def _getSecurityParameterList(self):
result = self.__dict__.get('_cache_result', None)
if result is None:
ob = self.__ob
# For each group or user, we have a list of roles, this list
# give in this order : [roles on object, roles acquired on the parent,
# roles acquired on the parent of the parent....]
# So if we have ['-Author','Author'] we should remove the role 'Author'
# but if we have ['Author','-Author'] we have to keep the role 'Author'
localroles = {}
skip_role_set = set()
skip_role = skip_role_set.add
clear_skip_role = skip_role_set.clear
for key, role_list in mergedLocalRoles(ob).iteritems():
new_role_list = []
new_role = new_role_list.append
clear_skip_role()
for role in role_list:
if role[:1] == '-':
skip_role(role[1:])
elif role not in skip_role_set:
new_role(role)
if len(new_role_list)>0:
localroles[key] = new_role_list
portal = ob.getPortalObject()
role_dict = dict(portal.portal_catalog.getSQLCatalog().\
getSQLCatalogRoleKeysList())
getUserById = portal.acl_users.getUserById
allowed_dict = {}
# For each local role of a user:
# If the local role grants View permission, add it.
# Every addition implies 2 lines:
# user:<user_id>
# user:<user_id>:<role_id>
# A line must not be present twice in final result.
allowed_role_set = set(rolesForPermissionOn('View', ob))
# XXX the permission name is included by default for verbose
# logging of security errors, but the catalog does not need to
# index it. Unfortunately, rolesForPermissionOn does not have
# an option to disable this behavior at calling time, so
# discard it explicitly.
allowed_role_set.discard('_View_Permission')
# XXX Owner is hardcoded, in order to prevent searching for user on the
# site root.
allowed_role_set.discard('Owner')
# XXX make this a method of base ?
local_roles_group_id_group_id = deepcopy(getattr(ob,
'__ac_local_roles_group_id_dict__', {}))
# If we acquire a permission, then we also want to acquire the local
# roles group ids
local_roles_container = ob
while getattr(local_roles_container, 'isRADContent', 0):
if local_roles_container._getAcquireLocalRoles():
local_roles_container = local_roles_container.aq_parent
for role_definition_group, user_and_role_list in \
getattr(local_roles_container,
'__ac_local_roles_group_id_dict__',
{}).items():
local_roles_group_id_group_id.setdefault(role_definition_group, set()
).update(user_and_role_list)
else:
break
allowed_by_local_roles_group_id = {}
allowed_by_local_roles_group_id[''] = allowed_role_set
user_role_dict = {}
user_view_permission_role_dict = {}
optimized_role_set = set()
# First parse optimized roles and build optimized_role_set
for role_definition_group, user_and_role_list in local_roles_group_id_group_id.items():
group_allowed_set = allowed_by_local_roles_group_id.setdefault(
role_definition_group, set())
for user, role in user_and_role_list:
if role in allowed_role_set:
prefix = 'user:'******'%s:%s' % (prefix, role)))
optimized_role_set.add((user, role))
# Then parse other roles
for user, roles in localroles.iteritems():
prefix = 'user:'******'', )):
group_allowed_set = allowed_by_local_roles_group_id.setdefault(
group, set())
if (user, role) not in optimized_role_set:
# add only if not already added to optimized_role_set to avoid polluting indexation table
group_allowed_set.update((prefix, '%s:%s' % (prefix, role)))
# sort `allowed` principals
sorted_allowed_by_local_roles_group_id = {}
for local_roles_group_id, allowed in \
allowed_by_local_roles_group_id.items():
sorted_allowed_by_local_roles_group_id[local_roles_group_id] = tuple(
sorted(allowed))
self._cache_result = result = (sorted_allowed_by_local_roles_group_id,
user_role_dict,
user_view_permission_role_dict)
return result
def _getSecurityParameterList(self):
result = self.__dict__.get('_cache_result', None)
if result is None:
