Changeset 7156 for main/waeup.sirp/trunk/src/waeup/sirp/applicants
- Timestamp:
- 20 Nov 2011, 12:07:49 (13 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
main/waeup.sirp/trunk/src/waeup/sirp/applicants/securitypolicy.py
r7155 r7156 5 5 ## $Id$ 6 6 ## 7 ## Copyright (C) 2011 Uli Fouquet 7 ## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann 8 8 ## This program is free software; you can redistribute it and/or modify 9 9 ## it under the terms of the GNU General Public License as published by … … 34 34 from zope.securitypolicy.settings import Allow, Deny, Unset 35 35 from waeup.sirp.applicants.interfaces import IApplicant 36 #from waeup.sirp.students.securitypolicy import StudentPrincipalRoleManager36 from waeup.sirp.students.securitypolicy import StudentPrincipalRoleManager 37 37 38 38 # All components in here have the same context: Applicant instances 39 39 grok.context(IApplicant) 40 40 41 class ApplicantPrincipalRoleManager(AnnotationPrincipalRoleManager, 42 grok.Adapter): 41 class ApplicantPrincipalRoleManager(StudentPrincipalRoleManager): 43 42 44 43 grok.provides(IPrincipalRoleManager) … … 53 52 #: Role to add in case one of the above roles was found. 54 53 additional_rolename = 'waeup.ApplicationsOfficer' 55 56 def getRolesForPrincipal(self, principal_id):57 """Get roles for principal with id `principal_id`.58 59 Different to the default implementation, this method also60 takes into account local roles set on any department connected61 to the context applicant.62 63 If the given principal has at least one of the64 `external_rolenames` roles granted for the external object, it65 additionally gets `additional_rolename` role for the context66 applicant.67 68 For the additional roles the `extra_attrib` and all its parent69 objects are looked up, because 'role inheritance' does not70 work on that basic level of permission handling.71 72 Some advantages of this approach:73 74 - we don't have to store extra local roles for clearance75 officers in ZODB for each applicant76 77 - when local roles on a department change, we don't have to78 update thousands of applicants; the local role is assigned79 dynamically.80 81 Disadvantage:82 83 - More expensive role lookups when a clearance officer wants84 to see an applicant form.85 86 This implementation is designed to be usable also for other87 contexts than applicants. You can inherit from it and set88 different role names to lookup/set easily via the static class89 attributes.90 """91 apr_manager = AnnotationPrincipalRoleManager(self._context)92 result = apr_manager.getRolesForPrincipal(principal_id)93 if result != []:94 # If there are local roles defined here, no additional95 # lookup is done.96 return result97 # The principal has no local roles yet. Let's lookup the98 # connected course, dept, etc.99 if self.subcontainer:100 obj = getattr(101 self._context[self.subcontainer], self.extra_attrib, None)102 else:103 obj = getattr(self._context, self.extra_attrib, None)104 # lookup local roles for connected course and all parent105 # objects. This way we fake 'role inheritance'.106 while obj is not None:107 extra_roles = IPrincipalRoleManager(obj).getRolesForPrincipal(108 principal_id)109 for role_id, setting in extra_roles:110 if role_id in self.external_rolenames:111 # Found role in external attribute or parent112 # thereof. 'Grant' additional role113 # permissions (allow, deny or unset) for the114 # passed in principal id.115 result.append(116 (self.additional_rolename, setting))117 return result118 obj = getattr(obj, '__parent__', None)119 return result
Note: See TracChangeset for help on using the changeset viewer.