- Timestamp:
- 17 Nov 2011, 11:23:35 (13 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
main/waeup.sirp/trunk/src/waeup/sirp/applicants/securitypolicy.py
r7119 r7126 32 32 from zope.securitypolicy.principalpermission import ( 33 33 AnnotationPrincipalPermissionManager,) 34 from zope.securitypolicy.securitymap import AnnotationSecurityMap35 34 from zope.securitypolicy.settings import Allow, Deny, Unset 36 35 from waeup.sirp.applicants.interfaces import IApplicant … … 39 38 grok.context(IApplicant) 40 39 41 class ApplicantSecurityMap(AnnotationSecurityMap):42 pass43 44 40 class ApplicantPrincipalRoleManager(AnnotationPrincipalRoleManager, 45 41 grok.Adapter): 46 42 grok.provides(IPrincipalRoleManager) 43 44 #: The attribute name to lookup for additional roles 45 extra_attrib = 'course1' 46 47 #: List of role names to look for in `extra_attrib` and parents. 48 external_rolenames = ['waeup.local.ClearanceOfficer',] 49 50 #: Role to add in case one of the above roles was found. 51 additional_rolename = 'waeup.ApplicationsOfficer' 47 52 48 53 def getRolesForPrincipal(self, principal_id): … … 53 58 to the context applicant. 54 59 55 If the given principal has 'waeup.local.ClearanceOfficer'56 permissions set on the connected department, it additionally57 gets 'waeup.ApplicationsOfficer'role for the context60 If the given principal has at least one of the 61 `external_rolenames` roles granted for the external object, it 62 additionally gets `additional_rolename` role for the context 58 63 applicant. 64 65 For the additional roles the `extra_attrib` and all its parent 66 objects are looked up, because 'role inheritance' does not 67 work on that basic level of permission handling. 59 68 60 69 Some advantages of this approach: … … 71 80 - More expensive role lookups when a clearance officer wants 72 81 to see an applicant form. 82 83 This implementation is designed to be usable also for other 84 contexts than applicants. You can inherit from it and set 85 different role names to lookup/set easily via the static class 86 attributes. 73 87 """ 74 88 result = super(ApplicantPrincipalRoleManager, self … … 79 93 return result 80 94 # The principal has no local roles yet. Let's lookup the 81 # connected dept.82 course = getattr(self._context, 'course1', None)83 dept = getattr(84 getattr(course, '__parent__', None),85 '__parent__', None)86 if dept is None:87 # No deptartment, no extra roles.88 return result89 dept_roles = IPrincipalRoleManager(dept).getRolesForPrincipal(90 principal_id)91 # 'Grant' 'waeup.ApplicationsOfficer' permissions (allow, deny92 # or unset) for the passed in principal id if it has clearance93 # officer role on the connected department.94 for role_id, setting in dept_roles:95 if role_id == 'waeup.local.ClearanceOfficer':96 result.append(97 ('waeup.ApplicationsOfficer', setting))95 # connected course, dept, etc. 96 obj = getattr(self._context, self.extra_attrib, None) 97 # lookup local roles for connected course and all parent 98 # objects. This way we fake 'role inheritance'. 99 while obj is not None: 100 extra_roles = IPrincipalRoleManager(obj).getRolesForPrincipal( 101 principal_id) 102 for role_id, setting in extra_roles: 103 if role_id in self.external_rolenames: 104 # Found role in external attribute or parent 105 # thereof. 'Grant' additional role 106 # permissions (allow, deny or unset) for the 107 # passed in principal id. 108 result.append( 109 (self.additional_rolename, setting)) 110 return result 111 obj = getattr(obj, '__parent__', None) 98 112 return result
Note: See TracChangeset for help on using the changeset viewer.