def isMemberIdAllowed(self, id):
if len(id) < 1 or id == 'Anonymous User':
return 0
if not self._ALLOWED_MEMBER_ID_PATTERN.match(id):
return 0
pas = getToolByName(self, 'acl_users')
if IPluggableAuthService.providedBy(pas):
results = pas.searchPrincipals(id=id, exact_match=True)
if results:
return 0
else:
for parent in aq_chain(self):
if hasattr(aq_base(parent), "acl_users"):
parent = parent.acl_users
if IPluggableAuthService.providedBy(parent):
if parent.searchPrincipals(id=id,
exact_match=True):
return 0
# When email addresses are used as logins, we need to check
# if there are any users with the requested login.
props = getToolByName(self, 'portal_properties').site_properties
if props.use_email_as_login:
results = pas.searchUsers(name=id, exact_match=True)
if results:
return 0
else:
membership = getToolByName(self, 'portal_membership')
if membership.getMemberById(id) is not None:
return 0
groups = getToolByName(self, 'portal_groups')
if groups.getGroupById(id) is not None:
return 0
return 1
def isMemberIdAllowed(self, id):
if len(id) < 1 or id == 'Anonymous User':
return 0
if not self._ALLOWED_MEMBER_ID_PATTERN.match(id):
return 0
pas = getToolByName(self, 'acl_users')
if IPluggableAuthService.providedBy(pas):
results = pas.searchPrincipals(id=id, exact_match=True)
if results:
return 0
else:
for parent in aq_chain(self):
if hasattr(aq_base(parent), "acl_users"):
parent = parent.acl_users
if IPluggableAuthService.providedBy(parent):
if parent.searchPrincipals(id=id,
exact_match=True):
return 0
# When email addresses are used as logins, we need to check
# if there are any users with the requested login.
props = getToolByName(self, 'portal_properties').site_properties
if props.use_email_as_login:
results = pas.searchUsers(name=id, exact_match=True)
if results:
return 0
else:
membership = getToolByName(self, 'portal_membership')
if membership.getMemberById(id) is not None:
return 0
groups = getToolByName(self, 'portal_groups')
if groups.getGroupById(id) is not None:
return 0
return 1
def canWriteProperty(self, prop_name):
"""True iff the member/group property named in 'prop_name'
can be changed.
"""
if not IPluggableAuthService.providedBy(self._tool.acl_users):
# not PAS; Memberdata is writable
return self._memberdataHasProperty(prop_name)
else:
# it's PAS
user = self.getUser()
sheets = getattr(user, 'getOrderedPropertySheets', lambda: None)()
if not sheets:
return self._memberdataHasProperty(prop_name)
for sheet in sheets:
if not sheet.hasProperty(prop_name):
continue
if IMutablePropertySheet.providedBy(sheet):
# BBB for plugins implementing an older version of
# IMutablePropertySheet
if hasattr(sheet, 'canWriteProperty'):
return sheet.canWriteProperty(user, prop_name)
return True
else:
break # shadowed by read-only
return False
def canWriteProperty(self, prop_name):
"""True iff the member/group property named in 'prop_name'
can be changed.
"""
if not IPluggableAuthService.providedBy(self.acl_users):
# not PAS; Memberdata is writable
return self._memberdataHasProperty(prop_name)
else:
# it's PAS
user = self.getUser()
sheets = getattr(user, 'getOrderedPropertySheets', lambda: None)()
if not sheets:
return self._memberdataHasProperty(prop_name)
for sheet in sheets:
if not sheet.hasProperty(prop_name):
continue
if IMutablePropertySheet.providedBy(sheet):
# BBB for plugins implementing an older version of
# IMutablePropertySheet
if hasattr(sheet, 'canWriteProperty'):
return sheet.canWriteProperty(user, prop_name)
return True
else:
break # shadowed by read-only
return False
def pas_fixup(self):
from Products.PluggableAuthService.PluggableAuthService \
import _PLUGIN_TYPE_INFO
pas = getToolByName(self, 'acl_users')
if not IPluggableAuthService.providedBy(pas):
logger.debug('PAS UF not found, skipping PAS fixup.')
return
plugins = pas['plugins']
plugin_types = list(set(plugins._plugin_types))
for key, id, title, description in _PLUGIN_TYPE_INFO:
if key in plugin_types:
logger.debug("Plugin type '%s' already registered." % id)
continue
logger.debug("Plugin type '%s' was not registered." % id)
plugin_types.append(key)
plugins._plugin_type_info[key] = {
'id': id,
'title': title,
'description': description,
}
# Make it ordered
plugin_types.sort()
# Re-assign because it's a non-persistent property.
plugins._plugin_types = plugin_types
def addAutoUserMakerPASPlugin(context):
"""Find the nearest acl_users and adds and activates an Auto User Maker.
