From john...@apache.org
Subject [1/5] git commit: [#6709] Misc performance improvements
Date Thu, 26 Sep 2013 18:13:41 GMT
Updated Branches:
  refs/heads/cj/6692 cee549119 -> 65157663f (forced update)


[#6709] Misc performance improvements

- Skip ACE deny check in has_access() if anonymous
- Correct the has_access docstring for recent changes
- Add index for ProjectRole lookups by_name(). Existing project_id index
  was being used, but still had to scan all roles for the project.

Signed-off-by: Tim Van Steenburgh <tvansteenburgh@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/a17ae4a2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/a17ae4a2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/a17ae4a2

Branch: refs/heads/cj/6692
Commit: a17ae4a23c9431b4935e3bd4305795529a14b5ca
Parents: 2d5a6ab
Author: Tim Van Steenburgh <tvansteenburgh@gmail.com>
Authored: Wed Sep 25 16:06:37 2013 +0000
Committer: Dave Brondsema <dbrondsema@slashdotmedia.com>
Committed: Wed Sep 25 20:14:33 2013 +0000

----------------------------------------------------------------------
 Allura/allura/lib/security.py | 25 +++++++++++++++++--------
 Allura/allura/model/auth.py   |  4 ++--
 2 files changed, 19 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/a17ae4a2/Allura/allura/lib/security.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/security.py b/Allura/allura/lib/security.py
index bbadb1b..a211ae2 100644
--- a/Allura/allura/lib/security.py
+++ b/Allura/allura/lib/security.py
@@ -245,6 +245,9 @@ def has_access(obj, permission, user=None, project=None):
 
     - First, all the roles for a user in the given project context are computed.
 
+    - If the given object's ACL contains a DENY for this permission on this
+      user's project role, return False and deny access.
+
     - Next, for each role, the given object's ACL is examined linearly. If an ACE
       is found which matches the permission and user, and that ACE ALLOWs access,
       then the function returns True and access is permitted. If the ACE DENYs
@@ -265,10 +268,15 @@ def has_access(obj, permission, user=None, project=None):
       obj.parent_security_context(). If the parent_security_context is None, then
       the function returns False and access is denied.
 
-    The effect of this processing is that if *any* role for the user is ALLOWed
-    access via a linear traversal of the ACLs, then access is allowed. All of the
-    users roles must either be explicitly DENYed or processing terminate with no
-    matches to DENY access to the resource.
+    The effect of this processing is that:
+
+      1. If the user's project_role is DENYed, access is denied (e.g. if the user
+         has been blocked for a permission on a specific tool).
+
+      2. Else, if *any* role for the user is ALLOWed access via a linear
+         traversal of the ACLs, then access is allowed.
+
+      3. Otherwise, DENY access to the resource.
     '''
     from allura import model as M
     def predicate(obj=obj, user=user, project=project, roles=None):
@@ -290,10 +298,11 @@ def has_access(obj, permission, user=None, project=None):
                     project = getattr(obj, 'project', None) or c.project
                     project = project.root_project
             roles = cred.user_roles(user_id=user._id, project_id=project._id).reaching_ids
-        user_role = user.project_role(project=project)
-        deny_user = M.ACE.deny(user_role._id, permission)
-        if M.ACL.contains(deny_user, obj.acl):
-            return False
+        if user != M.User.anonymous():
+            user_role = user.project_role(project=project)
+            deny_user = M.ACE.deny(user_role._id, permission)
+            if M.ACL.contains(deny_user, obj.acl):
+                return False
         chainable_roles = []
         for rid in roles:
             for ace in obj.acl:
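Review bot: The new guard `if user != M.User.anonymous():` exempts the anonymous user from the per-role DENY short-circuit, but the two docstring hunks earlier in this file ("If the given object's ACL contains a DENY for this permission on this user's project role..." and item 1 of the summary) still describe the check as applying to every user, so documentation and code now disagree. Add a clause to that first bullet, e.g. `This check is skipped for the anonymous user.`, and a why-comment above the guard, e.g. `# Skip the extra project_role lookup for anonymous (#6709); anonymous has no per-user block.` — confirm that last claim is the intent, since a DENY ACE on the anonymous project role would now only be honoured if the linear traversal over `roles` below treats DENY ACEs as terminal. The `!=` comparison between mapped user objects presumably relies on Ming's equality or identity; verify a freshly loaded anonymous instance compares equal, otherwise the guard never fires. The enclosing `predicate` continues outside the hunk.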

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/a17ae4a2/Allura/allura/model/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/auth.py b/Allura/allura/model/auth.py
index b048ce6..cb15398 100644
--- a/Allura/allura/model/auth.py
+++ b/Allura/allura/model/auth.py
@@ -727,8 +727,8 @@ class ProjectRole(MappedClass):
         unique_indexes = [ ('user_id', 'project_id', 'name') ]
         indexes = [
             ('user_id',),
-            ('project_id',),
-            ('roles',)
+            ('project_id', 'name'), # used in ProjectRole.by_name()
+            ('roles',),
             ]
 
     _id = FieldProperty(S.ObjectId)

