Example #1
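    def test_deny_dublincore_view(self):
        """Check that denying dublincore view hides metadata from anonymous.

        Users who can view a folder contents page but cannot view dublin core
        should still be able to see the folder items' names, but not their
        title, modified, and created info.

        Only the absence of the title is asserted here; the modified and
        created values are not checked by this test.
        """
        # add an item that can be viewed from the root folder
        obj = OrderedContainer()
        alsoProvides(obj, IAttributeAnnotatable)

        self.getRootFolder()['obj'] = obj
        IZopeDublinCore(obj).title = u'My object'

        # deny the dublincore view permission to zope.Anonymous on the root
        prm = IRolePermissionManager(self.getRootFolder())
        prm.denyPermissionToRole('zope.dublincore.view', 'zope.Anonymous')
        # Try both spellings just in case we are used with an older zope.dc
        prm.denyPermissionToRole('zope.app.dublincore.view', 'zope.Anonymous')
        transaction.commit()

        response = self.publish('/')
        # assertEqual/assertTrue replace the deprecated assertEquals/assert_
        # aliases, which newer unittest releases no longer provide.
        self.assertEqual(response.getStatus(), 200)
        body = response.getBody()

        # confirm we can see the file name
        self.assertTrue('<a href="obj">obj</a>' in body)

        # confirm we *cannot* see the metadata title
        self.assertTrue('My object' not in body)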
Example #2
    def test_deny_view(self):
        """Anonymous requests for the root fail once zope.View is denied.

        The denial is recorded through the root folder's
        IRolePermissionManager adapter and committed before the request
        is published.
        """
        root_folder = self.getRootFolder()
        role_permissions = IRolePermissionManager(root_folder)

        # zope.Anonymous loses zope.View on the root folder
        role_permissions.denyPermissionToRole('zope.View', 'zope.Anonymous')
        transaction.commit()

        # publishing the root folder must now raise Unauthorized
        self.assertRaises(Unauthorized, self.publish, '/')
Example #3
def change_permissions(event):
    """Narrow View access on an object when it moves to PUBLISHED.

    Nothing happens unless the transition's destination is the PUBLISHED
    state, an interaction is active, and the interacting principal
    provides ICOUser.  In that case View is denied to the Editor role on
    the object and granted to the principal stored on the object itself.
    """
    if not (event.destination == Workflow.states.PUBLISHED):
        return

    try:
        acting_principal = uvcsite.utils.shorties.getPrincipal()
    except zope.security.interfaces.NoInteraction:
        # no interaction is active, so leave the permissions untouched
        return

    if not uvcsite.auth.interfaces.ICOUser.providedBy(acting_principal):
        return

    target = event.object
    principal_permissions = IPrincipalPermissionManager(target)
    role_permissions = IRolePermissionManager(target)

    # The role-level denial is recorded first; the grant below names the
    # object's own principal, not the principal driving the transition.
    role_permissions.denyPermissionToRole(
        named(uvcsite.permissions.View),
        named(uvcsite.permissions.Editor))
    principal_permissions.grantPermissionToPrincipal(
        named(uvcsite.permissions.View),
        event.object.principal.id)
Example #4
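async def sharing_post(context, request):
    """Apply role assignments and permission grants from a JSON request body.

    The body is expected to be a JSON object holding one or both of:

    * ``prinrole``: maps a principal id to a list of role ids to assign;
    * ``roleperm``: maps a role id to a list of permission ids to grant.

    The whole payload is validated before any security map is touched, so
    a malformed body is rejected before the first assignment is made.

    NOTE(review): nothing in this function checks that the caller is
    allowed to change sharing on ``context``; presumably the view
    registration enforces that -- confirm.

    Raises:
        AttributeError: if neither key is present, or if a section does
            not have the mapping-of-lists-of-strings shape.  The type is
            kept from the original check so existing handlers still match.
    """
    data = await request.json()
    if not isinstance(data, dict) or (
            'prinrole' not in data and 'roleperm' not in data):
        raise AttributeError('prinrole or roleperm missing')

    # The body is caller-controlled.  Without this check a bare string in
    # place of a list would be iterated character by character and each
    # character handed to the security managers as a role/permission id.
    for section in ('prinrole', 'roleperm'):
        if section not in data:
            continue
        mapping = data[section]
        if not isinstance(mapping, dict):
            raise AttributeError('%s must be an object' % section)
        for ids in mapping.values():
            if not isinstance(ids, (list, tuple)) or not all(
                    isinstance(item, str) for item in ids):
                raise AttributeError(
                    '%s values must be lists of strings' % section)

    roleperm = IRolePermissionManager(context)
    prinrole = IPrincipalRoleManager(context)

    if 'prinrole' in data:
        for user, roles in data['prinrole'].items():
            for role in roles:
                prinrole.assignRoleToPrincipal(role, user)

    if 'roleperm' in data:
        for role, perms in data['roleperm'].items():
            for perm in perms:
                roleperm.grantPermissionToRole(perm, role)
    await notify(ObjectPermissionsModifiedEvent(context))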
Example #5
    def __call__(self, data):
        """Create the first member, make it an administrator, set up grants.

        ``data`` supplies the ``member.*`` form fields.  The new member is
        added to the ``groups.Administrators`` group, the ADMINISTRATOR and
        MEMBER roles receive their permissions on ``self.context``, and
        VIEW is granted to the unauthenticated group when one is registered.
        """
        authn = zope.component.getUtility(IAuthentication,
                                          context=self.context)

        # Build the member from the submitted fields and store it.
        # NOTE(review): the password is passed through as submitted; how
        # WebSiteMember stores it is not visible here -- confirm.
        member_login = data['member.login']
        member = authentication.WebSiteMember(
            member_login,
            data['member.password'],
            data['member.firstName'],
            data['member.lastName'],
            data['member.email'])
        zope.event.notify(zope.lifecycleevent.ObjectCreatedEvent(member))
        authn['members'].add(member)

        # Append the member to the administrators group.
        # NOTE(review): check=False presumably skips the group's own
        # validation of the new principal tuple -- confirm.
        administrators = authn['groups']['groups.Administrators']
        extended = administrators.principals + (member.__name__, )
        administrators.setPrincipals(extended, check=False)

        # Role grants, applied in the listed order.  Every MEMBER receives
        # MANAGECONTENT as well as VIEW.
        role_permissions = IRolePermissionManager(self.context)
        role_grants = (
            (permissions.MANAGESITE, roles.ADMINISTRATOR),
            (permissions.MANAGECONTENT, roles.ADMINISTRATOR),
            (permissions.MANAGEUSERS, roles.ADMINISTRATOR),
            (permissions.VIEW, roles.ADMINISTRATOR),
            (permissions.MANAGECONTENT, roles.MEMBER),
            (permissions.VIEW, roles.MEMBER),
        )
        for permission, role in role_grants:
            role_permissions.grantPermissionToRole(permission, role)

        # VIEW is also granted to the unauthenticated group, so anything
        # guarded only by VIEW on this context is readable without login.
        principal_permissions = IPrincipalPermissionManager(self.context)
        unauthenticated = zope.component.queryUtility(
            IUnauthenticatedGroup, context=self.context)
        if unauthenticated is None:
            return
        principal_permissions.grantPermissionToPrincipal(
            permissions.VIEW, unauthenticated.id)
Example #6
def remove_edit_permission(event):
    """Deny 'uvc.EditContent' to the 'uvc.Editor' role on a published object.

    Transitions to any destination other than PUBLISHED are ignored.
    """
    if event.destination != PUBLISHED:
        return

    # The denial is recorded on the transitioned object only.
    published = event.object
    role_permissions = IRolePermissionManager(published)
    role_permissions.denyPermissionToRole('uvc.EditContent', 'uvc.Editor')
Example #7
def remove_edit_permission(event):
    """Deny the Edit permission to the Editor role once an object is published.

    Only transitions whose destination is Workflow.states.PUBLISHED have
    an effect; the denial is recorded on ``event.object``.
    """
    if not (event.destination == Workflow.states.PUBLISHED):
        return

    role_permissions = IRolePermissionManager(event.object)
    role_permissions.denyPermissionToRole(
        named(uvcsite.permissions.Edit),
        named(uvcsite.permissions.Editor))
Example #8
 def unset_role_permission(self, role, permission):
     """Remove any setting of ``permission`` for ``role`` on self.context.

     Both names are translated through PERM_MAP and ROLE_MAP first, so a
     name missing from either map fails at the lookup and never reaches
     the role-permission manager.
     """
     permission_id = PERM_MAP[permission]
     role_id = ROLE_MAP[role]
     manager = IRolePermissionManager(self.context)
     manager.unsetPermissionFromRole(permission_id, role_id)
Example #9
 def deny_role_permission(self, role, permission):
     """Record a denial of ``permission`` for ``role`` on self.context.

     Both names are translated through PERM_MAP and ROLE_MAP first, so a
     name missing from either map fails at the lookup and never reaches
     the role-permission manager.
     """
     permission_id = PERM_MAP[permission]
     role_id = ROLE_MAP[role]
     manager = IRolePermissionManager(self.context)
     manager.denyPermissionToRole(permission_id, role_id)
Example #10
def grant_roles_to_permissions(obj, event):
    """Grant the gum.Add and gum.Edit permissions to the gum.Admin role.

    The grants are recorded on ``obj``.  ``event`` is accepted but not
    used (presumably this is registered as an object-event subscriber --
    confirm).
    """
    role_permissions = IRolePermissionManager(obj)
    for permission_id in (u'gum.Add', u'gum.Edit'):
        role_permissions.grantPermissionToRole(permission_id, u'gum.Admin')