Python mergedLocalRoles Exemples

Exemple #1

Fichier : CatalogTool.py Projet : alvsgithub/erp5

    def _getSecurityParameterList(self):
      result = self.__dict__.get('_cache_result', None)
      if result is None:
        ob = self.__ob
        # For each group or user, we have a list of roles, this list
        # give in this order : [roles on object, roles acquired on the parent,
        # roles acquired on the parent of the parent....]
        # So if we have ['-Author','Author'] we should remove the role 'Author'
        # but if we have ['Author','-Author'] we have to keep the role 'Author'
        localroles = {}
        skip_role_set = set()
        skip_role = skip_role_set.add
        clear_skip_role = skip_role_set.clear
        for key, role_list in mergedLocalRoles(ob).iteritems():
          new_role_list = []
          new_role = new_role_list.append
          clear_skip_role()
          for role in role_list:
            if role[:1] == '-':
              skip_role(role[1:])
            elif role not in skip_role_set:
              new_role(role)
          if len(new_role_list)>0:
            localroles[key] = new_role_list

        portal = ob.getPortalObject()
        role_dict = dict(portal.portal_catalog.getSQLCatalog().\
                                              getSQLCatalogRoleKeysList())
        getUserById = portal.acl_users.getUserById

        allowed_dict = {}

        # For each local role of a user:
        #   If the local role grants View permission, add it.
        # Every addition implies 2 lines:
        #   user:<user_id>
        #   user:<user_id>:<role_id>
        # A line must not be present twice in final result.
        allowed_role_set = set(rolesForPermissionOn('View', ob))
        # XXX the permission name is included by default for verbose
        # logging of security errors, but the catalog does not need to
        # index it. Unfortunately, rolesForPermissionOn does not have
        # an option to disable this behavior at calling time, so
        # discard it explicitly.
        allowed_role_set.discard('_View_Permission')
        # XXX Owner is hardcoded, in order to prevent searching for user on the
        # site root.
        allowed_role_set.discard('Owner')

        # XXX make this a method of base ?
        local_roles_group_id_group_id = deepcopy(getattr(ob,
          '__ac_local_roles_group_id_dict__', {}))

        # If we acquire a permission, then we also want to acquire the local
        # roles group ids
        local_roles_container = ob
        while getattr(local_roles_container, 'isRADContent', 0):
          if local_roles_container._getAcquireLocalRoles():
            local_roles_container = local_roles_container.aq_parent
            for role_definition_group, user_and_role_list in \
                getattr(local_roles_container,
                        '__ac_local_roles_group_id_dict__',
                        {}).items():
              local_roles_group_id_group_id.setdefault(role_definition_group, set()
                ).update(user_and_role_list)
          else:
            break

        allowed_by_local_roles_group_id = {}
        allowed_by_local_roles_group_id[''] = allowed_role_set

        user_role_dict = {}
        user_view_permission_role_dict = {}
        optimized_role_set = set()
        # First parse optimized roles and build optimized_role_set
        for role_definition_group, user_and_role_list in local_roles_group_id_group_id.items():
          group_allowed_set = allowed_by_local_roles_group_id.setdefault(
            role_definition_group, set())
          for user, role in user_and_role_list:
            if role in allowed_role_set:
              prefix = 'user:'******'%s:%s' % (prefix, role)))
              optimized_role_set.add((user, role))

        # Then parse other roles
        for user, roles in localroles.iteritems():
          prefix = 'user:'******'', )):
                group_allowed_set = allowed_by_local_roles_group_id.setdefault(
                  group, set())
                if (user, role) not in optimized_role_set:
                  # add only if not already added to optimized_role_set to avoid polluting indexation table
                  group_allowed_set.update((prefix, '%s:%s' % (prefix, role)))

