Package trac :: Module perm :: Class IPermissionPolicy

Class IPermissionPolicy

    object --+    
             |    
core.Interface --+
                 |
                IPermissionPolicy

A security policy provider used for fine-grained permission checks.

Instance Methods
 
check_permission(action, username, resource, perm)
Check that the action can be performed by username on the resource

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __init__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Properties

Inherited from object: __class__

Method Details

check_permission(action, username, resource, perm)

Check that the action can be performed by username on the resource

Note that a permission check on a realm resource (i.e. when .id is None) usually corresponds to a preliminary check done before making a fine-grained check on some resource. Therefore the IPermissionPolicy should be conservative and return:

  • True if the action can be allowed for some resources in that realm. Later, for a specific resource, the policy will be able to return True (allow), False (deny) or None (don't decide).
  • None if the action cannot be performed for some resources. This corresponds to the situation where the policy is only interested in returning False or None on specific resources.
  • False if the action cannot be performed for any resource in that realm (that's a very strong decision, as it will usually prevent any fine-grained check from even happening).

Note that performing permission checks on realm resources may seem redundant for now as the action name itself contains the realm, but this will probably change in the future (e.g. 'VIEW' in ...).

Parameters:
  • action - the name of the permission
  • username - the username string or 'anonymous' if there's no authenticated user
  • resource - the resource on which the check applies. Will be None if the check is a global one and not made on a resource in particular
  • perm - the permission cache for that username and resource, which can be used for doing secondary checks on other permissions. Care must be taken to avoid recursion.
Returns:
True if action is allowed, False if action is denied, or None if indifferent. If None is returned, the next policy in the chain will be used, and so on.
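
The return-value contract above, as an added example that is not Trac's own code: a stand-alone sketch that does not import Trac (in a real plugin the policy would be a Component declaring implements(IPermissionPolicy)). Resource, PrivatePagePolicy, GrantTablePolicy, decide and the sample data are hypothetical stand-ins, and treating an undecided chain as a denial is an assumption of this sketch.

```python
from collections import namedtuple

# Stand-in for Trac's resource object: realm-level checks carry id None.
Resource = namedtuple("Resource", "realm id")

# Constructed sample data.
PRIVATE_PAGES = {"Security/IncidentNotes": "alice"}   # page -> owner
GRANTS = {"alice": {"WIKI_VIEW"}, "bob": {"WIKI_VIEW"}}


class PrivatePagePolicy:
    """Hypothetical policy: only the owner may act on a private wiki page."""

    def check_permission(self, action, username, resource, perm):
        if resource is None or resource.realm != "wiki":
            return None   # global check or another realm: don't decide
        if resource.id is None:
            # Realm-level preliminary check. This policy only ever denies
            # specific pages, so it returns None here; False would block
            # the whole realm before any fine-grained check runs.
            return None
        owner = PRIVATE_PAGES.get(resource.id)
        if owner is not None and username != owner:
            return False  # explicit deny, ends the chain
        return None       # defer to the next policy


class GrantTablePolicy:
    """Stand-in for a final policy that decides from granted actions."""

    def check_permission(self, action, username, resource, perm):
        return action in GRANTS.get(username, set())


def decide(policies, action, username, resource, perm=None):
    """Walk the chain: the first non-None answer is the decision."""
    for policy in policies:
        decision = policy.check_permission(action, username, resource, perm)
        if decision is not None:
            return decision
    return False  # assumption of this sketch: undecided means denied


CHAIN = [PrivatePagePolicy(), GrantTablePolicy()]
```

The policy never uses perm, so it cannot recurse; a policy that does call back into perm must not re-check the same action on the same resource.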