Exemple #1
    def manage_getPermissionMapping(self):
        """Return the property-sheet permission mapping as a list of dicts.

        Each entry has ``permission_name`` (a name taken from
        ``property_sheet_permissions``) and ``class_permission`` (the class
        permission it is currently mapped to, or ``""`` when the stored
        value matches no defined or inherited class permission).
        """
        sheets = self.getClassAttr("propertysheets")
        sheet = getattr(sheets, self.id)

        # Reverse index: mangled attribute name -> class permission name.
        by_attr = {
            pname(perm): perm
            for perm in self.classDefinedAndInheritedPermissions()
        }

        # getattr has no default here: a sheet that lacks one of the
        # expected attributes raises AttributeError instead of being
        # reported as unmapped.
        return [
            {
                "permission_name": perm,
                "class_permission": by_attr.get(getattr(sheet, pname(perm)), ""),
            }
            for perm in property_sheet_permissions
        ]
Exemple #2
    def _applyAllStaticSecurity(cls):
        """
        Pin every permission on portal_components to a fixed set of roles.

        Nobody may change Permissions: 'Change permissions' and
        'Define permissions' map to an empty role tuple. Only the 'ghost'
        Developer Role may add/modify/delete Components, read-style
        permissions are shared with Manager, and 'Reset dynamic classes'
        is Manager-only. The roles are exposed through 'property' so they
        are read-only on instances.

        cls is erp5.portal_type.Component Tool and not this class, as this
        function is called on the Portal Type class when loading the
        Component Tool Portal Type class.
        """
        from AccessControl.Permission import getPermissions, pname

        def fixed_roles(*roles):
            # A getter-only property: assigning the attribute on an instance
            # raises AttributeError. Code able to rebind the attribute on the
            # class itself is not stopped by this.
            return property(lambda self: roles)

        # Only permissions returned by getPermissions() at call time are
        # covered.
        for permission_name, _, _ in getPermissions():
            # Branch order matters: the exact-name checks come before the
            # prefix checks. 'View' is matched without a trailing space, so
            # any permission whose name starts with "View" lands in the
            # read-style branch.
            if permission_name == 'Reset dynamic classes':
                static_roles = fixed_roles('Manager')
            elif permission_name in ('Change permissions',
                                     'Define permissions'):
                static_roles = fixed_roles()
            elif (permission_name.startswith('Access ')
                  or permission_name.startswith('View')
                  or permission_name == 'WebDAV access'):
                static_roles = fixed_roles('Developer', 'Manager')
            else:
                static_roles = fixed_roles('Developer')

            setattr(cls, pname(permission_name), static_roles)
Exemple #3
  def _applyAllStaticSecurity(cls):
    """
    Apply static security on portal_components so that nobody can change
    Permissions and only the 'ghost' Developer Role has Permissions to
    add/modify/delete Components. The role tuples are installed as
    'property' objects, which makes them read-only on instances.

    cls is erp5.portal_type.Component Tool and not this class, as this
    function is called on the Portal Type class when loading the Component
    Tool Portal Type class.
    """
    from AccessControl.Permission import getPermissions, pname

    # Permissions that no role may hold once this has run.
    locked = ('Change permissions', 'Define permissions')
    # 'Access ' carries a trailing space, 'View' does not: every permission
    # name beginning with "View" is treated as a read-style permission.
    read_prefixes = ('Access ', 'View')

    for permission_name, _, _ in getPermissions():
      if permission_name == 'Reset dynamic classes':
        roles = ('Manager',)
      elif permission_name in locked:
        roles = ()
      elif (permission_name.startswith(read_prefixes) or
            permission_name == 'WebDAV access'):
        roles = ('Developer', 'Manager')
      else:
        roles = ('Developer',)

      # Bind the tuple as a default argument so each property keeps the
      # value chosen in this iteration. With no setter, assignment on an
      # instance raises AttributeError.
      setattr(cls, pname(permission_name),
              property(lambda self, roles=roles: roles))
Exemple #4
def setDefaultRoles(permission, roles):
    """Register ``permission`` with ``roles`` as its default roles.

    Only the first registration takes effect: when ``permission`` is
    already in ``_registeredPermissions`` the call returns without touching
    the stored roles, so a later call cannot tighten or loosen them.
    """
    if permission in _registeredPermissions:
        return

    _registeredPermissions[permission] = 1
    entry = (permission, (), roles)
    Products.__ac_permissions__ = Products.__ac_permissions__ + (entry,)
    # The default roles live on ApplicationDefaultPermissions under the
    # attribute name pname() derives from the permission name.
    setattr(ApplicationDefaultPermissions, pname(permission), roles)
Exemple #5
    def manage_getPermissionMapping(self):
        """Return the property-sheet permission mapping.

