On Sun, Apr 16, 2006 at 06:35:52PM +0200, Christian Boos wrote:
> Alec Thomas wrote:
> >What about this:
> >
> >    class PermissionCache(object):
> >        def has_permission(self, action, resource_type=None,
> >                           resource_id=None):
> >        def assert_permission(self, action, resource_type=None,
> >                              resource_id=None):
> >        def permissions(self, resource_type=None, resource_id=None):
> >
> >and
> >
> >    class IPermissionPolicy(Interface):
> >        def check_permission(username, action, resource_type, resource_id):
> >
> >?
> >
>
> Exactly!

Righto, patch is updated with this API. It definitely feels cleaner.

Updated Deny666:

    def check_permission(self, username, action, resource_type, resource_id):
        if resource_type == 'ticket' and int(resource_id) == 666:
            return False
        return None

Updated TagPolicy:

    def check_permission(self, username, action, resource_type, resource_id):
        if resource_type is None: return None
        if resource_type in ('wiki', 'ticket'):
            from tractags.api import TagEngine
            _, permission = action.lower().split('_')
            tags = TagEngine(self.env).get_tags([resource_id],
                                                tagspaces=[resource_type])
            # Explicitly denied?
            if ':-'.join((username, permission)) in tags:
                return False
            # Find all meta actions this one belongs to and make the
            # appropriate tags out of them
            actions = [permission] + PermissionSystem(self.env). \
                      get_meta_actions(action)
            ptags = set([':'.join((username, p.split('_')[1].lower()))
                         for p in actions if
                         p.lower().startswith(resource_type)])
            if ptags.intersection(tags):
                return True

One slightly nasty bit is when finding parent meta actions from an
action (eg. WIKI_ADMIN from WIKI_VIEW), you can't explicitly tell what
resource_type the meta action is for. One solution would be to
modify/extend IPermissionRequestor to also return the resource types the
permission is applicable to, with the empty set meaning all.

Perhaps a new method:

    def get_applicable_resource_types(self):
        yield 'wiki'

??

> >This could almost be part of your jihad to clarify the distinction between
> >client/server related objects? :) Probably a good idea though
>
> No, actually the above was part of my TracObject jihad :)
>
> But the distinction client/server is also interesting to make there.
> Currently (i.e. in the quite aging trac-xref branch), the TracObjects
> used to know about their environment (self.env), but now I think it
> also makes sense that they know about the request (self.req).
I think that could lend itself to some interesting caching
opportunities. Permission caching per object, per request, for example.
--
Evolution: Taking care of those too stupid to take care of themselves.
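
Added example (not part of the original mail and not Trac's code): a minimal PermissionCache that walks a list of policies with the check_permission signature above and caches each decision for the life of one request. The first-non-None-wins ordering, the deny when every policy abstains, the GrantTable class, the policy_calls counter and the string comparison in Deny666 are assumptions of this sketch.

```python
# Added illustration; not Trac code. Policy ordering, default-deny and the
# cache key are assumptions made for this sketch.

class Deny666(object):
    """Deny666 from the mail; compares as a string so that a missing or
    non-numeric resource_id abstains instead of raising."""
    def check_permission(self, username, action, resource_type, resource_id):
        if resource_type == 'ticket' and str(resource_id) == '666':
            return False
        return None


class GrantTable(object):
    """Hypothetical stand-in for a default policy backed by a grant table."""
    def __init__(self, grants):
        self.grants = grants              # {username: set of actions}

    def check_permission(self, username, action, resource_type, resource_id):
        return True if action in self.grants.get(username, ()) else None


class PermissionCache(object):
    """Per-user, per-request cache using the method names proposed above."""
    def __init__(self, username, policies):
        self.username = username
        self.policies = policies
        self._cache = {}
        self.policy_calls = 0             # instrumentation for the example

    def has_permission(self, action, resource_type=None, resource_id=None):
        key = (action, resource_type, resource_id)
        if key not in self._cache:
            self._cache[key] = self._decide(*key)
        return self._cache[key]

    def _decide(self, action, resource_type, resource_id):
        for policy in self.policies:
            self.policy_calls += 1
            decision = policy.check_permission(
                self.username, action, resource_type, resource_id)
            if decision is not None:      # True or False ends the search
                return decision
        return False                      # every policy abstained: deny

    def assert_permission(self, action, resource_type=None, resource_id=None):
        if not self.has_permission(action, resource_type, resource_id):
            raise PermissionError(action)
```

Under the assumed first-answer-wins rule, a veto policy such as Deny666 only takes effect when it is listed before any policy that can grant.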