ob = self.__ob
# For each group or user, we have a list of roles, this list
# give in this order : [roles on object, roles acquired on the parent,
# roles acquired on the parent of the parent....]
# So if we have ['-Author','Author'] we should remove the role 'Author'
# but if we have ['Author','-Author'] we have to keep the role 'Author'
localroles = {}
skip_role_set = set()
skip_role = skip_role_set.add
clear_skip_role = skip_role_set.clear
for key, role_list in mergedLocalRoles(ob).iteritems():
new_role_list = []
new_role = new_role_list.append
clear_skip_role()
for role in role_list:
if role[:1] == '-':
skip_role(role[1:])
elif role not in skip_role_set:
new_role(role)
if new_role_list:
localroles[key] = [new_role_list, False]
portal = ob.getPortalObject()
role_dict = dict(portal.portal_catalog.getSQLCatalog().\
getSQLCatalogRoleKeysList())
for user_info in portal.acl_users.searchUsers(id=tuple(localroles), exact_match=True):
key = user_info['id']
try:
localroles[key][1] = True
except KeyError:
# We found a bug, report it but do not make indexation fail.
LOG(
'CatalogTool.IndexableObjectWrapper',
PROBLEM,
'searchUser(id=%r, exact_match=True) returned an entry with '
'id=%r. This is very likely a bugin a PAS plugin !' % (
tuple(localroles),
key,
),
)
allowed_dict = {}
# For each local role of a user:
# If the local role grants View permission, add it.
# Every addition implies 2 lines:
# user:<user_id>
# user:<user_id>:<role_id>
# A line must not be present twice in final result.
allowed_role_set = set(rolesForPermissionOn('View', ob))
# XXX the permission name is included by default for verbose
# logging of security errors, but the catalog does not need to
# index it. Unfortunately, rolesForPermissionOn does not have
# an option to disable this behavior at calling time, so
# discard it explicitly.
allowed_role_set.discard('_View_Permission')
# XXX Owner is hardcoded, in order to prevent searching for user on the
# site root.
allowed_role_set.discard('Owner')
# XXX make this a method of base ?
local_roles_group_id_dict = deepcopy(getattr(ob,
'__ac_local_roles_group_id_dict__', {}))
# If we acquire a permission, then we also want to acquire the local
# roles group ids
local_roles_container = ob
while getattr(local_roles_container, 'isRADContent', 0):
if local_roles_container._getAcquireLocalRoles():
local_roles_container = local_roles_container.aq_parent
for role_definition_group, user_and_role_list in \
getattr(local_roles_container,
'__ac_local_roles_group_id_dict__',
{}).items():
local_roles_group_id_dict.setdefault(role_definition_group, set()
).update(user_and_role_list)
else:
break
allowed_by_local_roles_group_id = {}
allowed_by_local_roles_group_id[''] = allowed_role_set
optimized_role_set = set()
for role_definition_group, user_and_role_list in local_roles_group_id_dict.iteritems():
group_allowed_set = allowed_by_local_roles_group_id.setdefault(
role_definition_group, set())
for user, role in user_and_role_list:
if role in allowed_role_set:
prefix = 'user:'******'%s:%s' % (prefix, role)))
optimized_role_set.add((user, role))
user_role_dict = {}
user_view_permission_role_dict = {}
for user, (roles, user_exists) in localroles.iteritems():
prefix = 'user:'******'', )):
group_allowed_set = allowed_by_local_roles_group_id.setdefault(
group, set())
if is_not_in_optimised_role_set:
group_allowed_set.add(prefix)
group_allowed_set.add('%s:%s' % (prefix, role))
# sort `allowed` principals
sorted_allowed_by_local_roles_group_id = {}
for local_roles_group_id, allowed in \
allowed_by_local_roles_group_id.iteritems():
sorted_allowed_by_local_roles_group_id[local_roles_group_id] = tuple(
sorted(allowed))
self._cache_result = result = (sorted_allowed_by_local_roles_group_id,
user_role_dict,
user_view_permission_role_dict)
return result
def _getSecurityParameterList(self):
result = self.__dict__.get('_cache_result', None)
if result is None:
ob = self.__ob
# For each group or user, we have a list of roles, this list
# give in this order : [roles on object, roles acquired on the parent,
# roles acquired on the parent of the parent....]
# So if we have ['-Author','Author'] we should remove the role 'Author'
# but if we have ['Author','-Author'] we have to keep the role 'Author'
localroles = {}
skip_role_set = set()
skip_role = skip_role_set.add
clear_skip_role = skip_role_set.clear
for key, role_list in mergedLocalRoles(ob).iteritems():
new_role_list = []
new_role = new_role_list.append
clear_skip_role()
for role in role_list:
if role[:1] == '-':
skip_role(role[1:])
elif role not in skip_role_set:
new_role(role)
if new_role_list:
localroles[key] = [new_role_list, False]
portal = ob.getPortalObject()
role_dict = dict(portal.portal_catalog.getSQLCatalog().\
getSQLCatalogRoleKeysList())
for user_info in portal.acl_users.searchUsers(id=tuple(localroles),
exact_match=True):
key = user_info['id']
try:
localroles[key][1] = True
except KeyError:
