def test_deny_dublincore_view(self): """Tests the denial of dublincore view permissions to anonymous. Users who can view a folder contents page but cannot view dublin core should still be able to see the folder items' names, but not their title, modified, and created info. """ # add an item that can be viewed from the root folder obj = OrderedContainer() alsoProvides(obj, IAttributeAnnotatable) self.getRootFolder()['obj'] = obj IZopeDublinCore(obj).title = u'My object' # deny zope.app.dublincore.view to zope.Anonymous prm = IRolePermissionManager(self.getRootFolder()) prm.denyPermissionToRole('zope.dublincore.view', 'zope.Anonymous') # Try both spellings just in case we are used with an older zope.dc prm.denyPermissionToRole('zope.app.dublincore.view', 'zope.Anonymous') transaction.commit() response = self.publish('/') self.assertEquals(response.getStatus(), 200) body = response.getBody() # confirm we can see the file name self.assert_(body.find('<a href="obj">obj</a>') != -1) # confirm we *cannot* see the metadata title self.assert_(body.find('My object') == -1)
def invites(self, value): roles = IRolePermissionManager(self.__parent__) for val, role in [('member', 'group.Member'), ('manager', 'group.Manager')]: if val in value: roles.grantPermissionToRole('zojax.InviteGroupMember', role) else: roles.unsetPermissionFromRole('zojax.InviteGroupMember', role)
def joining(self, value): roles = IRolePermissionManager(self.__parent__) for rid in value: role = queryUtility(IRole, rid) if IPublicRole.providedBy(role): roles.grantPermissionToRole('zojax.JoinGroup', rid) else: roles.denyPermissionToRole('zojax.JoinGroup', rid)
def test_deny_view(self): """Tests the denial of view permissions to anonymous. This test uses the ZMI interface to deny anonymous zope.View permission to the root folder. """ # deny zope.View to zope.Anonymous prm = IRolePermissionManager(self.getRootFolder()) prm.denyPermissionToRole('zope.View', 'zope.Anonymous') transaction.commit() # confirm Unauthorized when viewing root folder self.assertRaises(Unauthorized, self.publish, '/')
def change_permissions(event): if event.destination == Workflow.states.PUBLISHED: try: principal = uvcsite.utils.shorties.getPrincipal() except zope.security.interfaces.NoInteraction: return else: if not uvcsite.auth.interfaces.ICOUser.providedBy(principal): return prinper = IPrincipalPermissionManager(event.object) roleper = IRolePermissionManager(event.object) roleper.denyPermissionToRole(named(uvcsite.permissions.View), named(uvcsite.permissions.Editor)) prinper.grantPermissionToPrincipal(named(uvcsite.permissions.View), event.object.principal.id)
async def sharing_post(context, request): data = await request.json() roleperm = IRolePermissionManager(context) prinrole = IPrincipalRoleManager(context) if 'prinrole' not in data and 'roleperm' not in data: raise AttributeError('prinrole or roleperm missing') if 'prinrole' in data: for user, roles in data['prinrole'].items(): for role in roles: prinrole.assignRoleToPrincipal(role, user) if 'roleperm' in data: for role, perms in data['roleperm'].items(): for perm in perms: roleperm.grantPermissionToRole(perm, role) await notify(ObjectPermissionsModifiedEvent(context))
def status(self, value): context = removeAllProxies(self.context) roleper = IRolePermissionManager(context) if value == 4: roleper.grantPermissionToRole('zojax.AddComment', 'zope.Anonymous') else: roleper.denyPermissionToRole('zojax.AddComment', 'zope.Anonymous') if value == 3: if IContentDiscussionAware.providedBy(context): interface.noLongerProvides(context, IContentDiscussionAware) else: if not IContentDiscussionAware.providedBy(context): interface.alsoProvides(context, IContentDiscussionAware) discussibleAdded(context, None) self.data.status = value
def remove_edit_permission(event): if event.destination != PUBLISHED: return IRolePermissionManager(event.object).denyPermissionToRole( 'uvc.EditContent', 'uvc.Editor')
