From: johnsca@apache.org
To: allura-commits@incubator.apache.org
Date: Thu, 03 Oct 2013 17:14:14 -0000
Message-Id:
In-Reply-To: <3d61e04a77454c30aef570f311e5901f@git.apache.org>
References: <3d61e04a77454c30aef570f311e5901f@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [09/50] git commit: [#6392] ticket:432 Reason-agnostic contains check for ACEs

[#6392] ticket:432 Reason-agnostic contains check for ACEs

Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/394ccc3b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/394ccc3b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/394ccc3b
Branch: refs/heads/cj/6422
Commit: 394ccc3b8bd3bd951cfe8a384c2cbca14226ec9e
Parents: f47df1c
Author: Igor Bondarenko
Authored: Wed Sep 11 15:44:11 2013 +0300
Committer: Tim Van Steenburgh
Committed: Tue Sep 24 17:36:24 2013 +0000
----------------------------------------------------------------------
Allura/allura/app.py | 7 ++++---
Allura/allura/lib/security.py | 2 +-
Allura/allura/model/types.py | 27 +++++++++++++++++----------
3 files changed, 22 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/394ccc3b/Allura/allura/app.py
----------------------------------------------------------------------
diff --git a/Allura/allura/app.py b/Allura/allura/app.py
index 8218d53..a887375 100644
--- a/Allura/allura/app.py
+++ b/Allura/allura/app.py
@@ -591,7 +591,7 @@ class DefaultAdminController(BaseController):
 return redirect(request.referer)
 ace = model.ACE.deny(user.project_role()._id, perm, reason)
- if ace not in self.app.acl:
+ if not model.ACL.contains(ace, self.app.acl):
 self.app.acl.append(ace)
 return redirect(request.referer)
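Review bot: The new membership checks treat the ACE returned by `ACL.contains` as a boolean — `if not model.ACL.contains(ace, self.app.acl):` here, `if ace:` in the unblock_user hunk and `if M.ACL.contains(deny_user, obj.acl):` in lib/security.py — although the method is documented to return the matching ACE or None; comparing against None, e.g. `if model.ACL.contains(ace, self.app.acl) is None:`, keeps the deny decision in has_access from depending on the truthiness of the stored object. A separate point in this hunk: when a deny ACE for the same role and permission is already present, the newly supplied `reason` is discarded and the stored one kept; if the latest reason should win, update the existing entry instead of skipping the append. The enclosing method begins before the hunk.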
@@ -599,7 +599,8 @@ class DefaultAdminController(BaseController):
 def unblock_user(self, user_id, perm):
 user = model.User.query.get(_id=ObjectId(user_id))
 ace = model.ACE.deny(user.project_role()._id, perm)
- if ace in self.app.acl:
+ ace = model.ACL.contains(ace, self.app.acl)
+ if ace:
 self.app.acl.remove(ace)
 return redirect(request.referer)
@@ -625,7 +626,7 @@ class DefaultAdminController(BaseController):
 elif ace.access == model.ACE.DENY:
 role = model.ProjectRole.query.get(_id=ace.role_id)
 if role.name is None and role.user:
- block_list[ace.permission].append((role.user, getattr(ace, 'reason', None)))
+ block_list[ace.permission].append((role.user, ace.reason))
 return dict(
 app=self.app,
 allow_config=has_access(c.project, 'admin')(),
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/394ccc3b/Allura/allura/lib/security.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/security.py b/Allura/allura/lib/security.py
index c992cef..bbadb1b 100644
--- a/Allura/allura/lib/security.py
+++ b/Allura/allura/lib/security.py
@@ -292,7 +292,7 @@ def has_access(obj, permission, user=None, project=None):
 roles = cred.user_roles(user_id=user._id, project_id=project._id).reaching_ids
 user_role = user.project_role(project=project)
 deny_user = M.ACE.deny(user_role._id, permission)
- if deny_user in obj.acl:
+ if M.ACL.contains(deny_user, obj.acl):
 return False
 chainable_roles = []
 for rid in roles:
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/394ccc3b/Allura/allura/model/types.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/types.py b/Allura/allura/model/types.py
index fa7b332..73c4b3b 100644
--- a/Allura/allura/model/types.py
+++ b/Allura/allura/model/types.py
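Review bot: `block_list[ace.permission].append((role.user, ace.reason))` drops the `getattr(ace, 'reason', None)` fallback, so it now depends on every stored deny ACE exposing a `reason` attribute; the schema change in model/types.py adds `reason=S.String()`, but whether ACE documents written before this commit are back-filled with a default when loaded is not visible here. If they are not, this listing raises where it previously showed None, so either confirm the schema supplies a default for the missing key or keep the `getattr` fallback. The enclosing method begins before the hunk.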
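Review bot: The deny check in has_access is the security-relevant call site of the new reason-agnostic match, and nothing on the changed line says why plain list membership is no longer used; a one-line comment would make the intent survive the next refactor, e.g. `# deny ACEs added via block_user carry a reason; match on role/permission/access only`. has_access continues outside the hunk on both sides.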
@@ -31,6 +31,7 @@ class ACE(S.Object):
 super(ACE, self).__init__(
 fields=dict(
 access=S.OneOf(self.ALLOW, self.DENY),
+ reason=S.String(),
 role_id=S.ObjectId(),
 permission=permission),
 **kwargs)
@@ -64,18 +65,24 @@ class ACL(S.Array):
 super(ACL, self).__init__(
 field_type=ACE(permissions),
 **kwargs)
- def __contains__(self, ace):
- """Test membership of ace in acl ignoring ace.reason field.
+ @classmethod
+ def contains(cls, ace, acl):
+ """Test membership of ace in acl ignoring ace.reason field.
+
+ Return actual ACE with reason filled if ace is found in acl, None otherwise
- e.g. `ace in acl` test should evaluate to True with following vars:
+ e.g. `ACL.contains(ace, acl)` will return `{role_id=ObjectId(...), permission='read', access='DENY', reason='Spammer'}`
+ with following vars:
- ace = M.ACE.deny(role_id, 'read')
- acl = [{role_id=ObjectId(...), permission='read', access='DENY', reason='Spammer'}]
- """
- def clear_reason(ace):
- return Object(access=ace.access, role_id=ace.role_id, permission=ace.permission)
+ ace = M.ACE.deny(role_id, 'read') # reason = None
+ acl = [{role_id=ObjectId(...), permission='read', access='DENY', reason='Spammer'}]
+ """
+ def clear_reason(ace):
+ return Object(access=ace.access, role_id=ace.role_id, permission=ace.permission)
- ace = Object(access=ace.access, role_id=ace.role_id, permission=ace.permission)
- return ace in map(clear_reason, self)
+ ace_without_reason = clear_reason(ace)
+ for a in acl:
+ if clear_reason(a) == ace_without_reason:
+ return a
 DENY_ALL = ACE.deny(EVERYONE, ALL_PERMISSIONS)
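Review bot: `contains` documents returning None when no entry matches, but the new body only returns inside the loop and otherwise falls off the end, so the None contract is implicit; add an explicit `return None` after the `for a in acl:` loop. The inner `clear_reason` builds a fresh `Object` from three fields for every entry on every call, which is fine for short ACLs but comparing the three attributes directly would avoid the allocations if ACLs grow. Removing `__contains__` also means any remaining `ace in acl` expression elsewhere in the tree (if any) no longer gets a reason-agnostic comparison, which is worth checking before merging.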