viewvc-4intranet/lib/vcauth/forbidden/__init__.py

# -*-python-*-
#
# Copyright (C) 2006-2013 The ViewCVS Group. All Rights Reserved.
#
# By using this file, you agree to the terms and conditions set forth in
# the LICENSE.html file which can be found at the top level of the ViewVC
# distribution or at http://viewvc.org/license-1.html.
#
# For more information, visit http://viewvc.org/
#
# -----------------------------------------------------------------------
import vcauth
import vclib
import fnmatch

class ViewVCAuthorizer(vcauth.GenericViewVCAuthorizer):
  """A simple top-level module authorizer."""
  def __init__(self, username, params={}):
    forbidden = params.get('forbidden', '')
    self.forbidden = map(lambda x: x.strip(),
                         filter(None, forbidden.split(',')))

  def check_root_access(self, rootname):
    return 1

  def check_universal_access(self, rootname):
    # If there aren't any forbidden paths, we can grant universal read
    # access.  Otherwise, we make no claim.
    if not self.forbidden:
      return 1
    return None
    
  def check_path_access(self, rootname, path_parts, pathtype, rev=None):
    # No path?  No problem.
    if not path_parts:
      return 1

    # Not a directory?  We aren't interested.
    if pathtype != vclib.DIR:
      return 1

    # At this point we're looking at a directory path.
    module = path_parts[0]
    default = 1
    for pat in self.forbidden:
      if pat[0] == '!':
        default = 0
        if fnmatch.fnmatchcase(module, pat[1:]):
          return 1
      elif fnmatch.fnmatchcase(module, pat):
        return 0
    return default
Merge the authz-dev branch work into trunk. Let's let the pluggable authz subsystem go mainstream! * notes/authz-dev-TODO * lib/vcauth/* New, copied from the authz-dev branch. * viewvc.conf.dist * lib/viewvc.py * lib/query.py * lib/debug.py Merge changes from the authz-dev branch. * lib/config.py Merge changes from the authz-dev branch. Also, make 'forbidden' the default value for 'authorizer'. * docs/upgrading-howto.html Add sections about handling forbidden modules. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1623 8cb11bc2-c004-0410-86c3-e597b4017df7 2007-04-26 00:07:13 +04:00			`# --python--`
			`#`
Bump copyright years. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@2820 8cb11bc2-c004-0410-86c3-e597b4017df7 2013-01-04 23:01:54 +04:00			`# Copyright (C) 2006-2013 The ViewCVS Group. All Rights Reserved.`
Merge the authz-dev branch work into trunk. Let's let the pluggable authz subsystem go mainstream! * notes/authz-dev-TODO * lib/vcauth/* New, copied from the authz-dev branch. * viewvc.conf.dist * lib/viewvc.py * lib/query.py * lib/debug.py Merge changes from the authz-dev branch. * lib/config.py Merge changes from the authz-dev branch. Also, make 'forbidden' the default value for 'authorizer'. * docs/upgrading-howto.html Add sections about handling forbidden modules. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1623 8cb11bc2-c004-0410-86c3-e597b4017df7 2007-04-26 00:07:13 +04:00			`#`
			`# By using this file, you agree to the terms and conditions set forth in`
			`# the LICENSE.html file which can be found at the top level of the ViewVC`
			`# distribution or at http://viewvc.org/license-1.html.`
			`#`
			`# For more information, visit http://viewvc.org/`
			`#`
			`# -----------------------------------------------------------------------`
			`import vcauth`
* lib/vcauth/forbidden/__init__.py (): import vclib (so trying to use it later doesn't make bad stuff happen) git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1666 8cb11bc2-c004-0410-86c3-e597b4017df7 2007-05-21 18:45:00 +04:00			`import vclib`
Merge the authz-dev branch work into trunk. Let's let the pluggable authz subsystem go mainstream! * notes/authz-dev-TODO * lib/vcauth/* New, copied from the authz-dev branch. * viewvc.conf.dist * lib/viewvc.py * lib/query.py * lib/debug.py Merge changes from the authz-dev branch. * lib/config.py Merge changes from the authz-dev branch. Also, make 'forbidden' the default value for 'authorizer'. * docs/upgrading-howto.html Add sections about handling forbidden modules. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1623 8cb11bc2-c004-0410-86c3-e597b4017df7 2007-04-26 00:07:13 +04:00			`import fnmatch`

