{ "info": { "author": "Zope Foundation and Contributors", "author_email": "zope-dev@zope.org", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Environment :: Web Environment", "Framework :: Zope3", "Intended Audience :: Developers", "License :: OSI Approved :: Zope Public License", "Natural Language :: English", "Operating System :: OS Independent", "Programming Language :: Python", "Topic :: Internet :: WWW/HTTP" ], "description": "The objectpolicy package makes it easy to override the default\nzope.securitypolicy.zopepolicy on an object by object basis.\n\n.. contents::\n\nBy default all objects use the zopepolicy. Objects that want to have\ntheir own policy should have a marker interface `IObjectPolicyMarker`\nand have an adapter to `IObjectPolicy`.\n\n------\nLevels\n------\n\nThere are two levels supported.\n\n- The low level is the SecurityMap.getCell level.\n Here the permissions are stored by principal or role.\n This also works with ZopePolicy as the security policy.\n Uses Allow, Deny, Unset values.\n Permissions descend (with ZopePolicy) to child objects or views.\n See:\n\n - IObjectPolicy.getPrincipalPermission\n - IObjectPolicy.getRolePermission\n - lowlevel.txt\n\n Installation:\n Drop the z3c.objectpolicy-configure.zcml in the instance/etc folder.\n\n- The high level is the ISecurityPolicy.checkPermission level.\n Here the permission is usually `summarized` for the principal by its\n roles, groups and object parent/child relations.\n ZopePolicy has to be overridden by the ObjectPolicy security policy.\n Permissions do not descend to child objects or views.\n Uses True -- access, False -- no access values.\n See:\n\n - IObjectPolicy.checkPermission\n - highlevel.txt\n\n Installation:\n Override ZopePolicy in the instance/etc/securitypolicy.zcml\n\n\n----------------------------------\nBasic Setup 
(for high level tests)\n----------------------------------\n\nA good but not perfect example is the `the user needs to be able to modify\nits own properties` problem.\n\n >>> from zope import interface, component\n >>> from zope.annotation.interfaces import IAttributeAnnotatable\n >>> from zope.container.interfaces import IContained\n >>> from zope.container.contained import Contained\n >>> from z3c.objectpolicy.interfaces import IObjectPolicy\n >>> from z3c.objectpolicy.interfaces import IObjectPolicyMarker\n >>> class IPerson(interface.Interface):\n ... \"\"\"a person interface for a person class\"\"\"\n ...\n >>> class Person(Contained):\n ... interface.implements(\n ... IObjectPolicyMarker,\n ... IAttributeAnnotatable,\n ... IPerson)\n ... def __init__(self, id, name):\n ... self.id = id\n ... self.name = name\n ... self.groups = []\n ...\n >>> class otherKlass(object):\n ... #This class does NOT implement IObjectPolicyMarker\n ... interface.implements(\n ... IAttributeAnnotatable)\n ... def __init__(self, id):\n ... self.id = id\n\nThese permissions will be allowed for the principal on the Person object\nif the current principal == Person\n\n >>> ALLOW_FOR_SELF = [\"zope.View\",\n ... \"zope.app.dublincore.view\",\n ... \"zope.ManageContent\"]\n\nCounter to see how many times the adapter fires\n\n >>> TRIP_WIRE = 0\n\nThis is the custom policy adapter which determines the permission.\nWatch out, this is just a little bit different from the lowlevel example!\n\n >>> from z3c.objectpolicy.objectpolicy import DefaultObjectPolicyAdapter\n >>> class PersonPolicy(DefaultObjectPolicyAdapter):\n ... component.adapts(IPerson)\n ... interface.implements(IObjectPolicy)\n ...\n ... def __init__(self, context):\n ... #context is a Person\n ... self.context = context\n ...\n ... def checkPermission(self, manager, permissionid):\n ... #print permissionid, str(self.context)\n ... return self.checkPermissionForParticipation(manager, permissionid)\n ...\n ... 