def __call__(self, data): auth = zope.component.getUtility(IAuthentication, context=self.context) # Add a Admin to the administrators group login = data['member.login'] admin = authentication.WebSiteMember(login, data['member.password'], data['member.firstName'], data['member.lastName'], data['member.email']) zope.event.notify(zope.lifecycleevent.ObjectCreatedEvent(admin)) auth['members'].add(admin) adminGroup = auth['groups']['groups.Administrators'] adminGroup.setPrincipals(adminGroup.principals + (admin.__name__, ), check=False) # grant permissions to roles role_manager = IRolePermissionManager(self.context) role_manager.grantPermissionToRole(permissions.MANAGESITE, roles.ADMINISTRATOR) role_manager.grantPermissionToRole(permissions.MANAGECONTENT, roles.ADMINISTRATOR) role_manager.grantPermissionToRole(permissions.MANAGEUSERS, roles.ADMINISTRATOR) role_manager.grantPermissionToRole(permissions.VIEW, roles.ADMINISTRATOR) role_manager.grantPermissionToRole(permissions.MANAGECONTENT, roles.MEMBER) role_manager.grantPermissionToRole(permissions.VIEW, roles.MEMBER) # grant VIEW to unauthenticated users. prin_manager = IPrincipalPermissionManager(self.context) unauth = zope.component.queryUtility(IUnauthenticatedGroup, context=self.context) if unauth is not None: prin_manager.grantPermissionToPrincipal(permissions.VIEW, unauth.id)
def remove_edit_permission(event): if event.destination == Workflow.states.PUBLISHED: IRolePermissionManager(event.object).denyPermissionToRole( named(uvcsite.permissions.Edit), named(uvcsite.permissions.Editor))
def __call__(self, data): portal = self.context # create site manager try: sm = portal.getSiteManager() except: sm = None if sm is None: sm = LocalSiteManager(portal) portal.setSiteManager(sm) setSite(portal) if 'system' not in sm: system = SiteManagementFolder() event.notify(ObjectCreatedEvent(system)) sm['system'] = system else: system = sm['system'] # IIntId utility if 'ids' not in system: ids = component.createObject('zope.app.intid.IntIds') event.notify(ObjectCreatedEvent(ids)) system['ids'] = ids else: system['ids'].__init__() ids = system['ids'] sm.registerUtility(system['ids'], IIntIds) ids.register(portal) # Principal Annotations if 'principalannotations' not in system: pa = component.createObject('zope.app.PrincipalAnnotationUtility') event.notify(ObjectCreatedEvent(pa)) system['principalannotations'] = pa sm.registerUtility(pa, IPrincipalAnnotationUtility) # session data container configlet = sm.getUtility(IConfiglet, 'system.session') configlet.sessiontype = 'ram' # set password password = sm.getUtility(IConfiglet, 'principals.password') password.passwordManager = 'MD5' # set site timezone fomratter = sm.getUtility(IConfiglet, 'system.formatter') fomratter.timezone = u'UTC' # set portal access to open manager = IPrincipalPermissionManager(portal) everyone = sm.queryUtility(IEveryoneGroup) if everyone is not None: manager.grantPermissionToPrincipal( 'zojax.AccessPortal', everyone.id) authenticated = sm.queryUtility(IAuthenticatedGroup) if authenticated is not None: manager.unsetPermissionForPrincipal( 'zojax.AccessPortal', authenticated.id) # setup default role roles = sm.getUtility(IPortalRoles) if 'site.member' not in roles: role = PortalRole(title = u'Site Member') event.notify(ObjectCreatedEvent(role)) roles['site.member'] = role roleId = role.id sm.getUtility(IDefaultPortalRole).roles = [role.id] roleperm = IRolePermissionManager(portal) for permId in ('zojax.PersonalContent', 'zojax.PersonalSpace', 'zojax.forum.addMessage', 'zojax.forum.addTopic', 'zojax.SubmitBlogPost', 'zojax.SubmitDocuments', 'zojax.forum.SubmitTopic', 'zojax.SubmitPhoto', 'zojax.contenttype.SubmitNewsItem',): roleperm.grantPermissionToRole(permId, roleId) # install catalog sm.getUtility(IConfiglet, 'system.catalog').install() # install workspaces portal.workspaces = ('overview', 'people', 'news', 'documents') event.notify(ObjectModifiedEvent(portal)) setSite(None)
def deny_role_permission(self, role, permission): permission = PERM_MAP[permission] role = ROLE_MAP[role] IRolePermissionManager(self.context).denyPermissionToRole( permission, role)
def grant_roles_to_permissions(obj, event): # grant roles to permissions rpm = IRolePermissionManager(obj) rpm.grantPermissionToRole(u'gum.Add', u'gum.Admin') rpm.grantPermissionToRole(u'gum.Edit', u'gum.Admin')
