Esempio n. 1
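    def update_inherit(self, status=True, reindex=True):
        """Switch local-role acquisition on or off and notify an event.

        Wrapper for the super method that notifies a corresponding event,
        which is needed for adding a journal entry after a change of the
        inheritance.

        :param status: True to acquire local roles from the parent,
            False to block acquisition.
        :param reindex: when true, reindex the object's security after
            the change.
        :returns: False if the requested state equals the current one
            (nothing is changed), True otherwise.
        """

        # Modifying local roles needs the "Sharing page: Delegate roles"
        # permission as well as "Modify portal content". However, we don't
        # want to give the "Role Manager" Role "Modify portal content",
        # so we circumvent the permission check here by temporarily assuming
        # the owner's roles. [lgraf]
        #
        # NOTE(review): no permission check is visible inside this method
        # before the security context is switched; presumably the caller is
        # protected by "Sharing page: Delegate roles" -- confirm.

        context = self.context
        portal_membership = getToolByName(context, 'portal_membership')

        block = not status
        oldblock = bool(
            getattr(aq_base(context), '__ac_local_roles_block__', False))

        if block == oldblock:
            return False

        # Remember the real user; the role lookups below must refer to
        # this user, not to the owner assumed afterwards.
        user = portal_membership.getAuthenticatedMember()

        # Assume the portal owner's security context.
        old_sm = getSecurityManager()

        owner = getToolByName(
            context, 'portal_url').getPortalObject().getWrappedOwner()
        newSecurityManager(self.context, owner)

        try:
            if block:
                # If the user has inherited local roles and removes the
                # inheritance, locally set the roles inherited before to
                # avoid a definitive loss of access (refs #11945)
                context_roles = user.getRolesInContext(context)
                global_roles = user.getRoles()
                local_roles = [
                    r for r in context_roles if r not in global_roles]
                if local_roles:
                    context.manage_setLocalRoles(user.getId(), local_roles)

            # None (rather than False) is stored when acquisition is active.
            context.__ac_local_roles_block__ = True if block else None
        finally:
            # Always restore the original security manager, also when one
            # of the calls above raises; otherwise the owner's security
            # context would stay in effect after the failure.
            setSecurityManager(old_sm)

        if reindex:
            context.reindexObjectSecurity()

        if not block:
            notify(LocalRolesAcquisitionActivated(self.context))
        else:
            notify(LocalRolesAcquisitionBlocked(self.context))

        return True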
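    def test_integration_repository_events(self):
        """Trigger every event of a repo at least once and check the
        journal entries.

        The events are notified on the repository folder, while the
        annotations are checked on the repository root.
        """
        portal = self.layer['portal']

        repo_root = createContentInContainer(
            portal, 'opengever.repository.repositoryroot', 'root')
        repo = createContentInContainer(
            repo_root, 'opengever.repository.repositoryfolder', 'r1')

        # Local roles acquisition blocked event
        notify(LocalRolesAcquisitionBlocked(repo, ))

        # Check
        self.check_annotation(
            repo_root,
            action_type='Local roles Aquisition Blocked',
            action_title='Local roles aquistion blocked at %s.' %
            (repo.title_or_id()))

        # Local roles acquisition activated event
        notify(LocalRolesAcquisitionActivated(repo, ))

        # Check
        self.check_annotation(
            repo_root,
            action_type='Local roles Aquisition Activated',
            action_title='Local roles aquistion activated at %s.' %
            (repo.title_or_id()))

        # Local roles modified
        notify(
            LocalRolesModified(repo, 'old roles', (
                ['catman', ['Owner']],
                ['ratman', ['Owner', 'Reader']],
                ['test_user', ['Reader', 'Publisher']],
            )))

        # Check the LocalRolesModified entry. The expected comment has no
        # entry for catman (Owner only) and no Owner entry for ratman.
        self.check_annotation(
            repo_root,
            action_type='Local roles modified',
            action_title='Local roles modified at %s.' % (
                repo.title_or_id()),
            comment='ratman: sharing_dossier_reader; test_user: '
                    'sharing_dossier_reader, sharing_dossier_publisher')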
Esempio n. 3
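    def test_integration_repository_events(self):
        """Trigger every event of a repo at least once and check the
        journal entries.

        The events are notified on the repository folder, while the
        annotations are checked on the repository root.
        """
        repo_root, repo = create(Builder('repository_tree'))

        # Local roles acquisition blocked event
        notify(
            LocalRolesAcquisitionBlocked(repo, ))

        # Check
        self.check_annotation(
            repo_root,
            action_type='Local roles Aquisition Blocked',
            action_title='Local roles aquistion blocked at %s.' % (
                repo.title_or_id()))

        # Local roles acquisition activated event
        notify(
            LocalRolesAcquisitionActivated(repo, ))

        # Check
        self.check_annotation(
            repo_root,
            action_type='Local roles Aquisition Activated',
            action_title='Local roles aquistion activated at %s.' % (
                repo.title_or_id()))

        # Local roles modified
        notify(
            LocalRolesModified(
                repo, 'old roles',
                (['catman', ['Owner']],
                 ['ratman', ['Owner', 'Reader']],
                 ['test_user', ['Reader', 'Publisher']])
            ))

        # Check the LocalRolesModified entry. The expected comment has no
        # entry for catman (Owner only) and no Owner entry for ratman.
        self.check_annotation(
            repo_root,
            action_type='Local roles modified',
            action_title='Local roles modified at %s.' % (
                repo.title_or_id()),
            comment='ratman: sharing_dossier_reader; test_user: '
                    'sharing_dossier_reader, sharing_dossier_publisher')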
Esempio n. 4
    def test_blocked_local_roles(self):
        """Check that the 'blocked_local_roles' index value follows the
        ``__ac_local_roles_block__`` attribute of the repository folder.

        The first two checks reindex the object explicitly; the last two
        only notify the acquisition events.
        """
        index_name = 'blocked_local_roles'

        self.login(self.regular_user)

        # Baseline: nothing blocked after a plain reindex.
        self.leaf_repofolder.reindexObject()
        self.assert_index_value(False, index_name, self.leaf_repofolder)

        # Blocking plus an explicit reindex.
        self.leaf_repofolder.__ac_local_roles_block__ = True
        self.leaf_repofolder.reindexObject()
        self.assert_index_value(True, index_name, self.leaf_repofolder)

        # Flag changes followed only by the matching event, no explicit
        # reindex: first re-activate acquisition, then block it again.
        event_steps = (
            (False, LocalRolesAcquisitionActivated),
            (True, LocalRolesAcquisitionBlocked),
        )
        for blocked, event_class in event_steps:
            self.leaf_repofolder.__ac_local_roles_block__ = blocked
            notify(event_class(self.leaf_repofolder))
            self.assert_index_value(
                blocked, index_name, self.leaf_repofolder)
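    def test_integration_dossier_events(self):
        """Trigger every event of a dossier at least once and check the
        journal entries.

        Both the events and the annotation checks use the dossier itself.
        """
        portal = self.layer['portal']

        # Add event
        dossier = createContentInContainer(
            portal, 'opengever.dossier.businesscasedossier', 'd1')

        self.check_object_added(
            dossier,
            'Dossier added',
            'Dossier added: %s' % dossier.title_or_id(),
        )

        # Modified event
        notify(ObjectModifiedEvent(dossier))

        # Check
        self.check_annotation(dossier,
                              action_type='Dossier modified',
                              action_title='Dossier modified: %s' %
                              (dossier.title_or_id()))

        # Get the workflow for the dossier to test the ActionSucceededEvent
        wftool = getToolByName(dossier, 'portal_workflow')
        workflow = wftool.get('simple_publication_workflow')

        # Action succeeded event
        notify(
            ActionSucceededEvent(
                dossier,
                workflow,
                'publish',
                'published',
            ))

        # Check
        self.check_annotation(
            dossier,
            action_type='Dossier state changed',
            action_title='Dossier state changed to published')

        # Local roles acquisition blocked event
        notify(LocalRolesAcquisitionBlocked(dossier, ))

        # Check
        self.check_annotation(dossier,
                              action_type='Local roles Aquisition Blocked',
                              action_title='Local roles aquistion blocked.')

        # Local roles acquisition activated event
        notify(LocalRolesAcquisitionActivated(dossier, ))

        # Check
        self.check_annotation(dossier,
                              action_type='Local roles Aquisition Activated',
                              action_title='Local roles aquistion activated.')

        # Local roles modified
        notify(
            LocalRolesModified(dossier, 'old roles', (
                ['catman', ['Owner']],
                ['ratman', ['Owner', 'Reader']],
                ['test_user', ['Reader', 'Publisher']],
            )))

        # Check the LocalRolesModified entry. The expected comment has no
        # entry for catman (Owner only) and no Owner entry for ratman.
        self.check_annotation(
            dossier,
            action_type='Local roles modified',
            action_title='Local roles modified.',
            comment='ratman: sharing_dossier_reader; test_user: '
                    'sharing_dossier_reader, sharing_dossier_publisher')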
Esempio n. 6
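    def update_inherit(self, status=True, reindex=True):
        """Switch local-role acquisition on or off and notify an event.

        Wrapper for the super method that notifies a corresponding event,
        which is needed for adding a journal entry after a change of the
        inheritance.

        :param status: True to acquire local roles from the parent,
            False to block acquisition.
        :param reindex: when true, reindex the object's security after
            the change.
        :returns: False if the requested state equals the current one
            (nothing is changed), True otherwise.
        """
        # Evaluated before the security context is switched below, so it
        # describes the real user.
        user = api.user.get_current()
        is_administrator = user.has_role('Administrator') or user.has_role(
            'Manager')

        # Modifying local roles needs the "Sharing page: Delegate roles"
        # permission as well as "Modify portal content". However, we don't
        # want to give the "Role Manager" Role "Modify portal content",
        # so we circumvent the permission check here by temporarily assuming
        # the owner's roles. [lgraf]
        #
        # NOTE(review): no permission check is visible inside this method
        # before the security context is switched; presumably the caller is
        # protected by "Sharing page: Delegate roles" -- confirm.

        context = self.context
        portal_membership = getToolByName(context, 'portal_membership')

        block = not status
        oldblock = bool(
            getattr(aq_base(context), '__ac_local_roles_block__', False))

        if block == oldblock:
            return False

        # Remember the real user; the role lookups below must refer to
        # this user, not to the owner assumed afterwards.
        user = portal_membership.getAuthenticatedMember()

        # Assume the portal owner's security context.
        old_sm = getSecurityManager()

        owner = getToolByName(
            context, 'portal_url').getPortalObject().getWrappedOwner()
        newSecurityManager(self.context, owner)

        try:
            if block and not is_administrator:
                # If the user has inherited local roles and removes the
                # inheritance, locally set the roles inherited before to
                # avoid a definitive loss of access (refs #11945)

                # For administrators and managers we skip this fallback,
                # because the access for those users is ensured by the
                # global roles. So we can avoid local roles assigned to a
                # specific user, which we say should not be used usually.

                context_roles = user.getRolesInContext(context)
                global_roles = user.getRoles()
                local_roles = [
                    r for r in context_roles if r not in global_roles]
                if local_roles:
                    assignment = SharingRoleAssignment(
                        user.getId(), local_roles)
                    RoleAssignmentManager(
                        self.context).add_or_update_assignment(assignment)

            # None (rather than False) is stored when acquisition is active.
            context.__ac_local_roles_block__ = True if block else None
        finally:
            # Always restore the original security manager, also when one
            # of the calls above raises; otherwise the owner's security
            # context would stay in effect after the failure.
            setSecurityManager(old_sm)

        if reindex:
            context.reindexObjectSecurity()

        if not block:
            notify(LocalRolesAcquisitionActivated(self.context))
        else:
            notify(LocalRolesAcquisitionBlocked(self.context))

        return True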