Return a 1-tuple with the new Auto User Maker as its only element."""
acl_users = getattr(context, 'acl_users', None)
if acl_users is None:
raise LookupError("No acl_users can be acquired or otherwise found.")
pas = IPluggableAuthService(acl_users, None)
if pas is None:
raise ValueError(
"The nearest acl_users object is not a PluggableAuthService.")
pluginId = _firstIdOfClass(acl_users, ApacheAuthPluginHandler)
if not pluginId:
pluginId = 'AutoUserMakerPASPlugin'
setup = acl_users.manage_addProduct[pluginId]
setup.manage_addAutoUserMaker(pluginId, 'AutoUserMakerPAS Plugin')
plugins = acl_users.plugins
for interface in [IAuthenticationPlugin, IExtractionPlugin]:
plugins.activatePlugin(interface, pluginId)
return pas[pluginId]
def getProperty(self, id, default=_marker):
"""PAS-specific method to fetch a user's properties. Looks
through the ordered property sheets.
"""
sheets = None
if not IPluggableAuthService.providedBy(self.acl_users):
return BaseMemberData.getProperty(self, id)
else:
# It's a PAS! Whee!
user = self.getUser()
sheets = getattr(user, 'getOrderedPropertySheets', lambda: None)()
# we won't always have PlonePAS users, due to acquisition,
# nor are guaranteed property sheets
if not sheets:
return BaseMemberData.getProperty(self, id, default)
# If we made this far, we found a PAS and some property sheets.
for sheet in sheets:
if sheet.hasProperty(id):
# Return the first one that has the property.
value = sheet.getProperty(id)
if isinstance(value, unicode):
# XXX Temporarily work around the fact that
# property sheets blindly store and return
# unicode. This is sub-optimal and should be
# dealed with at the property sheets level by
# using Zope's converters.
return value.encode('utf-8')
return value
# Couldn't find the property in the property sheets. Try to
# delegate back to the base implementation.
return BaseMemberData.getProperty(self, id, default)
def login(self):
"""Set a cookie and redirect to the url that we tried to
authenticate against originally.
Override standard login method to avoid calling
'return response.redirect(came_from)' as there is additional
processing to ignore known bad come_from templates at
login_next.cpy script.
"""
request = self.REQUEST
response = request['RESPONSE']
password = request.get('__ac_password', '')
user = getSecurityManager().getUser()
login = user.getUserName()
user_pas = aq_parent(user)
if IPluggableAuthService.providedBy(user_pas):
# Delegate to the users own PAS if possible
user_pas.updateCredentials(request, response, login, password)
else:
# User does not originate from a PAS user folder, so lets try
# to do our own thing.
# XXX Perhaps we should do nothing here; test with pure User
# Folder!
pas_instance = self._getPAS()
if pas_instance is not None:
pas_instance.updateCredentials(request, response, login,
password)
def _get_pas(self, location=None):
if location is None:
location = self.get_root()
pas = getattr(location, 'acl_users')
if not IPluggableAuthService.providedBy(pas):
return None
return pas
def login(self):
"""Set a cookie and redirect to the url that we tried to
authenticate against originally.
Override standard login method to avoid calling
'return response.redirect(came_from)' as there is additional
processing to ignore known bad come_from templates at
login_next.cpy script.
Note that this is the version from Plone 3.3.6, which has a
fix compared to Plone 3.1.7 that is important to us: it uses
getUserName (so the login name) instead of the __ac_name to
update the credentials of the user.
