This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8556-breaking-removal in repository https://gitbox.apache.org/repos/asf/allura.git
commit c68d64fd2146099937b9ec0bb9c6f4c4388f2dc3 Author: Dave Brondsema <dbronds...@slashdotmedia.com> AuthorDate: Wed Apr 3 14:01:41 2024 -0400 [#8556] unindent block --- Allura/allura/lib/security.py | 111 +++++++++++++++++++++--------------------- 1 file changed, 55 insertions(+), 56 deletions(-)
diff --git a/Allura/allura/lib/security.py b/Allura/allura/lib/security.py
index a762af965..4547b8dd5 100644
--- a/Allura/allura/lib/security.py
+++ b/Allura/allura/lib/security.py
@@ -346,64 +346,63 @@ def has_access(obj, permission: str, user: M.User | None = None, project: M.Proj
 DEBUG = False
- if True:
- if obj is None:
- if DEBUG:
- log.debug(f'{user} denied {permission} on {debug_obj(obj)} ({debug_obj(project)})')
- return False
- if roles is None:
- if user is None:
- user = c.user
- assert user, 'c.user should always be at least M.User.anonymous()'
- cred = Credentials.get()
- if project is None:
- if isinstance(obj, M.Neighborhood):
- project = obj.neighborhood_project
- if project is None:
- log.error('Neighborhood project missing for %s', obj)
- return False
- elif isinstance(obj, M.Project):
- project = obj.root_project
- else:
- project = getattr(obj, 'project', None) or c.project
- project = project.root_project
- roles: RoleCache = cred.user_roles(user_id=user._id, project_id=project._id).reaching_roles
-
- # TODO: move deny logic into loop below; see ticket [#6715]
- if is_denied(obj, permission, user, project):
- if DEBUG:
- log.debug(f"{user.username} '{permission}' denied on {debug_obj(obj)} ({debug_obj(project)})")
- return False
-
- chainable_roles = []
- for role in roles:
- for ace in obj.acl:
- if M.ACE.match(ace, role['_id'], permission):
- if ace.access == M.ACE.ALLOW:
- # access is allowed
- if DEBUG:
- log.debug(f"{user.username} '{permission}' granted on {debug_obj(obj)} ({debug_obj(project)})")
- return True
- else:
- # access is denied for this particular role
- if DEBUG:
- log.debug(f"{user.username} '{permission}' denied for role={role['name'] or role['_id']} (BUT continuing to see if other roles permit) on {debug_obj(obj)} ({debug_obj(project)})")
- break
+ if obj is None:
+ if DEBUG:
+ log.debug(f'{user} denied {permission} on {debug_obj(obj)} ({debug_obj(project)})')
+ return False
+ if roles is None:
+ if user is None:
+ user = c.user
+ assert user, 'c.user should always be at least M.User.anonymous()'
+ cred = Credentials.get()
+ if project is None:
+ if isinstance(obj, M.Neighborhood):
+ project = obj.neighborhood_project
+ if project is None:
+ log.error('Neighborhood project missing for %s', obj)
+ return False
+ elif isinstance(obj, M.Project):
+ project = obj.root_project
 else:
- # access neither allowed or denied, may chain to parent context
- chainable_roles.append(role)
- parent = obj.parent_security_context()
- if parent and chainable_roles:
- result = has_access(parent, permission, user=user, project=project, roles=tuple(chainable_roles))
- elif not isinstance(obj, M.Neighborhood):
- result = has_access(project.neighborhood, 'admin', user=user)
- if not (result or isinstance(obj, M.Project)):
- result = has_access(project, 'admin', user=user)
- else:
- result = False
+ project = getattr(obj, 'project', None) or c.project
+ project = project.root_project
+ roles: RoleCache = cred.user_roles(user_id=user._id, project_id=project._id).reaching_roles
+
+ # TODO: move deny logic into loop below; see ticket [#6715]
+ if is_denied(obj, permission, user, project):
 if DEBUG:
- log.debug(f"{user.username} '{permission}' {result} from parent(s) on {debug_obj(obj)} ({debug_obj(project)})")
- return result
+ log.debug(f"{user.username} '{permission}' denied on {debug_obj(obj)} ({debug_obj(project)})")
+ return False
+
+ chainable_roles = []
+ for role in roles:
+ for ace in obj.acl:
+ if M.ACE.match(ace, role['_id'], permission):
+ if ace.access == M.ACE.ALLOW:
+ # access is allowed
+ if DEBUG:
+ log.debug(f"{user.username} '{permission}' granted on {debug_obj(obj)} ({debug_obj(project)})")
+ return True
+ else:
+ # access is denied for this particular role
+ if DEBUG:
+ log.debug(f"{user.username} '{permission}' denied for role={role['name'] or role['_id']} (BUT continuing to see if other roles permit) on {debug_obj(obj)} ({debug_obj(project)})")
+ break
+ else:
+ # access neither allowed or denied, may chain to parent context
+ chainable_roles.append(role)
+ parent = obj.parent_security_context()
+ if parent and chainable_roles:
+ result = has_access(parent, permission, user=user, project=project, roles=tuple(chainable_roles))
+ elif not isinstance(obj, M.Neighborhood):
+ result = has_access(project.neighborhood, 'admin', user=user)
+ if not (result or isinstance(obj, M.Project)):
+ result = has_access(project, 'admin', user=user)
+ else:
+ result = False
+ if DEBUG:
+ log.debug(f"{user.username} '{permission}' {result} from parent(s) on {debug_obj(obj)} ({debug_obj(project)})")
+ return result
 def all_allowed(obj, user_or_role=None, project=None):