def anchor(value, item, formatter): """ anchor method will return a html formated anchor""" if value is None: return u'' if type(item) is dict: item = item['obj'] if ISuperclass.providedBy(value): item = value value = item.ikName try: myAdapter = zapi.queryMultiAdapter((item, formatter.request), name=view) if myAdapter is not None and canAccess(myAdapter,'render'): url = absoluteURL(item, formatter.request) + '/' + view return u'<a href="%s">%s</a>' % (url, value) else: # view = "details.html" myAdapter = zapi.queryMultiAdapter((item, formatter.request), name="details.html") if myAdapter is not None and canAccess(myAdapter,'render'): url = absoluteURL(item, formatter.request) + '/' + "details.html" return u'<a href="%s">%s</a>' % (url, value) else: return u'%s' % (value) except Exception: return u'%s' % (value)
def getActionBotton_UpDown(item, formatter): """Action Buttons for Overview in Web-Browser """ if type(item) is dict: item = item["obj"] retHtml = u"" parentIsOrderd = IOrderedContainer.providedBy(item.__parent__) resource_path = getAdapter(formatter.request, name='pics')() if parentIsOrderd: up_url = absoluteURL(item, formatter.request) + '/@@moveup.html' myAdapter = zapi.queryMultiAdapter((item, formatter.request), name='moveup.html') if myAdapter is not None and canAccess(myAdapter,'render') and \ item.__parent__.keys()[0] != item.objectID: # not the first element up_html = u'<a href="%s">' % (up_url) + \ u'<img alt="Up" src="%s/Up.png" /></a>' % \ (resource_path) else: up_html = u'<img alt="Up" src="%s/Up_gray.png" />' % \ (resource_path) retHtml += up_html down_url = absoluteURL(item, formatter.request) + '/@@movedown.html' myAdapter = zapi.queryMultiAdapter((item, formatter.request), name='movedown.html') if myAdapter is not None and canAccess(myAdapter,'render') and \ item.__parent__.keys()[-1] != item.objectID: # not the last element down_html = u'<a href="%s">' % (down_url) + \ u'<img alt="Down" src="%s/Down.png" /></a>' % \ (resource_path) else: down_html = u'<img alt="Down" src="%s/Down_gray.png" />' %\ (resource_path) retHtml += down_html return retHtml
def writable(self, name): if name in self._dir: f = IWriteFile(self._dir[name], None) if f is not None: return canAccess(f, 'write') return False d = IWriteDirectory(self.context, None) return canAccess(d, '__setitem__')
def readable(self, name): if name in self._dir: f = IReadFile(self._dir[name], None) if f is not None: return canAccess(f, 'read') d = IReadDirectory(self._dir[name], None) if d is not None: return canAccess(d, 'get') return False
def items(self): """Return items to be shown in the calendar overlay. Does not include "my calendar". Each item is a dict with the following keys: 'title' - title of the calendar 'calendar' - the calendar object 'color1', 'color2' - colors assigned to this calendar 'id' - identifier for form controls 'checked' - was this item checked for display (either "checked" or None)? """ person = IPerson(self.request.principal) items = [((item.calendar.title, getPath(item.calendar.__parent__)), {'title': item.calendar.title, 'id': getPath(item.calendar.__parent__), 'calendar': item.calendar, 'checked': item.show and "checked" or '', 'color1': item.color1, 'color2': item.color2}) for item in person.overlaid_calendars if canAccess(item.calendar, '__iter__')] items.sort() return [i[-1] for i in items]
def __call__(self): app = ISchoolToolApplication(None) person = IPerson(self.request.principal, None) if not person: raise Unauthorized("Only logged in users can book resources.") cal = ISchoolToolCalendar(person) if self.request.has_key('event_id'): event = cal.find(self.request['event_id']) else: start_date = self.request.get('start_date') start_time = self.request.get('start_time') title = self.request.get('title') start_datetime = "%s %s" % (start_date, start_time) start_datetime = datetime(*strptime(start_datetime, "%Y-%m-%d %H:%M")[0:6]) start_datetime = self.timezone.localize(start_datetime) start_datetime = start_datetime.astimezone(pytz.UTC) duration = timedelta(seconds=int(self.request.get('duration'))) event = CalendarEvent(dtstart = start_datetime, duration = duration, title = title) cal.addEvent(event) if event: resource = app["resources"].get(self.request['resource_id']) if resource is not None: resource_calendar = ISchoolToolCalendar(resource) if not canAccess(resource_calendar, "addEvent"): raise Unauthorized("You don't have the right to" " book this resource!") event.bookResource(resource) self.request.response.redirect(self.nextURL(event))
