def test_deny_dublincore_view(self):
"""Tests the denial of dublincore view permissions to anonymous.
Users who can view a folder contents page but cannot view dublin core
should still be able to see the folder items' names, but not their
title, modified, and created info.
"""
# add an item that can be viewed from the root folder
obj = OrderedContainer()
alsoProvides(obj, IAttributeAnnotatable)
self.getRootFolder()['obj'] = obj
IZopeDublinCore(obj).title = u'My object'
# deny zope.app.dublincore.view to zope.Anonymous
prm = IRolePermissionManager(self.getRootFolder())
prm.denyPermissionToRole('zope.dublincore.view', 'zope.Anonymous')
# Try both spellings just in case we are used with an older zope.dc
prm.denyPermissionToRole('zope.app.dublincore.view', 'zope.Anonymous')
transaction.commit()
response = self.publish('/')
self.assertEquals(response.getStatus(), 200)
body = response.getBody()
# confirm we can see the file name
self.assert_(body.find('<a href="obj">obj</a>') != -1)
# confirm we *cannot* see the metadata title
self.assert_(body.find('My object') == -1)
def invites(self, value):
roles = IRolePermissionManager(self.__parent__)
for val, role in [('member', 'group.Member'),
('manager', 'group.Manager')]:
if val in value:
roles.grantPermissionToRole('zojax.InviteGroupMember', role)
else:
roles.unsetPermissionFromRole('zojax.InviteGroupMember', role)
def joining(self, value):
roles = IRolePermissionManager(self.__parent__)
for rid in value:
role = queryUtility(IRole, rid)
if IPublicRole.providedBy(role):
roles.grantPermissionToRole('zojax.JoinGroup', rid)
else:
roles.denyPermissionToRole('zojax.JoinGroup', rid)
def test_deny_view(self):
"""Tests the denial of view permissions to anonymous.
This test uses the ZMI interface to deny anonymous zope.View permission
to the root folder.
"""
# deny zope.View to zope.Anonymous
prm = IRolePermissionManager(self.getRootFolder())
prm.denyPermissionToRole('zope.View', 'zope.Anonymous')
transaction.commit()
# confirm Unauthorized when viewing root folder
self.assertRaises(Unauthorized, self.publish, '/')
def test_deny_view(self):
"""Tests the denial of view permissions to anonymous.
This test uses the ZMI interface to deny anonymous zope.View permission
to the root folder.
"""
# deny zope.View to zope.Anonymous
prm = IRolePermissionManager(self.getRootFolder())
prm.denyPermissionToRole('zope.View', 'zope.Anonymous')
transaction.commit()
# confirm Unauthorized when viewing root folder
self.assertRaises(Unauthorized, self.publish, '/')
def change_permissions(event):
if event.destination == Workflow.states.PUBLISHED:
try:
principal = uvcsite.utils.shorties.getPrincipal()
except zope.security.interfaces.NoInteraction:
return
else:
if not uvcsite.auth.interfaces.ICOUser.providedBy(principal):
return
prinper = IPrincipalPermissionManager(event.object)
roleper = IRolePermissionManager(event.object)
roleper.denyPermissionToRole(named(uvcsite.permissions.View),
named(uvcsite.permissions.Editor))
prinper.grantPermissionToPrincipal(named(uvcsite.permissions.View),
event.object.principal.id)
async def sharing_post(context, request):
data = await request.json()
roleperm = IRolePermissionManager(context)
prinrole = IPrincipalRoleManager(context)
if 'prinrole' not in data and 'roleperm' not in data:
raise AttributeError('prinrole or roleperm missing')
if 'prinrole' in data:
for user, roles in data['prinrole'].items():
for role in roles:
prinrole.assignRoleToPrincipal(role, user)
if 'roleperm' in data:
for role, perms in data['roleperm'].items():
for perm in perms:
roleperm.grantPermissionToRole(perm, role)
await notify(ObjectPermissionsModifiedEvent(context))
def status(self, value):
context = removeAllProxies(self.context)
roleper = IRolePermissionManager(context)
if value == 4:
roleper.grantPermissionToRole('zojax.AddComment', 'zope.Anonymous')
else:
roleper.denyPermissionToRole('zojax.AddComment', 'zope.Anonymous')
if value == 3:
if IContentDiscussionAware.providedBy(context):
interface.noLongerProvides(context, IContentDiscussionAware)
else:
if not IContentDiscussionAware.providedBy(context):
interface.alsoProvides(context, IContentDiscussionAware)
discussibleAdded(context, None)
self.data.status = value
def test_deny_dublincore_view(self):
"""Tests the denial of dublincore view permissions to anonymous.
