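def _getTempFolder(self, type_name):
    """Return the per-request TempFolder used to stage a new `type_name` object.

    The folder is cached in ``self.REQUEST[FACTORY_INFO]`` keyed by type name;
    a cached folder is re-wrapped in this object's acquisition context and
    returned. Otherwise a new ``TempFolder`` is created and every permission of
    the intended parent (``aq_parent(self)``) is copied onto it, with acquired
    permissions resolved explicitly by walking up towards the portal, so the
    staged object is protected the same way it will be in its real parent.

    Args:
        type_name: portal_types id of the content type being created.

    Returns:
        The TempFolder wrapped with ``self`` as acquisition parent.
    """
    factory_info = self.REQUEST.get(FACTORY_INFO, {})
    temp_folder = factory_info.get(type_name, None)
    if temp_folder:
        return aq_inner(temp_folder).__of__(self)

    # Make sure we can add an object of this type to the temp folder.
    # NOTE: this widens the TempFolder FTI's allowed_content_types to every
    # registered type, and it is a persistent write made from a lookup path.
    types_tool = getToolByName(self, 'portal_types')
    if type_name not in types_tool.TempFolder.allowed_content_types:
        types_tool.TempFolder.allowed_content_types = (
            types_tool.listContentTypes())

    temp_folder = TempFolder(type_name).__of__(self)
    intended_parent = aq_parent(self)
    portal = getToolByName(self, 'portal_url').getPortalObject()

    # permission name -> roles; a list means the permission is acquired,
    # a tuple means it is not (the AccessControl.Permission convention)
    folder_roles = {}
    n_acquired = 0  # number of permissions that still acquire from above

    for entry in intended_parent.ac_inherited_permissions(1):
        name, value = entry[:2]
        roles = Permission(name, value, intended_parent).getRoles()
        if isinstance(roles, list):
            # Defensive copy: getRoles() may hand back the parent's stored list
            # itself, and the merge below appends to it in place.
            roles = list(roles)
            n_acquired += 1
        folder_roles[name] = roles

    # If intended_parent is not the portal, walk up the acquisition hierarchy
    # and merge in the roles each ancestor grants, stopping once no permission
    # acquires any more or the portal is reached. In addition to being
    # cumbersome, this is undoubtedly very slow.
    if intended_parent != portal:
        parent = aq_parent(aq_inner(intended_parent))
        while n_acquired and parent != portal:
            n_acquired = 0
            for entry in parent.ac_inherited_permissions(1):
                name, value = entry[:2]
                roles = folder_roles[name]
                if not isinstance(roles, list):
                    continue
                aq_roles = Permission(name, value, parent).getRoles()
                for role in aq_roles:
                    if role not in roles:
                        roles.append(role)
                if isinstance(aq_roles, list):
                    n_acquired += 1
                else:
                    # the ancestor stops acquiring here: freeze the merged set
                    roles = tuple(roles)
                folder_roles[name] = roles
            parent = aq_parent(aq_inner(parent))

    for name, roles in folder_roles.items():
        temp_folder.manage_permission(name, roles,
                                      acquire=isinstance(roles, list))

    factory_info[type_name] = temp_folder
    self.REQUEST.set(FACTORY_INFO, factory_info)
    return temp_folder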
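def permission_settings(self, permission=None):
    """Return user-role permission settings.

    If 'permission' is passed to the method then only the settings for
    'permission' is returned.

    Each entry is a mapping with:
        'name'    -- the permission name
        'acquire' -- 'CHECKED' when the roles are acquired (stored as a
                     list), '' otherwise
        'roles'   -- one mapping per valid role with the form-field 'name'
                     ("p<perm index>r<role index>") and 'checked'
    """
    valid = self.valid_roles()
    permissions = self.ac_inherited_permissions(1)
    # Filter permissions
    if permission:
        permissions = [p for p in permissions if p[0] == permission]

    result = []
    for ip, entry in enumerate(permissions):
        name, value = entry[:2]
        roles = Permission(name, value, self).getRoles(default=[])
        result.append({
            'name': name,
            'acquire': 'CHECKED' if isinstance(roles, list) else '',
            # built as an explicit list (not map()/lambda) so the result is a
            # plain, re-iterable list in every Python version
            'roles': [
                {
                    'name': "p%dr%d" % (ip, ir),
                    'checked': 'CHECKED' if role in roles else '',
                }
                for ir, role in enumerate(valid)
            ],
        })
    return result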
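def tryMethodCallWithTemporaryPermission(context, permission, method, method_argv, method_kw, exception):
    """Call `method`; on `exception`, retry once with `permission` granted to the user.

    We want to catch the explicit security check done in manage_renameObject
    and bypass it. For this, we temporarily give the Copy or Move right to the
    user. We assume that if the user has enough rights to pass the
    "declareProtected" check around "setId", he should be really able to
    rename the object.

    Args:
        context: object whose permission setting is temporarily widened.
        permission: name of the permission granted for the retry.
        method: callable to invoke.
        method_argv, method_kw: positional and keyword arguments for `method`.
        exception: exception class that triggers the retry.

    Returns:
        The result of `method`, or None when `exception` was raised and the
        user has no roles in `context` (the exception is then dropped, as
        before).
    """
    try:
        return method(*method_argv, **method_kw)
    except exception:
        user = getSecurityManager().getUser()
        user_role_list = user.getRolesInContext(context)
        if not user_role_list:
            return None

        for entry in context.ac_inherited_permissions():
            if entry[0] == permission:
                name, value = entry[:2]
                break
        else:
            name, value = (permission, ())

        p = Permission(name, value, context)
        old_role_list = p.getRoles(default=[])
        p.setRoles(user_role_list)
        try:
            return method(*method_argv, **method_kw)
        finally:
            # Restore the previous setting even when the retry raises, so the
            # widened grant never outlives this call.
            p.setRoles(old_role_list)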
def getPermissionMapping(self):
    """ Return the permission mapping for the parent.

    Maps each name in ``self.permissions`` to the roles stored for it on
    ``self.aq_parent`` (a list when acquired, a tuple when not).
    """
    parent = self.aq_parent
    return dict(
        (zope_perm, Permission(zope_perm, (), parent).getRoles())
        for zope_perm in self.permissions
    )
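def permission_settings(self, permission=None):
    """Return user-role permission settings.

    If 'permission' is passed to the method then only the settings for
    'permission' is returned.

    Each entry holds 'name', 'acquire' ('CHECKED' when the roles are stored
    as a list, i.e. acquired) and 'roles', one mapping per valid role with
    the form-field 'name' ("p<perm index>r<role index>") and 'checked'.
    """
    valid = self.valid_roles()
    permissions = self.ac_inherited_permissions(1)
    # Filter permissions
    if permission:
        permissions = [p for p in permissions if p[0] == permission]

    def role_checks(ip, roles):
        # explicit list instead of map()/lambda so callers may iterate twice
        return [{'name': "p%dr%d" % (ip, ir),
                 'checked': 'CHECKED' if role in roles else ''}
                for ir, role in enumerate(valid)]

    result = []
    for ip, entry in enumerate(permissions):
        name, value = entry[:2]
        roles = Permission(name, value, self).getRoles(default=[])
        result.append({
            'name': name,
            'acquire': 'CHECKED' if isinstance(roles, list) else '',
            'roles': role_checks(ip, roles),
        })
    return result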
def resetPublishPermission(context):
    """Grant the survey publish permission to CountryManager on the site root."""
    from AccessControl.Permission import Permission
    site_root = aq_parent(context)
    publish = Permission("Euphorie: Publish a Survey", (), site_root)
    if "CountryManager" in publish.getRoles(default=[]):
        return
    publish.setRole("CountryManager", True)
    log.info("Adding publish permission for country managers")
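def allowed(context, permission=None):
    """ Roles that have `permission` and why.

    Returns {PERM_NAME: {'Role': (REASON, META), ..}, ..} where `REASON` in
    ('assigned', 'inherited'). `META` can be None or dict supplying extra
    info, like `source` of permission inheritance.

    Roles stored locally (in the list or tuple getRoles() returns) are
    'assigned'; when the setting acquires (a list), every other valid role is
    looked up on the parent and reported as 'inherited'.
    """
    out = {}
    all_roles = context.valid_roles()
    permissions = context.ac_inherited_permissions(1)
    if permission:
        permissions = [x for x in permissions if x[0] == permission]
    for entry in permissions:
        name, value = entry[:2]
        maps = out[name] = {}
        roles = Permission(name, value, context).getRoles(default=[])
        for role in roles:
            maps[role] = ('assigned', None)
        if isinstance(roles, list):
            # Resolve the parent once per permission instead of once per
            # role (the recursive call was previously inside the role loop).
            # NOTE(review): assumes context.aq_parent is never None — confirm
            parent = context.aq_parent
            from_parent = allowed(parent, name)[name]
            for role in set(all_roles) - set(roles):
                parent_permission = from_parent.get(role)
                if not parent_permission:
                    continue
                reason = parent_permission[0]
                if reason == 'assigned':
                    maps[role] = ('inherited', {'source': ofs_path(parent)})
                elif reason == 'inherited':
                    maps[role] = parent_permission
    return out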
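def update(app):
    """Grant the Auditor role the View permission on every Report Document.

    For each catalog hit whose valid roles include Auditor, the View roles are
    rewritten as a tuple (acquisition switched off) with 'Auditor' appended.
    """
    catalog = getattr(app, 'Catalog')
    for brain in catalog(meta_type='Report Document'):
        doc = brain.getObject()
        if 'Auditor' not in doc.valid_roles():
            continue
        for perm in doc.ac_inherited_permissions(1):
            name, value = perm[:2]
            if name != 'View':
                continue
            p = Permission(name, value, doc)
            roles = list(p.getRoles())
            if 'Auditor' in roles:
                continue
            roles.append('Auditor')
            try:
                # tuple => local setting that no longer acquires from the parent
                p.setRoles(tuple(roles))
                print("Added Auditor to View permission for %s" % doc.absolute_url())
            except Exception as exc:
                # narrowed from a bare except so KeyboardInterrupt/SystemExit
                # propagate, and the reason is no longer hidden
                print("Failed: %r" % (exc,))
    # NOTE(review): the flattened original does not show whether this commit
    # sits inside the loop; a single commit after the loop is assumed.
    transaction.commit()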
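def listPermissions(self):
    """ List permissions for export.

    o Returns a sequence of mappings describing locally-modified
      permission / role settings.  Keys include:

      'name' -- the name of the permission

      'acquire' -- a flag indicating whether to acquire roles from the
        site's container

      'roles' -- the list of roles which have the permission, sorted so
        the export is deterministic.

    o Do not include permissions which both acquire and which define
      no local changes to the acquired policy.
    """
    permissions = []
    valid_roles = self.listRoles()
    for perm in self._site.ac_inherited_permissions(1):
        name = perm[0]
        p = Permission(name, perm[1], self._site)
        roles = p.getRoles(default=[])
        acquire = isinstance(roles, list)  # tuple means don't acquire
        # sorted for a stable export (roles outside the site's roles dropped)
        roles = sorted(r for r in roles if r in valid_roles)
        if roles or not acquire:
            permissions.append({
                'name': name,
                'acquire': acquire,
                'roles': roles,
            })
    return permissions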
def allowed(context, permission=None):
    """ Roles that have `permission` and why.

    Returns {PERM_NAME: {'Role': (REASON, META), ..}, ..} where `REASON` in
    ('assigned', 'inherited'). `META` can be None or dict supplying extra
    info, like `source` of permission inheritance.
    """
    all_roles = set(context.valid_roles())
    candidates = context.ac_inherited_permissions(1)
    if permission:
        candidates = [entry for entry in candidates if entry[0] == permission]
    out = {}
    for entry in candidates:
        name, value = entry[:2]
        roles = Permission(name, value, context).getRoles(default=[])
        maps = dict((role, ('assigned', None)) for role in roles)
        out[name] = maps
        if not isinstance(roles, list):
            # a tuple means the setting is local: nothing is inherited
            continue
        parent = context.aq_parent
        inherited = allowed(parent, name)[name]
        for role in all_roles - set(roles):
            parent_permission = inherited.get(role)
            if not parent_permission:
                continue
            reason = parent_permission[0]
            if reason == 'assigned':
                maps[role] = ('inherited', {'source': ofs_path(parent)})
            elif reason == 'inherited':
                maps[role] = parent_permission
    return out
def listPermissions(self):
    """ List permissions for export.

    o Returns a sequence of mappings describing locally-modified
      permission / role settings.  Keys include:

      'name' -- the name of the permission

      'acquire' -- a flag indicating whether to acquire roles from the
        site's container

      'roles' -- the sorted list of roles which have the permission.

    o Do not include permissions which both acquire and which define
      no local changes to the acquired policy.
    """
    valid_roles = self.listRoles()
    site = self._site
    exported = []
    for entry in site.ac_inherited_permissions(1):
        name = entry[0]
        stored = Permission(name, entry[1], site).getRoles(default=[])
        acquire = isinstance(stored, list)  # tuple means don't acquire
        local_roles = sorted(role for role in stored if role in valid_roles)
        if not local_roles and acquire:
            # acquiring with no local change: nothing to export
            continue
        exported.append({'name': name,
                         'acquire': acquire,
                         'roles': local_roles})
    return exported
def manage_doCustomize(self, folder_path, RESPONSE=None):
    """Makes a ZODB Based clone with the same data.

    Calls _createZODBClone for the actual work.

    The clone keeps the source's cache-manager association, its proxy roles
    and its local permission settings, then is placed into the skin folder
    at `folder_path`.  If `RESPONSE` is given the caller is redirected to
    the new object (or, when the id is already taken, back to the existing
    object with an error message).
    """
    obj = self._createZODBClone()
    parent = aq_parent(aq_inner(self))

    # Preserve cache manager associations
    cachemgr_id = self.ZCacheable_getManagerId()
    if (cachemgr_id and
            getattr(obj, 'ZCacheable_setManagerId', None) is not None):
        obj.ZCacheable_setManagerId(cachemgr_id)

    # If there are proxy roles we preserve them.
    # Proxy roles let the code run with those roles regardless of the caller,
    # so copying them carries any privilege of the original over to the clone.
    proxy_roles = getattr(aq_base(self), '_proxy_roles', None)
    if proxy_roles is not None and isinstance(proxy_roles, tuple):
        obj._proxy_roles = tuple(self._proxy_roles)

    # Also, preserve any permission settings that might have come
    # from a metadata file or from fiddling in the ZMI
    old_info = [x[:2] for x in self.ac_inherited_permissions(1)]
    for old_perm, value in old_info:
        p = Permission(old_perm, value, self)
        # a list of roles means the permission acquires from the container
        acquired = int(isinstance(p.getRoles(default=[]), list))
        rop_info = self.rolesOfPermission(old_perm)
        roles = [x['name'] for x in rop_info if x['selected'] != '']
        try:
            # if obj is based on OFS.ObjectManager an acquisition context is
            # required for _subobject_permissions()
            obj.__of__(parent).manage_permission(old_perm,
                                                 roles=roles,
                                                 acquire=acquired)
        except ValueError:
            # The permission was invalid, never mind
            pass

    id = obj.getId()
    fpath = tuple(folder_path.split('/'))
    portal_skins = getUtility(ISkinsTool)
    folder = portal_skins.restrictedTraverse(fpath)
    if id in folder.objectIds():
        # we can't catch the BadRequest so
        # we'll have to check beforehand
        obj = folder._getOb(id)
        if RESPONSE is not None:
            RESPONSE.redirect('%s/manage_main?manage_tabs_message=%s' % (
                obj.absolute_url(),
                html_quote("An object with this id already exists")))
    else:
        # validate_src=0 skips the source-side paste validation
        folder._verifyObjectPaste(obj, validate_src=0)
        folder._setObject(id, obj)
        if RESPONSE is not None:
            RESPONSE.redirect('%s/%s/manage_main' % (
                folder.absolute_url(), id))
    # NOTE(review): this trailing redirect repeats the one in the else branch;
    # its indentation is lost in the flattened source, so its placement here
    # (after the if/else) is inferred -- confirm against the original file.
    if RESPONSE is not None:
        RESPONSE.redirect('%s/%s/manage_main' % (
            folder.absolute_url(), id))
def getPermissionsWithAcquiredRoles(self):
    """ Return the permissions which acquire roles from their parents.

    A permission acquires when the roles stored on ``self.aq_parent`` are a
    list rather than a tuple.
    """
    parent = self.aq_parent
    return [
        zope_perm for zope_perm in self.permissions
        if isinstance(Permission(zope_perm, (), parent).getRoles(), list)
    ]
def getPermissionMapping(self):
    """ Return the permission mapping for the object.

    Maps each name in ``self.permissions`` to the roles stored for it on
    ``self.getObject()`` (a list when acquired, a tuple when not).
    """
    target = self.getObject()
    return dict(
        (name, Permission(name, (), target).getRoles())
        for name in self.permissions
    )
def getPermissionsWithAcquiredRoles(self):
    """ Return the permissions which acquire roles from their parents.

    A permission acquires when the roles stored on ``self.getObject()`` are
    a list rather than a tuple.
    """
    target = self.getObject()
    return [
        name for name in self.permissions
        if isinstance(Permission(name, (), target).getRoles(), list)
    ]
def _update(self, portal):
    """Ensure Administrator holds both Naaya photo "Add" permissions on the portal."""
    for permission in ("Naaya - Add Naaya Photo Folder",
                       "Naaya - Add Naaya Photo Gallery"):
        current_roles = Permission(permission, (), portal).getRoles()
        if "Administrator" in current_roles:
            continue
        permission_add_role(portal, permission, "Administrator")
        self.log.debug("Added %s permission", permission)
    return True
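def _update(self, portal):
    """Stop the site's View permission from acquiring roles.

    getRoles() hands back a list when the roles are acquired and a tuple when
    they are set locally; converting to a tuple freezes the current roles
    without acquisition.
    """
    view_perm = Permission(view, (), portal)
    roles_with_view = view_perm.getRoles()
    # isinstance instead of `tuple is type(...)`: the idiomatic type check
    if isinstance(roles_with_view, tuple):
        self.log.debug('No need to update')
    else:
        view_perm.setRoles(tuple(roles_with_view))
        self.log.debug('Removed view permission inheritance for the site')
    return True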
def _update(self, portal):
    """Give Anonymous the View permission on portal_layout.

    The roles are replaced wholesale by ['Anonymous'] (a list, so the
    setting keeps acquiring from the portal) rather than appended to.
    """
    view_perm = Permission(view, (), portal.getLayoutTool())
    if 'Anonymous' in view_perm.getRoles():
        self.log.info("Already has it, nothing to do.")
    else:
        view_perm.setRoles(['Anonymous'])
        self.log.info("View Permission set for Anonymous on portal_layout.")
    return True
def _update(self, portal):
    """Grant "Naaya - Create user" to Administrator and Anonymous.

    The Anonymous grant opens user creation to unauthenticated visitors;
    both roles are only added when Administrator does not already hold it.
    """
    permission = "Naaya - Create user"
    if 'Administrator' in Permission(permission, (), portal).getRoles():
        return True
    for role in ('Administrator', 'Anonymous'):
        permission_add_role(portal, permission, role)
    self.log.debug('Added %s permission', permission)
    return True
def _update(self, portal):
    """Grant "Naaya - Create user" to Administrator and Anonymous.

    Adding Anonymous exposes user creation to unauthenticated visitors. The
    Administrator check is the only guard: when it already holds the
    permission nothing is changed.
    """
    permission = "Naaya - Create user"
    current_roles = Permission(permission, (), portal).getRoles()
    missing = "Administrator" not in current_roles
    if missing:
        permission_add_role(portal, permission, "Administrator")
        permission_add_role(portal, permission, "Anonymous")
        self.log.debug("Added %s permission", permission)
    return True
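def _update(self, portal):
    """Let Authenticated users skip the captcha on the portal.

    getRoles() returns a list when the permission acquires and a tuple when
    it is set locally; the original appended in place and would fail on a
    tuple, so the roles are rebuilt in the same container type to keep the
    acquire flag unchanged.
    """
    skip_captcha_perm = Permission('Naaya - Skip Captcha', (), portal)
    roles_with_skip_captcha = skip_captcha_perm.getRoles()
    if 'Authenticated' in roles_with_skip_captcha:
        self.log.debug('Authenticated already has the permission')
        return True
    new_roles = list(roles_with_skip_captcha) + ['Authenticated']
    if isinstance(roles_with_skip_captcha, tuple):
        new_roles = tuple(new_roles)
    skip_captcha_perm.setRoles(new_roles)
    self.log.debug('Skip Captcha permission assigned to Authenticated')
    return True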
def _update(self, portal):
    """Stop unapproved objects from acquiring the View permission.

    For every catalog entry with approved=0, an acquired View setting (a
    list of roles) is replaced via dont_inherit_view_permission().
    """
    catalog = portal.getCatalogTool()
    for brain in catalog(approved=0):
        obj = brain.getObject()
        view_roles = Permission(view, (), obj).getRoles()
        if not isinstance(view_roles, list):
            continue
        obj.dont_inherit_view_permission()
        self.log.debug("restricted view permission for %s", obj.absolute_url())
    return True
def _update(self, portal):
    """Ensure Administrator holds both Naaya photo "Add" permissions on the portal."""
    wanted = ["Naaya - Add Naaya Photo Folder",
              "Naaya - Add Naaya Photo Gallery"]
    for permission in wanted:
        already_granted = 'Administrator' in Permission(permission, (), portal).getRoles()
        if already_granted:
            continue
        permission_add_role(portal, permission, 'Administrator')
        self.log.debug('Added %s permission', permission)
    return True
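def roles_of_permission(context, permission):
    """Return all roles which have the given permission on the current context.

    Returns the roles as stored (a list when acquired, a tuple when local).

    Raises:
        ValueError: if `permission` is not among the context's permissions
            (the original fell off the loop and raised on an unbound `roles`).
    """
    role_manager = IRoleManager(context)
    for entry in role_manager.ac_inherited_permissions(1):
        name, value = entry[:2]
        if name == permission:
            # return on the first match instead of scanning the rest
            return Permission(name, value, role_manager).getRoles()
    raise ValueError("The permission %r is invalid." % (permission,))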
def _update(self, portal):
    """Restrict the View permission on every unapproved object.

    Objects whose View roles are stored as a list (acquired) get
    dont_inherit_view_permission() called; tuples are already local.
    """
    catalog = portal.getCatalogTool()
    unapproved = [brain.getObject() for brain in catalog(approved=0)]
    for obj in unapproved:
        roles = Permission(view, (), obj).getRoles()
        acquires = isinstance(roles, list)
        if acquires:
            obj.dont_inherit_view_permission()
            self.log.debug('restricted view permission for %s', obj.absolute_url())
    return True
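def _update(self, portal):
    """Grant the TalkBack review permission to Administrator, Owner and Reviewer.

    Roles are added one at a time, logging each addition. The roles are
    rebuilt in the container type getRoles() returned (list = acquire,
    tuple = local) because appending to a tuple fails.
    """
    review_perm = Permission('Naaya - Review TalkBack Consultation', (), portal)
    for role in ('Administrator', 'Owner', 'Reviewer'):
        roles = review_perm.getRoles()
        if role in roles:
            continue
        new_roles = list(roles) + [role]
        if isinstance(roles, tuple):
            new_roles = tuple(new_roles)
        review_perm.setRoles(new_roles)
        self.log.info("Review Permission set for %s on %s" % (role, portal.absolute_url()))
    return True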
def set_acl_for_roles(ob, roles):
    """Add `roles` to the View permission on `ob`, keeping its acquire flag.

    The stored container type is preserved: a tuple (no acquisition) stays a
    tuple, a list (acquired) stays a list. Duplicates are dropped through a
    set, so the resulting order is unspecified.
    """
    view_perm = Permission(view, (), ob)
    existing = view_perm.getRoles()
    container = tuple if isinstance(existing, tuple) else list
    merged = container(set(roles + list(existing)))
    view_perm.setRoles(merged)
def acquiredRolesAreUsedBy(self, permission):
    """Return 'CHECKED' when `permission` acquires its roles, '' otherwise.

    A list of roles means the permission is acquired; a tuple means it is
    not. Raises ValueError for an unknown permission.
    """
    for entry in self.ac_inherited_permissions(1):
        name, value = entry[:2]
        if name != permission:
            continue
        roles = Permission(name, value, self).getRoles()
        return 'CHECKED' if isinstance(roles, list) else ''
    raise ValueError(
        "The permission <em>%s</em> is invalid." % escape(permission))
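def _update(self, portal):
    """Grant the View permission on every Naaya Meeting to the meeting roles.

    OBSERVER_ROLE, WAITING_ROLE and PARTICIPANT_ROLE are added one at a time.
    getRoles() hands back a list (acquired) or a tuple (local); the original
    appended in place and would fail on a tuple, so the roles are rebuilt in
    the same container type to keep the acquire flag unchanged.
    """
    meetings = portal.getCatalogedObjects(meta_type='Naaya Meeting')
    for meeting in meetings:
        view_perm = Permission('View', (), meeting)
        for role in (OBSERVER_ROLE, WAITING_ROLE, PARTICIPANT_ROLE):
            roles = view_perm.getRoles()
            if role in roles:
                continue
            new_roles = list(roles) + [role]
            if isinstance(roles, tuple):
                new_roles = tuple(new_roles)
            view_perm.setRoles(new_roles)
            self.log.info("View Permission set for %s on %s" % (role, meeting.absolute_url()))
    return True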
def acquiredRolesAreUsedBy(self, permission):
    """Return 'CHECKED' if `permission` acquires roles (stored as a list), else ''.

    Raises ValueError when `permission` is not an inherited permission.
    """
    matching = [entry for entry in self.ac_inherited_permissions(1)
                if entry[0] == permission]
    if not matching:
        raise ValueError("The permission <em>%s</em> is invalid." % escape(permission))
    name, value = matching[0][:2]
    roles = Permission(name, value, self).getRoles()
    if isinstance(roles, list):
        return 'CHECKED'
    return ''
def permissionsOfRole(self, role):
    """Returns a role to permission mapping.

    One mapping per inherited permission, with 'name' and 'selected'
    ('SELECTED' when `role` holds the permission, '' otherwise).
    """
    entries = []
    for entry in self.ac_inherited_permissions(1):
        name, value = entry[:2]
        roles = Permission(name, value, self).getRoles()
        selected = 'SELECTED' if role in roles else ''
        entries.append({'name': name, 'selected': selected})
    return entries
def _update(self, portal):
    """Make portal_layout viewable by Anonymous.

    Note that setRoles() replaces the whole setting with ['Anonymous'] (a
    list, so acquisition from the portal stays on) instead of appending.
    """
    layout_tool = portal.getLayoutTool()
    view_perm = Permission(view, (), layout_tool)
    anonymous_has_view = 'Anonymous' in view_perm.getRoles()
    if anonymous_has_view:
        self.log.info("Already has it, nothing to do.")
        return True
    view_perm.setRoles(['Anonymous'])
    self.log.info(
        "View Permission set for Anonymous on portal_layout.")
    return True
def updateRolesForPermission(permission, roles, obj):
    '''Adds roles from list p_roles to the list of roles that are granted
    p_permission on p_obj.

    Only the roles stored locally on p_obj are merged with p_roles; the
    result is written back with acquire=0, so a role that p_obj previously
    received only through acquisition from its container is no longer
    granted here after this call.'''
    from AccessControl.Permission import Permission
    # Find existing roles that were granted p_permission on p_obj
    existing_roles = ()
    for entry in obj.ac_inherited_permissions(1):
        name, value = entry[:2]
        if name == permission:
            existing_roles = Permission(name, value, obj).getRoles()
    merged = set(existing_roles)
    merged.update(roles)
    obj.manage_permission(permission, tuple(merged), acquire=0)
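def manage_acquiredPermissions(self, permissions=None):
    """Change the permissions that acquire.

    Every permission named in `permissions` is stored as a list (acquire
    roles from the container); every other permission is stored as a tuple
    (local roles only). Permissions whose roles are None are left untouched.

    Args:
        permissions: names of the permissions that should acquire. Defaults
            to none of them; None replaces the former shared mutable `[]`
            default.
    """
    if permissions is None:
        permissions = ()
    for entry in self.ac_inherited_permissions(1):
        name, value = entry[:2]
        p = Permission(name, value, self)
        roles = p.getRoles()
        if roles is None:
            continue
        if name in permissions:
            p.setRoles(list(roles))
        else:
            p.setRoles(tuple(roles))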
def permissionsOfRole(self, role):
    """Returns a role to permission mapping.

    Each item is {'name': permission, 'selected': 'SELECTED' or ''}, the
    latter telling whether `role` is among the permission's stored roles.
    """
    def describe(entry):
        name, value = entry[:2]
        granted = role in Permission(name, value, self).getRoles()
        return {'name': name, 'selected': 'SELECTED' if granted else ''}

    return [describe(entry) for entry in self.ac_inherited_permissions(1)]
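def allowMembersToAddCenter(obj):
    """Grant the Member role the AddSoftwareCenter permission on `obj`.

    Keeps the acquire flag encoded in the roles container (tuple = local
    only, list = acquired). The unused `p = perms[0]` assignment and the
    `type(roles) == type(())` check were replaced by isinstance.

    Raises:
        IndexError: if `obj` does not know the AddSoftwareCenter permission.
    """
    matches = [p for p in obj.ac_inherited_permissions(1)
               if p[0] == AddSoftwareCenter]
    name, value = matches[0][:2]
    perm = Permission(name, value, obj)
    roles = perm.getRoles()
    if 'Member' in roles:
        return
    if isinstance(roles, tuple):
        roles = tuple(list(roles) + ['Member'])
    else:
        roles.append('Member')
    perm.setRoles(roles)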
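def _update(self, portal):
    """Make sure Administrator and Manager hold the forum default permissions.

    For every Naaya Forum, the modify-topic and skip-captcha permissions get
    both roles added. The roles are rebuilt in the container type getRoles()
    returned (list = acquired, tuple = local), which also fixes the
    `tuple + list` TypeError the original raised for non-acquiring settings.
    """
    portal_catalog = portal.getCatalogTool()
    set_roles = ['Administrator', 'Manager']
    for brain in portal_catalog(meta_type='Naaya Forum'):
        forum = brain.getObject()
        for permission_name in (PERMISSION_MODIFY_FORUMTOPIC, PERMISSION_SKIP_CAPTCHA):
            perm = Permission(permission_name, (), forum)
            roles = perm.getRoles()
            if 'Manager' in roles and 'Administrator' in roles:
                continue
            merged = set(roles)
            merged.update(set_roles)
            if isinstance(roles, tuple):
                perm.setRoles(tuple(merged))
            else:
                perm.setRoles(list(merged))
            self.log.debug('Default permissions added for %s', forum.absolute_url())
    return True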
def _update(self, portal):
    """Allow Authenticated users to add comments for content on the portal.

    The roles are rebuilt in the container type getRoles() returned (tuple =
    local, list = acquired) so the acquire flag is preserved.
    """
    permission = Permission('Naaya - Add comments for content', (), portal)
    roles = permission.getRoles()
    if 'Authenticated' in roles:
        self.log.debug("Portal doesn't need update")
        self.log.debug("Authenticated users can already add comments")
        return True
    container = tuple if isinstance(roles, tuple) else list
    permission.setRoles(container(list(roles) + ['Authenticated']))
    return True
def migrate_permission_settings(self):
    """Migrate permission settings (permission <-> role)

    The acquire flag is coded into the type of the sequence. If roles is a
    list then the roles are also acquired. If roles is a tuple the roles
    aren't acquired. Every permission stored on ``self.old`` is written
    verbatim onto ``self.new``.
    """
    old_obj, new_obj = self.old, self.new
    old_map = getPermissionMapping(old_obj.ac_inherited_permissions(1))
    new_map = getPermissionMapping(new_obj.ac_inherited_permissions(1))
    for name, old_values in old_map.items():
        roles = Permission(name, old_values, old_obj).getRoles()
        target = Permission(name, new_map.get(name, ()), new_obj)
        target.setRoles(roles)
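def setUp(self):
    """Log in as a user whose roles are granted only on /portal/info.

    The site-wide View roles are saved in ``self.site_roles_with_view`` and
    replaced by a non-acquiring ``('Manager',)`` so the test user's access
    comes solely from the folder-level roles assigned below.
    """
    super(UserWithRolesOnlyOnFolderTestSetup, self).setUp()
    # get & save roles with view
    view_perm = Permission(view, (), self.portal)
    self.site_roles_with_view = view_perm.getRoles()
    # ('Manager') is just the string 'Manager'; the trailing comma makes it
    # the one-element tuple that was intended (tuple = roles not acquired)
    view_perm.setRoles(('Manager',))
    roles = ['Administrator', 'Manager', 'Contributor']
    self.auth_tool.manage_addUsersRoles(name=self.user_obj.name,
                                        roles=roles,
                                        location='/portal/info')
    transaction.commit()
    self.browser_do_login(self.user_name, self.user_password)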
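def rolesOfPermission(self, permission):
    """Returns a permission to role mapping.

    Returns one mapping per valid role with 'name' and 'selected'
    ('SELECTED' when the role holds `permission`, '' otherwise), as a plain
    list rather than the map()/lambda result of the original.

    Raises:
        ValueError: when `permission` is not a known permission.
    """
    valid_roles = self.valid_roles()
    for entry in self.ac_inherited_permissions(1):
        name, value = entry[:2]
        if name == permission:
            roles = Permission(name, value, self).getRoles()
            return [
                {'name': role,
                 'selected': 'SELECTED' if role in roles else ''}
                for role in valid_roles
            ]
    raise ValueError("The permission <em>%s</em> is invalid." % escape(permission))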
def modifyRolesForPermission(ob, pname, roles):
    ''' Modifies multiple role to permission mappings.
    roles is a list to acquire, a tuple to not acquire.
    Returns 1 when the stored roles were changed, 0 when they already
    matched `roles`.
    '''
    # This mimics what AccessControl/Role.py does.
    stored = ()
    for entry in ac_inherited_permissions(ob, 1):
        if entry[0] == pname:
            stored = entry[1]
            break
    perm = Permission(pname, stored, ob)
    if perm.getRoles() == roles:
        return 0
    perm.setRoles(roles)
    return 1
def _update(self, portal):
    """Strip Anonymous from the view-reports permission on the portal.

    When Anonymous holds the permission it is dropped and Administrator,
    Manager and Owner are ensured; the acquire flag (list = acquired) is
    kept as it was.
    """
    view_reports_perm = Permission(PERMISSION_VIEW_REPORTS, (), portal)
    current = view_reports_perm.getRoles()
    acquire = 1 if isinstance(current, list) else 0
    if 'Anonymous' not in current:
        self.log.debug('Anonymous does not have the permission')
        return True
    corrected = set(current)
    corrected.discard('Anonymous')
    corrected.update(['Administrator', 'Manager', 'Owner'])
    portal.manage_permission(PERMISSION_VIEW_REPORTS, list(corrected),
                             acquire=acquire)
    self.log.debug('Anonymous role removed from permission')
    return True
def _update(self, portal):
    """Grant the WebEx request permission to Contributor on the portal.

    If Contributor lacks it, Administrator, Manager and Contributor are all
    ensured while the current acquire flag (list = acquired) is preserved.
    """
    webex_perm = Permission(PERMISSION_REQUEST_WEBEX, (), portal)
    current = webex_perm.getRoles()
    acquire = 1 if isinstance(current, list) else 0
    if 'Contributor' in current:
        self.log.debug('Contributor already has the permission')
        return True
    wanted = set(current)
    wanted.update(['Administrator', 'Manager', 'Contributor'])
    portal.manage_permission(PERMISSION_REQUEST_WEBEX, list(wanted),
                             acquire=acquire)
    self.log.debug(
        'Contributor added to the "Request WebEx permission"')
    return True
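def _checkSettings(self, object, permissionname, acquire=0, roles=()):
    """Assert that `permissionname` on `object` has the expected settings.

    Args:
        object: the object whose permission is inspected.
        permissionname: name of the permission to check.
        acquire: expected acquire flag (a list of stored roles means
            acquired).
        roles: expected roles; defaults to an empty tuple (the former `[]`
            default was a shared mutable).

    Raises:
        ValueError: if the permission is not among the inherited permissions.
        AssertionError: via assertEqual, when the settings differ.
    """
    found = False
    for pstuff in object.ac_inherited_permissions(1):
        name, value = pstuff[:2]
        if name != permissionname:
            continue
        groles = Permission(name, value, object).getRoles(default=[])
        acquired = isinstance(groles, list)
        # role -> 1 mappings, compared as whole dicts so order is irrelevant
        expected = dict.fromkeys(roles, 1)
        got = dict.fromkeys(groles, 1)
        self.assertEqual((acquire, expected), (acquired, got))
        found = True
    if not found:
        raise ValueError("'%s' not found in inherited permissions." % permissionname)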