def check_permission(self, trac_environment_id, permission, check_username):
"""
Helper class for the GlobalPermissionPolicy.check_permission,
which checks also the resource, unlike this.
Checks permission for the user in the trac environment.
"""
# Disable completely features by appending actions into this list
restricted_features = ['REPORT_CREATE', 'REPORT_SQL_VIEW']
if permission in restricted_features:
return False
# Get user in question
user = get_userstore().getUser(check_username)
store = CQDEUserGroupStore(trac_environment_id)
superusers = CQDESuperUserStore.instance()
# If there is no user then there is no need for permission check
if not user:
return False
# Check if user is a superuser
if superusers.is_superuser(user.username):
return True
# Get all groups and users
user_groups = store.get_all_user_groups()
group_perms = store.get_all_group_permissions()
organization_groups = store.get_all_organization_groups()
# List groups that have the permission
groups = []
for group, perm in group_perms:
# NOTE: Also extend the meta permissions into list
perms = [perm] + self.meta_perms.get(perm, [])
if permission in perms:
groups.append(group)
users = get_special_users(user.username)
users.append(user.username)
# See if user is in one of the groups
for username, group in user_groups:
if username in users:
if group in groups:
return True
# See if user's organization is in one of the groups
org_store = CQDEOrganizationStore.instance()
for org, group in organization_groups:
org_id = org_store.get_organization_id(org)
if org_id in user.organization_keys:
if group in groups:
return True
if conf.ldap_groups_enabled:
# TODO: do not use CQDEAuthenticationStore to check this, the information should
# be available from User object (add if not!)
# See if any ldap groups are allowed in environment
from multiproject.core.authentication import CQDEAuthenticationStore
auth_store = CQDEAuthenticationStore.instance()
is_ldap_account = auth_store.is_ldap(user.authentication_key)
trac_environment_ldapgroups = store.get_all_trac_environment_ldap_groups()
if is_ldap_account and trac_environment_ldapgroups:
# See if user belongs to any of the allowed ldap groups
ldapuser_store = conf.getAuthenticationStore()
user_ldapgroups = ldapuser_store.getGroups(user.username)
for ldapgroup, group in trac_environment_ldapgroups:
if ldapgroup in user_ldapgroups:
if group in groups:
return True
return False
def get_participated_projects(self, user, by_organization=False, by_ldap=False,
public_only=False):
"""
Get those projects that user has participated. Optionally can list by organization,
or by public status.
:param User user: User object
:param boolean by_organization: List projects by organization
:param boolean public_only: Get public projects as well
:returns: List of Project objects
"""
# Anonymous does not have organization
if not user.organization_keys:
by_organization = False
and_anon_condition= ''
union_all_organization_condition = ''
union_all_ldap_condition = ''
perm_ids = ', '.join([str(safe_int(get_permission_id(action)))
for action in ('TEAM_VIEW',)])
if public_only:
# fetch anonymous user id
# FIXME: Would be nice if we didn't have to do this all the time
anon = get_userstore().getUser('anonymous')
if not anon:
conf.log.warning("Error in get_participated_projects: No anonymous user obtained!")
raise TracError("Error while fetching user's projects.")
and_anon_condition = """
AND EXISTS
(SELECT group.trac_environment_key
FROM `group`
INNER JOIN user_group ON user_group.group_key = group.group_id
INNER JOIN group_permission ON group.group_id = group_permission.group_key
WHERE user_group.user_key = {anon_id}
AND group.trac_environment_key = projects.trac_environment_key
AND group_permission.permission_key IN ({perm_ids})
)
""".format(anon_id = safe_int(anon.id), perm_ids = perm_ids)
if by_organization:
# See if the user has access into projects through organizations
union_all_organization_condition += """
UNION ALL
SELECT group.trac_environment_key
FROM `trac_admin`.`group`
INNER JOIN organization_group ON organization_group.group_key = group.group_id
WHERE organization_group.organization_key IN({organization_ids})
""".format(organization_ids =
', '.join([str(safe_int(org_id)) for org_id in user.organization_keys]))
if by_ldap and conf.ldap_groups_enabled:
# See if any ldap groups are allowed in environment
auth_store = CQDEAuthenticationStore.instance()
is_ldap_account = auth_store.is_ldap(user.authentication_key)
if is_ldap_account:
# See if user belongs to any of the allowed ldap groups
ldapuser_store = conf.getAuthenticationStore()
user_ldapgroups = ldapuser_store.getGroups(user.username)
if user_ldapgroups:
union_all_ldap_condition = """
UNION ALL
SELECT group.trac_environment_key
FROM `trac_admin`.`group`
INNER JOIN ldapgroup_group ON ldapgroup_group.group_key = group.group_id
INNER JOIN ldapgroup ON ldapgroup.ldapgroup_id = ldapgroup_group.ldapgroup_key
WHERE ldapgroup.ldapgroup_name IN ({ldapgroup_names})
""".format(ldapgroup_names =
', '.join(["'{0}'".format(safe_string(group)) for group in user_ldapgroups]))
query = """
SELECT projects.* FROM projects
WHERE projects.trac_environment_key IN (
SELECT group.trac_environment_key
FROM `trac_admin`.`group`
INNER JOIN user_group ON user_group.group_key = group.group_id
WHERE user_group.user_key = {user_id}
{union_all_organization}
{union_all_ldap}
)
{and_anon}
ORDER BY projects.project_name ASC
""".format(user_id = safe_int(user.id),
union_all_organization = union_all_organization_condition,
union_all_ldap = union_all_ldap_condition,
and_anon = and_anon_condition)
conf.log.debug("queried participated projects with %s" % query)
projects = self.queryProjectObjects(query)
return projects