			`class ViewVCAuthorizer(vcauth.GenericViewVCAuthorizer):`
			`"""A simple top-level module authorizer."""`
Merge to trunk all the changes from the 'vcauth-reorg' branch as of r1761, which see for logs. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1762 8cb11bc2-c004-0410-86c3-e597b4017df7 2008-02-06 22:22:53 +03:00			`def __init__(self, username, params={}):`
* lib/vcauth/forbidden/__init__.py (ViewVCAuthorizer.__init__): Don't assume that the 'forbidden' parameter is present. Noticed by Vairoj Arunyaangkul <va@waveman.com>. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1680 8cb11bc2-c004-0410-86c3-e597b4017df7 2007-06-20 17:23:52 +04:00			`forbidden = params.get('forbidden', '')`
Wow. Drop a "general code cleanup" kind of bomb on the codebase. All of this is aimed at not paying the maintenance price of supporting Python versions prior to 2.4 any longer, plus a little bit of just getting dead code out of the way. * lib/compat.py Remove as unused. * bin/cvsdbadmin, * bin/loginfo-handler, * bin/make-database, * bin/svndbadmin, * lib/accept.py, * lib/blame.py, * lib/cvsdb.py, * lib/popen.py, * lib/query.py, * lib/sapi.py, * lib/vcauth/forbidden/__init__.py * lib/vcauth/forbiddenre/__init__.py, * lib/vcauth/svnauthz/__init__.py, * lib/vclib/__init__.py, * lib/vclib/ccvs/blame.py, * lib/win32popen.py, * tests/timelog.py Replace explicit import and use of the 'string' module with newer constructs. * bin/standalone.py, * lib/viewvc.py No longer use 'compat' module. Replace explicit import and use of the 'string' module with newer constructs. * lib/dbi.py Use calender.timegm() instead of compat.timegm(). * lib/vcauth/__init__.py Lose unused module imports. * lib/config.py, Replace explicit import and use of the 'string' module with newer constructs where possible. Lose old ConfigParser patch-up code for Python 1.5.1. * lib/vclib/ccvs/ccvs.py Replace explicit import and use of the 'string' module with newer constructs where possible. Import _path_join() from bincvs, and use it instead of a bunch of copy-and-pasted string join() statements throughout. * lib/vclib/ccvs/__init__.py (cvs_strptime): Moved here from the 'compat' module. * lib/vclib/ccvs/bincvs.py (): No longer use 'compat' module. Replace explicit import and use of the 'string' module with newer constructs. (_path_join): New, used now instead of a bunch of copy-and-pasted string join() statements throughout. * viewvc-install Don't use the 'compat' module any more. Also, so some rearranging of non-critical bits. * misc/: New directory. * misc/py2html.py: Moved from 'lib/py2html.py'. * misc/PyFontify.py: Moved from 'lib/PyFontify.py'. * misc/elemx/: Moved from 'elemx/'. * misc/tparse/: Moved from 'tparse/'. * tools/make-release Omit 'misc' directory from releases, too. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@2437 8cb11bc2-c004-0410-86c3-e597b4017df7 2010-09-03 20:49:52 +04:00			`self.forbidden = map(lambda x: x.strip(),`
			`filter(None, forbidden.split(',')))`
Merge to trunk all the changes from the 'vcauth-reorg' branch as of r1761, which see for logs. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1762 8cb11bc2-c004-0410-86c3-e597b4017df7 2008-02-06 22:22:53 +03:00
			`def check_root_access(self, rootname):`
			`return 1`
Fix issue 425 ("Authorization subsystem needs some optimization"). Give the 'vcauth' subsystem a way to make universal access determinations, which can seriously improve performance in situations where a user has universal read access to a repository. * lib/vcauth/__init__.py (GenericViewVCAuthorizer.check_universal_access): New skeletal function. (ViewVCAuthorizer.check_universal_access): New function. * lib/vcauth/svnauthz/__init__.py (ViewVCAuthorizer.check_universal_access), * lib/vcauth/forbidden/__init__.py (ViewVCAuthorizer.check_universal_access), * lib/vcauth/forbiddenre/__init__.py (ViewVCAuthorizer.check_universal_access) New functions. * lib/vclib/ccvs/bincvs.py (BaseCVSRepository.open): New function. * lib/vclib/svn/svn_repos.py (LocalSubversionRepository.open): Now check for universal read access. * lib/vclib/svn/svn_ra.py (RemoteSubversionRepository.open): Now check for universal read access. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@2496 8cb11bc2-c004-0410-86c3-e597b4017df7 2010-12-09 19:10:04 +03:00
			`def check_universal_access(self, rootname):`
			`# If there aren't any forbidden paths, we can grant universal read`
			`# access. Otherwise, we make no claim.`
			`if not self.forbidden:`
			`return 1`
			`return None`