        # sort `allowed` principals
        sorted_allowed_by_local_roles_group_id = {}
        for local_roles_group_id, allowed in \
                allowed_by_local_roles_group_id.items():
          sorted_allowed_by_local_roles_group_id[local_roles_group_id] = tuple(
            sorted(allowed))

        self._cache_result = result = (sorted_allowed_by_local_roles_group_id,
                                       user_role_dict,
                                       user_view_permission_role_dict)
      return result

Exemple #2

Fichier : CatalogTool.py Projet : ccwalkerjm/erp5

    def _getSecurityParameterList(self):
      result = self.__dict__.get('_cache_result', None)
      if result is None:
        ob = self.__ob
        # For each group or user, we have a list of roles, this list
        # give in this order : [roles on object, roles acquired on the parent,
        # roles acquired on the parent of the parent....]
        # So if we have ['-Author','Author'] we should remove the role 'Author'
        # but if we have ['Author','-Author'] we have to keep the role 'Author'
        localroles = {}
        skip_role_set = set()
        skip_role = skip_role_set.add
        clear_skip_role = skip_role_set.clear
        for key, role_list in mergedLocalRoles(ob).iteritems():
          new_role_list = []
          new_role = new_role_list.append
          clear_skip_role()
          for role in role_list:
            if role[:1] == '-':
              skip_role(role[1:])
            elif role not in skip_role_set:
              new_role(role)
          if new_role_list:
            localroles[key] = [new_role_list, False]

        portal = ob.getPortalObject()
        role_dict = dict(portal.portal_catalog.getSQLCatalog().\
                                              getSQLCatalogRoleKeysList())
        for user_info in portal.acl_users.searchUsers(id=tuple(localroles), exact_match=True):
          key = user_info['id']
          try:
            localroles[key][1] = True
          except KeyError:
            # We found a bug, report it but do not make indexation fail.
            LOG(
              'CatalogTool.IndexableObjectWrapper',
              PROBLEM,
              'searchUser(id=%r, exact_match=True) returned an entry with '
              'id=%r. This is very likely a bugin a PAS plugin !' % (
                tuple(localroles),
                key,
              ),
            )

        allowed_dict = {}

        # For each local role of a user:
        #   If the local role grants View permission, add it.
        # Every addition implies 2 lines:
        #   user:<user_id>
        #   user:<user_id>:<role_id>
        # A line must not be present twice in final result.
        allowed_role_set = set(rolesForPermissionOn('View', ob))
        # XXX the permission name is included by default for verbose
        # logging of security errors, but the catalog does not need to
        # index it. Unfortunately, rolesForPermissionOn does not have
        # an option to disable this behavior at calling time, so
        # discard it explicitly.
        allowed_role_set.discard('_View_Permission')
        # XXX Owner is hardcoded, in order to prevent searching for user on the
        # site root.
        allowed_role_set.discard('Owner')

        # XXX make this a method of base ?
        local_roles_group_id_dict = deepcopy(getattr(ob,
          '__ac_local_roles_group_id_dict__', {}))

        # If we acquire a permission, then we also want to acquire the local
        # roles group ids
        local_roles_container = ob
        while getattr(local_roles_container, 'isRADContent', 0):
          if local_roles_container._getAcquireLocalRoles():
            local_roles_container = local_roles_container.aq_parent
            for role_definition_group, user_and_role_list in \
                getattr(local_roles_container,
                        '__ac_local_roles_group_id_dict__',
                        {}).items():
              local_roles_group_id_dict.setdefault(role_definition_group, set()
                ).update(user_and_role_list)
          else:
            break

        allowed_by_local_roles_group_id = {}
        allowed_by_local_roles_group_id[''] = allowed_role_set

        optimized_role_set = set()
        for role_definition_group, user_and_role_list in local_roles_group_id_dict.iteritems():
          group_allowed_set = allowed_by_local_roles_group_id.setdefault(
            role_definition_group, set())
          for user, role in user_and_role_list:
            if role in allowed_role_set:
              prefix = 'user:'******'%s:%s' % (prefix, role)))
              optimized_role_set.add((user, role))
        user_role_dict = {}
        user_view_permission_role_dict = {}
        for user, (roles, user_exists) in localroles.iteritems():
          prefix = 'user:'******'', )):
                group_allowed_set = allowed_by_local_roles_group_id.setdefault(
                  group, set())
                if is_not_in_optimised_role_set:
                  group_allowed_set.add(prefix)
                  group_allowed_set.add('%s:%s' % (prefix, role))

