def test__checkPermission(self): from AccessControl import getSecurityManager from AccessControl.ImplPython import ZopeSecurityPolicy from AccessControl.Permission import Permission from AccessControl.SecurityManagement import newSecurityManager from AccessControl.SecurityManager import setSecurityPolicy from Products.CMFCore.utils import _checkPermission setSecurityPolicy(ZopeSecurityPolicy()) site = self._makeSite() newSecurityManager(None, site.acl_users.user_foo) o = site.bar_dummy Permission('View', (), o).setRoles(('Anonymous',)) Permission('WebDAV access', (), o).setRoles(('Authenticated',)) Permission('Manage users', (), o).setRoles(('Manager',)) eo = site.foo_dummy eo._owner = (['acl_users'], 'all_powerful_Oz') getSecurityManager().addContext(eo) self.assertTrue(_checkPermission('View', o)) self.assertTrue(_checkPermission('WebDAV access', o)) self.assertFalse(_checkPermission('Manage users', o)) eo._proxy_roles = ('Authenticated',) self.assertFalse(_checkPermission('View', o)) self.assertTrue(_checkPermission('WebDAV access', o)) self.assertFalse(_checkPermission('Manage users', o)) eo._proxy_roles = ('Manager',) self.assertFalse(_checkPermission('View', o)) self.assertFalse(_checkPermission('WebDAV access', o)) self.assertTrue(_checkPermission('Manage users', o))
def _update(self, portal): layout_permission = Permission(view, (), portal.portal_layout) layout_permission.setRoles(portal.validRoles()) dyn_permission = Permission(view, (), portal.portal_dynamicproperties) dyn_permission.setRoles(portal.validRoles()) self.log.info('Done') return True
def migrate_permission_settings(self): """Migrate permission settings (permission <-> role) The acquire flag is coded into the type of the sequence. If roles is a list than the roles are also acquire. If roles is a tuple the roles aren't acquired. """ oldmap = getPermissionMapping(self.old.ac_inherited_permissions(1)) newmap = getPermissionMapping(self.new.ac_inherited_permissions(1)) for key, values in oldmap.items(): old_p = Permission(key, values, self.old) old_roles = old_p.getRoles() new_values = newmap.get(key, ()) new_p = Permission(key, new_values, self.new) new_p.setRoles(old_roles)
def setUp(self): super(NyAccess2LevelTestCase, self).setUp() self.perm1, self.perm2 = 'View', 'View History' self.role1, self.role2 = 'Contributor', 'Reviewer' addNyFolder(self.portal.info, 'testfolderparent', contributor='admin', submission=1) self.testfolderparent = self.portal.info.testfolderparent addNyFolder(self.testfolderparent, 'testfolder', contributor='admin', submission=1) self.testfolder = self.testfolderparent.testfolder # NOTE: this is *not* the way to use NyAccess. It should never # be stored in the database. It should be set as an attribute # to a *class*, like NyForum. self.testfolderparent._setOb( 'ny_access', NyAccess('ny_access', { self.perm1: self.perm1, self.perm2: self.perm2 })) self.testfolder._setOb( 'ny_access', NyAccess('ny_access', { self.perm1: self.perm1, self.perm2: self.perm2 })) # default permission map # parent folder does not inherit permissions permission = Permission(self.perm1, (), self.testfolderparent) permission.setRoles((self.role1, 'Manager')) permission = Permission(self.perm2, (), self.testfolderparent) permission.setRoles((self.role2, 'Manager')) # child folder permissions permission = Permission(self.perm1, (), self.testfolder) permission.setRoles([self.role2]) permission = Permission(self.perm2, (), self.testfolder) permission.setRoles((self.role1, 'Manager')) transaction.commit()
def test__checkPermission(self): o = self.site.actions_dummy Permission('View', (), o).setRoles(('Anonymous', )) Permission('WebDAV access', (), o).setRoles(('Authenticated', )) Permission('Manage users', (), o).setRoles(('Manager', )) eo = self.site.content_dummy eo._owner = (['acl_users'], 'user_foo') getSecurityManager().addContext(eo) self.failUnless(_checkPermission('View', o)) self.failIf(_checkPermission('WebDAV access', o)) self.failIf(_checkPermission('Manage users', o)) eo._proxy_roles = ('Authenticated', ) self.failIf(_checkPermission('View', o)) self.failUnless(_checkPermission('WebDAV access', o)) self.failIf(_checkPermission('Manage users', o))
