Timestamp:
20 Nov 2011, 12:07:49 (13 years ago)
Author:
Henrik Bettermann
Message:

Implement securitypolicy in students package, which belongs to the base package, and inherit from this implementation.

File:
1 edited

  • main/waeup.sirp/trunk/src/waeup/sirp/applicants/securitypolicy.py

    r7155 r7156  
    55## $Id$
    66##
    7 ## Copyright (C) 2011 Uli Fouquet
     7## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
    88## This program is free software; you can redistribute it and/or modify
    99## it under the terms of the GNU General Public License as published by
     
    3434from zope.securitypolicy.settings import Allow, Deny, Unset
    3535from waeup.sirp.applicants.interfaces import IApplicant
    36 #from waeup.sirp.students.securitypolicy import StudentPrincipalRoleManager
     36from waeup.sirp.students.securitypolicy import StudentPrincipalRoleManager
    3737
    3838# All components in here have the same context: Applicant instances
    3939grok.context(IApplicant)
    4040
    41 class ApplicantPrincipalRoleManager(AnnotationPrincipalRoleManager,
    42                                     grok.Adapter):
     41class ApplicantPrincipalRoleManager(StudentPrincipalRoleManager):
    4342
    4443    grok.provides(IPrincipalRoleManager)
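Review bot: the new base on line 41, `class ApplicantPrincipalRoleManager(StudentPrincipalRoleManager):`, drops the explicit `grok.Adapter` base and makes the applicants module depend on `waeup.sirp.students.securitypolicy` for both adapter behaviour and role lookup, with nothing in the class saying so. Add a short class docstring stating that `getRolesForPrincipal` is inherited and which class attributes this subclass has to set, and check that the adapter is still registered for `IApplicant` through the module-level `grok.context(IApplicant)` rather than for whatever context the base class declares. If `AnnotationPrincipalRoleManager` is no longer referenced in this module after the change, its import can be dropped as well.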
     
    5352    #: Role to add in case one of the above roles was found.
    5453    additional_rolename = 'waeup.ApplicationsOfficer'
    55 
    56     def getRolesForPrincipal(self, principal_id):
    57         """Get roles for principal with id `principal_id`.
    58 
    59         Different to the default implementation, this method also
    60         takes into account local roles set on any department connected
    61         to the context applicant.
    62 
    63         If the given principal has at least one of the
    64         `external_rolenames` roles granted for the external object, it
    65         additionally gets `additional_rolename` role for the context
    66         applicant.
    67 
    68         For the additional roles the `extra_attrib` and all its parent
    69         objects are looked up, because 'role inheritance' does not
    70         work on that basic level of permission handling.
    71 
    72         Some advantages of this approach:
    73 
    74         - we don't have to store extra local roles for clearance
    75           officers in ZODB for each applicant
    76 
    77         - when local roles on a department change, we don't have to
    78           update thousands of applicants; the local role is assigned
    79           dynamically.
    80 
    81         Disadvantage:
    82 
    83         - More expensive role lookups when a clearance officer wants
    84           to see an applicant form.
    85 
    86         This implementation is designed to be usable also for other
    87         contexts than applicants. You can inherit from it and set
    88         different role names to lookup/set easily via the static class
    89         attributes.
    90         """
    91         apr_manager = AnnotationPrincipalRoleManager(self._context)
    92         result = apr_manager.getRolesForPrincipal(principal_id)
    93         if result != []:
    94             # If there are local roles defined here, no additional
    95             # lookup is done.
    96             return result
    97         # The principal has no local roles yet. Let's lookup the
    98         # connected course, dept, etc.
    99         if self.subcontainer:
    100             obj = getattr(
    101                 self._context[self.subcontainer], self.extra_attrib, None)
    102         else:
    103             obj = getattr(self._context, self.extra_attrib, None)
    104         # lookup local roles for connected course and all parent
    105         # objects. This way we fake 'role inheritance'.
    106         while obj is not None:
    107             extra_roles = IPrincipalRoleManager(obj).getRolesForPrincipal(
    108                 principal_id)
    109             for role_id, setting in extra_roles:
    110                 if role_id in self.external_rolenames:
    111                     # Found role in external attribute or parent
    112                     # thereof. 'Grant' additional role
    113                     # permissions (allow, deny or unset) for the
    114                     # passed in principal id.
    115                     result.append(
    116                         (self.additional_rolename, setting))
    117                     return result
    118             obj = getattr(obj, '__parent__', None)
    119         return result
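Review bot: with `getRolesForPrincipal` deleted here (old lines 56-119), the inherited method now decides when `additional_rolename` is granted, and if it keeps the logic removed in this hunk it reads `self.subcontainer`, `self.extra_attrib` and `self.external_rolenames`; only `additional_rolename = 'waeup.ApplicationsOfficer'` is visible in the remaining context. Confirm the other three are still set on this class, because a value silently inherited from the students class would make the lookup walk the wrong object or match the wrong role names. A regression test would pin the behaviour the deleted docstring described: a principal holding one of the external roles on the connected object should get `waeup.ApplicationsOfficer` on the applicant, with the `setting` (Allow, Deny or Unset) passed through unchanged, and a principal with local roles on the applicant should get no extra lookup.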