"""
request = self.REQUEST
response = request['RESPONSE']
password = request.get('__ac_password', '')
user = getSecurityManager().getUser()
login = user.getUserName()
user_pas = aq_parent(user)
if IPluggableAuthService.providedBy(user_pas):
# Delegate to the users own PAS if possible
user_pas.updateCredentials(request, response, login, password)
else:
# User does not originate from a PAS user folder, so lets
# try to do our own thing. XXX Perhaps we should do
# nothing here; test with pure User Folder!
pas_instance = self._getPAS()
if pas_instance is not None:
pas_instance.updateCredentials(request, response, login,
password)
def migrate_root_uf(self):
# Acquire parent user folder.
parent = self.getPhysicalRoot()
uf = getToolByName(parent, 'acl_users')
if IPluggableAuthService.providedBy(uf):
# It's a PAS already, fixup if needed.
pas_fixup(parent)
# Configure Challenge Chooser plugin if available
challenge_chooser_setup(parent)
return
if not uf.meta_type == 'User Folder':
# It's not a standard User Folder at the root. Nothing we can do.
return
# It's a standard User Folder, replace it.
replace_acl_users(parent)
# Get the new uf
uf = getToolByName(parent, 'acl_users')
pas = uf.manage_addProduct['PluggableAuthService']
plone_pas = uf.manage_addProduct['PlonePAS']
# Setup authentication plugins
setupAuthPlugins(parent, pas, plone_pas,
deactivate_basic_reset=False,
deactivate_cookie_challenge=True)
# Activate *all* interfaces for user manager. IUserAdder is not
# activated for some reason by default.
activatePluginInterfaces(parent, 'users')
# Configure Challenge Chooser plugin if available
challenge_chooser_setup(parent)
def getProperty(self, id, default=_marker):
"""PAS-specific method to fetch a user's properties. Looks
through the ordered property sheets.
"""
sheets = None
if not IPluggableAuthService.providedBy(self.acl_users):
return BaseMemberData.getProperty(self, id)
else:
# It's a PAS! Whee!
user = self.getUser()
sheets = getattr(user, 'getOrderedPropertySheets', lambda: None)()
# we won't always have PlonePAS users, due to acquisition,
# nor are guaranteed property sheets
if not sheets:
return BaseMemberData.getProperty(self, id, default)
# If we made this far, we found a PAS and some property sheets.
for sheet in sheets:
if sheet.hasProperty(id):
# Return the first one that has the property.
value = sheet.getProperty(id)
if isinstance(value, unicode):
# XXX Temporarily work around the fact that
# property sheets blindly store and return
# unicode. This is sub-optimal and should be
# dealed with at the property sheets level by
# using Zope's converters.
return value.encode('utf-8')
return value
# Couldn't find the property in the property sheets. Try to
# delegate back to the base implementation.
return BaseMemberData.getProperty(self, id, default)
def _deletePortrait(self, member_id):
" remove member_id's portrait "
if IPluggableAuthService.providedBy(self.acl_users):
plugins = self._getPlugins()
portrait_managers = plugins.listPlugins(IPortraitManagementPlugin)
for mid, manager in portrait_managers:
manager.deletePortrait(member_id)
def _setPortrait(self, portrait, member_id):
" store portrait which must be a raw image in _portrais "
if IPluggableAuthService.providedBy(self.acl_users):
plugins = self._getPlugins()
portrait_managers = plugins.listPlugins(IPortraitManagementPlugin)
for mid, manager in portrait_managers:
manager.setPortrait(portrait, member_id)
def pas_fixup(self):
from Products.PluggableAuthService.PluggableAuthService \
import _PLUGIN_TYPE_INFO
pas = getToolByName(self, 'acl_users')
if not IPluggableAuthService.providedBy(pas):
logger.debug('PAS UF not found, skipping PAS fixup.')
return
plugins = pas['plugins']
plugin_types = list(set(plugins._plugin_types))
for key, id, title, description in _PLUGIN_TYPE_INFO:
if key in plugin_types:
logger.debug("Plugin type '%s' already registered." % id)
continue
logger.debug("Plugin type '%s' was not registered." % id)
plugin_types.append(key)
plugins._plugin_type_info[key] = {
'id': id,
'title': title,
'description': description,
}
# Make it ordered
plugin_types.sort()
# Re-assign because it's a non-persistent property.
plugins._plugin_types = plugin_types
def login(self):
"""Set a cookie and redirect to the url that we tried to
authenticate against originally.
Override standard login method to avoid calling
'return response.redirect(came_from)' as there is additional
processing to ignore known bad come_from templates at
login_next.cpy script.
