async def sharing_get(context, request):
roleperm = IRolePermissionMap(context)
prinperm = IPrincipalPermissionMap(context)
prinrole = IPrincipalRoleMap(context)
result = {
'local': {},
'inherit': []
}
result['local']['roleperm'] = roleperm._bycol
result['local']['prinperm'] = prinperm._bycol
result['local']['prinrole'] = prinrole._bycol
for obj in iter_parents(context):
roleperm = IRolePermissionMap(obj, None)
url_factory = query_multi_adapter((obj, request), IAbsoluteURL)
if roleperm is not None and url_factory is not None:
prinperm = IPrincipalPermissionMap(obj)
prinrole = IPrincipalRoleMap(obj)
result['inherit'].append({
'@id': url_factory(),
'roleperm': roleperm._bycol,
'prinperm': prinperm._bycol,
'prinrole': prinrole._bycol,
})
await notify(ObjectPermissionsViewEvent(context))
return result
def settings_for_object(ob):
"""Analysis tool to show all of the grants to a process
"""
result = []
while ob is not None:
data = {}
result.append({getattr(ob, '__name__', None) or '(no name)': data})
principal_permissions = IPrincipalPermissionMap(ob, None)
if principal_permissions is not None:
settings = principal_permissions.get_principals_and_permissions()
settings.sort()
data['prinperm'] = [
{'principal': pr, 'permission': p, 'setting': s}
for (p, pr, s) in settings]
principal_roles = IPrincipalRoleMap(ob, None)
if principal_roles is not None:
settings = principal_roles.get_principals_and_roles()
data['prinrole'] = [
{'principal': p, 'role': r, 'setting': s}
for (r, p, s) in settings]
role_permissions = IRolePermissionMap(ob, None)
if role_permissions is not None:
settings = role_permissions.get_roles_and_permissions()
data['roleperm'] = [
{'permission': p, 'role': r, 'setting': s}
for (p, r, s) in settings]
ob = getattr(ob, '__parent__', None)
data = {}
result.append({'system': data})
settings = principal_permission_manager.get_principals_and_permissions()
settings.sort()
data['prinperm'] = [
{'principal': pr, 'permission': p, 'setting': s}
for (p, pr, s) in settings]
settings = principal_role_manager.get_principals_and_roles()
data['prinrole'] = [
{'principal': p, 'role': r, 'setting': s}
for (r, p, s) in settings]
settings = role_permission_manager.get_roles_and_permissions()
data['roleperm'] = [
{'permission': p, 'role': r, 'setting': s}
for (p, r, s) in settings]
return result
def cached_roles(parent: IBaseObject, permission: str,
level: str) -> typing.Dict[str, int]:
"""
Get the roles for a specific permission.
Global + Local + Code
"""
try:
cache = parent.__volatile__.setdefault('security_cache', {})
except AttributeError:
cache = {}
try:
cache_roles = cache['roles']
except KeyError:
cache_roles = cache['roles'] = {}
try:
return cache_roles[permission + level]
except KeyError:
pass
if parent is None:
roles = dict([(role, 1)
for (role,
setting) in code_roles_for_permission(permission)
if setting is Allow])
cache_roles[permission + level] = roles
return roles
perminhe = IInheritPermissionMap(parent, None)
if perminhe is None or perminhe.get_inheritance(permission) is Allow:
roles = cached_roles(getattr(parent, '__parent__', None), permission,
'p')
else:
# We don't apply global permissions also
# Its dangerous as may lead to an object who nobody can see
roles = dict()
roleper = IRolePermissionMap(parent, None)
if roleper:
roles = roles.copy()
for role, setting in roleper.get_roles_for_permission(permission):
if setting is Allow:
roles[role] = 1
elif setting is AllowSingle and level == 'o':
roles[role] = 1
elif setting is Deny and role in roles:
del roles[role]
cache_roles[permission + level] = roles
return roles
def cached_roles(self, parent, permission, level):
"""Get the roles for a specific permission.
