from fnmatch import fnmatch
+"""
+ A General-purpose ACL mechanism.
+
+ [allow | deny] <type_of_object> <text_pattern>\r
+\r
+ "allow all" and "deny all" are shorthand for allowing or denying all objects.\r
+ Lines are executed from top to bottom until a match was found, typical\r
+ iptables style. An implicit 'deny all' exists at the bottom of the list.\r
+\r
+ For example,\r
+ allow site Max Planck Institute\r
+ deny site Arizona\r
+ allow region US\r
+ deny user scott@onlab.us\r
+ allow user *@onlab.us
+"""
+
class AccessControlList:
def __init__(self, aclText=None):
self.rules = []
lines.append( " ".join(rule) )
return ";\n".join(lines)
- def test(self, user):
+ def test(self, user, site=None):
for rule in self.rules:
if self.match_rule(rule, user):
return rule[0]
return "deny"
- def match_rule(self, rule, user):
+ def match_rule(self, rule, user, site=None):
(action, object, pattern) = rule
+ if (site==None):
+ site = user.site
+
if (object == "site"):
- if fnmatch(user.site.name, pattern):
+ if fnmatch(site.name, pattern):
return True
elif (object == "user"):
if fnmatch(user.email, pattern):
if __name__ == '__main__':
+ # self-test
+
class fakesite:
def __init__(self, siteName):
self.name = siteName
return Sliver.select_by_user(request.user)
def formfield_for_foreignkey(self, db_field, request=None, **kwargs):
- field = super(SliverInline, self).formfield_for_foreignkey(db_field, request, **kwargs)
-
if db_field.name == 'deploymentNetwork':
- kwargs['queryset'] = Deployment.select_by_user(request.user)
+ kwargs['queryset'] = Deployment.select_by_acl(request.user)
+
+ field = super(SliverInline, self).formfield_for_foreignkey(db_field, request, **kwargs)
return field