def update(self): self.collator = ICollator(self.request.locale) relationships = Membership.bind(member=self.context).all().relationships group_states = self.app_states('group-membership') student_states = self.app_states('student-enrollment') schoolyears_data = {} for link_info in relationships: group = removeSecurityProxy(link_info.target) if ISection.providedBy(group) or not canAccess(group, 'title'): continue sy = ISchoolYear(group.__parent__) if sy not in schoolyears_data: schoolyears_data[sy] = [] schoolyears_data[sy].append((group, link_info)) self.schoolyears = [] for sy in sorted(schoolyears_data, key=lambda x:x.first, reverse=True): sy_info = { 'obj': sy, 'css_class': 'active' if sy is self.schoolyear else 'inactive', 'groups': [], } for group, link_info in sorted(schoolyears_data[sy], key=lambda x:self.collator.key( x[0].title)): is_students = group.__name__ == 'students' app_states = student_states if is_students else group_states states = self.group_current_states(link_info, app_states) group_info = { 'obj': group, 'title': group.title, 'states': states, } sy_info['groups'].append(group_info) self.schoolyears.append(sy_info)
def getActionBotton_Detail(item, formatter, isRequirement=False): """Action Buttons for Overview in Web-Browser """ if type(item) is dict: item = item["obj"] resource_path = getAdapter(formatter.request, name='pics')() ttid = u"details" + item.getObjectId() view_url = absoluteURL(item, formatter.request) + '/@@details.html' myAdapter = zapi.queryMultiAdapter((item, formatter.request), name='details.html') if myAdapter is not None and canAccess(myAdapter,'render'): view_html = u'<a href="%s">' % (view_url) + \ u'<img id="%s" alt="Info" src="%s/Info.png" /></a>' % \ (ttid, resource_path) if isRequirement and item.ikComment is not None: tooltip_text = item.ikComment.replace("\r\n", "<br />") else: tooltip_text = _(u'details of this object') else: view_html = u'<img id="%s" alt="Details" src="%s/Info_gr.png" />' % \ (ttid, resource_path) tooltip_text = _(u'viewing details is not permitted') tooltip = u"<script type=\"text/javascript\">tt_%s = new YAHOO." \ u"widget.Tooltip('tt_%s', { autodismissdelay:'15000', " \ u"context:'%s', text:'%s' });</script>" \ % (ttid, ttid, ttid, tooltip_text) return view_html + tooltip
def items(self): """Return items to be shown in the calendar overlay. Does not include "my calendar". Each item is a dict with the following keys: 'title' - title of the calendar 'calendar' - the calendar object 'color1', 'color2' - colors assigned to this calendar 'id' - identifier for form controls 'checked' - was this item checked for display (either "checked" or None)? """ person = IPerson(self.request.principal) items = [((item.calendar.title, getPath(item.calendar.__parent__)), { 'title': item.calendar.title, 'id': getPath(item.calendar.__parent__), 'calendar': item.calendar, 'checked': item.show and "checked" or '', 'color1': item.color1, 'color2': item.color2 }) for item in person.overlaid_calendars if canAccess(item.calendar, '__iter__')] items.sort() return [i[-1] for i in items]
def update(self): self.collator = ICollator(self.request.locale) groups = [ group for group in self.context.groups if (canAccess(group, 'title') and not ISection.providedBy(group)) ] schoolyears_data = {} for group in groups: sy = ISchoolYear(group.__parent__) if sy not in schoolyears_data: schoolyears_data[sy] = [] schoolyears_data[sy].append(group) self.schoolyears = [] for sy in sorted(schoolyears_data, key=lambda x: x.first, reverse=True): sy_info = { 'obj': sy, 'groups': sorted(schoolyears_data[sy], cmp=self.collator.cmp, key=lambda x: x.title) } self.schoolyears.append(sy_info)
def getActionBotton_Delete(item, formatter): """Action Buttons for Overview in Web-Browser """ if type(item) is dict: item = item["obj"] resource_path = getAdapter(formatter.request, name='pics')() ttid = u"delete" + item.getObjectId() trash_url = absoluteURL(item, formatter.request) + '/@@delete.html' myAdapter = zapi.queryMultiAdapter((item, formatter.request), name='delete.html') if myAdapter is not None and canAccess(myAdapter,'render') \ and item.canBeDeleted(): trash_html = u'<a href="%s">' % (trash_url) + \ u'<img id="%s" alt="Trash" src="%s/Trash.png" /></a>' % \ (ttid, resource_path) tooltip_text = _(u'delete this object') else: trash_html = u'<img id="%s" alt="Trash" src="%s/Trash_gr.png" />' % \ (ttid, resource_path) tooltip_text = _(u'deleting this object is not permitted') if not item.canBeDeleted(): tooltip_text += _(u',<br/>referenced by other objects') tooltip = u"<script type=\"text/javascript\">tt_%s = new YAHOO." \ u"widget.Tooltip('tt_%s', { autodismissdelay:'15000', " \ u"context:'%s', text:'%s' });</script>" \ % (ttid, ttid, ttid, tooltip_text) return trash_html + tooltip
