Okay, I've changed tack yet again after some discussion with Noah on IRC.

    http://swapoff.org/files/new-perms.diff
    http://swapoff.org/files/new-perms-core.diff

This patch is much less intrusive, and cleaner. The permission cache
methods are thus:

    def has_permission(self, action, resource=None):
    def has_some_permission(self, action):
    def assert_permission(self, action, resource=None):
    def assert_some_permission(self, action):
    def permissions(self): # TODO Remove the need for this. Only used in templates I believe?

All the resource ACL cruft has been removed. This can now be implemented
by plugins implementing the newly added IPermissionPolicy interface:

    class IPermissionPolicy(Interface):
        """ An extension point interface for enforcing permission policies. """

        def check_permission(username, action, resource):
            """ Does the user have permission to perform the given action on the
            resource? Must return True for allow, False for deny, or None if
            indifferent. `resource` can be None, indicating that action can be
            applied to any resource. """

        def check_some_permission(username, action):
            """ Determine whether the user has any permission to perform action
            at all. Same return semantics as check_permission() """

The existing IPermissionStore system has been re-implemented on top of
this interface.

Here's an example IPermissionPolicy implementation that blocks access to
ticket 666, for obvious reasons:

    from trac.core import *
    from trac.perm import IPermissionPolicy

    class Deny666(Component):
        implements(IPermissionPolicy)

        def check_permission(self, username, action, resource):
            self.env.log.debug("This is the Devil's work")
            if resource is not None and action.startswith('TICKET_') and \
                    int(resource) == 666:
                return False

        def check_some_permission(self, username, action):
            pass

And the configuration required to ensure the policies are applied in
the correct order:

    [interfaces]
    ipermissionpolicy = Deny666,DefaultPermissionPolicy

-- 
Evolution: Taking care of those too stupid to take care of themselves.
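
Added example, not part of the original message or of Trac's code: a stand-alone model of the tri-state policy chain described above, showing why the order in `ipermissionpolicy` matters. The resolution rule (first non-None verdict wins, deny when every policy is indifferent) is an assumption, and `StorePolicy`, `decide`, `GRANTS` and the two chain names are hypothetical.

```python
# Added illustration: a stand-alone model of the tri-state policy chain.
# It does not import Trac; every name except check_permission is hypothetical.

class Deny666Policy:
    def check_permission(self, username, action, resource):
        if resource is None or not action.startswith('TICKET_'):
            return None                      # indifferent
        try:
            ticket_id = int(resource)
        except (TypeError, ValueError):
            return None                      # non-numeric resource: no opinion
        return False if ticket_id == 666 else None


class StorePolicy:
    """Stand-in for a store-backed default: allow actions granted to the user."""
    def __init__(self, grants):
        self.grants = grants                 # {username: set(actions)}

    def check_permission(self, username, action, resource):
        return True if action in self.grants.get(username, ()) else None


def decide(policies, username, action, resource=None):
    """Assumed resolution rule: the first policy returning True/False wins;
    if every policy is indifferent (None), the request is denied."""
    for policy in policies:
        verdict = policy.check_permission(username, action, resource)
        if verdict is not None:
            return bool(verdict)
    return False


GRANTS = {'alice': {'TICKET_VIEW'}}                    # constructed sample data
GOOD_ORDER = [Deny666Policy(), StorePolicy(GRANTS)]    # deny policy listed first
BAD_ORDER = [StorePolicy(GRANTS), Deny666Policy()]     # allow shadows the deny

if __name__ == '__main__':
    for name, chain in (('deny first', GOOD_ORDER), ('store first', BAD_ORDER)):
        print(name, decide(chain, 'alice', 'TICKET_VIEW', '666'))
```

With the deny policy listed second, the store's allow verdict is returned before the deny policy is consulted, so the restriction never takes effect.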