def testModifyRolesForPermission(self):
    """Roles set with modifyRolesForPermission are stored on the object.

    Each permission is read back through its ``_<name>_Permission``
    attribute. The roles are passed as lists and expected back as lists.
    """
    target = self.ob

    # Apply both settings first, then verify each stored attribute.
    modifyRolesForPermission(target, 'View', ['Manager'])
    modifyRolesForPermission(target, 'View management screens', ['Member'])

    self.assertEqual(target._View_Permission, ['Manager'])
    self.assertEqual(target._View_management_screens_Permission, ['Member'])
def testModifyRolesForPermission(self):
    """Check that modifyRolesForPermission writes the expected attributes.

    The table pairs each permission name with the attribute it is stored
    under and the role list that must be found there afterwards.
    """
    expectations = (
        ('View', '_View_Permission', ['Manager']),
        ('View management screens',
         '_View_management_screens_Permission', ['Member']),
    )

    # Set every permission before asserting anything, as separate passes.
    for permission, _attr, roles in expectations:
        # Hand over a fresh list so the expected value is never aliased.
        modifyRolesForPermission(self.ob, permission, list(roles))

    for _permission, attr, roles in expectations:
        self.assertEqual(getattr(self.ob, attr), roles)
def updateRoleMappingsFor(self, ob):
    """Apply the security settings of the current workflow state to *ob*.

    Returns 1 when at least one modifyRolesForPermission or
    modifyRolesForGroup call reported a change, otherwise 0. Also returns
    0 when the object has no workflow state.
    """
    state = self._getWorkflowStateOf(ob)
    if state is None:
        return 0

    dirty = 0

    # Role -> permission map.
    if self.permissions:
        for permission in self.permissions:
            # The fallback is an empty *list*, not a tuple. Per the
            # list/tuple convention of modifyRolesForPermission, a managed
            # permission the state does not map is therefore left to
            # acquisition with no explicit roles. It is not locked down.
            if state.permission_roles is None:
                wanted = []
            else:
                wanted = state.permission_roles.get(permission, [])
            if modifyRolesForPermission(ob, permission, wanted):
                dirty = 1

    # Group -> role map. Only touched when both groups and managed roles
    # are configured on the workflow.
    groups = self.getGroups()
    managed_roles = self.getRoles()
    if groups and managed_roles:
        for group in groups:
            if state.group_roles is None:
                group_roles = ()
            else:
                group_roles = state.group_roles.get(group, ())
            if modifyRolesForGroup(ob, group, group_roles, managed_roles):
                dirty = 1

    return dirty
def updateRoleMappingsFor(self, ob):
    """Synchronise the permissions and group roles of *ob* with its state.

    The return value is a 0/1 flag: 1 if any mapping on the object was
    modified, 0 if nothing changed or the object has no workflow state.
    """
    current_state = self._getWorkflowStateOf(ob)
    if current_state is None:
        return 0

    touched = 0

    # Pass 1: permissions managed by this workflow.
    if self.permissions:
        for perm_name in self.permissions:
            perm_roles = []  # a list means "acquire"; see the tuple/list convention
            if current_state.permission_roles is not None:
                perm_roles = current_state.permission_roles.get(
                    perm_name, perm_roles)
            was_modified = modifyRolesForPermission(ob, perm_name, perm_roles)
            if was_modified:
                touched = 1

    # Pass 2: local roles handed to groups, limited to the managed roles.
    group_ids = self.getGroups()
    managed_roles = self.getRoles()
    if group_ids and managed_roles:
        for group_id in group_ids:
            roles_for_group = ()
            if current_state.group_roles is not None:
                roles_for_group = current_state.group_roles.get(group_id, ())
            was_modified = modifyRolesForGroup(
                ob, group_id, roles_for_group, managed_roles)
            if was_modified:
                touched = 1

    return touched
def setCommentType(self, data):
    """Store the comment type and align the view permissions with it.

    The value is written through the ``commentType`` field and read back,
    so the lookup uses the cleaned-up value. If no entry of
    ``Comment.types`` matches, or the match has no view roles, the
    permissions are left exactly as they were.
    """
    type_field = self.getField('commentType')
    type_field.set(self, data)
    data = type_field.get(self)  # value after the field's own cleanup

    matched = next(
        (atype for atype in Comment.types if data == atype.getId()), None)
    if matched is None:
        return
    view_roles = matched.getViewRoles()
    if view_roles is None:
        return

    # A tuple of roles switches acquisition off, a list keeps it on.
    # NOTE(review): which of the two getViewRoles() returns decides whether
    # the parent's View roles still apply. Confirm it returns a tuple when
    # the type is meant to be restricted.
    view_permissions = (permissions.AccessContentsInformation,
                        permissions.View)
    for view_perm in view_permissions:
        modifyRolesForPermission(self, view_perm, view_roles)

    # Editing is pinned to the owner. The tuple means no acquisition.
    modifyRolesForPermission(
        self, permissions.ModifyPortalContent, ('Owner',))
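def updateRoleMappingsFor(self, ob):
    """Change the object permissions according to the current state.

    When several DCWorkflows manage the same permission on *ob*, a role is
    kept only if every one of them grants it in its current state.

    The list/tuple distinction must be preserved because
    modifyRolesForPermission treats a list as "acquire roles" and a tuple
    as "do not acquire". Acquisition is switched off only when this
    workflow's state uses a tuple and no other managing workflow uses a
    list. One workflow asking for acquisition is therefore enough to keep
    it on, so a role removed by the intersection may still be reachable
    through the parent.

    Returns 1 if any modifyRolesForPermission call reported a change,
    otherwise 0.
    """
    changed = 0
    sdef = self._getWorkflowStateOf(ob)
    tool = aq_parent(aq_inner(self))

    # Current states of the *other* DCWorkflows attached to the object,
    # skipping those that have no state or no permission mapping.
    other_data_list = []
    for other_workflow in tool.getWorkflowsFor(ob):
        if other_workflow.id == self.id:
            continue
        if not isinstance(other_workflow, DCWorkflowDefinition):
            continue
        other_sdef = other_workflow._getWorkflowStateOf(ob)
        if other_sdef is not None and other_sdef.permission_roles is not None:
            other_data_list.append((other_workflow, other_sdef))

    if sdef is None or not self.permissions:
        return changed

    for p in self.permissions:
        state_roles = []
        if sdef.permission_roles is not None:
            state_roles = sdef.permission_roles.get(p, state_roles)
        no_acquire = type(state_roles) is tuple

        # Always filter a private copy. The value returned by
        # permission_roles.get() may be the very list stored on the state
        # definition, and removing roles from it in place would rewrite
        # the workflow's own configuration.
        roles = list(state_roles)

        other_acquires = False
        refused_roles = []
        for other_workflow, other_sdef in other_data_list:
            if p not in other_workflow.permissions:
                continue
            other_roles = other_sdef.permission_roles.get(p, [])
            if type(other_roles) is not tuple:
                other_acquires = True
            refused_roles.extend(
                role for role in roles if role not in other_roles)

        # Keep only the roles that every managing workflow grants.
        roles = [role for role in roles if role not in refused_roles]

        if no_acquire and not other_acquires:
            roles = tuple(roles)
        if modifyRolesForPermission(ob, p, roles):
            changed = 1
    return changed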
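def updateRoleMappingsFor(self, ob):
    """
    Changes the object permissions according to the current state.

    The roles applied for a permission are the intersection of what this
    workflow's state grants and what every other DCWorkflow managing the
    same permission grants in its own current state.

    In modifyRolesForPermission a list means "acquire roles" and a tuple
    means "do not acquire", so the container type is part of the result.
    A tuple is passed on only if this state uses a tuple and none of the
    other managing workflows uses a list. Note that acquisition stays on
    as soon as one workflow asks for it, even for roles the intersection
    dropped.

    Returns 1 if at least one permission was modified, else 0.
    """
    changed = 0
    sdef = self._getWorkflowStateOf(ob)
    tool = aq_parent(aq_inner(self))
    other_workflow_list = [
        x
        for x in tool.getWorkflowsFor(ob)
        if x.id != self.id and isinstance(x, DCWorkflowDefinition)
    ]
    other_data_list = []
    for other_workflow in other_workflow_list:
        other_sdef = other_workflow._getWorkflowStateOf(ob)
        if other_sdef is not None and other_sdef.permission_roles is not None:
            other_data_list.append((other_workflow, other_sdef))

    if sdef is not None and self.permissions:
        for p in self.permissions:
            configured = []
            if sdef.permission_roles is not None:
                configured = sdef.permission_roles.get(p, configured)
            role_type = "tuple" if type(configured) is tuple else "list"

            # Copy unconditionally. The configured value can be the list
            # object held by the state definition, and it must never be
            # modified while computing the effective roles.
            roles = list(configured)

            other_role_type_list = []
            refused_roles = []
            for other_workflow, other_sdef in other_data_list:
                if p in other_workflow.permissions:
                    other_roles = other_sdef.permission_roles.get(p, [])
                    other_role_type_list.append(
                        "tuple" if type(other_roles) is tuple else "list"
                    )
                    for role in roles:
                        if role not in other_roles:
                            refused_roles.append(role)

            # Drop every role that at least one other workflow refuses.
            roles = [role for role in roles if role not in refused_roles]

            # An empty other_role_type_list also satisfies this test, which
            # covers the case where no other workflow manages the permission.
            if role_type == "tuple" and "list" not in other_role_type_list:
                roles = tuple(roles)
            if modifyRolesForPermission(ob, p, roles):
                changed = 1
    return changed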
def initialize_bise_checkout(context):
    """GenericSetup import handler that prepares the checkout folder.

    Does nothing unless the profile ships the ``bise.country.txt`` marker
    file. Otherwise it creates a 'Checkout folder', extends the roles that
    hold 'Add portal content' on it, and runs setup_country_folder on the
    ``countries`` folder.
    """
    marker = context.readDataFile('bise.country.txt')
    if marker is None:
        return

    site = context.getSite()

    checkout = createContentInContainer(
        site, 'Folder', title='Checkout folder')
    logger.info("Created /checkout-folder")

    # Grant "Add portal content" on the checkout folder, starting from the
    # roles that already hold it and adding the editorial roles.
    perm = 'Add portal content'
    granted = set(getPermissionMapping(perm, checkout, st=tuple))
    granted.update(['Contributor', 'Reviewer', 'Editor', 'Manager', 'Owner'])
    # The roles are passed as a tuple, so the folder stops acquiring this
    # permission and the set above becomes the complete grant list.
    modifyRolesForPermission(checkout, perm, tuple(granted))

    # Mark the folders under /countries as country folders.
    for folder_name in ['countries']:
        setup_country_folder(site.restrictedTraverse(folder_name))
def remap_workflow(context, type_ids, chain, state_map={}):
    """Change the workflow for each type in type_ids to use the workflow
    chain given.

    state_map is a dictionary of old state names to new ones. States that
    are not found will be remapped to the default state of the new
    workflow. The default dict is only read (via .get) in this function.

    chain may be None or '(Default)' to fall back to the default chain.
    Returns the number of catalogued objects that were processed.

    Security-relevant effects: permissions managed by the old chain but not
    by the new one are reset to acquire on every affected object, each
    object's role mappings are recomputed, and the catalog's
    'allowedRolesAndUsers' index is refreshed.
    """
    if chain is None:
        chain = '(Default)'
    portal_workflow = getToolByName(context, 'portal_workflow')
    default_chain = portal_workflow.getDefaultChain()
    chains_by_type = dict(portal_workflow.listChainOverrides())
    # Build a dictionary of type id -> chain before we made changes
    old_chains = dict([(t, chains_by_type.get(t, default_chain)) for t in type_ids])
    # Work out which permissions were managed by the old chain, but not
    # by the new chain. This may vary by type id.
    # Update the workflow chain in portal_workflows.
    # XXX: There is no decent API for this it seems :-(
    if chain == '(Default)':
        # Removing the override makes the type use the default chain again.
        cbt = portal_workflow._chains_by_type
        for type_id in type_ids:
            if type_id in cbt:
                del cbt[type_id]
    else:
        portal_workflow.setChainForPortalTypes(type_ids, chain)
    # Now remap, and fix permissions
    # For each portal type, work out which workflows were controlling them
    # before, and which permissions were in that, which are not in the new
    # chain. These permissions need to be reset to 'Acquire'.
    chain_workflows = {}
    new_chain_permissions = set()
    permissions_to_reset = {}
    if chain == '(Default)':
        chain = default_chain
    # Collect every permission managed by a workflow of the new chain.
    for c in chain:
        if c not in chain_workflows:
            chain_workflows[c] = getattr(portal_workflow, c)
            for permission in chain_workflows[c].permissions:
                new_chain_permissions.add(permission)
    # Per type: permissions the old chain managed that the new one does not.
    for typeid, oc in old_chains.items():
        if oc == '(Default)':
            oc = default_chain
        permissions_to_reset[typeid] = set()
        for c in oc:
            if c not in chain_workflows:
                chain_workflows[c] = getattr(portal_workflow, c)
            for permission in chain_workflows[c].permissions:
                if permission not in new_chain_permissions:
                    permissions_to_reset[typeid].add(permission)
    portal_catalog = getToolByName(context, 'portal_catalog')
    # Then update the state of each
    remapped_count = 0
    threshold_count = 0
    for brain in portal_catalog(portal_type=type_ids):
        obj = brain.getObject()
        portal_type = brain.portal_type
        # If there are permissions to reset to acquire, do so now
        for permission in permissions_to_reset[brain.portal_type]:
            # A list makes it acquire ... if it was a tuple, it wouldn't
            # NOTE(review): once reset, the effective roles are whatever the
            # parent grants. That can be broader than what the old workflow
            # enforced. Review the parent settings for restricted content.
            modifyRolesForPermission(obj, permission, [])
        # Work out what, if any, the previous state of the object was
        if len(chain) > 0:
            old_chain = old_chains[portal_type]
            old_wf = None
            if len(old_chain) > 0:
                # Only the first workflow of the old chain supplies the old state.
                old_wf = chain_workflows[old_chain[0]]
            old_state = None
            if old_wf is not None:
                old_status = portal_workflow.getStatusOf(old_wf.getId(), obj)
                if old_status is not None:
                    old_state = old_status.get('review_state', None)
            # Now add a transition
            for new_wf_name in chain:
                new_wf = chain_workflows[new_wf_name]
                # The history entry records no action and no actor, so it
                # shows that a remap happened but not who triggered it.
                new_status = {
                    'action': None,
                    'actor': None,
                    'comments': 'State remapped from control panel',
                    'review_state': state_map.get(old_state, new_wf.initial_state),
                    'time': DateTime()
                }
                portal_workflow.setStatusOf(new_wf_name, obj, new_status)
                # Trigger any automatic transitions, or else just make sure the role mappings are right
                auto_transition = new_wf._findAutomaticTransition(
                    obj, new_wf._getWorkflowStateOf(obj))
                if auto_transition is not None:
                    new_wf._changeStateOf(obj, auto_transition)
                else:
                    new_wf.updateRoleMappingsFor(obj)
        # Refresh the catalog's security and state indexes for the object.
        obj.reindexObject(idxs=['allowedRolesAndUsers', 'review_state'])
        remapped_count += 1
        threshold_count += 1
        # Take a savepoint once more than SAVE_THRESHOLD objects were
        # handled since the last one.
        if threshold_count > SAVE_THRESHOLD:
            transaction.savepoint()
            threshold_count = 0
    return remapped_count
def hide(self, doc):
    """Restrict the 'View' permission on *doc* to Manager and Owner.

    The roles are passed as a tuple, which tells modifyRolesForPermission
    not to acquire. View roles granted on parent objects therefore stop
    applying to this document.
    """
    allowed_viewers = ('Manager', 'Owner')
    modifyRolesForPermission(doc, 'View', allowed_viewers)
def remap_workflow(context, type_ids, chain, state_map={}):
    """Change the workflow for each type in type_ids to use the workflow
    chain given.

    state_map is a dictionary of old state names to new ones. States that
    are not found will be remapped to the default state of the new
    workflow. This function never modifies state_map.

    Passing None or '(Default)' as chain selects the default chain.
    Returns how many catalogued objects were processed.

    For every affected object this also resets permissions that only the
    old chain managed back to acquisition, recomputes the role mappings,
    and reindexes 'allowedRolesAndUsers' and 'review_state'.
    """
    if chain is None:
        chain = '(Default)'
    portal_workflow = getToolByName(context, 'portal_workflow')
    default_chain = portal_workflow.getDefaultChain()
    chains_by_type = dict(portal_workflow.listChainOverrides())
    # Build a dictionary of type id -> chain before we made changes
    old_chains = dict([(t, chains_by_type.get(t, default_chain)) for t in type_ids])
    # Work out which permissions were managed by the old chain, but not
    # by the new chain. This may vary by type id.
    # Update the workflow chain in portal_workflows.
    # XXX: There is no decent API for this it seems :-(
    if chain == '(Default)':
        # Drop the per-type override so the default chain applies.
        cbt = portal_workflow._chains_by_type
        for type_id in type_ids:
            if type_id in cbt:
                del cbt[type_id]
    else:
        portal_workflow.setChainForPortalTypes(type_ids, chain)
    # Now remap, and fix permissions
    # For each portal type, work out which workflows were controlling them
    # before, and which permissions were in that, which are not in the new
    # chain. These permissions need to be reset to 'Acquire'.
    chain_workflows = {}
    new_chain_permissions = set()
    permissions_to_reset = {}
    if chain == '(Default)':
        chain = default_chain
    # Permissions managed by the workflows of the new chain.
    for c in chain:
        if c not in chain_workflows:
            chain_workflows[c] = getattr(portal_workflow, c)
            for permission in chain_workflows[c].permissions:
                new_chain_permissions.add(permission)
    # For each type, the old chain's permissions that the new chain lacks.
    for typeid, oc in old_chains.items():
        if oc == '(Default)':
            oc = default_chain
        permissions_to_reset[typeid] = set()
        for c in oc:
            if c not in chain_workflows:
                chain_workflows[c] = getattr(portal_workflow, c)
            for permission in chain_workflows[c].permissions:
                if permission not in new_chain_permissions:
                    permissions_to_reset[typeid].add(permission)
    portal_catalog = getToolByName(context, 'portal_catalog')
    # Then update the state of each
    remapped_count = 0
    threshold_count = 0
    for brain in portal_catalog(portal_type=type_ids):
        obj = brain.getObject()
        portal_type = brain.portal_type
        # If there are permissions to reset to acquire, do so now
        for permission in permissions_to_reset[brain.portal_type]:
            # A list makes it acquire ... if it was a tuple, it wouldn't
            # NOTE(review): with an empty list the object has no roles of
            # its own for this permission and relies on its parent. Check
            # that the parent is not more permissive than intended.
            modifyRolesForPermission(obj, permission, [])
        # Work out what, if any, the previous state of the object was
        if len(chain) > 0:
            old_chain = old_chains[portal_type]
            old_wf = None
            if len(old_chain) > 0:
                # The old state is taken from the first old workflow only.
                old_wf = chain_workflows[old_chain[0]]
            old_state = None
            if old_wf is not None:
                old_status = portal_workflow.getStatusOf(old_wf.getId(), obj)
                if old_status is not None:
                    old_state = old_status.get('review_state', None)
            # Now add a transition
            for new_wf_name in chain:
                new_wf = chain_workflows[new_wf_name]
                # 'actor' is None, so the workflow history does not name
                # the user who ran the remap.
                new_status = {'action': None,
                              'actor': None,
                              'comments': 'State remapped from control panel',
                              'review_state': state_map.get(old_state, new_wf.initial_state),
                              'time': DateTime()}
                portal_workflow.setStatusOf(new_wf_name, obj, new_status)
                # Trigger any automatic transitions, or else just make sure the role mappings are right
                auto_transition = new_wf._findAutomaticTransition(obj, new_wf._getWorkflowStateOf(obj))
                if auto_transition is not None:
                    new_wf._changeStateOf(obj, auto_transition)
                else:
                    new_wf.updateRoleMappingsFor(obj)
        # Refresh the security index along with the review state.
        obj.reindexObject(idxs=['allowedRolesAndUsers', 'review_state'])
        remapped_count += 1
        threshold_count += 1
        # Savepoint after more than SAVE_THRESHOLD objects since the last one.
        if threshold_count > SAVE_THRESHOLD:
            transaction.savepoint()
            threshold_count = 0
    return remapped_count