Merge to trunk all the changes from the 'vcauth-reorg' branch as of r1761, which see for logs. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1762 8cb11bc2-c004-0410-86c3-e597b4017df7 2008-02-06 22:22:53 +03:00			`def check_path_access(self, rootname, path_parts, pathtype, rev=None):`
For issue #268: Merge the Authorizers' check_directory_access() and check_file_access() functions into a single check_path_access(). Most authorizers won't need to care about the distinction. * lib/vcauth/__init__.py (GenericViewVCAuthorizer.check_path_access): New, replaces ... (GenericViewVCAuthorizer.check_file_access, GenericViewVCAuthorizer.check_directory_access): ...these now-removed functions. (ViewVCAuthorizer.check_path_access): New. (ViewVCAuthorizer.check_file_access, ViewVCAuthorizer.check_directory_access): Removed. * lib/vcauth/forbidden/__init__.py (ViewVCAuthorizer.__init__): Squirrel away 'root' so we can use it ... (ViewVCAuthorizer.check_path_access): ...here. Was check_directory_access(), and now optionally checks the path's type before making the access determination. (ViewVCAuthorizer.check_file_access): Removed. * lib/vcauth/svnauthz/__init__.py (ViewVCAuthorizer.check_path_access): Was _check_path_access(). Add 'rev' parameter. (ViewVCAuthorizer.check_file_access, ViewVCAuthorizer.check_directory_access): Removed. * lib/viewvc.py (Request.run_viewvc, view_directory, _get_diff_path_parts, generate_tarball, view_revision, build_commit): Use the authorizor's check_path_access() instead of the now-removed check_directory_access() and check_file_access() functions. * lib/query.py (build_commit): Use check_path_access() instead of check_directory_access(). git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1661 8cb11bc2-c004-0410-86c3-e597b4017df7 2007-05-16 00:18:56 +04:00			`# No path? No problem.`
Merge the authz-dev branch work into trunk. Let's let the pluggable authz subsystem go mainstream! * notes/authz-dev-TODO * lib/vcauth/* New, copied from the authz-dev branch. * viewvc.conf.dist * lib/viewvc.py * lib/query.py * lib/debug.py Merge changes from the authz-dev branch. * lib/config.py Merge changes from the authz-dev branch. Also, make 'forbidden' the default value for 'authorizer'. * docs/upgrading-howto.html Add sections about handling forbidden modules. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1623 8cb11bc2-c004-0410-86c3-e597b4017df7 2007-04-26 00:07:13 +04:00			`if not path_parts:`
			`return 1`
For issue #268: Merge the Authorizers' check_directory_access() and check_file_access() functions into a single check_path_access(). Most authorizers won't need to care about the distinction. * lib/vcauth/__init__.py (GenericViewVCAuthorizer.check_path_access): New, replaces ... (GenericViewVCAuthorizer.check_file_access, GenericViewVCAuthorizer.check_directory_access): ...these now-removed functions. (ViewVCAuthorizer.check_path_access): New. (ViewVCAuthorizer.check_file_access, ViewVCAuthorizer.check_directory_access): Removed. * lib/vcauth/forbidden/__init__.py (ViewVCAuthorizer.