Exemple #1
0
    def fields(self):
        content = self.getContent()
        item = IItem(content, None)
        if item is None:
            return Fields()

        fields = Fields(IItem)

        if not canWrite(content, 'title'):
            fields = fields.omit('title')

        if not canWrite(content, 'description'):
            fields = fields.omit('description')

        return fields
Exemple #2
0
 def update(self):
     """ check for necessary permissions
     """
     for field_name in self.fields.keys():
         if not canWrite(self.context, field_name):
             print "delete: %s from %s" % (field_name, self.context)
             del self.fields[field_name]
     super(form.EditForm, self).update()
Exemple #3
0
 def canWrite(self):
     """See z3c.form.interfaces.IDataManager"""
     context = self.context
     if self.field.interface is not None:
         context = self.field.interface(context)
     if isinstance(context, Proxy):
         return canWrite(context, self.field.__name__)
     return True
Exemple #4
0
 def can_write(self):
     """Can the current user write to the attribute."""
     if canWrite(self.context, self.attribute_name):
         return True
     elif self.mutator_method_name is not None:
         # The user may not have write access on the attribute itself, but
         # the REST API may have a mutator method configured, such as
         # transitionToAssignee.
         return canAccess(self.context, self.mutator_method_name)
     else:
         return False
 def mirror_admin_widget(self):
     if canWrite(self.context, 'mirror_admin'):
         empty_value = ' Specify a mirror administrator'
     else:
         empty_value = 'None'
     return InlinePersonEditPickerWidget(
         self.context, IDistribution['mirror_admin'],
         format_link(self.context.mirror_admin, empty_value=empty_value),
         header='Change the mirror administrator',
         edit_view='+selectmirroradmins', null_display_value=empty_value,
         step_title='Select a new mirror administrator')
 def members_widget(self):
     if canWrite(self.context, 'members'):
         empty_value = ' Specify the members team'
     else:
         empty_value = 'None'
     return InlinePersonEditPickerWidget(
         self.context, IDistribution['members'],
         format_link(self.context.members, empty_value=empty_value),
         header='Change the members team', edit_view='+selectmemberteam',
         null_display_value=empty_value,
         step_title='Select a new members team')
 def driver_widget(self):
     if canWrite(self.context, 'driver'):
         empty_value = 'Specify a driver'
     else:
         empty_value = 'None'
     return InlinePersonEditPickerWidget(
         self.context, IDistribution['driver'],
         format_link(self.context.driver, empty_value=empty_value),
         header='Change driver', edit_view='+driver',
         null_display_value=empty_value,
         step_title='Select a new driver', show_create_team=True)
 def can_write(self):
     """Can the current user write to the attribute."""
     if canWrite(self.context, self.attribute_name):
         return True
     elif self.mutator_method_name is not None:
         # The user may not have write access on the attribute itself, but
         # the REST API may have a mutator method configured, such as
         # transitionToAssignee.
         return canAccess(self.context, self.mutator_method_name)
     else:
         return False
 def members_widget(self):
     if canWrite(self.context, "members"):
         empty_value = " Specify the members team"
     else:
         empty_value = "None"
     return InlinePersonEditPickerWidget(
         self.context,
         IDistribution["members"],
         format_link(self.context.members, empty_value=empty_value),
         header="Change the members team",
         edit_view="+selectmemberteam",
         null_display_value=empty_value,
         step_title="Select a new members team",
     )
 def mirror_admin_widget(self):
     if canWrite(self.context, "mirror_admin"):
         empty_value = " Specify a mirror administrator"
     else:
         empty_value = "None"
     return InlinePersonEditPickerWidget(
         self.context,
         IDistribution["mirror_admin"],
         format_link(self.context.mirror_admin, empty_value=empty_value),
         header="Change the mirror administrator",
         edit_view="+selectmirroradmins",
         null_display_value=empty_value,
         step_title="Select a new mirror administrator",
     )
 def driver_widget(self):
     if canWrite(self.context, "driver"):
         empty_value = "Specify a driver"
     else:
         empty_value = "None"
     return InlinePersonEditPickerWidget(
         self.context,
         IDistribution["driver"],
         format_link(self.context.driver, empty_value=empty_value),
         header="Change driver",
         edit_view="+driver",
         null_display_value=empty_value,
         step_title="Select a new driver",
         show_create_team=True,
     )
 def canModify(self):
     return canWrite(self.context, 'title')
Exemple #13
0
    def test_canWrite_canAccess(self):
        # the canWrite and canAccess functions are conveniences.  Often code
        # wants to check if a certain option is open to a user before
        # presenting it.  If the code relies on a certain permission, the
        # Zope 3 goal of keeping knowledge of security assertions out of the
        # code and only in the zcml assertions is broken.  Instead, ask if the
        # current user canAccess or canWrite some pertinent aspect of the
        # object.  canAccess is used for both read access on an attribute
        # and call access to methods.

