This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8556-breaking-removal
in repository https://gitbox.apache.org/repos/asf/allura.git

commit c68d64fd2146099937b9ec0bb9c6f4c4388f2dc3
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Wed Apr 3 14:01:41 2024 -0400

    [#8556] unindent block
---
 Allura/allura/lib/security.py | 111 +++++++++++++++++++++---------------------
 1 file changed, 55 insertions(+), 56 deletions(-)

diff --git a/Allura/allura/lib/security.py b/Allura/allura/lib/security.py
index a762af965..4547b8dd5 100644
--- a/Allura/allura/lib/security.py
+++ b/Allura/allura/lib/security.py
@@ -346,64 +346,63 @@ def has_access(obj, permission: str, user: M.User | None 
= None, project: M.Proj
 
     DEBUG = False
 
-    if True:
-        if obj is None:
-            if DEBUG:
-                log.debug(f'{user} denied {permission} on {debug_obj(obj)} 
({debug_obj(project)})')
-            return False
-        if roles is None:
-            if user is None:
-                user = c.user
-            assert user, 'c.user should always be at least M.User.anonymous()'
-            cred = Credentials.get()
-            if project is None:
-                if isinstance(obj, M.Neighborhood):
-                    project = obj.neighborhood_project
-                    if project is None:
-                        log.error('Neighborhood project missing for %s', obj)
-                        return False
-                elif isinstance(obj, M.Project):
-                    project = obj.root_project
-                else:
-                    project = getattr(obj, 'project', None) or c.project
-                    project = project.root_project
-            roles: RoleCache = cred.user_roles(user_id=user._id, 
project_id=project._id).reaching_roles
-
-        # TODO: move deny logic into loop below; see ticket [#6715]
-        if is_denied(obj, permission, user, project):
-            if DEBUG:
-                log.debug(f"{user.username} '{permission}' denied on 
{debug_obj(obj)} ({debug_obj(project)})")
-            return False
-
-        chainable_roles = []
-        for role in roles:
-            for ace in obj.acl:
-                if M.ACE.match(ace, role['_id'], permission):
-                    if ace.access == M.ACE.ALLOW:
-                        # access is allowed
-                        if DEBUG:
-                            log.debug(f"{user.username} '{permission}' granted 
on {debug_obj(obj)} ({debug_obj(project)})")
-                        return True
-                    else:
-                        # access is denied for this particular role
-                        if DEBUG:
-                            log.debug(f"{user.username} '{permission}' denied 
for role={role['name'] or role['_id']} (BUT continuing to see if other roles 
permit) on {debug_obj(obj)} ({debug_obj(project)})")
-                        break
+    if obj is None:
+        if DEBUG:
+            log.debug(f'{user} denied {permission} on {debug_obj(obj)} 
({debug_obj(project)})')
+        return False
+    if roles is None:
+        if user is None:
+            user = c.user
+        assert user, 'c.user should always be at least M.User.anonymous()'
+        cred = Credentials.get()
+        if project is None:
+            if isinstance(obj, M.Neighborhood):
+                project = obj.neighborhood_project
+                if project is None:
+                    log.error('Neighborhood project missing for %s', obj)
+                    return False
+            elif isinstance(obj, M.Project):
+                project = obj.root_project
             else:
-                # access neither allowed or denied, may chain to parent context
-                chainable_roles.append(role)
-        parent = obj.parent_security_context()
-        if parent and chainable_roles:
-            result = has_access(parent, permission, user=user, 
project=project, roles=tuple(chainable_roles))
-        elif not isinstance(obj, M.Neighborhood):
-            result = has_access(project.neighborhood, 'admin', user=user)
-            if not (result or isinstance(obj, M.Project)):
-                result = has_access(project, 'admin', user=user)
-        else:
-            result = False
+                project = getattr(obj, 'project', None) or c.project
+                project = project.root_project
+        roles: RoleCache = cred.user_roles(user_id=user._id, 
project_id=project._id).reaching_roles
+
+    # TODO: move deny logic into loop below; see ticket [#6715]
+    if is_denied(obj, permission, user, project):
         if DEBUG:
-            log.debug(f"{user.username} '{permission}' {result} from parent(s) 
on {debug_obj(obj)} ({debug_obj(project)})")
-        return result
+            log.debug(f"{user.username} '{permission}' denied on 
{debug_obj(obj)} ({debug_obj(project)})")
+        return False
+
+    chainable_roles = []
+    for role in roles:
+        for ace in obj.acl:
+            if M.ACE.match(ace, role['_id'], permission):
+                if ace.access == M.ACE.ALLOW:
+                    # access is allowed
+                    if DEBUG:
+                        log.debug(f"{user.username} '{permission}' granted on 
{debug_obj(obj)} ({debug_obj(project)})")
+                    return True
+                else:
+                    # access is denied for this particular role
+                    if DEBUG:
+                        log.debug(f"{user.username} '{permission}' denied for 
role={role['name'] or role['_id']} (BUT continuing to see if other roles 
permit) on {debug_obj(obj)} ({debug_obj(project)})")
+                    break
+        else:
+            # access neither allowed or denied, may chain to parent context
+            chainable_roles.append(role)
+    parent = obj.parent_security_context()
+    if parent and chainable_roles:
+        result = has_access(parent, permission, user=user, project=project, 
roles=tuple(chainable_roles))
+    elif not isinstance(obj, M.Neighborhood):
+        result = has_access(project.neighborhood, 'admin', user=user)
+        if not (result or isinstance(obj, M.Project)):
+            result = has_access(project, 'admin', user=user)
+    else:
+        result = False
+    if DEBUG:
+        log.debug(f"{user.username} '{permission}' {result} from parent(s) on 
{debug_obj(obj)} ({debug_obj(project)})")
+    return result
 
 
 def all_allowed(obj, user_or_role=None, project=None):
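Review bot: The `assert user, 'c.user should always be at least M.User.anonymous()'` line in the `if roles is None:` branch is the only check that a user was resolved before `cred.user_roles(...)` is called, and assertions are stripped when Python runs with `-O`. In an authorization function an explicit guard is more robust, for example `if not user: return False`, so the decision fails closed regardless of interpreter flags. That guard also runs only when `roles` is None. A caller that supplies `roles` but omits `user` or `project` appears to reach `is_denied(obj, permission, user, project)` and `project.neighborhood` with None values, which is worth confirming against the call sites. Both points are existing behaviour carried through the re-indent, and `has_access` starts above this hunk.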
