diff --git a/roundup/security.py b/roundup/security.py --- a/roundup/security.py +++ b/roundup/security.py @@ -13,7 +13,6 @@ - klass (optional) - properties (optional) - check function (optional) - - klass_check flag (optional) The klass may be unset, indicating that this permission is not locked to a particular class. That means there may be multiple @@ -25,10 +24,5 @@ If check function is set, permission is granted only when the function returns value interpreted as boolean true. The function is called with arguments db, userid, itemid. - - If klass_check is True, the check function will be - called even if the itemid is None; allowing - check functions to operate on class-wide tests - such as searchable(). ''' def __init__(self, name='', description='', klass=None, @@ -33,9 +27,9 @@ ''' def __init__(self, name='', description='', klass=None, - properties=None, check=None, klass_check=False): + properties=None, check=None): self.name = name self.description = description self.klass = klass self.properties = properties self._properties_dict = support.TruthDict(properties) self.check = check @@ -36,10 +30,9 @@ self.name = name self.description = description self.klass = klass self.properties = properties self._properties_dict = support.TruthDict(properties) self.check = check - self.klass_check = klass_check def test(self, db, permission, classname, property, userid, itemid): if permission != self.name: @@ -54,10 +47,10 @@ return 0 # check code - if (itemid is not None or self.klass_check) and self.check is not None: + if itemid is not None and self.check is not None: if not self.check(db, userid, itemid): return 0 # we have a winner return 1 
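Review bot: Dropping the `klass_check` keyword from `Permission.__init__` (the `properties=None, check=None):` line) leaves no migration path for callers that still pass it, and `searchable()` is narrowed the same way in a later hunk. `addPermission(self, **propspec)` presumably forwards its keywords to this constructor, so a tracker schema that still passes `klass_check=True` would fail with a TypeError at load time; that fails closed, but it is an outage on upgrade. I would record the removal where integrators will see it, for example a line in the class docstring such as `klass_check is no longer accepted; a Permission with a check function never matches a class-level search.`, and repeat it in the upgrade notes.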
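Review bot: With `if itemid is not None and self.check is not None:` the check function is skipped whenever `itemid` is None, so control reaches `return 1` and a class-level test of a check-guarded permission is granted unconditionally. That is the pre-klass_check behaviour being restored, but nothing at this site says so, and a caller that treats the class-level result as sufficient would bypass the check function. I would add a comment above the condition such as `# no item to test: the check function is skipped, so a class-level match does not imply access to any particular item`. The body of `test()` begins outside this hunk, so the earlier return paths were not reviewed.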
@@ -58,10 +51,10 @@ if not self.check(db, userid, itemid): return 0 # we have a winner return 1 - def searchable(self, db, userid, classname, property): + def searchable(self, classname, property): """ A Permission is searchable for the given permission if it doesn't include a check method and otherwise matches the given parameters. @@ -78,8 +71,7 @@ return 0 if self.check: - if not self.klass_check or not self.check(db, userid, None): - return 0 + return 0 return 1 @@ -95,7 +87,6 @@ if self.klass != other.klass: return 1 if self.properties != other.properties: return 1 if self.check != other.check: return 1 - if self.klass_check != other.klass_check: return 1 # match return 0 @@ -206,7 +197,7 @@ return 1 return 0 - def roleHasSearchPermission(self, userid, classname, property, *rolenames): + def roleHasSearchPermission(self, classname, property, *rolenames): """ For each of the given roles, check the permissions. Property can be a transitive property. """ @@ -235,7 +226,7 @@ except KeyError: break for perm in perms: - if perm.searchable(self.db, userid, cn, propname): + if perm.searchable(cn, propname): break else: break @@ -250,7 +241,7 @@ props = dict.fromkeys(('id', cls.labelprop(), cls.orderprop())) for p in props.iterkeys(): for perm in perms: - if perm.searchable(self.db, userid, prop.classname, p): + if perm.searchable(prop.classname, p): break else: return 0 @@ -270,8 +261,8 @@ Note that classname *and* property are mandatory arguments. Contrary to hasPermission, the search will *not* match if - there are additional item-specific constraints found on a Permission - (namely a check function without klass_check=True). + there are additional constraints (namely a search function) + on a Permission found. Concerning property, the Permission matched must have either no properties listed or the property must appear in 
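Review bot: In `searchable()` the new `if self.check:` tests truthiness, while `test()` in the same class uses `self.check is not None`; the two should agree so that a permission cannot count as check-guarded in one method and unguarded in the other. I would write `if self.check is not None:` and add the reason as a comment, for example `# a check function needs an item, so it can never be satisfied for a search`. The start of `searchable()` is in the previous hunk and its middle is outside the diff.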
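Review bot: Removing the leading `userid` parameter from `roleHasSearchPermission(self, classname, property, *rolenames)` will not raise for a stale caller, because `*rolenames` absorbs the extra positional argument. A call still written as `roleHasSearchPermission(userid, classname, property, *roles)` binds the user id to `classname`, the class name to `property` and the property to the first role name. The rest of the body is outside the hunk, so whether that mis-bound call fails closed cannot be confirmed from here. All callers outside this file should be audited, and the docstring should state the change, for example `The userid argument was removed; classname is now the first argument.`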
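Review bot: The rewritten `hasSearchPermission` docstring says the search will not match if there are additional constraints "(namely a search function)", but the constraint that `searchable()` rejects is a check function; no search function appears anywhere in this diff. The wording matters because this docstring is the only statement of the search-permission contract for schema authors. I would change the two lines to `there are additional constraints (namely a check function)` and `found on a Permission.`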
@@ -279,7 +270,7 @@ ''' roles = [r for r in self.db.user.get_roles(userid) if r and self.role.has_key(r)] - return self.roleHasSearchPermission (userid, classname, property, *roles) + return self.roleHasSearchPermission (classname, property, *roles) def addPermission(self, **propspec): ''' Create a new Permission with the properties defined in