Beispiel #1
0
 def command(self):
     self._load_config()
     cmd = self.args[0] if len(self.args) else 'list'
     if cmd == 'list':
         self.list()
         return
     
     assert len(self.args) == 4, "Not enough paramters!" + RIGHTS_HELP
     cmd, subj, role, obj = self.args
     subj = self.find_subject(unicode(subj))
     role = self.ensure_role(unicode(role))
     obj = self.find_object(unicode(obj))
     if cmd == 'make':
         if isinstance(subj, model.User):
             model.add_user_to_role(subj, role, obj)
         elif isinstance(subj, model.AuthorizationGroup):
             model.add_authorization_group_to_role(subj, role, obj)
         print "made", 
     elif cmd == 'remove':
         if isinstance(subj, model.User):
             model.remove_user_from_role(subj, role, obj)
         elif isinstance(subj, model.AuthorizationGroup):
             model.remove_authorization_group_from_role(subj, role, obj)
         print "remove", 
     model.repo.commit_and_remove()
     self.print_row(subj, role, obj)
Beispiel #2
0
    def make_or_remove_roles(cls, cmd, subj, role, obj, except_on_error=False, do_commit=True):
        '''Tool to make or remove a role using the names of objects, rather
        than the actual objects.
        cmd - 'make' or 'remove'
        subj - name of subject object (e.g. 'dave-admin')
        role - name of role (e.g. 'editor')
        obj - names of an objects to apply the role to (e.g. 'river-stats' or 'all')
        '''
        from ckan import model
        log = logging.getLogger(__name__)

        subj = cls.find_subject(unicode(subj))
        role = cls.ensure_role(unicode(role))
        objs = cls.find_objects(unicode(obj))
        for obj in objs:
            try:
                if cmd == 'make':
                    if isinstance(subj, model.User):
                        model.add_user_to_role(subj, role, obj)
                    log.debug('Role made')
                elif cmd == 'remove':
                    if isinstance(subj, model.User):
                        model.remove_user_from_role(subj, role, obj)
                    log.debug('Role removed')
                else:
                    raise NotImplementedError
            except NoResultFound, e:
                log.error('Cannot find object for role %s: %s', str(e), cmd)
                if except_on_error:
                    raise RightsToolError('Cannot %s right: %s %s %s', cmd, subj, role, obj)
            log.debug(cls.get_printable_row(subj, role, obj,
                                            exists=(cmd=='make')))
Beispiel #3
0
 def command(self):
     self._load_config()
     cmd = self.args[0] if len(self.args) else 'list'
     if cmd == 'list':
         args = self.args
         if 'list' in args:
             del args[args.index('list')]
         self.list(args)
         return
     
     assert len(self.args) == 4, "Not enough parameters!" + RIGHTS_HELP
     cmd, subj, role, obj = self.args
     subj = self.find_subject(unicode(subj))
     role = self.ensure_role(unicode(role))
     objs = self.find_objects(unicode(obj))
     for obj in objs:
         try:
             if cmd == 'make':
                 if isinstance(subj, model.User):
                     model.add_user_to_role(subj, role, obj)
                 elif isinstance(subj, model.AuthorizationGroup):
                     model.add_authorization_group_to_role(subj, role, obj)
                 print "made", 
             elif cmd == 'remove':
                 if isinstance(subj, model.User):
                     model.remove_user_from_role(subj, role, obj)
                 elif isinstance(subj, model.AuthorizationGroup):
                     model.remove_authorization_group_from_role(subj, role, obj)
                 print "remove",
         except NoResultFound, e:
             print "! not found",
         self.print_row(subj, role, obj)
Beispiel #4
0
    def command(self):
        self._load_config()
        cmd = self.args[0] if len(self.args) else 'list'
        if cmd == 'list':
            args = self.args
            if 'list' in args:
                del args[args.index('list')]
            self.list(args)
            return

        assert len(self.args) == 4, "Not enough parameters!" + RIGHTS_HELP
        cmd, subj, role, obj = self.args
        subj = self.find_subject(unicode(subj))
        role = self.ensure_role(unicode(role))
        objs = self.find_objects(unicode(obj))
        for obj in objs:
            try:
                if cmd == 'make':
                    if isinstance(subj, model.User):
                        model.add_user_to_role(subj, role, obj)
                    elif isinstance(subj, model.AuthorizationGroup):
                        model.add_authorization_group_to_role(subj, role, obj)
                    print "made",
                elif cmd == 'remove':
                    if isinstance(subj, model.User):
                        model.remove_user_from_role(subj, role, obj)
                    elif isinstance(subj, model.AuthorizationGroup):
                        model.remove_authorization_group_from_role(
                            subj, role, obj)
                    print "remove",
            except NoResultFound, e:
                print "! not found",
            self.print_row(subj, role, obj)
Beispiel #5
0
        def action_save_form(users):
            # The permissions grid has been saved
            # which is a grid of checkboxes named user$role
            rpi = request.params.items()