def checkPermissionForParticipant(self, manager, principal, permissionid):\n ... global TRIP_WIRE\n ... TRIP_WIRE += 1\n ... if principal.id == self.context.id:\n ... #we have the same Person in the participation\n ... if permissionid in ALLOW_FOR_SELF:\n ... #we have the Person and the Permission\n ... return True\n ...\n ... #no Person or Permission found\n ... #return the Z3 default permissions\n ... return super(PersonPolicy, self).checkPermissionForParticipant(\n ... manager, principal, permissionid)\n ...\n >>> component.provideAdapter(PersonPolicy)\n\nInstall the ObjectPolicy, setup for testing.\n\n >>> from z3c.objectpolicy.objectpolicy import ObjectPrincipalPermissionManager\n >>> from z3c.objectpolicy.objectpolicy import ObjectRolePermissionManager\n >>> from z3c.objectpolicy.objectpolicy import ObjectPolicy\n\n >>> component.provideAdapter(ObjectPrincipalPermissionManager)\n >>> component.provideAdapter(ObjectRolePermissionManager)\n\n >>> bela = Person('b-id', 'bela')\n >>> joe = Person('j-id', 'joe')\n\n >>> class Participation:\n ... 
interaction = None\n >>> participation = Participation()\n >>> participation.principal = joe\n >>> import zope.security.management\n >>> oldPolicy = zope.security.management.setSecurityPolicy(ObjectPolicy)\n >>> zope.security.management.endInteraction()\n >>> zope.security.management.newInteraction(participation)\n >>> interaction = zope.security.management.getInteraction()\n\nLet's see a simple permission check\n-----------------------------------\n\n`joe` has `ManageContent` access to `joe` without granting any permission\n\n >>> interaction.checkPermission('zope.ManageContent', joe)\n True\n >>> TRIP_WIRE\n 1\n\n`joe` has no `SomePermission` access to `joe` because that's not listed\nin ALLOW_FOR_SELF\n\n >>> interaction.checkPermission('myapp.SomePermission', joe)\n False\n >>> TRIP_WIRE\n 2\n\n`joe` has NO `ManageContent` access to `bela`\n\n >>> interaction.checkPermission('zope.ManageContent', bela)\n False\n >>> TRIP_WIRE\n 3\n\n >>> from zope.securitypolicy.interfaces import IPrincipalPermissionManager\n >>> prinperBela = IPrincipalPermissionManager(bela)\n >>> prinperJoe = IPrincipalPermissionManager(joe)\n >>> prinperBela.grantPermissionToPrincipal('zope.ManageContent', 'j-id')\n\nWhen we grant permission `joe` to `bela`,\n`joe` has `ManageContent` access to `bela`\n\n >>> interaction.checkPermission('zope.ManageContent', bela)\n True\n >>> TRIP_WIRE\n 4\n\nGranting permission works for any arbitrary permission also\n\n >>> prinperJoe.grantPermissionToPrincipal('myapp.SomePermission', 'j-id')\n >>> interaction.checkPermission('myapp.SomePermission', joe)\n True\n >>> TRIP_WIRE\n 5\n\nObjects without IObjectPolicyMarker behave as before.\nWithout granting -- no permission\n\n >>> otherObject = otherKlass('o-id')\n >>> prinperOther = IPrincipalPermissionManager(otherObject)\n >>> interaction.checkPermission('zope.ManageContent', otherObject)\n False\n >>> TRIP_WIRE\n 5\n\n >>> prinperOther.grantPermissionToPrincipal('zope.ManageContent', 'j-id')\n >>> 
interaction.checkPermission('zope.ManageContent', otherObject)\n True\n >>> TRIP_WIRE\n 5\n\nCheck what happens when the marker is there, but there is no adapter\n\n >>> class otherKlassWOadapter(object):\n ... #This class implements IObjectPolicyMarker but has no IObjectPolicy adapter\n ... interface.implements(\n ... IAttributeAnnotatable,\n ... IObjectPolicyMarker)\n ... def __init__(self, id):\n ... self.id = id\n\n >>> otherObjectWO = otherKlassWOadapter('oa-id')\n >>> interaction.checkPermission('zope.ManageContent', otherObjectWO)\n False\n\nNo permission, maybe something should be written to the log?\n\nNow a more complicated, parent-child setup\n------------------------------------------\n\n >>> from zope.container.sample import SampleContainer\n >>> from zope.location.location import locate\n >>> class IPersonContainer(interface.Interface):\n ... \"\"\"a person container interface\"\"\"\n ...\n >>> class PersonContainer(SampleContainer):\n ... interface.implements(\n ... IAttributeAnnotatable,\n ... IPersonContainer)\n ... def __init__(self, id):\n ... self.id = id\n ... super(PersonContainer, self).__init__()\n ...\n >>> class BrowserView(object):\n ... interface.implements(\n ... 
