Added "local roles" - the ability to give a user extra roles in the context of...

Added "local roles" - the ability to give a user extra roles in the context of a particular object and its subobjects.

lib/python/AccessControl/Role.py

@@ -84,7 +84,7 @@
 ##############################################################################
 """Access control support"""
 
-__version__='$Revision: 1.24 $'[11:-2]
+__version__='$Revision: 1.25 $'[11:-2]
 
 
 from Globals import HTMLFile, MessageDialog, Dictionary
@@ -92,6 +92,7 @@ from string import join, strip, split, find
 from Acquisition import Implicit
 import Globals
 from Permission import Permission
+from Common import aq_base
 
 ListType=type([])
 
@@ -107,12 +108,16 @@ class RoleManager:
           'manage_changePermissions', 'permissionsOfRole',
           'rolesOfPermission', 'acquiredRolesAreUsedBy',
           'manage_defined_roles',
+          'manage_listLocalRoles', 'manage_editLocalRoles',
+          'manage_setLocalRoles',  'manage_delLocalRoles',
           )),
         ('View management screens', ('manage_access',)),
         )
    
     __ac_roles__=('Manager', 'Anonymous')
 
+
+
     #------------------------------------------------------------
 
     def ac_inherited_permissions(self, all=0):
@@ -276,8 +281,76 @@ class RoleManager:
         raise 'Invalid Permission', (
             "The permission <em>%s</em> is invalid." % permission)
 
-            
-            
+
+    # Local roles support
+    # -------------------
+    #
+    # Local roles allow a user to be given extra roles in the context
+    # of a particular object (and its children). When a user is given
+    # extra roles in a particular object, an entry for that user is made
+    # in the __ac_local_roles__ dict containing the extra roles.
+    
+    __ac_local_roles__={}
+
+    manage_listLocalRoles=HTMLFile('listLocalRoles', globals())
+    manage_editLocalRoles=HTMLFile('editLocalRoles', globals())
+
+    def has_local_roles(self):
+        return len(self.__ac_local_roles__)
+
+    def get_local_roles(self):
+        dict=self.__ac_local_roles__
+        keys=dict.keys()
+        keys.sort()
+        info=[]
+        for key in keys:
+            info.append((key, dict[key]))
+        return info
+
+    def get_valid_userids(self):
+        item=self
+        dict={}
+        while 1:
+            if hasattr(aq_base(item), 'acl_users') and \
+               hasattr(item.acl_users, 'user_names'):
+                for name in item.acl_users.user_names():
+                    dict[name]=1
+            if not hasattr(item, 'aq_parent'):
+                break
+            item=item.aq_parent
+        keys=dict.keys()
+        keys.sort()
+        return keys
+
+    def get_local_roles_for_userid(self, userid):
+        return self.__ac_local_roles__.get(userid, [])
+
+    def manage_setLocalRoles(self, userid, roles, REQUEST=None):
+        """Set local roles for a user."""
+        if not roles:
+            raise ValueError, 'One or more roles must be given!'
+        if not self.validate_roles(roles):
+            raise ValueError, 'Invalid role given.'
+        dict=self.__ac_local_roles__
+        dict[userid]=roles
+        self.__ac_local_roles__=dict
+        if REQUEST is not None:
+            stat='Your changes have been saved.'
+            return self.manage_listLocalRoles(self, REQUEST, stat=stat)
+
+    def manage_delLocalRoles(self, userids, REQUEST=None):
+        """Remove all local roles for a user."""
+        dict=self.__ac_local_roles__
+        for userid in userids:
+            if dict.has_key(userid):
+                del dict[userid]
+        self.__ac_local_roles__=dict
+        if REQUEST is not None:
+            stat='Your changes have been saved.'
+            return self.manage_listLocalRoles(self, REQUEST, stat=stat)
+
+
+
 
     #------------------------------------------------------------
 
@@ -366,6 +439,9 @@ class RoleManager:
         self.__ac_roles__=tuple(data)
         return self.manage_access(self, REQUEST)
 
+
+
+
     def _delRoles(self, roles, REQUEST):
         if not roles:
             return MessageDialog(

lib/python/AccessControl/User.py

@@ -84,7 +84,7 @@
 ##############################################################################
 """Access control package"""
 
