##############################################################################
#
# Copyright (c) 2001, 2002 Zope Foundation and Contributors.
# All Rights Reserved.
#
# This software is subject to the provisions of the Zope Public License,
# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
# FOR A PARTICULAR PURPOSE.
#
##############################################################################
"""
Default :class:`zope.security.interfaces.ISecurityManagement` and
:class:`zope.security.interfaces.IInteractionManagement` implementation.
Note that this module itself provides those interfaces.
"""
from zope.interface import moduleProvides
from zope.security.checker import CheckerPublic
from zope.security.interfaces import IInteractionManagement
from zope.security.interfaces import ISecurityManagement
from zope.security.interfaces import NoInteraction
from zope.security.simplepolicies import ParanoidSecurityPolicy
from zope.security._definitions import thread_local
from zope.security._definitions import system_user
# Public API of this module; it mirrors the functions that implement
# ISecurityManagement and IInteractionManagement below.
__all__ = [
    'system_user',
    'getSecurityPolicy',
    'setSecurityPolicy',
    'queryInteraction',
    'getInteraction',
    'ExistingInteraction',
    'newInteraction',
    'endInteraction',
    'restoreInteraction',
    'checkPermission',
]
# Module-level default policy. It is a plain global (not stored on
# thread_local), so one value applies to every caller of getSecurityPolicy().
# newInteraction() calls it with the participations to build an interaction.
_defaultPolicy = ParanoidSecurityPolicy
# Declare that the module object itself provides both interfaces, as the
# module docstring states.
moduleProvides(
    ISecurityManagement,
    IInteractionManagement)
#
# ISecurityManagement implementation
#
def getSecurityPolicy():
    """Return the current system default security policy.

    This is the module-level ``_defaultPolicy``: ``ParanoidSecurityPolicy``
    until :func:`setSecurityPolicy` installs something else.
    """
    policy = _defaultPolicy
    return policy
def setSecurityPolicy(aSecurityPolicy):
    """Install *aSecurityPolicy* as the system default; return the old one.

    Only system startup code should call this. It should never be called
    during, for example, a web request: the default is a single module-level
    global, and :func:`newInteraction` reads it every time an interaction is
    started.

    :param aSecurityPolicy: The new default policy. It is stored as given,
        with no validation here.
    :return: The policy that was the default before this call.
    """
    global _defaultPolicy
    previous = _defaultPolicy
    _defaultPolicy = aSecurityPolicy
    return previous
#
# IInteractionManagement implementation
#
def queryInteraction():
    """Return the interaction stored on ``thread_local``, or ``None``.

    Unlike :func:`getInteraction`, a missing interaction is reported by
    returning ``None`` rather than by raising.
    """
    try:
        return thread_local.interaction
    except AttributeError:
        return None
def getInteraction():
    """Return the interaction stored on ``thread_local``.

    :raise NoInteraction: If no interaction is currently set.
    """
    try:
        current = thread_local.interaction
    except AttributeError:
        # The attribute only exists while an interaction is active.
        raise NoInteraction
    return current
class ExistingInteraction(ValueError, AssertionError):
    """Raised by :func:`newInteraction` when an interaction is already active.

    ``AssertionError`` is kept among the bases for backward compatibility
    (the original marks it ``BBB``), so handlers written against the older
    exception type still catch this one.
    """
def newInteraction(*participations):
    """Start a new interaction built from *participations*.

    The current default security policy is called with the participations
    and the result is stored on ``thread_local`` as the active interaction.

    :raise ExistingInteraction: If an interaction is already active. The
        active interaction is left in place; it is never silently replaced.
    """
    active = queryInteraction()
    if active is not None:
        raise ExistingInteraction(
            "newInteraction called while another interaction is active.")
    policy_factory = getSecurityPolicy()
    thread_local.interaction = policy_factory(*participations)
def endInteraction():
    """End the current interaction, saving it for :func:`restoreInteraction`.

    Calling this with no active interaction is not an error.
    """
    try:
        ending = thread_local.interaction
    except AttributeError:
        # Nothing is active. A later restore must then return to "no
        # interaction", so drop any interaction saved by an earlier
        # endInteraction() call instead of leaving it to be restored.
        try:
            del thread_local.previous_interaction
        except AttributeError:
            pass
        return
    thread_local.previous_interaction = ending
    del thread_local.interaction
def restoreInteraction():
    """Reinstate the interaction saved by the last :func:`endInteraction`.

    If an interaction was saved, it becomes the active one again, replacing
    whatever is active at the time of the call. If nothing was saved, any
    active interaction is removed, so the result is "no interaction".
    """
    try:
        saved = thread_local.previous_interaction
    except AttributeError:
        # No saved interaction: restore to the "none active" state.
        try:
            del thread_local.interaction
        except AttributeError:
            pass
        return
    thread_local.interaction = saved
def checkPermission(permission, object, interaction=None):
    """Return whether the security policy allows *permission* on *object*.

    :param str permission: A permission name.
    :param object: The object being accessed according to the permission.
    :param interaction: An interaction, providing access to information
        such as authenticated principals. If it is None, the current
        interaction is used.
    :return: A boolean value. ``checkPermission`` is guaranteed to
        return ``True`` if *permission* is
        :data:`zope.security.checker.CheckerPublic` or ``None``.
    :raise NoInteraction: If there is no current interaction and no
        interaction argument was given.
    """
    # NOTE: ``None`` is granted exactly like the public permission, and this
    # happens before any interaction is consulted. Callers must therefore not
    # pass ``None`` to mean "permission unknown" or "lookup failed".
    if permission is None or permission is CheckerPublic:
        return True
    active = interaction
    if active is None:
        try:
            active = thread_local.interaction
        except AttributeError:
            # No explicit interaction and none active: raise rather than
            # answer, so a missing security context is never read as a grant.
            raise NoInteraction
    return active.checkPermission(permission, object)
def _clear():
    """Reset the default security policy to ``ParanoidSecurityPolicy``.

    Registered below as a ``zope.testing`` cleanup hook when that package is
    importable.
    """
    global _defaultPolicy
    _defaultPolicy = ParanoidSecurityPolicy
# zope.testing is optional. When it is importable, register two cleanup
# hooks: one resets the default policy to ParanoidSecurityPolicy, the other
# ends any interaction still active. Presumably this keeps security state
# from carrying over between tests.
try:
    from zope.testing.cleanup import addCleanUp
except ImportError: # pragma: no cover
    pass
else:
    addCleanUp(_clear)
    addCleanUp(endInteraction)