            # The grid passes us a list of the users/roles that were displayed
            submitted = [a for (a, b) in rpi if (b == u'submitted')]
            # and also those which were checked
            checked = [a for (a, b) in rpi if (b == u'on')]

            # from which we can deduce true/false for each user/role
            # combination that was displayed in the form
            table_dict = {}
            for a in submitted:
                table_dict[a] = False
            for a in checked:
                table_dict[a] = True

            # now we'll split up the user$role strings to make a dictionary
            # from (user,role) to True/False, which tells us what we need to
            # do.
            new_user_role_dict = {}
            for (ur, val) in table_dict.items():
                u, r = ur.split('$')
                new_user_role_dict[(u, r)] = val

            # we get the current user/role assignments
            # and make a dictionary of them
            current_uors = model.Session.query(model.SystemRole).all()
            current_users_roles = [(uor.user.name, uor.role)
                                   for uor in current_uors if uor.user]

            current_user_role_dict = {}
            for (u, r) in current_users_roles:
                current_user_role_dict[(u, r)] = True

            # and now we can loop through our dictionary of desired states
            # checking whether a change needs to be made, and if so making it

            # WORRY: Here it seems that we have to check whether someone is
            # already assigned a role, in order to avoid assigning it twice,
            # or attempting to delete it when it doesn't exist. Otherwise
            # problems occur. However this doesn't affect the index page,
            # which would seem to be prone to suffer the same effect. Why
            # the difference?

            for ((u, r), val) in new_user_role_dict.items():
                if val:
                    if not ((u, r) in current_user_role_dict):
                        model.add_user_to_role(model.User.by_name(u), r,
                                               model.System())
                else:
                    if ((u, r) in current_user_role_dict):
                        model.remove_user_from_role(model.User.by_name(u), r,
                                                    model.System())

            # finally commit the change to the database
            model.Session.commit()
            h.flash_success(_("Changes Saved"))
Beispiel #6
0
        def action_add_form(users):
            # The user is attempting to set new roles for a named user
            new_user = request.params.get('new_user_name')
            # this is the list of roles whose boxes were ticked
            checked_roles = [
                a for (a, b) in request.params.items() if (b == u'on')
            ]
            # this is the list of all the roles that were in the submitted
            # form
            submitted_roles = [
                a for (a, b) in request.params.items() if (b == u'submitted')
            ]

            # from this we can make a dictionary of the desired states
            # i.e. true for the ticked boxes, false for the unticked
            desired_roles = {}
            for r in submitted_roles:
                desired_roles[r] = False
            for r in checked_roles:
                desired_roles[r] = True

            # again, in order to avoid either creating a role twice or
            # deleting one which is non-existent, we need to get the users'
            # current roles (if any)

            current_uors = model.Session.query(model.SystemRole).all()

            current_roles = [
                uor.role for uor in current_uors
                if (uor.user and uor.user.name == new_user)
            ]
            user_object = model.User.by_name(new_user)
            if user_object is None:
                # The submitted user does not exist. Bail with flash
                # message
                h.flash_error(_('unknown user:') + str(new_user))
            else:
                # Whenever our desired state is different from our
                # current state, change it.
                for (r, val) in desired_roles.items():
                    if val:
                        if (r not in current_roles):
                            model.add_user_to_role(user_object, r,
                                                   model.System())
                    else:
                        if (r in current_roles):
                            model.remove_user_from_role(
                                user_object, r, model.System())
                h.flash_success(_("User Added"))

            # and finally commit all these changes to the database
            model.Session.commit()
Beispiel #7
0
    def remove(self):
        from ckan import model

        if len(self.args) < 2:
            print "Need name of the user to be made sysadmin."
            return
        username = self.args[1]

        user = model.User.by_name(unicode(username))
        if not user:
            print 'Error: user "%s" not found!' % username
            return
        model.remove_user_from_role(user, model.Role.ADMIN, model.System())
        model.repo.commit_and_remove()
Beispiel #8
0
Datei: cli.py Projekt: arkka/ckan
    def remove(self):
        import ckan.model as model

        if len(self.args) < 2:
            print 'Need name of the user to be made sysadmin.'
            return
        username = self.args[1]

        user = model.User.by_name(unicode(username))
        if not user:
            print 'Error: user "%s" not found!' % username
            return
        model.remove_user_from_role(user, model.Role.ADMIN, model.System())
        model.repo.commit_and_remove()
Beispiel #9
0
        def action_add_form(users):
            # The user is attempting to set new roles for a named user
            new_user = request.params.get('new_user_name')
            # this is the list of roles whose boxes were ticked
            checked_roles = [a for (a, b) in request.params.items()
                             if (b == u'on')]
            # this is the list of all the roles that were in the submitted
            # form
            submitted_roles = [a for (a, b) in request.params.items()
                               if (b == u'submitted')]

