'''
Created on Apr 5, 2011
@author: leifj
'''
from django.db import models
from django.db.models.fields import CharField, DateTimeField
from django.contrib.auth.models import Group, User
from django.db.models.fields.related import ForeignKey
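class AccessControlEntry(models.Model):
    """One access-control entry: a subject paired with a permission name.

    The subject is whichever of ``group`` / ``user`` is set.  An entry with
    both unset is the public ("anyone") entry that ``allow(obj, 'anyone', p)``
    creates.  Entries carry no reference to the protected object themselves
    (``related_name='+'`` disables the reverse accessors); presumably the
    protected object links to them through its own ``acl`` relation.

    NOTE(review): ``unique_together`` cannot dedupe rows whose ``group`` or
    ``user`` column is NULL (SQL NULLs never compare equal), so duplicate
    user-only, group-only or "anyone" rows are not prevented at the database
    level -- the ``allow_*`` helpers check for an existing entry first.
    """
    group = ForeignKey(Group, related_name='+', blank=True, null=True)
    user = ForeignKey(User, related_name='+', blank=True, null=True)
    permission = CharField(max_length=256)
    modify_time = DateTimeField(auto_now=True)
    create_time = DateTimeField(auto_now_add=True)

    def __unicode__(self):
        """Render as ``"<subject> can <permission>"``.

        Safe for every entry kind: the previous version dereferenced
        ``self.group`` unconditionally and raised ``AttributeError`` for
        user-only and "anyone" entries.
        """
        if self.group is not None:
            subject = self.group.__unicode__()
        elif self.user is not None:
            subject = self.user.__unicode__()
        else:
            subject = "anyone"
        return "%s can %s" % (subject, self.permission)

    class Meta:
        unique_together = (('group', 'permission'), ('user', 'permission'))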
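def allow(object, ug, permission):
    """Grant ``permission`` on ``object`` to the subject ``ug``.

    ``ug`` may be a ``Group``, a ``User``, or the string ``'anyone'``.  The
    last creates an entry with neither group nor user set; ``is_allowed``
    treats such an entry as granting to every caller without distinguishing
    authenticated from anonymous users, so grant it deliberately.

    Returns ``None``.  Raises ``Exception`` when ``object`` has no ``acl``
    attribute, or when ``ug`` is not one of the recognised subject kinds
    (previously an unrecognised string fell through silently, so a typo such
    as ``'anybody'`` looked like success while granting nothing).
    """
    if not hasattr(object, 'acl'):
        raise Exception("no acl property")
    if isinstance(ug, Group):
        return allow_group(object, ug, permission)
    if isinstance(ug, User):
        return allow_user(object, ug, permission)
    if ug == 'anyone':
        # Match only the true public entry.  Filtering on group=None alone
        # (as before) also matched user-specific entries, so any existing
        # per-user grant silently suppressed the public grant.  This also
        # mirrors the filter used by deny().
        ace = object.acl.filter(group=None, user=None, permission=permission)
        if not ace:
            ace = AccessControlEntry.objects.create(group=None, user=None, permission=permission)
            # NOTE(review): .append assumes object.acl is list-like; a Django
            # related manager would need .add() instead -- confirm against the
            # model that defines ``acl`` (not visible here).
            object.acl.append(ace)
        return None
    raise Exception("Don't know how to allow %s to do stuff" % repr(ug))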
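def deny(object, ug, permission):
    """Revoke ``permission`` on ``object`` from the subject ``ug``.

    ``ug`` may be a ``Group``, a ``User``, or the string ``'anyone'`` (the
    public entry with neither group nor user).  Revoking an entry that does
    not exist is a no-op.

    Returns ``None``.  Raises ``Exception`` when ``object`` has no ``acl``
    attribute, or when ``ug`` is not a recognised subject kind -- previously
    an unrecognised string fell through silently, which for a revocation
    means the caller believed access was removed when it was not.
    """
    if not hasattr(object, 'acl'):
        raise Exception("no acl property")
    if isinstance(ug, Group):
        return deny_group(object, ug, permission)
    if isinstance(ug, User):
        return deny_user(object, ug, permission)
    if ug == 'anyone':
        ace = object.acl.filter(user=None, group=None, permission=permission)
        if ace:
            # NOTE(review): ``ace`` is whatever .filter() returned (a queryset
            # if ``acl`` is a manager) and is handed to .remove() as a single
            # argument, exactly as before -- confirm .remove() accepts that.
            object.acl.remove(ace)
        return None
    # Message previously said "allow" (copy-paste from allow()).
    raise Exception("Don't know how to deny %s to do stuff" % repr(ug))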
def acl(object):
    """Return ``object.acl``, or an empty list when that attribute is falsy.

    Raises ``Exception`` if ``object`` has no ``acl`` attribute at all.
    """
    if not hasattr(object, 'acl'):
        raise Exception("no acl property")
    entries = object.acl
    return entries if entries else []
def allow_user(object, user, permission):
    """Add an entry granting ``permission`` to ``user`` on ``object``.

    Does nothing when ``object.acl`` already holds a matching entry.
    Returns ``None``.
    """
    existing = object.acl.filter(user=user, permission=permission)
    if existing:
        return
    new_ace = AccessControlEntry.objects.create(user=user, permission=permission)
    object.acl.append(new_ace)
def deny_user(object, user, permission):
    """Remove ``user``'s entry for ``permission`` from ``object.acl``.

    No-op when no matching entry exists.  Returns ``None``.
    """
    matching = object.acl.filter(user=user, permission=permission)
    if not matching:
        return
    object.acl.remove(matching)
def allow_group(object, group, permission):
    """Add an entry granting ``permission`` to ``group`` on ``object``.

    Does nothing when ``object.acl`` already holds a matching entry.
    Returns ``None``.
    """
    existing = object.acl.filter(group=group, permission=permission)
    if existing:
        return
    new_ace = AccessControlEntry.objects.create(group=group, permission=permission)
    object.acl.append(new_ace)
def deny_group(object, group, permission):
    """Remove ``group``'s entry for ``permission`` from ``object.acl``.

    No-op when no matching entry exists.  Returns ``None``.
    """
    matching = object.acl.filter(group=group, permission=permission)
    if not matching:
        return
    object.acl.remove(matching)
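def is_allowed(object, user, permission):
    """Return ``True`` if ``user`` holds ``permission`` on ``object``.

    An entry for ``permission`` grants access when it:
      * names neither a group nor a user (the public ``'anyone'`` entry), or
      * names ``user`` directly, or
      * names a group that ``user`` belongs to.

    Raises ``Exception`` when ``object`` has no ``acl`` attribute.

    Security fix: the previous test ``not ace.group`` also fired for
    user-specific entries (whose ``group`` is ``None``), so granting a
    permission to a single user leaked it to every caller.  The public
    entry is now recognised only when both ``group`` and ``user`` are unset.
    """
    if not hasattr(object, 'acl'):
        raise Exception("no acl property")
    # XXX use more sql here
    member_of = None  # user's groups, fetched once, only if a group entry is seen
    for ace in object.acl.filter(permission=permission):
        if ace.group is None and ace.user is None:
            return True
        if ace.user is not None and ace.user == user:
            return True
        if ace.group is not None:
            if member_of is None:
                # ``user.groups`` is a related manager; test membership against
                # its queryset (.all()) rather than the manager object, which
                # does not support ``in``.
                member_of = list(user.groups.all())
            if ace.group in member_of:
                return True
    return False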