def test_checkpermission_allow(self):
    """DENY_ALL refuses a named permission but not NO_PERMISSION_REQUIRED."""
    import ptah

    locked = Content(acl=[DENY_ALL])

    # A deny-everything ACL must refuse an ordinary permission such as "View".
    view_ok = ptah.check_permission("View", locked, throw=False)
    self.assertFalse(view_ok)

    # NO_PERMISSION_REQUIRED is expected to pass even under DENY_ALL, so it
    # should only ever be attached to genuinely public actions.
    unguarded_ok = ptah.check_permission(
        NO_PERMISSION_REQUIRED, locked, throw=False)
    self.assertTrue(unguarded_ok)
def test_checkpermission_deny(self):
    """An allow-everyone ACL grants "View" but never ptah.NOT_ALLOWED."""
    import ptah

    wide_open = Content(acl=[(Allow, ptah.Everyone.id, ALL_PERMISSIONS)])

    # Everyone holds every permission on this object, so "View" passes.
    view_ok = ptah.check_permission("View", wide_open, throw=False)
    self.assertTrue(view_ok)

    # NOT_ALLOWED is expected to fail regardless of how permissive the ACL is.
    blocked_ok = ptah.check_permission(ptah.NOT_ALLOWED, wide_open, throw=False)
    self.assertFalse(blocked_ok)
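def cmsContent(request, app, uri=None, action='', *args):
    # REST entry point: resolve the application root or the node named by
    # `uri`, look up the REST action registered for it, enforce the action's
    # permission and return the action's result ({} when it is falsy).
    # Raises NotFound for an unknown `app` or an unknown action.
    appfactory = ptah.cms.get_app_factories().get(app)
    if appfactory is None:
        raise NotFound()

    root = appfactory(request)
    request.root = root

    # load() is called without a permission argument, so the only
    # authorization gate on this path is the check_permission call below.
    content = load(uri) if uri else root

    adapters = config.registry.adapters
    action = adapters.lookup(
        (IRestActionClassifier, providedBy(content)),
        IRestAction, name=action, default=None)
    if not action:
        raise NotFound()

    request.environ['SCRIPT_NAME'] = '%s/content:%s/'%(
        request.environ['SCRIPT_NAME'], app)

    # The result is discarded, so access control depends on check_permission
    # raising when its 4th positional argument is True (presumably `throw`)
    # -- TODO confirm against ptah.check_permission.
    ptah.check_permission(action.permission, content, request, True)

    res = action.callable(content, request, *args)
    if not res: # pragma: no cover
        res = {}
    return res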
def test_checkpermission_deny(self):
    """Allow-all for Everyone still leaves ptah.NOT_ALLOWED refused."""
    import ptah

    acl = [(Allow, ptah.Everyone.id, ALL_PERMISSIONS)]
    node = Content(acl=acl)

    # A named permission is granted by the allow-everything entry ...
    granted = ptah.check_permission('View', node, throw=False)
    self.assertTrue(granted)

    # ... but the NOT_ALLOWED sentinel is expected to be refused anyway.
    refused = ptah.check_permission(ptah.NOT_ALLOWED, node, throw=False)
    self.assertFalse(refused)
def test_checkpermission_user(self):
    """A per-user Allow entry only applies once that user is the current one."""
    import ptah

    node = Content(acl=[(Allow, 'test-user', 'View')])

    # No user id has been set yet, so the entry for 'test-user' must not match.
    before_login = ptah.check_permission('View', node, throw=False)
    self.assertFalse(before_login)

    ptah.auth_service.set_userid('test-user')

    # Same object, same permission: now the ACL entry matches the principal.
    after_login = ptah.check_permission('View', node, throw=False)
    self.assertTrue(after_login)
def test_checkpermission_superuser(self):
    """The superuser passes despite an explicit Deny, except for NOT_ALLOWED."""
    import ptah
    from pyramid import security

    deny_superuser = (Deny, ptah.SUPERUSER_URI, security.ALL_PERMISSIONS)
    node = Content(acl=[deny_superuser])
    ptah.authService.set_userid(ptah.SUPERUSER_URI)

    # The test expects the superuser to be granted "View" even though the ACL
    # denies it everything: Deny entries do not constrain this principal.
    view_ok = ptah.check_permission("View", node)
    self.assertTrue(view_ok)

    # NOT_ALLOWED is expected to stay refused even for the superuser.
    blocked_ok = ptah.check_permission(ptah.NOT_ALLOWED, node)
    self.assertFalse(blocked_ok)
def test_checkpermission_authenticated(self):
    """An Allow entry for Authenticated excludes anonymous callers."""
    import ptah

    node = Content(acl=[(Allow, ptah.Authenticated.id, "View")])

    # With no user id set the caller is anonymous and must be refused.
    anonymous_ok = ptah.check_permission("View", node, throw=False)
    self.assertFalse(anonymous_ok)

    ptah.authService.set_userid("test-user")

    # Any logged-in user is expected to match the Authenticated principal.
    logged_in_ok = ptah.check_permission("View", node, throw=False)
    self.assertTrue(logged_in_ok)
def test_checkpermission_allow(self):
    """Under DENY_ALL, 'View' is refused and NO_PERMISSION_REQUIRED passes."""
    import ptah

    node = Content(acl=[DENY_ALL])

    # Ordinary permissions are refused by the deny-everything entry.
    refused = ptah.check_permission('View', node, throw=False)
    self.assertFalse(refused)

    # The NO_PERMISSION_REQUIRED sentinel is expected to pass regardless of
    # the ACL, which is why it belongs only on intentionally public actions.
    granted = ptah.check_permission(NO_PERMISSION_REQUIRED, node, throw=False)
    self.assertTrue(granted)
def test_checkpermission_superuser(self):
    """Deny entries do not bind the superuser; NOT_ALLOWED still does."""
    import ptah
    from pyramid import security

    acl = [(Deny, ptah.SUPERUSER_URI, security.ALL_PERMISSIONS)]
    node = Content(acl=acl)
    ptah.auth_service.set_userid(ptah.SUPERUSER_URI)

    # Expected: the explicit Deny for the superuser is overridden.
    granted = ptah.check_permission('View', node)
    self.assertTrue(granted)

    # Expected: the NOT_ALLOWED sentinel is refused for every principal,
    # the superuser included.
    refused = ptah.check_permission(ptah.NOT_ALLOWED, node)
    self.assertFalse(refused)
def test_checkpermission_local_roles(self):
    """A role-based Allow entry applies only after the role is granted locally."""
    import ptah

    role_acl = [(Allow, "role:test", "View")]
    node = Content(iface=ptah.ILocalRolesAware, acl=role_acl)
    ptah.authService.set_userid("test-user")

    # The user holds no local role on this object yet, so "View" is refused.
    without_role = ptah.check_permission("View", node, throw=False)
    self.assertFalse(without_role)

    node.__local_roles__["test-user"] = ["role:test"]

    # Once the object maps the user to role:test, the ACL entry matches.
    with_role = ptah.check_permission("View", node, throw=False)
    self.assertTrue(with_role)
def test_checkpermission_local_roles(self):
    """Local roles stored on the object feed into the permission check."""
    import ptah

    node = Content(iface=ptah.ILocalRolesAware,
                   acl=[(Allow, 'role:test', 'View')])
    ptah.auth_service.set_userid('test-user')

    # Before any local role assignment the role-based entry cannot match.
    refused = ptah.check_permission('View', node, throw=False)
    self.assertFalse(refused)

    # Grant the role on this object only; nothing global changes.
    node.__local_roles__['test-user'] = ['role:test']

    granted = ptah.check_permission('View', node, throw=False)
    self.assertTrue(granted)
def test_checkpermission_local_roles(self):
    """'View' via role:test is granted only after the per-object role mapping."""
    import ptah

    target = Content(
        iface=ptah.ILocalRolesAware,
        acl=[(Allow, 'role:test', 'View')])
    ptah.auth_service.set_userid('test-user')

    # Step 1: authenticated user, but no role on this object -> refused.
    first_check = ptah.check_permission('View', target, throw=False)
    self.assertFalse(first_check)

    # Step 2: attach role:test to the user on this object -> granted.
    target.__local_roles__['test-user'] = ['role:test']
    second_check = ptah.check_permission('View', target, throw=False)
    self.assertTrue(second_check)
def is_allowed(self, container):
    """Tell whether this object may be used with ``container``.

    Returns False for anything that is not a ``Container``. Otherwise
    returns the result of checking ``self.permission`` on the container,
    or True when no permission is configured.
    """
    if isinstance(container, Container):
        if not self.permission:
            # NOTE(review): a falsy permission skips the ACL check entirely,
            # so an object without one is allowed for every caller -- confirm
            # that anything meant to be restricted declares a permission.
            return True
        return ptah.check_permission(self.permission, container)
    return False
def containerNodeInfo(content, request, *args):
    """Container information"""
    # Start from the node's own info and add one summary entry per child the
    # caller is allowed to View.
    info = nodeInfo(content, request)

    listing = []
    for child in content.values():
        # Children the caller may not View are left out of the listing. The
        # pragma excludes this skip from coverage, so the filter itself is
        # apparently not exercised by the test suite -- worth a dedicated test.
        if not ptah.check_permission(View, child, request): # pragma: no cover
            continue

        entry = OrderedDict()
        entry['__name__'] = child.__name__
        entry['__type__'] = child.__type_id__
        entry['__uri__'] = child.__uri__
        entry['__container__'] = isinstance(child, Container)
        entry['__link__'] = '%s%s/'%(request.application_url, child.__uri__)
        entry['title'] = child.title
        entry['description'] = child.description
        entry['created'] = child.created
        entry['modified'] = child.modified
        listing.append(entry)

    info['__contents__'] = listing
    return info
def is_allowed(self, container):
    """Tell whether this object may be used with ``container``.

    Anything that is not a ``BaseContainer`` is rejected. For a container,
    the configured permission is checked against it; with no permission
    configured the answer is True.
    """
    if not isinstance(container, BaseContainer):
        return False

    if not self.permission:
        # NOTE(review): no permission configured means no ACL check at all
        # (fail-open) -- confirm this is intended for every such object.
        return True

    return ptah.check_permission(self.permission, container)
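def update(self):
    """Process the listing form; delete the POSTed items when permitted.

    Sets ``self.deleteContent`` to the result of checking
    ``cms.DeleteContent`` on the current context, and acts on the
    "remove" button only when that check passed.
    """
    context = self.context
    request = self.request

    self.deleteContent = ptah.check_permission(
        cms.DeleteContent, context)

    # Sketch of the wrapper API used below:
    #   cms(uri).read() / .create(type) / .delete() / .update(**kwargs)
    #   cms(uri).items(offset, limit)

    if self.deleteContent and 'form.buttons.remove' in request.POST:
        # NOTE(review): the URIs come straight from the POST body and are
        # not checked to be children of `context`; the permission above was
        # evaluated on `context` only. Per-item authorization therefore
        # rests on whatever cms.wrap(uri).delete() enforces -- confirm.
        # NOTE(review): no CSRF token validation is visible in this method;
        # confirm the form layer provides it.
        for uri in request.POST.getall('item'):
            cms.wrap(uri).delete()

        self.message("Selected content items have been removed.")

    # The rename and cut buttons are accepted by the form but have no
    # handler yet. They are deliberately a no-op here rather than echoing
    # request data to stdout.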
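def get_protocol(self, name, _marker=object()):
    """Return the protocol instance registered under ``name``, or None.

    The first request for a name looks up the ``IProtocol`` adapter, checks
    its permission (if any) against ``self.request.context``, creates the
    protocol with its shared storage and caches it in ``self.protocols``.
    A failed permission check is cached as ``_marker`` so later calls
    return None without repeating the lookup.

    :param name: protocol name to resolve
    :param _marker: sentinel stored for a denied protocol; the default is
        created once at definition time and shared by all calls
    """
    protocol = self.protocols.get(name)
    if protocol is None:
        item = self.registry.adapters.lookup(
            (providedBy(self),), IProtocol, name=name)
        if item is not None:
            factory, permission = item
        else:
            factory, permission = None, None

        # NOTE(review): the outcome is cached in self.protocols in both
        # directions, so a permission granted or revoked later is not
        # re-evaluated for the lifetime of that cache -- confirm acceptable.
        if permission and not ptah.check_permission(
                permission, self.request.context, self.request):
            factory = None
            self.protocols[name] = _marker
            # Lazy %-args: `name` is never interpreted as a format string.
            log.warning("Permission check failed for %s", name)

        if factory is not None:
            # Storage is shared through the manager, keyed by protocol name.
            storage = self.manager.storage.get(name)
            if storage is None:
                storage = {}
                self.manager.storage[name] = storage

            protocol = factory(self, storage)
            protocol.__name__ = name
            protocol.request = self.request
            protocol.on_open()
            self.protocols[name] = protocol

    # A cached denial is stored as the sentinel; never hand it to callers.
    return protocol if protocol is not _marker else None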
def containerNodeInfo(content, request, *args):
    """Container information"""
    # Extends the node's own info with a '__contents__' list describing each
    # child the caller has the View permission on.
    info = nodeInfo(content, request)

    visible = []
    for node in content.values():
        # Unviewable children are omitted so the listing does not disclose
        # them. The pragma keeps this skip out of coverage, so the filter is
        # apparently untested -- consider adding a test for the deny path.
        if not ptah.check_permission(View, node, request): # pragma: no cover
            continue

        summary = OrderedDict()
        summary['__name__'] = node.__name__
        summary['__type__'] = node.__type_id__
        summary['__uri__'] = node.__uri__
        summary['__container__'] = isinstance(node, Container)
        summary['__link__'] = '%s%s/' % (request.application_url, node.__uri__)
        summary['title'] = node.title
        summary['description'] = node.description
        summary['created'] = node.created
        summary['modified'] = node.modified
        visible.append(summary)

    info['__contents__'] = visible
    return info
def __getattr__(self, action):
    """Resolve ``action`` to a wrapper bound to the wrapped content.

    :raise NotFound: no actions are known, or ``action`` is not among them.
    :raise Forbidden: the action declares a permission and the check on the
        wrapped content fails.
    """
    if not self._actions or action not in self._actions:
        raise NotFound(action)

    fname, permission = self._actions[action]

    # Actions registered with a falsy permission are returned without any
    # ACL check -- NOTE(review): confirm none of them mutate content.
    if permission and not ptah.check_permission(permission, self._content):
        raise Forbidden(action)

    return ActionWrapper(self._content, fname)
def check(self, context, request):
    """Decide whether this item applies to ``context`` for ``request``.

    The configured permission (if any) is checked first; a failure returns
    False. Otherwise the optional ``condition`` callable decides, and with
    no condition the result is True.
    """
    required = self.permission
    if required and not ptah.check_permission(required, context, request):
        return False

    predicate = self.condition
    if predicate is None:
        return True
    # The condition's own return value is passed through unchanged.
    return predicate(context, request)
def cmsContent(request, app='', uri=None, action='', *args):
    # REST entry point: resolve a content object (application root or the
    # node named by `uri`), look up the REST action registered for it,
    # enforce the action's permission and return the action's result.
    # NOTE(review): this listing had lost its indentation; the nesting of
    # the argument-shifting statements below is reconstructed -- confirm
    # against the original file.
    name = getattr(request, 'subpath', ('content', ))[0]
    if ':' not in name:
        # No "content:<app>" prefix in the first path segment: the
        # positional arguments are shifted so that `app` becomes empty.
        if not action:
            action = uri or ''
        uri = app
        app = ''

    content = None
    appfactory = ptahcms.get_app_factories().get(app)
    if appfactory is not None:
        root = appfactory(request)
        request.root = root
        if not uri:
            content = root

    # An unknown `app` is not rejected here; the code falls through to
    # load(uri). load() is called without a permission argument, so the only
    # authorization gate on this path is the check_permission call below.
    if content is None:
        content = load(uri)

    adapters = request.registry.adapters
    action = adapters.lookup((IRestActionClassifier, providedBy(content)), IRestAction, name=action, default=None)
    if action:
        if app:
            # NOTE(review): `app` is written into SCRIPT_NAME even when no
            # factory matched it above -- confirm URL generation downstream
            # tolerates a caller-chosen value.
            request.environ['SCRIPT_NAME'] = '%s/content:%s/' % (
                request.environ['SCRIPT_NAME'], app)
        else:
            request.environ['SCRIPT_NAME'] = '%s/content/' % (
                request.environ['SCRIPT_NAME'])

        # The result is discarded, so access control depends on
        # check_permission raising when its 4th positional argument is True
        # (presumably `throw`) -- TODO confirm.
        ptah.check_permission(action.permission, content, request, True)
        res = action.callable(content, request, *args)
        if not res: # pragma: no cover
            res = {}
        return res

    raise NotFound()
def cmsContent(request, app='', uri=None, action='', *args):
    # REST entry point: pick the content object (application root or the
    # node loaded from `uri`), find the REST action registered for it, check
    # the action's permission and return what the action produces.
    # NOTE(review): this listing had lost its indentation; the nesting of
    # the argument-shifting statements below is reconstructed -- confirm
    # against the original file.
    name = getattr(request, 'subpath', ('content',))[0]
    if ':' not in name:
        # First path segment carries no ":<app>" suffix, so the positional
        # arguments are shifted and `app` is cleared.
        if not action:
            action = uri or ''
        uri = app
        app = u''

    content = None
    appfactory = ptah.cms.get_app_factories().get(app)
    if appfactory is not None:
        root = appfactory(request)
        request.root = root
        if not uri:
            content = root

    # No factory for `app` does not end the request: the node is loaded by
    # uri instead. load() gets no permission argument here, so authorization
    # rests entirely on the check_permission call further down.
    if content is None:
        content = load(uri)

    adapters = request.registry.adapters
    action = adapters.lookup(
        (IRestActionClassifier, providedBy(content)),
        IRestAction, name=action, default=None)
    if action:
        if app:
            # NOTE(review): `app` reaches SCRIPT_NAME even if it matched no
            # factory -- confirm generated URLs cannot be skewed by it.
            request.environ['SCRIPT_NAME'] = '%s/content:%s/'%(
                request.environ['SCRIPT_NAME'], app)
        else:
            request.environ['SCRIPT_NAME'] = '%s/content/'%(
                request.environ['SCRIPT_NAME'])

        # Return value ignored: the gate only holds if check_permission
        # raises on failure when the 4th positional argument is True
        # (presumably `throw`) -- TODO confirm.
        ptah.check_permission(action.permission, content, request, True)
        res = action.callable(content, request, *args)
        if not res: # pragma: no cover
            res = {}
        return res

    raise NotFound()
def contents(self):
    """Return the container's children that are public or viewable.

    Only children providing ``IContent`` are considered. A child marked
    ``public`` is included without an ACL check; any other child must pass
    the ``View`` permission check.
    """
    # NOTE(review): `public` short-circuits the permission check, so setting
    # that flag exposes the item to every caller -- confirm who may set it.
    return [
        child
        for child in self.values()
        if IContent.providedBy(child)
        and (child.public or ptah.check_permission(View, child))
    ]
def apidocAction(content, request, *args):
    """api doc"""
    # Lists the REST actions registered for `content`, restricted to those
    # whose permission the caller passes, so the document does not advertise
    # actions the caller cannot invoke.
    base_url = request.application_url
    registered = request.registry.adapters.lookupAll(
        (IRestActionClassifier, providedBy(content)), IRestAction)

    rows = []
    for name, action in registered:
        if ptah.check_permission(action.permission, content, request):
            title = action.title
            doc = OrderedDict()
            doc['name'] = name or 'info'
            doc['link'] = '%s%s/%s' % (base_url, content.__uri__, name)
            doc['title'] = action.title
            doc['description'] = action.description
            # (name, title) lead the tuple so sorting orders by them.
            rows.append((name, title, doc))

    return [doc for _t, _n, doc in sorted(rows)]
def apidocAction(content, request, *args):
    """api doc"""
    # Builds one description per REST action registered for `content`,
    # skipping every action whose permission check fails for this request.
    url = request.application_url
    described = []

    lookup_all = request.registry.adapters.lookupAll
    for name, action in lookup_all(
            (IRestActionClassifier, providedBy(content)), IRestAction):
        permitted = ptah.check_permission(
            action.permission, content, request)
        if not permitted:
            continue

        sort_title = action.title
        entry = OrderedDict()
        entry['name'] = name or 'info'
        entry['link'] = '%s%s/%s'%(url, content.__uri__, name)
        entry['title'] = action.title
        entry['description'] = action.description
        described.append((name, sort_title, entry))

    # Sorted by the leading (name, title) fields; only the entries are returned.
    return [entry for _t, _n, entry in sorted(described)]
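def update(self):
    """Process the listing form; delete the POSTed items when permitted.

    Sets ``self.deleteContent`` to the result of checking
    ``ptah.cms.DeleteContent`` on the current context, and acts on the
    "remove" button only when that check passed.
    """
    context = self.context
    request = self.request

    self.deleteContent = ptah.check_permission(
        ptah.cms.DeleteContent, context)

    # Sketch of the wrapper API used below:
    #   cms(uri).read() / .create(type) / .delete() / .update(**kwargs)
    #   cms(uri).items(offset, limit)

    if self.deleteContent and 'form.buttons.remove' in request.POST:
        # NOTE(review): the URIs are taken from the POST body and are not
        # checked to be children of `context`, while the permission above
        # was evaluated on `context` only. Per-item authorization therefore
        # rests on whatever ptah.cms.wrap(uri).delete() enforces -- confirm.
        # NOTE(review): no CSRF token validation is visible in this method;
        # confirm the form layer provides it.
        for uri in request.POST.getall('item'):
            ptah.cms.wrap(uri).delete()

        self.message("Selected content items have been removed.")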
def load(uri, permission=None):
    """ Load node by `uri` and initialize __parent__ attributes.
    Also checks permission if permission is specified.

    :param uri: Node uri
    :param permission: Check permission on node object
    :type permission: Permission id or None

    :raise NotFound: Node with this uri is not found.
    :raise Forbidden: If current principal doesn't pass permission check
        on loaded node.
    """
    item = ptah.resolve(uri)
    if item is None:
        raise NotFound(uri)

    load_parents(item)

    # With permission=None the node is returned without any access check;
    # callers that pass nothing must authorize the node themselves.
    if permission is not None and not ptah.check_permission(permission, item):
        raise Forbidden()

    return item
def is_allowed(self, container):
    """Tell whether this object is allowed for ``container``.

    Returns the result of checking ``self.permission`` on the container,
    or True when no permission is configured.
    """
    if not self.permission:
        # NOTE(review): a falsy permission means no ACL check is made, and
        # this variant does not verify the container's type either.
        return True
    return ptah.check_permission(self.permission, container)