Posted to commits@allura.apache.org by tv...@apache.org on 2013/09/24 19:37:02 UTC

[05/20] git commit: [#6392] ticket:432 Reason-agnostic contains check for ACEs

[#6392] ticket:432 Reason-agnostic contains check for ACEs


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/394ccc3b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/394ccc3b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/394ccc3b

Branch: refs/heads/master
Commit: 394ccc3b8bd3bd951cfe8a384c2cbca14226ec9e
Parents: f47df1c
Author: Igor Bondarenko <je...@gmail.com>
Authored: Wed Sep 11 15:44:11 2013 +0300
Committer: Tim Van Steenburgh <tv...@gmail.com>
Committed: Tue Sep 24 17:36:24 2013 +0000

----------------------------------------------------------------------
 Allura/allura/app.py          |  7 ++++---
 Allura/allura/lib/security.py |  2 +-
 Allura/allura/model/types.py  | 27 +++++++++++++++++----------
 3 files changed, 22 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/394ccc3b/Allura/allura/app.py
----------------------------------------------------------------------
diff --git a/Allura/allura/app.py b/Allura/allura/app.py
index 8218d53..a887375 100644
--- a/Allura/allura/app.py
+++ b/Allura/allura/app.py
@@ -591,7 +591,7 @@ class DefaultAdminController(BaseController):
             return redirect(request.referer)
 
         ace = model.ACE.deny(user.project_role()._id, perm, reason)
-        if ace not in self.app.acl:
+        if not model.ACL.contains(ace, self.app.acl):
             self.app.acl.append(ace)
         return redirect(request.referer)
 
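Review bot: When the user is already blocked, the `reason` passed to `model.ACE.deny(...)` is dropped without any signal, because `ACL.contains` ignores the reason and the append is skipped. If the stored reason is meant to serve as an audit record, either update it on the matched entry or report that the existing block was kept. At minimum add a comment such as `# already blocked: keep the existing entry and its original reason`. The enclosing method starts above this hunk, so how `reason` is obtained is not visible here.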
@@ -599,7 +599,8 @@ class DefaultAdminController(BaseController):
     def unblock_user(self, user_id, perm):
         user = model.User.query.get(_id=ObjectId(user_id))
         ace = model.ACE.deny(user.project_role()._id, perm)
-        if ace in self.app.acl:
+        ace = model.ACL.contains(ace, self.app.acl)
+        if ace:
             self.app.acl.remove(ace)
         return redirect(request.referer)
 
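Review bot: `self.app.acl.remove(ace)` removes only the first entry that `ACL.contains` returns, so an ACL holding two DENY entries for the same role and permission with different reasons would still deny the user after an unblock. The pre-change check in block_user compared the whole ACE, reason included, so such duplicates could already be stored. Removing every match closes this: bind the result to a separate name, `match = model.ACL.contains(ace, self.app.acl)`, then loop on `while match is not None:` with the remove and a fresh `contains` call in the body. Testing `is not None` also keeps the branch independent of how the returned object evaluates as a boolean.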
@@ -625,7 +626,7 @@ class DefaultAdminController(BaseController):
             elif ace.access == model.ACE.DENY:
                 role = model.ProjectRole.query.get(_id=ace.role_id)
                 if role.name is None and role.user:
-                    block_list[ace.permission].append((role.user, getattr(ace, 'reason', None)))
+                    block_list[ace.permission].append((role.user, ace.reason))
         return dict(
             app=self.app,
             allow_config=has_access(c.project, 'admin')(),
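Review bot: `ace.reason` replaces `getattr(ace, 'reason', None)` and so assumes every DENY entry carries a `reason` key. That holds only if entries stored before `reason=S.String()` was added to the ACE schema are given the key on load, which this diff does not show. Otherwise listing the block list may raise AttributeError for those older entries. Either keep the `getattr` fallback or state the dependency in a comment, e.g. `# reason is supplied by the ACE schema; None when it was never set`. The enclosing method starts and ends outside this hunk.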

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/394ccc3b/Allura/allura/lib/security.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/security.py b/Allura/allura/lib/security.py
index c992cef..bbadb1b 100644
--- a/Allura/allura/lib/security.py
+++ b/Allura/allura/lib/security.py
@@ -292,7 +292,7 @@ def has_access(obj, permission, user=None, project=None):
             roles = cred.user_roles(user_id=user._id, project_id=project._id).reaching_ids
         user_role = user.project_role(project=project)
         deny_user = M.ACE.deny(user_role._id, permission)
-        if deny_user in obj.acl:
+        if M.ACL.contains(deny_user, obj.acl):
             return False
         chainable_roles = []
         for rid in roles:
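Review bot: Nothing in this commit's diffstat exercises the deny branch at `if M.ACL.contains(deny_user, obj.acl):`, although it now decides access for every blocked user. Unless another commit in the series adds one, a regression test is worth having: a user-specific DENY entry stored with a reason must make has_access return False, and one stored without a reason must do the same. A short comment above the check would also help the next reader, e.g. `# user-specific DENY wins regardless of the reason stored on it`. The body of has_access continues outside this hunk.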

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/394ccc3b/Allura/allura/model/types.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/types.py b/Allura/allura/model/types.py
index fa7b332..73c4b3b 100644
--- a/Allura/allura/model/types.py
+++ b/Allura/allura/model/types.py
@@ -31,6 +31,7 @@ class ACE(S.Object):
         super(ACE, self).__init__(
             fields=dict(
                 access=S.OneOf(self.ALLOW, self.DENY),
+                reason=S.String(),
                 role_id=S.ObjectId(),
                 permission=permission),
             **kwargs)
@@ -64,18 +65,24 @@ class ACL(S.Array):
         super(ACL, self).__init__(
             field_type=ACE(permissions), **kwargs)
 
-        def __contains__(self, ace):
-            """Test membership of ace in acl ignoring ace.reason field.
+    @classmethod
+    def contains(cls, ace, acl):
+        """Test membership of ace in acl ignoring ace.reason field.
+
+        Return actual ACE with reason filled if ace is found in acl, None otherwise
 
-            e.g. `ace in acl` test should evaluate to True with following vars:
+        e.g. `ACL.contains(ace, acl)` will return `{role_id=ObjectId(...), permission='read', access='DENY', reason='Spammer'}`
+        with following vars:
 
-            ace = M.ACE.deny(role_id, 'read')
-            acl = [{role_id=ObjectId(...), permission='read', access='DENY', reason='Spammer'}]
-            """
-            def clear_reason(ace):
-                return Object(access=ace.access, role_id=ace.role_id, permission=ace.permission)
+        ace = M.ACE.deny(role_id, 'read')  # reason = None
+        acl = [{role_id=ObjectId(...), permission='read', access='DENY', reason='Spammer'}]
+        """
+        def clear_reason(ace):
+            return Object(access=ace.access, role_id=ace.role_id, permission=ace.permission)
 
-            ace = Object(access=ace.access, role_id=ace.role_id, permission=ace.permission)
-            return ace in map(clear_reason, self)
+        ace_without_reason = clear_reason(ace)
+        for a in acl:
+            if clear_reason(a) == ace_without_reason:
+                return a
 
 DENY_ALL = ACE.deny(EVERYONE, ALL_PERMISSIONS)
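Review bot: Reason-agnostic matching now exists only in `ACL.contains`, so any `ace in acl` or `acl.remove(ACE.deny(...))` left at call sites outside this diff still compares the reason and would miss a DENY entry that carries one. The three call sites converted here are the only ones visible, so a search for remaining `in ... acl` checks on DENY entries is worth doing. The docstring should say so directly, e.g. `Use this instead of the in operator, which also compares reason.`, and should note that only the first matching entry is returned. Ending the method with an explicit `return None` would make the not-found result visible rather than implicit, and since `cls` is unused `@staticmethod` would fit as well.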