"""
request = self.REQUEST
response = request['RESPONSE']
login = request.get('__ac_name', '')
password = request.get('__ac_password', '')
user = getSecurityManager().getUser()
user_pas = user.aq_parent
if IPluggableAuthService.providedBy(user_pas):
# Delegate to the users own PAS if possible
user_pas.updateCredentials(request, response, login, password)
else:
# User does not originate from a PAS user folder, so lets try
# to do our own thing.
# XXX Perhaps we should do nothing here; test with pure User Folder!
pas_instance = self._getPAS()
if pas_instance is not None:
pas_instance.updateCredentials(request, response, login, password)
def isMemberIdAllowed(self, id):
if len(id) < 1 or id == 'Anonymous User':
return 0
if not self._ALLOWED_MEMBER_ID_PATTERN.match(id):
return 0
pas = getToolByName(self, 'acl_users')
if IPluggableAuthService.providedBy(pas):
results = pas.searchPrincipals(id=id, exact_match=True)
if results:
return 0
else:
for parent in aq_chain(self):
if hasattr(aq_base(parent), "acl_users"):
parent = parent.acl_users
if IPluggableAuthService.providedBy(parent):
if parent.searchPrincipals(id=id,
exact_match=True):
return 0
# When email addresses are used as logins, we need to check
# if there are any users with the requested login.
props = getToolByName(self, 'portal_properties').site_properties
if props.use_email_as_login:
results = pas.searchUsers(name=id, exact_match=True)
if results:
# return 0
# *********************
# Check if domain is ok
# *********************
from allowed.domains.interfaces import IAllowedDomainsSettings
from plone.registry.interfaces import IRegistry
registry = getUtility(IRegistry)
settings = registry.forInterface(IAllowedDomainsSettings)
# Assume validation has ensured there is a @ in the id
if id.split('@')[1] in settings.allowed_domains:
return 0
# *********************
else:
membership = getToolByName(self, 'portal_membership')
if membership.getMemberById(id) is not None:
return 0
groups = getToolByName(self, 'portal_groups')
if groups.getGroupById(id) is not None:
return 0
return 1
def __init__(self, context):
self.context = context
self.tool = getToolByName(self.context, 'portal_membership', None)
self.fieldnames = []
# for compatibility with Plone 2.0 (import next only on instance init)
from Products.PluggableAuthService.interfaces.authservice import IPluggableAuthService
self.compatible = IPluggableAuthService.providedBy(self.context.acl_users)
self.is_compatible()
def isMemberIdAllowed(self, id):
if len(id) < 1 or id == 'Anonymous User':
return 0
if not self._ALLOWED_MEMBER_ID_PATTERN.match(id):
return 0
pas = getToolByName(self, 'acl_users')
if IPluggableAuthService.providedBy(pas):
results = pas.searchPrincipals(id=id, exact_match=True)
if results:
return 0
else:
for parent in aq_chain(self):
if hasattr(aq_base(parent), "acl_users"):
parent = parent.acl_users
if IPluggableAuthService.providedBy(parent):
if parent.searchPrincipals(id=id, exact_match=True):