        The result is a list of dictionaries, one per name in
        ``property_sheet_permissions``, with the keys 'permission_name' and
        'class_permission'. 'class_permission' is '' when the value stored
        on the sheet matches no defined or inherited class permission.
        """
        sheet = getattr(self.getClassAttr('propertysheets'), self.id)

        # mangled attribute name -> class permission name
        known = dict(
            (pname(perm), perm)
            for perm in self.classDefinedAndInheritedPermissions())

        mapping = []
        for perm in property_sheet_permissions:
            # No getattr default: a missing attribute raises AttributeError.
            stored = getattr(sheet, pname(perm))
            mapping.append({
                'permission_name': perm,
                'class_permission': known.get(stored, ''),
            })
        return mapping
Exemple #6
    def manage_setPermissionMapping(self, permission_names=[], class_permissions=[], REQUEST=None):
        """Change property sheet permissions.

        ``permission_names[i]`` is mapped to ``class_permissions[i]``. A
        non-empty class permission must be one of the class's defined or
        inherited permissions, otherwise ValueError is raised. Names not in
        ``property_sheet_permissions`` are skipped.

        Validation and assignment share one loop, so an invalid entry
        raises after the entries before it have already been applied.
        NOTE(review): presumably the caller's transaction handling undoes
        those earlier writes; confirm.
        """
        sheets = self.getClassAttr("propertysheets")
        sheet = getattr(sheets, self.id)

        allowed = self.classDefinedAndInheritedPermissions()
        for i, name in enumerate(permission_names):
            # Indexing (not zip) keeps the IndexError when class_permissions
            # is shorter than permission_names.
            p = class_permissions[i]
            if p and (p not in allowed):
                __traceback_info__ = allowed, p, i
                raise ValueError("Invalid class permission")

            if name in property_sheet_permissions:
                setattr(sheet, pname(name), pname(p))

        if REQUEST is not None:
            return self.manage_security(self, REQUEST, manage_tabs_message="The permission mapping has been updated")
Exemple #7
def setDefaultRoles(permission, roles):
    '''
    Set the default roles for a permission.

    A permission that is already registered is left untouched: the first
    call decides its default roles and later calls are no-ops.
    '''
    # XXX This ought to be in AccessControl.SecurityInfo.
    if permission in _registeredPermissions:
        return

    _registeredPermissions[permission] = 1
    new_entry = (permission, (), roles)
    Products.__ac_permissions__ = Products.__ac_permissions__ + (new_entry,)
    # Default roles are stored under the pname()-mangled attribute name.
    setattr(ApplicationDefaultPermissions, pname(permission), roles)
Exemple #8
def setDefaultRoles(permission, roles):
    '''
    Set the default roles for a permission, once.

    If the permission is already in ``_registeredPermissions`` nothing is
    changed, so the roles passed by the first caller stay in force.
    '''
    # XXX This ought to be in AccessControl.SecurityInfo.
    already_registered = permission in _registeredPermissions
    if not already_registered:
        _registeredPermissions[permission] = 1
        declaration = ((permission, (), roles),)
        Products.__ac_permissions__ = Products.__ac_permissions__ + declaration
        attr_name = pname(permission)
        setattr(ApplicationDefaultPermissions, attr_name, roles)
Exemple #9
    def manage_setPermissionMapping(self, permission_names=[],
                                    class_permissions=[],
                                    REQUEST=None):
        """Change property sheet permissions.

        Maps ``permission_names[i]`` to ``class_permissions[i]``. Raises
        ValueError when a non-empty class permission is not among the
        class's defined or inherited permissions. Names outside
        ``property_sheet_permissions`` are ignored.

        The check runs per entry inside the loop: entries before an invalid
        one have already been written when the error is raised.
        """
        sheet = getattr(self.getClassAttr('propertysheets'), self.id)
        valid_permissions = self.classDefinedAndInheritedPermissions()

        for i, name in enumerate(permission_names):
            # A short class_permissions list surfaces as IndexError here.
            p = class_permissions[i]
            if p and (p not in valid_permissions):
                __traceback_info__ = valid_permissions, p, i
                raise ValueError('Invalid class permission')

            if name not in property_sheet_permissions:
                continue

            setattr(sheet, pname(name), pname(p))

        if REQUEST is None:
            return None
        return self.manage_security(
            self, REQUEST,
            manage_tabs_message='The permission mapping has been updated')
Exemple #10
def setDefaultRoles(permission, roles):
    '''
    Set the default roles for a permission.