Global + Local + Code
"""
cache = self.cache(parent)
try:
cache_roles = cache.roles
except AttributeError:
cache_roles = cache.roles = {}
try:
return cache_roles[permission]
except KeyError:
pass
if parent is None:
roles = dict([
(role, 1)
for (role, setting) in code_roles_for_permission(permission)
if setting is Allow
])
cache_roles[permission] = roles
return roles
perminhe = IInheritPermissionMap(parent, None)
if perminhe is None or perminhe.get_inheritance(permission) is Allow:
roles = self.cached_roles(getattr(parent, '__parent__', None),
permission, 'p')
else:
# We don't apply global permissions also
# Its dangerous as may lead to an object who nobody can see
roles = dict()
roleper = IRolePermissionMap(parent, None)
if roleper:
roles = roles.copy()
for role, setting in roleper.get_roles_for_permission(permission):
if setting is Allow:
roles[role] = 1
elif setting is AllowSingle and level == 'o':
roles[role] = 1
elif setting is Deny and role in roles:
del roles[role]
if level != 'o':
# Only cache on non 1rst level queries needs new way
cache_roles[permission] = roles
return roles
def cached_roles(self, parent, permission, level):
"""Get the roles for a specific permission.
Global + Local + Code
"""
cache = self.cache(parent)
try:
cache_roles = cache.roles
except AttributeError:
cache_roles = cache.roles = {}
try:
return cache_roles[permission]
except KeyError:
pass
if parent is None:
roles = dict(
[(role, 1)
for (role, setting) in code_roles_for_permission(permission)
if setting is Allow])
cache_roles[permission] = roles
return roles
perminhe = IInheritPermissionMap(parent, None)
if perminhe is None or perminhe.get_inheritance(permission) is Allow:
roles = self.cached_roles(
getattr(parent, '__parent__', None),
permission, 'p')
else:
# We don't apply global permissions also
# Its dangerous as may lead to an object who nobody can see
roles = dict()
roleper = IRolePermissionMap(parent, None)
if roleper:
roles = roles.copy()
for role, setting in roleper.get_roles_for_permission(permission):
if setting is Allow:
roles[role] = 1
elif setting is AllowSingle and level == 'o':
roles[role] = 1
elif setting is Deny and role in roles:
del roles[role]
if level != 'o':
# Only cache on non 1rst level queries needs new way
cache_roles[permission] = roles
return roles
def cached_roles(self, parent, permission, level):
"""Get the roles for a specific permission.
Global + Local + Code
"""
cache = self.cache(parent)
try:
cache_roles = cache.roles
except AttributeError:
cache_roles = cache.roles = {}
try:
return cache_roles[permission]
except KeyError:
pass
if parent is None:
roles = dict([
(role, 1)
for (role, setting) in code_roles_for_permission(permission)
if setting is Allow
])
cache_roles[permission] = roles
return roles
roles = self.cached_roles(getattr(parent, '__parent__', None),
permission, 'p')
roleper = IRolePermissionMap(parent, None)
if roleper:
roles = roles.copy()
for role, setting in roleper.get_roles_for_permission(permission):
if setting is Allow:
roles[role] = 1
elif setting is AllowSingle and level == 'o':
roles[role] = 1
elif setting is Deny and role in roles:
del roles[role]
if level != 'o':
# Only cache on non 1rst level queries needs new way
cache_roles[permission] = roles
return roles
async def sharing_get(context, request):
roleperm = IRolePermissionMap(context)
prinperm = IPrincipalPermissionMap(context)
prinrole = IPrincipalRoleMap(context)
result = {"local": {}, "inherit": []}
result["local"]["roleperm"] = roleperm._bycol
result["local"]["prinperm"] = prinperm._bycol
result["local"]["prinrole"] = prinrole._bycol
for obj in iter_parents(context):
roleperm = IRolePermissionMap(obj, None)
url = get_object_url(obj, request)
if roleperm is not None and url is not None:
prinperm = IPrincipalPermissionMap(obj)
prinrole = IPrincipalRoleMap(obj)
result["inherit"].append({
"@id": url,
"roleperm": roleperm._bycol,