return 0
# When email addresses are used as logins, we need to check
# if there are any users with the requested login.
props = getToolByName(self, 'portal_properties').site_properties
if props.use_email_as_login:
results = pas.searchUsers(name=id, exact_match=True)
if results:
# return 0
# *********************
# Check if domain is ok
# *********************
from allowed.domains.interfaces import IAllowedDomainsSettings
from plone.registry.interfaces import IRegistry
registry = getUtility(IRegistry)
settings = registry.forInterface(IAllowedDomainsSettings)
# Assume validation has ensured there is a @ in the id
if id.split('@')[1] in settings.allowed_domains:
return 0
# *********************
else:
membership = getToolByName(self, 'portal_membership')
if membership.getMemberById(id) is not None:
return 0
groups = getToolByName(self, 'portal_groups')
if groups.getGroupById(id) is not None:
return 0
return 1
def _getPortrait(self, member_id):
"return member_id's portrait if you can "
if IPluggableAuthService.providedBy(self.acl_users):
plugins = self._getPlugins()
portrait_managers = plugins.listPlugins(IPortraitManagementPlugin)
for mid, manager in portrait_managers:
result = manager.getPortrait(member_id)
if result is not None:
return result
def __init__(self, context):
self.context = context
self.tool = getToolByName(self.context, 'portal_memberdata')
self.membrane_tool = getToolByName(self.context, 'membrane_tool', None)
self.fieldnames = []
# for compatibility with Plone 2.0 (import next only on instance init)
from Products.PluggableAuthService.interfaces.authservice import IPluggableAuthService
from Products.remember.interfaces import IRememberMembraneTool
self.compatible = IPluggableAuthService.providedBy(self.context.acl_users) and self.membrane_tool and IRememberMembraneTool.providedBy(self.membrane_tool)
self.is_compatible()
def install_pas_plugin(context):
uf_parent = aq_inner(context)
while True:
uf = getToolByName(uf_parent, "acl_users")
if IPluggableAuthService.providedBy(uf) and "jwt_auth" not in uf:
plugin = JWTAuthenticationPlugin("jwt_auth")
uf._setObject(plugin.getId(), plugin)
plugin = uf["jwt_auth"]
plugin.manage_activateInterfaces(
["IAuthenticationPlugin", "IExtractionPlugin"])
if uf_parent is uf_parent.getPhysicalRoot():
break
uf_parent = aq_parent(uf_parent)
def setMemberProperties(self, mapping, force_local=0):
"""PAS-specific method to set the properties of a
member. Ignores 'force_local', which is not reliably present.
"""
sheets = None
# We could pay attention to force_local here...
if not IPluggableAuthService.providedBy(self.acl_users):
# Defer to base impl in absence of PAS, a PAS user, or
# property sheets
return BaseMemberData.setMemberProperties(self, mapping)
else:
# It's a PAS! Whee!
user = self.getUser()
sheets = getattr(user, 'getOrderedPropertySheets', lambda: None)()
# We won't always have PlonePAS users, due to acquisition,
# nor are guaranteed property sheets
if not sheets:
# Defer to base impl if we have a PAS but no property
# sheets.
return BaseMemberData.setMemberProperties(self, mapping)
# If we got this far, we have a PAS and some property sheets.
# XXX track values set to defer to default impl
# property routing?
modified = False
for k, v in mapping.items():
if v == None:
continue
for sheet in sheets:
if not sheet.hasProperty(k):
continue
if IMutablePropertySheet.providedBy(sheet):
sheet.setProperty(user, k, v)
modified = True
else:
break
# raise RuntimeError, ("Mutable property provider "
# "shadowed by read only provider")
if modified:
self.notifyModified()
# Genweb: Updated by patch
notify(PropertiesUpdated(user, mapping))
def setMemberProperties(self, mapping, force_local=0):
""" PAS-specific method to set the properties of a
member. Ignores 'force_local', which is not reliably present.
"""
sheets = None
# We could pay attention to force_local here...
if not IPluggableAuthService.providedBy(self.acl_users):
# Defer to base impl in absence of PAS, a PAS user, or
# property sheets
return BaseMemberData.setMemberProperties(self, mapping)
else:
# It's a PAS! Whee!
user = self.getUser()
sheets = getattr(user, 'getOrderedPropertySheets', lambda: None)()
# We won't always have PlonePAS users, due to acquisition,
# nor are guaranteed property sheets
if not sheets:
# Defer to base impl if we have a PAS but no property
# sheets.
return BaseMemberData.setMemberProperties(self, mapping)
# If we got this far, we have a PAS and some property sheets.
# XXX track values set to defer to default impl
# property routing?
modified = False
for k, v in mapping.items():
if v is None:
continue
for sheet in sheets:
if not sheet.hasProperty(k):
continue
if IMutablePropertySheet.providedBy(sheet):
sheet.setProperty(user, k, v)
modified = True
else:
break
# raise RuntimeError, ("Mutable property provider "
# "shadowed by read only provider")
if modified:
self.notifyModified()
# Genweb: Updated by patch
notify(PropertiesUpdated(user, mapping))
def setMemberProperties(self, mapping, force_local=0, force_empty=False):
"""PAS-specific method to set the properties of a
member. Ignores 'force_local', which is not reliably present.