        # sort `allowed` principals
        sorted_allowed_by_local_roles_group_id = {}
        for local_roles_group_id, allowed in \
                allowed_by_local_roles_group_id.iteritems():
          sorted_allowed_by_local_roles_group_id[local_roles_group_id] = tuple(
            sorted(allowed))

        self._cache_result = result = (sorted_allowed_by_local_roles_group_id,
                                       user_role_dict,
                                       user_view_permission_role_dict)
      return result

Exemple #3

    def _getSecurityParameterList(self):
        result = self.__dict__.get('_cache_result', None)
        if result is None:
            ob = self.__ob
            # For each group or user, we have a list of roles, this list
            # give in this order : [roles on object, roles acquired on the parent,
            # roles acquired on the parent of the parent....]
            # So if we have ['-Author','Author'] we should remove the role 'Author'
            # but if we have ['Author','-Author'] we have to keep the role 'Author'
            localroles = {}
            skip_role_set = set()
            skip_role = skip_role_set.add
            clear_skip_role = skip_role_set.clear
            for key, role_list in mergedLocalRoles(ob).iteritems():
                new_role_list = []
                new_role = new_role_list.append
                clear_skip_role()
                for role in role_list:
                    if role[:1] == '-':
                        skip_role(role[1:])
                    elif role not in skip_role_set:
                        new_role(role)
                if new_role_list:
                    localroles[key] = [new_role_list, False]

            portal = ob.getPortalObject()
            role_dict = dict(portal.portal_catalog.getSQLCatalog().\
                                                  getSQLCatalogRoleKeysList())
            for user_info in portal.acl_users.searchUsers(id=tuple(localroles),
                                                          exact_match=True):
                key = user_info['id']
                try:
                    localroles[key][1] = True
                except KeyError:
                    # We found a bug, report it but do not make indexation fail.
                    LOG(
                        'CatalogTool.IndexableObjectWrapper',
                        PROBLEM,
                        'searchUser(id=%r, exact_match=True) returned an entry with '
                        'id=%r. This is very likely a bugin a PAS plugin !' % (
                            tuple(localroles),
                            key,
                        ),
                    )

            allowed_dict = {}

            # For each local role of a user:
            #   If the local role grants View permission, add it.
            # Every addition implies 2 lines:
            #   user:<user_id>
            #   user:<user_id>:<role_id>
            # A line must not be present twice in final result.
            allowed_role_set = set(rolesForPermissionOn('View', ob))
            # XXX the permission name is included by default for verbose
            # logging of security errors, but the catalog does not need to
            # index it. Unfortunately, rolesForPermissionOn does not have
            # an option to disable this behavior at calling time, so
            # discard it explicitly.
            allowed_role_set.discard('_View_Permission')
            # XXX Owner is hardcoded, in order to prevent searching for user on the
            # site root.
            allowed_role_set.discard('Owner')

            # XXX make this a method of base ?
            local_roles_group_id_dict = deepcopy(
                getattr(ob, '__ac_local_roles_group_id_dict__', {}))