__init__): Squirrel away 'root' so we can use it ... (ViewVCAuthorizer.check_path_access): ...here. Was check_directory_access(), and now optionally checks the path's type before making the access determination. (ViewVCAuthorizer.check_file_access): Removed. * lib/vcauth/svnauthz/__init__.py (ViewVCAuthorizer.check_path_access): Was _check_path_access(). Add 'rev' parameter. (ViewVCAuthorizer.check_file_access, ViewVCAuthorizer.check_directory_access): Removed. * lib/viewvc.py (Request.run_viewvc, view_directory, _get_diff_path_parts, generate_tarball, view_revision, build_commit): Use the authorizor's check_path_access() instead of the now-removed check_directory_access() and check_file_access() functions. * lib/query.py (build_commit): Use check_path_access() instead of check_directory_access(). git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1661 8cb11bc2-c004-0410-86c3-e597b4017df7 2007-05-16 00:18:56 +04:00
Merge to trunk all the changes from the 'vcauth-reorg' branch as of r1761, which see for logs. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1762 8cb11bc2-c004-0410-86c3-e597b4017df7 2008-02-06 22:22:53 +03:00			`# Not a directory? We aren't interested.`
			`if pathtype != vclib.DIR:`
			`return 1`
For issue #268: Merge the Authorizers' check_directory_access() and check_file_access() functions into a single check_path_access(). Most authorizers won't need to care about the distinction. * lib/vcauth/__init__.py (GenericViewVCAuthorizer.check_path_access): New, replaces ... (GenericViewVCAuthorizer.check_file_access, GenericViewVCAuthorizer.check_directory_access): ...these now-removed functions. (ViewVCAuthorizer.check_path_access): New. (ViewVCAuthorizer.check_file_access, ViewVCAuthorizer.check_directory_access): Removed. * lib/vcauth/forbidden/__init__.py (ViewVCAuthorizer.__init__): Squirrel away 'root' so we can use it ... (ViewVCAuthorizer.check_path_access): ...here. Was check_directory_access(), and now optionally checks the path's type before making the access determination. (ViewVCAuthorizer.check_file_access): Removed. * lib/vcauth/svnauthz/__init__.py (ViewVCAuthorizer.check_path_access): Was _check_path_access(). Add 'rev' parameter. (ViewVCAuthorizer.check_file_access, ViewVCAuthorizer.check_directory_access): Removed. * lib/viewvc.py (Request.run_viewvc, view_directory, _get_diff_path_parts, generate_tarball, view_revision, build_commit): Use the authorizor's check_path_access() instead of the now-removed check_directory_access() and check_file_access() functions. * lib/query.py (build_commit): Use check_path_access() instead of check_directory_access(). git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1661 8cb11bc2-c004-0410-86c3-e597b4017df7 2007-05-16 00:18:56 +04:00
Merge to trunk all the changes from the 'vcauth-reorg' branch as of r1761, which see for logs. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1762 8cb11bc2-c004-0410-86c3-e597b4017df7 2008-02-06 22:22:53 +03:00			`# At this point we're looking at a directory path.`
Merge the authz-dev branch work into trunk. Let's let the pluggable authz subsystem go mainstream! * notes/authz-dev-TODO * lib/vcauth/* New, copied from the authz-dev branch. * viewvc.conf.dist * lib/viewvc.py * lib/query.py * lib/debug.py Merge changes from the authz-dev branch. * lib/config.py Merge changes from the authz-dev branch. Also, make 'forbidden' the default value for 'authorizer'. * docs/upgrading-howto.html Add sections about handling forbidden modules. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1623 8cb11bc2-c004-0410-86c3-e597b4017df7 2007-04-26 00:07:13 +04:00			`module = path_parts[0]`
			`default = 1`
			`for pat in self.forbidden:`
			`if pat[0] == '!':`
			`default = 0`
			`if fnmatch.fnmatchcase(module, pat[1:]):`
			`return 1`
			`elif fnmatch.fnmatchcase(module, pat):`
			`return 0`
			`return default`