[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Security - AttributeRolePermissionManager.py:1.1.2.3 IRolePermissionManager.py:1.1.2.4 IRolePermissionMap.py:1.1.2.5 RolePermissionManager.py:1.1.2.6

Anthony Baxter anthony@interlink.com.au
Sat, 9 Feb 2002 17:10:00 -0500


Update of /cvs-repository/Zope3/lib/python/Zope/App/Security
In directory cvs.zope.org:/tmp/cvs-serv5429

Modified Files:
      Tag: Zope-3x-branch
	AttributeRolePermissionManager.py IRolePermissionManager.py 
	IRolePermissionMap.py RolePermissionManager.py 
Log Message:
Updated RolePermission interfaces, code and testsuites to new standard,
as with PrincipalPermission and PrincipalRole. All test cases pass, but
this is largely because the testZSP script isn't very thorough ;)

This code allows Permissions to be explicitly denied to a Role.



=== Zope3/lib/python/Zope/App/Security/AttributeRolePermissionManager.py 1.1.2.2 => 1.1.2.3 ===
 from Zope.ComponentArchitecture import getService
 
-from IRolePermissionManager import IRolePermissionManager
+from Zope.App.Security.IRolePermissionManager import IRolePermissionManager
+from Zope.App.Security.LocalSecurityMap import LocalSecurityMap
+from Zope.App.Security.Settings import Allow, Deny, Unset
 
 class  AttributeRolePermissionManager:
     """
@@ -29,73 +31,51 @@
     def __init__(self, context):
         self._context = context
 
-    # Implementation methods for interface
-    # Zope.App.Security.IRolePermissionManager
-
-    def getPermissionsForRole(self, role):
-        '''See interface IRolePermissionMap'''
-        try:
-            rp = self._context.__role_permissions__
-        except AttributeError:
-            return ()
-        return rp.get(role, ())
+    def grantPermissionToRole( self, permission, role ):
+        ''' See the interface IRolePermissionManager '''
+        pp = self._getRolePermissions(create=1)
+        pp.addCell( permission, role, Allow )
+        self._context._p_changed = 1
+
+    def denyPermissionToRole( self, permission, role ):
+        ''' See the interface IRolePermissionManager '''
+        pp = self._getRolePermissions(create=1)
+        pp.addCell( permission, role, Deny )
+        self._context._p_changed = 1
+
+    def unsetPermissionForRole( self, permission, role ):
+        ''' See the interface IRolePermissionManager '''
+        pp = self._getRolePermissions()
+        # Only unset if there is a security map, otherwise, we're done
+        if pp:
+            pp.delCell( permission, role )
+            self._context._p_changed = 1
 
-    def getRolesForPermission(self, permission):
+    def getRolesForPermission( self, permission ):
         '''See interface IRolePermissionMap'''
-        try:
-            rp = self._context.__role_permissions__
-        except AttributeError:
-            return ()
-
-        r = []
-        for role, permissions in rp.items():
-            if permission in permissions:
-                r.append(role)
-
-        return r
+        pp = self._getRolePermissions()
+        if pp:
+            return pp.getRow( permission )
+        else:
+            return []
 
-    def getPermissionAcquired(self, permission):
+    def getPermissionsForRole( self, role ):
         '''See interface IRolePermissionMap'''
-        # punt for now
-        return 1
+        pp = self._getRolePermissions()
+        if pp:
+            return pp.getCol( role )
+        else:
+            return []
 
-    def retractPermissionFromRole(self, permission, role):
-        '''See interface IRolePermissionMap'''
-        rp = getattr(self._context, '__role_permissions__', None)
-        if rp:
-            permissions = rp.get(role, ())
-            if permission in permissions:
-                permissions.remove(permission)
-        
-    def grantPermissionToRole(self, permission, role):
-        '''See interface IRolePermissionMap'''
-        permissionService = getService(self._context,
-                                       'PermissionService')
-        p = permissionService.getPermission(permission)
-        if p is None:
-            raise ValueError('Invalid Permission')
-
-        roleService = getService(self._context,
-                                 'RoleService')
-        r = roleService.getRole(role)
-        if r is None:
-            raise ValueError('Invalid Role')
-        
+    def _getRolePermissions(self, create=0):
+        """ Get the role permission map stored in the context, optionally
+            creating one if necessary """
         try:
-            rp = self._context.__role_permissions__
+            return self._context.__role_permissions__
         except AttributeError:
-            rp = self._context.__role_permissions__ = {}
+            if create:
+                pp = self._context.__role_permissions__ = \
+                    LocalSecurityMap()
+                return pp
+        return None
 
-        try:
-            permissions = rp[role]
-        except KeyError:
-            rp[role] = [ permission ]
-            self._context._p_changed = 1
-        else:
-            if permission not in permissions:
-                permissions.append(permission)
-                self._context._p_changed = 1
-
-    def setPermissionAcquired(self, permission, flag):
-        '''See interface IRolePermissionMap'''
-        raise TypeError('Unimplemented')
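Review bot: The rewritten `grantPermissionToRole` and the new `denyPermissionToRole` store whatever `permission` and `role` they are handed, whereas the removed implementation looked both up through `PermissionService` and `RoleService` and raised `ValueError('Invalid Permission')` or `ValueError('Invalid Role')` for unknown ones. Unless `LocalSecurityMap.addCell` validates its arguments (not visible here), a mistyped or stale value can now create an Allow or Deny cell that never matches anything, which is especially easy to miss for a Deny. Either restore a check before `addCell`, or say in the docstrings that callers must pass validated `IPermission`/`IRole` objects, e.g. `''' See IRolePermissionManager; permission and role are not validated here '''`. The class body starts before this hunk.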


=== Zope3/lib/python/Zope/App/Security/IRolePermissionManager.py 1.1.2.3 => 1.1.2.4 ===
         """Bind the permission to the role.
 
-        permission must be a permission id
-        role must be a role id
+        permission must be an IPermission
+        role must be an IRole
         """
 
-    def retractPermissionFromRole(permission, role):
-        """remove the binding of the permission to the role"""
+    def denyPermissionToRole(permission, role):
+        """Deny the permission to the role
 
-    def setPermissionAcquired(permission, flag):
-        """Set a flag indicating whether permission settings are acquired.
+        permission must be an IPermission
+        role must be an IRole
+        """
+
+    def unsetPermissionFromRole(permission, role):
+        """Clear the setting of the permission to the role.
 
-        Permission settings are acquired by default.
+        permission must be an IPermission
+        role must be an IRole
         """
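Review bot: The interface declares `unsetPermissionFromRole`, but both implementations in this commit (AttributeRolePermissionManager and RolePermissionManager) define `unsetPermissionForRole`, so a caller written against `IRolePermissionManager` gets an `AttributeError` when it tries to clear a setting. RolePermissionManager still asserts `__implements__ = IRolePermissionManager`, which makes the mismatch easy to overlook. Pick one spelling; if the implementations have the intended name, the line here becomes `def unsetPermissionForRole(permission, role):`. The interface class begins outside this hunk.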


=== Zope3/lib/python/Zope/App/Security/IRolePermissionMap.py 1.1.2.4 => 1.1.2.5 ===
         """
 
-    def getPermissionAcquired(permission):
-        """Return a flag indicating whether permission settings are acquired.
+    def getSetting(permission, role):
+        """Return a sequence of roles for the given permission.
+
+        permission must be an IPermission.  role must be an IRole.
+        If no roles have been granted this permission, then the empty 
+        list is returned.
+        """
+
+    def getPrincipalsAndRoles():
+        """Return a sequence of (principals, role, setting) here.
+
+        If no principal/role assertions have been made here, then the empty 
+        list is returned.
         """
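Review bot: The docstring added for `getSetting(permission, role)` describes a different method: it promises "a sequence of roles for the given permission" and an empty list, while the signature takes one permission and one role and presumably yields a single setting. Something like `"""Return the setting (Allow, Deny or Unset) recorded for the given permission and role."""` would match the `Settings` names imported elsewhere in this commit; confirm what is returned when nothing is recorded. `getPrincipalsAndRoles` and its "(principals, role, setting)" text look copied from the principal/role interface, and neither new method is defined in the implementation hunks shown here, so it is worth checking that `LocalSecurityMap` supplies them. The interface class starts outside this hunk.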


=== Zope3/lib/python/Zope/App/Security/RolePermissionManager.py 1.1.2.5 => 1.1.2.6 ===
 """Mappings between roles and permissions."""
 
-from Zope.App.Security.SecurityMap import SecurityMap
+from Zope.App.Security.LocalSecurityMap import LocalSecurityMap
+from Zope.App.Security.Settings import Allow, Deny
 from Zope.App.Security.IRolePermissionManager import IRolePermissionManager
 
 
-class RolePermissionManager(SecurityMap):
+class RolePermissionManager(LocalSecurityMap):
     """Mappings between roles and permissions."""
 
     __implements__ = IRolePermissionManager
@@ -25,33 +26,23 @@
 
     def grantPermissionToRole( self, permission, role ):
         '''See interface IRolePermissionMap'''
-        self.addCell( permission, role )
+        self.addCell( permission, role, Allow )
 
-    def retractPermissionFromRole( self, permission, role ):
+    def denyPermissionToRole( self, permission, role ):
+        '''See interface IRolePermissionMap'''
+        self.addCell( permission, role, Deny )
+
+    def unsetPermissionForRole( self, permission, role ):
         '''See interface IRolePermissionMap'''
         self.delCell( permission, role )
 
     def getRolesForPermission( self, permission ):
         '''See interface IRolePermissionMap'''
-        return self.getColumnsForRow( permission )
+        return self.getRow( permission )
 
     def getPermissionsForRole( self, role ):
         '''See interface IRolePermissionMap'''
-        return self.getRowsForColumn( role )
-
-    def setPermissionAcquired(self, permission, flag):
-        '''See interface IRolePermissionMap'''
-        self._nonacquiredperms[permission] = flag
-
-    def getPermissionAcquired(self, permission):
-        '''See interface IRolePermissionMap'''
-        return self._nonacquiredperms.get(permission, 1)
-
-    # Override _clear() so we can add the extra little acquired permission
-    # mapping.
-    def _clear(self):
-        SecurityMap._clear(self)
-        self._nonacquiredperms = {}
+        return self.getCol( role )
 
 # Permissions are our rows, and roles are our columns
 rolePermissionManager = RolePermissionManager()
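Review bot: `getRolesForPermission` and `getPermissionsForRole` now return `getRow`/`getCol` from a map that can hold Deny cells, and nothing here says whether denied entries are included or how the setting is conveyed. A caller that still treats every returned role as holding the permission would authorize a role that was explicitly denied. Document the return shape on both methods, for example `'''Return the roles recorded for permission together with their Allow/Deny setting'''` once confirmed against `LocalSecurityMap`, and add a test that a denied role is not treated as granted, since the log message says the existing test script is not thorough. The grant/deny/unset docstrings also point at `IRolePermissionMap`, while those methods are declared in `IRolePermissionManager`.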