| | |
|---|
| | | |
|---|
| | | from pyramid.compat import is_nonstr_iter |
|---|
| | | |
|---|
| | | from pyramid.security import ( |
|---|
| | | ACLAllowed, |
|---|
| | | ACLDenied, |
|---|
| | | Allow, |
|---|
| | | Deny, |
|---|
| | | Everyone, |
|---|
| | | ) |
|---|
| | | from pyramid.security import ACLAllowed, ACLDenied, Allow, Deny, Everyone |
|---|
| | | |
|---|
| | | |
|---|
| | | @implementer(IAuthorizationPolicy) |
|---|
| | | class ACLAuthorizationPolicy(object): |
|---|
| | |
|---|
| | | ace_permissions = [ace_permissions] |
|---|
| | | if permission in ace_permissions: |
|---|
| | | if ace_action == Allow: |
|---|
| | | return ACLAllowed(ace, acl, permission, |
|---|
| | | principals, location) |
|---|
| | | return ACLAllowed( |
|---|
| | | ace, acl, permission, principals, location |
|---|
| | | ) |
|---|
| | | else: |
|---|
| | | return ACLDenied(ace, acl, permission, |
|---|
| | | principals, location) |
|---|
| | | return ACLDenied( |
|---|
| | | ace, acl, permission, principals, location |
|---|
| | | ) |
|---|
| | | |
|---|
| | | # default deny (if no ACL in lineage at all, or if none of the |
|---|
| | | # principals were mentioned in any ACE we found) |
|---|
| | | return ACLDenied( |
|---|
| | | '<default deny>', |
|---|
| | | acl, |
|---|
| | | permission, |
|---|
| | | principals, |
|---|
| | | context) |
|---|
| | | '<default deny>', acl, permission, principals, context |
|---|
| | | ) |
|---|
| | | |
|---|
| | | def principals_allowed_by_permission(self, context, permission): |
|---|
| | | """ Return the set of principals explicitly granted the |
|---|
| | |
|---|
| | | if ace_principal not in denied_here: |
|---|
| | | allowed_here.add(ace_principal) |
|---|
| | | if (ace_action == Deny) and (permission in ace_permissions): |
|---|
| | | denied_here.add(ace_principal) |
|---|
| | | if ace_principal == Everyone: |
|---|
| | | # clear the entire allowed set, as we've hit a |
|---|
| | | # deny of Everyone ala (Deny, Everyone, ALL) |
|---|
| | | allowed = set() |
|---|
| | | break |
|---|
| | | elif ace_principal in allowed: |
|---|
| | | allowed.remove(ace_principal) |
|---|
| | | denied_here.add(ace_principal) |
|---|
| | | if ace_principal == Everyone: |
|---|
| | | # clear the entire allowed set, as we've hit a |
|---|
| | | # deny of Everyone ala (Deny, Everyone, ALL) |
|---|
| | | allowed = set() |
|---|
| | | break |
|---|
| | | elif ace_principal in allowed: |
|---|
| | | allowed.remove(ace_principal) |
|---|
| | | |
|---|
| | | allowed.update(allowed_here) |
|---|
| | | |
|---|