# We found a bug, report it but do not make indexation fail.
LOG(
'CatalogTool.IndexableObjectWrapper',
PROBLEM,
'searchUser(id=%r, exact_match=True) returned an entry with '
'id=%r. This is very likely a bugin a PAS plugin !' % (
tuple(localroles),
key,
),
)
allowed_dict = {}
# For each local role of a user:
# If the local role grants View permission, add it.
# Every addition implies 2 lines:
# user:<user_id>
# user:<user_id>:<role_id>
# A line must not be present twice in final result.
allowed_role_set = set(rolesForPermissionOn('View', ob))
# XXX the permission name is included by default for verbose
# logging of security errors, but the catalog does not need to
# index it. Unfortunately, rolesForPermissionOn does not have
# an option to disable this behavior at calling time, so
# discard it explicitly.
allowed_role_set.discard('_View_Permission')
# XXX Owner is hardcoded, in order to prevent searching for user on the
# site root.
allowed_role_set.discard('Owner')
# XXX make this a method of base ?
local_roles_group_id_dict = deepcopy(
getattr(ob, '__ac_local_roles_group_id_dict__', {}))
# If we acquire a permission, then we also want to acquire the local
# roles group ids
local_roles_container = ob
while getattr(local_roles_container, 'isRADContent', 0):
if local_roles_container._getAcquireLocalRoles():
local_roles_container = local_roles_container.aq_parent
for role_definition_group, user_and_role_list in \
getattr(local_roles_container,
'__ac_local_roles_group_id_dict__',
{}).items():
local_roles_group_id_dict.setdefault(
role_definition_group,
set()).update(user_and_role_list)
else:
break
allowed_by_local_roles_group_id = {}
allowed_by_local_roles_group_id[''] = allowed_role_set
optimized_role_set = set()
for role_definition_group, user_and_role_list in local_roles_group_id_dict.iteritems(
):
group_allowed_set = allowed_by_local_roles_group_id.setdefault(
role_definition_group, set())
for user, role in user_and_role_list:
if role in allowed_role_set:
prefix = 'user:'******'%s:%s' % (prefix, role)))
optimized_role_set.add((user, role))
user_role_dict = {}
user_view_permission_role_dict = {}
for user, (roles, user_exists) in localroles.iteritems():
prefix = 'user:'******'', )):
group_allowed_set = allowed_by_local_roles_group_id.setdefault(
group, set())
if is_not_in_optimised_role_set:
group_allowed_set.add(prefix)
group_allowed_set.add('%s:%s' % (prefix, role))
# sort `allowed` principals
sorted_allowed_by_local_roles_group_id = {}
for local_roles_group_id, allowed in \
allowed_by_local_roles_group_id.iteritems():
sorted_allowed_by_local_roles_group_id[
local_roles_group_id] = tuple(sorted(allowed))
self._cache_result = result = (
sorted_allowed_by_local_roles_group_id, user_role_dict,
user_view_permission_role_dict)
return result
def _getSecurityParameterList(self):
result = self.__dict__.get('_cache_result', None)
if result is None:
ob = self.__ob
# For each group or user, we have a list of roles, this list
# give in this order : [roles on object, roles acquired on the parent,
# roles acquired on the parent of the parent....]
# So if we have ['-Author','Author'] we should remove the role 'Author'
# but if we have ['Author','-Author'] we have to keep the role 'Author'
localroles = {}
skip_role_set = set()
skip_role = skip_role_set.add
clear_skip_role = skip_role_set.clear
for key, role_list in mergedLocalRoles(ob).iteritems():
new_role_list = []
new_role = new_role_list.append
clear_skip_role()
for role in role_list:
if role[:1] == '-':
skip_role(role[1:])
elif role not in skip_role_set:
new_role(role)
if len(new_role_list)>0:
localroles[key] = new_role_list
portal = ob.getPortalObject()
role_dict = dict(portal.portal_catalog.getSQLCatalog().\
getSQLCatalogRoleKeysList())
