--- a/Allura/allura/model/project.py
+++ b/Allura/allura/model/project.py
@@ -23,6 +23,7 @@
from .session import project_doc_session, project_orm_session
from .neighborhood import Neighborhood
from .auth import ProjectRole
+from .types import ACL, ACE
from filesystem import File
@@ -78,14 +79,8 @@
database=FieldProperty(S.Deprecated)
database_uri=FieldProperty(str)
is_root=FieldProperty(bool)
- acl = FieldProperty({
- 'create':[S.ObjectId], # create subproject
- 'read':[S.ObjectId], # read project
- 'update':[S.ObjectId], # update project metadata
- 'delete':[S.ObjectId], # delete project, subprojects
- 'tool':[S.ObjectId], # install/delete/configure tools
- 'security':[S.ObjectId], # update ACL, roles
- })
+ acl = FieldProperty(ACL(permissions=[
+ 'read', 'update', 'admin', 'create']))
neighborhood_invitations=FieldProperty([S.ObjectId])
neighborhood = RelationProperty(Neighborhood)
app_configs = RelationProperty('AppConfig')
@@ -97,6 +92,9 @@
ordinal = FieldProperty(int, if_missing=0)
database_configured = FieldProperty(bool, if_missing=True)
_extra_tool_status = FieldProperty([str])
+
+ def parent_security_context(self):
+ return self.parent_project
@classmethod
def default_database_uri(cls, shortname):
@@ -213,14 +211,12 @@
return ProjectCategory.query.find(dict(_id=self.category_id)).first()
def roleids_with_permission(self, name):
- roles = []
+ roles = set()
for p in self.parent_iter():
- for roleid in p.acl[name]:
- roles.append(roleid)
- for roleid in self.acl[name]:
- if roleid not in roles:
- roles.append(roleid)
- return roles
+ for ace in p.acl:
+ if ace.permission == name and ace.access == ACE.alllow:
+ roles.add(ace.role_id)
+ return list(roles)
def sitemap(self):
from allura.app import SitemapEntry
@@ -309,8 +305,7 @@
cfg = AppConfig(
project_id=self._id,
tool_name=ep.name,
- options=options,
- acl=dict((p,[]) for p in App.permissions))
+ options=options)
app = App(self, cfg)
with h.push_config(c, project=self, app=app):
session(cfg).flush()
@@ -408,13 +403,14 @@
# Setup subroles
role_admin.roles = [ role_developer._id ]
role_developer.roles = [ role_member._id ]
- self.acl['create'] = [ role_admin._id ]
- self.acl['read'] = [ role_admin._id, role_developer._id, role_member._id,
- role_anon._id ]
- self.acl['update'] = [ role_admin._id ]
- self.acl['delete'] = [ role_admin._id ]
- self.acl['tool'] = [ role_admin._id ]
- self.acl['security'] = [ role_admin._id ]
+ self.acl = [
+ ACE.allow(role_admin._id, 'create'),
+ ACE.allow(role_admin._id, 'update'),
+ ACE.allow(role_admin._id, 'admin'),
+ ACE.allow(role_admin._id, 'read'),
+ ACE.allow(role_developer._id, 'read'),
+ ACE.allow(role_member._id, 'read'),
+ ACE.allow(role_anon._id, 'read')]
for user in users:
pr = user.project_role()
pr.roles = [ role_admin._id, role_developer._id, role_member._id ]
@@ -454,8 +450,10 @@
project = RelationProperty(Project, via='project_id')
discussion = RelationProperty('Discussion', via='discussion_id')
- # acl[permission] = [ role1, role2, ... ]
- acl = FieldProperty({str:[S.ObjectId]})
+ acl = FieldProperty(ACL())
+
+ def parent_security_context(self):
+ return None
def load(self):
"""
@@ -481,19 +479,3 @@
def breadcrumbs(self):
return self.project.breadcrumbs() + [
(self.options.mount_point, self.url()) ]
-
- def grant_permission(self, permission, role=None):
- from . import auth
- if role is None: role = c.user
- if not isinstance(role, auth.ProjectRole):
- role = role.project_role()
- if role._id not in self.acl[permission]:
- self.acl[permission].append(role._id)
-
- def revoke_permission(self, permission, role=None):
- from . import auth
- if role is None: role = c.user
- if not isinstance(role, auth.ProjectRole):
- role = role.project_role()
- if role._id in self.acl[permission]:
- self.acl[permission].remove(role._id)