"""
sheets = None
# We could pay attention to force_local here...
if not IPluggableAuthService.providedBy(self._tool.acl_users):
# Defer to base impl in absence of PAS, a PAS user, or
# property sheets
return BaseMemberAdapter.setMemberProperties(self, mapping)
else:
# It's a PAS! Whee!
user = self.getUser()
sheets = getattr(user, 'getOrderedPropertySheets', lambda: None)()
# We won't always have PlonePAS users, due to acquisition,
# nor are guaranteed property sheets
if not sheets:
# Defer to base impl if we have a PAS but no property
# sheets.
return BaseMemberAdapter.setMemberProperties(self, mapping)
# If we got this far, we have a PAS and some property sheets.
# XXX track values set to defer to default impl
# property routing?
modified = False
for k, v in mapping.items():
if v is None and not force_empty:
continue
for sheet in sheets:
if not sheet.hasProperty(k):
continue
if IMutablePropertySheet.providedBy(sheet):
sheet.setProperty(user, k, v)
modified = True
else:
break
if modified:
self.notifyModified()
# Trigger PropertiesUpdated event when member properties are updated,
# excluding user login events
if not set(mapping.keys()) & set(('login_time', 'last_login_time')):
notify(PropertiesUpdated(self, mapping))
def canWriteProperty(self, prop_name):
"""True iff the group property named in 'prop_name'
can be changed.
"""
# this looks almost exactly like in memberdata. refactor?
if not IPluggableAuthService.providedBy(self.acl_users):
# not PAS; Groupdata is writable
return self._groupdataHasProperty(prop_name)
else:
# it's PAS
group = self.getGroup()
sheets = getattr(group, 'getOrderedPropertySheets', lambda: [])()
for sheet in sheets:
if not sheet.hasProperty(prop_name):
continue
if IMutablePropertySheet.providedBy(sheet):
return 1
else:
break # shadowed by read-only
return 0
def isMemberIdAllowed(self, id):
if len(id) < 1 or id == 'Anonymous User':
return 0
if not self._ALLOWED_MEMBER_ID_PATTERN.match( id ):
return 0
pas = getToolByName(self, 'acl_users')
if IPluggableAuthService.providedBy(pas):
results = pas.searchPrincipals(id=id, exact_match=True)
if results:
return 0
else:
membership = getToolByName(self, 'portal_membership')
if membership.getMemberById(id) is not None:
return 0
groups = getToolByName(self, 'portal_groups')
if groups.getGroupById(id) is not None:
return 0
return 1
def canWriteProperty(self, prop_name):
"""True iff the group property named in 'prop_name'
can be changed.
"""
# this looks almost exactly like in memberdata. refactor?
if not IPluggableAuthService.providedBy(self.acl_users):
# not PAS; Groupdata is writable
return self._groupdataHasProperty(prop_name)
else:
# it's PAS
group = self.getGroup()
sheets = getattr(group, 'getOrderedPropertySheets', lambda: [])()
for sheet in sheets:
if not sheet.hasProperty(prop_name):
continue
if IMutablePropertySheet.providedBy(sheet):
return 1
else:
break # shadowed by read-only
return 0
def addShibbolethPermissions(context):
"""Find the nearest acl_users and adds and activates an ShibbolethPermissions.
Return a 1-tuple with the new ShibbolethPermissions as its only element."""
acl_users = getattr(context, 'acl_users', None)
if acl_users is None:
raise LookupError("No acl_users can be acquired or otherwise found.")
pas = IPluggableAuthService(acl_users, None)
if pas is None:
raise ValueError(
"The nearest acl_users object is not a PluggableAuthService.")
pluginId = _firstIdOfClass(acl_users, ShibbolethPermissionsHandler)
if not pluginId:
pluginId = 'ShibbolethPermissions'
setup = acl_users.manage_addProduct[pluginId]
setup.manage_addShibbolethPermissions(pluginId,
'ShibbolethPermissions')
return pas[pluginId]
def deleteMemberData(self, member_id, REQUEST=None):
""" Delete member data of specified member.