Users who can view a folder contents page but cannot view dublin core
should still be able to see the folder items' names, but not their
title, modified, and created info.
"""
# add an item that can be viewed from the root folder
obj = OrderedContainer()
alsoProvides(obj, IAttributeAnnotatable)
self.getRootFolder()['obj'] = obj
IZopeDublinCore(obj).title = u'My object'
# deny zope.app.dublincore.view to zope.Anonymous
prm = IRolePermissionManager(self.getRootFolder())
prm.denyPermissionToRole('zope.dublincore.view', 'zope.Anonymous')
# Try both spellings just in case we are used with an older zope.dc
prm.denyPermissionToRole('zope.app.dublincore.view', 'zope.Anonymous')
transaction.commit()
response = self.publish('/')
self.assertEquals(response.getStatus(), 200)
body = response.getBody()
# confirm we can see the file name
self.assert_(body.find('<a href="obj">obj</a>') != -1)
# confirm we *cannot* see the metadata title
self.assert_(body.find('My object') == -1)
def remove_edit_permission(event):
if event.destination != PUBLISHED:
return
IRolePermissionManager(event.object).denyPermissionToRole(
'uvc.EditContent', 'uvc.Editor')
def __call__(self, data):
auth = zope.component.getUtility(IAuthentication, context=self.context)
# Add a Admin to the administrators group
login = data['member.login']
admin = authentication.WebSiteMember(login, data['member.password'],
data['member.firstName'],
data['member.lastName'],
data['member.email'])
zope.event.notify(zope.lifecycleevent.ObjectCreatedEvent(admin))
auth['members'].add(admin)
adminGroup = auth['groups']['groups.Administrators']
adminGroup.setPrincipals(adminGroup.principals + (admin.__name__, ),
check=False)
# grant permissions to roles
role_manager = IRolePermissionManager(self.context)
role_manager.grantPermissionToRole(permissions.MANAGESITE,
roles.ADMINISTRATOR)
role_manager.grantPermissionToRole(permissions.MANAGECONTENT,
roles.ADMINISTRATOR)
role_manager.grantPermissionToRole(permissions.MANAGEUSERS,
roles.ADMINISTRATOR)
role_manager.grantPermissionToRole(permissions.VIEW,
roles.ADMINISTRATOR)
role_manager.grantPermissionToRole(permissions.MANAGECONTENT,
roles.MEMBER)
role_manager.grantPermissionToRole(permissions.VIEW, roles.MEMBER)
