incubator-allura-commits mailing list archives

From john...@apache.org
Subject [28/50] git commit: put in some TODO pointers to #6715
Date Thu, 03 Oct 2013 17:14:33 GMT
put in some TODO pointers to #6715


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/182a724a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/182a724a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/182a724a

Branch: refs/heads/cj/6422
Commit: 182a724a261e63dddbd71273cac435f232321b38
Parents: 7fc8966
Author: Dave Brondsema <dbrondsema@slashdotmedia.com>
Authored: Fri Sep 27 19:45:27 2013 +0000
Committer: Dave Brondsema <dbrondsema@slashdotmedia.com>
Committed: Fri Sep 27 19:45:27 2013 +0000

----------------------------------------------------------------------
 Allura/allura/lib/security.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/182a724a/Allura/allura/lib/security.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/security.py b/Allura/allura/lib/security.py
index 4e917b6..2a1a827 100644
--- a/Allura/allura/lib/security.py
+++ b/Allura/allura/lib/security.py
@@ -246,7 +246,8 @@ def has_access(obj, permission, user=None, project=None):
     - First, all the roles for a user in the given project context are computed.
 
     - If the given object's ACL contains a DENY for this permission on this
-      user's project role, return False and deny access.
+      user's project role, return False and deny access.  TODO: make ACL order
+      matter instead of doing DENY first; see ticket [#6715]
 
     - Next, for each role, the given object's ACL is examined linearly. If an ACE
       is found which matches the permission and user, and that ACE ALLOWs access,
@@ -298,12 +299,15 @@ def has_access(obj, permission, user=None, project=None):
                     project = getattr(obj, 'project', None) or c.project
                     project = project.root_project
             roles = cred.user_roles(user_id=user._id, project_id=project._id).reaching_ids
+
+        # TODO: move deny logic into loop below; see ticket [#6715]
         if user != M.User.anonymous():
             user_role = M.ProjectRole.by_user(user, project)
             if user_role:
                 deny_user = M.ACE.deny(user_role._id, permission)
                 if M.ACL.contains(deny_user, obj.acl):
                     return False
+
         chainable_roles = []
         for rid in roles:
             for ace in obj.acl:
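Review bot: The new `# TODO: move deny logic into loop below` comment does not say what the early-return pre-check covers today, which is the security-relevant detail a maintainer needs before reordering it. As written, the check is skipped when `user` is `M.User.anonymous()` and only tests a DENY ACE for the single role returned by `M.ProjectRole.by_user(user, project)`; whether DENY entries on the other ids in `roles` are honoured depends on the loop that starts at the end of this hunk, whose body is outside it. I would extend the comment to something like `# TODO: move deny logic into loop below; see ticket [#6715]. NOTE: this pre-check only covers the user's own ProjectRole and is skipped for anonymous.` and have the #6715 change ship with a test that an explicit DENY on that role still returns False. The docstring TODO in the first hunk could carry the same caveat.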

