src/zope/security/management.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

##############################################################################
#
# Copyright (c) 2001, 2002 Zope Foundation and Contributors.
# All Rights Reserved.
#
# This software is subject to the provisions of the Zope Public License,
# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
# FOR A PARTICULAR PURPOSE.
#
##############################################################################
"""Default 'ISecurityManagement' and 'IInteractionManagement' implementation
"""

from zope.interface import moduleProvides

from zope.security.checker import CheckerPublic
from zope.security.interfaces import IInteractionManagement
from zope.security.interfaces import ISecurityManagement
from zope.security.interfaces import NoInteraction
from zope.security.simplepolicies import ParanoidSecurityPolicy
from zope.security._definitions import thread_local
from zope.security._definitions import system_user # API?


_defaultPolicy = ParanoidSecurityPolicy

moduleProvides(
    ISecurityManagement,
    IInteractionManagement)

#
#   ISecurityManagement implementation
#

def getSecurityPolicy():
    """Get the system default security policy."""
    return _defaultPolicy

def setSecurityPolicy(aSecurityPolicy):
    """Set the system default security policy, and return the previous
    value.

    This method should only be called by system startup code.
    It should never, for example, be called during a web request.
    """
    global _defaultPolicy

    last, _defaultPolicy = _defaultPolicy, aSecurityPolicy

    return last


#
#   IInteractionManagement implementation
#

def queryInteraction():
    return getattr(thread_local, 'interaction', None)

def getInteraction():
    """Get the current interaction."""
    try:
        return thread_local.interaction
    except AttributeError:
        raise NoInteraction

class ExistingInteraction(ValueError,
                          AssertionError, #BBB
                         ):
    pass

def newInteraction(*participations):
    """Start a new interaction."""
    if queryInteraction() is not None:
        raise ExistingInteraction("newInteraction called"
                                  " while another interaction is active.")
    thread_local.interaction = getSecurityPolicy()(*participations)

def endInteraction():
    """End the current interaction."""

    try:
        thread_local.previous_interaction = thread_local.interaction
    except AttributeError:
        # if someone does a restore later, it should be restored to not having
        # an interaction.  If there was a previous interaction from a previous
        # call to endInteraction, it should be removed.
        try:
            del thread_local.previous_interaction
        except AttributeError:
            pass
    else:
        del thread_local.interaction

def restoreInteraction():
    try:
        previous = thread_local.previous_interaction
    except AttributeError:
        try:
            del thread_local.interaction
        except AttributeError:
            pass
    else:
        thread_local.interaction = previous

def checkPermission(permission, object, interaction=None):
    """Return whether security policy allows permission on object.

    'permission' is a permission name.

    'object' is the object being accessed according to the permission.

    'interaction' is an interaction, providing access to information
    such as authenticated principals.  If it is None, the current
    interaction is used.

    checkPermission is guaranteed to return True if permission is
    CheckerPublic or None.
    """
    if permission is CheckerPublic or permission is None:
        return True
    if interaction is None:
        try:
            interaction = thread_local.interaction
        except AttributeError:
            raise NoInteraction
    return interaction.checkPermission(permission, object)


def _clear():
    global _defaultPolicy
    _defaultPolicy = ParanoidSecurityPolicy

try:
    from zope.testing.cleanup import addCleanUp
except ImportError: # pragma: no cover
    pass
else:
    addCleanUp(_clear)
    addCleanUp(endInteraction)