def check_permission(self, trac_environment_id, permission, check_username): """ Helper class for the GlobalPermissionPolicy.check_permission, which checks also the resource, unlike this. Checks permission for the user in the trac environment. """ # Disable completely features by appending actions into this list restricted_features = ['REPORT_CREATE', 'REPORT_SQL_VIEW'] if permission in restricted_features: return False # Get user in question user = get_userstore().getUser(check_username) store = CQDEUserGroupStore(trac_environment_id) superusers = CQDESuperUserStore.instance() # If there is no user then there is no need for permission check if not user: return False # Check if user is a superuser if superusers.is_superuser(user.username): return True # Get all groups and users user_groups = store.get_all_user_groups() group_perms = store.get_all_group_permissions() organization_groups = store.get_all_organization_groups() # List groups that have the permission groups = [] for group, perm in group_perms: # NOTE: Also extend the meta permissions into list perms = [perm] + self.meta_perms.get(perm, []) if permission in perms: groups.append(group) users = get_special_users(user.username) users.append(user.username) # See if user is in one of the groups for username, group in user_groups: if username in users: if group in groups: return True # See if user's organization is in one of the groups org_store = CQDEOrganizationStore.instance() for org, group in organization_groups: org_id = org_store.get_organization_id(org) if org_id in user.organization_keys: if group in groups: return True if conf.ldap_groups_enabled: # TODO: do not use CQDEAuthenticationStore to check this, the information should # be available from User object (add if not!) # See if any ldap groups are allowed in environment from multiproject.core.authentication import CQDEAuthenticationStore auth_store = CQDEAuthenticationStore.instance() is_ldap_account = auth_store.is_ldap(user.authentication_key) trac_environment_ldapgroups = store.get_all_trac_environment_ldap_groups() if is_ldap_account and trac_environment_ldapgroups: # See if user belongs to any of the allowed ldap groups ldapuser_store = conf.getAuthenticationStore() user_ldapgroups = ldapuser_store.getGroups(user.username) for ldapgroup, group in trac_environment_ldapgroups: if ldapgroup in user_ldapgroups: if group in groups: return True return False
def get_participated_projects(self, user, by_organization=False, by_ldap=False, public_only=False): """ Get those projects that user has participated. Optionally can list by organization, or by public status. :param User user: User object :param boolean by_organization: List projects by organization :param boolean public_only: Get public projects as well :returns: List of Project objects """ # Anonymous does not have organization if not user.organization_keys: by_organization = False and_anon_condition= '' union_all_organization_condition = '' union_all_ldap_condition = '' perm_ids = ', '.join([str(safe_int(get_permission_id(action))) for action in ('TEAM_VIEW',)]) if public_only: # fetch anonymous user id # FIXME: Would be nice if we didn't have to do this all the time anon = get_userstore().getUser('anonymous') if not anon: conf.log.warning("Error in get_participated_projects: No anonymous user obtained!") raise TracError("Error while fetching user's projects.") and_anon_condition = """ AND EXISTS (SELECT group.trac_environment_key FROM `group` INNER JOIN user_group ON user_group.group_key = group.group_id INNER JOIN group_permission ON group.group_id = group_permission.group_key WHERE user_group.user_key = {anon_id} AND group.trac_environment_key = projects.trac_environment_key AND group_permission.permission_key IN ({perm_ids}) ) """.format(anon_id = safe_int(anon.id), perm_ids = perm_ids) if by_organization: # See if the user has access into projects through organizations union_all_organization_condition += """ UNION ALL SELECT group.trac_environment_key FROM `trac_admin`.`group` INNER JOIN organization_group ON organization_group.group_key = group.group_id WHERE organization_group.organization_key IN({organization_ids}) """.format(organization_ids = ', '.join([str(safe_int(org_id)) for org_id in user.organization_keys])) if by_ldap and conf.ldap_groups_enabled: # See if any ldap groups are allowed in environment auth_store = CQDEAuthenticationStore.instance() is_ldap_account = auth_store.is_ldap(user.authentication_key) if is_ldap_account: # See if user belongs to any of the allowed ldap groups ldapuser_store = conf.getAuthenticationStore() user_ldapgroups = ldapuser_store.getGroups(user.username) if user_ldapgroups: union_all_ldap_condition = """ UNION ALL SELECT group.trac_environment_key FROM `trac_admin`.`group` INNER JOIN ldapgroup_group ON ldapgroup_group.group_key = group.group_id INNER JOIN ldapgroup ON ldapgroup.ldapgroup_id = ldapgroup_group.ldapgroup_key WHERE ldapgroup.ldapgroup_name IN ({ldapgroup_names}) """.format(ldapgroup_names = ', '.join(["'{0}'".format(safe_string(group)) for group in user_ldapgroups])) query = """ SELECT projects.* FROM projects WHERE projects.trac_environment_key IN ( SELECT group.trac_environment_key FROM `trac_admin`.`group` INNER JOIN user_group ON user_group.group_key = group.group_id WHERE user_group.user_key = {user_id} {union_all_organization} {union_all_ldap} ) {and_anon} ORDER BY projects.project_name ASC """.format(user_id = safe_int(user.id), union_all_organization = union_all_organization_condition, union_all_ldap = union_all_ldap_condition, and_anon = and_anon_condition) conf.log.debug("queried participated projects with %s" % query) projects = self.queryProjectObjects(query) return projects