-__version__='$Revision: 1.71 $'[11:-2]
+__version__='$Revision: 1.72 $'[11:-2]
 
 import Globals, App.Undo, socket, regex
 from Globals import HTMLFile, MessageDialog, Persistent, PersistentMapping
@@ -129,6 +129,24 @@ class BasicUser(Implicit):
         """Return the list of roles assigned to a user."""
         raise NotImplemented
 
+    def getRolesInContext(self, object):
+        """Return the list of roles assigned to the user,
+           including local roles assigned in context of
+           the passed in object."""
+        name=self.getUserName()
+        roles=self.getRoles()
+        local={}
+        while 1:
+            if hasattr(object, '__ac_local_roles__'):
+                for r in object.__ac_local_roles__.get(name, []):
+                    local[r]=1
+            if not hasattr(object, 'aq_parent'):
+                break
+            object=object.aq_parent
+        joined=rolejoin(roles, local.keys())
+        return joined
+
+
     def getDomains(self):
         """Return the list of domain restrictions for a user"""
         raise NotImplemented
@@ -163,28 +181,12 @@ class BasicUser(Implicit):
                 parent=parent.aq_parent
             else: return r
 
-    def allowed(self,parent,roles=None):
-        """Check wether the user has access to parent
-
-        assuming that parent.__roles__ is the given roles.
-        """
-        usr_roles=self.getRoles()
-        try:
-            if roles is None or 'Anonymous' in roles:
-                return 1
-        except:
-            l=[]
-            ob=roles
-            while 1:
-                if hasattr(ob, 'id'):
-                    id=ob.id
-                else: id='?'
-                l.append('%s: %s' % (id, `ob`))
-                if not hasattr(ob, 'aq_parent'):
-                    break
-                ob=ob.aq_parent
-            raise 'spam', `l`
-
+    def allowed(self, parent, roles=None):
+        """Check whether the user has access to parent, assuming that
+           parent.__roles__ is the given roles."""
+        if roles is None or 'Anonymous' in roles:
+            return 1
+        usr_roles=self.getRolesInContext(parent)
         for role in roles:
             if role in usr_roles:
                 if (hasattr(self,'aq_parent') and
@@ -208,7 +210,7 @@ class BasicUser(Implicit):
             if roles is None or 'Anonymous' in roles: return 1
             while 'Shared' in roles: roles.remove('Shared')
             return self.allowed(parent,roles)
-            
+
         return None
 
     hasRole=allowed
@@ -677,7 +679,15 @@ def manage_addUserFolder(self,dtself=None,REQUEST=None,**ignored):
 
 
 
-
+def rolejoin(roles, other):
+    dict={}
+    for role in roles:
+        dict[role]=1
+    for role in other:
+        dict[role]=1
+    roles=dict.keys()
+    roles.sort()
+    return roles
 
 addr_match=regex.compile('[0-9\.\*]*').match
 host_match=regex.compile('[A-Za-z0-9\.\*]*').match

lib/python/AccessControl/access.dtml

@@ -10,7 +10,10 @@
 <P>
 The listing below shows the current security settings for this item. 
 Permissions are rows and roles are columns.  Checkboxes are used to
-indicate where roles are assigned permissions.
+indicate where roles are assigned permissions. You can also assign 
+<strong><a href="manage_listLocalRoles">local roles</a></strong> to 
+users, which give users extra roles in the context of this object and 
+its subobjects.
 </P>
 <P>  
 When a role is assigned to a permission, users with the given role
@@ -20,9 +23,11 @@ then the containing objects's permission settings are used. Note: the
 acquired permission settings may be augmented by selecting Roles for
 a permission in addition to selecting to acquire permissions.
 </P>
-<P>You can define new Roles by using the <EM>User defined roles</EM>
-form below.</P>
 
+<P>
+You can define new Roles by using the <EM>User defined roles</EM>
+form below.<
+/P>
 
