def _to_users(self, users_perms_and_groups, ticket):
"""Finds all users contained in the list of `users_perms_and_groups`
by recursive lookup of users when a `group` is encountered.
"""
ps = PermissionSystem(self.env)
groups = ps.get_groups_dict()
def append_owners(users_perms_and_groups):
for user_perm_or_group in users_perms_and_groups:
if user_perm_or_group == 'authenticated':
owners.update({u[0] for u in self.env.get_known_users()})
elif user_perm_or_group.isupper():
perm = user_perm_or_group
for user in ps.get_users_with_permission(perm):
if perm in PermissionCache(self.env, user,
ticket.resource):
owners.add(user)
elif user_perm_or_group not in groups:
owners.add(user_perm_or_group)
else:
append_owners(groups[user_perm_or_group])
owners = set()
append_owners(users_perms_and_groups)
return sorted(owners)
def _to_users(self, users_perms_and_groups, ticket):
"""Finds all users contained in the list of `users_perms_and_groups`
by recursive lookup of users when a `group` is encountered.
"""
ps = PermissionSystem(self.env)
groups = ps.get_groups_dict()
def append_owners(users_perms_and_groups):
for user_perm_or_group in users_perms_and_groups:
if user_perm_or_group == 'authenticated':
owners.update(set(u[0] for u in self.env.get_known_users()))
elif user_perm_or_group.isupper():
perm = user_perm_or_group
for user in ps.get_users_with_permission(perm):
if perm in PermissionCache(self.env, user,
ticket.resource):
owners.add(user)
elif user_perm_or_group not in groups:
owners.add(user_perm_or_group)
else:
append_owners(groups[user_perm_or_group])
owners = set()
append_owners(users_perms_and_groups)
return sorted(owners)
def get_users(self, req, users_perms_and_groups=None):
ps = PermissionSystem(self.env)
users = map(lambda x: x[0], self.env.get_known_users())
groups = ps.get_groups_dict()
if isinstance(users_perms_and_groups, str) or isinstance(users_perms_and_groups, unicode):
users_perms_and_groups = users_perms_and_groups.split(',')
if not isinstance(users_perms_and_groups, list):
raise ValueError('users_perms_and_groups should be either str or list.')
def append_owners(users_perms_and_groups):
for user_perm_or_group in users_perms_and_groups:
if user_perm_or_group == '$USER':
owners.add(req.session.sid)
elif user_perm_or_group in users:
owners.add(user_perm_or_group)
elif user_perm_or_group == 'authenticated':
owners.update(set(u[0] for u in self.env.get_known_users()))
elif user_perm_or_group.isupper():
perm = user_perm_or_group
for user in ps.get_users_with_permission(perm):
owners.add(user)
elif user_perm_or_group not in groups:
owners.add(user_perm_or_group)
else:
append_owners(groups[user_perm_or_group])
owners = set()
append_owners(users_perms_and_groups)
return sorted(owners)
def test_grant_undefined_permission_with_permission_grant(self):
"""Undefined permission is granted without checking granter."""
ps = PermissionSystem(self.env)
ps.grant_permission('user1', 'PERMISSION_GRANT')
self.env.db_transaction("""
INSERT INTO permission VALUES ('group1', 'TEST_PERM')
""")
req = MockRequest(self.env, method='POST', authname='user1', args={
'add': True, 'subject': 'user2', 'group': 'group1'})
with self.assertRaises(RequestDone):
self.panel.render_admin_panel(req, 'general', 'perm', None)
self.assertIn('TEST_PERM',
ps.get_user_permissions('group1', undefined=True))
self.assertIn('user2', ps.get_groups_dict()['group1'])
def render_admin_panel(self, req, cat, page, path_info):
perm = PermissionSystem(self.env)
all_actions = perm.get_actions()
if req.method == 'POST':
subject = req.args.get('subject', '').strip()
target = req.args.get('target', '').strip()
action = req.args.get('action')
group = req.args.get('group', '').strip()
if subject and subject.isupper() or \
group and group.isupper() or \
target and target.isupper():
raise TracError(
_("All upper-cased tokens are reserved for "
"permission names."))
# Grant permission to subject
if 'add' in req.args and subject and action:
req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
if action not in all_actions:
raise TracError(_("Unknown action"))
req.perm.require(action)
try:
perm.grant_permission(subject, action)
except TracError as e:
add_warning(req, e)
else:
add_notice(
req,
_(
"The subject %(subject)s has been "
"granted the permission %(action)s.",
subject=subject,
action=action))
# Add subject to group
elif 'add' in req.args and subject and group:
req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
for action in perm.get_user_permissions(group):
req.perm.require(
action,
message=_(
"The subject %(subject)s was not added to "
"the group %(group)s because the group has "
"%(perm)s permission and users cannot grant "
"permissions they don't possess.",
subject=subject,
group=group,
perm=action))
try:
perm.grant_permission(subject, group)
except TracError as e:
add_warning(req, e)
else:
add_notice(
req,
_(
"The subject %(subject)s has been "
"added to the group %(group)s.",
subject=subject,
group=group))
# Copy permissions to subject
elif 'copy' in req.args and subject and target:
req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
subject_permissions = perm.get_users_dict().get(subject, [])
if not subject_permissions:
add_warning(
req,
_(
"The subject %(subject)s does not "
"have any permissions.",
subject=subject))
for action in subject_permissions:
if action not in all_actions: # plugin disabled?
