Skip to main content
This is a pre-production deployment of Warehouse. Changes made here affect the production instance of PyPI (pypi.python.org).
Help us improve Python packaging - Donate today!

A collection of security maps baseclasses

Project Description

dolmen.security.policies provides a pluggable way to handle object-level security.

>>> from zope.location import Location
>>> from zope.interface import implements
>>> from zope.annotation.interfaces import IAttributeAnnotatable
>>> class Content(Location):
...     implements(IAttributeAnnotatable)
...     def __init__(self, parent, name):
...         self.__parent__ = parent
...         self.__name__ = name
>>> class MyFolder(Location):
...     implements(IAttributeAnnotatable)
...     def __init__(self):
...         self.contents = {}
>>> folder = MyFolder()
>>> contentA = folder.contents['a'] = Content(folder, 'a')

Roles

Standard behavior

Out of the box settings

>>> from zope.securitypolicy.zopepolicy import settingsForObject
>>> pprint(settingsForObject(contentA))
[('a',
  {'principalPermissions': [], 'principalRoles': [], 'rolePermissions': []}),
 (None,
  {'principalPermissions': [], 'principalRoles': [], 'rolePermissions': []}),
 ('global settings',
  {'principalPermissions': [{'permission': 'zope.View',
                             'principal': 'zope.test',
                             'setting': PermissionSetting: Allow}],
   'principalRoles': [],
   'rolePermissions': [{'permission': 'zope.ManageContent',
                        'role': 'test.role',
                        'setting': PermissionSetting: Allow}]})]

Assign a role to the test user

>>> from zope.securitypolicy.interfaces import IPrincipalRoleManager
>>> manager = IPrincipalRoleManager(folder)
>>> manager.assignRoleToPrincipal('test.role', 'zope.test')

Test the role application

>>> from zope.securitypolicy.interfaces import IPrincipalRoleMap
>>> folder_rpm = IPrincipalRoleMap(folder)
>>> print folder_rpm.getRolesForPrincipal('zope.test')
[('test.role', PermissionSetting: Allow)]

Role inheritence

>>> pprint(settingsForObject(contentA))
[('a',
  {'principalPermissions': [], 'principalRoles': [], 'rolePermissions': []}),
 (None,
  {'principalPermissions': [],
   'principalRoles': [{'principal': 'zope.test',
                       'role': 'test.role',
                       'setting': PermissionSetting: Allow}],
   'rolePermissions': []}),
 ('global settings',
  {'principalPermissions': [{'permission': 'zope.View',
                             'principal': 'zope.test',
                             'setting': PermissionSetting: Allow}],
   'principalRoles': [],
   'rolePermissions': [{'permission': 'zope.ManageContent',
                        'role': 'test.role',
                        'setting': PermissionSetting: Allow}]})]

Additive behavior

>>> import grokcore.component as grok
>>> from grokcore.component.testing import grok_component
>>> from zope.securitypolicy.interfaces import Allow, Deny
>>> from zope.securitypolicy.securitymap import SecurityMap
>>> from dolmen.security.policies.principalrole import ExtraRoleMap
>>> from zope.securitypolicy.interfaces import IPrincipalRoleManager
>>> class MyHomefolder(Location):
...     implements(IAttributeAnnotatable)
...     def __init__(self, id):
...        self.__name__ = "%s homepage" % id
...        self.userid = id
>>> home = MyHomefolder('zope.test')
>>> pprint(settingsForObject(home)[0])
('zope.test homepage',
   {'principalPermissions': [], 'principalRoles': [], 'rolePermissions': []})
>>> class HomepageRoleManager(ExtraRoleMap):
...    grok.context(MyHomefolder)
...
...    def _compute_extra_data(self):
...        extra_map = SecurityMap()
...        extra_map.addCell('test.role', self.context.userid, Allow)
...        return extra_map
>>> from zope.component import provideAdapter
>>> from zope.securitypolicy.interfaces import (
...      IPrincipalRoleManager, IPrincipalRoleMap, IRolePermissionMap)
>>> provideAdapter(
...     HomepageRoleManager, (MyHomefolder,), IPrincipalRoleManager)
>>> provideAdapter(
...     HomepageRoleManager, (MyHomefolder,), IPrincipalRoleMap)
>>> pprint(settingsForObject(home)[0])
('zope.test homepage',
 {'principalPermissions': [],
  'principalRoles': [{'principal': 'zope.test',
                      'role': 'test.role',
                      'setting': PermissionSetting: Allow}],
  'rolePermissions': []})

Checking the permissions:

>>> from zope.security.testing import Principal, Participation
>>> from zope.security.management import newInteraction, endInteraction
>>> newInteraction(Participation(Principal('zope.test')))

>>> from zope.security import checkPermission
>>> checkPermission('zope.ManageContent', home)
True

>>> home.userid = "someone else"
>>> checkPermission('zope.ManageContent', home)
False

>>> home.userid = "zope.test"
>>> checkPermission('zope.ManageContent', home)
True

Role Permissions

We can allow/deny permissions on roles too:

>>> from dolmen.security.policies import ExtraRolePermissionMap
>>> from zope.securitypolicy.interfaces import IRolePermissionManager

>>> class HomepageRolePermissionManager(ExtraRolePermissionMap):
...    grok.context(MyHomefolder)
...
...    def _compute_extra_data(self):
...        extra_map = SecurityMap()
...        extra_map.addCell('zope.ManageContent', 'test.role', Deny)
...        return extra_map

>>> provideAdapter(
...     HomepageRolePermissionManager, (MyHomefolder,),
...     IRolePermissionManager)

>>> pprint(settingsForObject(home)[0])
('zope.test homepage',
 {'principalPermissions': [],
  'principalRoles': [{'principal': 'zope.test',
                      'role': 'test.role',
                      'setting': PermissionSetting: Allow}],
  'rolePermissions': [{'permission': 'zope.ManageContent',
                       'role': 'test.role',
                       'setting': PermissionSetting: Deny}]})

>>> checkPermission('zope.ManageContent', home)
False

>>> endInteraction()

Changelog

0.3 (2011-02-22)

  • Added base adapter for IRolePermissionManager. This allows to deny or allow permissions by role. [goschtl]

0.2 (2011-01-19)

  • Re-packaging

0.1 (2011-01-18)

  • Initial release
Release History

Release History

This version
History Node

0.3

History Node

0.2

History Node

0.1

Download Files

Download Files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

File Name & Checksum SHA256 Checksum Help Version File Type Upload Date
dolmen.security.policies-0.3.tar.gz (5.1 kB) Copy SHA256 Checksum SHA256 Source Feb 22, 2011

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting