def test__checkPermission(self):
from AccessControl import getSecurityManager
from AccessControl.ImplPython import ZopeSecurityPolicy
from AccessControl.Permission import Permission
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl.SecurityManager import setSecurityPolicy
from Products.CMFCore.utils import _checkPermission
setSecurityPolicy(ZopeSecurityPolicy())
site = self._makeSite()
newSecurityManager(None, site.acl_users.user_foo)
o = site.bar_dummy
Permission('View', (), o).setRoles(('Anonymous',))
Permission('WebDAV access', (), o).setRoles(('Authenticated',))
Permission('Manage users', (), o).setRoles(('Manager',))
eo = site.foo_dummy
eo._owner = (['acl_users'], 'all_powerful_Oz')
getSecurityManager().addContext(eo)
self.assertTrue(_checkPermission('View', o))
self.assertTrue(_checkPermission('WebDAV access', o))
self.assertFalse(_checkPermission('Manage users', o))
eo._proxy_roles = ('Authenticated',)
self.assertFalse(_checkPermission('View', o))
self.assertTrue(_checkPermission('WebDAV access', o))
self.assertFalse(_checkPermission('Manage users', o))
eo._proxy_roles = ('Manager',)
self.assertFalse(_checkPermission('View', o))
self.assertFalse(_checkPermission('WebDAV access', o))
self.assertTrue(_checkPermission('Manage users', o))
def _update(self, portal):
layout_permission = Permission(view, (), portal.portal_layout)
layout_permission.setRoles(portal.validRoles())
dyn_permission = Permission(view, (), portal.portal_dynamicproperties)
dyn_permission.setRoles(portal.validRoles())
self.log.info('Done')
return True
def migrate_permission_settings(self):
"""Migrate permission settings (permission <-> role)
The acquire flag is coded into the type of the sequence. If roles is a list
than the roles are also acquire. If roles is a tuple the roles aren't
acquired.
"""
oldmap = getPermissionMapping(self.old.ac_inherited_permissions(1))
newmap = getPermissionMapping(self.new.ac_inherited_permissions(1))
for key, values in oldmap.items():
old_p = Permission(key, values, self.old)
old_roles = old_p.getRoles()
new_values = newmap.get(key, ())
new_p = Permission(key, new_values, self.new)
new_p.setRoles(old_roles)
def setUp(self):
super(NyAccess2LevelTestCase, self).setUp()
self.perm1, self.perm2 = 'View', 'View History'
self.role1, self.role2 = 'Contributor', 'Reviewer'
addNyFolder(self.portal.info,
'testfolderparent',
contributor='admin',
submission=1)
self.testfolderparent = self.portal.info.testfolderparent
addNyFolder(self.testfolderparent,
'testfolder',
contributor='admin',
submission=1)
self.testfolder = self.testfolderparent.testfolder
# NOTE: this is *not* the way to use NyAccess. It should never
# be stored in the database. It should be set as an attribute
# to a *class*, like NyForum.
self.testfolderparent._setOb(
'ny_access',
NyAccess('ny_access', {
self.perm1: self.perm1,
self.perm2: self.perm2
}))
self.testfolder._setOb(
'ny_access',
NyAccess('ny_access', {
self.perm1: self.perm1,
self.perm2: self.perm2
}))
# default permission map
# parent folder does not inherit permissions
permission = Permission(self.perm1, (), self.testfolderparent)
permission.setRoles((self.role1, 'Manager'))
permission = Permission(self.perm2, (), self.testfolderparent)
permission.setRoles((self.role2, 'Manager'))
# child folder permissions
permission = Permission(self.perm1, (), self.testfolder)
permission.setRoles([self.role2])
permission = Permission(self.perm2, (), self.testfolder)
permission.setRoles((self.role1, 'Manager'))
transaction.commit()
def test__checkPermission(self):
o = self.site.actions_dummy
Permission('View', (), o).setRoles(('Anonymous', ))
Permission('WebDAV access', (), o).setRoles(('Authenticated', ))
Permission('Manage users', (), o).setRoles(('Manager', ))
eo = self.site.content_dummy
eo._owner = (['acl_users'], 'user_foo')
getSecurityManager().addContext(eo)
self.failUnless(_checkPermission('View', o))
self.failIf(_checkPermission('WebDAV access', o))
self.failIf(_checkPermission('Manage users', o))
eo._proxy_roles = ('Authenticated', )
self.failIf(_checkPermission('View', o))
self.failUnless(_checkPermission('WebDAV access', o))
self.failIf(_checkPermission('Manage users', o))
def permission_settings(self, permission=None):
"""Return user-role permission settings.
If 'permission' is passed to the method then only the settings for
'permission' is returned.
"""
result = []
valid = self.valid_roles()
indexes = range(len(valid))
ip = 0
permissions = self.ac_inherited_permissions(1)
# Filter permissions
if permission:
permissions = [p for p in permissions if p[0] == permission]
for p in permissions:
name, value = p[:2]
p = Permission(name, value, self)
roles = p.getRoles(default=[])
d = {
'name':
name,
'acquire':
isinstance(roles, list) and 'CHECKED' or '',
'roles':
map(lambda ir, roles=roles, valid=valid, ip=ip: {
'name': "p%dr%d" % (ip, ir),
'checked': (valid[ir] in roles) and 'CHECKED' or '',
},
indexes)
}
ip = ip + 1
result.append(d)
return result
def test_FakeExecutableObject(self):
from AccessControl import getSecurityManager
from AccessControl.ImplPython import ZopeSecurityPolicy
from AccessControl.Permission import Permission
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl.SecurityManager import setSecurityPolicy
from ..utils import FakeExecutableObject
setSecurityPolicy(ZopeSecurityPolicy())
site = self._makeSite()
newSecurityManager(None, site.acl_users.user_foo)
obj = site.bar_dummy
Permission('FOO', (), obj).setRoles(('FOO_ROLE',))
sm = getSecurityManager()
self.assertFalse(sm.checkPermission('FOO', obj))
eo = FakeExecutableObject(('FOO_ROLE',))
sm.addContext(eo)
try:
self.assertTrue(sm.checkPermission('FOO', obj))
finally:
sm.removeContext(eo)
self.assertFalse(sm.checkPermission('FOO', obj))
def resetPublishPermission(context):
from AccessControl.Permission import Permission
siteroot = aq_parent(context)
permission = Permission("Euphorie: Publish a Survey", (), siteroot)
if "CountryManager" not in permission.getRoles(default=[]):
permission.setRole("CountryManager", True)
log.info("Adding publish permission for country managers")
def manage_changePermissions(self, REQUEST):
"""Change all permissions settings, called by management screen.
"""
valid_roles = self.valid_roles()
indexes = range(len(valid_roles))
have = REQUEST.has_key
permissions = self.ac_inherited_permissions(1)
fails = []
for ip in range(len(permissions)):
roles = []
for ir in indexes:
if have("p%dr%d" % (ip, ir)):
roles.append(valid_roles[ir])
name, value = permissions[ip][:2]
try:
p = Permission(name, value, self)
if not have('a%d' % ip):
roles = tuple(roles)
p.setRoles(roles)
except:
fails.append(name)
if fails:
return MessageDialog(title="Warning!",
message="Some permissions had errors: " +
escape(', '.join(fails)),
action='manage_access')
return MessageDialog(title='Success!',
message='Your changes have been saved',
action='manage_access')
def test_error_for_untrashable_documents(self, browser):
trashable = create(
Builder('document').within(
self.dossier).titled(u'Trashable document'))
untrashable = create(
Builder('document').within(
self.dossier).titled(u'Untrashable document'))
# Remove trash permission from all users.
Permission('opengever.trash: Trash content', [], untrashable).setRoles(
())
transaction.commit()
data = {
'paths:list': [
'/'.join(trashable.getPhysicalPath()),
'/'.join(untrashable.getPhysicalPath())
],
'_authenticator':
createToken()
}
browser.login().open(self.dossier, view="trashed", data=data)
self.assertEquals([u'the object Trashable document trashed'],
info_messages())
self.assertEquals([u'Trashing Untrashable document is forbidden'],
error_messages())
self.assertEquals('http://nohost/plone/dossier-1#documents',
browser.url)
def listPermissions(self):
""" List permissions for export.
o Returns a sqeuence of mappings describing locally-modified
permission / role settings. Keys include:
'permission' -- the name of the permission
'acquire' -- a flag indicating whether to acquire roles from the
site's container
'roles' -- the list of roles which have the permission.
o Do not include permissions which both acquire and which define
no local changes to the acquired policy.
"""
permissions = []
valid_roles = self.listRoles()
for perm in self._site.ac_inherited_permissions(1):
name = perm[0]
p = Permission(name, perm[1], self._site)
roles = p.getRoles(default=[])
acquire = isinstance(roles, list) # tuple means don't acquire
roles = [r for r in roles if r in valid_roles]
if roles or not acquire:
permissions.append({
'name': name,
'acquire': acquire,
'roles': roles
})
return permissions
def tryMethodCallWithTemporaryPermission(context, permission, method,
method_argv, method_kw, exception):
# we want to catch the explicit security check done in manage_renameObject
# and bypass it. for this, we temporarily give the Copy or Move right to the
# user. We assume that if the user has enough rights to pass the
# "declareProtected" check around "setId", he should be really able to
# rename the object.
try:
return method(*method_argv, **method_kw)
except exception:
user = getSecurityManager().getUser()
user_role_list = user.getRolesInContext(context)
if len(user_role_list) > 0:
perm_list = context.ac_inherited_permissions()
for p in perm_list:
if p[0] == permission:
name, value = p[:2]
break
else:
name, value = (permission, ())
p = Permission(name,value,context)
old_role_list = p.getRoles(default=[])
p.setRoles(user_role_list)
result = method(*method_argv, **method_kw)
p.setRoles(old_role_list)
return result
def allowed(context, permission=None):
"""
Roles that have `permission` and why.
Returns {PERM_NAME: {'Role': (REASON, META), ..}, ..}
where `REASON` in ('assigned', 'inherited').
`META` can be None or dict supplying extra info, like `source` of
permission inheritance.
"""
out = {}
all_roles = context.valid_roles()
permissions = context.ac_inherited_permissions(1)
if permission:
permissions = [x for x in permissions if x[0] == permission]
for perm in permissions:
name, value = perm[:2]
maps = out[name] = {}
perm = Permission(name, value, context)
roles = perm.getRoles(default=[])
for role in roles:
maps[role] = ('assigned', None)
if isinstance(roles, list):
from_parent = allowed(context.aq_parent, name)
for role in set(all_roles) - set(roles):
parent_permission = from_parent[name].get(role)
if parent_permission:
reason, meta = parent_permission
if reason == 'assigned':
maps[role] = ('inherited',
{'source': ofs_path(context.aq_parent)})
elif reason == 'inherited':
maps[role] = parent_permission
return out
def _modifyPermissionMappings(ob, map):
"""
Modifies multiple role to permission mappings.
"""
# This mimics what AccessControl/Role.py does.
# Needless to say, it's crude. :-(
something_changed = 0
perm_info = _ac_inherited_permissions(ob, 1)
for name, settings in map.items():
cur_roles = rolesForPermissionOn(name, ob)
if isinstance(cur_roles, basestring):
cur_roles = [cur_roles]
else:
cur_roles = list(cur_roles)
changed = 0
for (role, allow) in settings.items():
if not allow:
if role in cur_roles:
changed = 1
cur_roles.remove(role)
else:
if role not in cur_roles:
changed = 1
cur_roles.append(role)
if changed:
data = () # The list of methods using this permission.
for perm in perm_info:
n, d = perm[:2]
if n == name:
data = d
break
p = Permission(name, data, ob)
p.setRoles(tuple(cur_roles))
something_changed = 1
return something_changed
def manage_permission_for(brain_or_object, permission, roles, acquire=0):
"""Change the settings for the given permission.
Code extracted from `IRoleManager.manage_permission`
:param brain_or_object: Catalog brain or object
:param permission: The permission to be granted
:param roles: The roles the permission to be granted to
:param acquire: Flag to acquire the permission
"""
obj = api.get_object(brain_or_object)
if isinstance(roles, basestring):
roles = [roles]
for item in obj.ac_inherited_permissions(1):
name, value = item[:2]
if name == permission:
permission = Permission(name, value, obj)
if acquire:
roles = list(roles)
else:
roles = tuple(roles)
permission.setRoles(roles)
return
# Raise an error if the permission is invalid
raise ValueError("The permission {} is invalid.".format(permission))
def manage_role(self, role_to_manage, permissions=[]):
"""Change the permissions given to the given role.
"""
for p in self.ac_inherited_permissions(1):
name, value = p[:2]
p = Permission(name, value, self)
p.setRole(role_to_manage, name in permissions)
def manage_changePermissions(self, REQUEST):
"""Change all permissions settings, called by management screen."""