self.log.warning(
"Skipped granting %s to %s: "
"permission unavailable.", action, target)
else:
if action not in req.perm:
add_warning(
req,
_(
"The permission %(action)s was "
"not granted to %(subject)s "
"because users cannot grant "
"permissions they don't possess.",
action=action,
subject=subject))
continue
try:
perm.grant_permission(target, action)
except PermissionExistsError:
pass
else:
add_notice(
req,
_(
"The subject %(subject)s has "
"been granted the permission "
"%(action)s.",
subject=target,
action=action))
req.redirect(req.href.admin(cat, page))
# Remove permissions action
elif 'remove' in req.args and 'sel' in req.args:
req.perm('admin', 'general/perm').require('PERMISSION_REVOKE')
for key in req.args.getlist('sel'):
subject, action = key.split(':', 1)
subject = unicode_from_base64(subject)
action = unicode_from_base64(action)
if (subject, action) in perm.get_all_permissions():
perm.revoke_permission(subject, action)
add_notice(req,
_("The selected permissions have been "
"revoked."))
req.redirect(req.href.admin(cat, page))
return 'admin_perms.html', {
'actions': all_actions,
'allowed_actions': [a for a in all_actions if a in req.perm],
'perms': perm.get_users_dict(),
'groups': perm.get_groups_dict(),
'unicode_to_base64': unicode_to_base64
}
def render_admin_panel(self, req, cat, page, path_info):
perm = PermissionSystem(self.env)
all_permissions = perm.get_all_permissions()
all_actions = perm.get_actions()
if req.method == 'POST':
subject = req.args.get('subject', '').strip()
target = req.args.get('target', '').strip()
action = req.args.get('action')
group = req.args.get('group', '').strip()
if subject and subject.isupper() or \
group and group.isupper() or \
target and target.isupper():
raise TracError(_("All upper-cased tokens are reserved for "
"permission names."))
# Grant permission to subject
if req.args.get('add') and subject and action:
req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
if action not in all_actions:
raise TracError(_("Unknown action"))
req.perm.require(action)
if (subject, action) not in all_permissions:
perm.grant_permission(subject, action)
add_notice(req, _("The subject %(subject)s has been "
"granted the permission %(action)s.",
subject=subject, action=action))
req.redirect(req.href.admin(cat, page))
else:
add_warning(req, _("The permission %(action)s was already "
"granted to %(subject)s.",
action=action, subject=subject))
# Add subject to group
elif req.args.get('add') and subject and group:
req.perm('admin', 'general/perm').require('PERMISSION_GRANT')
for action in perm.get_user_permissions(group):
if not action in all_actions: # plugin disabled?
self.env.log.warn("Adding %s to group %s: "
"Permission %s unavailable, skipping perm check.",
subject, group, action)
else:
req.perm.require(action,
message=_("The subject %(subject)s was not added "
"to the group %(group)s because the "
"group has %(perm)s permission and "
"users cannot grant permissions they "
"don't possess.", subject=subject,
group=group, perm=action))
if (subject, group) not in all_permissions:
perm.grant_permission(subject, group)
add_notice(req, _("The subject %(subject)s has been added "
"to the group %(group)s.",
subject=subject, group=group))
req.redirect(req.href.admin(cat, page))
else:
add_warning(req, _("The subject %(subject)s was already "
"added to the group %(group)s.",
subject=subject, group=group))
# Copy permissions to subject
elif req.args.get('copy') and subject and target:
req.perm.require('PERMISSION_GRANT')
subject_permissions = [i[1] for i in all_permissions
if i[0] == subject and
i[1].isupper()]
if not subject_permissions:
add_warning(req,_("The subject %(subject)s does not "
"have any permissions.",
subject=subject))
for action in subject_permissions:
if (target, action) in all_permissions:
continue
if not action in all_actions: # plugin disabled?
self.env.log.warn("Skipped granting %s to %s: "
"permission unavailable.",
action, target)
else:
if action not in req.perm:
add_warning(req,
_("The permission %(action)s was "
"not granted to %(subject)s "
"because users cannot grant "
"permissions they don't possess.",
action=action, subject=subject))
continue
perm.grant_permission(target, action)
add_notice(req, _("The subject %(subject)s has "
"been granted the permission "
"%(action)s.",
subject=target, action=action))
req.redirect(req.href.admin(cat, page))
# Remove permissions action
elif req.args.get('remove') and req.args.get('sel'):
req.perm('admin', 'general/perm').require('PERMISSION_REVOKE')
sel = req.args.get('sel')
sel = sel if isinstance(sel, list) else [sel]
for key in sel:
subject, action = key.split(':', 1)
subject = unicode_from_base64(subject)
action = unicode_from_base64(action)
if (subject, action) in perm.get_all_permissions():
perm.revoke_permission(subject, action)
add_notice(req, _("The selected permissions have been "
"revoked."))
req.redirect(req.href.admin(cat, page))
return 'admin_perms.html', {
'actions': all_actions,
'perms': perm.get_users_dict(),
'groups': perm.get_groups_dict(),
'unicode_to_base64': unicode_to_base64
}