# grant VIEW to unauthenticated users.
prin_manager = IPrincipalPermissionManager(self.context)
unauth = zope.component.queryUtility(IUnauthenticatedGroup,
context=self.context)
if unauth is not None:
prin_manager.grantPermissionToPrincipal(permissions.VIEW,
unauth.id)
def remove_edit_permission(event):
if event.destination == Workflow.states.PUBLISHED:
IRolePermissionManager(event.object).denyPermissionToRole(
named(uvcsite.permissions.Edit), named(uvcsite.permissions.Editor))
def __call__(self, data):
portal = self.context
# create site manager
try:
sm = portal.getSiteManager()
except:
sm = None
if sm is None:
sm = LocalSiteManager(portal)
portal.setSiteManager(sm)
setSite(portal)
if 'system' not in sm:
system = SiteManagementFolder()
event.notify(ObjectCreatedEvent(system))
sm['system'] = system
else:
system = sm['system']
# IIntId utility
if 'ids' not in system:
ids = component.createObject('zope.app.intid.IntIds')
event.notify(ObjectCreatedEvent(ids))
system['ids'] = ids
else:
system['ids'].__init__()
ids = system['ids']
sm.registerUtility(system['ids'], IIntIds)
ids.register(portal)
# Principal Annotations
if 'principalannotations' not in system:
pa = component.createObject('zope.app.PrincipalAnnotationUtility')
event.notify(ObjectCreatedEvent(pa))
system['principalannotations'] = pa
sm.registerUtility(pa, IPrincipalAnnotationUtility)
# session data container
configlet = sm.getUtility(IConfiglet, 'system.session')
configlet.sessiontype = 'ram'
# set password
password = sm.getUtility(IConfiglet, 'principals.password')
password.passwordManager = 'MD5'
# set site timezone
fomratter = sm.getUtility(IConfiglet, 'system.formatter')
fomratter.timezone = u'UTC'
# set portal access to open
manager = IPrincipalPermissionManager(portal)
everyone = sm.queryUtility(IEveryoneGroup)
if everyone is not None:
manager.grantPermissionToPrincipal(
'zojax.AccessPortal', everyone.id)
authenticated = sm.queryUtility(IAuthenticatedGroup)
if authenticated is not None:
manager.unsetPermissionForPrincipal(
'zojax.AccessPortal', authenticated.id)
# setup default role
roles = sm.getUtility(IPortalRoles)
if 'site.member' not in roles:
role = PortalRole(title = u'Site Member')
event.notify(ObjectCreatedEvent(role))
roles['site.member'] = role
roleId = role.id
sm.getUtility(IDefaultPortalRole).roles = [role.id]
roleperm = IRolePermissionManager(portal)
for permId in ('zojax.PersonalContent', 'zojax.PersonalSpace',
'zojax.forum.addMessage', 'zojax.forum.addTopic',
'zojax.SubmitBlogPost', 'zojax.SubmitDocuments',
'zojax.forum.SubmitTopic', 'zojax.SubmitPhoto',
'zojax.contenttype.SubmitNewsItem',):
roleperm.grantPermissionToRole(permId, roleId)
# install catalog
sm.getUtility(IConfiglet, 'system.catalog').install()
# install workspaces
portal.workspaces = ('overview', 'people', 'news', 'documents')
event.notify(ObjectModifiedEvent(portal))
setSite(None)
def deny_role_permission(self, role, permission):
permission = PERM_MAP[permission]
role = ROLE_MAP[role]
IRolePermissionManager(self.context).denyPermissionToRole(
permission, role)
def grant_roles_to_permissions(obj, event):
# grant roles to permissions
rpm = IRolePermissionManager(obj)
rpm.grantPermissionToRole(u'gum.Add', u'gum.Admin')
rpm.grantPermissionToRole(u'gum.Edit', u'gum.Admin')
def init_application(event):
application = event.object
if not IDatashackle.providedBy(application):
# no datashackle grok application
return
# Site needs to be setted manually at this point.
# Otherwise the framework does not notify the catalog to index the newly
# created propertyform
setSite(application)
configfolder = Folder()
configfolder.title = _(u'Configuration')