    Delegates to ``addPermission`` when it is available. Otherwise the
    permission is registered by hand, and only if it is not registered
    yet: an existing registration keeps its roles.
    '''
    if addPermission is not None:
        addPermission(permission, roles)
        return

    # BBB This is in AccessControl starting in Zope 2.13
    import Products
    if permission in _registeredPermissions:
        return
    _registeredPermissions[permission] = 1
    entry = (permission, (), roles)
    Products.__ac_permissions__ = Products.__ac_permissions__ + (entry,)
    setattr(ApplicationDefaultPermissions, pname(permission), roles)
Exemple #11
def get_permission_dict():
    """Return a dictionary mapping permission attribute name to permission.

    Does not discover permissions defined in ZClass products, since that
    would require access to the Zope application in the database.

    The mapping is built once from ``Products.__ac_permissions__`` and then
    served from a module-level cache that this function never refreshes:
    permissions registered after the first call do not appear in it.
    """
    global _permission_dict_cache
    if _permission_dict_cache is None:
        _permission_dict_cache = dict(
            (pname(entry[0]), entry[0])
            for entry in Products.__ac_permissions__)
    return _permission_dict_cache
Exemple #12
def get_permission_dict():
    """Map each permission's attribute name to the permission name.

    Does not discover permissions defined in ZClass products, since that
    would require access to the Zope application in the database.

    The result is cached at module level on first use and returned as-is
    afterwards, so it reflects ``Products.__ac_permissions__`` as it was at
    the time of the first call.
    """
    global _permission_dict_cache
    cached = _permission_dict_cache
    if cached is not None:
        return cached

    names = [declaration[0] for declaration in Products.__ac_permissions__]
    mapping = dict((pname(name), name) for name in names)
    _permission_dict_cache = mapping
    return mapping
Exemple #13
def setDefaultRoles(permission, roles):
    '''
    Set the default roles for a permission.

    Uses ``addPermission`` when present. The fallback registers the
    permission directly and skips permissions that are already registered,
    leaving their existing default roles in place.
    '''
    if addPermission is not None:
        addPermission(permission, roles)
        return

    # BBB This is in AccessControl starting in Zope 2.13
    import Products
    is_new = permission not in _registeredPermissions
    if is_new:
        _registeredPermissions[permission] = 1
        declaration = ((permission, (), roles),)
        Products.__ac_permissions__ = Products.__ac_permissions__ + declaration
        attr_name = pname(permission)
        setattr(ApplicationDefaultPermissions, attr_name, roles)
def setDefaultRoles(permission, roles):
    """ Set the default roles for a permission.

    Delegates to ``addPermission`` when it is available. The fallback path
    writes to AccessControl's registry directly and only for a permission
    that is not registered yet; a repeated call does not change the roles
    of an existing registration.
    """
    if addPermission is not None:
        addPermission(permission, roles)
        return

    # BBB This is in AccessControl starting in Zope 2.13
    from AccessControl.Permission import _registeredPermissions
    from AccessControl.Permission import pname
    from AccessControl.Permission import ApplicationDefaultPermissions
    import Products

    if permission in _registeredPermissions:
        return
    _registeredPermissions[permission] = 1
    entry = (permission, (), roles)
    Products.__ac_permissions__ = Products.__ac_permissions__ + (entry,)
    setattr(ApplicationDefaultPermissions, pname(permission), roles)
Exemple #15
def setDefaultRoles( permission, roles ):
    """ Set the default roles for a permission.

    ``addPermission`` is used when available. Otherwise the permission is
    added to AccessControl's registry by hand, unless it is already there,
    in which case its current default roles are kept.
    """
    if addPermission is not None:
        addPermission(permission, roles)
        return

    # BBB This is in AccessControl starting in Zope 2.13
    from AccessControl.Permission import _registeredPermissions
    from AccessControl.Permission import pname
    from AccessControl.Permission import ApplicationDefaultPermissions
    import Products

    is_new = permission not in _registeredPermissions
    if is_new:
        _registeredPermissions[permission] = 1
        declaration = ((permission, (), roles),)
        Products.__ac_permissions__ = Products.__ac_permissions__ + declaration
        attr_name = pname(permission)
        setattr(ApplicationDefaultPermissions, attr_name, roles)
    def manage_getPermissionMapping(self):
        """Return the permission mapping for the object

        This is a list of dictionaries with:

          permission_name -- The name of the native object permission

          class_permission -- The class permission the permission is
             mapped to, or '' when the stored mapping matches none of
             the object's possible permissions.
        """
        wrapper = getattr(self, '_permissionMapper', None)
        if wrapper is None:
            # No mapper stored on the object: read from a fresh PM().
            wrapper = PM()