            # from this we can make a dictionary of the desired states
            # i.e. true for the ticked boxes, false for the unticked
            desired_roles = {}
            for r in submitted_roles:
                desired_roles[r] = False
            for r in checked_roles:
                desired_roles[r] = True

            # again, in order to avoid either creating a role twice or
            # deleting one which is non-existent, we need to get the users'
            # current roles (if any)

            current_uors = model.Session.query(model.SystemRole).all()


            current_roles = [uor.role for uor in current_uors
                             if (uor.user and uor.user.name == new_user)]
            user_object = model.User.by_name(new_user)
            if user_object is None:
                # The submitted user does not exist. Bail with flash
                # message
                h.flash_error(_('unknown user:') + str(new_user))
            else:
                # Whenever our desired state is different from our
                # current state, change it.
                for (r, val) in desired_roles.items():
                    if val:
                        if (r not in current_roles):
                            model.add_user_to_role(user_object, r,
                                                   model.System())
                    else:
                        if (r in current_roles):
                            model.remove_user_from_role(user_object, r,
                                                        model.System())
                h.flash_success(_("User Added"))

            # and finally commit all these changes to the database
            model.Session.commit()
Beispiel #10
0
    def test_3_add_twice_remove_twice(self):
        tester = model.User.by_name(u'tester')
        war = model.Package.by_name(u'warandpeace')

        def tester_roles():
            return [x.role \
             for x in model.Session.query(model.PackageRole).all() \
             if x.user and x.user.name=='tester' and x.package.name==u'warandpeace']
          
        assert len(tester_roles()) == 0, "wrong number of roles for tester"
        model.add_user_to_role(tester, model.Role.ADMIN, war)
        model.repo.commit_and_remove()
        assert len(tester_roles()) == 1, "wrong number of roles for tester"
        model.add_user_to_role(tester, model.Role.ADMIN, war)
        model.repo.commit_and_remove()

        assert len(tester_roles()) == 1, "wrong number of roles for tester"
        model.remove_user_from_role(tester, model.Role.ADMIN, war)
        assert len(tester_roles()) == 0, "wrong number of roles for tester"
        model.remove_user_from_role(tester, model.Role.ADMIN, war)
        assert len(tester_roles()) == 0, "wrong number of roles for tester"
Beispiel #11
0
    def test_3_add_twice_remove_twice(self):
        tester = model.User.by_name(u'tester')
        war = model.Package.by_name(u'warandpeace')

        def tester_roles():
            return [x.role \
             for x in model.Session.query(model.PackageRole).all() \
             if x.user and x.user.name=='tester' and x.package.name==u'warandpeace']

        assert len(tester_roles()) == 0, "wrong number of roles for tester"
        model.add_user_to_role(tester, model.Role.ADMIN, war)
        model.repo.commit_and_remove()
        assert len(tester_roles()) == 1, "wrong number of roles for tester"
        model.add_user_to_role(tester, model.Role.ADMIN, war)
        model.repo.commit_and_remove()

        assert len(tester_roles()) == 1, "wrong number of roles for tester"
        model.remove_user_from_role(tester, model.Role.ADMIN, war)
        assert len(tester_roles()) == 0, "wrong number of roles for tester"
        model.remove_user_from_role(tester, model.Role.ADMIN, war)
        assert len(tester_roles()) == 0, "wrong number of roles for tester"
Beispiel #12
0
    def set_roles(self, user_name, drupal_roles):
        '''Sets CKAN user roles based on the drupal roles.

        Restricted to sysadmin. Publishing roles initially imported during migration from
        Drupal.