def init_application(event): application = event.object if not IDatashackle.providedBy(application): # no datashackle grok application return # Site needs to be setted manually at this point. # Otherwise the framework does not notify the catalog to index the newly # created propertyform setSite(application) configfolder = Folder() configfolder.title = _(u'Configuration') application['configuration'] = configfolder # Deny view, edit permission to role dolmen.Owner (which is the default role for our restricted users). role_permission = IRolePermissionManager(configfolder) role_permission.denyPermissionToRole('dolmen.content.View', 'dolmen.Owner') #role_permission.grantPermissionToRole('dolmen.content.View', 'zope.Manager') role_permission.denyPermissionToRole('dolmen.content.Edit', 'dolmen.Owner') #role_permission.grantPermissionToRole('dolmen.content.Edit', 'zope.Manager') metaconfig = Folder() metaconfig.title = _(u'Meta configuration') configfolder['meta'] = metaconfig ignore_enumeration(metaconfig, 'zope.Everybody') #users = Users() #users.title = _(u'Users') #configfolder['users'] = users set_ = GenericSet() set_.title = u'p2_model' set_.plan_identifier = 'p2_model' set_.table_identifier = 'p2_model' set_.table_key_field = 'plan_identifier' metaconfig['p2_model'] = set_ set_ = GenericSet() set_.title = u'p2_form' set_.plan_identifier = 'p2_form' set_.table_identifier = 'p2_form' set_.table_key_field = 'form_identifier' metaconfig['p2_form'] = set_ archetypes = GenericSet() archetypes.title = _(u'p2_archetype') archetypes.plan_identifier = 'p2_archetype' archetypes.table_identifier = 'p2_archetype' archetypes.table_key_field = 'id' metaconfig['p2_archetypes'] = archetypes linkageforms = GenericSet() linkageforms.title = u'p2_linkage' linkageforms.plan_identifier = 'p2_linkage' linkageforms.table_identifier = 'p2_linkage' linkageforms.table_key_field = 'id' metaconfig['p2_linkage'] = linkageforms set_ = GenericSet() set_.title = u'p2_relation' set_.plan_identifier = 'p2_relation' set_.table_identifier = 'p2_relation' set_.table_key_field = 'id' metaconfig['p2_relation'] = set_ widget = GenericSet() widget.title = u'p2_widget' widget.plan_identifier = 'p2_widget' widget.table_identifier = 'p2_widget' widget.table_key_field = 'widget_identifier' metaconfig['p2_widget'] = widget set_ = GenericSet() set_.title = u'p2_span' set_.plan_identifier = 'p2_span' set_.table_identifier = 'p2_span' set_.table_key_field = 'span_identifier' metaconfig['p2_span'] = set_ set_ = GenericSet() set_.title = u'p2_span_embeddedform' set_.plan_identifier = 'p2_span_embeddedform' set_.table_identifier = 'p2_span_embeddedform' set_.table_key_field = 'span_identifier' metaconfig['p2_span_embeddedform'] = set_ set_ = GenericSet() set_.title = u'p2_span_fileupload' set_.plan_identifier = 'p2_span_fileupload' set_.table_identifier = 'p2_span_fileupload' set_.table_key_field = 'span_identifier' metaconfig['p2_span_fileupload'] = set_ set_ = GenericSet() set_.title = u'p2_span_alphanumeric' set_.plan_identifier = 'p2_span_alphanumeric' set_.table_identifier = 'p2_span_alphanumeric' set_.table_key_field = 'span_identifier' metaconfig['p2_span_alphanumeric'] = set_ set_ = GenericSet() set_.title = u'p2_span_checkbox' set_.plan_identifier = 'p2_span_checkbox' set_.table_identifier = 'p2_span_checkbox' set_.table_key_field = 'span_identifier' metaconfig['p2_span_checkbox'] = set_ set_ = GenericSet() set_.title = u'p2_span_dropdown' set_.plan_identifier = 'p2_span_dropdown' set_.table_identifier = 'p2_span_dropdown' set_.table_key_field = 'span_identifier' metaconfig['p2_span_dropdown'] = set_ set_ = GenericSet() set_.title = u'p2_countries' set_.plan_identifier = 'p2_countries' set_.table_identifier = 'p2_country' set_.table_key_field = 'id' metaconfig['p2_span_countries'] = set_
def unset_role_permission(self, role, permission): permission = PERM_MAP[permission] role = ROLE_MAP[role] IRolePermissionManager(self.context).unsetPermissionFromRole( permission, role)