Timestamp:
17 Nov 2011, 11:23:35
Author:
uli
Message:
  • Remove the unused security map, really.
  • Redesign PrincipalRoleManager for applicants to be more reusable and make sure the context attribute and all parents are searched for additional roles. Unfortunately, 'role inheritance' does not work on the basic level of RoleManagers, but we have to look up parent objects ourselves to get any additional roles.
File:
1 edited

  • main/waeup.sirp/trunk/src/waeup/sirp/applicants/securitypolicy.py

    r7119 r7126  
    3232from zope.securitypolicy.principalpermission import (
    3333    AnnotationPrincipalPermissionManager,)
    34 from zope.securitypolicy.securitymap import AnnotationSecurityMap
    3534from zope.securitypolicy.settings import Allow, Deny, Unset
    3635from waeup.sirp.applicants.interfaces import IApplicant
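Review bot: dropping the `AnnotationSecurityMap` import is consistent with removing the `ApplicantSecurityMap` subclass (it was the only user in this file), but since the class was public, grep the rest of the package (ZCML, tests, interface declarations) for remaining references to `ApplicantSecurityMap` before landing, otherwise this turns into an ImportError at grok time rather than a clean removal.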
     
    3938grok.context(IApplicant)
    4039
    41 class ApplicantSecurityMap(AnnotationSecurityMap):
    42     pass
    43 
    4440class ApplicantPrincipalRoleManager(AnnotationPrincipalRoleManager,
    4541                                    grok.Adapter):
    4642    grok.provides(IPrincipalRoleManager)
     43
     44    #: The attribute name to lookup for additional roles
     45    extra_attrib = 'course1'
     46
     47    #: List of role names to look for in `extra_attrib` and parents.
     48    external_rolenames = ['waeup.local.ClearanceOfficer',]
     49
     50    #: Role to add in case one of the above roles was found.
     51    additional_rolename = 'waeup.ApplicationsOfficer'
    4752
    4853    def getRolesForPrincipal(self, principal_id):
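Review bot: the three class attributes make the lookup configurable, but `grok.context(IApplicant)` is declared at module level, so a subclass living in another module (the reuse case the docstring advertises) must declare its own `grok.context(...)` or it will not be registered for anything; a short note on that next to `extra_attrib` would save the next user a confusing silent non-registration. Minor: `external_rolenames` is only ever used for membership tests, so a tuple or `frozenset` states more clearly that it is a constant and not meant to be mutated.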
     
    5358        to the context applicant.
    5459
    55         If the given principal has 'waeup.local.ClearanceOfficer'
    56         permissions set on the connected department, it additionally
    57         gets 'waeup.ApplicationsOfficer' role for the context
     60        If the given principal has at least one of the
     61        `external_rolenames` roles granted for the external object, it
     62        additionally gets `additional_rolename` role for the context
    5863        applicant.
     64
     65        For the additional roles the `extra_attrib` and all its parent
     66        objects are looked up, because 'role inheritance' does not
     67        work on that basic level of permission handling.
    5968
    6069        Some advantages of this approach:
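Review bot: "has at least one of the `external_rolenames` roles granted for the external object" understates what the code does: whatever setting is found for such a role (Allow or Deny) is copied verbatim onto `additional_rolename`, so a Deny on the connected course also propagates and becomes a Deny on the applicant. Suggest "has a setting for one of the `external_rolenames` roles on `extra_attrib` or one of its parents; that setting is copied to `additional_rolename`". The removed wording was also off in calling these "permissions"; they are local role assignments, which matters when someone reads this next to the permission-level code in zope.securitypolicy.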
     
    7180        - More expensive role lookups when a clearance officer wants
    7281          to see an applicant form.
     82
     83        This implementation is designed to be usable also for other
     84        contexts than applicants. You can inherit from it and set
     85        different role names to lookup/set easily via the static class
     86        attributes.
    7387        """
    7488        result = super(ApplicantPrincipalRoleManager, self
     
    7993            return result
    8094        # The principal has no local roles yet. Let's lookup the
    81         # connected dept.
    82         course = getattr(self._context, 'course1', None)
    83         dept = getattr(
    84             getattr(course, '__parent__', None),
    85             '__parent__', None)
    86         if dept is None:
    87             # No deptartment, no extra roles.
    88             return result
    89         dept_roles = IPrincipalRoleManager(dept).getRolesForPrincipal(
    90             principal_id)
    91         # 'Grant' 'waeup.ApplicationsOfficer' permissions (allow, deny
    92         # or unset) for the passed in principal id if it has clearance
    93         # officer role on the connected department.
    94         for role_id, setting in dept_roles:
    95             if role_id == 'waeup.local.ClearanceOfficer':
    96                 result.append(
    97                     ('waeup.ApplicationsOfficer', setting))
     95        # connected course, dept, etc.
     96        obj = getattr(self._context, self.extra_attrib, None)
     97        # lookup local roles for connected course and all parent
     98        # objects. This way we fake 'role inheritance'.
     99        while obj is not None:
     100            extra_roles = IPrincipalRoleManager(obj).getRolesForPrincipal(
     101                principal_id)
     102            for role_id, setting in extra_roles:
     103                if role_id in self.external_rolenames:
     104                    # Found role in external attribute or parent
     105                    # thereof. 'Grant' additional role
     106                    # permissions (allow, deny or unset) for the
     107                    # passed in principal id.
     108                    result.append(
     109                        (self.additional_rolename, setting))
     110                    return result
     111            obj = getattr(obj, '__parent__', None)
    98112        return result
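Review bot: the `while` loop returns at the first ancestor that carries any setting for an `external_rolenames` role, so the nearest object wins: a Deny stored on `course1` now hides an Allow on the department, which the replaced code (which looked only at the department) would have honoured. If nearest-wins is the intended precedence, state it in the docstring; if not, collect the settings from all ancestors first and resolve them (for example Deny over Allow, or nearest explicit setting) before appending to `result`. Two smaller points: `IPrincipalRoleManager(obj)` raises `TypeError` for any object on the path that has no such adapter, and the walk now reaches objects the old code never touched, so `IPrincipalRoleManager(obj, None)` with a skip-but-keep-walking branch is the safer form; and the kept comment "The principal has no local roles yet. Let's lookup the" now runs into "connected course, dept, etc.", which reads fine, but it would help to say explicitly that an existing local role on the applicant short-circuits the whole external lookup.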