"""
if IPluggableAuthService.providedBy(self.acl_users):
# It's a PAS! Whee!
# XXX: can we safely assume that user name == member_id
plugins = self._getPlugins()
prop_managers = plugins.listPlugins(IPropertiesPlugin)
for mid, prop_manager in prop_managers:
# Not all PropertiesPlugins support user deletion
try:
prop_manager.deleteUser(member_id)
except AttributeError:
pass
# we won't always have PlonePAS users, due to acquisition,
# nor are guaranteed property sheets
members = self._members
if member_id in members:
del members[member_id]
return 1
else:
return 0
def pas_fixup(self, out):
from Products.PluggableAuthService.PluggableAuthService import _PLUGIN_TYPE_INFO, PluggableAuthService
pas = getToolByName(self, "acl_users")
if not IPluggableAuthService.providedBy(pas):
print >> out, "PAS UF not found, skipping PAS fixup"
return
plugins = pas["plugins"]
plugin_types = list(Set(plugins._plugin_types))
for key, id, title, description in _PLUGIN_TYPE_INFO:
if key in plugin_types:
print >> out, "Plugin type '%s' already registered." % id
continue
print >> out, "Plugin type '%s' was not registered." % id
plugin_types.append(key)
plugins._plugin_type_info[key] = {"id": id, "title": title, "description": description}
# Make it ordered
plugin_types.sort()
# Re-assign because it's a non-persistent property.
plugins._plugin_types = plugin_types
def deleteMemberData(self, member_id, REQUEST=None):
""" Delete member data of specified member.
"""
if IPluggableAuthService.providedBy(self.acl_users):
# It's a PAS! Whee!
# XXX: can we safely assume that user name == member_id
plugins = self._getPlugins()
prop_managers = plugins.listPlugins(IPropertiesPlugin)
for mid, prop_manager in prop_managers:
# Not all PropertiesPlugins support user deletion
try:
prop_manager.deleteUser(member_id)
except AttributeError:
pass
# we won't always have PlonePAS users, due to acquisition,
# nor are guaranteed property sheets
members = self._members
if member_id in members:
del members[member_id]
return 1
else:
return 0
def setGroupProperties(self, mapping):
"""PAS-specific method to set the properties of a group.
"""
sheets = None
if not IPluggableAuthService.providedBy(self.acl_users):
# Defer to base impl in absence of PAS, a PAS group, or
# property sheets
return self._gruf_setGroupProperties(mapping)
else:
# It's a PAS! Whee!
group = self.getGroup()
sheets = getattr(group, 'getOrderedPropertySheets', lambda: [])()
# We won't always have PlonePAS groups, due to acquisition,
# nor are guaranteed property sheets
if not sheets:
# Defer to base impl if we have a PAS but no property
# sheets.
return self._gruf_setGroupProperties(mapping)
# If we got this far, we have a PAS and some property sheets.
# XXX track values set to defer to default impl
# property routing?
modified = False
for k, v in mapping.items():
for sheet in sheets:
if not sheet.hasProperty(k):
continue
if IMutablePropertySheet.providedBy(sheet):
sheet.setProperty(group, k, v)
modified = True
else:
raise RuntimeError, ("Mutable property provider "
"shadowed by read only provider")
if modified:
self.notifyModified()
def migrate_root_uf(self):
# Acquire parent user folder.
parent = self.getPhysicalRoot()
uf = getToolByName(parent, 'acl_users')
if IPluggableAuthService.providedBy(uf):
# It's a PAS already, fixup if needed.
pas_fixup(parent)
# Configure Challenge Chooser plugin if available
challenge_chooser_setup(parent)
return
if not uf.meta_type == 'User Folder':
# It's not a standard User Folder at the root. Nothing we can do.
return
# It's a standard User Folder, replace it.
replace_acl_users(parent)
# Get the new uf
uf = getToolByName(parent, 'acl_users')
pas = uf.manage_addProduct['PluggableAuthService']
plone_pas = uf.manage_addProduct['PlonePAS']
# Setup authentication plugins
setupAuthPlugins(parent,
pas,
plone_pas,
deactivate_basic_reset=False,
deactivate_cookie_challenge=True)
# Activate *all* interfaces for user manager. IUserAdder is not
# activated for some reason by default.
activatePluginInterfaces(parent, 'users')
# Configure Challenge Chooser plugin if available
challenge_chooser_setup(parent)
def setGroupProperties(self, mapping):
"""PAS-specific method to set the properties of a group.