def objs(self): """List of Content objects""" objWithPermisson = [] # allObj = getAllUtilitiesRegisteredFor(ISuperclass) # allObj = getAllUtilitiesRegisteredFor(Interface, context=self.context) smFolder = self.context.getParent() allObj = smFolder.values() for obj in allObj: if ISuperclass.providedBy(obj): if canAccess(obj, 'ikName'): myAdapter = zapi.queryMultiAdapter((obj, self.request), name='details.html') if myAdapter is not None and canAccess( myAdapter, 'render'): objWithPermisson.append(obj) return objWithPermisson
def allowRename(self): if IRenameNotAllowed.providedBy(self.context): return False container = self.context.__parent__ return (IWriteContainer.providedBy(container) and not IContainerNamesContainer.providedBy(container) and canAccess(container, '__setitem__'))
def getApplicationCalendar(self): if self.user is None: return None app = ISchoolToolApplication(None) calendar = ISchoolToolCalendar(app) if not canAccess(calendar, '__iter__'): return None return calendar
def canAccess(self): """See z3c.form.interfaces.IDataManager""" context = self.context if self.field.interface is not None: context = self.field.interface(context) if isinstance(context, Proxy): return canAccess(context, self.field.__name__) return True
def render(self): """Return the template with the option 'menus'""" objWithPermisson = [] utilManager = getUtility(IUtilManager) smFolder = utilManager.getParent() allObj = smFolder.values() for obj in allObj: if ISuperclass.providedBy(obj): if canAccess(obj, 'ikName'): myAdapter = zapi.queryMultiAdapter((obj, self.request), name='details.html') if myAdapter is not None and canAccess( myAdapter, 'render'): objWithPermisson.append(obj) if len(objWithPermisson) > 0: return self.template() else: return u''
def objs(self): """List of Content objects""" objWithPermisson = [] allObj = getAllUtilitiesRegisteredFor(ISuperclass) for obj in allObj: myAdapter = zapi.queryMultiAdapter((obj, self.request), name='details.html') if myAdapter is not None and canAccess(myAdapter, 'render'): objWithPermisson.append(obj) return objWithPermisson
def getResourceCalendars(self): if self.user is None: return [] app = ISchoolToolApplication(None) result = [] for obj in app['resources'].values(): calendar = ISchoolToolCalendar(obj) if canAccess(calendar, '__iter__'): result.append(calendar) return result
def can_write(self): """Can the current user write to the attribute.""" if canWrite(self.context, self.attribute_name): return True elif self.mutator_method_name is not None: # The user may not have write access on the attribute itself, but # the REST API may have a mutator method configured, such as # transitionToAssignee. return canAccess(self.context, self.mutator_method_name) else: return False
def anchor(value, item, formatter): """ anchor method will return a html formated anchor""" try: myAdapter = zapi.queryMultiAdapter((item, formatter.request), name=view) if myAdapter is not None and canAccess(myAdapter, 'render'): url = absoluteURL(item, formatter.request) + '/' + view return u'<a href="%s">%s</a>' % (url, value) else: return u'%s' % (value) except Exception: return u'%s' % (value)
def getApplicationCalendar(self): """Return the application calendar. Returns None if the user lacks sufficient permissions. """ user = IPerson(self.request.principal, None) if user: app = ISchoolToolApplication(None) calendar = ISchoolToolCalendar(app) if canAccess(calendar, '__iter__'): return {'title': app.title, 'selected': calendar in user.overlaid_calendars, 'calendar': calendar} return {}
def year(self): year = self.schoolyear if year is not None: return { 'title': _(u'School Year: ${year_title}', mapping={'year_title': year.title}), 'first': year.first, 'last': year.last, 'empty': not bool(tuple(year.values())), 'canModify': canAccess(year, '__delitem__'), 'addurl': absoluteURL(year, self.request) + '/add.html', 'alt': _(u'Add a new term to ${year_title}', mapping={'year_title': year.title}), }
def getApplicationCalendar(self): """Return the application calendar. Returns None if the user lacks sufficient permissions. """ user = IPerson(self.request.principal, None) if user: app = ISchoolToolApplication(None) calendar = ISchoolToolCalendar(app) if canAccess(calendar, '__iter__'): return { 'title': app.title, 'selected': calendar in user.overlaid_calendars, 'calendar': calendar } return {}
