Posted to commits@allura.apache.org by tv...@apache.org on 2013/09/24 19:37:02 UTC
[05/20] git commit: [#6392] ticket:432 Reason-agnostic contains check
for ACEs
[#6392] ticket:432 Reason-agnostic contains check for ACEs
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/394ccc3b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/394ccc3b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/394ccc3b
Branch: refs/heads/master
Commit: 394ccc3b8bd3bd951cfe8a384c2cbca14226ec9e
Parents: f47df1c
Author: Igor Bondarenko <je...@gmail.com>
Authored: Wed Sep 11 15:44:11 2013 +0300
Committer: Tim Van Steenburgh <tv...@gmail.com>
Committed: Tue Sep 24 17:36:24 2013 +0000
----------------------------------------------------------------------
Allura/allura/app.py | 7 ++++---
Allura/allura/lib/security.py | 2 +-
Allura/allura/model/types.py | 27 +++++++++++++++++----------
3 files changed, 22 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/394ccc3b/Allura/allura/app.py
----------------------------------------------------------------------
diff --git a/Allura/allura/app.py b/Allura/allura/app.py
index 8218d53..a887375 100644
--- a/Allura/allura/app.py
+++ b/Allura/allura/app.py
@@ -591,7 +591,7 @@ class DefaultAdminController(BaseController):
return redirect(request.referer)
ace = model.ACE.deny(user.project_role()._id, perm, reason)
- if ace not in self.app.acl:
+ if not model.ACL.contains(ace, self.app.acl):
self.app.acl.append(ace)
return redirect(request.referer)
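Review bot: When a deny ACE for this role and permission already exists, the `reason` passed to block_user is silently discarded, because the guard on the line before `self.app.acl.append(ace)` only asks whether a reason-agnostic match exists and leaves the existing entry untouched. If re-blocking with an updated reason is expected to take effect, update the found ACE instead of skipping it: `existing = model.ACL.contains(ace, self.app.acl)` / `if existing is None: self.app.acl.append(ace)` / `else: existing.reason = reason`. If dropping the new reason is intended, a one-line comment saying so would stop the next reader from treating it as a bug. The enclosing block_user method starts outside the hunk.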
@@ -599,7 +599,8 @@ class DefaultAdminController(BaseController):
def unblock_user(self, user_id, perm):
user = model.User.query.get(_id=ObjectId(user_id))
ace = model.ACE.deny(user.project_role()._id, perm)
- if ace in self.app.acl:
+ ace = model.ACL.contains(ace, self.app.acl)
+ if ace:
self.app.acl.remove(ace)
return redirect(request.referer)
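Review bot: `if ace:` on the line after the rebinding tests the truthiness of whatever `ACL.contains` returns instead of its documented None sentinel, so the removal depends on an ACE object being truthy; the same pattern now guards the deny check in has_access in Allura/allura/lib/security.py, where a falsy-but-present ACE would make the check fail open. Comparing against the sentinel is explicit and cheap: `if ace is not None:`. Rebinding `ace` also shadows the probe built on the previous line; a distinct name such as `existing` would make the remove target clearer. Only the first match is removed, which is fine provided an ACL never holds two deny ACEs for the same role and permission — worth confirming for data written before this commit, since the old reason-sensitive `in` check did not prevent that.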
@@ -625,7 +626,7 @@ class DefaultAdminController(BaseController):
elif ace.access == model.ACE.DENY:
role = model.ProjectRole.query.get(_id=ace.role_id)
if role.name is None and role.user:
- block_list[ace.permission].append((role.user, getattr(ace, 'reason', None)))
+ block_list[ace.permission].append((role.user, ace.reason))
return dict(
app=self.app,
allow_config=has_access(c.project, 'admin')(),
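Review bot: Dropping the `getattr(ace, 'reason', None)` fallback assumes every entry of `self.app.acl` now exposes a `reason` attribute, including ACEs persisted before the field was added to the ACE schema in Allura/allura/model/types.py. That holds if the schema fills missing fields with None when stored documents are loaded, which looks likely but is not visible here; a quick check against an existing project's ACL would settle it. The enclosing method starts outside the hunk.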
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/394ccc3b/Allura/allura/lib/security.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/security.py b/Allura/allura/lib/security.py
index c992cef..bbadb1b 100644
--- a/Allura/allura/lib/security.py
+++ b/Allura/allura/lib/security.py
@@ -292,7 +292,7 @@ def has_access(obj, permission, user=None, project=None):
roles = cred.user_roles(user_id=user._id, project_id=project._id).reaching_ids
user_role = user.project_role(project=project)
deny_user = M.ACE.deny(user_role._id, permission)
- if deny_user in obj.acl:
+ if M.ACL.contains(deny_user, obj.acl):
return False
chainable_roles = []
for rid in roles:
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/394ccc3b/Allura/allura/model/types.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/types.py b/Allura/allura/model/types.py
index fa7b332..73c4b3b 100644
--- a/Allura/allura/model/types.py
+++ b/Allura/allura/model/types.py
@@ -31,6 +31,7 @@ class ACE(S.Object):
super(ACE, self).__init__(
fields=dict(
access=S.OneOf(self.ALLOW, self.DENY),
+ reason=S.String(),
role_id=S.ObjectId(),
permission=permission),
**kwargs)
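Review bot: The new `reason` field carries no comment saying what it holds or that it is deliberately excluded from equality: `ACL.contains` in this file ignores it, while the admin block list in Allura/allura/app.py displays it. A one-line comment beside it, `# free-text note shown in the admin block list; ignored by ACL.contains`, records both facts where a reader of the schema will look for them. The enclosing ACE.__init__ starts outside the hunk.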
@@ -64,18 +65,24 @@ class ACL(S.Array):
super(ACL, self).__init__(
field_type=ACE(permissions), **kwargs)
- def __contains__(self, ace):
- """Test membership of ace in acl ignoring ace.reason field.
+ @classmethod
+ def contains(cls, ace, acl):
+ """Test membership of ace in acl ignoring ace.reason field.
+
+ Return actual ACE with reason filled if ace is found in acl, None otherwise
- e.g. `ace in acl` test should evaluate to True with following vars:
+ e.g. `ACL.contains(ace, acl)` will return `{role_id=ObjectId(...), permission='read', access='DENY', reason='Spammer'}`
+ with following vars:
- ace = M.ACE.deny(role_id, 'read')
- acl = [{role_id=ObjectId(...), permission='read', access='DENY', reason='Spammer'}]
- """
- def clear_reason(ace):
- return Object(access=ace.access, role_id=ace.role_id, permission=ace.permission)
+ ace = M.ACE.deny(role_id, 'read') # reason = None
+ acl = [{role_id=ObjectId(...), permission='read', access='DENY', reason='Spammer'}]
+ """
+ def clear_reason(ace):
+ return Object(access=ace.access, role_id=ace.role_id, permission=ace.permission)
- ace = Object(access=ace.access, role_id=ace.role_id, permission=ace.permission)
- return ace in map(clear_reason, self)
+ ace_without_reason = clear_reason(ace)
+ for a in acl:
+ if clear_reason(a) == ace_without_reason:
+ return a
DENY_ALL = ACE.deny(EVERYONE, ALL_PERMISSIONS)
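Review bot: `contains` falls off the end of the `for a in acl` loop with an implicit None, although its docstring promises `None otherwise`; an explicit `return None` after the loop puts the documented contract in the code. With `__contains__` removed, any `ace in obj.acl` test that this commit did not convert now compares the reason field as well and may stop matching stored deny ACEs that carry a reason, so a search for remaining `in` checks against acl lists would be worthwhile. The docstring would also read better with a blank line before the example assignments so the `with following vars:` line attaches to the example rather than the return description. The enclosing ACL.__init__ starts outside the hunk.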