def get_interaction(self, request, principal='oms.anonymous'):
# TODO: we can quickly disable rest auth
# if get_config().getboolean('auth', 'enable_anonymous'):
# return None
if request.method == 'OPTIONS':
principal = 'oms.rest_options'
return new_interaction(principal)
def get_interaction(self, request, token):
# TODO: we can quickly disable rest auth
# if get_config().getboolean('auth', 'enable_anonymous'):
# return None
from opennode.oms.endpoint.httprest.auth import IHttpRestAuthenticationUtility
authenticator = getUtility(IHttpRestAuthenticationUtility)
# XXX: Maybe inject the anonymous detection logic into authenticator?
try:
principal = authenticator.get_principal(token)
except:
# Avoid that changes in format of security token will require every user
# to flush the cookies
principal = 'oms.anonymous'
# XXX: Should the token get renewed here?
if principal != 'oms.anonymous':
authenticator.renew_token(request, token)
# XXX: What's the purpose of a special principle for OPTIONS method?
if request.method == 'OPTIONS':
principal = 'oms.rest_options'
return new_interaction(principal)
def get_interaction(self, request, token):
# TODO: we can quickly disable rest auth
# if get_config().getboolean('auth', 'enable_anonymous'):
# return None
from opennode.oms.endpoint.httprest.auth import IHttpRestAuthenticationUtility
authenticator = getUtility(IHttpRestAuthenticationUtility)
# XXX: Maybe inject the anonymous detection logic into authenticator?
try:
principal = authenticator.get_principal(token)
except:
# Avoid that changes in format of security token will require every user
# to flush the cookies
principal = 'oms.anonymous'
# XXX: Should the token get renewed here?
if principal != 'oms.anonymous':
authenticator.renew_token(request, token)
# XXX: What's the purpose of a special principle for OPTIONS method?
if request.method == 'OPTIONS':
principal = 'oms.rest_options'
return new_interaction(principal)
def __init__(self, interaction=None):
self.terminal = self
self.protocol = self
self.path = ['']
self.use_security_proxy = False
if interaction is None:
auth = getUtility(IAuthentication)
self.interaction = new_interaction(auth.getPrincipal('root'))
else:
self.interaction = interaction
def preload_acl_line(path, permspec, filename='-', lineno='-'):
obj = traverse1(path[1:])
if obj is None:
log.warning('No such object: \'%s\'; file: \'%s\' line: %s', path,
filename, lineno)
return
if obj.__transient__:
log.warning(
"Transient object %s always inherits permissions from its parent",
path)
return
if permspec in ('inherit', 'noinherit'):
obj.inherit_permissions = (permspec == 'inherit')
return
auth = getUtility(IAuthentication, context=None)
interaction = new_interaction(auth.getPrincipal('root'))
with interaction:
prinrole = IPrincipalRoleManager(obj)
action_map = {
'allow': prinrole.assignRoleToPrincipal,
'deny': prinrole.removeRoleFromPrincipal,
'unset': prinrole.unsetRoleForPrincipal
}
parsedspec = permspec.strip().split(':', 3)
if len(parsedspec) < 4:
log.error(
'Format error: not all fields are specified: \'%s\' on line %s',
filename, lineno)
return
permtype, kind, principal, perms = parsedspec
if not perms:
log.warning(
'No permissions specified for object: \'%s\'; file: \'%s\' line: %s',
path, filename, lineno)
return
for perm in perms.strip().split(','):
if perm not in Role.nick_to_role:
raise NoSuchPermission(perm)
role = Role.nick_to_role[perm].id
log.info('%s \'%s\' on %s (%s) to \'%s\'', permtype, perm, path,
obj, principal)
action_map[permtype](role, principal)
def preload_acl_line(path, permspec, filename='-', lineno='-'):
obj = traverse1(path[1:])
if obj is None:
log.warning('No such object: \'%s\'; file: \'%s\' line: %s', path, filename, lineno)
return
if obj.__transient__:
log.warning("Transient object %s always inherits permissions from its parent", path)
return
if permspec in ('inherit', 'noinherit'):
obj.inherit_permissions = (permspec == 'inherit')
return
auth = getUtility(IAuthentication, context=None)
interaction = new_interaction(auth.getPrincipal('root'))
with interaction:
prinrole = IPrincipalRoleManager(obj)
action_map = {'allow': prinrole.assignRoleToPrincipal,
'deny': prinrole.removeRoleFromPrincipal,
'unset': prinrole.unsetRoleForPrincipal}
parsedspec = permspec.strip().split(':', 3)
if len(parsedspec) < 4:
log.error('Format error: not all fields are specified: \'%s\' on line %s', filename, lineno)
return
permtype, kind, principal, perms = parsedspec
if not perms:
log.warning('No permissions specified for object: \'%s\'; file: \'%s\' line: %s',
path, filename, lineno)
return
for perm in perms.strip().split(','):
if perm not in Role.nick_to_role:
raise NoSuchPermission(perm)
role = Role.nick_to_role[perm].id
log.info('%s \'%s\' on %s (%s) to \'%s\'', permtype, perm, path, obj, principal)
action_map[permtype](role, principal)
def sudo(obj):
""" System utility to elevate privileges to certain object accesses """
obj = getObject(obj) if type(obj) is Proxy else obj
return checker.proxy_factory(obj, new_interaction('root'))
def __enter__(self):
_checker = getChecker(self._obj)
self.previous_interaction = _checker.interaction
_checker.interaction = new_interaction('root')
return self._obj
def sudo(obj):
""" System utility to elevate privileges to certain object accesses """
obj = getObject(obj) if type(obj) is Proxy else obj
return checker.proxy_factory(obj, new_interaction('root'))
def __enter__(self):
_checker = getChecker(self._obj)
self.previous_interaction = _checker.interaction
_checker.interaction = new_interaction('root')
return self._obj