getUserById = portal.acl_users.getUserById
# For each local role of a user:
# If the local role grants View permission, add it.
# Every addition implies 2 lines:
# user:<user_id>
# user:<user_id>:<role_id>
# A line must not be present twice in final result.
allowed = set(rolesForPermissionOn('View', ob))
# XXX the permission name is included by default for verbose
# logging of security errors, but the catalog does not need to
# index it. Unfortunately, rolesForPermissionOn does not have
# an option to disable this behavior at calling time, so
# discard it explicitly.
allowed.discard('_View_Permission')
# XXX Owner is hardcoded, in order to prevent searching for user on the
# site root.
allowed.discard('Owner')
add = allowed.add
user_role_dict = {}
user_view_permission_role_dict = {}
for user, roles in localroles.iteritems():
prefix = 'user:'******':' + role)
self._cache_result = result = (sorted(allowed), user_role_dict,
user_view_permission_role_dict)
return result
def _getSecurityParameterList(self):
result = self.__dict__.get('_cache_result', None)
if result is None:
ob = self.__ob
# For each group or user, we have a list of roles, this list
# give in this order : [roles on object, roles acquired on the parent,
# roles acquired on the parent of the parent....]
# So if we have ['-Author','Author'] we should remove the role 'Author'
# but if we have ['Author','-Author'] we have to keep the role 'Author'
localroles = {}
skip_role_set = set()
skip_role = skip_role_set.add
clear_skip_role = skip_role_set.clear
for key, role_list in mergedLocalRoles(ob).iteritems():
new_role_list = []
new_role = new_role_list.append
clear_skip_role()
for role in role_list:
if role[:1] == '-':
skip_role(role[1:])
elif role not in skip_role_set:
new_role(role)
if len(new_role_list)>0:
localroles[key] = new_role_list
portal = ob.getPortalObject()
role_dict = dict(portal.portal_catalog.getSQLCatalog().\
getSQLCatalogRoleKeysList())
getUserById = portal.acl_users.getUserById
allowed_dict = {}
# For each local role of a user:
# If the local role grants View permission, add it.
# Every addition implies 2 lines:
# user:<user_id>
# user:<user_id>:<role_id>
# A line must not be present twice in final result.
allowed_role_set = set(rolesForPermissionOn('View', ob))
# XXX the permission name is included by default for verbose
# logging of security errors, but the catalog does not need to
# index it. Unfortunately, rolesForPermissionOn does not have
# an option to disable this behavior at calling time, so
# discard it explicitly.
allowed_role_set.discard('_View_Permission')
# XXX Owner is hardcoded, in order to prevent searching for user on the
# site root.
allowed_role_set.discard('Owner')
# XXX make this a method of base ?
local_roles_group_id_group_id = deepcopy(getattr(ob,
'__ac_local_roles_group_id_dict__', {}))
# If we acquire a permission, then we also want to acquire the local
# roles group ids
local_roles_container = ob
while getattr(local_roles_container, 'isRADContent', 0):
if local_roles_container._getAcquireLocalRoles():
local_roles_container = local_roles_container.aq_parent
for role_definition_group, user_and_role_list in \
getattr(local_roles_container,
'__ac_local_roles_group_id_dict__',
{}).items():
local_roles_group_id_group_id.setdefault(role_definition_group, set()
).update(user_and_role_list)
else:
break
allowed_by_local_roles_group_id = {}
allowed_by_local_roles_group_id[''] = allowed_role_set
user_role_dict = {}
user_view_permission_role_dict = {}
optimized_role_set = set()
# First parse optimized roles and build optimized_role_set
for role_definition_group, user_and_role_list in local_roles_group_id_group_id.items():
group_allowed_set = allowed_by_local_roles_group_id.setdefault(
role_definition_group, set())
for user, role in user_and_role_list:
if role in allowed_role_set:
prefix = 'user:'******'%s:%s' % (prefix, role)))
optimized_role_set.add((user, role))
# Then parse other roles
for user, roles in localroles.iteritems():
prefix = 'user:'******'', )):
group_allowed_set = allowed_by_local_roles_group_id.setdefault(
group, set())
if (user, role) not in optimized_role_set:
# add only if not already added to optimized_role_set to avoid polluting indexation table
group_allowed_set.update((prefix, '%s:%s' % (prefix, role)))
# sort `allowed` principals
sorted_allowed_by_local_roles_group_id = {}
for local_roles_group_id, allowed in \
allowed_by_local_roles_group_id.items():
sorted_allowed_by_local_roles_group_id[local_roles_group_id] = tuple(
sorted(allowed))
self._cache_result = result = (sorted_allowed_by_local_roles_group_id,
user_role_dict,
user_view_permission_role_dict)
return result
