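def check_permission(self, action, username, resource, perm):
    """Decide whether `username` may perform `action` on `resource`.

    Returns True when the action is explicitly granted, False when it is
    explicitly denied or when every action is denied, and None when this
    policy cannot decide.  `perm` is accepted but not used in this method.
    """
    if ConfigObj is None:
        # NOTE(review): a missing parser dependency makes this policy
        # abstain (None) instead of deny; whatever the caller consults next
        # then decides -- confirm that is the intended failure mode.
        self.log.error('configobj package not found')
        return None

    # Python parses the condition as
    #   (authz_file and not authz_mtime) or (file mtime > authz_mtime).
    # NOTE(review): with `>` a policy file replaced by a copy carrying an
    # older mtime (e.g. restored from backup) is not re-parsed, so stale
    # rules would stay in force -- confirm against parse_authz().
    if self.authz_file and not self.authz_mtime or \
            os.path.getmtime(self.get_authz_file()) > self.authz_mtime:
        self.parse_authz()

    resource_key = self.normalise_resource(resource)
    self.log.debug('Checking %s on %s', action, resource_key)
    permissions = self.authz_permissions(resource_key, username)
    if permissions is None:
        return None                 # no match, can't decide
    elif permissions == ['']:
        return False                # all actions are denied

    # FIXME: expand all permissions once for all
    ps = PermissionSystem(self.env)
    for deny, perms in groupby(permissions,
                               key=lambda p: p.startswith('!')):
        if deny:
            # A deny group is only ever checked as a denial.  The previous
            # `if deny and ...: / elif ...:` form fell through to the grant
            # test when the action was not denied and stayed correct only
            # because the groupby iterator had already been exhausted.
            if action in ps.expand_actions([p[1:] for p in perms]):
                return False        # action is explicitly denied
        elif action in ps.expand_actions(perms):
            return True             # action is explicitly granted

    return None                     # no match for action, can't decide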
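def check_permission(self, action, username, resource, perm):
    """Decide whether `username` may perform `action` on `resource`.

    Returns True when the action is explicitly granted, False when it is
    explicitly denied or when every action is denied, and None when this
    policy cannot decide.  `perm` is accepted but not used in this method.
    """
    if ConfigObj is None:
        # NOTE(review): a missing parser dependency makes this policy
        # abstain (None) instead of deny; whatever the caller consults next
        # then decides -- confirm that is the intended failure mode.
        self.log.error('configobj package not found')
        return None

    # Python parses the condition as
    #   (authz_file and not authz_mtime) or (file mtime > authz_mtime).
    # NOTE(review): with `>` a policy file replaced by a copy carrying an
    # older mtime (e.g. restored from backup) is not re-parsed, so stale
    # rules would stay in force -- confirm against parse_authz().
    if self.authz_file and not self.authz_mtime or \
            os.path.getmtime(self.get_authz_file()) > self.authz_mtime:
        self.parse_authz()

    resource_key = self.normalise_resource(resource)
    self.log.debug('Checking %s on %s', action, resource_key)
    permissions = self.authz_permissions(resource_key, username)
    if permissions is None:
        return None                 # no match, can't decide
    elif permissions == ['']:
        return False                # all actions are denied

    # FIXME: expand all permissions once for all
    ps = PermissionSystem(self.env)
    for deny, perms in groupby(permissions,
                               key=lambda p: p.startswith('!')):
        if deny:
            # A deny group is only ever checked as a denial.  The previous
            # `if deny and ...: / elif ...:` form fell through to the grant
            # test when the action was not denied and stayed correct only
            # because the groupby iterator had already been exhausted.
            if action in ps.expand_actions([p[1:] for p in perms]):
                return False        # action is explicitly denied
        elif action in ps.expand_actions(perms):
            return True             # action is explicitly granted

    return None                     # no match for action, can't decide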
def _expand_perms(self, env):
    """Replace `self.grant` and `self.revoke` with their expanded forms.

    Both action lists are expanded through a PermissionSystem built from
    `env` and stored back as frozensets, after which `self._expanded` is
    set to True.

    Raises:
        ValueError: if any action ends up in both the grant and the revoke
            set; nothing is stored on the instance in that case.
    """
    expander = PermissionSystem(env)
    granted = frozenset(expander.expand_actions(self.grant))
    revoked = frozenset(expander.expand_actions(self.revoke))

    # An action present on both sides is ambiguous, so refuse the rule
    # instead of letting either side win silently.
    conflicting = granted & revoked
    if conflicting:
        listing = ', '.join(sorted(conflicting))
        raise ValueError('Impossible to grant and revoke (%s)' % listing)

    self.grant = granted
    self.revoke = revoked
    self._expanded = True
def _expand_perms(self, env):
    """Replace `self.grant` and `self.revoke` with their expanded forms.

    Both action lists are expanded through a PermissionSystem built from
    `env` and stored back as frozensets, after which `self._expanded` is
    set to True.

    Raises:
        ValueError: if any action ends up in both the grant and the revoke
            set; nothing is stored on the instance in that case.
    """
    expander = PermissionSystem(env)
    granted = frozenset(expander.expand_actions(self.grant))
    revoked = frozenset(expander.expand_actions(self.revoke))

    # An action present on both sides is ambiguous, so refuse the rule
    # instead of letting either side win silently.
    conflicting = granted & revoked
    if conflicting:
        listing = ', '.join(sorted(conflicting))
        raise ValueError('Impossible to grant and revoke (%s)' % listing)

    self.grant = granted
    self.revoke = revoked
    self._expanded = True
def get_relevant_permissions(self, policy, username):
    """Yield the user's permission entries that match a required permission.

    Each item is a `(doc_type, doc_id, action, denied)` tuple.  `denied` is
    True for actions that came from a '!'-prefixed entry and False for
    granted ones.  Actions are expanded through PermissionSystem before
    being compared with the values of `self._required_permissions`.
    """
    ps = PermissionSystem(self.env)
    wanted = set(self._required_permissions.itervalues())
    entries = self.get_all_user_permissions(policy, username)
    for doc_type, doc_id, permissions in entries:
        # Consecutive entries are grouped by whether they carry the '!'
        # deny marker, so the order of the rules is kept.
        grouped = groupby(permissions, key=lambda name: name.startswith('!'))
        for denied, group in grouped:
            if denied:
                # Drop the leading '!' before expanding a deny group.
                names = [entry[1:] for entry in group]
            else:
                names = group
            for expanded in ps.expand_actions(names):
                if expanded in wanted:
                    yield doc_type, doc_id, expanded, denied
def get_relevant_permissions(self, policy, username):
    """Yield the user's permission entries that match a required permission.

    Each item is a `(doc_type, doc_id, action, denied)` tuple.  `denied` is
    True for actions that came from a '!'-prefixed entry and False for
    granted ones.  Actions are expanded through PermissionSystem before
    being compared with the values of `self._required_permissions`.
    """
    ps = PermissionSystem(self.env)
    wanted = set(self._required_permissions.itervalues())
    entries = self.get_all_user_permissions(policy, username)
    for doc_type, doc_id, permissions in entries:
        # Consecutive entries are grouped by whether they carry the '!'
        # deny marker, so the order of the rules is kept.
        grouped = groupby(permissions, key=lambda name: name.startswith('!'))
        for denied, group in grouped:
            if denied:
                # Drop the leading '!' before expanding a deny group.
                names = [entry[1:] for entry in group]
            else:
                names = group
            for expanded in ps.expand_actions(names):
                if expanded in wanted:
                    yield doc_type, doc_id, expanded, denied
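def check_permission(self, action, username, resource, perm):
    """Decide whether `username` may perform `action` on `resource`.

    Returns True when the action is explicitly granted, False when it is
    explicitly denied or when the matched permission list is empty, and
    None when this policy cannot decide.  `perm` is accepted but not used
    in this method.
    """
    # Re-parse when no mtime has been recorded yet or the file's mtime
    # differs from the recorded one in either direction.
    if not self.authz_mtime or \
            os.path.getmtime(self.authz_file) != self.authz_mtime:
        self.parse_authz()

    resource_key = self.normalise_resource(resource)
    self.log.debug("Checking %s on %s", action, resource_key)
    permissions = self.authz_permissions(resource_key, username)
    if permissions is None:
        return None                 # no match, can't decide
    elif permissions == []:
        return False                # all actions are denied

    # FIXME: expand all permissions once for all
    ps = PermissionSystem(self.env)
    for deny, perms in groupby(permissions,
                               key=lambda p: p.startswith("!")):
        if deny:
            # A deny group is only ever checked as a denial.  The previous
            # `if deny and ...: / elif ...:` form fell through to the grant
            # test when the action was not denied and stayed correct only
            # because the groupby iterator had already been exhausted.
            if action in ps.expand_actions(p[1:] for p in perms):
                return False        # action is explicitly denied
        elif action in ps.expand_actions(perms):
            return True             # action is explicitly granted

    return None                     # no match for action, can't decide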