def permission_settings(self, permission=None): """Return user-role permission settings. If 'permission' is passed to the method then only the settings for 'permission' is returned. """ result = [] valid = self.valid_roles() indexes = range(len(valid)) ip = 0 permissions = self.ac_inherited_permissions(1) # Filter permissions if permission: permissions = [p for p in permissions if p[0] == permission] for p in permissions: name, value = p[:2] p = Permission(name, value, self) roles = p.getRoles(default=[]) d = { 'name': name, 'acquire': isinstance(roles, list) and 'CHECKED' or '', 'roles': map(lambda ir, roles=roles, valid=valid, ip=ip: { 'name': "p%dr%d" % (ip, ir), 'checked': (valid[ir] in roles) and 'CHECKED' or '', }, indexes) } ip = ip + 1 result.append(d) return result
def test_FakeExecutableObject(self): from AccessControl import getSecurityManager from AccessControl.ImplPython import ZopeSecurityPolicy from AccessControl.Permission import Permission from AccessControl.SecurityManagement import newSecurityManager from AccessControl.SecurityManager import setSecurityPolicy from ..utils import FakeExecutableObject setSecurityPolicy(ZopeSecurityPolicy()) site = self._makeSite() newSecurityManager(None, site.acl_users.user_foo) obj = site.bar_dummy Permission('FOO', (), obj).setRoles(('FOO_ROLE',)) sm = getSecurityManager() self.assertFalse(sm.checkPermission('FOO', obj)) eo = FakeExecutableObject(('FOO_ROLE',)) sm.addContext(eo) try: self.assertTrue(sm.checkPermission('FOO', obj)) finally: sm.removeContext(eo) self.assertFalse(sm.checkPermission('FOO', obj))
def resetPublishPermission(context): from AccessControl.Permission import Permission siteroot = aq_parent(context) permission = Permission("Euphorie: Publish a Survey", (), siteroot) if "CountryManager" not in permission.getRoles(default=[]): permission.setRole("CountryManager", True) log.info("Adding publish permission for country managers")
def manage_changePermissions(self, REQUEST): """Change all permissions settings, called by management screen. """ valid_roles = self.valid_roles() indexes = range(len(valid_roles)) have = REQUEST.has_key permissions = self.ac_inherited_permissions(1) fails = [] for ip in range(len(permissions)): roles = [] for ir in indexes: if have("p%dr%d" % (ip, ir)): roles.append(valid_roles[ir]) name, value = permissions[ip][:2] try: p = Permission(name, value, self) if not have('a%d' % ip): roles = tuple(roles) p.setRoles(roles) except: fails.append(name) if fails: return MessageDialog(title="Warning!", message="Some permissions had errors: " + escape(', '.join(fails)), action='manage_access') return MessageDialog(title='Success!', message='Your changes have been saved', action='manage_access')
def test_error_for_untrashable_documents(self, browser): trashable = create( Builder('document').within( self.dossier).titled(u'Trashable document')) untrashable = create( Builder('document').within( self.dossier).titled(u'Untrashable document')) # Remove trash permission from all users. Permission('opengever.trash: Trash content', [], untrashable).setRoles( ()) transaction.commit() data = { 'paths:list': [ '/'.join(trashable.getPhysicalPath()), '/'.join(untrashable.getPhysicalPath()) ], '_authenticator': createToken() } browser.login().open(self.dossier, view="trashed", data=data) self.assertEquals([u'the object Trashable document trashed'], info_messages()) self.assertEquals([u'Trashing Untrashable document is forbidden'], error_messages()) self.assertEquals('http://nohost/plone/dossier-1#documents', browser.url)
def listPermissions(self): """ List permissions for export. o Returns a sqeuence of mappings describing locally-modified permission / role settings. Keys include: 'permission' -- the name of the permission 'acquire' -- a flag indicating whether to acquire roles from the site's container 'roles' -- the list of roles which have the permission. o Do not include permissions which both acquire and which define no local changes to the acquired policy. """ permissions = [] valid_roles = self.listRoles() for perm in self._site.ac_inherited_permissions(1): name = perm[0] p = Permission(name, perm[1], self._site) roles = p.getRoles(default=[]) acquire = isinstance(roles, list) # tuple means don't acquire roles = [r for r in roles if r in valid_roles] if roles or not acquire: permissions.append({ 'name': name, 'acquire': acquire, 'roles': roles }) return permissions
