Back to index

moin  1.9.0~rc2
Public Member Functions | Public Attributes | Static Public Attributes | Private Member Functions
MoinMoin.security.AccessControlList Class Reference

List of all members.

Public Member Functions

def __init__
def may
def getString
def __eq__
def __ne__

Public Attributes

 acl
 acl_lines

Static Public Attributes

list special_users = ["All", "Known", "Trusted"]

Private Member Functions

def _addLine
def _special_All
def _special_Known
def _special_Trusted

Detailed Description

Access Control List

Control who may do what on or with a wiki page.

Syntax of an ACL string:

    [+|-]User[,User,...]:[right[,right,...]] [[+|-]SomeGroup:...] ...
    ... [[+|-]Known:...] [[+|-]All:...]

    "User" is a user name and triggers only if the user matches. Up
    to version 1.2 only WikiNames were supported, as of version 1.3,
    any name can be used in acl lines, including name with spaces
    using esoteric languages.

    "SomeGroup" is a page name matching cfg.page_group_regex with
     some lines in the form " * Member", defining the group members.

    "Known" is a group containing all valid / known users.

    "All" is a group containing all users (Known and Anonymous users).

    "right" may be an arbitrary word like read, write, delete, admin.
    Only words in cfg.acl_validrights are accepted, others are
    ignored. It is allowed to specify no rights, which means that no
    rights are given.

How ACL is processed

    When some user is trying to access some ACL-protected resource,
    the ACLs will be processed in the order they are found. The first
    matching ACL will tell if the user has access to that resource
    or not.

    For example, the following ACL tells that SomeUser is able to
    read and write the resources protected by that ACL, while any
    member of SomeGroup (besides SomeUser, if part of that group)
    may also admin that, and every other user is able to read it.

        SomeUser:read,write SomeGroup:read,write,admin All:read

    In this example, SomeUser can read and write but can not admin,
    revert or delete pages. Rights that are NOT specified on the
    right list are automatically set to NO.

Using Prefixes

    To make the system more flexible, there are also two modifiers:
    the prefixes "+" and "-".

        +SomeUser:read -OtherUser:write

    The acl line above will grant SomeUser read right, and OtherUser
    write right, but will NOT block automatically all other rights
    for these users. For example, if SomeUser ask to write, the
    above acl line does not define if he can or can not write. He
    will be able to write if acl_rights_before or acl_rights_after
    allow this (see configuration options).

    Using prefixes, this acl line:

        SomeUser:read,write SomeGroup:read,write,admin All:read

    Can be written as:

        -SomeUser:admin SomeGroup:read,write,admin All:read

    Or even:

        +All:read -SomeUser:admin SomeGroup:read,write,admin

    Notice that you probably will not want to use the second and
    third examples in ACL entries of some page. They are very
    useful on the moin configuration entries though.

   Configuration options

   cfg.acl_rights_default
       It is is ONLY used when no other ACLs are given.
       Default: "Known:read,write,delete All:read,write",

   cfg.acl_rights_before
       When the page has ACL entries, this will be inserted BEFORE
       any page entries.
       Default: ""

   cfg.acl_rights_after
       When the page has ACL entries, this will be inserted AFTER
       any page entries.
       Default: ""

   cfg.acl_rights_valid
       These are the acceptable (known) rights (and the place to
       extend, if necessary).
       Default: ["read", "write", "delete", "admin"]

Definition at line 157 of file __init__.py.


Constructor & Destructor Documentation

def MoinMoin.security.AccessControlList.__init__ (   self,
  cfg,
  lines = [] 
)
Initialize an ACL, starting from <nothing>.

Definition at line 256 of file __init__.py.

00256 
00257     def __init__(self, cfg, lines=[]):
00258         """Initialize an ACL, starting from <nothing>.
00259         """
00260         if lines:
00261             self.acl = [] # [ ('User', {"read": 0, ...}), ... ]
00262             self.acl_lines = []
00263             for line in lines:
00264                 self._addLine(cfg, line)
00265         else:
00266             self.acl = None
00267             self.acl_lines = None


Member Function Documentation

def MoinMoin.security.AccessControlList.__eq__ (   self,
  other 
)

Definition at line 368 of file __init__.py.

00368 
00369     def __eq__(self, other):
00370         return self.acl_lines == other.acl_lines

Here is the caller graph for this function:

def MoinMoin.security.AccessControlList.__ne__ (   self,
  other 
)

Definition at line 371 of file __init__.py.

00371 
00372     def __ne__(self, other):
00373         return self.acl_lines != other.acl_lines
00374 

def MoinMoin.security.AccessControlList._addLine (   self,
  cfg,
  aclstring,
  remember = 1 
) [private]
Add another ACL line

This can be used in multiple subsequent calls to process longer lists.

@param cfg: current config
@param aclstring: acl string from page or cfg
@param remember: should add the line to self.acl_lines

Definition at line 268 of file __init__.py.

