adhocracy_core.authorization package

Authorization with roles/local roles mapped to adhocracy principals.

interface IRootACMExtension

Marker interface for the ACM extension of the application root.

acm_extension_adapter(context: adhocracy_core.interfaces.IResource) → dict

Dummy adapter to extend the root_acm.

class RoleACLAuthorizationPolicy

Bases: pyramid.authorization.ACLAuthorizationPolicy

An authorization policy supporting the creator local role.

permits(context: adhocracy_core.interfaces.IResource, principals: list, permission: str) → pyramid.security.ACLPermitsResult

Check permission for context. Read interface docstring.

set_local_roles(resource, new_local_roles: dict, registry: pyramid.registry.Registry)

Set the local roles mapping to new_local_roles.

Parameters: new_local_roles (dict) – Mapping from groupid/userid to a set of roles for the resource:

{'system.Everyone': {'role:reader'}}

If the resource's local roles and the new_local_roles differ, set the new_local_roles via setattr and send an adhocracy_core.interfaces.ILocalRolesModified to notify others. The ACL of the resource is updated with the permissions added by the local roles.

add_local_roles(resource, additional_local_roles: dict, registry: pyramid.registry.Registry)

Add roles to the existing local roles mapping.

get_local_roles(resource) → dict

Return the local roles of the resource.

get_local_roles_all(resource) → dict

Return the local roles of the resource and its parents.

The creator role is ignored.

acm_to_acl(acm: dict) → [str]

Convert an Access Control Matrix into a pyramid ACL.

To avoid generating too many ACEs, actions which are None will not generate an ACE.

Permissions for principals with high priority are listed first and override succeeding permissions. The order is determined by adhocracy_core.schema.ROLE_PRINCIPALS. Principals with a higher index in this list have higher priority.
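
The ordering and None-skipping rules described for acm_to_acl, as an added example that is not adhocracy_core's own code. The ACM layout (a principals list plus one action column per principal), the ROLE_ORDER value standing in for adhocracy_core.schema.ROLE_PRINCIPALS, and the names acm_to_acl_sketch and first_match are assumptions made for this illustration.

```python
# Added illustration, not adhocracy_core's implementation.
# Assumed ACM layout: {"principals": [...], "permissions": [[permission, action, ...], ...]}
# with one action column per principal. ROLE_ORDER stands in for
# adhocracy_core.schema.ROLE_PRINCIPALS; its value is constructed.
ROLE_ORDER = ["role:anonymous", "role:participant", "role:moderator", "role:admin"]


def acm_to_acl_sketch(acm: dict, role_order=ROLE_ORDER) -> list:
    """Return ACEs as [action, principal, permission], highest priority first."""
    principals = acm["principals"]
    unknown = [p for p in principals if p not in role_order]
    if unknown:
        raise ValueError("principals missing from role order: %s" % unknown)
    # Higher index in role_order means higher priority, so emit it earlier.
    columns = sorted(range(len(principals)),
                     key=lambda i: role_order.index(principals[i]), reverse=True)
    acl = []
    for col in columns:
        for permission, *actions in acm["permissions"]:
            if len(actions) != len(principals):
                raise ValueError("row %r needs one action per principal" % permission)
            action = actions[col]
            if action is None:  # no opinion: emit no ACE at all
                continue
            if action not in ("Allow", "Deny"):
                raise ValueError("bad action %r for %r" % (action, permission))
            acl.append([action, principals[col], permission])
    return acl


def first_match(acl: list, principals: list, permission: str) -> bool:
    """Simplified first-match evaluation of one ACL; no match means denied."""
    for action, principal, ace_permission in acl:
        if principal in principals and ace_permission == permission:
            return action == "Allow"
    return False


# Constructed sample matrix.
SAMPLE_ACM = {
    "principals": ["role:participant", "role:admin", "role:anonymous"],
    "permissions": [
        ["view", "Allow", None, "Allow"],
        ["delete", "Deny", "Allow", None],
    ],
}
SAMPLE_ACL = acm_to_acl_sketch(SAMPLE_ACM)
```

A user holding both role:participant and role:admin is allowed "delete" because the admin ACE is listed before the participant Deny, while a None cell leaves no ACE at all, so a principal with no matching ACE gets no grant from this ACL.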

set_acms_for_app_root(event)

Set/update the ACMs for the root object of the pyramid application.

Parameters: event – this function should be used as a subscriber for the pyramid.interfaces.IApplicationCreated event. That way, every time the application starts the root acm is updated.

The root_acm (root_acm_asset()) is extended by the acm returned by the adhocracy_core.authorization.IRootACMExtension adapter.

In addition, all permissions are granted to the god user.

create_fake_god_request(registry)

Create a fake request issued by god.

get_acl(resource) → []

Return the ACL of the resource.

get_acl_lineage(resource) → []

Return the ACL of the resource, including the inherited ACL.

set_acl(resource, acl: list, registry: pyramid.registry.Registry)

Add local_roles and set the ACL of the resource.

Every ACE in the acl has to be a list of 3 strings. Permissions given by local_role are added to the existing acl. Manually adding ACEs containing group principals is not allowed, as these are used for local_role permissions.

is_password_required_to_edit(sheet: adhocracy_core.interfaces.ISheet)

Check if the sheet requires a password for editing.

is_password_required_to_edit_some(sheets: [adhocracy_core.interfaces.ISheet])

Check if some of the sheets require a password for editing.

includeme(config)

Register adapter to extend the root acm and add authorization policy.