        Example drupal_roles:
        ['package admin', 'publisher admin', 'authenticated user', 'publishing user']
        where sysadmin roles are:
               3   'administrator' - total control
               11  'package admin' - admin of datasets
                   'publisher admin' - admin of publishers
        other roles:
                   'publishing user' - anyone who has registered - includes spammers
        '''
        from ckan import model
        from ckan.authz import Authorizer
        needs_commit = False
        user = model.User.by_name(user_name)

        # Sysadmin or not
        log.debug('User roles in Drupal: %r', drupal_roles)
        should_be_sysadmin = bool(
            set(('administrator', 'package admin', 'publisher admin'))
            & set(drupal_roles))
        is_sysadmin = Authorizer().is_sysadmin(user)
        if should_be_sysadmin and not is_sysadmin:
            # Make user a sysadmin
            model.add_user_to_role(user, model.Role.ADMIN, model.System())
            log.info('User made a sysadmin: %s', user_name)
            needs_commit = True
        elif not should_be_sysadmin and is_sysadmin:
            # Stop user being a sysadmin
            model.remove_user_from_role(user, model.Role.ADMIN, model.System())
            log.info('User now not a sysadmin: %s', user_name)
            needs_commit = True
        if needs_commit:
            model.repo.commit_and_remove()
Beispiel #13
0
    def set_roles(self, user_name, drupal_roles):
        '''Sets CKAN user roles based on the drupal roles.

        Restricted to sysadmin. Publishing roles initially imported during migration from
        Drupal.
        
        Example drupal_roles:
        ['package admin', 'publisher admin', 'authenticated user', 'publishing user']
        where sysadmin roles are:
               3   'administrator' - total control
               11  'package admin' - admin of datasets
                   'publisher admin' - admin of publishers
        other roles:
                   'publishing user' - anyone who has registered - includes spammers
        '''
        from ckan import model
        from ckan.authz import Authorizer
        needs_commit = False
        user = model.User.by_name(user_name)

        # Sysadmin or not
        log.debug('User roles in Drupal: %r', drupal_roles)
        should_be_sysadmin = bool(set(('administrator', 'package admin', 'publisher admin')) & set(drupal_roles))
        is_sysadmin = Authorizer().is_sysadmin(user)
        if should_be_sysadmin and not is_sysadmin:
            # Make user a sysadmin
            model.add_user_to_role(user, model.Role.ADMIN, model.System())
            log.info('User made a sysadmin: %s', user_name)
            needs_commit = True
        elif not should_be_sysadmin and is_sysadmin:
            # Stop user being a sysadmin
            model.remove_user_from_role(user, model.Role.ADMIN, model.System())
            log.info('User now not a sysadmin: %s', user_name)
            needs_commit = True
        if needs_commit:
            model.repo.commit_and_remove()
Beispiel #14
0
        def action_save_form(users):
            # The permissions grid has been saved
            # which is a grid of checkboxes named user$role
            rpi = request.params.items()

            # The grid passes us a list of the users/roles that were displayed
            submitted = [a for (a, b) in rpi if (b == u'submitted')]
            # and also those which were checked
            checked = [a for (a, b) in rpi if (b == u'on')]

            # from which we can deduce true/false for each user/role
            # combination that was displayed in the form
            table_dict = {}
            for a in submitted:
                table_dict[a] = False
            for a in checked:
                table_dict[a] = True

            # now we'll split up the user$role strings to make a dictionary
            # from (user,role) to True/False, which tells us what we need to
            # do.
            new_user_role_dict = {}
            for (ur, val) in table_dict.items():
                u, r = ur.split('$')
                new_user_role_dict[(u, r)] = val

            # we get the current user/role assignments
            # and make a dictionary of them
            current_uors = model.Session.query(model.SystemRole).all()
            current_users_roles = [(uor.user.name, uor.role)
                                   for uor in current_uors
                                   if uor.user]

            current_user_role_dict = {}
            for (u, r) in current_users_roles:
                current_user_role_dict[(u, r)] = True

            # and now we can loop through our dictionary of desired states
            # checking whether a change needs to be made, and if so making it

            # WORRY: Here it seems that we have to check whether someone is
            # already assigned a role, in order to avoid assigning it twice,
            # or attempting to delete it when it doesn't exist. Otherwise
            # problems occur. However this doesn't affect the index page,
            # which would seem to be prone to suffer the same effect. Why
            # the difference?


            for ((u, r), val) in new_user_role_dict.items():
                if val:
                    if not ((u, r) in current_user_role_dict):
                        model.add_user_to_role(
                            model.User.by_name(u), r,
                            model.System())
                else:
                    if ((u, r) in current_user_role_dict):
                        model.remove_user_from_role(
                            model.User.by_name(u), r,
                            model.System())