valid_roles = self.valid_roles()
have = REQUEST.__contains__
permissions = self.ac_inherited_permissions(1)
fails = []
for ip in range(len(permissions)):
permission_name = permissions[ip][0]
permission_hash = _string_hash(permission_name)
roles = []
for role in valid_roles:
role_name = role
role_hash = _string_hash(role_name)
if have("permission_%srole_%s" % (permission_hash, role_hash)):
roles.append(role)
name, value = permissions[ip][:2]
try:
p = Permission(name, value, self)
if not have('acquire_%s' % permission_hash):
roles = tuple(roles)
p.setRoles(roles)
except Exception:
fails.append(name)
if fails:
raise BadRequest('Some permissions had errors: ' +
html.escape(', '.join(fails), True))
if REQUEST is not None:
return self.manage_access(REQUEST)
def getPermissionMapping(self):
""" Return the permission mapping for the object """
mapping = {}
for permission in self.permissions:
permission_object = Permission(permission, (), self.getObject())
mapping[permission] = permission_object.getRoles()
return mapping
def getPermissionsWithAcquiredRoles(self):
""" Return the permissions which acquire roles from their parents """
ret = []
for permission in self.permissions:
permission_object = Permission(permission, (), self.getObject())
if isinstance(permission_object.getRoles(), list):
ret.append(permission)
return ret
def setUp(self):
from AccessControl.SecurityManagement import newSecurityManager
from Products.CMFCore.tests.base.dummy import DummyFolder
from Products.CMFCore.tests.base.security import UserWithRoles
self.f = DummyFolder(fake_product=1)
Permission('addFoo', (), self.f).setRoles(('Manager', 'FooAdder'))
self.ti = self._makeOne('Foo', product='FooProduct', factory='addFoo')
newSecurityManager(None, UserWithRoles('FooAdder').__of__(self.f))
def _update(self, portal):
permission = "Naaya - Create user"
p = Permission(permission, (), portal)
if 'Administrator' not in p.getRoles():
permission_add_role(portal, permission, 'Administrator')
permission_add_role(portal, permission, 'Anonymous')
self.log.debug('Added %s permission', permission)
return True
def setPermissionMapping(self, mapping):
"""
Change the permission mapping for the object.
This leaves the other permissions (not in mapping.keys()) unchanged
"""
for permission in mapping:
permission_object = Permission(permission, (), self.getObject())
permission_object.setRoles(mapping[permission])
def _update(self, portal):
view_perm = Permission(view, (), portal)
roles_with_view = view_perm.getRoles()
if tuple is type(roles_with_view):
self.log.debug('No need to update')
else:
view_perm.setRoles(tuple(roles_with_view))
self.log.debug('Removed view permission inheritance for the site')
return True
def modifyPermissionMappings(ob, map):
'''
Modifies multiple role to permission mappings.
'''
# This mimics what AccessControl/Role.py does.
# Needless to say, it's crude. :-(
map = map.copy() # Safety.
for perm in ac_inherited_permissions(ob, 1):
name, value = perm[:2]
if map.has_key(name):
for (role, allow) in map[name].items():
p = Permission(name, value, ob)
p.setRole(role, allow) # Will only modify if it should.
del map[name]
if map:
for name, (role, allow) in map.items():
p = Permission(name, (), ob)
p.setRole(role, allow)
def _update(self, portal):
permissions = ["Naaya - Add Naaya Photo Folder",
"Naaya - Add Naaya Photo Gallery"]
for permission in permissions:
p = Permission(permission, (), portal)
if 'Administrator' not in p.getRoles():
permission_add_role(portal, permission, 'Administrator')
self.log.debug('Added %s permission', permission)
return True
def _update(self, portal):
skip_captcha_perm = Permission('Naaya - Skip Captcha', (), portal)
roles_with_skip_captcha = skip_captcha_perm.getRoles()
if 'Authenticated' not in roles_with_skip_captcha:
roles_with_skip_captcha.append('Authenticated')
skip_captcha_perm.setRoles(roles_with_skip_captcha)
self.log.debug('Skip Captcha permission assigned to Authenticated')
else:
self.log.debug('Authenticated already has the permission')
return True
def _update(self, portal):
catalog = portal.getCatalogTool()
for brain in catalog(approved=0):
obj = brain.getObject()
permission = Permission(view, (), obj)
roles = permission.getRoles()
if isinstance(roles, list):
obj.dont_inherit_view_permission()
self.log.debug('restricted view permission for %s',
obj.absolute_url())
return True
def set_acl_for_roles(ob, roles):
permission_object = Permission(view, (), ob)
current_roles = permission_object.getRoles()
is_tuple = isinstance(current_roles, tuple)
current_roles = list(current_roles)
new_roles = set(roles + current_roles)
if is_tuple:
new_roles = tuple(new_roles)
else:
new_roles = list(new_roles)
permission_object.setRoles(new_roles)
def roles_of_permission(context, permission):
"""Return all roles which have the given permission
on the current context."""
role_manager = IRoleManager(context)
for p in role_manager.ac_inherited_permissions(1):
name, value = p[:2]
if name == permission:
p = Permission(name, value, role_manager)
roles = p.getRoles()
return roles
def acquiredRolesAreUsedBy(self, permission):
"""
"""
for p in self.ac_inherited_permissions(1):
name, value = p[:2]
if name == permission:
p = Permission(name, value, self)
roles = p.getRoles()
return isinstance(roles, list) and 'CHECKED' or ''
raise ValueError("The permission <em>%s</em> is invalid." %
escape(permission))
