in Allura/allura/app.py [0:0]
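def update(self, card=None, **kw):
    """Handle POST to update permissions for the Application.

    Each item of ``card`` describes one permission: ``id`` is the permission
    name, ``value`` holds the role ids that keep it and ``new`` the role ids
    to add (each may be a single string or a list).  The ACL is rebuilt from
    the submitted cards: ALLOW entries come from the request, and existing
    DENY entries for a submitted permission are carried over unchanged.

    The new ACL is assembled in a local list and assigned once every card
    has been processed, so a malformed card (missing ``id``, invalid role
    id) raises before the stored ACL is modified.  A request without
    ``card`` leaves the ACL untouched instead of failing on ``None``.

    NOTE(review): no authorization check is visible in this method;
    presumably the enclosing controller enforces admin access -- confirm.
    """
    def get_role(_id):
        # NOTE(review): the lookup is by _id alone; confirm that a role from
        # another project cannot be granted a permission here.
        return model.ProjectRole.query.get(_id=ObjectId(_id))

    def group_names(groups):
        return ', '.join((role.name or '<Unnamed>') for role in groups if role)

    def as_list(ids):
        # A single submitted value arrives as a bare string.
        return [ids] if isinstance(ids, str) else list(ids)

    if card is not None:
        old_acl = self.app.config.acl
        new_acl = []
        for args in card:
            # NOTE(review): perm is taken from the request unchanged; confirm
            # it is limited to the permissions this application declares.
            perm = args['id']
            group_ids = as_list(args.get('value', []))
            new_group_ids = as_list(args.get('new', []))
            # Roles that held an ALLOW entry for perm but were not resubmitted.
            del_group_ids = [
                str(ace['role_id']) for ace in old_acl
                if (ace['permission'] == perm
                    and str(ace['role_id']) not in group_ids
                    and ace['access'] != model.ACE.DENY)]

            # Resolving the roles also validates every submitted id
            # (ObjectId raises on a malformed one) before anything is stored.
            groups = list(map(get_role, group_ids))
            new_groups = list(map(get_role, new_group_ids))
            del_groups = list(map(get_role, del_group_ids))

            if new_groups or del_groups:
                model.AuditLog.log('updated "{}" permission: "{}" => "{}" for {}'.format(
                    perm,
                    group_names(groups + del_groups),
                    group_names(groups + new_groups),
                    self.app.config.options['mount_point']))

            # Grant only to ids that resolved to an existing role; an id with
            # no matching ProjectRole must not end up in the ACL.
            new_acl += [
                model.ACE.allow(role._id, perm)
                for role in groups + new_groups if role]

            # Add all DENY ACEs for this permission back
            new_acl += [
                ace for ace in old_acl
                if ace['permission'] == perm and ace['access'] == model.ACE.DENY]

        # Permissions that no card names end up with no entries at all, DENY
        # ones included.  NOTE(review): confirm the form always posts every
        # permission of the application.
        self.app.config.acl = new_acl

    g.post_event('project_menu_updated')  # since 'read' permission changes can affect what is visible in menu
    # Referer is a client-supplied header; fall back to '/' when it is absent.
    redirect(six.ensure_text(request.referer or '/'))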