application['configuration'] = configfolder
# Deny view, edit permission to role dolmen.Owner (which is the default role for our restricted users).
role_permission = IRolePermissionManager(configfolder)
role_permission.denyPermissionToRole('dolmen.content.View', 'dolmen.Owner')
#role_permission.grantPermissionToRole('dolmen.content.View', 'zope.Manager')
role_permission.denyPermissionToRole('dolmen.content.Edit', 'dolmen.Owner')
#role_permission.grantPermissionToRole('dolmen.content.Edit', 'zope.Manager')
metaconfig = Folder()
metaconfig.title = _(u'Meta configuration')
configfolder['meta'] = metaconfig
ignore_enumeration(metaconfig, 'zope.Everybody')
#users = Users()
#users.title = _(u'Users')
#configfolder['users'] = users
set_ = GenericSet()
set_.title = u'p2_model'
set_.plan_identifier = 'p2_model'
set_.table_identifier = 'p2_model'
set_.table_key_field = 'plan_identifier'
metaconfig['p2_model'] = set_
set_ = GenericSet()
set_.title = u'p2_form'
set_.plan_identifier = 'p2_form'
set_.table_identifier = 'p2_form'
set_.table_key_field = 'form_identifier'
metaconfig['p2_form'] = set_
archetypes = GenericSet()
archetypes.title = _(u'p2_archetype')
archetypes.plan_identifier = 'p2_archetype'
archetypes.table_identifier = 'p2_archetype'
archetypes.table_key_field = 'id'
metaconfig['p2_archetypes'] = archetypes
linkageforms = GenericSet()
linkageforms.title = u'p2_linkage'
linkageforms.plan_identifier = 'p2_linkage'
linkageforms.table_identifier = 'p2_linkage'
linkageforms.table_key_field = 'id'
metaconfig['p2_linkage'] = linkageforms
set_ = GenericSet()
set_.title = u'p2_relation'
set_.plan_identifier = 'p2_relation'
set_.table_identifier = 'p2_relation'
set_.table_key_field = 'id'
metaconfig['p2_relation'] = set_
widget = GenericSet()
widget.title = u'p2_widget'
widget.plan_identifier = 'p2_widget'
widget.table_identifier = 'p2_widget'
widget.table_key_field = 'widget_identifier'
metaconfig['p2_widget'] = widget
set_ = GenericSet()
set_.title = u'p2_span'
set_.plan_identifier = 'p2_span'
set_.table_identifier = 'p2_span'
set_.table_key_field = 'span_identifier'
metaconfig['p2_span'] = set_
set_ = GenericSet()
set_.title = u'p2_span_embeddedform'
set_.plan_identifier = 'p2_span_embeddedform'
set_.table_identifier = 'p2_span_embeddedform'
set_.table_key_field = 'span_identifier'
metaconfig['p2_span_embeddedform'] = set_
set_ = GenericSet()
set_.title = u'p2_span_fileupload'
set_.plan_identifier = 'p2_span_fileupload'
set_.table_identifier = 'p2_span_fileupload'
set_.table_key_field = 'span_identifier'
metaconfig['p2_span_fileupload'] = set_
set_ = GenericSet()
set_.title = u'p2_span_alphanumeric'
set_.plan_identifier = 'p2_span_alphanumeric'
set_.table_identifier = 'p2_span_alphanumeric'
set_.table_key_field = 'span_identifier'
metaconfig['p2_span_alphanumeric'] = set_
set_ = GenericSet()
set_.title = u'p2_span_checkbox'
set_.plan_identifier = 'p2_span_checkbox'
set_.table_identifier = 'p2_span_checkbox'
set_.table_key_field = 'span_identifier'
metaconfig['p2_span_checkbox'] = set_
set_ = GenericSet()
set_.title = u'p2_span_dropdown'
set_.plan_identifier = 'p2_span_dropdown'
set_.table_identifier = 'p2_span_dropdown'
set_.table_key_field = 'span_identifier'
metaconfig['p2_span_dropdown'] = set_
set_ = GenericSet()
set_.title = u'p2_countries'
set_.plan_identifier = 'p2_countries'
set_.table_identifier = 'p2_country'
set_.table_key_field = 'id'
metaconfig['p2_span_countries'] = set_
def unset_role_permission(self, role, permission):
permission = PERM_MAP[permission]
role = ROLE_MAP[role]
IRolePermissionManager(self.context).unsetPermissionFromRole(
permission, role)
def grant_roles_to_permissions(obj, event):
# grant roles to permissions
rpm = IRolePermissionManager(obj)
rpm.grantPermissionToRole(u'gum.Add', u'gum.Admin')
rpm.grantPermissionToRole(u'gum.Edit', u'gum.Admin')