        # For example, consider this humble pair of class and object.
        class SomeClass(object):
            pass
        obj = SomeClass()

        # We will establish a checker for the class.  This is the standard
        # name-based checker, and works by specifying two dicts, one for read
        # and one for write.  Each item in the dictionary should be an
        # attribute name and the permission required to read or write it.

        # For these tests, the SecurityPolicy defined at the top of this file
        # is in place.  It is a stub.  Normally, the security policy would
        # have knowledge of interactions and participants, and would determine
        # on the basis of the particpants and the object if a certain permission
        # were authorized.  This stub simply says that the 'test_allowed'
        # permission is authorized and nothing else is, for any object you pass
        # it.

        # Therefore, according to the checker created here, the current
        # 'interaction' (as stubbed out in the security policy) will be allowed
        # to access and write foo, and access bar.  The interaction is
        # unauthorized for accessing baz and writing bar.  Any other access or
        # write is not merely unauthorized but forbidden--including write access
        # for baz.
        checker = Checker(
            {'foo':'test_allowed', # these are the read settings
             'bar':'test_allowed',
             'baz':'you_will_not_have_this_permission'},
            {'foo':'test_allowed', # these are the write settings
             'bar':'you_will_not_have_this_permission',
             'bing':'you_will_not_have_this_permission'})
        defineChecker(SomeClass, checker)

        # so, our hapless interaction may write and access foo...
        self.assert_(canWrite(obj, 'foo'))
        self.assert_(canAccess(obj, 'foo'))

        # ...may access, but not write, bar...
        self.assert_(not canWrite(obj, 'bar'))
        self.assert_(canAccess(obj, 'bar'))

        # ...and may access baz.
        self.assert_(not canAccess(obj, 'baz'))

        # there are no security assertions for writing or reading shazam, so
        # checking these actually raises Forbidden.  The rationale behind
        # exposing the Forbidden exception is primarily that it is usually
        # indicative of programming or configuration errors.
        self.assertRaises(Forbidden, canAccess, obj, 'shazam')
        self.assertRaises(Forbidden, canWrite, obj, 'shazam')

        # However, we special-case canWrite when an attribute has a Read
        # setting but no Write setting.  Consider the 'baz' attribute from the
        # checker above: it is readonly.  All users are forbidden to write
        # it.  This is a very reasonable configuration.  Therefore, canWrite
        # will hide the Forbidden exception if and only if there is a
        # setting for accessing the attribute.
        self.assert_(not canWrite(obj, 'baz'))