            # If we acquire a permission, then we also want to acquire the local
            # roles group ids
            local_roles_container = ob
            while getattr(local_roles_container, 'isRADContent', 0):
                if local_roles_container._getAcquireLocalRoles():
                    local_roles_container = local_roles_container.aq_parent
                    for role_definition_group, user_and_role_list in \
                        getattr(local_roles_container,
                                '__ac_local_roles_group_id_dict__',
                                {}).items():
                        local_roles_group_id_dict.setdefault(
                            role_definition_group,
                            set()).update(user_and_role_list)
                else:
                    break

            allowed_by_local_roles_group_id = {}
            allowed_by_local_roles_group_id[''] = allowed_role_set

            optimized_role_set = set()
            for role_definition_group, user_and_role_list in local_roles_group_id_dict.iteritems(
            ):
                group_allowed_set = allowed_by_local_roles_group_id.setdefault(
                    role_definition_group, set())
                for user, role in user_and_role_list:
                    if role in allowed_role_set:
                        prefix = 'user:'******'%s:%s' % (prefix, role)))
                        optimized_role_set.add((user, role))
            user_role_dict = {}
            user_view_permission_role_dict = {}
            for user, (roles, user_exists) in localroles.iteritems():
                prefix = 'user:'******'', )):
                            group_allowed_set = allowed_by_local_roles_group_id.setdefault(
                                group, set())
                            if is_not_in_optimised_role_set:
                                group_allowed_set.add(prefix)
                                group_allowed_set.add('%s:%s' % (prefix, role))

            # sort `allowed` principals
            sorted_allowed_by_local_roles_group_id = {}
            for local_roles_group_id, allowed in \
                    allowed_by_local_roles_group_id.iteritems():
                sorted_allowed_by_local_roles_group_id[
                    local_roles_group_id] = tuple(sorted(allowed))

            self._cache_result = result = (
                sorted_allowed_by_local_roles_group_id, user_role_dict,
                user_view_permission_role_dict)
        return result

Exemple #4

Fichier : CatalogTool.py Projet : smetsjp/erp5

    def _getSecurityParameterList(self):
      result = self.__dict__.get('_cache_result', None)
      if result is None:
        ob = self.__ob
        # For each group or user, we have a list of roles, this list
        # give in this order : [roles on object, roles acquired on the parent,
        # roles acquired on the parent of the parent....]
        # So if we have ['-Author','Author'] we should remove the role 'Author'
        # but if we have ['Author','-Author'] we have to keep the role 'Author'
        localroles = {}
        skip_role_set = set()
        skip_role = skip_role_set.add
        clear_skip_role = skip_role_set.clear
        for key, role_list in mergedLocalRoles(ob).iteritems():
          new_role_list = []
          new_role = new_role_list.append
          clear_skip_role()
          for role in role_list:
            if role[:1] == '-':
              skip_role(role[1:])
            elif role not in skip_role_set:
              new_role(role)
          if len(new_role_list)>0:
            localroles[key] = new_role_list

        portal = ob.getPortalObject()
        role_dict = dict(portal.portal_catalog.getSQLCatalog().\
                                              getSQLCatalogRoleKeysList())
        getUserById = portal.acl_users.getUserById

        # For each local role of a user:
        #   If the local role grants View permission, add it.
        # Every addition implies 2 lines:
        #   user:<user_id>
        #   user:<user_id>:<role_id>
        # A line must not be present twice in final result.
        allowed = set(rolesForPermissionOn('View', ob))
        # XXX the permission name is included by default for verbose
        # logging of security errors, but the catalog does not need to
        # index it. Unfortunately, rolesForPermissionOn does not have
        # an option to disable this behavior at calling time, so
        # discard it explicitly.
        allowed.discard('_View_Permission')
        # XXX Owner is hardcoded, in order to prevent searching for user on the
        # site root.
        allowed.discard('Owner')
        add = allowed.add
        user_role_dict = {}
        user_view_permission_role_dict = {}
        for user, roles in localroles.iteritems():
          prefix = 'user:'******':' + role)

        self._cache_result = result = (sorted(allowed), user_role_dict,
                                       user_view_permission_role_dict)
      return result

