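def cmsContent(request, app, uri=None, action='', *args):
    """Dispatch a REST action against CMS content.

    :param request: Current request. ``request.root`` is set to the
        application root and ``request.environ['SCRIPT_NAME']`` is
        extended once an action has been found.
    :param app: Key looked up in ``ptah.cms.Factories``.
    :param uri: Uri of the target content; a falsy value selects the
        application root.
    :param action: Name of the ``IRestAction`` adapter to run.
    :param args: Extra positional arguments passed to the action callable.
    :return: Whatever the action callable returns, or ``{}`` when that
        value is falsy.
    :raise NotFound: Unknown application, or no action with this name is
        registered for the content.
    """
    appfactory = ptah.cms.Factories.get(app)
    if appfactory is None:
        raise NotFound()

    root = appfactory(request)
    request.root = root

    # load() is called without a permission argument, so the access decision
    # for this request rests entirely on the checkPermission() call below.
    content = load(uri) if uri else root

    rest_action = config.registry.adapters.lookup(
        (IRestActionClassifier, providedBy(content)),
        IRestAction, name=action, default=None)
    if not rest_action:
        raise NotFound()

    request.environ['SCRIPT_NAME'] = '%s/content:%s/'%(
        request.environ['SCRIPT_NAME'], app)

    # The check must stay ahead of the callable. Its return value is ignored,
    # so it only protects the call below if a failed check raises.
    # NOTE(review): the fourth positional argument is presumably `throw`
    # (the keyword other callers use) -- confirm against the signature.
    ptah.checkPermission(rest_action.permission, content, request, True)

    res = rest_action.callable(content, request, *args)
    return res or {}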
def test_checkpermission_deny(self):
    """NOT_ALLOWED is refused even when the ACL grants everything to everyone."""
    import ptah

    grant_all = (Allow, ptah.Everyone.id, ALL_PERMISSIONS)
    node = Content(acl=[grant_all])

    # An ordinary permission passes under this ACL ...
    self.assertTrue(ptah.checkPermission('View', node, throw=False))
    # ... but the NOT_ALLOWED sentinel is still denied.
    self.assertFalse(
        ptah.checkPermission(ptah.NOT_ALLOWED, node, throw=False))
def test_checkpermission_allow(self):
    """NO_PERMISSION_REQUIRED passes even when the ACL denies everything."""
    import ptah

    node = Content(acl=[DENY_ALL])

    # An ordinary permission is refused under DENY_ALL ...
    self.assertFalse(ptah.checkPermission('View', node, throw=False))
    # ... but the NO_PERMISSION_REQUIRED sentinel is still granted.
    self.assertTrue(
        ptah.checkPermission(NO_PERMISSION_REQUIRED, node, throw=False))
def test_checkpermission_authenticated(self):
    """An ACL entry for Authenticated only applies once a userid is set."""
    import ptah

    node = Content(acl=[(Allow, ptah.Authenticated.id, 'View')])

    # No userid has been set in this test yet: the check fails.
    self.assertFalse(ptah.checkPermission('View', node, throw=False))

    # NOTE(review): the userid is not reset here; presumably the test case's
    # tearDown does it -- confirm, or later tests inherit this login.
    ptah.authService.set_userid('test-user')
    self.assertTrue(ptah.checkPermission('View', node, throw=False))
def test_checkpermission_superuser(self):
    """The superuser passes despite an explicit Deny, except for NOT_ALLOWED."""
    import ptah
    from pyramid import security

    deny_superuser = (Deny, ptah.SUPERUSER_URI, security.ALL_PERMISSIONS)
    node = Content(acl=[deny_superuser])
    ptah.authService.set_userid(ptah.SUPERUSER_URI)

    # The Deny entry for the superuser does not stop 'View' ...
    self.assertTrue(ptah.checkPermission('View', node))
    # ... while the NOT_ALLOWED sentinel is refused even for the superuser.
    self.assertFalse(ptah.checkPermission(ptah.NOT_ALLOWED, node))
def test_checkpermission_local_roles(self):
    """A role granted through __local_roles__ is honoured by checkPermission."""
    import ptah

    node = Content(
        iface=ptah.ILocalRolesAware,
        acl=[(Allow, 'role:test', 'View')])
    ptah.authService.set_userid('test-user')

    # The user does not hold 'role:test' yet, so the ACL entry does not apply.
    self.assertFalse(ptah.checkPermission('View', node, throw=False))

    # Assigning the role locally on the content flips the result.
    node.__local_roles__['test-user'] = ['role:test']
    self.assertTrue(ptah.checkPermission('View', node, throw=False))
def containerNodeInfo(content, request, *args):
    """Container information

    Returns ``nodeInfo(content, request)`` with an added ``__contents__``
    list holding one ordered mapping per child that passes the View check.
    """
    def describe(child):
        # Key order is part of the output, hence OrderedDict.
        return OrderedDict((
            ('__name__', child.__name__),
            ('__type__', child.__type_id__),
            ('__uri__', child.__uri__),
            ('__container__', isinstance(child, Container)),
            ('__link__', '%s%s/'%(request.application_url, child.__uri__)),
            ('title', child.title),
            ('description', child.description),
            ('created', child.created),
            ('modified', child.modified),
        ))

    info = nodeInfo(content, request)

    visible = []
    for child in content.values():
        # Children the caller may not View are left out of the listing
        # entirely, so their names and uris are not disclosed.
        if not ptah.checkPermission(View, child, request): # pragma: no cover
            continue
        visible.append(describe(child))

    info['__contents__'] = visible
    return info
def isAllowed(self, container):
    """Return whether this type may be used in `container`.

    Anything that is not a ``Container`` is refused. When ``self.permission``
    is falsy no permission check is made and every ``Container`` is accepted.
    """
    if isinstance(container, Container):
        # checkPermission is called without a request here.
        return (ptah.checkPermission(self.permission, container)
                if self.permission else True)
    return False
def link_view(context, request):
    """Default view for a Link model.

    With the ModifyContent permission on the link, a display form is
    rendered inside the layout; otherwise the visitor is redirected to the
    link's ``href``.
    """
    if not ptah.checkPermission(ptahcms.ModifyContent, context):
        # NOTE(review): the redirect target is the stored href and nothing in
        # this view restricts its scheme or host -- confirm it is validated
        # when the Link is created or edited.
        raise HTTPFound(location=context.href)

    vform = ptah.form.DisplayForm(context, request)  # needs better UI
    vform.fields = Link.__type__.fieldset
    vform.content = {
        'title': context.title,
        'description': context.description,
        'href': context.href}
    vform.update()

    # Returning vform.render() directly would give the form html without the
    # enclosing layout. The layout is the "wrapping HTML", e.g. the
    # ptahcms.app layout you see at http://localhost:8080/
    wrap_in_layout = view.query_layout(request, context)
    return wrap_in_layout(vform.render())
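def update(self):
    """Process the bulk-action buttons posted from the listing form.

    Stores the result of the DeleteContent check on the context in
    ``self.deleteContent`` and, when that check passed and the remove button
    was posted, deletes every posted ``item`` uri.
    """
    context = self.context
    request = self.request

    self.deleteContent = ptah.checkPermission(
        cms.DeleteContent, context)

    # cms(uri).read()
    # cms(uri).create(type)
    # cms(uri).delete()
    # cms(uri).update(**kwargs)
    # cms(uri).items(offset, limit)

    if self.deleteContent and 'form.buttons.remove' in request.POST:
        # NOTE(review): DeleteContent is checked on the context only, while
        # the uris come straight from the POST body and are not tied to this
        # context here. Confirm cms.wrap() enforces the permission on each
        # resolved item, and that CSRF protection is applied before this
        # method runs -- neither is visible in this method.
        uris = request.POST.getall('item')
        for uri in uris:
            cms.wrap(uri).delete()

        # Report once, and only when something was actually selected.
        if uris:
            self.message("Selected content items have been removed.")

    # Rename and cut are not implemented. The stubs used to echo the posted
    # uris to stdout with a Python 2 print statement; that debug output is
    # dropped. When these are implemented, gate them on a permission check
    # the way the remove branch is.
    if 'form.buttons.rename' in request.POST:
        pass  # TODO: implement rename

    if 'form.buttons.cut' in request.POST:
        pass  # TODO: implement cut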
def check(self, context, request):
    """Return whether this item applies to `context` for this request.

    A truthy ``self.permission`` is checked first and a failure returns
    False. Otherwise the result of ``self.condition(context, request)`` is
    returned as-is, or True when no condition is set.
    """
    denied = self.permission and not ptah.checkPermission(
        self.permission, context, request)
    if denied:
        return False

    # The condition only runs after the permission check has passed.
    if self.condition is None:
        return True
    return self.condition(context, request)
def __getattr__(self, action):
    """Resolve `action` to an ``ActionWrapper`` after a permission check.

    :raise NotFound: No actions are registered, or `action` is not among them.
    :raise Forbidden: The action declares a permission and the check on the
        wrapped content fails.
    """
    known = self._actions
    if not known or action not in known:
        raise NotFound(action)

    fname, permission = known[action]

    # An action registered with a falsy permission is handed out unchecked.
    # checkPermission is called without a request here.
    allowed = not permission or ptah.checkPermission(
        permission, self._content)
    if not allowed:
        raise Forbidden(action)

    return ActionWrapper(self._content, fname)
def apidocAction(content, request, *args):
    """api doc

    Lists the REST actions registered for `content` that pass the
    permission check for this request, sorted by action name.
    """
    base_url = request.application_url
    lookup_key = (IRestActionClassifier, providedBy(content))

    rows = []
    for name, action in config.registry.adapters.lookupAll(
            lookup_key, IRestAction):
        # Actions that fail the check are not advertised at all.
        if ptah.checkPermission(action.permission, content, request):
            entry = OrderedDict((
                ('name', name or 'info'),
                ('link', '%s%s/%s'%(base_url, content.__uri__, name)),
                ('title', action.title),
                ('description', action.description)))
            rows.append((name, action.title, entry))

    # Tuples sort by name first, then title.
    rows.sort()
    return [entry for _name, _title, entry in rows]
def load(uri, permission=None):
    """ Load node by `uri` and initialize __parent__ attributes
    (through ``load_parents``).

    A permission check is made only when `permission` is given. With the
    default ``None`` the node is returned unchecked and the caller is
    responsible for any access control.

    :param uri: Node uri
    :param permission: Check permission on node object
    :type permission: Permission id or None
    :raise NotFound: Node with this uri is not found.
    :raise Forbidden: If current principal doesn't pass permission
        check on loaded node.
    """
    item = ptah.resolve(uri)
    if item is None:
        raise NotFound(uri)

    load_parents(item)

    if permission is not None and not ptah.checkPermission(permission, item):
        raise Forbidden()
    return item