Changeset 49
- Timestamp:
- 08/27/06 06:07:22 (2 years ago)
- Files:
-
- trunk/src/dm/accesscontrol.py (modified) (12 diffs)
- trunk/src/dm/exceptions.py (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
- Modified
- Copied
- Moved
trunk/src/dm/accesscontrol.py
r48 r49 4 4 5 5 class BaseAccessController(object): 6 "Controls authorisations for named actions with protected objects." 6 """Template class for controlling access to protected objects. 7 8 Client objects will call the isAuthorised() method with keywords: 9 10 accessController.isAuthorised( 11 person=joe, actionName='Update', protectedObject=joe 12 ) 13 14 Concrete access controllers inheriting this class simply involve 15 domain objects holding grants in the access control scheme by 16 implementing the default assertAccessAuthorised() method. 17 18 Access is denied by raising the AccessNotAuthorised exception in the 19 assertAccessAuthorised() method implementation. Likewise, access is 20 authorised by raising the AccessIsAuthorised exception within this method. 21 22 To check whether an object's grants include the pertaining permission, 23 call the isPermissionGranted() method with the object's grants register 24 and test the return value for boolean truth. 25 """ 7 26 8 27 dictionary = RequiredFeature('SystemDictionary') … … 11 30 debug = RequiredFeature('Debug') 12 31 13 def isAuthorised(self, **kwds): 14 singleuseInstance = self.__class__() 15 return singleuseInstance.isAccessAuthorised(**kwds) 16 17 def isAccessAuthorised(self, person, actionName, protectedObject, **kwds): 32 def __init__(self): 18 33 self.action = None 19 34 self.person = None … … 22 37 self.protectedObject = None 23 38 self.visitor = None 24 if not actionName:25 return False26 if not protectedObject:27 return False28 self.setPerson(person)29 self.setAction(actionName) 30 self.setProtectedObject(protectedObject)39 40 def isAuthorised(self, **kwds): 41 singleUseInstance = self.__class__() 42 isAuthorised = singleUseInstance.isAccessAuthorised(**kwds) 43 return isAuthorised 44 45 def isAccessAuthorised(self, person, actionName, protectedObject): 31 46 try: 47 self.setPerson(person) 48 self.setAction(actionName) 49 self.setProtectedObject(protectedObject) 32 50 self.assertAccessAuthorised() 51 except AccessIsAuthorised, inst: 52 if self.debug: 53 self.logger.debug( 54 "Access Authorised: Person '%s' to '%s' object '%s'" % ( 55 self.person.name, 56 self.actionName, 57 self.protectedObject, 58 ) 59 ) 60 return True 33 61 except AccessNotAuthorised, inst: 34 62 self.logger.info( … … 40 68 ) 41 69 ) 42 return False 43 else: 44 if self.debug: 45 self.logger.debug( 46 "Access Authorised: Person '%s' to '%s' object '%s'" % ( 47 self.person.name, 48 self.actionName, 49 self.protectedObject, 50 ) 51 ) 52 return True 53 54 def setPerson(self, person=None): 55 if person != None: 70 return False 71 72 def setPerson(self, person): 73 if not person: 74 self.person = self.getVisitor() 75 else: 56 76 self.person = person 57 else:58 self.person = self.getVisitor()59 77 60 78 def setAction(self, actionName): 61 79 self.actionName = actionName 80 if not actionName: 81 raise AccessNotAuthorised("No action name.") 62 82 self.action = self.registry.actions[self.actionName] 63 83 64 84 def setProtectedObject(self, protectedObject): 85 if not protectedObject: 86 raise AccessNotAuthorised("No protected object.") 65 87 self.protectedObject = protectedObject 66 88 self.makeProtectedNames() … … 68 90 69 91 def assertAccessAuthorised(self): 70 raise AccessNotAuthorised("Access not authorised by default.")71 92 raise AccessNotAuthorised("Access not authorised, by default.") 93 72 94 def getPermissionObject(self): 73 95 if self.permissionObject == None: … … 75 97 self.permissionObject = permission 76 98 return self.permissionObject 77 99 100 def isPermissionGranted(self, grants): 101 return self.getPermissionObject() in grants 102 78 103 def isRoleAuthorised(self, role): 79 permission = self.getPermissionObject() 80 if permission in role.grants: 81 if self.debug: 82 msg = "Access authorised against '%s' role." % role.name 104 if self.isPermissionGranted(role.grants): 105 if self.debug: 106 msg = "Access authorised by '%s' role." % role.name 83 107 self.logger.debug(msg) 84 108 return True … … 88 112 self.logger.debug(msg) 89 113 return False 90 114 91 115 def makeProtectedNames(self): 92 116 self.protectedNames = [] … … 95 119 self.protectedNames.append(className) 96 120 else: 121 keyValue = self.protectedObject.getRegisterKeyValue() 97 122 className = self.protectedObject.