| author | Chris McDonough <chrism@agendaless.com> | 2009-01-25 06:24:03 +0000 |
|---|---|---|
| committer | Chris McDonough <chrism@agendaless.com> | 2009-01-25 06:24:03 +0000 |
| commit | 23277531195c7d218f8d43768976e5fefb053991 (patch) | |
| tree | 56f06449cc138c40019b334775b14ad80124f5e5 /repoze/bfg/security.py | |
| parent | a81af4583238abbea7f9308397fd89fd615651a1 (diff) | |
| download | pyramid-23277531195c7d218f8d43768976e5fefb053991.tar.gz pyramid-23277531195c7d218f8d43768976e5fefb053991.tar.bz2 pyramid-23277531195c7d218f8d43768976e5fefb053991.zip | |
- Get rid of ``repoze.bfg.security.ACLAuthorizer``: the
``ACLSecurityPolicy`` now does what it did inline.
- Get rid of ``repoze.bfg.interfaces.NoAuthorizationInformation``
exception: it was used only by ``ACLAuthorizer``.
Diffstat (limited to 'repoze/bfg/security.py')
| -rw-r--r-- | repoze/bfg/security.py | 60 |
1 files changed, 24 insertions, 36 deletions
diff --git a/repoze/bfg/security.py b/repoze/bfg/security.py
index 5ad3174da..a93c88695 100644
--- a/repoze/bfg/security.py
+++ b/repoze/bfg/security.py
@@ -6,7 +6,6 @@ from repoze.bfg.location import lineage
 from repoze.bfg.interfaces import ISecurityPolicy
 from repoze.bfg.interfaces import IViewPermission
 from repoze.bfg.interfaces import IViewPermissionFactory
-from repoze.bfg.interfaces import NoAuthorizationInformation
 
 Everyone = 'system.Everyone'
 Authenticated = 'system.Authenticated'
@@ -62,37 +61,8 @@ def principals_allowed_by_permission(context, permission):
         return [Everyone]
     return policy.principals_allowed_by_permission(context, permission)
 
-class ACLAuthorizer(object):
-
-    def __init__(self, context):
-        self.context = context
-
-    def permits(self, permission, *principals):
-        try:
-            acl = self.context.__acl__
-        except AttributeError:
-            raise NoAuthorizationInformation
-
-        for ace in acl:
-            ace_action, ace_principal, ace_permissions = ace
-            for principal in principals:
-                if ace_principal == principal:
-                    permissions = flatten(ace_permissions)
-                    if permission in permissions:
-                        if ace_action == Allow:
-                            return ACLAllowed(ace, acl, permission, principals,
-                                              self.context)
-                        else:
-                            return ACLDenied(ace, acl, permission, principals,
-                                             self.context)
-
-        # default deny if no ACE matches in the ACL found
-        result = ACLDenied(None, acl, permission, principals, self.context)
-        return result
-
 class ACLSecurityPolicy(object):
     implements(ISecurityPolicy)
-    authorizer_factory = ACLAuthorizer
 
     def __init__(self, get_principals):
         self.get_principals = get_principals
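Review bot: Removing the `authorizer_factory` class attribute means a subclass of `ACLSecurityPolicy` that assigned its own authorizer there is no longer consulted by `permits`, and nothing tells it so — the override is simply ignored and the built-in ACL walk runs instead. For an authorization hook a silent fallback is the worst failure mode; if such subclasses may exist, `__init__` could reject the stale attribute with `if getattr(self, 'authorizer_factory', None) is not None: raise TypeError('authorizer_factory is no longer supported')`, or the commit message should at least call out that the hook itself is gone, not only the `ACLAuthorizer` class. The body of `__init__` may continue past the end of this hunk.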
@@ -100,14 +70,33 @@ class ACLSecurityPolicy(object):
     def permits(self, context, request, permission):
         """ Return ``ACLAllowed`` if the policy permits access, ``ACLDenied``
         if not. """
-        principals = self.effective_principals(request)
+        principals = set(self.effective_principals(request))
+
         for location in lineage(context):
-            authorizer = self.authorizer_factory(location)
             try:
-                return authorizer.permits(permission, *principals)
-            except NoAuthorizationInformation:
+                acl = location.__acl__
+            except AttributeError:
                 continue
 
+            for ace in acl:
+                ace_action, ace_principal, ace_permissions = ace
+                if ace_principal not in principals:
+                    continue
+                for principal in principals:
+                    if ace_principal == principal:
+                        permissions = flatten(ace_permissions)
+                        if permission in permissions:
+                            if ace_action == Allow:
+                                return ACLAllowed(ace, acl, permission,
+                                                  principals, location)
+                            else:
+                                return ACLDenied(ace, acl, permission,
+                                                 principals, location)
+
+            # default deny if no ACE matches in the ACL found
+            result = ACLDenied(None, acl, permission, principals, location)
+            return result
+
         # default deny if no ACL in lineage at all
         return ACLDenied(None, None, permission, principals, context)
 
@@ -131,8 +120,7 @@ class ACLSecurityPolicy(object):
         acl = getattr(location, '__acl__', None)
         if acl is not None:
             allowed = {}
-            for ace in acl:
-                ace_action, ace_principal, ace_permissions = ace
+            for ace_action, ace_principal, ace_permissions in acl:
                 if ace_action == Allow:
                     ace_permissions = flatten(ace_permissions)
                     for ace_permission in ace_permissions:
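Review bot: In the rewritten `permits` loop a location whose `__acl__` attribute exists but is `None` is not skipped — only a missing attribute raises `AttributeError` — so `for ace in acl` would fail with a TypeError there, whereas `principals_allowed_by_permission` in the last hunk treats the same case as "no ACL here" via `getattr(location, '__acl__', None)` and `if acl is not None`; whether `__acl__ = None` occurs in practice is not visible here, but the two authorization methods should agree on what counts as an ACL, and `acl = getattr(location, '__acl__', None)` followed by `if acl is None: continue` gives that. The inner `for principal in principals: if ace_principal == principal:` loop is also redundant now that `if ace_principal not in principals: continue` precedes it and the set holds each principal once, so the body can test `permission in flatten(ace_permissions)` directly. Note too that `principals` is now a `set`, so the `principals` attribute of the returned `ACLAllowed`/`ACLDenied` changes type from the list the old code passed on — worth a line in the docstring if callers inspect it. The simplified loop is sketched below; the method's default-deny tail is unchanged.

```python
        for location in lineage(context):
            acl = getattr(location, '__acl__', None)
            if acl is None:
                continue  # no ACL at this location: keep walking the lineage

            for ace in acl:
                ace_action, ace_principal, ace_permissions = ace
                if ace_principal not in principals:
                    continue
                if permission in flatten(ace_permissions):
                    if ace_action == Allow:
                        return ACLAllowed(ace, acl, permission,
                                          principals, location)
                    return ACLDenied(ace, acl, permission,
                                     principals, location)

            # … unchanged: default deny when no ACE in this ACL matches …
```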