def getCalendars(self, container): """List all calendars from a given container.""" user = removeSecurityProxy(IPerson(self.request.principal, None)) if user is None: return [] app = ISchoolToolApplication(None) result = [] for obj in app[container].values(): calendar = ISchoolToolCalendar(obj) if obj is not user and canAccess(calendar, '__iter__'): result.append( {'id': obj.__name__, 'title': obj.title, 'selected': calendar in user.overlaid_calendars, 'calendar': calendar}) return sorted(result, key=lambda item: (item['title'], item['id']))
def getCalendars(self, container): """List all calendars from a given container.""" user = removeSecurityProxy(IPerson(self.request.principal, None)) if user is None: return [] app = ISchoolToolApplication(None) result = [] for obj in app[container].values(): calendar = ISchoolToolCalendar(obj) if obj is not user and canAccess(calendar, '__iter__'): result.append({ 'id': obj.__name__, 'title': obj.title, 'selected': calendar in user.overlaid_calendars, 'calendar': calendar }) return sorted(result, key=lambda item: (item['title'], item['id']))
def update(self): self.collator = ICollator(self.request.locale) groups = [ group for group in self.context.groups if (canAccess(group, 'title') and not ISection.providedBy(group))] schoolyears_data = {} for group in groups: sy = ISchoolYear(group.__parent__) if sy not in schoolyears_data: schoolyears_data[sy] = [] schoolyears_data[sy].append(group) self.schoolyears = [] for sy in sorted(schoolyears_data, key=lambda x:x.first, reverse=True): sy_info = {'obj': sy, 'groups': sorted(schoolyears_data[sy], cmp=self.collator.cmp, key=lambda x:x.title)} self.schoolyears.append(sy_info)
def getActionBotton_History(item, formatter): """Action Buttons for Overview in Web-Browser """ resource_path = getAdapter(formatter.request, name='pics')() ttid = u"history" + item.getObjectId() hist_url = absoluteURL(item, formatter.request) + '/@@history.html' myAdapter = zapi.queryMultiAdapter((item, formatter.request), name='history.html') if myAdapter is not None and canAccess(myAdapter, 'render'): hist_html = u'<a href="%s">' % (hist_url) + \ u'<img id="%s" alt="History" src="%s/Doc.png" /></a>' % \ (ttid, resource_path) tooltip_text = _(u'history this object') else: hist_html = u'<img id="%s" alt="History" src="%s/Doc_gr.png" />' % \ (ttid, resource_path) tooltip_text = _(u'viewing the history is not permitted') tooltip = u"<script type=\"text/javascript\">tt_%s = new YAHOO." \ u"widget.Tooltip('tt_%s', { autodismissdelay:'15000', " \ u"context:'%s', text:'%s' });</script>" \ % (ttid, ttid, ttid, tooltip_text) return hist_html + tooltip
def update(self): self.collator = ICollator(self.request.locale) relationships = Membership.bind( member=self.context).all().relationships group_states = self.app_states('group-membership') student_states = self.app_states('student-enrollment') schoolyears_data = {} for link_info in relationships: group = removeSecurityProxy(link_info.target) if ISection.providedBy(group) or not canAccess(group, 'title'): continue sy = ISchoolYear(group.__parent__) if sy not in schoolyears_data: schoolyears_data[sy] = [] schoolyears_data[sy].append((group, link_info)) self.schoolyears = [] for sy in sorted(schoolyears_data, key=lambda x: x.first, reverse=True): sy_info = { 'obj': sy, 'css_class': 'active' if sy is self.schoolyear else 'inactive', 'groups': [], } for group, link_info in sorted( schoolyears_data[sy], key=lambda x: self.collator.key(x[0].title)): is_students = group.__name__ == 'students' app_states = student_states if is_students else group_states states = self.group_current_states(link_info, app_states) group_info = { 'obj': group, 'title': group.title, 'states': states, } sy_info['groups'].append(group_info) self.schoolyears.append(sy_info)
def getActionBotton_Edit(item, formatter): """Action Buttons for Overview in Web-Browser """ if type(item) is dict: item = item["obj"] resource_path = getAdapter(formatter.request, name='pics')() ttid = u"edit" + item.getObjectId() edit_url = absoluteURL(item, formatter.request) + '/@@edit.html' myAdapter = zapi.queryMultiAdapter((item, formatter.request), name='edit.html') if myAdapter is not None and canAccess(myAdapter,'render'): edit_html = u'<a href="%s">' % (edit_url) + \ u'<img id="%s" alt="Edit" src="%s/Hand.png" /></a>' % \ (ttid, resource_path) tooltip_text = _(u'edit this object') else: edit_html = u'<img id="%s" alt="Edit" src="%s/Hand_gr.png" />' % \ (ttid, resource_path) tooltip_text = _(u'editing is not permitted') tooltip = u"<script type=\"text/javascript\">tt_%s = new YAHOO." \ u"widget.Tooltip('tt_%s', { autodismissdelay:'15000', " \ u"context:'%s', text:'%s' });</script>" \ % (ttid, ttid, ttid, tooltip_text) return edit_html + tooltip