        # The reverse is not true at the moment: an unusal case like the
        # write-only 'bing' attribute will return a boolean for canWrite,
        # but canRead will simply raise a Forbidden exception, without checking
        # write settings.
        self.assert_(not canWrite(obj, 'bing'))
        self.assertRaises(Forbidden, canAccess, obj, 'bing')
Exemple #14
0
def hasEditableFields(group):
    for name in getFieldNames(group.__schema__):
        if canWrite(group, name):
            return True

    return False
Exemple #15
0
 def canWrite(self):
     """See z3c.form.interfaces.IDataManager"""
     context = self.adapted_context
     if isinstance(context, Proxy):
         return canWrite(context, self.field.__name__)
     return True
Exemple #16
0
 def traverse(self, name, furtherPath=()):
     """Returns True if self.context.(name) can be changed."""
     return canWrite(self.context, name)
Exemple #17
0
 def canWrite(self):
     (name, context) = self._name_and_context()
     if isinstance(context, Proxy):
         return canWrite(context, name)
     return True
Exemple #18
0
 def canWrite(self):
     (name, context) = self._name_and_context()
     if isinstance(context, Proxy):
         return canWrite(context, name)
     return True
    def test_canWrite_canAccess(self):
        # the canWrite and canAccess functions are conveniences.  Often code
        # wants to check if a certain option is open to a user before
        # presenting it.  If the code relies on a certain permission, the
        # Zope 3 goal of keeping knowledge of security assertions out of the
        # code and only in the zcml assertions is broken.  Instead, ask if the
        # current user canAccess or canWrite some pertinent aspect of the
        # object.  canAccess is used for both read access on an attribute
        # and call access to methods.

        # For example, consider this humble pair of class and object.
        class SomeClass(object):
            pass

        obj = SomeClass()

        # We will establish a checker for the class.  This is the standard
        # name-based checker, and works by specifying two dicts, one for read
        # and one for write.  Each item in the dictionary should be an
        # attribute name and the permission required to read or write it.

        # For these tests, the SecurityPolicy defined at the top of this file
        # is in place.  It is a stub.  Normally, the security policy would
        # have knowledge of interactions and participants, and would determine
        # on the basis of the particpants and the object if a certain permission
        # were authorized.  This stub simply says that the 'test_allowed'
        # permission is authorized and nothing else is, for any object you pass
        # it.

        # Therefore, according to the checker created here, the current
        # 'interaction' (as stubbed out in the security policy) will be allowed
        # to access and write foo, and access bar.  The interaction is
        # unauthorized for accessing baz and writing bar.  Any other access or
        # write is not merely unauthorized but forbidden--including write access
        # for baz.
        checker = Checker(
            {
                'foo': 'test_allowed',  # these are the read settings
                'bar': 'test_allowed',
                'baz': 'you_will_not_have_this_permission'
            },
            {
                'foo': 'test_allowed',  # these are the write settings
                'bar': 'you_will_not_have_this_permission',
                'bing': 'you_will_not_have_this_permission'
            })
        defineChecker(SomeClass, checker)

        # so, our hapless interaction may write and access foo...
        self.assert_(canWrite(obj, 'foo'))
        self.assert_(canAccess(obj, 'foo'))

        # ...may access, but not write, bar...
        self.assert_(not canWrite(obj, 'bar'))
        self.assert_(canAccess(obj, 'bar'))

        # ...and may access baz.
        self.assert_(not canAccess(obj, 'baz'))

        # there are no security assertions for writing or reading shazam, so
        # checking these actually raises Forbidden.  The rationale behind
        # exposing the Forbidden exception is primarily that it is usually
        # indicative of programming or configuration errors.
        self.assertRaises(Forbidden, canAccess, obj, 'shazam')
        self.assertRaises(Forbidden, canWrite, obj, 'shazam')

        # However, we special-case canWrite when an attribute has a Read
        # setting but no Write setting.  Consider the 'baz' attribute from the
        # checker above: it is readonly.  All users are forbidden to write
        # it.  This is a very reasonable configuration.  Therefore, canWrite
        # will hide the Forbidden exception if and only if there is a
        # setting for accessing the attribute.
        self.assert_(not canWrite(obj, 'baz'))

        # The reverse is not true at the moment: an unusal case like the
        # write-only 'bing' attribute will return a boolean for canWrite,
        # but canRead will simply raise a Forbidden exception, without checking
        # write settings.
        self.assert_(not canWrite(obj, 'bing'))
        self.assertRaises(Forbidden, canAccess, obj, 'bing')