def tryMethodCallWithTemporaryPermission(context, permission, method, method_argv, method_kw, exception): # we want to catch the explicit security check done in manage_renameObject # and bypass it. for this, we temporarily give the Copy or Move right to the # user. We assume that if the user has enough rights to pass the # "declareProtected" check around "setId", he should be really able to # rename the object. try: return method(*method_argv, **method_kw) except exception: user = getSecurityManager().getUser() user_role_list = user.getRolesInContext(context) if len(user_role_list) > 0: perm_list = context.ac_inherited_permissions() for p in perm_list: if p[0] == permission: name, value = p[:2] break else: name, value = (permission, ()) p = Permission(name,value,context) old_role_list = p.getRoles(default=[]) p.setRoles(user_role_list) result = method(*method_argv, **method_kw) p.setRoles(old_role_list) return result
def allowed(context, permission=None): """ Roles that have `permission` and why. Returns {PERM_NAME: {'Role': (REASON, META), ..}, ..} where `REASON` in ('assigned', 'inherited'). `META` can be None or dict supplying extra info, like `source` of permission inheritance. """ out = {} all_roles = context.valid_roles() permissions = context.ac_inherited_permissions(1) if permission: permissions = [x for x in permissions if x[0] == permission] for perm in permissions: name, value = perm[:2] maps = out[name] = {} perm = Permission(name, value, context) roles = perm.getRoles(default=[]) for role in roles: maps[role] = ('assigned', None) if isinstance(roles, list): from_parent = allowed(context.aq_parent, name) for role in set(all_roles) - set(roles): parent_permission = from_parent[name].get(role) if parent_permission: reason, meta = parent_permission if reason == 'assigned': maps[role] = ('inherited', {'source': ofs_path(context.aq_parent)}) elif reason == 'inherited': maps[role] = parent_permission return out
def _modifyPermissionMappings(ob, map): """ Modifies multiple role to permission mappings. """ # This mimics what AccessControl/Role.py does. # Needless to say, it's crude. :-( something_changed = 0 perm_info = _ac_inherited_permissions(ob, 1) for name, settings in map.items(): cur_roles = rolesForPermissionOn(name, ob) if isinstance(cur_roles, basestring): cur_roles = [cur_roles] else: cur_roles = list(cur_roles) changed = 0 for (role, allow) in settings.items(): if not allow: if role in cur_roles: changed = 1 cur_roles.remove(role) else: if role not in cur_roles: changed = 1 cur_roles.append(role) if changed: data = () # The list of methods using this permission. for perm in perm_info: n, d = perm[:2] if n == name: data = d break p = Permission(name, data, ob) p.setRoles(tuple(cur_roles)) something_changed = 1 return something_changed
def manage_permission_for(brain_or_object, permission, roles, acquire=0): """Change the settings for the given permission. Code extracted from `IRoleManager.manage_permission` :param brain_or_object: Catalog brain or object :param permission: The permission to be granted :param roles: The roles the permission to be granted to :param acquire: Flag to acquire the permission """ obj = api.get_object(brain_or_object) if isinstance(roles, basestring): roles = [roles] for item in obj.ac_inherited_permissions(1): name, value = item[:2] if name == permission: permission = Permission(name, value, obj) if acquire: roles = list(roles) else: roles = tuple(roles) permission.setRoles(roles) return # Raise an error if the permission is invalid raise ValueError("The permission {} is invalid.".format(permission))
def manage_role(self, role_to_manage, permissions=[]): """Change the permissions given to the given role. """ for p in self.ac_inherited_permissions(1): name, value = p[:2] p = Permission(name, value, self) p.setRole(role_to_manage, name in permissions)
def manage_changePermissions(self, REQUEST): """Change all permissions settings, called by management screen.""" valid_roles = self.valid_roles() have = REQUEST.__contains__ permissions = self.ac_inherited_permissions(1) fails = [] for ip in range(len(permissions)): permission_name = permissions[ip][0] permission_hash = _string_hash(permission_name) roles = [] for role in valid_roles: role_name = role role_hash = _string_hash(role_name) if have("permission_%srole_%s" % (permission_hash, role_hash)): roles.append(role) name, value = permissions[ip][:2] try: p = Permission(name, value, self) if not have('acquire_%s' % permission_hash): roles = tuple(roles) p.setRoles(roles) except Exception: fails.append(name) if fails: raise BadRequest('Some permissions had errors: ' + html.escape(', '.join(fails), True)) if REQUEST is not None: return self.manage_access(REQUEST)