def canModify(self): return canAccess(self.container, '__delitem__')
def canAccess(self): (name, context) = self._name_and_context() if isinstance(context, Proxy): return canAccess(context, name) return True
def test_cannot_setBranch(self): sourcepackage = self.factory.makeSourcePackage() self.failIf( canAccess(sourcepackage, 'setBranch'), "setBranch should only be available to admins and uploaders")
def test_canWrite_canAccess(self): # the canWrite and canAccess functions are conveniences. Often code # wants to check if a certain option is open to a user before # presenting it. If the code relies on a certain permission, the # Zope 3 goal of keeping knowledge of security assertions out of the # code and only in the zcml assertions is broken. Instead, ask if the # current user canAccess or canWrite some pertinent aspect of the # object. canAccess is used for both read access on an attribute # and call access to methods. # For example, consider this humble pair of class and object. class SomeClass(object): pass obj = SomeClass() # We will establish a checker for the class. This is the standard # name-based checker, and works by specifying two dicts, one for read # and one for write. Each item in the dictionary should be an # attribute name and the permission required to read or write it. # For these tests, the SecurityPolicy defined at the top of this file # is in place. It is a stub. Normally, the security policy would # have knowledge of interactions and participants, and would determine # on the basis of the particpants and the object if a certain permission # were authorized. This stub simply says that the 'test_allowed' # permission is authorized and nothing else is, for any object you pass # it. # Therefore, according to the checker created here, the current # 'interaction' (as stubbed out in the security policy) will be allowed # to access and write foo, and access bar. The interaction is # unauthorized for accessing baz and writing bar. Any other access or # write is not merely unauthorized but forbidden--including write access # for baz. checker = Checker( {'foo':'test_allowed', # these are the read settings 'bar':'test_allowed', 'baz':'you_will_not_have_this_permission'}, {'foo':'test_allowed', # these are the write settings 'bar':'you_will_not_have_this_permission', 'bing':'you_will_not_have_this_permission'}) defineChecker(SomeClass, checker) # so, our hapless interaction may write and access foo... self.assert_(canWrite(obj, 'foo')) self.assert_(canAccess(obj, 'foo')) # ...may access, but not write, bar... self.assert_(not canWrite(obj, 'bar')) self.assert_(canAccess(obj, 'bar')) # ...and may access baz. self.assert_(not canAccess(obj, 'baz')) # there are no security assertions for writing or reading shazam, so # checking these actually raises Forbidden. The rationale behind # exposing the Forbidden exception is primarily that it is usually # indicative of programming or configuration errors. self.assertRaises(Forbidden, canAccess, obj, 'shazam') self.assertRaises(Forbidden, canWrite, obj, 'shazam') # However, we special-case canWrite when an attribute has a Read # setting but no Write setting. Consider the 'baz' attribute from the # checker above: it is readonly. All users are forbidden to write # it. This is a very reasonable configuration. Therefore, canWrite # will hide the Forbidden exception if and only if there is a # setting for accessing the attribute. self.assert_(not canWrite(obj, 'baz')) # The reverse is not true at the moment: an unusal case like the # write-only 'bing' attribute will return a boolean for canWrite, # but canRead will simply raise a Forbidden exception, without checking # write settings. self.assert_(not canWrite(obj, 'bing')) self.assertRaises(Forbidden, canAccess, obj, 'bing')