        # mangled attribute name -> permission name
        by_attr = dict((pname(perm), perm)
                       for perm in self.possible_permissions())

        mapping = []
        for entry in self.ac_inherited_permissions(1):
            native = entry[0]
            mapped = by_attr.get(getPermissionMapping(native, wrapper), '')
            mapping.append({'permission_name': native,
                            'class_permission': mapped})
        return mapping
Exemple #17
#####################
# Newly created sites

from AccessControl.Permission import _registeredPermissions
from AccessControl.Permission import ApplicationDefaultPermissions
from AccessControl.Permission import pname
from Products.kupu.plone import permissions


# Reset the ManageLibraries registration so that the setDefaultRoles() call
# at the end of this run can install a new set of default roles.
# This reaches into underscore-prefixed internals of AccessControl.Permission.
# NOTE(review): presumably needed because setDefaultRoles() leaves an
# already-registered permission untouched; confirm against
# permissions.setDefaultRoles on the AccessControl version in use.

# Attribute name under which the permission's default roles are stored.
mangled = pname(permissions.ManageLibraries)
# Drop the previously installed default roles, if any.
if hasattr(ApplicationDefaultPermissions, mangled):
    delattr(ApplicationDefaultPermissions, mangled)


# Forget that the permission was registered.
if permissions.ManageLibraries in _registeredPermissions:
    del _registeredPermissions[permissions.ManageLibraries]


# Re-register: default roles become Manager and Site Administrator.
permissions.setDefaultRoles(permissions.ManageLibraries, ("Manager", "Site Administrator"))
Exemple #18
    def deserialize(self, event, state):
        """Rebuild the security attributes of ``event.obj`` from ``state``.

        ``state`` is an iterable of ``(decl_type, role, permission,
        username)`` tuples. Depending on the declarations present, this
        sets the executable owner, local roles, defined roles, proxy roles
        and per-permission role attributes on the object. An unknown
        ``decl_type`` raises ValueError.

        NOTE(review): the per-field checks are ``assert`` statements, which
        Python drops under -O, and several fields (role, username,
        permission) are not checked for emptiness at all. ``state`` decides
        ownership and role grants, so it should come from a trusted store.
        """
        local_roles = {}          # { username -> [role,] }
        defined_roles = []        # [role,]
        proxy_roles = []          # [role,]
        permission_roles = {}     # { permission -> [role,] }
        permission_acquired = {}  # { permission -> 0 or 1 }

        obj = event.obj
        for decl_type, role, permission, username in state:
            if decl_type == 'executable-owner':
                assert not role
                assert not permission
                # Split "folder/path/user" at the last slash.
                folder_path, slash, uname = username.rpartition('/')
                if slash:
                    ufolder = folder_path.split('/')
                else:
                    # Default to the root folder
                    ufolder = ['acl_users']
                assert ufolder
                assert uname
                obj._owner = (ufolder, uname)

            elif decl_type == 'local-role':
                assert not permission
                local_roles.setdefault(username, []).append(role)

            elif decl_type == 'define-role':
                assert not permission
                assert not username
                defined_roles.append(role)

            elif decl_type == 'proxy-role':
                assert not permission
                assert not username
                proxy_roles.append(role)

            elif decl_type == 'permission-role':
                assert not username
                permission_roles.setdefault(permission, []).append(role)
                # Acquire by default; an explicit 'permission-no-acquire'
                # already recorded for this permission is kept.
                permission_acquired.setdefault(permission, 1)

            elif decl_type == 'permission-no-acquire':
                assert not role
                assert not username
                permission_acquired[permission] = 0

            else:
                raise ValueError('declaration_type %s unknown' %
                                 repr(decl_type))

        if local_roles:
            obj.__ac_local_roles__ = local_roles
        if defined_roles:
            obj.__ac_roles__ = tuple(sorted(defined_roles))
        if proxy_roles:
            obj._proxy_roles = tuple(proxy_roles)

        for p, acquired in permission_acquired.items():
            granted = permission_roles.get(p, [])
            # Stored as a list when roles are also acquired, as a tuple when
            # acquisition is switched off for this permission.
            setattr(obj, pname(p), granted if acquired else tuple(granted))
Exemple #19
#####################
# Newly created sites

from AccessControl.Permission import _registeredPermissions
from AccessControl.Permission import ApplicationDefaultPermissions
from AccessControl.Permission import pname
from Products.kupu.plone import permissions


# Clear the existing ManageLibraries registration, then register it again
# with the default roles given in the final call of this run.
# Uses underscore-prefixed internals of AccessControl.Permission.
# NOTE(review): presumably required because setDefaultRoles() skips a
# permission that is already registered; confirm for the AccessControl
# version in use.