            # finally commit the change to the database
            model.Session.commit()
            h.flash_success(_("Changes Saved"))
Beispiel #15
0
    def _add_user_object_role(self, users_or_authz_groups, current_uors, domain_object):
        '''
        current_uors: in order to avoid either creating a role twice or deleting one which is
        non-existent, we need to get the users' current roles (if any)
        '''
        # The user is attempting to set new roles for a named user
        new_user = request.params.get('new_user_name')
        # this is the list of roles whose boxes were ticked
        checked_roles = [ a for (a,b) in request.params.items() if (b == u'on')]
        # this is the list of all the roles that were in the submitted form
        submitted_roles = [ a for (a,b) in request.params.items() if (b == u'submitted')]

        # from this we can make a dictionary of the desired states
        # i.e. true for the ticked boxes, false for the unticked
        desired_roles = {}
        for r in submitted_roles:
            desired_roles[r]=False
        for r in checked_roles:
            desired_roles[r]=True

        if users_or_authz_groups=='users':
            current_roles = [uor.role for uor in current_uors if ( uor.user and uor.user.name == new_user )]
            user_object = model.User.by_name(new_user)
            if user_object==None:
                # The submitted user does not exist. Bail with flash message
                h.flash_error(_('unknown user:'******'authz_groups':
            current_roles = [uor.role for uor in current_uors if ( uor.authorized_group and uor.authorized_group.name == new_user )]
            user_object = model.AuthorizationGroup.by_name(new_user)
            if user_object==None:
                # The submitted user does not exist. Bail with flash message
                h.flash_error(_('unknown authorization group:') + str (new_user))
            else:
                # Whenever our desired state is different from our current state, change it.
                for (r,val) in desired_roles.items():
                    if val:
                        if (r not in current_roles):
                            model.add_authorization_group_to_role(user_object,
                                    r, domain_object)
                    else:
                        if (r in current_roles):
                            model.remove_authorization_group_from_role(user_object,
                                    r, domain_object)
                h.flash_success(_("Authorization Group Added"))

        else:
            assert False, "shouldn't be here"

        # and finally commit all these changes to the database
        model.repo.commit_and_remove()
Beispiel #16
0
    def _update_user_object_roles(self, users_or_authz_groups, current_uors, domain_object):
        '''Update user object roles for this object.

        :param domain_object: the domain object for whom we are adding the user
        object role.
        '''
        # The permissions grid has been saved
        # which is a grid of checkboxes named user$role
        rpi = request.params.items()

        # The grid passes us a list of the users/roles that were displayed
        submitted = [ a for (a,b) in rpi if (b == u'submitted')]
        # and also those which were checked
        checked = [ a for (a,b) in rpi if (b == u'on')]

        # from which we can deduce true/false for each user/role combination
        # that was displayed in the form
        table_dict={}
        for a in submitted:
            table_dict[a]=False
        for a in checked:
            table_dict[a]=True

        # now we'll split up the user$role strings to make a dictionary from 
        # (user,role) to True/False, which tells us what we need to do.
        new_user_role_dict={}
        for (ur,val) in table_dict.items():
            u,r = ur.split('$')
            new_user_role_dict[(u,r)] = val
           
        if users_or_authz_groups=='users':
            current_users_roles = [( uor.user.name, uor.role) for uor in current_uors if uor.user]
        elif users_or_authz_groups=='authz_groups':
            current_users_roles = [( uor.authorized_group.name, uor.role) for uor in current_uors if uor.authorized_group]        
        else:
            assert False, "shouldn't be here"

        current_user_role_dict={}
        for (u,r) in current_users_roles:
            current_user_role_dict[(u,r)]=True

        # and now we can loop through our dictionary of desired states
        # checking whether a change needs to be made, and if so making it

        # Here we check whether someone is already assigned a role, in order
        # to avoid assigning it twice, or attempting to delete it when it
        # doesn't exist. Otherwise problems can occur.
        if users_or_authz_groups=='users':
            for ((u,r), val) in new_user_role_dict.items():
                if val:
                    if not ((u,r) in current_user_role_dict):
                        model.add_user_to_role(model.User.by_name(u),r,domain_object)
                else:
                    if ((u,r) in current_user_role_dict):
                        model.remove_user_from_role(model.User.by_name(u),r,domain_object)
        elif users_or_authz_groups=='authz_groups':
            for ((u,r), val) in new_user_role_dict.items():
                if val:
                    if not ((u,r) in current_user_role_dict):
                        model.add_authorization_group_to_role(model.AuthorizationGroup.by_name(u),r,domain_object)
                else:
                    if ((u,r) in current_user_role_dict):
                        model.remove_authorization_group_from_role(model.AuthorizationGroup.by_name(u),r,domain_object)
        else:
            assert False, "shouldn't be here"

        # finally commit the change to the database
        model.repo.commit_and_remove()
        h.flash_success(_("Changes Saved"))