B ` @sddlZddlmZddlmZddlmZddlmZe 4e dddl m Z mZmZmZmZmZmZWdQRXeZeZeZeZGdd d eZGd d d e Z Gd d d eZeZeeefZeeGdddZGdddZdS)N) implementer)IAuthorizationPolicy)lineage)is_nonstr_iterignore) ACLAllowed ACLDeniedAllowAllPermissionsList AuthenticatedDenyEveryonec@s eZdZdS)r N)__name__ __module__ __qualname__rr]/home/kop/projects/devel/pgwui/test_venv/lib/python3.7/site-packages/pyramid/authorization.pyr !sr c@s eZdZdS)rN)rrrrrrrr%src@s eZdZdS)rN)rrrrrrrr)src@s(eZdZdZddZddZddZdS) ACLAuthorizationPolicyaHAn :term:`authorization policy` which consults an :term:`ACL` object attached to a :term:`context` to determine authorization information about a :term:`principal` or multiple principals. This class is a wrapper around :class:`.ACLHelper`, refer to that class for more detailed documentation. Objects of this class implement the :class:`pyramid.interfaces.IAuthorizationPolicy` interface. .. deprecated:: 2.0 Authorization policies have been deprecated by the new security system. See :ref:`upgrading_auth_20` for more information. cCs t|_dS)N) ACLHelperhelper)selfrrr__init__CszACLAuthorizationPolicy.__init__cCs|j|||S)zReturn an instance of :class:`pyramid.authorization.ACLAllowed` instance if the policy permits access, return an instance of :class:`pyramid.authorization.ACLDenied` if not.)rpermits)rcontext principals permissionrrrrFszACLAuthorizationPolicy.permitscCs|j||S)zReturn the set of principals explicitly granted the permission named ``permission`` according to the ACL directly attached to the ``context`` as well as inherited ACLs based on the :term:`lineage`.)r principals_allowed_by_permission)rrrrrrrMsz7ACLAuthorizationPolicy.principals_allowed_by_permissionN)rrr__doc__rrrrrrrr1src@s eZdZdZddZddZdS)raXA helper for use with constructing a :term:`security policy` which consults an :term:`ACL` object attached to a :term:`context` to determine authorization information about a :term:`principal` or multiple principals. If the context is part of a :term:`lineage`, the context's parents are consulted for ACL information too. c Csd}xt|D]}y |j}Wntk r2wYnX|rFt|rF|}x\|D]T}|\}}} ||krLt| sp| g} || krL|tkrt|||||St|||||SqLWqWtd||||S)aGReturn an instance of :class:`pyramid.authorization.ACLAllowed` if the ACL allows access a user with the given principals, return an instance of :class:`pyramid.authorization.ACLDenied` if not. When checking if principals are allowed, the security policy consults the ``context`` for an ACL first. If no ACL exists on the context, or one does exist but the ACL does not explicitly allow or deny access for any of the effective principals, consult the context's parent ACL, and so on, until the lineage is exhausted or we determine that the policy permits or denies. During this processing, if any :data:`pyramid.authorization.Deny` ACE is found matching any principal in ``principals``, stop processing by returning an :class:`pyramid.authorization.ACLDenied` instance (equals ``False``) immediately. If any :data:`pyramid.authorization.Allow` ACE is found matching any principal, stop processing by returning an :class:`pyramid.authorization.ACLAllowed` instance (equals ``True``) immediately. If we exhaust the context's :term:`lineage`, and no ACE has explicitly permitted or denied access, return an instance of :class:`pyramid.authorization.ACLDenied` (equals ``False``). z0z)r__acl__AttributeErrorcallablerr rr) rrrracllocationZace ace_action ace_principalace_permissionsrrrr`s*    zACLHelper.permitsc Cst}xttt|D]}y |j}Wntk r<wYnXt}t}|r\t|r\|}x|D]x\}} } t| sz| g} |tkr|| kr| |kr| | |t krb|| krb| | | t krt}Pqb| |krb| | qbW| |qW|S)a,Return the set of principals explicitly granted the permission named ``permission`` according to the ACL directly attached to the ``context`` as well as inherited ACLs based on the :term:`lineage`. When computing principals allowed by a permission, we compute the set of principals that are explicitly granted the ``permission`` in the provided ``context``. We do this by walking 'up' the object graph *from the root* to the context. During this walking process, if we find an explicit :data:`pyramid.authorization.Allow` ACE for a principal that matches the ``permission``, the principal is included in the allow list. However, if later in the walking process that principal is mentioned in any :data:`pyramid.authorization.Deny` ACE for the permission, the principal is removed from the allow list. If a :data:`pyramid.authorization.Deny` to the principal :data:`pyramid.authorization.Everyone` is encountered during the walking process that matches the ``permission``, the allow list is cleared for all principals encountered in previous ACLs. The walking process ends after we've processed the any ACL directly attached to ``context``; a set of principals is returned. )setreversedlistrrrr rr addr r removeupdate) rrrallowedr"r!Z allowed_hereZ denied_herer#r$r%rrrrs2    z*ACLHelper.principals_allowed_by_permissionN)rrrrrrrrrrrWs:r)warningsZzope.interfacerZpyramid.interfacesrZpyramid.locationrZ pyramid.utilrcatch_warnings simplefilterZpyramid.securityrZ _ACLAllowedrZ _ACLDeniedr r Z_AllPermissionsListr r r ZALL_PERMISSIONSZDENY_ALLrrrrrrs$      .  &