"""
sheets = None
if not IPluggableAuthService.providedBy(self.acl_users):
# Defer to base impl in absence of PAS, a PAS group, or
# property sheets
return self._gruf_setGroupProperties(mapping)
else:
# It's a PAS! Whee!
group = self.getGroup()
sheets = getattr(group, 'getOrderedPropertySheets', lambda: [])()
# We won't always have PlonePAS groups, due to acquisition,
# nor are guaranteed property sheets
if not sheets:
# Defer to base impl if we have a PAS but no property
# sheets.
return self._gruf_setGroupProperties(mapping)
# If we got this far, we have a PAS and some property sheets.
# XXX track values set to defer to default impl
# property routing?
modified = False
for k, v in list(mapping.items()):
for sheet in sheets:
if not sheet.hasProperty(k):
continue
if IMutablePropertySheet.providedBy(sheet):
sheet.setProperty(group, k, v)
modified = True
else:
raise RuntimeError("Mutable property provider "
"shadowed by read only provider")
if modified:
self.notifyModified()
def getProperty(self, id, default=_marker):
"""PAS-specific method to fetch a group's properties. Looks
through the ordered property sheets.
"""
sheets = None
if not IPluggableAuthService.providedBy(self.acl_users):
return BaseGroupData.getProperty(self, id)
else:
# It's a PAS! Whee!
group = self.getGroup()
sheets = getattr(group, 'getOrderedPropertySheets', lambda: None)()
# we won't always have PlonePAS groups, due to acquisition,
# nor are guaranteed property sheets
if not sheets:
return BaseGroupData.getProperty(self, id)
# If we made this far, we found a PAS and some property sheets.
for sheet in sheets:
if sheet.hasProperty(id):
# Return the first one that has the property.
return sheet.getProperty(id)
# Couldn't find the property in the property sheets. Try to
# delegate back to the base implementation.
return BaseGroupData.getProperty(self, id, default)
def test_installed(self):
self.failUnless(IPluggableAuthService.providedBy(self.acl_users))
def __init__(self, context):
self.context = context
self.tool = getToolByName(self.context, 'portal_membership', None)
self.fieldnames = []
self.compatible = IPluggableAuthService.providedBy(self.context.acl_users)
self.is_compatible()
def install(self):
out = StringIO()
portal = getToolByName(self, "portal_url").getPortalObject()
uf = getToolByName(self, "acl_users")
EXISTING_UF = "acl_users" in portal.objectIds()
EXISTING_PAS = IPluggableAuthService.providedBy(uf)
if EXISTING_PAS:
# Fix possible missing PAS plugins registration.
pas_fixup(self, out)
# Register PAS Plugin Types
registerPluginTypes(uf)
ldap_ufs, ldap_gf = None, None
userdata = groupdata = memberships = ()
if not EXISTING_UF:
userdata = grabUserData(portal, out)
addPAS(portal, out)
elif not EXISTING_PAS:
# We've got a existing user folder, but it's not a PAS
# instance.
goForMigration(portal, out)
userdata = grabUserData(portal, out)
groupdata, memberships = grabGroupData(portal, out)
ldap_ufs, ldap_gf = grabLDAPFolders(portal, out)
if (ldap_ufs or ldap_gf) and not CAN_LDAP:
raise Exception, (
"LDAPUserFolders present, but LDAPMultiPlugins "
"not present. To successfully auto-migrate, "
"the LDAPMultiPlugins product must be installed. "
"(%s, %s):%s" % (ldap_ufs, ldap_gf, CAN_LDAP)
)
replaceUserFolder(portal, out)
# Configure Challenge Chooser plugin if available
challenge_chooser_setup(self, out)
configurePlonePAS(portal, out)
setupTools(portal, out)
if EXISTING_UF and CAN_LDAP and ldap_gf is not None and ldap_ufs is not None:
restoreLDAP(portal, out, ldap_ufs, ldap_gf)
if not EXISTING_PAS:
restoreUserData(portal, out, userdata)
restoreGroupData(portal, out, groupdata, memberships)
# XXX Why do we need to do this?
migrate_root_uf(self, out)
print >> out, "\nSuccessfully installed %s." % config.PROJECTNAME
return out.getvalue()
def test_installed(self):
self.assertTrue(IPluggableAuthService.providedBy(self.acl_users))
def test_installed(self):
self.assertTrue(IPluggableAuthService.providedBy(self.acl_users))