IContained)\n ...\n\nThe layout is:\n users(PersonContainer)\n jack(Person)\n editJack(BrowserView)\n jane(Person)\n editJane(BrowserView)\n\n >>> users = PersonContainer('users')\n >>> jack = Person('jack-id','jack')\n >>> users['jack'] = jack\n >>> locate(jack, users, 'jack')\n >>> jane = Person('jane-id','jane')\n >>> users['jane'] = jane\n >>> locate(jane, users, 'jane')\n\n >>> editJack = BrowserView()\n >>> locate(editJack, jack, None)\n >>> editJane = BrowserView()\n >>> locate(editJane, jane, None)\n\n >>> prinperUsers = IPrincipalPermissionManager(users)\n >>> prinperJack = IPrincipalPermissionManager(jack)\n >>> prinperJane = IPrincipalPermissionManager(jane)\n\n >>> participation = Participation()\n\nThe principal acting is jack\n\n >>> participation.principal = jack\n >>> zope.security.management.endInteraction()\n >>> zope.security.management.newInteraction(participation)\n >>> interaction = zope.security.management.getInteraction()\n\nWhen we don't grant permission, jack has permission only to itself; at this level\nit does not extend to its editView.\n\n >>> interaction.checkPermission('zope.ManageContent', users)\n False\n >>> interaction.checkPermission('zope.ManageContent', jack)\n True\n >>> interaction.checkPermission('zope.ManageContent', editJack)\n False\n >>> interaction.checkPermission('zope.ManageContent', jane)\n False\n >>> interaction.checkPermission('zope.ManageContent', editJane)\n False\n\nWhen we grant jane permission, jack still has the same.\n\n >>> prinperUsers.grantPermissionToPrincipal('zope.ManageContent', 'jane-id')\n >>> interaction.checkPermission('zope.ManageContent', users)\n False\n >>> interaction.checkPermission('zope.ManageContent', jack)\n True\n >>> interaction.checkPermission('zope.ManageContent', editJack)\n False\n >>> interaction.checkPermission('zope.ManageContent', jane)\n False\n >>> interaction.checkPermission('zope.ManageContent', editJane)\n False\n\nWhen we grant jack permission, he will have permission for the whole pack.\n\n >>> 
prinperUsers.grantPermissionToPrincipal('zope.ManageContent', 'jack-id')\n >>> interaction.checkPermission('zope.ManageContent', users)\n True\n >>> interaction.checkPermission('zope.ManageContent', jack)\n True\n >>> interaction.checkPermission('zope.ManageContent', editJack)\n True\n >>> interaction.checkPermission('zope.ManageContent', jane)\n True\n >>> interaction.checkPermission('zope.ManageContent', editJane)\n True\n\n\nCleanup\n-------\n\nWe clean up the changes we made in these examples:\n\n >>> zope.security.management.endInteraction()\n >>> ignore = zope.security.management.setSecurityPolicy(oldPolicy)\n\n\n---------------------------------\nBasic Setup (for low level tests)\n---------------------------------\n\nA good but not perfect example is the `the user needs to be able to modify\nits own properties` problem.