# Attribute name holding the permission's default roles.
mangled = pname(permissions.ManageLibraries)
# Remove the old default roles, if present.
if hasattr(ApplicationDefaultPermissions, mangled):
    delattr(ApplicationDefaultPermissions, mangled)


# Remove the "already registered" marker.
if permissions.ManageLibraries in _registeredPermissions:
    del _registeredPermissions[permissions.ManageLibraries]


# Register again: Manager and Site Administrator get the permission by default.
permissions.setDefaultRoles(
    permissions.ManageLibraries,
    ('Manager', 'Site Administrator',)
    )
Exemple #20
    def deserialize(self, event, state):
        """Apply the security declarations in ``state`` to ``event.obj``.

        Every item of ``state`` is a ``(decl_type, role, permission,
        username)`` tuple. The declarations are collected first and then
        written to the object: owner, local roles, defined roles, proxy
        roles, and one role attribute per permission. ValueError is raised
        for an unknown ``decl_type``.

        NOTE(review): field validation relies on ``assert``, which is
        removed when Python runs with -O, and empty role / username /
        permission values are not rejected. The input controls who owns the
        object and which roles are granted; treat its source as
        security-critical.
        """
        roles_by_user = {}        # { username -> [role,] }
        defined_roles = []        # [role,]
        proxy_roles = []          # [role,]
        roles_by_permission = {}  # { permission -> [role,] }
        acquire_flags = {}        # { permission -> 0 or 1 }

        obj = event.obj
        for decl_type, role, permission, username in state:
            if decl_type == 'executable-owner':
                assert not role
                assert not permission
                last_slash = username.rfind('/')
                if last_slash >= 0:
                    ufolder = username[:last_slash].split('/')
                    uname = username[last_slash + 1:]
                else:
                    # Default to the root folder
                    ufolder = ['acl_users']
                    uname = username
                assert ufolder
                assert uname
                obj._owner = (ufolder, uname)

            elif decl_type == 'local-role':
                assert not permission
                if username not in roles_by_user:
                    roles_by_user[username] = []
                roles_by_user[username].append(role)

            elif decl_type == 'define-role':
                assert not permission
                assert not username
                defined_roles.append(role)

            elif decl_type == 'proxy-role':
                assert not permission
                assert not username
                proxy_roles.append(role)

            elif decl_type == 'permission-role':
                assert not username
                if permission not in roles_by_permission:
                    roles_by_permission[permission] = []
                roles_by_permission[permission].append(role)
                # Default to "acquired" unless a no-acquire declaration for
                # this permission was seen earlier.
                if permission not in acquire_flags:
                    acquire_flags[permission] = 1

            elif decl_type == 'permission-no-acquire':
                assert not role
                assert not username
                acquire_flags[permission] = 0

            else:
                raise ValueError(
                    'declaration_type %s unknown' % repr(decl_type))

        if roles_by_user:
            obj.__ac_local_roles__ = roles_by_user
        if defined_roles:
            defined_roles.sort()
            obj.__ac_roles__ = tuple(defined_roles)
        if proxy_roles:
            obj._proxy_roles = tuple(proxy_roles)

        for p, acquired in acquire_flags.items():
            granted = roles_by_permission.get(p, [])
            if not acquired:
                # Tuple form records that acquisition is off.
                granted = tuple(granted)
            setattr(obj, pname(p), granted)
def getPermissionMapping(name, obj, st=type('')):
    """Return the mapping stored on ``obj`` for permission ``name``.

    The lookup goes through ``obj.aq_base`` when that attribute exists, and
    reads the attribute named by ``pname(name)``. The result is '' when the
    attribute is missing or its value is not exactly of type ``st`` (the
    type of '' by default).
    """
    base = getattr(obj, 'aq_base', obj)
    mapped = getattr(base, pname(name), '')
    # Exact type match, as in the original: subclasses of st are rejected.
    return mapped if type(mapped) is st else ''
def setPermissionMapping(name, obj, v):
    """Map permission ``name`` to permission ``v`` on ``obj``.

    A truthy ``v`` stores ``pname(v)`` under the attribute ``pname(name)``.
    A falsy ``v`` removes the mapping, but only when the attribute is set
    on ``obj`` itself (present in ``obj.__dict__``); nothing is validated
    about ``v`` here, so callers are responsible for checking it.
    """
    attr = pname(name)
    if v:
        setattr(obj, attr, pname(v))
        return
    if attr in obj.__dict__:
        delattr(obj, attr)