Esempio n. 1
0
    def anchor(value, item, formatter):
        """ anchor method will return a html formated anchor

        ``view`` is not a parameter: it is resolved from the enclosing
        scope when the function runs.  The link target is chosen in this
        order: the ``view`` named view if it is registered for *item* and
        the current user may ``render`` it, otherwise ``details.html``
        under the same conditions, otherwise the bare value with no link.
        A None value yields an empty string.  *item* may be wrapped as
        ``{'obj': item}``; an ISuperclass value is itself used as the item
        and its ``ikName`` becomes the displayed text.

        NOTE(review): value and url are interpolated into markup without
        HTML escaping, and the blanket ``except Exception`` degrades any
        lookup failure to the unlinked value, which also hides
        misconfiguration.
        """
        if value is None:
            return u''
        if type(item) is dict:
            item = item['obj']
        if ISuperclass.providedBy(value):
            item, value = value, value.ikName
        try:
            request = formatter.request
            # first choice is the configured view, fallback is details.html
            for view_name in (view, "details.html"):
                adapter = zapi.queryMultiAdapter((item, request),
                                                 name=view_name)
                if adapter is not None and canAccess(adapter, 'render'):
                    url = absoluteURL(item, request) + '/' + view_name
                    return u'<a href="%s">%s</a>' % (url, value)
        except Exception:
            pass
        return u'%s' % (value)
Esempio n. 2
0
def getActionBotton_UpDown(item, formatter):
    """Action Buttons for Overview in Web-Browser

    Render the move-up / move-down arrows for *item*.  *item* may be the
    object itself or a ``{'obj': item}`` wrapper.  Nothing is rendered
    unless the item's parent provides IOrderedContainer.

    Each arrow links to the ``moveup.html`` / ``movedown.html`` view only
    when that view is registered, the current user may ``render`` it, and
    the item is not already first / last in the parent's key order;
    otherwise the greyed-out image is emitted without a link.
    """
    if type(item) is dict:
        item = item["obj"]
    request = formatter.request
    parent = item.__parent__
    ordered = IOrderedContainer.providedBy(parent)
    resource_path = getAdapter(request, name='pics')()
    if not ordered:
        return u""

    def may_render(view_name):
        # the view must exist for this item and be accessible to the user
        adapter = zapi.queryMultiAdapter((item, request), name=view_name)
        return adapter is not None and canAccess(adapter, 'render')

    up_url = absoluteURL(item, request) + '/@@moveup.html'
    if may_render('moveup.html') and parent.keys()[0] != item.objectID:
        # not the first element
        up_html = u'<a href="%s">' %  (up_url) + \
                u'<img alt="Up" src="%s/Up.png" /></a>' % \
                (resource_path)
    else:
        up_html = u'<img alt="Up" src="%s/Up_gray.png" />' % \
                (resource_path)

    down_url = absoluteURL(item, request) + '/@@movedown.html'
    if may_render('movedown.html') and parent.keys()[-1] != item.objectID:
        # not the last element
        down_html = u'<a href="%s">' %  (down_url) + \
                  u'<img alt="Down" src="%s/Down.png" /></a>' % \
                  (resource_path)
    else:
        down_html = u'<img alt="Down" src="%s/Down_gray.png" />' %\
                  (resource_path)
    return u"".join((up_html, down_html))
Esempio n. 3
0
 def writable(self, name):
     """Return whether the current user may write *name* in this directory.

     An existing entry is writable when it adapts to IWriteFile and the
     user may call ``write`` on it; an entry without that adapter is never
     writable.  A name that does not yet exist is writable when the user
     may ``__setitem__`` on the context adapted to IWriteDirectory (a
     missing adapter is passed through to canAccess as None).
     """
     if name not in self._dir:
         directory = IWriteDirectory(self.context, None)
         return canAccess(directory, '__setitem__')
     target = IWriteFile(self._dir[name], None)
     return target is not None and canAccess(target, 'write')
Esempio n. 4
0
 def readable(self, name):
     """Return whether the current user may read *name* in this directory.

     Unknown names are not readable.  A known entry is checked as a file
     first (IReadFile / ``read``), then as a directory (IReadDirectory /
     ``get``); an entry adapting to neither is not readable.
     """
     if name not in self._dir:
         return False
     entry = self._dir[name]
     as_file = IReadFile(entry, None)
     if as_file is not None:
         return canAccess(as_file, 'read')
     as_dir = IReadDirectory(entry, None)
     if as_dir is not None:
         return canAccess(as_dir, 'get')
     return False
Esempio n. 5
0
    def items(self):
        """Return the calendars to be offered in the calendar overlay.

        Does not include "my calendar".  Only calendars whose ``__iter__``
        the current user may access are listed, ordered by calendar title
        and then by the path of the calendar's parent.

        Each entry is a dict with the keys:

            'title' - title of the calendar

            'calendar' - the calendar object

            'color1', 'color2' - colors assigned to this calendar

            'id' - path of the calendar's parent, used for form controls

            'checked' - "checked" when the overlay entry is shown, else ''
        """
        person = IPerson(self.request.principal)
        keyed = []
        for entry in person.overlaid_calendars:
            if not canAccess(entry.calendar, '__iter__'):
                continue
            parent_path = getPath(entry.calendar.__parent__)
            info = {
                'title': entry.calendar.title,
                'id': parent_path,
                'calendar': entry.calendar,
                'checked': entry.show and "checked" or '',
                'color1': entry.color1,
                'color2': entry.color2,
            }
            # sort key precedes the payload so plain tuple ordering applies
            keyed.append(((entry.calendar.title, parent_path), info))
        keyed.sort()
        return [info for _key, info in keyed]
Esempio n. 6
0
    def __call__(self):
        """Book a resource for a calendar event, then redirect to nextURL().

        The event is either looked up on the current user's calendar by
        ``event_id`` or, when that key is absent, built from the
        ``start_date``/``start_time``/``title``/``duration`` request values
        and added to the calendar.  The resource is booked only if the
        user may ``addEvent`` on the resource's calendar.

        Raises Unauthorized when no person is logged in, or when the user
        may not book the requested resource.
        """
        app = ISchoolToolApplication(None)
        person = IPerson(self.request.principal, None)
        if not person:
            raise Unauthorized("Only logged in users can book resources.")
        cal = ISchoolToolCalendar(person)
        if self.request.has_key('event_id'):
            event = cal.find(self.request['event_id'])
        else:
            start_date = self.request.get('start_date')
            start_time = self.request.get('start_time')
            title = self.request.get('title')
            # NOTE(review): request values are used unvalidated; a missing or
            # malformed date/time/duration raises from strptime()/int() here
            # instead of producing a user-facing form error.
            start_datetime = "%s %s" % (start_date, start_time)
            start_datetime = datetime(*strptime(start_datetime,
                                                "%Y-%m-%d %H:%M")[0:6])
            # wall-clock input is read in the view's timezone, stored as UTC
            start_datetime = self.timezone.localize(start_datetime)
            start_datetime = start_datetime.astimezone(pytz.UTC)
            duration = timedelta(seconds=int(self.request.get('duration')))
            event = CalendarEvent(dtstart = start_datetime,
                                  duration = duration,
                                  title = title)
            # the event is added before the resource permission check below;
            # presumably the transaction is aborted if Unauthorized is raised
            cal.addEvent(event)

        if event:
            # 'resource_id' is read with [] and so must be present here
            resource = app["resources"].get(self.request['resource_id'])
            if resource is not None:
                resource_calendar = ISchoolToolCalendar(resource)
                if not canAccess(resource_calendar, "addEvent"):
                    raise Unauthorized("You don't have the right to"
                                       " book this resource!")
                event.bookResource(resource)
        self.request.response.redirect(self.nextURL(event))
Esempio n. 7
0
 def update(self):
     """Build ``self.schoolyears`` from the member's group memberships.

     Each entry describes one school year, newest ``first`` date first,
     with its groups sorted by collated title.  Sections are skipped, as
     are groups whose ``title`` the current user may not access.  Groups
     named ``students`` take their states from the 'student-enrollment'
     app states, all others from 'group-membership'.
     """
     self.collator = ICollator(self.request.locale)
     links = Membership.bind(member=self.context).all().relationships
     group_states = self.app_states('group-membership')
     student_states = self.app_states('student-enrollment')
     by_year = {}
     for link_info in links:
         group = removeSecurityProxy(link_info.target)
         if ISection.providedBy(group) or not canAccess(group, 'title'):
             continue
         by_year.setdefault(ISchoolYear(group.__parent__), []).append(
             (group, link_info))

     def title_key(pair):
         # locale-aware ordering on the group title
         return self.collator.key(pair[0].title)

     self.schoolyears = []
     for sy in sorted(by_year, key=lambda year: year.first, reverse=True):
         css_class = 'active' if sy is self.schoolyear else 'inactive'
         groups = []
         for group, link_info in sorted(by_year[sy], key=title_key):
             app_states = (student_states if group.__name__ == 'students'
                           else group_states)
             groups.append({
                 'obj': group,
                 'title': group.title,
                 'states': self.group_current_states(link_info, app_states),
             })
         self.schoolyears.append({
             'obj': sy,
             'css_class': css_class,
             'groups': groups,
         })
Esempio n. 8
0
def getActionBotton_Detail(item, formatter, isRequirement=False):
    """Action Buttons for Overview in Web-Browser

    Render the "Info" button for *item* plus the YUI tooltip script that
    goes with it.  *item* may be the object itself or a ``{'obj': item}``
    wrapper.  The button links to ``@@details.html`` only when that view
    is registered and the current user may ``render`` it; otherwise the
    grey icon is shown with a "not permitted" tooltip.

    With *isRequirement* set, a non-None ``item.ikComment`` is used as the
    tooltip text (CRLF turned into ``<br />``).

    NOTE(review): the tooltip text is interpolated into a single-quoted
    JavaScript string literal without escaping, so a ``'`` in ikComment
    ends the literal early.  If ikComment is user-editable this is a
    script-injection vector and the text should be JS-escaped first.
    """
    if type(item) is dict:
        item = item["obj"]
    request = formatter.request
    resource_path = getAdapter(request, name='pics')()
    ttid = u"details" + item.getObjectId()
    view_url = absoluteURL(item, request) + '/@@details.html'
    adapter = zapi.queryMultiAdapter((item, request), name='details.html')
    permitted = adapter is not None and canAccess(adapter, 'render')
    if not permitted:
        view_html = u'<img id="%s" alt="Details" src="%s/Info_gr.png" />' % \
                  (ttid, resource_path)
        tooltip_text = _(u'viewing details is not permitted')
    else:
        view_html = u'<a href="%s">' %  (view_url) + \
                  u'<img id="%s" alt="Info" src="%s/Info.png" /></a>' % \
                  (ttid, resource_path)
        if isRequirement and item.ikComment is not None:
            tooltip_text = item.ikComment.replace("\r\n", "<br />")
        else:
            tooltip_text = _(u'details of this object')
    # ttid doubles as JS variable suffix, tooltip id and context element id
    tooltip = u"<script type=\"text/javascript\">tt_%s = new YAHOO." \
            u"widget.Tooltip('tt_%s', { autodismissdelay:'15000', " \
            u"context:'%s', text:'%s' });</script>" \
            % (ttid, ttid, ttid, tooltip_text)
    return view_html + tooltip
Esempio n. 9
0
    def items(self):
        """Return the calendars to be offered in the calendar overlay.

        Does not include "my calendar".  Only calendars whose ``__iter__``
        the current user may access are listed, ordered by calendar title
        and then by the path of the calendar's parent.

        Each entry is a dict with the keys:

            'title' - title of the calendar

            'calendar' - the calendar object

            'color1', 'color2' - colors assigned to this calendar

            'id' - path of the calendar's parent, used for form controls

            'checked' - "checked" when the overlay entry is shown, else ''
        """
        person = IPerson(self.request.principal)

        def describe(entry):
            # returns (sort key, payload); the key is (title, parent path)
            parent_path = getPath(entry.calendar.__parent__)
            info = {
                'title': entry.calendar.title,
                'id': parent_path,
                'calendar': entry.calendar,
                'checked': entry.show and "checked" or '',
                'color1': entry.color1,
                'color2': entry.color2,
            }
            return ((entry.calendar.title, parent_path), info)

        rows = [describe(entry) for entry in person.overlaid_calendars
                if canAccess(entry.calendar, '__iter__')]
        return [info for _key, info in sorted(rows)]
Esempio n. 10
0
    def update(self):
        """Populate ``self.schoolyears`` from the context's groups.

        Groups that are sections, or whose ``title`` the current user may
        not access, are dropped.  The remaining groups are bucketed by the
        school year of their parent; years are listed newest ``first``
        date first and each year's groups are sorted by title with the
        request locale's collator.
        """
        self.collator = ICollator(self.request.locale)
        visible = [g for g in self.context.groups
                   if canAccess(g, 'title') and not ISection.providedBy(g)]

        by_year = {}
        for group in visible:
            by_year.setdefault(ISchoolYear(group.__parent__), []).append(group)

        # py2-style sort: the collator supplies cmp, the title is the key
        newest_first = sorted(by_year, key=lambda year: year.first,
                              reverse=True)
        self.schoolyears = [
            {'obj': sy,
             'groups': sorted(by_year[sy],
                              cmp=self.collator.cmp,
                              key=lambda group: group.title)}
            for sy in newest_first]
Esempio n. 11
0
def getActionBotton_Delete(item, formatter):
    """Action Buttons for Overview in Web-Browser

    Render the "Trash" button for *item* plus its YUI tooltip script.
    *item* may be the object itself or a ``{'obj': item}`` wrapper.  The
    button links to ``@@delete.html`` only when that view is registered,
    the current user may ``render`` it and ``item.canBeDeleted()`` holds;
    otherwise the grey icon is shown and the tooltip explains why,
    mentioning references from other objects when the item itself refuses
    deletion.
    """
    if type(item) is dict:
        item = item["obj"]
    request = formatter.request
    resource_path = getAdapter(request, name='pics')()
    ttid = u"delete" + item.getObjectId()
    trash_url = absoluteURL(item, request) + '/@@delete.html'
    adapter = zapi.queryMultiAdapter((item, request), name='delete.html')
    view_ok = adapter is not None and canAccess(adapter, 'render')
    if view_ok and item.canBeDeleted():
        trash_html = u'<a href="%s">' %  (trash_url) + \
                  u'<img id="%s" alt="Trash" src="%s/Trash.png" /></a>' % \
                   (ttid, resource_path)
        tooltip_text = _(u'delete this object')
    else:
        trash_html = u'<img id="%s" alt="Trash" src="%s/Trash_gr.png" />' % \
                   (ttid, resource_path)
        tooltip_text = _(u'deleting this object is not permitted')
        if not item.canBeDeleted():
            # the object, not the permission, is what blocks deletion
            tooltip_text += _(u',<br/>referenced by other objects')
    # ttid doubles as JS variable suffix, tooltip id and context element id
    tooltip = u"<script type=\"text/javascript\">tt_%s = new YAHOO." \
            u"widget.Tooltip('tt_%s', { autodismissdelay:'15000', " \
            u"context:'%s', text:'%s' });</script>" \
            % (ttid, ttid, ttid, tooltip_text)
    return trash_html + tooltip
Esempio n. 12
0
 def objs(self):
     """List of Content objects

     Walk the parent folder of the context and keep every ISuperclass
     object for which the current user may access ``ikName`` and may
     ``render`` a registered ``details.html`` view.
     """
     folder = self.context.getParent()
     visible = []
     for candidate in folder.values():
         if not ISuperclass.providedBy(candidate):
             continue
         if not canAccess(candidate, 'ikName'):
             continue
         details = zapi.queryMultiAdapter((candidate, self.request),
                                          name='details.html')
         if details is not None and canAccess(details, 'render'):
             visible.append(candidate)
     return visible
Esempio n. 13
0
    def allowRename(self):
        """Return whether the context may be renamed in place.

        Renaming is refused when the context provides IRenameNotAllowed,
        when its parent is not an IWriteContainer, when the parent chooses
        names itself (IContainerNamesContainer), or when the current user
        may not ``__setitem__`` on the parent.
        """
        if IRenameNotAllowed.providedBy(self.context):
            return False
        parent = self.context.__parent__
        if not IWriteContainer.providedBy(parent):
            return False
        if IContainerNamesContainer.providedBy(parent):
            return False
        return canAccess(parent, '__setitem__')
Esempio n. 14
0
 def getApplicationCalendar(self):
     """Return the application-wide calendar, or None.

     None is returned when there is no current user (``self.user``) or
     when the user may not iterate the calendar (``__iter__``).
     """
     if self.user is None:
         return None
     calendar = ISchoolToolCalendar(ISchoolToolApplication(None))
     return calendar if canAccess(calendar, '__iter__') else None
Esempio n. 15
0
 def canAccess(self):
     """See z3c.form.interfaces.IDataManager

     Adapt the context to the field's interface when one is declared and
     ask zope.security whether the field's attribute may be accessed.  An
     unproxied context is treated as accessible without a check.  Note
     that ``canAccess`` in the body is the module-level function, not this
     method: class attributes are not in scope inside method bodies.
     """
     target = self.context
     iface = self.field.interface
     if iface is not None:
         target = iface(target)
     if not isinstance(target, Proxy):
         return True
     return canAccess(target, self.field.__name__)
Esempio n. 16
0
 def getApplicationCalendar(self):
     """Return the application-wide calendar, or None.

     The calendar is only handed out when there is a current user
     (``self.user``) and that user may iterate it (``__iter__``).
     """
     if self.user is not None:
         app = ISchoolToolApplication(None)
         calendar = ISchoolToolCalendar(app)
         if canAccess(calendar, '__iter__'):
             return calendar
     return None
Esempio n. 17
0
 def render(self):
     """Return the template with the option 'menus'

     The template is rendered only if the IUtilManager's parent folder
     holds at least one ISuperclass object whose ``ikName`` the current
     user may access and whose ``details.html`` view exists and may be
     rendered; otherwise an empty string is returned.
     """
     folder = getUtility(IUtilManager).getParent()
     visible = []
     for candidate in folder.values():
         if not ISuperclass.providedBy(candidate):
             continue
         if not canAccess(candidate, 'ikName'):
             continue
         details = zapi.queryMultiAdapter((candidate, self.request),
                                          name='details.html')
         if details is not None and canAccess(details, 'render'):
             visible.append(candidate)
     if visible:
         return self.template()
     return u''
Esempio n. 18
0
 def objs(self):
     """List of Content objects

     Every utility registered for ISuperclass whose ``details.html`` view
     exists and may be rendered by the current user.
     """
     def viewable(obj):
         details = zapi.queryMultiAdapter((obj, self.request),
                                          name='details.html')
         return details is not None and canAccess(details, 'render')

     return [obj for obj in getAllUtilitiesRegisteredFor(ISuperclass)
             if viewable(obj)]
Esempio n. 19
0
 def getResourceCalendars(self):
     """Return the calendars of all resources the user may iterate.

     An empty list is returned when there is no current user.  Resources
     come from the application's ``resources`` container; only calendars
     whose ``__iter__`` is accessible are kept.
     """
     if self.user is None:
         return []
     app = ISchoolToolApplication(None)
     accessible = []
     for resource in app['resources'].values():
         calendar = ISchoolToolCalendar(resource)
         if not canAccess(calendar, '__iter__'):
             continue
         accessible.append(calendar)
     return accessible
Esempio n. 20
0
 def getResourceCalendars(self):
     """Return the calendars of all resources the user may iterate.

     An empty list is returned when there is no current user.  Resources
     come from the application's ``resources`` container; only calendars
     whose ``__iter__`` is accessible are kept.
     """
     if self.user is None:
         return []
     resources = ISchoolToolApplication(None)['resources']

     def accessible():
         for resource in resources.values():
             calendar = ISchoolToolCalendar(resource)
             if canAccess(calendar, '__iter__'):
                 yield calendar

     return list(accessible())
Esempio n. 21
0
 def can_write(self):
     """Can the current user write to the attribute.

     True when zope.security grants write access to ``attribute_name``;
     failing that, when a mutator method is configured for the REST API
     (such as transitionToAssignee) and the user may call it.
     """
     if canWrite(self.context, self.attribute_name):
         return True
     mutator = self.mutator_method_name
     if mutator is None:
         return False
     # write access may be granted indirectly through the configured REST
     # mutator method rather than on the attribute itself
     return canAccess(self.context, mutator)
Esempio n. 22
0
 def can_write(self):
     """Can the current user write to the attribute.

     Direct write permission on ``attribute_name`` wins; otherwise the
     REST API's configured mutator method (e.g. transitionToAssignee), if
     any, decides by whether the user may call it.  Without a mutator the
     answer is False.
     """
     if canWrite(self.context, self.attribute_name):
         return True
     mutator = self.mutator_method_name
     # no mutator configured -> False; otherwise the mutator's access check
     return mutator is not None and canAccess(self.context, mutator)
Esempio n. 23
0
 def anchor(value, item, formatter):
     """ anchor method will return a html formated anchor

     Link *value* to the ``view`` (a name from the enclosing scope) of
     *item* when that view is registered and the current user may
     ``render`` it.  Otherwise, and whenever the lookup raises, the bare
     value is returned as unicode.

     NOTE(review): value and url are not HTML-escaped, and the blanket
     ``except Exception`` also hides configuration errors behind the
     unlinked fallback.
     """
     try:
         request = formatter.request
         target = zapi.queryMultiAdapter((item, request), name=view)
         linkable = target is not None and canAccess(target, 'render')
         if linkable:
             url = absoluteURL(item, request) + '/' + view
             return u'<a href="%s">%s</a>' % (url, value)
     except Exception:
         pass
     return u'%s' % (value)
Esempio n. 24
0
    def getApplicationCalendar(self):
        """Describe the application calendar for the overlay.

        Return a dict with 'title' (the application title), 'selected'
        (whether the calendar is already among the user's overlaid
        calendars) and 'calendar'.  An empty dict -- not None -- is
        returned when no person is logged in or the user may not iterate
        the calendar.
        """
        user = IPerson(self.request.principal, None)
        if not user:
            return {}
        app = ISchoolToolApplication(None)
        calendar = ISchoolToolCalendar(app)
        if not canAccess(calendar, '__iter__'):
            return {}
        return {'title': app.title,
                'selected': calendar in user.overlaid_calendars,
                'calendar': calendar}
Esempio n. 25
0
 def year(self):
     """Describe ``self.schoolyear`` for the template, or None if unset.

     The dict carries the translated title, the first/last dates, whether
     the year holds no terms ('empty'), whether the user may
     ``__delitem__`` on it ('canModify'), the add-term URL and the alt
     text for that link.
     """
     year = self.schoolyear
     if year is None:
         return None

     def msg(text):
         return _(text, mapping={'year_title': year.title})

     return {
         'title': msg(u'School Year: ${year_title}'),
         'first': year.first,
         'last': year.last,
         'empty': not tuple(year.values()),
         'canModify': canAccess(year, '__delitem__'),
         'addurl': absoluteURL(year, self.request) + '/add.html',
         'alt': msg(u'Add a new term to ${year_title}'),
     }
Esempio n. 26
0
    def getApplicationCalendar(self):
        """Describe the application calendar for the overlay.

        The result is ``{}`` (never None) when no person is logged in or
        the user may not iterate the calendar; otherwise a dict with
        'title' (application title), 'selected' (calendar already among
        the user's overlaid calendars) and 'calendar'.
        """
        user = IPerson(self.request.principal, None)
        if not user:
            return {}
        app = ISchoolToolApplication(None)
        calendar = ISchoolToolCalendar(app)
        permitted = canAccess(calendar, '__iter__')
        if not permitted:
            return {}
        description = {'title': app.title}
        description['selected'] = calendar in user.overlaid_calendars
        description['calendar'] = calendar
        return description
Esempio n. 27
0
    def getCalendars(self, container):
        """List all calendars from a given container.

        Return one dict per object in ``app[container]`` whose calendar the
        current user may iterate, skipping the user's own object.  Each
        dict has 'id' (object name), 'title', 'selected' (calendar already
        overlaid) and 'calendar'; the list is sorted by title, then id.
        An empty list is returned when no person is logged in.
        """
        user = removeSecurityProxy(IPerson(self.request.principal, None))
        if user is None:
            return []
        app = ISchoolToolApplication(None)
        entries = []
        for obj in app[container].values():
            calendar = ISchoolToolCalendar(obj)
            if obj is user or not canAccess(calendar, '__iter__'):
                continue
            entries.append({
                'id': obj.__name__,
                'title': obj.title,
                'selected': calendar in user.overlaid_calendars,
                'calendar': calendar,
            })
        entries.sort(key=lambda entry: (entry['title'], entry['id']))
        return entries
Esempio n. 28
0
    def getCalendars(self, container):
        """List all calendars from a given container.

        Objects in ``app[container]`` are described by 'id' (object name),
        'title', 'selected' (calendar already overlaid by the user) and
        'calendar'.  The user's own object and calendars the user may not
        iterate are left out; the result is sorted by title, then id, and
        is empty when no person is logged in.
        """
        user = removeSecurityProxy(IPerson(self.request.principal, None))
        if user is None:
            return []
        app = ISchoolToolApplication(None)

        def describe(obj, calendar):
            return {'id': obj.__name__,
                    'title': obj.title,
                    'selected': calendar in user.overlaid_calendars,
                    'calendar': calendar}

        described = []
        for obj in app[container].values():
            calendar = ISchoolToolCalendar(obj)
            if obj is not user and canAccess(calendar, '__iter__'):
                described.append(describe(obj, calendar))
        return sorted(described, key=lambda d: (d['title'], d['id']))
Esempio n. 29
0
    def update(self):
        """Populate ``self.schoolyears`` from the context's groups.

        Sections and groups whose ``title`` the current user may not
        access are ignored.  The rest are grouped by the school year of
        their parent, years ordered newest ``first`` date first, and the
        groups of each year sorted by title with the locale's collator.
        """
        self.collator = ICollator(self.request.locale)
        kept = [group for group in self.context.groups
                if canAccess(group, 'title')
                and not ISection.providedBy(group)]

        per_year = {}
        for group in kept:
            year = ISchoolYear(group.__parent__)
            per_year.setdefault(year, []).append(group)

        self.schoolyears = []
        for year in sorted(per_year, key=lambda y: y.first, reverse=True):
            # py2-style sort: collator cmp over the group titles
            ordered_groups = sorted(per_year[year],
                                    cmp=self.collator.cmp,
                                    key=lambda g: g.title)
            self.schoolyears.append({'obj': year, 'groups': ordered_groups})
Esempio n. 30
0
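def getActionBotton_History(item, formatter):
    """Action Buttons for Overview in Web-Browser

    Render the "History" button for *item* together with its YUI tooltip
    script.  As with the other getActionBotton_* helpers, *item* may be
    given directly or wrapped as ``{'obj': item}``; the wrapper is now
    unwrapped here too, so a formatter that hands over row dicts works
    for this column as well (bare objects behave exactly as before).

    The button links to ``@@history.html`` only when that view is
    registered for the item and the current user may ``render`` it;
    otherwise the grey icon is emitted with a "not permitted" tooltip.
    """
    if type(item) is dict:
        item = item["obj"]
    request = formatter.request
    resource_path = getAdapter(request, name='pics')()
    ttid = u"history" + item.getObjectId()
    hist_url = absoluteURL(item, request) + '/@@history.html'
    adapter = zapi.queryMultiAdapter((item, request), name='history.html')
    if adapter is not None and canAccess(adapter, 'render'):
        hist_html = u'<a href="%s">' %  (hist_url) + \
                  u'<img id="%s" alt="History" src="%s/Doc.png" /></a>' % \
                  (ttid, resource_path)
        tooltip_text = _(u'history this object')
    else:
        hist_html = u'<img id="%s" alt="History" src="%s/Doc_gr.png" />' % \
                  (ttid, resource_path)
        tooltip_text = _(u'viewing the history is not permitted')
    # ttid doubles as JS variable suffix, tooltip id and context element id
    tooltip = u"<script type=\"text/javascript\">tt_%s = new YAHOO." \
            u"widget.Tooltip('tt_%s', { autodismissdelay:'15000', " \
            u"context:'%s', text:'%s' });</script>" \
            % (ttid, ttid, ttid, tooltip_text)
    return hist_html + tooltip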
Esempio n. 31
0
 def update(self):
     """Build ``self.schoolyears`` from the member's group memberships.

     Sections and groups whose ``title`` the current user may not access
     are skipped.  Years are listed newest ``first`` date first, each
     with a 'css_class' marking the currently selected year and its
     groups sorted by collated title.  The ``students`` group takes its
     states from 'student-enrollment', all others from
     'group-membership'.
     """
     self.collator = ICollator(self.request.locale)
     memberships = Membership.bind(
         member=self.context).all().relationships
     states_for = {
         False: self.app_states('group-membership'),
         True: self.app_states('student-enrollment'),
     }
     by_year = {}
     for link_info in memberships:
         group = removeSecurityProxy(link_info.target)
         if ISection.providedBy(group) or not canAccess(group, 'title'):
             continue
         by_year.setdefault(ISchoolYear(group.__parent__), []).append(
             (group, link_info))

     self.schoolyears = []
     for sy in sorted(by_year, key=lambda year: year.first, reverse=True):
         ordered = sorted(by_year[sy],
                          key=lambda pair: self.collator.key(pair[0].title))
         self.schoolyears.append({
             'obj': sy,
             'css_class': 'active' if sy is self.schoolyear else 'inactive',
             'groups': [
                 {'obj': group,
                  'title': group.title,
                  'states': self.group_current_states(
                      link_info, states_for[group.__name__ == 'students'])}
                 for group, link_info in ordered],
         })
Esempio n. 32
0
def getActionBotton_Edit(item, formatter):
    """Action Buttons for Overview in Web-Browser

    Return the HTML for the "edit" icon of ``item`` followed by the YUI
    tooltip script describing it.  The icon links to ``@@edit.html`` only
    when the current interaction may render that view (``canAccess``);
    otherwise a greyed-out icon and a "not permitted" tooltip are emitted.

    ``item`` may be the object itself or a ``{'obj': object}`` dict as
    produced by the overview formatter.

    NOTE(review): ``ttid``, ``edit_url`` and ``tooltip_text`` are inserted
    into the markup and the inline script without HTML/JS escaping; this
    is only safe while object ids, URLs and translation strings contain no
    quotes or angle brackets -- confirm before reusing this helper.
    """
    if type(item) is dict:
        item = item["obj"]
    request = formatter.request
    resource_path = getAdapter(request, name='pics')()
    ttid = u"edit" + item.getObjectId()
    edit_url = absoluteURL(item, request) + '/@@edit.html'
    edit_view = zapi.queryMultiAdapter((item, request), name='edit.html')
    permitted = edit_view is not None and canAccess(edit_view, 'render')
    if permitted:
        edit_html = (u'<a href="%s"><img id="%s" alt="Edit" src="%s/Hand.png" /></a>'
                     % (edit_url, ttid, resource_path))
        tooltip_text = _(u'edit this object')
    else:
        edit_html = (u'<img id="%s" alt="Edit" src="%s/Hand_gr.png" />'
                     % (ttid, resource_path))
        tooltip_text = _(u'editing is not permitted')
    tooltip = (
        u"<script type=\"text/javascript\">tt_%(id)s = new YAHOO.widget.Tooltip("
        u"'tt_%(id)s', { autodismissdelay:'15000', context:'%(id)s', "
        u"text:'%(text)s' });</script>" % {'id': ttid, 'text': tooltip_text})
    return edit_html + tooltip
 def canModify(self):
     """Return whether the current interaction may delete entries from
     ``self.container`` (``canAccess`` on its ``__delitem__``)."""
     target = self.container
     return canAccess(target, '__delitem__')
 def canAccess(self):
     """Return whether ``name`` may be read on the context resolved by
     ``_name_and_context``.

     Only a security-proxied context is actually checked (via the global
     ``canAccess``); an unproxied context is reported as accessible.
     """
     name, context = self._name_and_context()
     if not isinstance(context, Proxy):
         return True
     return canAccess(context, name)
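 def test_cannot_setBranch(self):
     """``setBranch`` must not be accessible in the test's default interaction.

     Per the assertion message, only admins and uploaders are meant to
     reach it, so ``canAccess`` on the method has to report False here.
     """
     sourcepackage = self.factory.makeSourcePackage()
     # assertFalse is the canonical name; failIf was a deprecated alias
     # that no longer exists on Python 3.12+.
     self.assertFalse(
         canAccess(sourcepackage, 'setBranch'),
         "setBranch should only be available to admins and uploaders")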
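    def test_canWrite_canAccess(self):
        """Exercise the ``canWrite``/``canAccess`` conveniences against a
        name-based ``Checker`` under the stub security policy.

        Expected outcomes for the checker defined below: ``foo`` readable
        and writable; ``bar`` readable only; ``baz`` not readable, with the
        write reported as False rather than Forbidden; ``shazam`` forbidden
        for both; ``bing`` write-only, where ``canWrite`` is False but
        ``canAccess`` raises ``Forbidden``.
        """
        # the canWrite and canAccess functions are conveniences.  Often code
        # wants to check if a certain option is open to a user before
        # presenting it.  If the code relies on a certain permission, the
        # Zope 3 goal of keeping knowledge of security assertions out of the
        # code and only in the zcml assertions is broken.  Instead, ask if the
        # current user canAccess or canWrite some pertinent aspect of the
        # object.  canAccess is used for both read access on an attribute
        # and call access to methods.

        # For example, consider this humble pair of class and object.
        class SomeClass(object):
            pass
        obj = SomeClass()

        # We will establish a checker for the class.  This is the standard
        # name-based checker, and works by specifying two dicts, one for read
        # and one for write.  Each item in the dictionary should be an
        # attribute name and the permission required to read or write it.

        # For these tests, the SecurityPolicy defined at the top of this file
        # is in place.  It is a stub.  Normally, the security policy would
        # have knowledge of interactions and participants, and would determine
        # on the basis of the participants and the object if a certain
        # permission were authorized.  This stub simply says that the
        # 'test_allowed' permission is authorized and nothing else is, for any
        # object you pass it.

        # Therefore, according to the checker created here, the current
        # 'interaction' (as stubbed out in the security policy) will be allowed
        # to access and write foo, and access bar.  The interaction is
        # unauthorized for accessing baz and writing bar.  Any other access or
        # write is not merely unauthorized but forbidden--including write access
        # for baz.
        checker = Checker(
            {'foo': 'test_allowed',  # these are the read settings
             'bar': 'test_allowed',
             'baz': 'you_will_not_have_this_permission'},
            {'foo': 'test_allowed',  # these are the write settings
             'bar': 'you_will_not_have_this_permission',
             'bing': 'you_will_not_have_this_permission'})
        defineChecker(SomeClass, checker)

        # assertTrue/assertFalse replace the assert_ alias, which was
        # deprecated in Python 2.7 and removed in Python 3.12.

        # so, our hapless interaction may write and access foo...
        self.assertTrue(canWrite(obj, 'foo'))
        self.assertTrue(canAccess(obj, 'foo'))

        # ...may access, but not write, bar...
        self.assertFalse(canWrite(obj, 'bar'))
        self.assertTrue(canAccess(obj, 'bar'))

        # ...and may not access baz (its permission is never granted).
        self.assertFalse(canAccess(obj, 'baz'))

        # there are no security assertions for writing or reading shazam, so
        # checking these actually raises Forbidden.  The rationale behind
        # exposing the Forbidden exception is primarily that it is usually
        # indicative of programming or configuration errors.
        self.assertRaises(Forbidden, canAccess, obj, 'shazam')
        self.assertRaises(Forbidden, canWrite, obj, 'shazam')

        # However, we special-case canWrite when an attribute has a Read
        # setting but no Write setting.  Consider the 'baz' attribute from the
        # checker above: it is readonly.  All users are forbidden to write
        # it.  This is a very reasonable configuration.  Therefore, canWrite
        # will hide the Forbidden exception if and only if there is a
        # setting for accessing the attribute.
        self.assertFalse(canWrite(obj, 'baz'))

        # The reverse is not true at the moment: an unusual case like the
        # write-only 'bing' attribute will return a boolean for canWrite,
        # but canAccess will simply raise a Forbidden exception, without
        # checking write settings.
        self.assertFalse(canWrite(obj, 'bing'))
        self.assertRaises(Forbidden, canAccess, obj, 'bing')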
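    def test_canWrite_canAccess(self):
        """Exercise the ``canWrite``/``canAccess`` conveniences against a
        name-based ``Checker`` under the stub security policy.

        Expected outcomes for the checker defined below: ``foo`` readable
        and writable; ``bar`` readable only; ``baz`` not readable, with the
        write reported as False rather than Forbidden; ``shazam`` forbidden
        for both; ``bing`` write-only, where ``canWrite`` is False but
        ``canAccess`` raises ``Forbidden``.
        """
        # the canWrite and canAccess functions are conveniences.  Often code
        # wants to check if a certain option is open to a user before
        # presenting it.  If the code relies on a certain permission, the
        # Zope 3 goal of keeping knowledge of security assertions out of the
        # code and only in the zcml assertions is broken.  Instead, ask if the
        # current user canAccess or canWrite some pertinent aspect of the
        # object.  canAccess is used for both read access on an attribute
        # and call access to methods.

        # For example, consider this humble pair of class and object.
        class SomeClass(object):
            pass

        obj = SomeClass()

        # We will establish a checker for the class.  This is the standard
        # name-based checker, and works by specifying two dicts, one for read
        # and one for write.  Each item in the dictionary should be an
        # attribute name and the permission required to read or write it.

        # For these tests, the SecurityPolicy defined at the top of this file
        # is in place.  It is a stub.  Normally, the security policy would
        # have knowledge of interactions and participants, and would determine
        # on the basis of the participants and the object if a certain
        # permission were authorized.  This stub simply says that the
        # 'test_allowed' permission is authorized and nothing else is, for any
        # object you pass it.

        # Therefore, according to the checker created here, the current
        # 'interaction' (as stubbed out in the security policy) will be allowed
        # to access and write foo, and access bar.  The interaction is
        # unauthorized for accessing baz and writing bar.  Any other access or
        # write is not merely unauthorized but forbidden--including write access
        # for baz.
        checker = Checker(
            {
                'foo': 'test_allowed',  # these are the read settings
                'bar': 'test_allowed',
                'baz': 'you_will_not_have_this_permission'
            },
            {
                'foo': 'test_allowed',  # these are the write settings
                'bar': 'you_will_not_have_this_permission',
                'bing': 'you_will_not_have_this_permission'
            })
        defineChecker(SomeClass, checker)

        # assertTrue/assertFalse replace the assert_ alias, which was
        # deprecated in Python 2.7 and removed in Python 3.12.

        # so, our hapless interaction may write and access foo...
        self.assertTrue(canWrite(obj, 'foo'))
        self.assertTrue(canAccess(obj, 'foo'))

        # ...may access, but not write, bar...
        self.assertFalse(canWrite(obj, 'bar'))
        self.assertTrue(canAccess(obj, 'bar'))

        # ...and may not access baz (its permission is never granted).
        self.assertFalse(canAccess(obj, 'baz'))

        # there are no security assertions for writing or reading shazam, so
        # checking these actually raises Forbidden.  The rationale behind
        # exposing the Forbidden exception is primarily that it is usually
        # indicative of programming or configuration errors.
        self.assertRaises(Forbidden, canAccess, obj, 'shazam')
        self.assertRaises(Forbidden, canWrite, obj, 'shazam')

        # However, we special-case canWrite when an attribute has a Read
        # setting but no Write setting.  Consider the 'baz' attribute from the
        # checker above: it is readonly.  All users are forbidden to write
        # it.  This is a very reasonable configuration.  Therefore, canWrite
        # will hide the Forbidden exception if and only if there is a
        # setting for accessing the attribute.
        self.assertFalse(canWrite(obj, 'baz'))

        # The reverse is not true at the moment: an unusual case like the
        # write-only 'bing' attribute will return a boolean for canWrite,
        # but canAccess will simply raise a Forbidden exception, without
        # checking write settings.
        self.assertFalse(canWrite(obj, 'bing'))
        self.assertRaises(Forbidden, canAccess, obj, 'bing')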
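 def test_cannot_setBranch(self):
     """``setBranch`` must not be accessible in the test's default interaction.

     Per the assertion message, only admins and uploaders are meant to
     reach it, so ``canAccess`` on the method has to report False here.
     """
     sourcepackage = self.factory.makeSourcePackage()
     # assertFalse is the canonical name; failIf was a deprecated alias
     # that no longer exists on Python 3.12+.
     self.assertFalse(
         canAccess(sourcepackage, 'setBranch'),
         "setBranch should only be available to admins and uploaders")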
 def authorized(self, result):
     """Return whether the current interaction may call the default view of
     the object behind ``result``.

     The default view name is resolved on the bare object; the view itself
     is looked up on a security-proxied copy (``ProxyFactory``) and then
     checked with ``canAccess`` on ``__call__``.
     """
     target = result.object()
     request = self.request
     view_name = getDefaultViewName(target, request)
     view = queryMultiAdapter((ProxyFactory(target), request), name=view_name)
     return canAccess(view, "__call__")
 def getPersons(self):
     """Return the members of the context whose ``title`` the current
     interaction may read; ``canAccess`` is the visibility filter."""
     visible = []
     for person in self.context.members:
         if canAccess(person, 'title'):
             visible.append(person)
     return visible
 def canModify(self):
     """Return whether the current interaction may delete entries from the
     context's parent container (``canAccess`` on its ``__delitem__``)."""
     container = self.context.__parent__
     return canAccess(container, '__delitem__')
 def canAccess(self):
     """Return whether ``name`` may be read on the context resolved by
     ``_name_and_context``.

     Only a security-proxied context is actually checked (via the global
     ``canAccess``); an unproxied context is reported as accessible.
     """
     name, context = self._name_and_context()
     if not isinstance(context, Proxy):
         return True
     return canAccess(context, name)
 def can_delete(self):
     """Return whether the current interaction may delete the context from
     its parent container.

     Raises ``NotImplementedError`` when the parent is not an
     ``IWriteContainer``; otherwise answers ``canAccess`` on ``__delitem__``.
     """
     parent = self.context.__parent__
     if IWriteContainer.providedBy(parent):
         return canAccess(parent, '__delitem__')
     raise NotImplementedError()
 def canAccess(self):
     """See z3c.form.interfaces.IDataManager

     Only a security-proxied ``adapted_context`` is actually checked (via
     the global ``canAccess`` on the field's name); an unproxied context
     is reported as accessible.
     """
     target = self.adapted_context
     if not isinstance(target, Proxy):
         return True
     return canAccess(target, self.field.__name__)
 def canModify(self):
     """Return whether the current interaction may delete entries from the
     context's parent container (``canAccess`` on its ``__delitem__``)."""
     container = self.context.__parent__
     return canAccess(container, '__delitem__')
 def traverse(self, name, furtherPath=()):
     """Return the items of the context on which the current interaction
     may access ``name`` (``canAccess`` filter).

     ``furtherPath`` is accepted for the traversal signature but unused.
     """
     accessible = []
     for item in self.context:
         if canAccess(item, name):
             accessible.append(item)
     return accessible
 def traverse(self, name, furtherPath=()):
     """Returns True if self.context.(name) can be accessed.

     ``furtherPath`` is accepted for the traversal signature but unused.
     """
     target = self.context
     return canAccess(target, name)
 def render(self):
     """Render the action links only for users who may delete from the
     context's parent container and only when there is something to show.

     Returns None (renders nothing) otherwise.
     """
     # This check is necessary because the user can be a leader
     # of the context group, which gives him schooltool.edit on it
     parent = self.context.__parent__
     if canAccess(parent, '__delitem__') and self.renderable_items:
         return super(GroupManageActionsLinks, self).render()
 def authorized(self, result):
     """Return whether the current interaction may call the default view of
     the object behind ``result``.

     The default view name is resolved on the bare object; the view itself
     is looked up on a security-proxied copy (``ProxyFactory``) and then
     checked with ``canAccess`` on ``__call__``.
     """
     target = result.object()
     request = self.request
     view_name = getDefaultViewName(target, request)
     view = queryMultiAdapter((ProxyFactory(target), request), name=view_name)
     return canAccess(view, "__call__")
 def canDisplay(self, attr_name):
     """ object can and should be displayed

     True when the current interaction may access ``attr_name`` on
     ``self.context`` (``canAccess`` check).
     """
     target = self.context
     return canAccess(target, attr_name)
 def render(self):
     """Render the action links only for users who may delete from the
     context's parent container; returns None (renders nothing) otherwise."""
     # This check is necessary because the user can be a leader
     # of the context course, which gives him schooltool.edit on it
     parent = self.context.__parent__
     if not canAccess(parent, '__delitem__'):
         return None
     return super(CourseActionsLinks, self).render()