\n\n >>> from zope import interface, component\n >>> from zope.annotation.interfaces import IAttributeAnnotatable\n >>> from zope.container.interfaces import IContained\n >>> from zope.container.contained import Contained\n >>> from z3c.objectpolicy.interfaces import IObjectPolicy\n >>> from z3c.objectpolicy.interfaces import IObjectPolicyMarker\n >>> class IPerson(interface.Interface):\n ... \"\"\"a person interface for a person class\"\"\"\n ...\n >>> class Person(Contained):\n ... interface.implements(\n ... IObjectPolicyMarker,\n ... IAttributeAnnotatable,\n ... IPerson)\n ... def __init__(self, id, name):\n ... self.id = id\n ... self.name = name\n ... self.groups = []\n ...\n >>> class otherKlass(object):\n ... #This class does NOT implement IObjectPolicyMarker\n ... interface.implements(\n ... IAttributeAnnotatable)\n ... def __init__(self, id):\n ... self.id = id\n\nThese permissions will be allowed for the principal on the Person object\nif the current principal == Person\n\n >>> ALLOW_FOR_SELF = [\"zope.View\",\n ... \"zope.app.dublincore.view\",\n ... 
\"zope.ManageContent\"]\n\nCounter to see how many times the adapter fires\n\n >>> TRIP_WIRE = 0\n\nThis is the custom policy adapter which determines the permission.\n\n >>> from zope.securitypolicy.interfaces import Allow, Deny, Unset\n >>> from z3c.objectpolicy.objectpolicy import DefaultObjectPolicyAdapter\n >>> class PersonPolicy(DefaultObjectPolicyAdapter):\n ... component.adapts(IPerson)\n ... interface.implements(IObjectPolicy)\n ...\n ... def __init__(self, context):\n ... #context is a Person\n ... self.context = context\n ...\n ... def getPrincipalPermission(self, manager, permissionid, principalid, default):\n ... global TRIP_WIRE\n ... TRIP_WIRE += 1\n ... if principalid == self.context.id:\n ... #we have the same Person in the participation\n ... if permissionid in ALLOW_FOR_SELF:\n ... #we have the Person and the Permission\n ... return Allow\n ...\n ... #no Person or Permission found\n ... #return the Z3 default permissions\n ... return super(PersonPolicy, self).getPrincipalPermission(\n ... manager, permissionid, principalid, default)\n ...\n >>> component.provideAdapter(PersonPolicy)\n\nInstall the ObjectPolicy, setup for testing.\n\n >>> from z3c.objectpolicy.objectpolicy import ObjectPrincipalPermissionManager\n >>> from z3c.objectpolicy.objectpolicy import ObjectRolePermissionManager\n\n >>> component.provideAdapter(ObjectPrincipalPermissionManager)\n >>> component.provideAdapter(ObjectRolePermissionManager)\n\n >>> bela = Person('b-id', 'bela')\n >>> joe = Person('j-id', 'joe')\n\n >>> class Participation:\n ... 
