Split up RoleManager into a base class and a ZMI / request facing version in OFS.role

d561f077 · Hanno Schlichting · 520e1e69 · d561f077 · d561f077 · d561f077
Commit d561f077 authored Jun 19, 2010 by Hanno Schlichting
12 changed files
--- a/src/AccessControl/PermissionMapping.py
+++ b/src/AccessControl/PermissionMapping.py
@@ -13,7 +13,7 @@
 """Permission Mapping

 Sometimes, we need an object's permissions to be remapped to other permissions
-when the object is used in specual ways.  This is rather hard, since we
+when the object is used in special ways.  This is rather hard, since we
 need the object's ordinary permissions intact so we can manage it.
 """

@@ -32,7 +32,7 @@ from AccessControl.requestmethod import requestmethod
 class RoleManager:

    implements(IPermissionMappingSupport)
-    
+
    # XXX: No security declarations?

    def manage_getPermissionMapping(self):

--- a/src/AccessControl/Role.py
+++ b/src/AccessControl/Role.py
--- a/src/AccessControl/interfaces.py
+++ b/src/AccessControl/interfaces.py
@@ -85,9 +85,6 @@ class IOwned(Interface):
        """


-# XXX: might contain non-API methods and outdated comments;
-#      not synced with ZopeBook API Reference;
-#      based on AccessControl.PermissionMapping.RoleManager
 class IPermissionMappingSupport(Interface):

    def manage_getPermissionMapping():
@@ -107,11 +104,7 @@ class IPermissionMappingSupport(Interface):
        """


-# XXX: might contain non-API methods and outdated comments;
-#      not synced with ZopeBook API Reference;
-#      based on AccessControl.Role.RoleManager
 class IRoleManager(IPermissionMappingSupport):
-
    """An object that has configurable permissions"""

    permissionMappingPossibleValues = Attribute("""Acquired attribute""")
@@ -130,22 +123,15 @@ class IRoleManager(IPermissionMappingSupport):
        'permission' is returned.
        """

-    manage_roleForm = Attribute(""" """)
-
-    def manage_role(role_to_manage, permissions=[], REQUEST=None):
+    def manage_role(role_to_manage, permissions=[]):
        """Change the permissions given to the given role.
        """

-    manage_acquiredForm = Attribute(""" """)
-
-    def manage_acquiredPermissions(permissions=[], REQUEST=None):
+    def manage_acquiredPermissions(permissions=[]):
        """Change the permissions that acquire.
        """

-    manage_permissionForm = Attribute(""" """)
-
-    def manage_permission(permission_to_manage,
-                          roles=[], acquire=0, REQUEST=None):
+    def manage_permission(permission_to_manage, roles=[], acquire=0):
        """Change the settings for the given permission.

        If optional arg acquire is true, then the roles for the permission
@@ -153,40 +139,17 @@ class IRoleManager(IPermissionMappingSupport):
        permissions are restricted to only the designated roles.
        """

-    def manage_access(REQUEST, **kw):
-        """Return an interface for making permissions settings.
-        """
-
-    def manage_changePermissions(REQUEST):
-        """Change all permissions settings, called by management screen.
-        """
-
    def permissionsOfRole(role):
-        """Used by management screen.
+        """Returns a role to permission mapping.
        """

    def rolesOfPermission(permission):
-        """Used by management screen.
+        """Returns a permission to role mapping.
        """

    def acquiredRolesAreUsedBy(permission):
-        """Used by management screen.
        """
-
-
-    # Local roles support
-    # -------------------
-    #
-    # Local roles allow a user to be given extra roles in the context
-    # of a particular object (and its children). When a user is given
-    # extra roles in a particular object, an entry for that user is made
-    # in the __ac_local_roles__ dict containing the extra roles.
-
-    __ac_local_roles__  = Attribute(""" """)
-
-    manage_listLocalRoles = Attribute(""" """)
-
-    manage_editLocalRoles = Attribute(""" """)
+        """

    def has_local_roles():
        """
@@ -208,13 +171,13 @@ class IRoleManager(IPermissionMappingSupport):
        """
        """

-    def manage_addLocalRoles(userid, roles, REQUEST=None):
+    def manage_addLocalRoles(userid, roles):
        """Set local roles for a user."""

-    def manage_setLocalRoles(userid, roles, REQUEST=None):
+    def manage_setLocalRoles(userid, roles):
        """Set local roles for a user."""

-    def manage_delLocalRoles(userids, REQUEST=None):
+    def manage_delLocalRoles(userids):
        """Remove all local roles for a user."""

