Changeset 32
- Timestamp:
- 08/22/06 16:13:51 (2 years ago)
- Files:
-
- trunk/src/dm/accesscontrol.py (modified) (4 diffs)
- trunk/src/dm/accesscontroltest.py (modified) (2 diffs)
- trunk/src/dm/command/accesscontrol.py (modified) (2 diffs)
- trunk/src/dm/command/accesscontroltest.py (modified) (2 diffs)
trunk/src/dm/accesscontrol.py
r26 r32 1 from dm.ioc import *1 from dm.ioc import RequiredFeature 2 2 from dm.exceptions import * 3 from dm.command.accesscontrol import *4 3 5 4 class AbstractAccessController(object): … … 54 53 ) 55 54 return False 55 if not self.actionName in self.registry.actions: 56 if self.debug: 57 self.logger.debug( 58 "Action name '%s' not registered." % self.actionName 59 ) 60 return False 61 self.action = self.registry.actions[self.actionName] 62 if not self.action: 63 if self.debug: 64 self.logger.debug( 65 "No action for access controller." 66 ) 67 return False 56 68 if not self.protectedObject: 57 69 if self.debug: … … 67 79 68 80 def isRoleAuthorised(self, role): 69 cmd = AuthoriseAccess(role, self.actionName, self.protectedObject) 70 try: 71 cmd.execute() 72 if self.debug: 73 msg = "Access by role authorised: '%s' to '%s' with '%s'." % ( 74 role.name, self.actionName, self.protectedObject 75 ) 76 self.logger.debug(msg) 77 return True 78 except KforgeCommandError, inst: 79 if self.debug: 80 self.logger.debug(str(inst)) 81 return False 82 81 for grant in role.grants: 82 permission = grant.permission 83 if permission.action == self.action: 84 protectionObject = permission.protectionObject 85 if protectionObject.isProtector(self.protectedObject): 86 if self.debug: 87 msg = "Access by role authorised: '%s' to '%s' with '%s'." 
% (role.name, self.actionName, self.protectedObject) 88 self.logger.debug(msg) 89 return True 90 return False 91 83 92 84 93 class SystemAccessController(AbstractAccessController): … … 86 95 87 96 def hasAuthorisedRole(self): 88 if self.isPersonBarred( self.person):97 if self.isPersonBarred(): 89 98 return False 90 if self.isPersonAuthorised( self.person):99 if self.isPersonAuthorised(): 91 100 return True 92 101 if self.isSystemRoleAuthorised(): 93 102 return True 94 # todo: also use administration project?95 103 return False 96 104 97 def isPersonBarred(self, person): 98 cmd = IsPersonBarred( 99 person.name, self.actionName, self.protectedObject 100 ) 101 try: 102 cmd.execute() 103 if self.debug: 104 message = "Access by person barred: '%s' to '%s' with '%s'." % ( 105 person.name, self.actionName, self.protectedObject 106 ) 107 self.logger.debug(message) 108 return True 109 except KforgeCommandError, inst: 110 if self.debug: 111 self.logger.debug(str(inst)) 112 return False 113 114 def isPersonAuthorised(self, person): 115 cmd = AuthorisePersonalAccess( 116 person.name, self.actionName, self.protectedObject 117 ) 118 try: 119 cmd.execute() 120 if self.debug: 121 msg = "Access by person authorised: '%s' to '%s' with '%s'." % ( 122 person.name, self.actionName, self.protectedObject 123 ) 124 self.logger.debug(msg) 125 return True 126 except KforgeCommandError, inst: 127 if self.debug: 128 self.logger.debug(str(inst)) 129 return False 105 def isPersonBarred(self): 106 for bar in self.person.bars: 107 permission = bar.permission 108 if permission.action == self.action: 109 protectionObject = permission.protectionObject 110 if protectionObject.isProtector(self.protectedObject): 111 if self.debug: 112 msg = "Access by person barred: '%s' to '%s' with '%s'." 
% (self.person.name, self.actionName, self.protectedObject) 113 self.logger.debug(msg) 114 return True 115 return False 116 117 def isPersonAuthorised(self): 118 for grant in self.person.grants: 119 permission = grant.permission 120 if permission.action == self.action: 121 protectionObject = permission.protectionObject 122 if protectionObject.isProtector(self.protectedObject): 123 if self.debug: 124 msg = "Access by person authorised: '%s' to '%s' with '%s'." % (self.person.name, self.actionName, self.protectedObject) 125 self.logger.debug(msg) 126 return True 127 return False 130 128 131 129 def isSystemRoleAuthorised(self): trunk/src/dm/accesscontroltest.py
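Review bot: In trunk/src/dm/accesscontrol.py the new loops in `isRoleAuthorised`, `isPersonBarred` and `isPersonAuthorised` compare `permission.action == self.action`, but `self.action` is assigned only in the validity check at new lines 55-67, whose enclosing method starts outside the hunk. If one of the three runs without that check having been made for the current `actionName` (accesscontroltest.py reassigns `self.ac.actionName` on an existing controller), the match would presumably be made against a stale or unset action, so the grant or bar decision could be for the wrong permission. Either state the precondition in a docstring on each method or resolve the action locally after the same registration test, `action = self.registry.actions[self.actionName]`. Separately, each denial path now ends in a bare `return False`, whereas the removed code logged the command error under `self.debug`; a line such as `self.logger.debug("Access by role not authorised: ...")` before the final return would keep refused requests traceable.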
r31 r32 64 64 self.person.role = oldRole 65 65 66 def test_ personBarred(self):66 def test_isAuthorised_visitor_create_person(self): 67 67 self.person = self.registry.persons['visitor'] 68 68 self.actionName = 'Create' … … 70 70 self.ac.actionName = self.actionName 71 71 self.ac.protectedObject = self.object 72 self.failIf(self.isPersonBarred())73 72 self.failUnless(self.isAuthorised()) 74 73 75 trunk/src/dm/command/accesscontrol.py
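Review bot: In trunk/src/dm/accesscontroltest.py the renamed test drops `self.failIf(self.isPersonBarred())` and nothing in the visible sections replaces it, so the bar and grant matching that this changeset moves into the controller has no test for a refusal. The same changeset deletes the TestAuthoriseAccess and TestAuthorisePersonalAccess cases from command/accesscontroltest.py, which were the ones covering the missing-role, missing-action and no-grant paths. I would add controller-level cases here: one where a person with a matching bar is refused even though a grant also matches, and one where an unregistered action name makes `isAuthorised()` return False. The test method's body continues outside the hunk.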
r2 r32 1 1 from dm.command import Command 2 import dm.command.person3 2 from dm.exceptions import * 4 3 … … 38 37 if protectionObject.isProtector(self.protectedObject): 39 38 self.grant = grant 40 return True41 return False42 43 44 class AuthoriseAccess(AccessControlCommand):45 "General role based authorise access command."46 47 def execute(self):48 super(AuthoriseAccess, self).execute()49 if not self.findGrant():50 error = "No grant on role '%s' to '%s' object '%s'." % (51 self.role.name, self.action.name, self.protectedObject52 )53 self.raiseError(error)54 55 56 class PersonalAccessControlCommand(Command):57 "General person based authorise access command."58 59 def __init__(self, personName=None, actionName=None, protectedObject=None):60 super(PersonalAccessControlCommand, self).__init__(61 personName=personName,62 actionName=actionName,63 protectedObject=protectedObject64 )65 self.personName = personName66 self.actionName = actionName67 self.protectedObject = protectedObject68 69 def execute(self):70 super(PersonalAccessControlCommand, self).execute()71 self.validateInput()72 73 def validateInput(self):74 if not self.personName:75 raise KforgeCommandError("No person name.")76 else:77 self.person = self.registry.persons[self.personName]78 if not self.actionName:79 raise KforgeCommandError("No action name.")80 else:81 self.action = self.registry.actions[self.actionName]82 if not self.protectedObject:83 raise KforgeCommandError("No protectedObject.")84 85 86 class AuthorisePersonalAccess(PersonalAccessControlCommand):87 88 def __init__(self, *args, **kwds):89 super(AuthorisePersonalAccess, self).__init__(*args, **kwds)90 self.grant = None91 92 def execute(self):93 super(AuthorisePersonalAccess, self).execute()94 if not self.findGrant():95 error = "No grant on person '%s' to '%s' object '%s'." 
% (96 self.person.name, self.action.name, self.protectedObject97 )98 self.raiseError(error)99 100 def findGrant(self):101 for grant in self.person.grants:102 permission = grant.permission103 if permission.action == self.action:104 protectionObject = permission.protectionObject105 if protectionObject.isProtector(self.protectedObject):106 self.grant = grant107 return True108 return False109 110 111 class IsPersonBarred(PersonalAccessControlCommand):112 113 def __init__(self, *args, **kwds):114 super(IsPersonBarred, self).__init__(*args, **kwds)115 self.bar = None116 117 def execute(self):118 super(IsPersonBarred, self).execute()119 if not self.findBar():120 error = "No bar on person '%s' to '%s' object '%s'." % (121 self.person.name, self.action.name, self.protectedObject122 )123 self.raiseError(error)124 125 def findBar(self):126 for bar in self.person.bars:127 permission = bar.permission128 if permission.action == self.action:129 protectionObject = permission.protectionObject130 if protectionObject.isProtector(self.protectedObject):131 self.bar = bar132 39 return True 133 40 return False trunk/src/dm/command/accesscontroltest.py
r12 r32 6 6 def suite(): 7 7 suites = [ 8 unittest.makeSuite(TestAuthoriseAccess),9 unittest.makeSuite(TestAuthorisePersonalAccess),10 8 unittest.makeSuite(TestGrantAccess), 11 9 unittest.makeSuite(TestRevokeAccess), … … 56 54 return bar 57 55 return None 58 59 60 class TestAuthoriseAccess(TestAccessControlCommand):61 62 def setUp(self):63 super(TestAuthoriseAccess, self).setUp()64 self.setRole('Developer')65 self.setAction('Read')66 self.setProtectedObject('Person')67 68 def test_execute_no_role(self):69 cmd = AuthoriseAccess(70 None, self.actionName, self.protectedObject71 72 )73 self.failUnlessRaises(KforgeCommandError, cmd.execute)74 75 def test_execute_no_action(self):76 self.action = None77 cmd = AuthoriseAccess(78 self.roleName, '', self.protectedObject79 )80 self.failUnlessRaises(KforgeCommandError, cmd.execute)81 82 def test_execute_no_protectedObject(self):83 self.protectedObject = None84 cmd = AuthoriseAccess(85 self.roleName, self.actionName86 )87 self.failUnlessRaises(KforgeCommandError, cmd.execute)88 89 def test_execute_error(self):90 self.setRole('Visitor')91 self.setAction('Delete')92 self.setProtectedObject('Person')93 cmd = AuthoriseAccess(94 self.role, self.actionName, self.protectedObject95 )96 self.failUnlessRaises(KforgeCommandError, cmd.execute)97 98 def test_execute(self):99 cmd = AuthoriseAccess(100 self.role, self.actionName, self.protectedObject101 )102 cmd.execute()103 104 105 class TestAuthorisePersonalAccess(TestAccessControlCommand):106 107 def setUp(self):108 super(TestAuthorisePersonalAccess, self).setUp()109 self.personName = ''110 self.person = None111 112 def setPerson(self, name):113 self.personName = name114 self.person = self.registry.roles[name]115 56 116 57