interaction = None\n >>> participation = Participation()\n >>> participation.principal = joe\n >>> import zope.security.management\n >>> from zope.securitypolicy.zopepolicy import ZopeSecurityPolicy\n >>> oldPolicy = zope.security.management.setSecurityPolicy(ZopeSecurityPolicy)\n >>> zope.security.management.endInteraction()\n >>> zope.security.management.newInteraction(participation)\n >>> interaction = zope.security.management.getInteraction()\n\nLet's see a simple permission check\n-----------------------------------\n\n`joe` has `ManageContent` access to `joe` without granting any permission\n\n >>> interaction.checkPermission('zope.ManageContent', joe)\n True\n >>> TRIP_WIRE\n 1\n\n`joe` has no `SomePermission` access to `joe` because that's not listed\nin ALLOW_FOR_SELF\n\n >>> interaction.checkPermission('myapp.SomePermission', joe)\n False\n >>> TRIP_WIRE\n 2\n\n`joe` has NO `ManageContent` access to `bela`\n\n >>> interaction.checkPermission('zope.ManageContent', bela)\n False\n >>> TRIP_WIRE\n 3\n\n >>> from zope.securitypolicy.interfaces import IPrincipalPermissionManager\n >>> prinperBela = IPrincipalPermissionManager(bela)\n >>> prinperJoe = IPrincipalPermissionManager(joe)\n >>> prinperBela.grantPermissionToPrincipal('zope.ManageContent', 'j-id')\n\nWhen we grant permission `joe` to `bela`,\n`joe` has `ManageContent` access to `bela`\n\n >>> interaction.checkPermission('zope.ManageContent', bela)\n True\n >>> TRIP_WIRE\n 4\n\nGranting permission works for any arbitrary permission also\n\n >>> prinperJoe.grantPermissionToPrincipal('myapp.SomePermission', 'j-id')\n >>> interaction.checkPermission('myapp.SomePermission', joe)\n True\n >>> TRIP_WIRE\n 5\n\nObjects without IObjectPolicyMarker behave as before.\nWithout granting -- no permission\n\n >>> otherObject = otherKlass('o-id')\n >>> prinperOther = IPrincipalPermissionManager(otherObject)\n >>> interaction.checkPermission('zope.ManageContent', otherObject)\n False\n >>> TRIP_WIRE\n 5\n\n >>> 
prinperOther.grantPermissionToPrincipal('zope.ManageContent', 'j-id')\n >>> interaction.checkPermission('zope.ManageContent', otherObject)\n True\n >>> TRIP_WIRE\n 5\n\nCheck what happens when the marker is there, but there is no adapter\n\n >>> class otherKlassWOadapter(object):\n ... #This class implements IObjectPolicyMarker but has no IObjectPolicy adapter\n ... interface.implements(\n ... IAttributeAnnotatable,\n ... IObjectPolicyMarker)\n ... def __init__(self, id):\n ... self.id = id\n\n >>> otherObjectWO = otherKlassWOadapter('oa-id')\n >>> interaction.checkPermission('zope.ManageContent', otherObjectWO)\n False\n\nNo permission, maybe something should be written to the log?\n\nNow a more complicated, parent-child setup\n------------------------------------------\n\n >>> from zope.container.sample import SampleContainer\n >>> from zope.location.location import locate\n >>> class IPersonContainer(interface.Interface):\n ... \"\"\"a person container interface\"\"\"\n ...\n >>> class PersonContainer(SampleContainer):\n ... interface.implements(\n ... IAttributeAnnotatable,\n ... IPersonContainer)\n ... def __init__(self, id):\n ... self.id = id\n ... super(PersonContainer, self).__init__()\n ...\n >>> class BrowserView(object):\n ... interface.implements(\n ... 
IContained)\n ...\n\nThe layout is:\n users(PersonContainer)\n jack(Person)\n editJack(BrowserView)\n jane(Person)\n editJane(BrowserView)\n\n >>> users = PersonContainer('users')\n >>> jack = Person('jack-id','jack')\n >>> users['jack'] = jack\n >>> locate(jack, users, 'jack')\n >>> jane = Person('jane-id','jane')\n >>> users['jane'] = jane\n >>> locate(jane, users, 'jane')\n\n >>> editJack = BrowserView()\n >>> locate(editJack, jack, None)\n >>> editJane = BrowserView()\n >>> locate(editJane, jane, None)\n\n >>> prinperUsers = IPrincipalPermissionManager(users)\n >>> prinperJack = IPrincipalPermissionManager(jack)\n >>> prinperJane = IPrincipalPermissionManager(jane)\n\n >>> participation = Participation()\n\nThe principal acting is jack\n\n >>> participation.principal = jack\n >>> zope.security.management.endInteraction()\n >>> zope.security.management.newInteraction(participation)\n >>> interaction = zope.security.management.getInteraction()\n\nWhen we don't grant permission, only jack has permission to itself and to its\neditView.