UserAuthorization
Once a user has been identified, it needs to be authorized to perform an action.

AccessControl/ImplPython.py contains the Python implementation of SecurityManager.

- User.py validate(request, auth, roles):
    # at this stage, roles has already been established in ZPublisher/BaseRequest.py:
    roles = getattr(object, '__roles__', UNSPECIFIED_ROLES)
  - def validate(object, container, name, value, roles):
      # We found a user and the user wasn't the emergency user.
      # We need to authorize the user against the published object.
      if self.authorize(user, a, c, n, v, roles): ...
    - def authorize(user, object, container, name, value, roles)
      - getSecurityManager().validate()
        - For more information about SecurityManager see http://www.zope.org/Members/jim/ZopeSecurity/SecurityManager/wikipage_view
        - ImplPython/SecurityManager.validate
          - self._policy.validate(object, container, name, value, self._context, roles)
            - Note that ZopeSecurityPolicy.py is empty. All the logic is in AccessControl/ImplPython.py
            - ImplPython/ZopeSecurityPolicy.validate
              - The simplest case uses:
                  context.user.allowed(value, roles)
                - which calls User.py/BasicUser.allowed
                  - def allowed(object, object_roles):
                      # Matches user.getRoles() with object.__roles__
                      user_roles = user.getRoles()
                      for role in object_roles:
                          if role in user_roles:
                              # see note about _check_context below
                              if self._check_context(object):
                                  return 1
                    - _check_context
                      - Check that object exists in the acquisition context of the parent of the acl_users object containing this user, to prevent "stealing" access through acquisition tricks.
                          # Return true if in context, false if not or if context
                          # cannot be determined (object is not wrapped).
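As an added example (not Zope's own code), a minimal model of the two steps above: the role match in BasicUser.allowed and the acquisition-context check in _check_context. Node, User and in_context_of are constructed stand-ins; the site layout is made up, and a context that cannot be determined is treated here as "not in context".

```python
# Constructed model of BasicUser.allowed + _check_context (not Zope code).
# A role match alone is not enough: the published object must also lie in the
# acquisition context of the folder that owns the user's acl_users, otherwise
# access could be "stolen" through acquisition tricks.

class Node:
    """Stand-in for a Zope object; __parent__ models the acquisition chain."""
    def __init__(self, name, parent=None):
        self.name = name
        self.__parent__ = parent

def in_context_of(obj, context):
    """True if context is obj itself or an ancestor along obj's __parent__ chain."""
    while obj is not None:
        if obj is context:
            return True
        obj = getattr(obj, '__parent__', None)
    return False

class User:
    """Stand-in for BasicUser; __parent__ is the acl_users folder holding the user."""
    def __init__(self, name, roles, acl_users):
        self.name = name
        self.roles = list(roles)
        self.__parent__ = acl_users

    def check_context(self, obj):
        # As in the page's _check_context: the context is the parent of acl_users.
        acl_users = getattr(self, '__parent__', None)
        context = getattr(acl_users, '__parent__', None)
        if context is None:
            return False  # assumption of this model: undeterminable context fails
        return in_context_of(obj, context)

    def allowed(self, obj, object_roles):
        # As in the page's allowed(): a role match only grants access when the
        # object is inside this user's acquisition context.
        for role in object_roles:
            if role in self.roles:
                return self.check_context(obj)
        return False

# Constructed layout: /root/site/acl_users defines alice with the Manager role.
root = Node('root')
site = Node('site', parent=root)
site_acl = Node('acl_users', parent=site)
alice = User('alice', ['Manager'], site_acl)
doc_inside = Node('doc', parent=site)       # lives under site: in alice's context
doc_outside = Node('secret', parent=root)   # sibling of site: outside her context
doc_unwrapped = Node('loose')               # no acquisition chain at all
```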