コード例 #1
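    def _auth_with_ticket(self):
        """
        with flashupload authentication is done using a ticket

        The ticket is read from the request and resolved to its owner with
        ``ticketmod.ticketOwner``; that owner then becomes the active user.
        The security manager that was active before the switch is stored in
        ``self.old_sm``; this method does not restore it.

        Raises Unauthorized when no ticket was sent or when the ticket has
        no owner.
        """

        context = aq_inner(self.context)
        request = self.request
        url = context.absolute_url()

        ticket = getDataFromAllRequests(request, 'ticket')
        if ticket is None:
            raise Unauthorized('No ticket specified')

        # The ticket is a bearer credential: presenting it is enough to be
        # switched to its owner below, so its value is kept out of the log.
        logger.info('Authenticate using ticket')
        username = ticketmod.ticketOwner(url, ticket)
        if username is None:
            logger.info('Ticket was invalidated, cannot be used any more.')
            raise Unauthorized('Ticket is not valid')

        self.old_sm = SecurityManagement.getSecurityManager()
        # NOTE(review): the result of find_user is not checked before it is
        # installed as the active user -- confirm it cannot be None here.
        user = find_user(context, username)
        SecurityManagement.newSecurityManager(self.request, user)
        logger.info('Switched to user "%s"', username)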
コード例 #2
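 def editSyInformationProperties(self,
                                 obj,
                                 updatePeriod=None,
                                 updateFrequency=None,
                                 updateBase=None,
                                 max_items=None,
                                 REQUEST=None):
     """
     Edit syndication properties for the obj being passed in.
     These are held on the syndication_information object.
     Not Sitewide Properties.

     Each falsy argument resets the matching property to the value held
     on ``self``.

     Raises Unauthorized when the caller lacks ManageProperties on obj,
     and ValueError when obj has no syndication_information attribute.
     """
     # The permission check comes first so that nothing about obj is
     # revealed or changed for a caller who may not manage it.
     if not _checkPermission(ManageProperties, obj):
         raise Unauthorized
     syInfo = getattr(obj, 'syndication_information', None)
     if syInfo is None:
         # A bare string is not a valid exception object; raising one fails
         # with a TypeError instead of reporting the real problem.
         raise ValueError('Syndication is Disabled')
     syInfo.syUpdatePeriod = updatePeriod or self.syUpdatePeriod
     syInfo.syUpdateFrequency = updateFrequency or self.syUpdateFrequency
     syInfo.syUpdateBase = updateBase or self.syUpdateBase
     syInfo.max_items = max_items or self.max_items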
コード例 #3
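def createObjectAsPortalOwner(container, type_name, id_):
    """Create an object as the portal owner.

    The template registered for ``type_name`` is copied into ``container``
    and renamed to ``id_`` while the portal owner is the active user.

    Returns the new object, or None when the type has no template info or
    no template for this container.
    """
    info = interfaces.ITemplateTypeInfo(
        container.portal_types.getTypeInfo(type_name), None)
    if info is None:
        return
    template = info.getTemplate(container)
    if template is None:
        return
    source = Acquisition.aq_parent(Acquisition.aq_inner(template))

    sm = SecurityManagement.getSecurityManager()
    SecurityManagement.newSecurityManager(
        None,
        container.portal_url.getPortalObject().getOwner())
    try:
        result, = container.manage_pasteObjects(
            source.manage_copyObjects([template.getId()]))
        container.manage_renameObject(result['new_id'], id_)
    finally:
        # Restore the caller's identity even when the copy or rename fails;
        # otherwise the rest of the request would keep running as the
        # portal owner.
        SecurityManagement.setSecurityManager(sm)

    added = container[id_]
    owner.changeOwnershipOf(added)
    event.notify(interfaces.TemplateCopiedEvent(added, template))

    return added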
コード例 #4
ファイル: security.py プロジェクト: Daetalus/DocumentTemplate
 def SecurityCalledByExecutable(md):
     """Report whether this context was called by an executable.

     The value comes from the active security manager's
     calledByExecutable(); a positive result is lowered by one, any other
     result is passed through unchanged.  ``md`` is not used.
     """
     depth = SecurityManagement.getSecurityManager().calledByExecutable()
     return depth - 1 if depth > 0 else depth
コード例 #5
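    def __call__(self):
        """ Create a new revision folder based on an existing item

        A new Folder takes over the id of the context inside the parent and
        the context is moved into it under the next revision code.  When a
        valid placeful workflow policy is configured it is applied to the
        new folder as the system user.  The request is redirected with a
        status message on success and on failure.
        """
        context_id = self.context.getId()
        parent = getMultiAdapter((self.context, self.request), name=u'plone_context_state').parent()
        try:
            uniqueid = parent.generateUniqueId('Folder')
            uniqueid = parent.invokeFactory('Folder', uniqueid)
            folderish_obj = getattr(parent, uniqueid)

            folderish_obj.setTitle(self.context.Title())

            alsoProvides(folderish_obj, IRevision)

            revision_info = IRevisionInfo(folderish_obj)
            next_code = revision_info.next_code()

            transaction.savepoint(optimistic=True)

            _move(parent, self.context, folderish_obj, context_id, next_code)

            revisionfile = getattr(folderish_obj, next_code)
            alsoProvides(revisionfile, IRevisionFile)

            _move(parent, folderish_obj, parent, uniqueid, context_id)

            newcontext = getattr(parent, context_id)
            ppw = getToolByName(newcontext, 'portal_placeful_workflow', None)
            if ppw:
                portal_type = self.context.portal_type
                # Prefer the utility registered under the portal type and
                # fall back to the unnamed one only when there is none.
                # (Negating the first lookup discarded a utility that was
                # found, so a type-specific policy was never applied.)
                priority_utility = queryUtility(IRevisionWorkflowUtility, name=portal_type)
                if priority_utility is None:
                    priority_utility = queryUtility(IRevisionWorkflowUtility)
                policy_id = priority_utility and priority_utility.policy_id()
                if policy_id and ppw.isValidPolicyName(policy_id):

                    # The policy configuration is written as the system
                    # user; the finally clause puts the caller's security
                    # manager back whether or not the calls succeed.
                    old_sm = SecurityManagement.getSecurityManager()
                    try:
                        SecurityManagement.newSecurityManager(None, SpecialUsers.system)
                        newcontext.manage_addProduct['CMFPlacefulWorkflow'].manage_addWorkflowPolicyConfig()
                        config = ppw.getWorkflowPolicyConfig(newcontext)
                        config.setPolicyIn(policy=policy_id)
                        config.setPolicyBelow(policy=policy_id, update_security=True)
                    finally:
                        SecurityManagement.setSecurityManager(old_sm)
            newcontext.reindexObject()
            newcontext.reindexObjectSecurity()

        except ConflictError:
            # Let the publisher retry the request on a database conflict.
            raise
        except Exception:
            # NOTE(review): every other failure, permission errors included,
            # ends here with a generic message and nothing is logged;
            # consider recording the exception for later diagnosis.
            view_url = getMultiAdapter((self.context, self.request), name=u'plone_context_state').view_url()
            self.request.response.redirect(view_url)
            IStatusMessage(self.request).addStatusMessage(_(u'enabled_revision_error', default=u'Error'), type='error')
        else:
            view_url = getMultiAdapter((folderish_obj, self.request), name=u'plone_context_state').view_url()
            self.request.response.redirect(view_url)
            IStatusMessage(self.request).addStatusMessage(_(u'enabled_revision_ok', default=u'Revision created correctly'), type='info')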
コード例 #6
ファイル: ImplPython.py プロジェクト: wpjunior/proled
def guarded_getattr(inst, name, default=_marker):
    """Retrieves an attribute, checking security in the process.

    Raises Unauthorized if the attribute is found but the user is
    not allowed to access the attribute.

    Names that start with an underscore are always refused.  When the
    attribute does not exist, ``default`` is returned if one was given;
    otherwise the AttributeError propagates.
    """
    # Underscore-prefixed names are refused before any lookup is made.
    if name[:1] == '_':
        raise Unauthorized, name

    # Try to get the attribute normally so that unusual
    # exceptions are caught early.
    try:
        v = getattr(inst, name)
    except AttributeError:
        if default is not _marker:
            return default
        raise

    # For a bound method the container is the object it is bound to;
    # otherwise it is the acquisition parent of the value, or inst when
    # there is no parent.
    try:
        container = v.im_self
    except AttributeError:
        container = aq_parent(aq_inner(v)) or inst

    # Presumably the access declaration registered for the container's
    # type; the branches below handle a dict, a callable or a plain flag.
    assertion = Containers(type(container))

    if isinstance(assertion, dict):
        # We got a table that lets us reason about individual
        # attrs
        assertion = assertion.get(name)
        if assertion:
            # There's an entry, but it may be a function.
            if callable(assertion):
                return assertion(inst, name)

            # Nope, it's boolean
            return v
        # No entry, or a false one, for this name: access is denied.
        raise Unauthorized, name

    if assertion:
        if callable(assertion):
            factory = assertion(name, v)
            if callable(factory):
                return factory(inst, name)
            # NOTE(review): assert statements are removed when Python runs
            # with -O, so this check and the one below would not run there
            # and any truthy value would be accepted.
            assert factory == 1
        else:
            assert assertion == 1
        return v


    # See if we can get the value doing a filtered acquire.
    # aq_acquire will either return the same value as held by
    # v or it will return an Unauthorized raised by validate.
    validate = SecurityManagement.getSecurityManager().validate
    # The result is discarded: the call is made only for the check that
    # validate performs during the acquire.
    aq_acquire(inst, name, aq_validate, validate)
    
    return v
コード例 #7
ファイル: utils.py プロジェクト: madfrog2018/everydo-project
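def reorderFolderContents(folder, encodedlist, reverse=False):
    """Reorder the items of ``folder`` to follow a posted list of ids.

    ``encodedlist`` is a query-string style list such as
    ``id[]=313128&id[]=800959&id[]=304611``.  Ids in the list that are not
    in the folder yet are looked up as TodoItem objects below the folder's
    parent and moved into the folder first.  Items of the folder that the
    list does not mention keep their relative order after the listed ones.
    With ``reverse`` set, the list is applied back to front.  An empty list
    changes nothing.
    """
    folder = folder.aq_inner
    encodedlist = encodedlist.strip()
    if not encodedlist:
        return

    ids = [pair.split('=')[1] for pair in encodedlist.split('&')]
    if reverse:
        ids.reverse()
    ctool = getToolByName(folder, 'portal_catalog')

    existing_ids = folder.objectIds()
    moved_ids = [item_id for item_id in ids if item_id not in existing_ids]
    if moved_ids:
        parent_path = '/'.join(folder.aq_inner.aq_parent.getPhysicalPath())
        brains = ctool(path=parent_path,
                       portal_type='TodoItem',
                       getId=moved_ids)
        for b in brains:
            o = b.getObject()
            cutted = o.aq_parent.manage_cutObjects([o.getId()])

            # Work around the permission check made while pasting: the
            # paste runs as a copy of the current user that carries the
            # Manager and Owner roles.
            # NOTE(review): the ids to move come from encodedlist; confirm
            # the caller is allowed to move these items before this runs.
            originalSecurityManager = SecurityManagement.getSecurityManager()
            username = originalSecurityManager.getUser().getUserName()
            deliverUser = User.SimpleUser(username, '', ['Manager', 'Owner'],
                                          '')
            acl_users = folder.acl_users.aq_inner
            deliverUser = deliverUser.__of__(acl_users)
            SecurityManagement.newSecurityManager(None, deliverUser)
            try:
                folder.manage_pasteObjects(cutted)
            finally:
                # Drop the extra roles even when the paste fails, so later
                # code in the request does not run with them.
                SecurityManagement.setSecurityManager(originalSecurityManager)

    _dict = {}
    unchanged = []
    for obj in folder._objects:
        if obj['id'] not in ids:
            unchanged.append(obj)
        else:
            _dict[obj['id']] = obj

    # Note: the list may name ids that no longer exist, which happens
    # after an object has been deleted.
    ordered = [_dict[item_id] for item_id in ids if item_id in _dict]
    ordered.extend(unchanged)
    folder._objects = tuple(ordered)

    # Update the position index of every item that was listed.
    for item_id in _dict:
        obj = getattr(folder, item_id)
        ctool.reindexObject(obj,
                            idxs=['getObjPositionInParent'],
                            update_metadata=1)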
コード例 #8
    def authenticateCredentials(self, credentials):
        """ See IAuthenticationPlugin.

        Returns ``(userid, login)`` when this member may authenticate and
        the credentials verify; returns None otherwise.
        """
        # The permission is evaluated as the member itself, so the member's
        # own user is made active for the check and the previous security
        # manager is put back afterwards in every case.
        previous_manager = SecurityManagement.getSecurityManager()
        try:
            SecurityManagement.newSecurityManager(None, self.getUser())
            member_manager = SecurityManagement.getSecurityManager()
            may_authenticate = member_manager.checkPermission(
                CAN_AUTHENTICATE_PERMISSION, self)
        finally:
            SecurityManagement.setSecurityManager(previous_manager)

        if not may_authenticate:
            return None
        if not self.verifyCredentials(credentials):
            return None

        login = credentials.get('login')
        return self.getUserId(), login
コード例 #9
ファイル: util.py プロジェクト: rpatterson/plone.app.iterate
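def adopt_system(user=SpecialUsers.system):
    """
    Execute this block of code as the system user.

    Generator with a single yield: ``user`` becomes the active user before
    the yield and the previous security manager is put back after it.
    Presumably wrapped as a context manager; the decorator is not part of
    this excerpt.
    """
    old_security_manager = SecurityManagement.getSecurityManager()
    SecurityManagement.newSecurityManager(globalrequest.getRequest(), user)
    try:
        yield
    finally:
        # Runs when the enclosed block raises as well; without it an
        # exception would leave the elevated user active for the rest of
        # the request.
        SecurityManagement.setSecurityManager(old_security_manager)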
コード例 #10
    def authenticateCredentials(self, credentials):
        """ See IAuthenticationPlugin.

        Returns ``(userid, login)`` when this member may authenticate and
        the credentials verify; returns None otherwise.
        """
        # The permission is evaluated as the member itself, so the member's
        # own user is made active for the check and the previous security
        # manager is put back afterwards in every case.
        previous_manager = SecurityManagement.getSecurityManager()
        try:
            SecurityManagement.newSecurityManager(None, self.getUser())
            member_manager = SecurityManagement.getSecurityManager()
            may_authenticate = member_manager.checkPermission(
                CAN_AUTHENTICATE_PERMISSION, self)
        finally:
            SecurityManagement.setSecurityManager(previous_manager)

        if not may_authenticate:
            return None
        if not self.verifyCredentials(credentials):
            return None

        login = credentials.get('login')
        return self.getUserId(), login
コード例 #11
def guarded_getattr(inst, name, default=_marker):
    """Retrieves an attribute, checking security in the process.

    Raises Unauthorized if the attribute is found but the user is
    not allowed to access the attribute.

    Names that start with an underscore are always refused.  When the
    attribute does not exist, ``default`` is returned if one was given;
    otherwise the AttributeError propagates.
    """
    # Underscore-prefixed names are refused before any lookup is made.
    if name[:1] == '_':
        raise Unauthorized, name

    # Try to get the attribute normally so that unusual
    # exceptions are caught early.
    try:
        v = getattr(inst, name)
    except AttributeError:
        if default is not _marker:
            return default
        raise

    # For a bound method the container is the object it is bound to;
    # otherwise it is the acquisition parent of the value, or inst when
    # there is no parent.
    try:
        container = v.im_self
    except AttributeError:
        container = aq_parent(aq_inner(v)) or inst

    # Presumably the access declaration registered for the container's
    # type; the branches below handle a dict, a callable or a plain flag.
    assertion = Containers(type(container))

    if isinstance(assertion, dict):
        # We got a table that lets us reason about individual
        # attrs
        assertion = assertion.get(name)
        if assertion:
            # There's an entry, but it may be a function.
            if callable(assertion):
                return assertion(inst, name)

            # Nope, it's boolean
            return v
        # No entry, or a false one, for this name: access is denied.
        raise Unauthorized, name

    if assertion:
        if callable(assertion):
            factory = assertion(name, v)
            if callable(factory):
                return factory(inst, name)
            # NOTE(review): assert statements are removed when Python runs
            # with -O, so this check and the one below would not run there
            # and any truthy value would be accepted.
            assert factory == 1
        else:
            assert assertion == 1
        return v

    # See if we can get the value doing a filtered acquire.
    # aq_acquire will either return the same value as held by
    # v or it will return an Unauthorized raised by validate.
    validate = SecurityManagement.getSecurityManager().validate
    # The result is discarded: the call is made only for the check that
    # validate performs during the acquire.
    aq_acquire(inst, name, aq_validate, validate)

    return v
コード例 #12
 def edit_collection(self):
     """Return the edit URL of the collection, or None.

     None is returned when the current user lacks ChangeTopics on the
     collection or when there is no collection.  The URL ends in '/edit'
     for objects providing ICollection and in '/criterion_edit_form'
     otherwise.
     """
     target = self.collection()
     manager = SecurityManagement.getSecurityManager()
     # The permission is checked before the None test, as in the original
     # flow; the collection is then fetched a second time.
     if not manager.checkPermission(ChangeTopics, target):
         return None
     target = self.collection()
     if target is None:
         return None
     if ICollection.providedBy(target):
         suffix = '/edit'
     else:
         suffix = '/criterion_edit_form'
     return target.absolute_url() + suffix
コード例 #13
ファイル: portlet.py プロジェクト: thet/collective.banner
 def edit_collection(self):
     """Return the edit URL of the collection, or None.

     None is returned when the current user lacks ChangeTopics on the
     collection or when there is no collection.  The URL ends in '/edit'
     for objects providing ICollection and in '/criterion_edit_form'
     otherwise.
     """
     target = self.collection()
     manager = SecurityManagement.getSecurityManager()
     # The permission is checked before the None test, as in the original
     # flow; the collection is then fetched a second time.
     if not manager.checkPermission(ChangeTopics, target):
         return None
     target = self.collection()
     if target is None:
         return None
     if ICollection.providedBy(target):
         suffix = '/edit'
     else:
         suffix = '/criterion_edit_form'
     return target.absolute_url() + suffix
コード例 #14
ファイル: utils.py プロジェクト: austgl/everydo-project
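def reorderFolderContents(folder, encodedlist, reverse=False):
    """Reorder the items of ``folder`` to follow a posted list of ids.

    ``encodedlist`` is a query-string style list such as
    ``id[]=313128&id[]=800959&id[]=304611``.  Ids in the list that are not
    in the folder yet are looked up as TodoItem objects below the folder's
    parent and moved into the folder first.  Items of the folder that the
    list does not mention keep their relative order after the listed ones.
    With ``reverse`` set, the list is applied back to front.  An empty list
    changes nothing.
    """
    folder = folder.aq_inner
    encodedlist = encodedlist.strip()
    if not encodedlist:
        return

    ids = [pair.split('=')[1] for pair in encodedlist.split('&')]
    if reverse:
        ids.reverse()
    ctool = getToolByName(folder, 'portal_catalog')

    existing_ids = folder.objectIds()
    moved_ids = [item_id for item_id in ids if item_id not in existing_ids]
    if moved_ids:
        parent_path = '/'.join(folder.aq_inner.aq_parent.getPhysicalPath())
        brains = ctool(path=parent_path,
                       portal_type='TodoItem',
                       getId=moved_ids)
        for b in brains:
            o = b.getObject()
            cutted = o.aq_parent.manage_cutObjects([o.getId()])

            # Work around the permission check made while pasting: the
            # paste runs as a copy of the current user that carries the
            # Manager and Owner roles.
            # NOTE(review): the ids to move come from encodedlist; confirm
            # the caller is allowed to move these items before this runs.
            originalSecurityManager = SecurityManagement.getSecurityManager()
            username = originalSecurityManager.getUser().getUserName()
            deliverUser = User.SimpleUser(username, '', ['Manager', 'Owner'], '')
            acl_users = folder.acl_users.aq_inner
            deliverUser = deliverUser.__of__(acl_users)
            SecurityManagement.newSecurityManager(None, deliverUser)
            try:
                folder.manage_pasteObjects(cutted)
            finally:
                # Drop the extra roles even when the paste fails, so later
                # code in the request does not run with them.
                SecurityManagement.setSecurityManager(originalSecurityManager)

    _dict = {}
    unchanged = []
    for obj in folder._objects:
        if obj['id'] not in ids:
            unchanged.append(obj)
        else:
            _dict[obj['id']] = obj

    # Note: the list may name ids that no longer exist, which happens
    # after an object has been deleted.
    ordered = [_dict[item_id] for item_id in ids if item_id in _dict]
    ordered.extend(unchanged)
    folder._objects = tuple(ordered)

    # Update the position index of every item that was listed.
    for item_id in _dict:
        obj = getattr(folder, item_id)
        ctool.reindexObject(obj, idxs=['getObjPositionInParent'], update_metadata=1)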
コード例 #15
ファイル: security.py プロジェクト: Daetalus/DocumentTemplate
    def SecurityCheckPermission(md, permission, object):
        """Ask the active security manager whether ``permission`` is
        granted on ``object``.

        Arguments:

        permission -- A permission name

        object -- The object being accessed according to the permission

        ``md`` is not used.  The manager's answer is returned as is.
        """
        manager = SecurityManagement.getSecurityManager()
        return manager.checkPermission(permission, object)
コード例 #16
 def create_folder(self, context, id, title=''):
     """Create a folder inside ``context`` and return it.

     The folder is created with the configured folderish type and taken
     through every configured transition while the system user is active;
     the caller's security manager is put back afterwards in every case.
     """
     previous_manager = SecurityManagement.getSecurityManager()
     SecurityManagement.newSecurityManager(None, SpecialUsers.system)
     try:
         spec = {
             'type': self.action.folderish_type,
             'id': id,
             'title': title,
             'container': context,
         }
         folder = api.content.create(**spec)
         for step in self.action.transitions:
             api.content.transition(obj=folder, transition=step)
     finally:
         SecurityManagement.setSecurityManager(previous_manager)
     return folder
コード例 #17
 def create_folder(self, context, id, title=''):
     """Create a folder inside ``context`` and return it.

     The folder is created with the configured folderish type and taken
     through every configured transition while the system user is active;
     the caller's security manager is put back afterwards in every case.
     """
     previous_manager = SecurityManagement.getSecurityManager()
     SecurityManagement.newSecurityManager(None, SpecialUsers.system)
     try:
         spec = {
             'type': self.action.folderish_type,
             'id': id,
             'title': title,
             'container': context,
         }
         folder = api.content.create(**spec)
         for step in self.action.transitions:
             api.content.transition(obj=folder, transition=step)
     finally:
         SecurityManagement.setSecurityManager(previous_manager)
     return folder
コード例 #18
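def notifyAboutReview(ob, event):
    """Notify project members about a review transition of a File or Image.

    On 'submit' the notification goes to every project member who holds
    'Review portal content' on ``ob``; on the other handled actions it
    goes to the creator of ``ob``.  Nothing is sent for other content
    types, for other actions, or when ``ob`` has no getProject.
    """
    # Only File and Image content triggers a notification.
    if ob.getPortalTypeName() not in ['File', 'Image']:
        return

    # Notify only on submit, publish (approved) and reject.
    mtool = getToolByName(ob, 'portal_membership')
    userid = mtool.getAuthenticatedMember().getId()

    if event.action.endswith('submit'):
        operation = 'submit'
    elif event.action.endswith('publish'):
        operation = 'publish'
    elif event.action.endswith('reject'):
        operation = 'reject'
    # This is how the workflow is defined; the logic below is correct:
    # a retract made by someone other than the creator counts as a reject.
    elif event.action.endswith('retract') and ob.Creator() != userid:
        operation = 'reject'
    else:
        return

    # The object must live inside a project.
    if hasattr(ob, 'getProject'):
        project = ob.getProject().aq_inner

        acl_users = getToolByName(project, 'acl_users')

        oe = IOrganizedEmployess(project.teams)
        all_members = oe.get_all_people()

        members = []
        if operation == 'submit':
            # Only members who may review the object receive the mail.
            originalSecurityManager = SecurityManagement.getSecurityManager()
            try:
                for member in all_members:
                    user = acl_users.getUserById(member.getId())
                    if user is None:
                        # No account to impersonate.  Checking anyway would
                        # test the identity left active by the previous
                        # iteration (or the caller) and credit this member
                        # with someone else's permission.
                        continue
                    # Impersonate that user for the permission check.
                    SecurityManagement.newSecurityManager(None, user)
                    if mtool.checkPermission('Review portal content', ob):
                        members.append(member)
            finally:
                # Never leave the last impersonated member active.
                SecurityManagement.setSecurityManager(originalSecurityManager)
        else:
            member = mtool.getMemberById(ob.Creator())
            if member:
                members.append(member)

        sendNotification(ob, members, operation)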
コード例 #19
ファイル: files.py プロジェクト: austgl/everydo-project
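def notifyAboutReview(ob, event):
    """Notify project members about a review transition of a File or Image.

    On 'submit' the notification goes to every project member who holds
    'Review portal content' on ``ob``; on the other handled actions it
    goes to the creator of ``ob``.  Nothing is sent for other content
    types, for other actions, or when ``ob`` has no getProject.
    """
    # Only File and Image content triggers a notification.
    if ob.getPortalTypeName() not in ['File', 'Image']:
        return

    # Notify only on submit, publish (approved) and reject.
    mtool = getToolByName(ob, 'portal_membership')
    userid = mtool.getAuthenticatedMember().getId()

    if event.action.endswith('submit'):
        operation = 'submit'
    elif event.action.endswith('publish'):
        operation = 'publish'
    elif event.action.endswith('reject'):
        operation = 'reject'
    # This is how the workflow is defined; the logic below is correct:
    # a retract made by someone other than the creator counts as a reject.
    elif event.action.endswith('retract') and ob.Creator() != userid:
        operation = 'reject'
    else:
        return

    # The object must live inside a project.
    if hasattr(ob, 'getProject'):
        project = ob.getProject().aq_inner

        acl_users = getToolByName(project, 'acl_users')

        oe = IOrganizedEmployess(project.teams)
        all_members = oe.get_all_people()

        members = []
        if operation == 'submit':
            # Only members who may review the object receive the mail.
            originalSecurityManager = SecurityManagement.getSecurityManager()
            try:
                for member in all_members:
                    user = acl_users.getUserById(member.getId())
                    if user is None:
                        # No account to impersonate.  Checking anyway would
                        # test the identity left active by the previous
                        # iteration (or the caller) and credit this member
                        # with someone else's permission.
                        continue
                    # Impersonate that user for the permission check.
                    SecurityManagement.newSecurityManager(None, user)
                    if mtool.checkPermission('Review portal content', ob):
                        members.append(member)
            finally:
                # Never leave the last impersonated member active.
                SecurityManagement.setSecurityManager(originalSecurityManager)
        else:
            member = mtool.getMemberById(ob.Creator())
            if member:
                members.append(member)

        sendNotification(ob, members, operation)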
コード例 #20
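    def setContentCategory(self, obj, new_cat_id):
        """Move ``obj`` into the category ``new_cat_id`` of the context.

        The object is cut from its parent and pasted into the category
        while a copy of the current user carrying the Manager and Owner
        roles is active.  Returns the object at its new location.
        """
        cutted = obj.aq_inner.aq_parent.manage_cutObjects(obj.getId())
        new_cat = getattr(self.context, new_cat_id).aq_inner

        # Work around the permission check made while pasting.
        # NOTE(review): the paste bypasses the caller's own permissions on
        # the target; confirm callers have authorized the move.
        originalSecurityManager = SecurityManagement.getSecurityManager()
        username = originalSecurityManager.getUser().getUserName()
        deliverUser = User.SimpleUser(username, '', ['Manager', 'Owner'], '')
        acl_users = obj.acl_users.aq_inner
        deliverUser = deliverUser.__of__(acl_users)
        SecurityManagement.newSecurityManager(None, deliverUser)
        try:
            new_cat.manage_pasteObjects(cutted)
        finally:
            # Drop the extra roles even when the paste fails.
            SecurityManagement.setSecurityManager(originalSecurityManager)
        return getattr(new_cat, obj.getId())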
コード例 #21
ファイル: adapters.py プロジェクト: austgl/everydo-project
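    def setContentCategory(self, obj, new_cat_id):
        """Move ``obj`` into the category ``new_cat_id`` of the context.

        The object is cut from its parent and pasted into the category
        while a copy of the current user carrying the Manager and Owner
        roles is active.  Returns the object at its new location.
        """
        cutted = obj.aq_inner.aq_parent.manage_cutObjects(obj.getId())
        new_cat = getattr(self.context, new_cat_id).aq_inner

        # Work around the permission check made while pasting.
        # NOTE(review): the paste bypasses the caller's own permissions on
        # the target; confirm callers have authorized the move.
        originalSecurityManager = SecurityManagement.getSecurityManager()
        username = originalSecurityManager.getUser().getUserName()
        deliverUser = User.SimpleUser(username, '', ['Manager', 'Owner'], '')
        acl_users = obj.acl_users.aq_inner
        deliverUser = deliverUser.__of__(acl_users)
        SecurityManagement.newSecurityManager(None, deliverUser)
        try:
            new_cat.manage_pasteObjects(cutted)
        finally:
            # Drop the extra roles even when the paste fails.
            SecurityManagement.setSecurityManager(originalSecurityManager)
        return getattr(new_cat, obj.getId())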
コード例 #22
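    def kss_obj_delete(self, selector='.kssDeletionRegion'):
        """Delete the context object and update the page through KSS.

        A discussion item is removed through its talkback.  Any other
        object is unlocked when needed and deleted from its parent while a
        temporary Manager user is active.  Afterwards the page is either
        redirected (selector starting with 'redirect2') or the matching
        node is removed, and a 'Deleted.' portal message is issued.
        """

        obj = self.context.aq_inner
        if obj.getPortalTypeName() == 'Discussion Item':
            parent = obj.inReplyTo()
            if parent is not None:
                portal_discussion = getUtility(IDiscussionTool)
                talkback = portal_discussion.getDiscussionFor(parent)
            else:
                talkback = obj.aq_parent

            # remove the discussion item
            talkback.deleteReply(str(obj.getId()))

        else:
            # Unlock first when the object is locked.
            if HAS_LOCKING:
                lockable = ILockable(obj)
                if lockable.locked():
                    lockable.unlock()

            parent = obj.aq_parent
            # Archetypes' manage_delObjects checks the delete permission of
            # every item, so the call is made as a throwaway Manager user.
            # NOTE(review): this bypasses the caller's own delete
            # permission; confirm the view is protected accordingly.
            originalSecurityManager = SecurityManagement.getSecurityManager()
            SecurityManagement.newSecurityManager(
                None, User.SimpleUser('admin', '', ('Manager', ), ''))
            try:
                parent.manage_delObjects(str(obj.getId()))
            finally:
                # Give up the Manager identity even when the delete fails.
                SecurityManagement.setSecurityManager(originalSecurityManager)

        if selector.startswith('redirect2'):
            # Redirect to the address that follows the prefix.  The markup
            # has to carry it, for example
            # class="kssattr-delSelector-redirect2http://test.everydo.com"
            # NOTE(review): the target is taken from selector unchecked; if
            # the client can choose selector this is an open redirect --
            # confirm, and restrict it to expected hosts if so.
            redirect2url = selector[len('redirect2'):]
            self.getCommandSet('zopen').redirect(url=redirect2url)
        else:
            core = self.getCommandSet('core')
            effects = self.getCommandSet('effects')
            selector = core.getParentNodeSelector(selector)
            # effects.effect(selector, 'fade')

            core.deleteNode(selector)

        self.getCommandSet('plone').issuePortalMessage(
            translate(_(u'Deleted.'), default="Deleted.",
                      context=self.request),
            translate(_(u'Info'), default="Info", context=self.request))
        return self.render()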
コード例 #23
ファイル: kssview.py プロジェクト: austgl/everydo-project
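    def kss_obj_delete(self, selector='.kssDeletionRegion'):
        """Delete the context object and update the page through KSS.

        A discussion item is removed through its talkback.  Any other
        object is unlocked when needed and deleted from its parent while a
        temporary Manager user is active.  Afterwards the page is either
        redirected (selector starting with 'redirect2') or the matching
        node is removed, and a 'Deleted.' portal message is issued.
        """

        obj = self.context.aq_inner
        if obj.getPortalTypeName() == 'Discussion Item':
            parent = obj.inReplyTo()
            if parent is not None:
                portal_discussion = getUtility(IDiscussionTool)
                talkback = portal_discussion.getDiscussionFor(parent)
            else:
                talkback = obj.aq_parent

            # remove the discussion item
            talkback.deleteReply(str(obj.getId()))

        else:
            # Unlock first when the object is locked.
            if HAS_LOCKING:
                lockable = ILockable(obj)
                if lockable.locked():
                    lockable.unlock()

            parent = obj.aq_parent
            # Archetypes' manage_delObjects checks the delete permission of
            # every item, so the call is made as a throwaway Manager user.
            # NOTE(review): this bypasses the caller's own delete
            # permission; confirm the view is protected accordingly.
            originalSecurityManager = SecurityManagement.getSecurityManager()
            SecurityManagement.newSecurityManager(None, User.SimpleUser('admin','',('Manager',), ''))
            try:
                parent.manage_delObjects(str(obj.getId()))
            finally:
                # Give up the Manager identity even when the delete fails.
                SecurityManagement.setSecurityManager(originalSecurityManager)

        if selector.startswith('redirect2'):
            # Redirect to the address that follows the prefix.  The markup
            # has to carry it, for example
            # class="kssattr-delSelector-redirect2http://test.everydo.com"
            # NOTE(review): the target is taken from selector unchecked; if
            # the client can choose selector this is an open redirect --
            # confirm, and restrict it to expected hosts if so.
            redirect2url = selector[len('redirect2'):]
            self.getCommandSet('zopen').redirect(url=redirect2url)
        else:
            core = self.getCommandSet('core')
            effects = self.getCommandSet('effects')
            selector = core.getParentNodeSelector(selector)
            # effects.effect(selector, 'fade')

            core.deleteNode(selector)

        self.getCommandSet('plone').issuePortalMessage(
                translate(_(u'Deleted.'), default="Deleted.", context=self.request),
                translate(_(u'Info'), default="Info", context=self.request))
        return self.render()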
コード例 #24
ファイル: base.py プロジェクト: rpatterson/plone.app.iterate
    def _copyBaseline(self, container):
        """Copy the context into ``container`` and return the copy.

        The copy and paste run inside ``util.adopt_system()``.  Afterwards
        the user of the active security manager is given the local role
        'iterate: Check out initiator' on the copy.
        """
        origin = aq_parent(aq_inner(self.context))

        # Only the copy/paste pair runs inside the adopt_system block.
        with util.adopt_system():
            copied = origin.manage_copyObjects([self.context.getId()])
            pasted = container.manage_pasteObjects(copied)

        # The paste result names the id the copy received in the container.
        working_copy = container._getOb(pasted[0]['new_id'])

        initiator = SecurityManagement.getSecurityManager().getUser().getId()
        working_copy.manage_addLocalRoles(
            initiator, ('iterate: Check out initiator', ))

        return working_copy
コード例 #25
    def test_add_portlet_fails_with_anonymous(self):
        """The add-watcher-portlet view raises 'Could not find userid.'
        when it is called without a security manager."""
        portal = self.layer['portal']
        request = self.layer['request']
        request.environ['HTTP_X_BRIDGE_ORIGIN'] = 'client-one'
        request.form['path'] = '@@watcher-feed?uid=567891234'

        # Drop the security manager for the call and put it back afterwards
        # so that later tests keep their logged-in user.
        saved_manager = SecurityManagement.getSecurityManager()
        SecurityManagement.noSecurityManager()
        try:
            view = queryMultiAdapter(
                (portal, request), name='add-watcher-portlet')
            with self.assertRaises(Exception) as caught:
                view()
            self.assertEqual(str(caught.exception), 'Could not find userid.')
        finally:
            SecurityManagement.setSecurityManager(saved_manager)
コード例 #26
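    def deleteTeam(self, selector):
        """Delete the team in context and remove its local roles.

        The team object is deleted from its parent while a temporary
        Manager user is active.  The local roles stored under
        '<team id>-<container id>' are then removed from the container,
        from its sections and from the items of 'messages' and 'files';
        the matching page nodes are removed and a 'Deleted.' portal
        message is issued.
        """

        obj = self.context.aq_inner
        parent = obj.aq_parent
        team_id = obj.getId()
        # NOTE(review): the delete bypasses the caller's own permission;
        # confirm the view is protected accordingly.
        originalSecurityManager = SecurityManagement.getSecurityManager()
        SecurityManagement.newSecurityManager(
            None, User.SimpleUser('admin', '', ('Manager', ), ''))
        try:
            parent.manage_delObjects(str(team_id))
        finally:
            # Give up the Manager identity even when the delete fails.
            SecurityManagement.setSecurityManager(originalSecurityManager)
        core = self.getCommandSet('core')
        selector = core.getParentNodeSelector(selector)
        core.deleteNode(selector)
        containner = parent.aq_parent

        # Id under which the team's local roles are stored.
        team_principal = team_id + '-' + containner.getId()

        teamselector = core.getSelector("css",
                                        ".teamitemroot-" + team_principal)
        core.deleteNode(teamselector)

        containner.manage_delLocalRoles([team_principal])
        containner.reindexObjectSecurity()

        for item in ['messages', 'files', 'todos', 'milestones',
                     'writeboards', 'chatroom', 'time']:
            section = containner.unrestrictedTraverse(item)
            section.manage_delLocalRoles([team_principal])
            section.reindexObjectSecurity()

            if item in ['messages', 'files']:
                for i in section.contentValues():
                    i.manage_delLocalRoles([team_principal])
                    i.reindexObjectSecurity()

        self.getCommandSet('plone').issuePortalMessage(
            translate(_(u'Deleted.'), default="Deleted.",
                      context=self.request),
            translate(_(u'Info'), default="Info", context=self.request))
        return self.render()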
コード例 #27
ファイル: browser.py プロジェクト: a25kk/stv2
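    def __call__(self):
        """Store a flash upload on behalf of the owner of a ticket.

        The ticket is taken from the form or, failing that, from the query
        string.  Its owner becomes the active user while the ticket is
        invalidated and the file is created; the previous security manager
        is put back before returning.

        Returns "filename=<id>" for a stored file and "" for the empty
        pre-request.  Raises Unauthorized when the ticket is missing or
        has no owner.
        """
        ticket = self.request.form.get('ticket',None)
        if ticket is None:
            # we cannot set post headers in flash, so get the
            # querystring manually
            qs = self.request.get('QUERY_STRING','ticket=')
            ticket = qs.split('=')[-1] or None

        # The ticket is a bearer credential, so only its presence is
        # logged, never its value.
        logger.debug('Ticket supplied: %s', ticket is not None)

        if ticket is None:
            raise Unauthorized('No ticket specified')

        context = utils.non_view_context(self.context)
        url = absoluteURL(context, self.request)
        username = ticketmod.ticketOwner(url, ticket)
        if username is None:
            logger.warn('Ticket was invalidated, cannot be used any more.')
            raise Unauthorized('Ticket is not valid')

        old_sm = SecurityManagement.getSecurityManager()
        user = utils.find_user(context, username)
        SecurityManagement.newSecurityManager(self.request, user)
        try:
            logger.debug('Switched to user "%s"', username)

            ticketmod.invalidateTicket(url,ticket)
            if self.request.form.get('Filedata', None) is None:
                # flash sends an empty form in a pre request in flash
                # version 8.0
                return ""
            fileUpload = self.request.form['Filedata']
            fileName = self.request.form['Filename']
            contentType = self.request.form.get('Content-Type',None)
            factory = IFileFactory(self.context)
            f = factory(fileName, contentType, fileUpload)

            event.notify(FlashUploadedEvent(f))
            return "filename=%s" % f.getId()
        finally:
            # Covers the early return above and any failure while the file
            # is stored; both used to leave the ticket owner active.
            SecurityManagement.setSecurityManager(old_sm)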
コード例 #28
ファイル: security.py プロジェクト: Daetalus/DocumentTemplate
    def SecurityValidate(md, inst, parent, name, value):
        """Ask the current security manager to validate an access.

        Arguments:

        md -- not used by this function

        inst -- forwarded as the first argument of ``validate`` (the
        object that was being accessed)

        parent -- forwarded as the second argument (the object the value
        was found in)

        name -- the name used to access the value

        value -- the value retrieved through the access

        Returns whatever the security manager's ``validate`` returns.
        """
        # The decision is delegated entirely to the security manager that
        # is active when the call is made.
        manager = SecurityManagement.getSecurityManager()
        verdict = manager.validate(inst, parent, name, value)
        return verdict
コード例 #29
ファイル: kssview.py プロジェクト: austgl/everydo-project
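    def deleteTeam(self, selector):
        """Delete the team held in ``self.context`` and drop its local roles.

        The team object is removed from its parent under a temporary
        Manager identity.  The matching page nodes are then deleted through
        the 'core' command set, and the local role named
        ``<team id>-<container id>`` is removed from the container, from
        its fixed set of sub-objects, and from every content item of
        'messages' and 'files'.

        selector -- handed to ``core.getParentNodeSelector`` to find the
        page node to delete.

        Returns the result of ``self.render()``.
        """
        team = self.context.aq_inner
        parent = team.aq_parent
        team_id = team.getId()

        # NOTE(review): the delete below runs as a fabricated user with the
        # Manager role, and no permission check is visible in this method
        # before that elevation -- confirm the view itself is registered
        # behind a permission that only team administrators hold.
        originalSecurityManager = SecurityManagement.getSecurityManager()
        SecurityManagement.newSecurityManager(
            None, User.SimpleUser('admin', '', ('Manager',), ''))
        try:
            parent.manage_delObjects(str(team_id))
        finally:
            # Always drop the elevated identity, including when the delete
            # raises; otherwise the rest of the request would keep running
            # with the Manager role.
            SecurityManagement.setSecurityManager(originalSecurityManager)

        core = self.getCommandSet('core')
        selector = core.getParentNodeSelector(selector)
        core.deleteNode(selector)
        container = parent.aq_parent

        # Principal id under which the team was granted local roles; it is
        # the same for every object below, so build it once.
        role_id = team_id + '-' + container.getId()

        teamselector = core.getSelector("css", ".teamitemroot-" + role_id)
        core.deleteNode(teamselector)

        container.manage_delLocalRoles([role_id])
        container.reindexObjectSecurity()

        for item in ['messages', 'files', 'todos', 'milestones',
                     'writeboards', 'chatroom', 'time']:
            # unrestrictedTraverse skips security checks on the lookup;
            # the names come from the fixed list above, not from the
            # request.
            section = container.unrestrictedTraverse(item)
            section.manage_delLocalRoles([role_id])
            section.reindexObjectSecurity()

            if item in ['messages', 'files']:
                # For these two sections the role is also removed from
                # each contained item.
                for entry in section.contentValues():
                    entry.manage_delLocalRoles([role_id])
                    entry.reindexObjectSecurity()

        self.getCommandSet('plone').issuePortalMessage(
                translate(_(u'Deleted.'), default="Deleted.", context=self.request),
                translate(_(u'Info'), default="Info", context=self.request))
        return self.render()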
コード例 #30
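    def _auth_with_ticket(self):
        """Switch the request to the user who owns the supplied ticket.

        With flashupload, authentication is done using a ticket: it is
        looked up with ``getDataFromAllRequests`` and mapped to a user name
        by ``ticketmod.ticketOwner`` for the context's absolute URL.

        The security manager that was active before the switch is stored
        in ``self.old_sm``.  It is not restored here.
        NOTE(review): presumably a caller restores ``self.old_sm`` once the
        upload is done, including on error paths -- confirm.

        Raises ``Unauthorized`` when no ticket is supplied or when
        ``ticketOwner`` returns ``None`` for it.
        """

        context = aq_inner(self.context)
        request = self.request
        url = context.absolute_url()

        ticket = getDataFromAllRequests(request, "ticket")
        if ticket is None:
            raise Unauthorized("No ticket specified")

        # The ticket by itself is enough to be switched to its owner below,
        # and nothing in this method invalidates it, so its value is kept
        # out of the INFO log while it may still be usable.  A rejected
        # ticket is still logged further down for troubleshooting.
        logger.info('Authenticate using ticket')
        username = ticketmod.ticketOwner(url, ticket)
        if username is None:
            logger.info('Ticket "%s" was invalidated, cannot be used ' "any more." % str(ticket))
            raise Unauthorized("Ticket is not valid")

        # Remember the previous identity before replacing it.
        self.old_sm = SecurityManagement.getSecurityManager()
        user = find_user(context, username)
        SecurityManagement.newSecurityManager(self.request, user)
        logger.info('Switched to user "%s"' % username)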
コード例 #31
ファイル: SyndicationTool.py プロジェクト: goschtl/zope
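 def editSyInformationProperties(self, obj,
                                 updatePeriod=None,
                                 updateFrequency=None,
                                 updateBase=None,
                                 max_items=None,
                                 REQUEST=None):
     """
     Edit syndication properties for the obj being passed in.
     These are held on the syndication_information object.
     Not Sitewide Properties.

     Each of updatePeriod, updateFrequency, updateBase and max_items is
     stored on obj.syndication_information when it is truthy; otherwise
     the tool's own value of the same setting is stored instead (so a
     falsy value such as 0 also selects the tool's value).  REQUEST is
     accepted but not used.

     Raises Unauthorized when the current security manager does not grant
     ManageProperties on obj, and ValueError when obj has no
     syndication_information attribute.
     """
     # Authorize against the object being edited before touching it.
     mgr = SecurityManagement.getSecurityManager()
     if not mgr.checkPermission(ManageProperties, obj):
         raise Unauthorized
     syInfo = getattr(obj, 'syndication_information', None)
     if syInfo is None:
         # Was a string exception (raise '...'), which current Python
         # rejects with a TypeError instead of reporting this message.
         raise ValueError('Syndication is Disabled')
     syInfo.syUpdatePeriod = updatePeriod or self.syUpdatePeriod
     syInfo.syUpdateFrequency = updateFrequency or self.syUpdateFrequency
     syInfo.syUpdateBase = updateBase or self.syUpdateBase
     syInfo.max_items = max_items or self.max_items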
コード例 #32
ファイル: account.py プロジェクト: socialplanning/opencore
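    def handle_delete(self):
        """Delete the viewed member's account and redirect to the portal.

        When the current user is deleting their own account, the deletion
        runs under a temporary unrestricted identity and the user is
        logged out afterwards.  In every other case the deletion runs
        under the caller's own identity, so the normal access controls
        decide.

        Returns the result of ``self.redirect(portal_url)``.
        """
        mship = getToolByName(self.context, 'portal_membership')
        user_to_delete = self.viewed_member_info['id']
        old_manager = SecurityManagement.getSecurityManager()
        current_user = old_manager.getUser().getId()

        from opencore.interfaces.event import MemberDeletedEvent

        # The event carries the member data object, which is fetched here
        # while it still exists.
        # NOTE(review): this is sent before deleteMembers() runs, so in
        # the non-self branch subscribers are notified even if the
        # deletion is then refused -- confirm that ordering is intended.
        notify(MemberDeletedEvent(
                self.context.portal_memberdata[user_to_delete]))

        # To avoid blocking while we traverse the entire contents of the site,
        # we quickly delete the member and their own content...
        if current_user == user_to_delete:
            # Normally, users don't have permission to delete users.
            # Make an exception for deleting yourself.
            superuser = UnrestrictedUser('superuser', '', [], [])
            SecurityManagement.newSecurityManager(self.request, superuser)
            try:
                mship.deleteMembers([user_to_delete],
                                    delete_memberareas=True,
                                    delete_localroles=False)
            finally:
                # Drop the unrestricted identity even when the deletion
                # raises, so the rest of the request never keeps running
                # as the superuser.
                SecurityManagement.setSecurityManager(old_manager)
            self.context.acl_users.logout(self.request)
        else:
            # Otherwise, rely on normal access controls.  This will
            # allow site admins (and only site admins) to delete
            # anybody.
            mship.deleteMembers([user_to_delete], delete_memberareas=True,
                                delete_localroles=False)
        portal_url = getToolByName(self.context, 'portal_url')()
        self.addPortalStatusMessage(
            _(u'psm_account_deleted',
              u"Account '${deleted_user_id}' has been permanently deleted.",
              mapping={u'deleted_user_id': user_to_delete}
              )
            )
        return self.redirect(portal_url)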
コード例 #33
ファイル: viewlets.py プロジェクト: djay/collective.carousel
 def canSeeEditLink(self, provider):
     """Return the current security manager's answer for ChangeTopics on provider."""
     # The check is made against ``provider`` itself, not against the
     # viewlet's own context.
     return SecurityManagement.getSecurityManager().checkPermission(
         ChangeTopics, provider)
コード例 #34
ファイル: security.py プロジェクト: Daetalus/DocumentTemplate
 def SecurityGetUser(md):
     """Get the user held by the current security manager.

     ``md`` is not used by this function.
     """
     manager = SecurityManagement.getSecurityManager()
     return manager.getUser()
コード例 #35
 def canSeeEditLink(self):
     """Return the current security manager's answer for ChangeTopics on self.collection()."""
     # The permission is checked on the collection object returned by
     # self.collection(), fetched before the security manager is looked up.
     target = self.collection()
     return SecurityManagement.getSecurityManager().checkPermission(
         ChangeTopics, target)