343 return |
343 return |
344 |
344 |
345 for checker_name, args in self[access_type]: |
345 for checker_name, args in self[access_type]: |
346 self.check(use_cache, checker_name, django_args, args) |
346 self.check(use_cache, checker_name, django_args, args) |
347 |
347 |
348 def checkMembership(self, action, prefix, status, django_args): |
348 def hasMembership(self, roles, django_args): |
349 """Checks whether the user has access to the specified status. |
349 """Checks whether the user has access to any of the specified roles. |
350 |
350 |
351 Args: |
351 Args: |
352 action: the action that was performed (e.g., 'read') |
352 roles: a list of roles to check |
353 prefix: the prefix, determines what access set is used |
353 """ |
354 status: the access status (e.g., 'public') |
354 |
355 django_args: the django args to pass on to the checkers |
|
356 """ |
|
357 |
|
358 checker = rights_logic.Checker(prefix) |
|
359 roles = checker.getMembership(status) |
|
360 |
|
361 message_fmt = DEF_NEED_MEMBERSHIP_MSG_FMT % { |
|
362 'action': action, |
|
363 'prefix': prefix, |
|
364 'status': status, |
|
365 } |
|
366 |
|
367 # try to see if they belong to any of the roles, if not, raise an |
|
368 # access violation for the specified action, prefix and status. |
|
369 for role in roles: |
355 for role in roles: |
370 try: |
356 try: |
371 checker_name, args = self.normalizeChecker(self.MEMBERSHIP[role]) |
357 checker_name, args = self.normalizeChecker(self.MEMBERSHIP[role]) |
372 self.doCheck(checker_name, django_args, args) |
358 self.doCheck(checker_name, django_args, args) |
373 # the check passed, we can stop now |
359 # the check passed, we can stop now |
374 break |
360 return True |
375 except out_of_band.Error: |
361 except out_of_band.Error: |
376 continue |
362 continue |
377 else: |
363 |
|
364 return False |
|
365 |
|
366 @allowDeveloper |
|
367 def checkMembership(self, action, prefix, status, django_args): |
|
368 """Checks whether the user has access to the specified status. |
|
369 |
|
370 Args: |
|
371 action: the action that was performed (e.g., 'read') |
|
372 prefix: the prefix, determines what access set is used |
|
373 status: the access status (e.g., 'public') |
|
374 django_args: the django args to pass on to the checkers |
|
375 """ |
|
376 |
|
377 checker = rights_logic.Checker(prefix) |
|
378 roles = checker.getMembership(status) |
|
379 |
|
380 message_fmt = DEF_NEED_MEMBERSHIP_MSG_FMT % { |
|
381 'action': action, |
|
382 'prefix': prefix, |
|
383 'status': status, |
|
384 } |
|
385 |
|
386 # try to see if they belong to any of the roles, if not, raise an |
|
387 # access violation for the specified action, prefix and status. |
|
388 if not self.hasMembership(roles, django_args): |
378 raise out_of_band.AccessViolation(message_fmt) |
389 raise out_of_band.AccessViolation(message_fmt) |
379 |
|
380 |
390 |
381 def allow(self, django_args): |
391 def allow(self, django_args): |
382 """Never raises an alternate HTTP response. (an access no-op, basically). |
392 """Never raises an alternate HTTP response. (an access no-op, basically). |
383 |
393 |
384 Args: |
394 Args: |