def test_canWrite_canAccess(self): # the canWrite and canAccess functions are conveniences. Often code # wants to check if a certain option is open to a user before # presenting it. If the code relies on a certain permission, the # Zope 3 goal of keeping knowledge of security assertions out of the # code and only in the zcml assertions is broken. Instead, ask if the # current user canAccess or canWrite some pertinent aspect of the # object. canAccess is used for both read access on an attribute # and call access to methods. # For example, consider this humble pair of class and object. class SomeClass(object): pass obj = SomeClass() # We will establish a checker for the class. This is the standard # name-based checker, and works by specifying two dicts, one for read # and one for write. Each item in the dictionary should be an # attribute name and the permission required to read or write it. # For these tests, the SecurityPolicy defined at the top of this file # is in place. It is a stub. Normally, the security policy would # have knowledge of interactions and participants, and would determine # on the basis of the particpants and the object if a certain permission # were authorized. This stub simply says that the 'test_allowed' # permission is authorized and nothing else is, for any object you pass # it. # Therefore, according to the checker created here, the current # 'interaction' (as stubbed out in the security policy) will be allowed # to access and write foo, and access bar. The interaction is # unauthorized for accessing baz and writing bar. Any other access or # write is not merely unauthorized but forbidden--including write access # for baz. checker = Checker( { 'foo': 'test_allowed', # these are the read settings 'bar': 'test_allowed', 'baz': 'you_will_not_have_this_permission' }, { 'foo': 'test_allowed', # these are the write settings 'bar': 'you_will_not_have_this_permission', 'bing': 'you_will_not_have_this_permission' }) defineChecker(SomeClass, checker) # so, our hapless interaction may write and access foo... self.assert_(canWrite(obj, 'foo')) self.assert_(canAccess(obj, 'foo')) # ...may access, but not write, bar... self.assert_(not canWrite(obj, 'bar')) self.assert_(canAccess(obj, 'bar')) # ...and may access baz. self.assert_(not canAccess(obj, 'baz')) # there are no security assertions for writing or reading shazam, so # checking these actually raises Forbidden. The rationale behind # exposing the Forbidden exception is primarily that it is usually # indicative of programming or configuration errors. self.assertRaises(Forbidden, canAccess, obj, 'shazam') self.assertRaises(Forbidden, canWrite, obj, 'shazam') # However, we special-case canWrite when an attribute has a Read # setting but no Write setting. Consider the 'baz' attribute from the # checker above: it is readonly. All users are forbidden to write # it. This is a very reasonable configuration. Therefore, canWrite # will hide the Forbidden exception if and only if there is a # setting for accessing the attribute. self.assert_(not canWrite(obj, 'baz')) # The reverse is not true at the moment: an unusal case like the # write-only 'bing' attribute will return a boolean for canWrite, # but canRead will simply raise a Forbidden exception, without checking # write settings. self.assert_(not canWrite(obj, 'bing')) self.assertRaises(Forbidden, canAccess, obj, 'bing')
def authorized(self, result): obj = result.object() defaultview = getDefaultViewName(obj, self.request) view = queryMultiAdapter((ProxyFactory(obj), self.request), name=defaultview) return canAccess(view, "__call__")
def getPersons(self): return [member for member in self.context.members if canAccess(member, 'title')]
def canModify(self): return canAccess(self.context.__parent__, '__delitem__')
def can_delete(self): container = self.context.__parent__ if not IWriteContainer.providedBy(container): raise NotImplementedError() return canAccess(container, '__delitem__')
def canAccess(self): """See z3c.form.interfaces.IDataManager""" context = self.adapted_context if isinstance(context, Proxy): return canAccess(context, self.field.__name__) return True
def traverse(self, name, furtherPath=()): """XXX""" return [item for item in self.context if canAccess(item, name)]
def traverse(self, name, furtherPath=()): """Returns True if self.context.(name) can be accessed.""" return canAccess(self.context, name)
def render(self): # This check is necessary because the user can be a leader # of the context group, which gives him schooltool.edit on it if canAccess(self.context.__parent__, '__delitem__'): if self.renderable_items: return super(GroupManageActionsLinks, self).render()
def canDisplay(self, attr_name): """ object can and should be displayed """ return canAccess(self.context, attr_name)
def render(self): # This check is necessary because the user can be a leader # of the context course, which gives him schooltool.edit on it if canAccess(self.context.__parent__, '__delitem__'): return super(CourseActionsLinks, self).render()