches for first level and Allow Single
if level == 'o':
cache_prin = cache.prino
else:
cache_prin = cache.prin
except AttributeError:
if level == 'o':
cache_prin = cache.prino = {}
else:
cache_prin = cache.prin = {}
cache_prin_per = cache_prin.get(principal)
if not cache_prin_per:
cache_prin_per = cache_prin[principal] = {}
try:
return cache_prin_per[permission]
except KeyError:
pass
# We reached the end of the recursive we check global / local
if parent is None:
# We check the global configuration of the user and groups
prinper = self._global_permissions_for(principal, permission)
if prinper is not None:
cache_prin_per[permission] = prinper
return prinper
# If we did not found the permission for the user look at code
prinper = SettingAsBoolean[
code_principal_permission_setting(permission, principal, None)]
# Now look for the group ids
if prinper is None:
for group in groups:
prinper = SettingAsBoolean[
code_principal_permission_setting(
permission, group, None)]
if prinper is not None:
continue
cache_prin_per[permission] = prinper
return prinper
# Get the local map of the permissions
# As we want to quit as soon as possible we check first locally
prinper_map = IPrincipalPermissionMap(parent, None)
if prinper_map is not None:
prinper = level_setting_as_boolean(
level, prinper_map.get_setting(permission, principal, None))
if prinper is None:
for group in groups:
prinper = level_setting_as_boolean(
level,
prinper_map.get_setting(permission, group, None))
if prinper is not None:
# Once we conclude we exit
# May happen that first group Deny and second
# allows which will result on Deny for the first
break
if prinper is not None:
return prinper
# Find the permission recursivelly set to a user
parent = getattr(parent, '__parent__', None)
prinper = self.cached_principal_permission(
parent, principal, groups, permission, 'p')
cache_prin_per[permission] = prinper
return prinper
def settings_for_object(ob):
"""Analysis tool to show all of the grants to a process
"""
result = []
locked_permissions = []
while ob is not None:
data = {}
result.append({getattr(ob, '__name__', None) or '(no name)': data})
principal_permissions = IPrincipalPermissionMap(ob, None)
if principal_permissions is not None:
settings = principal_permissions.get_principals_and_permissions()
settings.sort()
data['prinperm'] = [
{'principal': pr, 'permission': p, 'setting': s}
for (p, pr, s) in settings]
principal_roles = IPrincipalRoleMap(ob, None)
if principal_roles is not None:
settings = principal_roles.get_principals_and_roles()
data['prinrole'] = [
{'principal': p, 'role': r, 'setting': s}
for (r, p, s) in settings]
role_permissions = IRolePermissionMap(ob, None)
if role_permissions is not None:
settings = role_permissions.get_roles_and_permissions()
data['roleperm'] = [
{'permission': p, 'role': r, 'setting': s}
for (p, r, s) in settings if p not in locked_permissions]
inherit_permissions = IInheritPermissionMap(ob)
if inherit_permissions is not None:
settings = inherit_permissions.get_locked_permissions()
data['perminhe'] = []
for (p, s) in settings:
if s is Deny:
locked_permissions.append(p)
data['perminhe'].append({'permission': p, 'setting': s})
ob = getattr(ob, '__parent__', None)
data = {}
result.append({'system': data})
settings = principal_permission_manager.get_principals_and_permissions()
settings.sort()
data['prinperm'] = [
{'principal': pr, 'permission': p, 'setting': s}
for (p, pr, s) in settings]
settings = principal_role_manager.get_principals_and_roles()
data['prinrole'] = [
{'principal': p, 'role': r, 'setting': s}
for (r, p, s) in settings]
settings = role_permission_manager.get_roles_and_permissions()
data['roleperm'] = [
{'permission': p, 'role': r, 'setting': s}
for (p, r, s) in settings if p not in locked_permissions]
return result