Component representing a security-controlled user/app interaction

An interaction provides the necessary context to identify what security
rules should be used, and on whose behalf the action is being performed
(i.e. the principal). To determine if an access is allowed, you use the
interaction's allows() method.

To determine which set of security rules is to be applied, an
interaction supplies a permissionProtocol attribute, to which
abstract and concrete permissions will be adapted for checking. In the
simple case, IPermissionChecker is used as this permissionProtocol.
However, if one application extends a library or another application that
provides default security rules registered under IPermissionChecker,
the new application may wish to set the permissionProtocol to a
protocols.Variation of IPermissionChecker, in order to declare
new rules that take precedence over the defaults. For example:

    myRulesProtocol = protocols.Variation(IPermissionChecker)

    class MyRuleSet(security.RuleSet):
        # declare rules that override default rules
        pass

    MyRuleSet.declareRulesFor(myRulesProtocol)

    anInteraction = security.Interaction(
        parentComponent,
        permissionProtocol = myRulesProtocol,
        user = someUser
    )

The application could then check whether someUser has permissions
for various objects, using the rules defined for myRulesProtocol
(with fallback to any rules defined for IPermissionChecker).

Methods

allows(subject, name=None, permissionNeeded=NOT_GIVEN, user=NOT_GIVEN)

Return true if user has permissionNeeded for subject.

If user is not supplied, the interaction's user should be used. If
the permission is not supplied, subject should be adapted to
IGuardedObject in order to obtain the required permission.

Note that if subject does not support IGuardedObject, and the
required permission is not specified, then this method should always
return true when the name is None, and false otherwise. That is,
an unguarded object is accessible, but none of its attributes are.
(This is so that value objects such as numbers and strings don't need
permissions.)

This method should return a true value, or a security.Denial() with
an appropriate message value.
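
The allows() contract and the Variation fallback described above, modelled as an added stand-alone example (not PEAK's implementation and not part of the original page). RuleProtocol, permission_for, the Report class and the denial when no rule is registered are assumptions made for illustration; only the names Interaction, allows, Denial and NOT_GIVEN come from the text.

```python
# Stand-alone model of the documented allows() contract; this is not PEAK code.
NOT_GIVEN = object()
class Denial:
    """Falsy result carrying the reason access was refused."""
    def __init__(self, message):
        self.message = message
    def __bool__(self):
        return False

class RuleProtocol:
    """Hypothetical stand-in for a permission protocol or a Variation of one."""
    def __init__(self, base=None):
        self.base, self.rules = base, {}
    def find(self, permission):
        # Rules declared on this protocol win; otherwise fall back to the base.
        proto = self
        while proto is not None:
            if permission in proto.rules:
                return proto.rules[permission]
            proto = proto.base
        return None

class Interaction:
    def __init__(self, permissionProtocol, user=None):
        self.permissionProtocol, self.user = permissionProtocol, user
    def allows(self, subject, name=None, permissionNeeded=NOT_GIVEN, user=NOT_GIVEN):
        if user is NOT_GIVEN:
            user = self.user
        if permissionNeeded is NOT_GIVEN:
            guard = getattr(subject, "permission_for", None)  # models IGuardedObject
            if guard is None:
                # Unguarded: the object is accessible, its attributes are not.
                return True if name is None else Denial("unguarded attribute %r" % name)
            permissionNeeded = guard(name)
        rule = self.permissionProtocol.find(permissionNeeded)
        if rule is None:  # assumption of this model: no rule means denied
            return Denial("no rule for %r" % (permissionNeeded,))
        return rule(user, subject) or Denial("%r lacks %r" % (user, permissionNeeded))

class Report:  # constructed sample guarded object
    owner = "alice"
    def permission_for(self, name):
        return "view" if name is None else "edit"

defaults = RuleProtocol()
defaults.rules["view"] = lambda user, subject: True
defaults.rules["edit"] = lambda user, subject: True  # permissive library default
myRules = RuleProtocol(base=defaults)
myRules.rules["edit"] = lambda user, subject: user == subject.owner  # override
```

Because a Denial is falsy, callers can branch on the result directly and still read its message for logging or error reporting.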