00268 
00269     def _addLine(self, cfg, aclstring, remember=1):
00270         """ Add another ACL line
00271 
00272         This can be used in multiple subsequent calls to process longer lists.
00273 
00274         @param cfg: current config
00275         @param aclstring: acl string from page or cfg
00276         @param remember: should add the line to self.acl_lines
00277         """
00278 
00279         # Remember lines
00280         if remember:
00281             self.acl_lines.append(aclstring)
00282 
00283         # Iterate over entries and rights, parsed by acl string iterator
00284         acliter = ACLStringIterator(cfg.acl_rights_valid, aclstring)
00285         for modifier, entries, rights in acliter:
00286             if entries == ['Default']:
00287                 self._addLine(cfg, cfg.acl_rights_default, remember=0)
00288             else:
00289                 for entry in entries:
00290                     rightsdict = {}
00291                     if modifier:
00292                         # Only user rights are added to the right dict.
00293                         # + add rights with value of 1
00294                         # - add right with value of 0
00295                         for right in rights:
00296                             rightsdict[right] = (modifier == '+')
00297                     else:
00298                         # All rights from acl_rights_valid are added to the
00299                         # dict, user rights with value of 1, and other with
00300                         # value of 0
00301                         for right in cfg.acl_rights_valid:
00302                             rightsdict[right] = (right in rights)
00303                     self.acl.append((entry, rightsdict))

Here is the call graph for this function:

Here is the caller graph for this function:

def MoinMoin.security.AccessControlList._special_All (   self,
  request,
  name,
  dowhat,
  rightsdict 
) [private]

Definition at line 345 of file __init__.py.

00345 
00346     def _special_All(self, request, name, dowhat, rightsdict):
00347         return rightsdict.get(dowhat)

def MoinMoin.security.AccessControlList._special_Known (   self,
  request,
  name,
  dowhat,
  rightsdict 
) [private]
check if user <name> is known to us,
    that means that there is a valid user account present.
    works for subscription emails.

Definition at line 348 of file __init__.py.

00348 
00349     def _special_Known(self, request, name, dowhat, rightsdict):
00350         """ check if user <name> is known to us,
00351             that means that there is a valid user account present.
00352             works for subscription emails.
00353         """
00354         if user.getUserId(request, name): # is a user with this name known?
00355             return rightsdict.get(dowhat)
00356         return None

def MoinMoin.security.AccessControlList._special_Trusted (   self,
  request,
  name,
  dowhat,
  rightsdict 
) [private]
check if user <name> is known AND has logged in using a trusted
    authentication method.
    Does not work for subsription emails that should be sent to <user>,
    as he is not logged in in that case.

Definition at line 357 of file __init__.py.

00357 
00358     def _special_Trusted(self, request, name, dowhat, rightsdict):
00359         """ check if user <name> is known AND has logged in using a trusted
00360             authentication method.
00361             Does not work for subsription emails that should be sent to <user>,
00362             as he is not logged in in that case.
00363         """
00364         if (request.user.name == name and
00365             request.user.auth_method in request.cfg.auth_methods_trusted):
00366             return rightsdict.get(dowhat)
00367         return None

def MoinMoin.security.AccessControlList.getString (   self,
  b = '#acl ',
  e = '\n' 
)
print the acl strings we were fed with

Definition at line 337 of file __init__.py.

00337 
00338     def getString(self, b='#acl ', e='\n'):
00339         """print the acl strings we were fed with"""
00340         if self.acl_lines:
00341             acl_lines = ''.join(["%s%s%s" % (b, l, e) for l in self.acl_lines])
00342         else:
00343             acl_lines = ''
00344         return acl_lines

def MoinMoin.security.AccessControlList.may (   self,
  request,
  name,
  dowhat 
)
May <name> <dowhat>? Returns boolean answer.

    Note: this check does NOT include the acl_rights_before / _after ACL,
  but it WILL use acl_rights_default if there is no (page) ACL.

Definition at line 304 of file __init__.py.

00304 
00305     def may(self, request, name, dowhat):
00306         """ May <name> <dowhat>? Returns boolean answer.
00307 
00308             Note: this check does NOT include the acl_rights_before / _after ACL,
00309                   but it WILL use acl_rights_default if there is no (page) ACL.
00310         """
00311         if self.acl is None: # no #acl used on Page
00312             acl = request.cfg.cache.acl_rights_default.acl
00313         else: # we have a #acl on the page (self.acl can be [] if #acl is empty!)
00314             acl = self.acl
00315 
00316         groups = request.groups
00317 
00318         allowed = None
00319         for entry, rightsdict in acl:
00320             if entry in self.special_users:
00321                 handler = getattr(self, "_special_"+entry, None)
00322                 allowed = handler(request, name, dowhat, rightsdict)
00323             elif entry in groups:
00324                 if name in groups[entry]:
00325                     allowed = rightsdict.get(dowhat)
00326                 else:
00327                     for special in self.special_users:
00328                         if special in entry:
00329                             handler = getattr(self, "_special_" + special, None)
00330                             allowed = handler(request, name, dowhat, rightsdict)
00331                             break # order of self.special_users is important
00332             elif entry == name:
00333                 allowed = rightsdict.get(dowhat)
00334             if allowed is not None:
00335                 return allowed
00336         return allowed # should be None


Member Data Documentation

Definition at line 260 of file __init__.py.

Definition at line 261 of file __init__.py.

list MoinMoin.security.AccessControlList.special_users = ["All", "Known", "Trusted"] [static]

Definition at line 254 of file __init__.py.


The documentation for this class was generated from the following file: