changeset 2191:fc90d8319bba

Add hierarchical ACLs, clean the module doc string of MoinMoin.security.
author Alexander Schremmer <alex AT alexanderweb DOT de>
date Mon, 30 Apr 2007 17:27:34 +0200
parents a34d054835d3
children ab895b8095c4
files MoinMoin/config/multiconfig.py MoinMoin/security/__init__.py
diffstat 2 files changed, 62 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/MoinMoin/config/multiconfig.py	Mon Apr 30 16:34:09 2007 +0200
+++ b/MoinMoin/config/multiconfig.py	Mon Apr 30 17:27:34 2007 +0200
@@ -212,6 +212,7 @@
     acl_rights_before = u""
     acl_rights_after = u""
     acl_rights_valid = ['read', 'write', 'delete', 'revert', 'admin']
+    acl_hierarchic = False
 
     actions_excluded = [] # ['DeletePage', 'AttachFile', 'RenamePage', 'test', ]
     allow_xslt = False
--- a/MoinMoin/security/__init__.py	Mon Apr 30 16:34:09 2007 +0200
+++ b/MoinMoin/security/__init__.py	Mon Apr 30 17:27:34 2007 +0200
@@ -12,8 +12,10 @@
     and I mean the class, not an instance of it!
 
     @copyright: 2000-2004 Juergen Hermann <jh@web.de>
-    @copyright: 2003 by Thomas Waldmann, http://linuxwiki.de/ThomasWaldmann
-    @copyright: 2003 by Gustavo Niemeyer, http://moin.conectiva.com.br/GustavoNiemeyer
+                2003 by Thomas Waldmann, http://linuxwiki.de/ThomasWaldmann
+                2003 by Gustavo Niemeyer, http://moin.conectiva.com.br/GustavoNiemeyer
+                2005 by Oliver Graf
+                2007 by Alexander Schremmer
     @license: GNU GPL, see COPYING for details.
 """
 
@@ -26,6 +28,9 @@
 #############################################################################
 
 def _check(request, pagename, user, right):
+    if request.cfg.acl_hierarchic:
+        return _checkHierarchicly(request, pagename, user, right)
+
     if request.page is not None and pagename == request.page.page_name:
         p = request.page # reuse is good
     else:
@@ -33,6 +38,60 @@
     acl = p.getACL(request) # this will be fast in a reused page obj
     return acl.may(request, user, right)
 
+    
+def _checkHierarchicly(request, pagename, username, attr):
+    """ Get permission by transversing page hierarchy
+
+    We check each page in the hierarchy. We start
+    with the deepest page and recurse to the top of the tree. If one of those 
+    permits, True is returned. 
+
+    This method should not be called by users, use __getattr__
+    instead. 
+
+    @param request: the current request object
+    @param pagename: pagename to get permission from
+    @param username: the user name
+    @param attr: the attribute to check
+
+    @rtype: bool
+    @return: True if you have permission or False
+    """
+    from MoinMoin.Page import Page
+
+    # Use page hierarchy
+    pages = pagename.split('/')
+
+    # check before
+    allowed = request.cfg.cache.acl_rights_before.may(request, username, attr)
+    if allowed is not None:
+        return allowed
+    
+    # Get permission
+    some_acl = False
+    for i in range(len(pages), 0, -1):
+        # Create the next pagename in the hierarchy
+        # starting with the leave, going to the root
+        name = '/'.join(pages[:i])
+        # Get page acl and ask for permission
+        acl = Page(request, name).getACL(request)
+        if acl.acl:
+            some_acl = True
+            allowed = acl.may(request, username, attr)
+            if allowed is not None:
+                return allowed
+    if not some_acl:
+        allowed = request.cfg.cache.acl_rights_default.may(request, username, attr)
+        if allowed is not None:
+            return allowed
+
+    # check after
+    allowed = request.cfg.cache.acl_rights_after.may(request, username, attr)
+    if allowed is not None:
+        return allowed
+
+    return False
+
 
 class Permissions:
     """ Basic interface for user permissions and system policy.
@@ -57,7 +116,6 @@
     def __init__(self, user):
         self.name = user.name
         self.request = user._request
-        self.user = user
 
     def save(self, editor, newtext, rev, **kw):
         """ Check whether user may save a page.