def getPermissionMapping(self): """ Return the permission mapping for the object """ mapping = {} for permission in self.permissions: permission_object = Permission(permission, (), self.getObject()) mapping[permission] = permission_object.getRoles() return mapping
def getPermissionsWithAcquiredRoles(self): """ Return the permissions which acquire roles from their parents """ ret = [] for permission in self.permissions: permission_object = Permission(permission, (), self.getObject()) if isinstance(permission_object.getRoles(), list): ret.append(permission) return ret
def setUp(self): from AccessControl.SecurityManagement import newSecurityManager from Products.CMFCore.tests.base.dummy import DummyFolder from Products.CMFCore.tests.base.security import UserWithRoles self.f = DummyFolder(fake_product=1) Permission('addFoo', (), self.f).setRoles(('Manager', 'FooAdder')) self.ti = self._makeOne('Foo', product='FooProduct', factory='addFoo') newSecurityManager(None, UserWithRoles('FooAdder').__of__(self.f))
def _update(self, portal): permission = "Naaya - Create user" p = Permission(permission, (), portal) if 'Administrator' not in p.getRoles(): permission_add_role(portal, permission, 'Administrator') permission_add_role(portal, permission, 'Anonymous') self.log.debug('Added %s permission', permission) return True
def setPermissionMapping(self, mapping): """ Change the permission mapping for the object. This leaves the other permissions (not in mapping.keys()) unchanged """ for permission in mapping: permission_object = Permission(permission, (), self.getObject()) permission_object.setRoles(mapping[permission])
def _update(self, portal): view_perm = Permission(view, (), portal) roles_with_view = view_perm.getRoles() if tuple is type(roles_with_view): self.log.debug('No need to update') else: view_perm.setRoles(tuple(roles_with_view)) self.log.debug('Removed view permission inheritance for the site') return True
def modifyPermissionMappings(ob, map): ''' Modifies multiple role to permission mappings. ''' # This mimics what AccessControl/Role.py does. # Needless to say, it's crude. :-( map = map.copy() # Safety. for perm in ac_inherited_permissions(ob, 1): name, value = perm[:2] if map.has_key(name): for (role, allow) in map[name].items(): p = Permission(name, value, ob) p.setRole(role, allow) # Will only modify if it should. del map[name] if map: for name, (role, allow) in map.items(): p = Permission(name, (), ob) p.setRole(role, allow)
def _update(self, portal): permissions = ["Naaya - Add Naaya Photo Folder", "Naaya - Add Naaya Photo Gallery"] for permission in permissions: p = Permission(permission, (), portal) if 'Administrator' not in p.getRoles(): permission_add_role(portal, permission, 'Administrator') self.log.debug('Added %s permission', permission) return True
def _update(self, portal): skip_captcha_perm = Permission('Naaya - Skip Captcha', (), portal) roles_with_skip_captcha = skip_captcha_perm.getRoles() if 'Authenticated' not in roles_with_skip_captcha: roles_with_skip_captcha.append('Authenticated') skip_captcha_perm.setRoles(roles_with_skip_captcha) self.log.debug('Skip Captcha permission assigned to Authenticated') else: self.log.debug('Authenticated already has the permission') return True
def _update(self, portal): catalog = portal.getCatalogTool() for brain in catalog(approved=0): obj = brain.getObject() permission = Permission(view, (), obj) roles = permission.getRoles() if isinstance(roles, list): obj.dont_inherit_view_permission() self.log.debug('restricted view permission for %s', obj.absolute_url()) return True
def set_acl_for_roles(ob, roles): permission_object = Permission(view, (), ob) current_roles = permission_object.getRoles() is_tuple = isinstance(current_roles, tuple) current_roles = list(current_roles) new_roles = set(roles + current_roles) if is_tuple: new_roles = tuple(new_roles) else: new_roles = list(new_roles) permission_object.setRoles(new_roles)
def roles_of_permission(context, permission): """Return all roles which have the given permission on the current context.""" role_manager = IRoleManager(context) for p in role_manager.ac_inherited_permissions(1): name, value = p[:2] if name == permission: p = Permission(name, value, role_manager) roles = p.getRoles() return roles
def acquiredRolesAreUsedBy(self, permission): """ """ for p in self.ac_inherited_permissions(1): name, value = p[:2] if name == permission: p = Permission(name, value, self) roles = p.getRoles() return isinstance(roles, list) and 'CHECKED' or '' raise ValueError("The permission <em>%s</em> is invalid." % escape(permission))