Package s3 :: Module s3aaa :: Class S3Permission

Class S3Permission

object --+
         |
        S3Permission

S3 Class to handle permissions

Instance Methods

__init__(self, auth, tablename=None)
Constructor, invoked by AuthS3.__init__

clear_cache(self)
Clear any cached permissions or accessible-queries

check_settings(self)
Check whether permission-relevant settings have changed during the request, and clear the cache if so.

define_table(self, migrate=True, fake_migrate=False)
Define permissions table, invoked by AuthS3.define_tables()

update_acl(self, group, c=None, f=None, t=None, record=None, oacl=None, uacl=None, entity=None, delete=False)
Update an ACL

delete_acl(self, group, c=None, f=None, t=None, record=None, entity=None)
Delete an ACL

get_owners(self, table, record)
Get the entity/group/user owning a record

is_owner(self, table, record, owners=None, strict=False)
Check whether the current user owns the record

owner_query(self, table, user, use_realm=True, realm=None, no_realm=None)
Returns a query to select the records in table owned by user

realm_query(self, table, entities)
Returns a query to select the records owned by one of the entities.

permitted_realms(self, tablename, method="read")
Returns a list of the realm entities which a user can access for the given table.

approved(self, table, record, approved=True)
Check whether a record has been approved or not

unapproved(self, table, record)
Check whether a record has not been approved yet

has_permission(self, method, c=None, f=None, t=None, record=None)
Check permission to access a record with method

accessible_query(self, method, table, c=None, f=None, deny=True)
Returns a query to select the accessible records for method in table.

accessible_url(self, c=None, f=None, p=None, t=None, a=None, args=None, vars=None, anchor="", extension=None, env=None)
Return a URL only if accessible by the user, otherwise False - used for Navigation Items

fail(self)
Action upon insufficient permissions

applicable_acls(self, racl, realms=None, delegations=None, c=None, f=None, t=None, entity=None)
Find all applicable ACLs for the specified situation for the specified realms and delegations

page_restricted(self, c=None, f=None)
Checks whether a page is restricted (=whether ACLs are to be applied)

table_restricted(self, t=None)
Check whether access to a table is restricted

hidden_modules(self)
List of modules to hide from the main menu

ownership_required(self, method, table, c=None, f=None)
Checks whether ownership can be required to access records in this table (this may not apply to every record in this table).

forget(self, table=None, record_id=None)
Remove any cached permissions for a record.

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods

requires_approval(cls, table)
Check whether record approval is required for a table

set_default_approver(cls, table, force=False)
Set the default approver for new records in table

Class Variables
  TABLENAME = "s3_permission"
  CREATE = 0x0001
  READ = 0x0002
  UPDATE = 0x0004
  DELETE = 0x0008
  REVIEW = 0x0010
  APPROVE = 0x0020
  PUBLISH = 0x0040
  ALL = CREATE | READ | UPDATE | DELETE | REVIEW | APPROVE | PUB...
  NONE = 0x0000
  PERMISSION_OPTS = OrderedDict([[CREATE, "CREATE"], [READ, "REA...
  METHODS = Storage({"create": CREATE, "read": READ, "update": U...
  required_acl = lambda self, methods:
  most_permissive = lambda self, acl:
  most_restrictive = lambda self, acl:
Properties

Inherited from object: __class__

Method Details

__init__(self, auth, tablename=None)
(Constructor)

Constructor, invoked by AuthS3.__init__

Parameters:
  • auth - the AuthS3 instance
  • tablename - the name for the permissions table
Overrides: object.__init__

clear_cache(self)

Clear any cached permissions or accessible-queries

check_settings(self)

Check whether permission-relevant settings have changed during the request, and clear the cache if so.

define_table(self, migrate=True, fake_migrate=False)

Define permissions table, invoked by AuthS3.define_tables()

update_acl(self, group, c=None, f=None, t=None, record=None, oacl=None, uacl=None, entity=None, delete=False)

Update an ACL

Parameters:
  • group - the ID or UID of the auth_group this ACL applies to
  • c - the controller
  • f - the function
  • t - the tablename
  • record - the record (as ID or Row with ID)
  • oacl - the ACL for the owners of the specified record(s)
  • uacl - the ACL for all other users
  • entity - restrict this ACL to the records owned by this entity (pe_id), specify "any" for any entity
  • delete - delete the ACL instead of updating it

delete_acl(self, group, c=None, f=None, t=None, record=None, entity=None)

Delete an ACL

Parameters:
  • group - the ID or UID of the auth_group this ACL applies to
  • c - the controller
  • f - the function
  • t - the tablename
  • record - the record (as ID or Row with ID)
  • entity - restrict this ACL to the records owned by this entity (pe_id), specify "any" for any entity

get_owners(self, table, record)

Get the entity/group/user owning a record

Parameters:
  • table - the table
  • record - the record ID (or the Row, if already loaded)
Returns:
tuple of (realm_entity, owner_group, owner_user)

Note: if passing a Row, it must contain all available ownership fields (id, owned_by_user, owned_by_group, realm_entity), otherwise the record will be re-loaded by this function.

is_owner(self, table, record, owners=None, strict=False)

Check whether the current user owns the record

Parameters:
  • table - the table or tablename
  • record - the record ID (or the Row if already loaded)
  • owners - override the actual record owners by a tuple (realm_entity, owner_group, owner_user)
Returns:
True if the current user owns the record, else False

owner_query(self, table, user, use_realm=True, realm=None, no_realm=None)

Returns a query to select the records in table owned by user

Parameters:
  • table - the table
  • user - the current auth.user (None for not authenticated)
  • use_realm - use realms
  • realm - limit owner access to these realms
  • no_realm - don't include these entities in role realms
Returns:
a web2py Query instance, or None if no query can be constructed

realm_query(self, table, entities)

Returns a query to select the records owned by one of the entities.

Parameters:
  • table - the table
  • entities - list of entities
Returns:
a web2py Query instance, or None if no query can be constructed

permitted_realms(self, tablename, method="read")

Returns a list of the realm entities which a user can access for the given table.

Parameters:
  • tablename - the tablename
  • method - the method
Returns:
a list of pe_ids or None (for no restriction)

approved(self, table, record, approved=True)

Check whether a record has been approved or not

Parameters:
  • table - the table
  • record - the record or record ID
  • approved - True = check if approved, False = check if unapproved

unapproved(self, table, record)

Check whether a record has not been approved yet

Parameters:
  • table - the table
  • record - the record or record ID

requires_approval(cls, table)
Class Method

Check whether record approval is required for a table

Parameters:
  • table - the table (or tablename)

set_default_approver(cls, table, force=False)
Class Method

Set the default approver for new records in table

Parameters:
  • table - the table
  • force - whether to force approval for tables which require manual approval

has_permission(self, method, c=None, f=None, t=None, record=None)

Check permission to access a record with method

Parameters:
  • method - the access method (string)
  • c - the controller name (falls back to current request)
  • f - the function name (falls back to current request)
  • t - the table or tablename
  • record - the record or record ID (None for any record)

accessible_query(self, method, table, c=None, f=None, deny=True)

Returns a query to select the accessible records for method in table.

Parameters:
  • method - the method as string or a list of methods (AND)
  • table - the database table or table name
  • c - controller name (falls back to current request)
  • f - function name (falls back to current request)

accessible_url(self, c=None, f=None, p=None, t=None, a=None, args=None, vars=None, anchor="", extension=None, env=None)

Return a URL only if accessible by the user, otherwise False - used for Navigation Items

Parameters:
  • c - the controller
  • f - the function
  • p - the permission (defaults to READ)
  • t - the tablename (defaults to <c>_<f>)
  • a - the application name
  • args - the URL arguments
  • vars - the URL variables
  • anchor - the anchor (#) of the URL
  • extension - the request format extension
  • env - the environment

fail(self)

Action upon insufficient permissions

applicable_acls(self, racl, realms=None, delegations=None, c=None, f=None, t=None, entity=None)

Find all applicable ACLs for the specified situation for the specified realms and delegations

Parameters:
  • racl - the required ACL
  • realms - the realms
  • delegations - the delegations
  • c - the controller name, falls back to current request
  • f - the function name, falls back to current request
  • t - the tablename
  • entity - the realm entity
Returns:
None for no ACLs defined (allow), [] for no ACLs applicable (deny), or list of applicable ACLs

page_restricted(self, c=None, f=None)

Checks whether a page is restricted (=whether ACLs are to be applied)

Parameters:
  • c - controller name
  • f - function name

table_restricted(self, t=None)

Check whether access to a table is restricted

Parameters:
  • t - the table name or Table

hidden_modules(self)

List of modules to hide from the main menu

ownership_required(self, method, table, c=None, f=None)

Checks whether ownership can be required to access records in this table (this may not apply to every record in this table).

Parameters:
  • method - the method as string or a list of methods (AND)
  • table - the database table or table name
  • c - controller name (falls back to current request)
  • f - function name (falls back to current request)

forget(self, table=None, record_id=None)

Remove any cached permissions for a record. This can be necessary in methods which change the status of the record (e.g. approval).

Parameters:
  • table - the table
  • record_id - the record ID

Class Variable Details

TABLENAME

Value:
"s3_permission"

CREATE

Value:
0x0001

READ

Value:
0x0002

UPDATE

Value:
0x0004

DELETE

Value:
0x0008

REVIEW

Value:
0x0010

APPROVE

Value:
0x0020

PUBLISH

Value:
0x0040

ALL

Value:
CREATE | READ | UPDATE | DELETE | REVIEW | APPROVE | PUBLISH

NONE

Value:
0x0000

PERMISSION_OPTS

Value:
OrderedDict([[CREATE, "CREATE"], [READ, "READ"], [UPDATE, "UPDATE"], [DELETE, "DELETE"], [REVIEW, "REVIEW"], [APPROVE, "APPROVE"],])

METHODS

Value:
Storage({"create": CREATE, "read": READ, "update": UPDATE, "delete": DELETE, "map": READ, "report": READ, "timeplot": READ, "import": CREATE, "review": REVIEW, "approve": APPROVE, "reject": APPROVE, "publish": PUBLISH,})

required_acl

Value:
lambda self, methods:

most_permissive

Value:
lambda self, acl:

most_restrictive

Value:
lambda self, acl:
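The following is an added worked example of the bit-flag ACL model documented above; it is not Sahana Eden code. The permission bits and the METHODS mapping are copied from the Class Variables on this page, and the three-way return contract (None = allow, [] = deny, list = applicable ACLs) is the one documented for applicable_acls. Everything else is an assumption stated in the comments: that a method list is AND-ed by OR-ing the required bits, that most_permissive is a bitwise union and most_restrictive a bitwise intersection (the page shows only the lambda signatures), that owners are evaluated against oacl and everyone else against uacl (a literal reading of update_acl's parameter docs), and that the simplified is_owner here stands in for the project's realm-aware one.

```python
"""Bit-flag ACL evaluation in the style of S3Permission (illustration only)."""
from functools import reduce

# Permission bits, exactly as listed under Class Variables on this page
CREATE, READ, UPDATE, DELETE = 0x0001, 0x0002, 0x0004, 0x0008
REVIEW, APPROVE, PUBLISH = 0x0010, 0x0020, 0x0040
ALL = CREATE | READ | UPDATE | DELETE | REVIEW | APPROVE | PUBLISH
NONE = 0x0000

# Method name -> required bits (the METHODS mapping from this page, as a plain dict)
METHODS = {
    "create": CREATE, "read": READ, "update": UPDATE, "delete": DELETE,
    "map": READ, "report": READ, "timeplot": READ, "import": CREATE,
    "review": REVIEW, "approve": APPROVE, "reject": APPROVE, "publish": PUBLISH,
}


def required_acl(methods):
    """Bits a caller must hold for one method or a list of methods.

    A list is AND-ed (as documented for has_permission/accessible_query), so
    the required bits are the union of every listed method's bits. Unknown
    method names raise KeyError rather than silently requiring nothing.
    """
    if isinstance(methods, str):
        methods = [methods]
    return reduce(lambda acc, m: acc | METHODS[m], methods, NONE)


def most_permissive(acls):
    """Union of several ACL values (assumed semantics of most_permissive)."""
    return reduce(lambda a, b: a | b, acls, NONE)


def most_restrictive(acls):
    """Intersection of several ACL values (assumed semantics of most_restrictive).
    An empty list yields NONE, never ALL."""
    return reduce(lambda a, b: a & b, acls, ALL) if acls else NONE


def permits(acl, racl):
    """An ACL value permits a required ACL iff every required bit is set."""
    return (acl & racl) == racl


def is_owner(user_id, user_groups, owners):
    """Simplified ownership test (assumption, not the project's is_owner).

    owners is the (realm_entity, owner_group, owner_user) tuple in the shape
    get_owners() documents. Here a user owns the record if it is owner_user or
    is a member of owner_group; anonymous users (user_id None) own nothing.
    """
    _realm_entity, owner_group, owner_user = owners
    if user_id is None:
        return False
    if owner_user is not None and owner_user == user_id:
        return True
    return owner_group is not None and owner_group in user_groups


def decide(methods, applicable, owner):
    """Turn the applicable_acls() contract into an allow/deny decision.

    applicable follows the three-way contract documented on this page:
      None -> no ACLs defined for this situation -> allow
      []   -> ACLs defined but none applies      -> deny
      list -> (oacl, uacl) pairs, one per applicable ACL (constructed shape)
    Owners are checked against oacl, everyone else against uacl (assumption),
    and the values are combined most-permissively because a user may hold
    several roles, each contributing its own ACL.
    """
    if applicable is None:          # identity test on purpose: [] must not match
        return True
    if not applicable:
        return False
    racl = required_acl(methods)
    values = [oacl if owner else uacl for oacl, uacl in applicable]
    return permits(most_permissive(values), racl)


def naive_decide(methods, applicable, owner):
    """The mistake decide() avoids: a truthiness check collapses None and [],
    so 'no ACL applies' (deny) is handled like 'no ACL defined' (allow) and
    the check fails open."""
    if not applicable:
        return True
    racl = required_acl(methods)
    values = [oacl if owner else uacl for oacl, uacl in applicable]
    return permits(most_permissive(values), racl)
```

Two details worth noting when reading the class variables above: PERMISSION_OPTS as shown lists six labels and omits PUBLISH, while METHODS does map "publish" to PUBLISH, so the example uses the full seven-bit set from ALL; and because None and [] carry opposite meanings in the applicable_acls contract, any caller must distinguish them with `is None`, as decide() does, rather than with a truthiness test.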