__class__.__name__ 98 keyValue = self.protectedObject.getRegisterKeyValue()99 self.protectedNames.append( className + "." + str(keyValue))123 instanceName = className + "." + str(keyValue) 124 self.protectedNames.append(instanceName) 100 125 self.protectedNames.append(className) 101 126 if not self.protectedNames: … … 115 140 self.visitor = self.registry.persons[visitorName] 116 141 return self.visitor 117 142 118 143 def isPersonNotVisitor(self): 119 144 return self.person.name != self.getVisitor().name 120 145 121 146 122 147 class SystemAccessController(BaseAccessController): 123 "Introduces person al role, person system role, and visitor system role."148 "Introduces person role, and person system role to access controller." 124 149 125 150 def assertAccessAuthorised(self): 151 if self.isSystemRoleAuthorised(): 152 raise AccessIsAuthorised 153 if self.isPersonalRoleAuthorised(): 154 raise AccessIsAuthorised 155 super(SystemAccessController, self).assertAccessAuthorised() 156 157 def isSystemRoleAuthorised(self): 158 if self.isPersonAuthorisedOnSystem(): 159 return True 160 if self.isPersonNotVisitor(): # To avoid repetition. 161 if self.isVisitorAuthorisedOnSystem(): 162 return True 163 return False 164 165 def isPersonalRoleAuthorised(self): 126 166 if self.isPersonBarred(): 127 raise AccessNotAuthorised( 128 "Access barred to person." 129 ) 167 raise AccessNotAuthorised("Access barred to person.") 130 168 if self.isPersonAuthorisedPersonally(): 131 return 132 if self.isPersonAuthorisedOnSystem(): 133 return 134 if self.isPersonNotVisitor() and self.isVisitorBarred(): 135 raise AccessNotAuthorised( 136 "Access barred to visitor person." 137 ) 138 if self.isPersonNotVisitor() and self.isVisitorAuthorisedOnSystem(): 139 return 140 super(SystemAccessController, self).assertAccessAuthorised() 141 169 return True 170 if self.isPersonNotVisitor(): # To avoid repetition. 171 if self.isVisitorBarred(): 172 raise AccessNotAuthorised("Access barred to visitor person.") 173 if self.isVisitorAuthorisedPersonally(): 174 return True 175 return False 176 142 177 def isPersonBarred(self): 143 permission = self.getPermissionObject() 144 if self.person in permission.personalBars: 178 if self.isPermissionGranted(self.person.bars): 145 179 if self.debug: 146 180 msg = "Access personally barred." … … 152 186 self.logger.debug(msg) 153 187 return False 154 188 155 189 def isVisitorBarred(self): 156 permission = self.getPermissionObject() 157 if self.getVisitor() in permission.personalBars: 190 if self.isPermissionGranted(self.getVisitor().bars): 158 191 if self.debug: 159 192 msg = "Access barred to visitor." … … 165 198 self.logger.debug(msg) 166 199 return False 167 200 168 201 def isPersonAuthorisedPersonally(self): 169 permission = self.getPermissionObject() 170 if self.person in permission.personalGrants: 171 if self.debug: 172 msg = "Access personally authorised" 173 self.logger.debug(msg) 174 return True 175 else: 176 if self.debug: 177 msg = "Access not personally authorised" 178 self.logger.debug(msg) 179 return False 180 202 if self.isPermissionGranted(self.person.grants): 203 if self.debug: 204 msg = "Access personally authorised to person." 205 self.logger.debug(msg) 206 return True 207 else: 208 if self.debug: 209 msg = "Access not personally authorised to person." 210 self.logger.debug(msg) 211 return False 212 213 def isVisitorAuthorisedPersonally(self): 214 if self.isPermissionGranted(self.getVisitor().grants): 215 if self.debug: 216 msg = "Access personally authorised to visitor." 217 self.logger.debug(msg) 218 return True 219 else: 220 if self.debug: 221 msg = "Access not personally authorised to visitor." 222 self.logger.debug(msg) 223 return False 224 181 225 def isPersonAuthorisedOnSystem(self): 182 226 systemRole = self.getPersonSystemRole() 183 if self.is RoleAuthorised(systemRole):227 if self.isPermissionGranted(systemRole.grants): 184 228 if self.debug: 185 229 msg = "Access authorised by person's system role." … … 194 238 def isVisitorAuthorisedOnSystem(self): 195 239 systemRole = self.getVisitorSystemRole() 196 if self.is RoleAuthorised(systemRole):240 if self.isPermissionGranted(systemRole.grants): 197 241 if self.debug: 198 242 msg = "Access authorised by visitor's system role." trunk/src/dm/exceptions.py
r48 r49 8 8 9 9 class AccessControlException(DmException): 10 pass 11 12 class AccessIsAuthorised(AccessControlException): 10 13 pass 11 14