 <style type="text/css">
 <!--

lib/python/AccessControl/editLocalRoles.dtml

+<html>
+<head>
+<title>Manage Local Roles</title>
+</head>
+<body bgcolor="#FFFFFF" link="#000099" vlink="#555555" alink="#77003B">
+<!--#if manage_tabs-->
+<!--#var manage_tabs-->
+<!--#endif-->
+
+<p>
+<strong>Local roles</strong> allow you to give particular users extra roles 
+in the context of this object, in addition to the roles they already have. 
+</p>
+
+<p>
+To change the local roles for this user, select the extra roles this 
+user should have in the context of this object and click the <em>Change</em> 
+button.
+</p>
+
+<form action="manage_setLocalRoles" method="POST">
+<table cellspacing="2" border="0">
+<tr>
+  <td align="left" valign="top">
+  <strong>User</strong>
+  <br>
+  <!--#var userid-->
+  </td>
+
+  <td align="left" valign="top">
+  <strong>Roles</strong>
+  <br>
+  <input type="hidden" name="userid" value="<!--#var userid-->">
+<!--#with "_(user_roles=get_local_roles_for_userid(userid))"-->
+  <select name="roles:list" size="5" multiple>
+<!--#in valid_roles--><!--#if 
+"_vars['sequence-item'] not in ('Anonymous', 'Shared')"-->
+<option value="<!--#var sequence-item-->"<!--#if 
+"_['sequence-item'] in user_roles"--> selected<!--#endif-->><!--#var 
+sequence-item-->
+<!--#endif-->
+<!--#endin-->
+  </select>
+<!--#/with-->
+  </td>
+</tr>
+<tr>
+  <td align="left" valign="top">
+  <input type="submit" value="Change">
+  </td>
+  <td></td>
+</tr>
+</table>
+</form>
+
+</body>
+</html>

lib/python/AccessControl/listLocalRoles.dtml

+<html>
+<head>
+<title>Manage Local Roles</title>
+</head>
+<body bgcolor="#FFFFFF" link="#000099" vlink="#555555" alink="#77003B">
+<!--#if manage_tabs-->
+<!--#var manage_tabs-->
+<!--#endif-->
+
+<!--#if stat-->
+<hr>
+<font color="red"><!--#var stat--></font>
+<hr>
+<!--#endif-->
+
+<p>
+<strong>Local roles</strong> allow you to give particular users extra roles 
+in the context of this object, in addition to the roles they already have. 
+
+<!--#if has_local_roles-->
+<br>
+The following users have been given local roles. To modify the local roles 
+given to a particular user, click on the name of the user. To remove all 
+local roles from a user, select the checkbox next to the name of the user 
+and click the <em>Remove</em> button.
+</p>
+<form action="manage_delLocalRoles" method="POST">
+<table cellspacing="2" border="0">
+<!--#in get_local_roles-->
+<tr>
+  <td align="left" valign="top">
+  <input type="checkbox" name="userids:list" value="<!--#var sequence-key-->">
+  </td>
+  <td align="left" valign="top">
+  <a href="manage_editLocalRoles?userid=<!--#var sequence-key 
+   fmt="url-quote"-->"><!--#var sequence-key--></a> (<!--#in 
+   sequence-item--><!--#var sequence-item--><!--#unless 
+   sequence-end-->, <!--#/unless--><!--#endin-->)
+  </td>
+</tr>
+<!--#endin-->
+<tr>
+  <td align="left" valign="top">
+  </td>
+  <td align="left" valign="top">
+  <input type="submit" value="Remove">
+  </td>
+</tr>
+</table>
+</form>
+<!--#endif-->
+
+<p>
+To give a user extra roles when accessing this object (and its children), 
+select a user from the <em>User</em> list below, select the extra 
+roles that should be given to that user from the <em>Roles</em> list.
+
+<form action="manage_setLocalRoles" method="POST">
+<table cellspacing="2" border="0">
+<tr>
+  <td align="left" valign="top">
+  <strong>User</strong>
+  <br>
+  <select name="userid" size="5">
+  <!--#in get_valid_userids-->
+  <option value="<!--#var sequence-item-->"><!--#var sequence-item-->
+  <!--#endin-->
+  </select>
+  </td>
+
+  <td align="left" valign="top">
+  <strong>Roles</strong>
+  <br>
+  <select name="roles:list" size="5" multiple>
+<!--#in valid_roles--><!--#if 
+"_vars['sequence-item'] not in ('Anonymous', 'Shared')"-->
+<option value="<!--#var sequence-item-->"><!--#var sequence-item-->
+<!--#endif-->
+<!--#endin-->
+  </select>
+  </td>
+</tr>
+<tr>
+  <td align="left" valign="top">
+  <input type="submit" value="Add">
+  </td>
+  <td></td>
+</tr>
+</table>
+</form>
+
+
+
+
+</body>
+</html>