"prinperm": prinperm._bycol,
"prinrole": prinrole._bycol,
})
await notify(ObjectPermissionsViewEvent(context))
return result
def settings_for_object(ob):
"""Analysis tool to show all of the grants to a process
"""
result = []
locked_permissions = []
while ob is not None:
data = {}
result.append({getattr(ob, "__name__", None) or "(no name)": data})
principal_permissions = IPrincipalPermissionMap(ob, None)
if principal_permissions is not None:
settings = principal_permissions.get_principals_and_permissions()
settings.sort()
data["prinperm"] = [{
"principal": pr,
"permission": p,
"setting": s
} for (p, pr, s) in settings]
principal_roles = IPrincipalRoleMap(ob, None)
if principal_roles is not None:
settings = principal_roles.get_principals_and_roles()
data["prinrole"] = [{
"principal": p,
"role": r,
"setting": s
} for (r, p, s) in settings]
role_permissions = IRolePermissionMap(ob, None)
if role_permissions is not None:
settings = role_permissions.get_roles_and_permissions()
data["roleperm"] = [{
"permission": p,
"role": r,
"setting": s
} for (p, r, s) in settings if p not in locked_permissions]
inherit_permissions = IInheritPermissionMap(ob)
if inherit_permissions is not None:
settings = inherit_permissions.get_locked_permissions()
data["perminhe"] = []
for (p, s) in settings:
if s is Deny:
locked_permissions.append(p)
data["perminhe"].append({"permission": p, "setting": s})
ob = getattr(ob, "__parent__", None)
data = {}
result.append({"system": data})
settings = principal_permission_manager.get_principals_and_permissions()
settings.sort()
data["prinperm"] = [{
"principal": pr,
"permission": p,
"setting": s
} for (p, pr, s) in settings]
settings = principal_role_manager.get_principals_and_roles()
data["prinrole"] = [{
"principal": p,
"role": r,
"setting": s
} for (r, p, s) in settings]
settings = role_permission_manager.get_roles_and_permissions()
data["roleperm"] = [{
"permission": p,
"role": r,
"setting": s
} for (p, r, s) in settings if p not in locked_permissions]
return result
def settings_for_object(ob):
"""Analysis tool to show all of the grants to a process
"""
result = []
locked_permissions = []
while ob is not None:
data = {}
result.append({getattr(ob, '__name__', None) or '(no name)': data})
principal_permissions = IPrincipalPermissionMap(ob, None)
if principal_permissions is not None:
settings = principal_permissions.get_principals_and_permissions()
settings.sort()
data['prinperm'] = [
{'principal': pr, 'permission': p, 'setting': s}
for (p, pr, s) in settings]
principal_roles = IPrincipalRoleMap(ob, None)
if principal_roles is not None:
settings = principal_roles.get_principals_and_roles()
data['prinrole'] = [
{'principal': p, 'role': r, 'setting': s}
for (r, p, s) in settings]
role_permissions = IRolePermissionMap(ob, None)
if role_permissions is not None:
settings = role_permissions.get_roles_and_permissions()
data['roleperm'] = [
{'permission': p, 'role': r, 'setting': s}
for (p, r, s) in settings if p not in locked_permissions]
inherit_permissions = IInheritPermissionMap(ob)
if inherit_permissions is not None:
settings = inherit_permissions.get_locked_permissions()
data['perminhe'] = []
for (p, s) in settings:
if s is Deny:
locked_permissions.append(p)
data['perminhe'].append({'permission': p, 'setting': s})
ob = getattr(ob, '__parent__', None)
data = {}
result.append({'system': data})
settings = principal_permission_manager.get_principals_and_permissions()
settings.sort()
data['prinperm'] = [
{'principal': pr, 'permission': p, 'setting': s}
for (p, pr, s) in settings]
settings = principal_role_manager.get_principals_and_roles()
data['prinrole'] = [
{'principal': p, 'role': r, 'setting': s}
for (r, p, s) in settings]
settings = role_permission_manager.get_roles_and_permissions()
data['roleperm'] = [
{'permission': p, 'role': r, 'setting': s}
for (p, r, s) in settings if p not in locked_permissions]
return result
