
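--- a/Allura/allura/lib/security.py
+++ b/Allura/allura/lib/security.py
@@ -216,10 +216,14 @@
       then the function returns True and access is permitted. If the ACE DENYs
       access, then that role is removed from further consideration.
 
     - If the obj is not a Neighborhood and the given user has the 'admin'
       permission on the current neighborhood, then the function returns True and
+      access is allowed.
+
+    - If the obj is not a Project and the given user has the 'admin'
+      permission on the current project, then the function returns True and
       access is allowed.
 
     - If none of the ACEs on the object ALLOW access, and there are no more roles
       to be considered, then the function returns False and access is denied.
 
@@ -267,10 +271,12 @@
         if parent and chainable_roles:
             result = has_access(parent, permission, user=user, project=project)(
                 roles=tuple(chainable_roles))
         elif not isinstance(obj, M.Neighborhood):
             result = has_access(project.neighborhood, 'admin', user=user)()
+            if not (result or isinstance(obj, M.Project)):
+                result = has_access(project, 'admin', user=user)()
         else:
             result = False
         # log.info('%s: %s', txt, result)
         return result
     return TruthyCallable(predicate)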
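Review bot: The fallback added at new lines 276-277 grants whatever `permission` was asked for as soon as the user holds 'admin' on `project`, and where `project` comes from is not visible in this hunk. The docstring calls it the "current project"; if it can be taken from the caller's `project=` argument or the request context rather than from `obj`, admin rights on one project would apply to an object that belongs to another, so the grant should be tied to the object's own project and covered by a test in which an admin of a different project is refused. The branch also appears to run after the ACE handling, so it is worth stating in the new docstring bullet whether a DENY ACE on `obj` is meant to be overridden for project admins. I would put a comment above the new check, `# implicit grant: a project admin gets every permission on non-Project objects in this project; the isinstance guard stops the nested has_access call from recursing`. The predicate begins above the hunk, so the role and ACE loop could not be checked here.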