    #------------------------------------------------------------
@@ -235,30 +198,6 @@ class IRoleManager(IPermissionMappingSupport):
        """Return list of user-defined roles.
        """

-    def manage_defined_roles(submit=None, REQUEST=None):
-        """Called by management screen.
-        """
-
-    def _addRole(role, REQUEST=None):
-        """
-        """
-
-    def _delRoles(roles, REQUEST=None):
-        """
-        """
-
-    def _has_user_defined_role(role):
-        """
-        """
-
-    def manage_editRoles(REQUEST, acl_type='A', acl_roles=[]):
-        """
-        """
-
-    def _setRoles(acl_type, acl_roles):
-        """
-        """
-
    def possible_permissions():
        """
        """

--- a/src/AccessControl/tests/testRole.py
+++ b/src/AccessControl/tests/testRole.py
@@ -5,10 +5,10 @@ class TestRoleManager(unittest.TestCase):

    def test_interfaces(self):
        from AccessControl.interfaces import IRoleManager
-        from AccessControl.Role import RoleManager
+        from AccessControl.Role import BaseRoleManager
        from zope.interface.verify import verifyClass

-        verifyClass(IRoleManager, RoleManager)
+        verifyClass(IRoleManager, BaseRoleManager)


 def test_suite():

--- a/src/AccessControl/dtml/access.dtml
+++ b/src/AccessControl/dtml/access.dtml
--- a/src/AccessControl/dtml/acquiredEdit.dtml
+++ b/src/AccessControl/dtml/acquiredEdit.dtml
--- a/src/AccessControl/dtml/editLocalRoles.dtml
+++ b/src/AccessControl/dtml/editLocalRoles.dtml
--- a/src/AccessControl/dtml/listLocalRoles.dtml
+++ b/src/AccessControl/dtml/listLocalRoles.dtml
--- a/src/AccessControl/dtml/permissionEdit.dtml
+++ b/src/AccessControl/dtml/permissionEdit.dtml
--- a/src/AccessControl/dtml/reportUserPermissions.dtml
+++ b/src/AccessControl/dtml/reportUserPermissions.dtml
--- a/src/AccessControl/dtml/roleEdit.dtml
+++ b/src/AccessControl/dtml/roleEdit.dtml
--- a/src/OFS/role.py
+++ b/src/OFS/role.py
+##############################################################################
+#
+# Copyright (c) 2002 Zope Foundation and Contributors.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE
+#
+##############################################################################
+"""Access control support
+"""
+from cgi import escape
+
+from App.Dialogs import MessageDialog
+from App.special_dtml import DTMLFile
+
+from AccessControl import ClassSecurityInfo
+from AccessControl.class_init import InitializeClass
+from AccessControl.Role import BaseRoleManager
+from AccessControl.Role import reqattr
+from AccessControl.Permission import Permission
+from AccessControl.Permissions import change_permissions
+from AccessControl.requestmethod import requestmethod
+
+
+class RoleManager(BaseRoleManager):
+    """An object that has configurable permissions"""
+
+    security = ClassSecurityInfo()
+
+    manage_options=(
+        {'label': 'Security', 'action': 'manage_access'},
+        )
+
+    security.declareProtected(change_permissions, 'manage_roleForm')
+    manage_roleForm=DTMLFile('dtml/roleEdit', globals(),
+                             management_view='Security')
+
+    security.declareProtected(change_permissions, 'manage_role')
+    @requestmethod('POST')
+    def manage_role(self, role_to_manage, permissions=[], REQUEST=None):
+        """Change the permissions given to the given role.
+        """
+        BaseRoleManager.manage_role(
+            self, role_to_manage, permissions=permissions)
+        if REQUEST is not None:
+            return self.manage_access(REQUEST)
+
+    security.declareProtected(change_permissions, 'manage_acquiredForm')
+    manage_acquiredForm=DTMLFile('dtml/acquiredEdit', globals(),
+                                 management_view='Security')
+
+    security.declareProtected(change_permissions, 'manage_acquiredPermissions')
+    @requestmethod('POST')
+    def manage_acquiredPermissions(self, permissions=[], REQUEST=None):
+        """Change the permissions that acquire.
+        """
+        BaseRoleManager.manage_acquiredPermissions(
+            self, permissions=permissions)
+        if REQUEST is not None:
+            return self.manage_access(REQUEST)
+
+    security.declareProtected(change_permissions, 'manage_permissionForm')
+    manage_permissionForm=DTMLFile('dtml/permissionEdit', globals(),
+                                   management_view='Security')
+
+    security.declareProtected(change_permissions, 'manage_permission')
+    @requestmethod('POST')
+    def manage_permission(self, permission_to_manage,
+                          roles=[], acquire=0, REQUEST=None):
+        """Change the settings for the given permission.
+
+        If optional arg acquire is true, then the roles for the permission
+        are acquired, in addition to the ones specified, otherwise the
+        permissions are restricted to only the designated roles.
+        """
+        BaseRoleManager.manage_permission(
+            self, permission_to_manage, roles=roles, acquire=acquire)
+        if REQUEST is not None:
+            return self.manage_access(REQUEST)
+
+    _normal_manage_access=DTMLFile('dtml/access', globals())
+    manage_reportUserPermissions=DTMLFile(
+        'dtml/reportUserPermissions', globals())
+
+    security.declareProtected(change_permissions, 'manage_access')
+    def manage_access(self, REQUEST, **kw):