Exemple #5

Fichier : CatalogTool.py Projet : Elbagoury/erp5

    def _getSecurityParameterList(self):
      result = self.__dict__.get('_cache_result', None)
      if result is None:
        ob = self.__ob
        # For each group or user, we have a list of roles, this list
        # give in this order : [roles on object, roles acquired on the parent,
        # roles acquired on the parent of the parent....]
        # So if we have ['-Author','Author'] we should remove the role 'Author'
        # but if we have ['Author','-Author'] we have to keep the role 'Author'
        localroles = {}
        skip_role_set = set()
        skip_role = skip_role_set.add
        clear_skip_role = skip_role_set.clear
        for key, role_list in mergedLocalRoles(ob).iteritems():
          new_role_list = []
          new_role = new_role_list.append
          clear_skip_role()
          for role in role_list:
            if role[:1] == '-':
              skip_role(role[1:])
            elif role not in skip_role_set:
              new_role(role)
          if len(new_role_list)>0:
            localroles[key] = new_role_list

        portal = ob.getPortalObject()
        role_dict = dict(portal.portal_catalog.getSQLCatalog().\
                                              getSQLCatalogRoleKeysList())
        getUserById = portal.acl_users.getUserById

        allowed_dict = {}

        # For each local role of a user:
        #   If the local role grants View permission, add it.
        # Every addition implies 2 lines:
        #   user:<user_id>
        #   user:<user_id>:<role_id>
        # A line must not be present twice in final result.
        allowed_role_set = set(rolesForPermissionOn('View', ob))
        # XXX the permission name is included by default for verbose
        # logging of security errors, but the catalog does not need to
        # index it. Unfortunately, rolesForPermissionOn does not have
        # an option to disable this behavior at calling time, so
        # discard it explicitly.
        allowed_role_set.discard('_View_Permission')
        # XXX Owner is hardcoded, in order to prevent searching for user on the
        # site root.
        allowed_role_set.discard('Owner')

        # XXX make this a method of base ?
        local_roles_group_id_group_id = deepcopy(getattr(ob,
          '__ac_local_roles_group_id_dict__', {}))

        # If we acquire a permission, then we also want to acquire the local
        # roles group ids
        local_roles_container = ob
        while getattr(local_roles_container, 'isRADContent', 0):
          if local_roles_container._getAcquireLocalRoles():
            local_roles_container = local_roles_container.aq_parent
            for role_definition_group, user_and_role_list in \
                getattr(local_roles_container,
                        '__ac_local_roles_group_id_dict__',
                        {}).items():
              local_roles_group_id_group_id.setdefault(role_definition_group, set()
                ).update(user_and_role_list)
          else:
            break

        allowed_by_local_roles_group_id = {}
        allowed_by_local_roles_group_id[''] = allowed_role_set

        user_role_dict = {}
        user_view_permission_role_dict = {}
        optimized_role_set = set()
        # First parse optimized roles and build optimized_role_set
        for role_definition_group, user_and_role_list in local_roles_group_id_group_id.items():
          group_allowed_set = allowed_by_local_roles_group_id.setdefault(
            role_definition_group, set())
          for user, role in user_and_role_list:
            if role in allowed_role_set:
              prefix = 'user:'******'%s:%s' % (prefix, role)))
              optimized_role_set.add((user, role))

        # Then parse other roles
        for user, roles in localroles.iteritems():
          prefix = 'user:'******'', )):
                group_allowed_set = allowed_by_local_roles_group_id.setdefault(
                  group, set())
                if (user, role) not in optimized_role_set:
                  # add only if not already added to optimized_role_set to avoid polluting indexation table
                  group_allowed_set.update((prefix, '%s:%s' % (prefix, role)))

        # sort `allowed` principals
        sorted_allowed_by_local_roles_group_id = {}
        for local_roles_group_id, allowed in \
                allowed_by_local_roles_group_id.items():
          sorted_allowed_by_local_roles_group_id[local_roles_group_id] = tuple(
            sorted(allowed))

        self._cache_result = result = (sorted_allowed_by_local_roles_group_id,
                                       user_role_dict,
                                       user_view_permission_role_dict)
      return result