\n\n >>> interaction.checkPermission('zope.ManageContent', users)\n False\n >>> interaction.checkPermission('zope.ManageContent', jack)\n True\n >>> interaction.checkPermission('zope.ManageContent', editJack)\n True\n >>> interaction.checkPermission('zope.ManageContent', jane)\n False\n >>> interaction.checkPermission('zope.ManageContent', editJane)\n False\n\nWhen we grant jane permission, jack still has the same.\n\n >>> prinperUsers.grantPermissionToPrincipal('zope.ManageContent', 'jane-id')\n >>> interaction.checkPermission('zope.ManageContent', users)\n False\n >>> interaction.checkPermission('zope.ManageContent', jack)\n True\n >>> interaction.checkPermission('zope.ManageContent', editJack)\n True\n >>> interaction.checkPermission('zope.ManageContent', jane)\n False\n >>> interaction.checkPermission('zope.ManageContent', editJane)\n False\n\nWhen we grant jack permission, he will have permission for the whole pack.\n\n >>> 
prinperUsers.grantPermissionToPrincipal('zope.ManageContent', 'jack-id')\n >>> interaction.checkPermission('zope.ManageContent', users)\n True\n >>> interaction.checkPermission('zope.ManageContent', jack)\n True\n >>> interaction.checkPermission('zope.ManageContent', editJack)\n True\n >>> interaction.checkPermission('zope.ManageContent', jane)\n True\n >>> interaction.checkPermission('zope.ManageContent', editJane)\n True\n\n\nCleanup\n-------\n\nWe clean up the changes we made in these examples:\n\n >>> zope.security.management.endInteraction()\n >>> ignore = zope.security.management.setSecurityPolicy(oldPolicy)\n\n\n-------\nCHANGES\n-------\n\n0.1 (2010-08-10)\n----------------\n\n- Initial release.", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://cheeseshop.python.org/pypi/z3c.objectpolicy", "keywords": "zope3 z3c objectpolicy", "license": "ZPL 2.1", "maintainer": null, "maintainer_email": null, "name": "z3c.objectpolicy", "package_url": "https://pypi.org/project/z3c.objectpolicy/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/z3c.objectpolicy/", "project_urls": { "Download": "UNKNOWN", "Homepage": "http://cheeseshop.python.org/pypi/z3c.objectpolicy" }, "release_url": "https://pypi.org/project/z3c.objectpolicy/0.1/", "requires_dist": null, "requires_python": null, "summary": "objectpolicy for Zope3", "version": "0.1" }, "last_serial": 802058, "releases": { "0.1": [ { "comment_text": "", "digests": { "md5": "b6bda9a4b499fdb65799eb861c22ba41", "sha256": "be202c5b8e1798d3981b3108f8f35ae4d6cce10b8dee30c5f902a88ce7a7abc7" }, "downloads": -1, "filename": "z3c.objectpolicy-0.1.tar.gz", "has_sig": false, "md5_digest": "b6bda9a4b499fdb65799eb861c22ba41", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 16237, "upload_time": "2010-08-10T08:18:00", "url": 
"https://files.pythonhosted.org/packages/e8/99/26e87f3ec2c63ea86f9db6078fda12ac3497062af17494dd1c7f4bcc3ebb/z3c.objectpolicy-0.1.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "b6bda9a4b499fdb65799eb861c22ba41", "sha256": "be202c5b8e1798d3981b3108f8f35ae4d6cce10b8dee30c5f902a88ce7a7abc7" }, "downloads": -1, "filename": "z3c.objectpolicy-0.1.tar.gz", "has_sig": false, "md5_digest": "b6bda9a4b499fdb65799eb861c22ba41", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 16237, "upload_time": "2010-08-10T08:18:00", "url": "https://files.pythonhosted.org/packages/e8/99/26e87f3ec2c63ea86f9db6078fda12ac3497062af17494dd1c7f4bcc3ebb/z3c.objectpolicy-0.1.tar.gz" } ] }