changeset 300:e8bd41ab7bdd

AccessControlList: do not require cfg object. Giving the cfg to the ACL object caused some issues (for example, the AclTokenizer in the whoosh branch needed cfg and was part of the schema; whoosh tries to pickle the schema, and that did not work for cfg). Refactored "auth_trusted" - this is now a user object attribute, so the ACL code does not need to know the list of trusted auth methods (which is still in cfg, but it shouldn't even be there). It is AccessControlList(acl_lines=[], default='', valid=None) now; you need to give the list of valid rights strings via the valid param. TODO: deal with cfg.acl_rights_functions, cfg.acl_rights_contents (defaults?). Got rid of the ContentACL and FunctionACL classes, they were pointless as "valid" needs to be given anyway.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 01 Aug 2011 20:08:15 +0200
parents 1e9ec607913d
children 7ed1945aeb03
files MoinMoin/_tests/__init__.py MoinMoin/app.py MoinMoin/config/default.py MoinMoin/datastruct/backends/_tests/__init__.py MoinMoin/datastruct/backends/_tests/test_wiki_groups.py MoinMoin/security/__init__.py MoinMoin/security/_tests/test_security.py MoinMoin/storage/backends/acl.py MoinMoin/user.py
diffstat 9 files changed, 28 insertions(+), 47 deletions(-) [+]
--- a/MoinMoin/_tests/__init__.py	Fri Jul 29 00:34:24 2011 +0200
+++ b/MoinMoin/_tests/__init__.py	Mon Aug 01 20:08:15 2011 +0200
@@ -39,6 +39,7 @@
 def become_trusted(username=u"TrustedUser"):
     """ modify flaskg.user to make the user valid and trusted, so it is in acl group Trusted """
     become_valid(username)
+    flaskg.user.auth_trusted = True
     flaskg.user.auth_method = app.cfg.auth_methods_trusted[0]
 
 
--- a/MoinMoin/app.py	Fri Jul 29 00:34:24 2011 +0200
+++ b/MoinMoin/app.py	Mon Aug 01 20:08:15 2011 +0200
@@ -260,6 +260,10 @@
         userobj = user.User(auth_method='invalid')
     # if we have a valid user we store it in the session
     if userobj.valid:
+        # TODO: auth_trusted should be set by the auth method (auth class
+        # could have a param where the admin could tell whether he wants to
+        # trust it)
+        userobj.auth_trusted = userobj.auth_method in app.cfg.auth_methods_trusted
         session['user.id'] = userobj.id
         session['user.auth_method'] = userobj.auth_method
         session['user.auth_attribs'] = userobj.auth_attribs
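Review bot: `userobj.auth_trusted` is only assigned inside the `if userobj.valid:` branch, so an invalid user (including the `User(auth_method='invalid')` fallback two lines above) leaves the attribute unset unless `User.__init__` defaults it, which this hunk does not show. The `Trusted` check in MoinMoin/security/__init__.py now reads `flaskg.user.auth_trusted` directly, so a missing attribute would surface as an AttributeError rather than a denial. Computing the flag before the branch keeps the default fail-closed and explicit: `userobj.auth_trusted = userobj.valid and userobj.auth_method in app.cfg.auth_methods_trusted`. The enclosing function starts before and continues after this hunk, and whether `auth_trusted` is recomputed when a user is rebuilt from the session is not visible here.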
--- a/MoinMoin/config/default.py	Fri Jul 29 00:34:24 2011 +0200
+++ b/MoinMoin/config/default.py	Mon Aug 01 20:08:15 2011 +0200
@@ -23,7 +23,7 @@
 from MoinMoin import datastruct
 from MoinMoin.auth import MoinAuth
 from MoinMoin.util import plugins
-from MoinMoin.security import FunctionACL
+from MoinMoin.security import AccessControlList
 
 
 class CacheClass(object):
@@ -71,7 +71,7 @@
         self.cache.item_group_regexact = re.compile(u'^%s$' % self.item_group_regex, re.UNICODE)
 
         # compiled functions ACL
-        self.cache.acl_functions = FunctionACL(self, [self.acl_functions])
+        self.cache.acl_functions = AccessControlList([self.acl_functions], valid=self.acl_rights_functions)
 
         plugins._loadPluginModule(self)
 
--- a/MoinMoin/datastruct/backends/_tests/__init__.py	Fri Jul 29 00:34:24 2011 +0200
+++ b/MoinMoin/datastruct/backends/_tests/__init__.py	Mon Aug 01 20:08:15 2011 +0200
@@ -14,7 +14,7 @@
 from flask import current_app as app
 from flask import g as flaskg
 
-from MoinMoin.security import ContentACL
+from MoinMoin.security import AccessControlList
 from MoinMoin.datastruct import GroupDoesNotExistError
 
 
@@ -91,7 +91,7 @@
         Check user which has rights.
         """
         acl_rights = ["AdminGroup:admin,read,write"]
-        acl = ContentACL(app.cfg, acl_rights)
+        acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)
 
         for user in self.expanded_groups['AdminGroup']:
             for permission in ["read", "write", "admin"]:
@@ -103,7 +103,7 @@
         Check user which does not have rights.
         """
         acl_rights = ["AdminGroup:read,write"]
-        acl = ContentACL(app.cfg, acl_rights)
+        acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)
 
         assert u"SomeUser" not in flaskg.groups['AdminGroup']
         for permission in ["read", "write"]:
@@ -114,7 +114,7 @@
 
     def test_backend_acl_with_all(self):
         acl_rights = ["EditorGroup:read,write,admin All:read"]
-        acl = ContentACL(app.cfg, acl_rights)
+        acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)
 
         for member in self.expanded_groups[u'EditorGroup']:
             for permission in ["read", "write", "admin"]:
@@ -128,7 +128,7 @@
         assert u'NotExistingGroup' not in flaskg.groups
 
         acl_rights = ["NotExistingGroup:read,write,admin All:read"]
-        acl = ContentACL(app.cfg, acl_rights)
+        acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)
 
         assert not acl.may(u"Someone", "write")
 
--- a/MoinMoin/datastruct/backends/_tests/test_wiki_groups.py	Fri Jul 29 00:34:24 2011 +0200
+++ b/MoinMoin/datastruct/backends/_tests/test_wiki_groups.py	Mon Aug 01 20:08:15 2011 +0200
@@ -18,7 +18,7 @@
 from MoinMoin.datastruct.backends._tests import GroupsBackendTest
 from MoinMoin.datastruct import GroupDoesNotExistError
 from MoinMoin.config import USERGROUP
-from MoinMoin.security import ContentACL
+from MoinMoin.security import AccessControlList
 from MoinMoin.user import User
 from MoinMoin._tests import become_trusted, create_random_string_list, update_item
 
@@ -110,7 +110,7 @@
         update_item(u'NewGroup', 0, {USERGROUP: ["ExampleUser"]}, DATA)
 
         acl_rights = ["NewGroup:read,write"]
-        acl = ContentACL(app.cfg, acl_rights)
+        acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)
 
         has_rights_before = acl.may(u"AnotherUser", "read")
 
--- a/MoinMoin/security/__init__.py	Fri Jul 29 00:34:24 2011 +0200
+++ b/MoinMoin/security/__init__.py	Mon Aug 01 20:08:15 2011 +0200
@@ -169,12 +169,12 @@
 
     special_users = ["All", "Known", "Trusted"] # order is important
 
-    def __init__(self, cfg, lines=[], default='', valid=None):
-        """ Initialize an ACL, starting from <nothing>. """
+    def __init__(self, lines=[], default='', valid=None):
+        """ Initialize an ACL, starting from <nothing>.
+        """
         assert valid is not None
         self.acl_rights_valid = valid
         self.default = default
-        self.auth_methods_trusted = cfg.auth_methods_trusted
         assert isinstance(lines, (list, tuple))
         if lines:
             self.acl = [] # [ ('User', {"read": 0, ...}), ... ]
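Review bot: `assert valid is not None` is now the only thing enforcing the required `valid` argument, and `assert` is stripped under `python -O`, so an ACL built without a rights list would silently proceed with `self.acl_rights_valid = None`; for an access-control constructor prefer an explicit `if valid is None: raise ValueError("valid rights list is required")`. The signature also keeps the mutable default `lines=[]`; the hunk only reads it (`assert isinstance`, `if lines:`), but `lines=()` is the safer default and still satisfies the isinstance check. The docstring's closing `"""` on its own line after a one-line summary is inconsistent with the one-liner it replaced. `__init__` continues past the end of this hunk.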
@@ -270,8 +270,7 @@
             Does not work for subsription emails that should be sent to <user>,
             as he is not logged in in that case.
         """
-        if (flaskg.user.name == name and
-            flaskg.user.auth_method in self.auth_methods_trusted):
+        if flaskg.user.name == name and flaskg.user.auth_trusted:
             return rightsdict.get(dowhat)
         return None
 
@@ -282,30 +281,6 @@
         return self.acl_lines != other.acl_lines
 
 
-class ContentACL(AccessControlList):
-    """
-    Content AccessControlList
-
-    Uses cfg.acl_rights_contents if no list of valid rights is explicitly given.
-    """
-    def __init__(self, cfg, lines=[], default='', valid=None):
-        if valid is None:
-            valid = cfg.acl_rights_contents
-        super(ContentACL, self).__init__(cfg, lines, default, valid)
-
-
-class FunctionACL(AccessControlList):
-    """
-    Function AccessControlList
-
-    Uses cfg.acl_rights_functions if no list of valid rights is explicitly given.
-    """
-    def __init__(self, cfg, lines=[], default='', valid=None):
-        if valid is None:
-            valid = cfg.acl_rights_functions
-        super(FunctionACL, self).__init__(cfg, lines, default, valid)
-
-
 class ACLStringIterator(object):
     """ Iterator for acl string
 
--- a/MoinMoin/security/_tests/test_security.py	Fri Jul 29 00:34:24 2011 +0200
+++ b/MoinMoin/security/_tests/test_security.py	Mon Aug 01 20:08:15 2011 +0200
@@ -12,7 +12,7 @@
 
 from flask import current_app as app
 
-from MoinMoin.security import ContentACL, ACLStringIterator
+from MoinMoin.security import AccessControlList, ACLStringIterator
 
 from MoinMoin.user import User
 from MoinMoin.config import ACL
@@ -218,7 +218,7 @@
             "BadGuy:  "
             "All:read  "
             ]
-        acl = ContentACL(app.cfg, acl_rights)
+        acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)
 
         # Should apply these rights:
         users = (
--- a/MoinMoin/storage/backends/acl.py	Fri Jul 29 00:34:24 2011 +0200
+++ b/MoinMoin/storage/backends/acl.py	Mon Aug 01 20:08:15 2011 +0200
@@ -47,7 +47,7 @@
 from flask import current_app as app
 from flask import g as flaskg
 
-from MoinMoin.security import ContentACL
+from MoinMoin.security import AccessControlList
 
 from MoinMoin.storage import Item, NewRevision, StoredRevision
 from MoinMoin.storage.error import NoSuchItemError, NoSuchRevisionError, AccessDeniedError
@@ -85,10 +85,10 @@
         self.cfg = cfg
         self.backend = backend
         self.hierarchic = hierarchic
-        self.valid = valid
-        self.before = ContentACL(cfg, [before], default=default, valid=valid)
-        self.default = ContentACL(cfg, [default], default=default, valid=valid)
-        self.after = ContentACL(cfg, [after], default=default, valid=valid)
+        self.valid = valid if valid is not None else cfg.acl_rights_contents
+        self.before = AccessControlList([before], default=default, valid=self.valid)
+        self.default = AccessControlList([default], default=default, valid=self.valid)
+        self.after = AccessControlList([after], default=default, valid=self.valid)
 
     def __getattr__(self, attr):
         # Attributes that this backend does not define itself are just looked
@@ -176,7 +176,7 @@
             # do not use default acl here
             acls = []
         default = self.default.default
-        return ContentACL(self.cfg, tuple(acls), default=default, valid=self.valid)
+        return AccessControlList(tuple(acls), default=default, valid=self.valid)
 
     def _may(self, itemname, right, username=None):
         """ Check if username may have <right> access on item <itemname>.
--- a/MoinMoin/user.py	Fri Jul 29 00:34:24 2011 +0200
+++ b/MoinMoin/user.py	Mon Aug 01 20:08:15 2011 +0200
@@ -399,7 +399,8 @@
     def persistent_items(self):
         """ items we want to store into the user profile """
         nonpersistent_keys = ['id', 'valid', 'may', 'auth_username',
-                              'password', 'password2', 'auth_method', 'auth_attribs',
+                              'password', 'password2',
+                              'auth_method', 'auth_attribs', 'auth_trusted',
                              ]
         return [(key, value) for key, value in vars(self).items()
                     if key not in nonpersistent_keys and key[0] != '_' and value is not None]
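Review bot: `persistent_items` filters with a denylist, so the new trust flag is kept out of the stored profile only because `'auth_trusted'` was added to `nonpersistent_keys`; any future auth-derived attribute that is not listed here would be written to the profile and, presumably, reloaded as a user attribute later. All four auth-related entries share the `auth_` prefix, so a prefix rule would make the intent self-maintaining: `if key not in nonpersistent_keys and not key.startswith('auth_') and key[0] != '_' and value is not None]`. Whether the profile loader would restore a stale `auth_trusted` value from an older profile is not visible in this hunk.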