+        """Return an interface for making permissions settings.
+        """
+        return apply(self._normal_manage_access, (), kw)
+
+    security.declareProtected(change_permissions, 'manage_changePermissions')
+    @requestmethod('POST')
+    def manage_changePermissions(self, REQUEST):
+        """Change all permissions settings, called by management screen.
+        """
+        valid_roles=self.valid_roles()
+        indexes=range(len(valid_roles))
+        have=REQUEST.has_key
+        permissions=self.ac_inherited_permissions(1)
+        fails = []
+        for ip in range(len(permissions)):
+            roles = []
+            for ir in indexes:
+                if have("p%dr%d" % (ip, ir)):
+                    roles.append(valid_roles[ir])
+            name, value = permissions[ip][:2]
+            try:
+                p = Permission(name, value, self)
+                if not have('a%d' % ip):
+                    roles=tuple(roles)
+                p.setRoles(roles)
+            except:
+                fails.append(name)
+
+        if fails:
+            return MessageDialog(title="Warning!",
+                                 message="Some permissions had errors: "
+                                   + escape(', '.join(fails)),
+                                 action='manage_access')
+        return MessageDialog(
+            title = 'Success!',
+            message = 'Your changes have been saved',
+            action = 'manage_access')
+
+    security.declareProtected(change_permissions, 'manage_listLocalRoles')
+    manage_listLocalRoles=DTMLFile('dtml/listLocalRoles', globals(),
+                                   management_view='Security')
+
+    security.declareProtected(change_permissions, 'manage_editLocalRoles')
+    manage_editLocalRoles=DTMLFile('dtml/editLocalRoles', globals(),
+                                   management_view='Security')
+
+    security.declareProtected(change_permissions, 'manage_addLocalRoles')
+    @requestmethod('POST')
+    def manage_addLocalRoles(self, userid, roles, REQUEST=None):
+        """Set local roles for a user."""
+        BaseRoleManager.manage_addLocalRoles(self, userid, roles)
+        if REQUEST is not None:
+            stat='Your changes have been saved.'
+            return self.manage_listLocalRoles(self, REQUEST, stat=stat)
+
+    security.declareProtected(change_permissions, 'manage_setLocalRoles')
+    @requestmethod('POST')
+    def manage_setLocalRoles(self, userid, roles, REQUEST=None):
+        """Set local roles for a user."""
+        BaseRoleManager.manage_setLocalRoles(self, userid, roles)
+        if REQUEST is not None:
+            stat='Your changes have been saved.'
+            return self.manage_listLocalRoles(self, REQUEST, stat=stat)
+
+    security.declareProtected(change_permissions, 'manage_delLocalRoles')
+    @requestmethod('POST')
+    def manage_delLocalRoles(self, userids, REQUEST=None):
+        """Remove all local roles for a user."""
+        BaseRoleManager.manage_delLocalRoles(self, userids)
+        if REQUEST is not None:
+            stat='Your changes have been saved.'
+            return self.manage_listLocalRoles(self, REQUEST, stat=stat)
+
+    security.declareProtected(change_permissions, 'manage_defined_roles')
+    def manage_defined_roles(self, submit=None, REQUEST=None):
+        """Called by management screen.
+        """
+
+        if submit=='Add Role':
+            role=reqattr(REQUEST, 'role').strip()
+            return self._addRole(role, REQUEST)
+
+        if submit=='Delete Role':
+            roles=reqattr(REQUEST, 'roles')
+            return self._delRoles(roles, REQUEST)
+
+        return self.manage_access(REQUEST)
+
+    @requestmethod('POST')
+    def _addRole(self, role, REQUEST=None):
+        if not role:
+            return MessageDialog(
+                   title='Incomplete',
+                   message='You must specify a role name',
+                   action='manage_access')
+        if role in self.__ac_roles__:
+            return MessageDialog(
+                   title='Role Exists',
+                   message='The given role is already defined',
+                   action='manage_access')
+        data = list(self.__ac_roles__)
+        data.append(role)
+        self.__ac_roles__=tuple(data)
+        if REQUEST is not None:
+            return self.manage_access(REQUEST)
+
+    @requestmethod('POST')
+    def _delRoles(self, roles, REQUEST=None):
+        if not roles:
+            return MessageDialog(
+                   title='Incomplete',
+                   message='You must specify a role name',
+                   action='manage_access')
+        data = list(self.__ac_roles__)
+        for role in roles:
+            try:
+                data.remove(role)
+            except:
+                pass
+        self.__ac_roles__ = tuple(data)
+        if REQUEST is not None:
+            return self.manage_access(REQUEST)
+
+    def _has_user_defined_role(self, role):
+        return role in self.__ac_roles__
+
+    # Compatibility names only!!
+
+    smallRolesWidget=selectedRoles=aclAChecked=aclPChecked=aclEChecked=''
+    validRoles=BaseRoleManager.valid_roles
+
+    def manage_editRoles(self, REQUEST, acl_type='A', acl_roles=[]):
+        pass
+
+    def _setRoles(self, acl_type, acl_roles):
+        pass
+
+InitializeClass(RoleManager)