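def test_deny_dublincore_view(self):
    """Check that denying the Dublin Core view permission hides metadata only.

    An anonymous visitor who may view the folder contents page but has been
    denied the Dublin Core view permission should still see the names of the
    folder items, but not their title, modified and created information.
    """
    # Put an annotatable container into the root folder and give it a
    # Dublin Core title that must not show up in the listing.
    obj = OrderedContainer()
    alsoProvides(obj, IAttributeAnnotatable)
    self.getRootFolder()['obj'] = obj
    IZopeDublinCore(obj).title = u'My object'

    # Deny the permission to zope.Anonymous under both spellings, in case
    # an older zope.dc that still uses the 'zope.app.' id is installed.
    prm = IRolePermissionManager(self.getRootFolder())
    prm.denyPermissionToRole('zope.dublincore.view', 'zope.Anonymous')
    prm.denyPermissionToRole('zope.app.dublincore.view', 'zope.Anonymous')
    transaction.commit()

    response = self.publish('/')
    # assertEqual / assertIn / assertNotIn replace the deprecated
    # assertEquals / assert_ aliases, which Python 3.12 removed, and they
    # report the offending body on failure.
    self.assertEqual(response.getStatus(), 200)
    body = response.getBody()

    # The item name is still listed ...
    self.assertIn('<a href="obj">obj</a>', body)
    # ... but the denied metadata title must not leak into the page.
    self.assertNotIn('My object', body)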
def test_deny_view(self):
    """Check that anonymous access fails once zope.View is denied.

    The deny is recorded on the root folder through its
    IRolePermissionManager adapter and committed; publishing '/' must
    then raise Unauthorized.
    """
    root_permissions = IRolePermissionManager(self.getRootFolder())
    root_permissions.denyPermissionToRole('zope.View', 'zope.Anonymous')
    transaction.commit()

    # The root folder must no longer be reachable for this request.
    with self.assertRaises(Unauthorized):
        self.publish('/')
def change_permissions(event):
    """Tighten view access on an object when it moves to PUBLISHED.

    Does nothing unless the transition's destination is the PUBLISHED
    state, an interaction is active, and the current principal provides
    ICOUser. Otherwise the View permission is denied to the Editor role
    on the object and granted to the principal stored on the object.
    """
    if not (event.destination == Workflow.states.PUBLISHED):
        return

    try:
        current = uvcsite.utils.shorties.getPrincipal()
    except zope.security.interfaces.NoInteraction:
        # No security interaction is active, so there is no principal to
        # inspect; the permissions are left untouched.
        return

    if not uvcsite.auth.interfaces.ICOUser.providedBy(current):
        return

    target = event.object
    principal_permissions = IPrincipalPermissionManager(target)
    role_permissions = IRolePermissionManager(target)
    role_permissions.denyPermissionToRole(
        named(uvcsite.permissions.View),
        named(uvcsite.permissions.Editor))
    # The grant goes to the principal recorded on the object, not to the
    # principal of the current interaction.
    principal_permissions.grantPermissionToPrincipal(
        named(uvcsite.permissions.View),
        event.object.principal.id)
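async def sharing_post(context, request):
    """Apply role and permission grants from a JSON request body to ``context``.

    The body must be a JSON object carrying at least one of:

    * ``prinrole``: maps a principal id to a list of role ids to assign;
    * ``roleperm``: maps a role id to a list of permission ids to grant.

    The whole payload is checked before anything is written, so a malformed
    request leaves the security settings of ``context`` untouched. Once the
    grants are applied, ObjectPermissionsModifiedEvent is notified.

    Raises:
        AttributeError: if neither key is present or the payload does not
            have the shape described above. The type matches what this
            function already raised for a missing key.
    """
    data = await request.json()
    roleperm = IRolePermissionManager(context)
    prinrole = IPrincipalRoleManager(context)

    # NOTE(review): nothing in this function checks that the caller may
    # change sharing on `context`, and any role or permission id in the
    # body is applied as given. Confirm that the route is registered with
    # a suitable permission and consider restricting the accepted ids.
    if not isinstance(data, dict) or (
            'prinrole' not in data and 'roleperm' not in data):
        raise AttributeError('prinrole or roleperm missing')

    # Validate both sections up front. A bare string where a list is
    # expected would otherwise be iterated character by character and
    # written as a series of one-letter ids, and an error in the second
    # section would leave the first one already applied.
    for section in ('prinrole', 'roleperm'):
        mapping = data.get(section, {})
        if not isinstance(mapping, dict):
            raise AttributeError('%s must be an object' % section)
        for ids in mapping.values():
            well_formed = isinstance(ids, list) and all(
                isinstance(item, str) for item in ids)
            if not well_formed:
                raise AttributeError(
                    '%s values must be lists of strings' % section)

    for user, roles in data.get('prinrole', {}).items():
        for role in roles:
            prinrole.assignRoleToPrincipal(role, user)

    for role, perms in data.get('roleperm', {}).items():
        for perm in perms:
            roleperm.grantPermissionToRole(perm, role)

    await notify(ObjectPermissionsModifiedEvent(context))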
def __call__(self, data):
    """Create the first administrator and set up the default grants.

    ``data`` is read with the keys ``member.login``, ``member.password``,
    ``member.firstName``, ``member.lastName`` and ``member.email``. The new
    member is added to the authentication utility and to the
    ``groups.Administrators`` group. Permissions are then granted to the
    ADMINISTRATOR and MEMBER roles, and VIEW is granted to the
    unauthenticated group when one is registered.
    """
    auth = zope.component.getUtility(IAuthentication, context=self.context)

    # NOTE(review): the password is passed to WebSiteMember exactly as
    # received; whether it is hashed before storage is decided there.
    # Confirm.
    admin = authentication.WebSiteMember(
        data['member.login'],
        data['member.password'],
        data['member.firstName'],
        data['member.lastName'],
        data['member.email'],
    )
    zope.event.notify(zope.lifecycleevent.ObjectCreatedEvent(admin))
    auth['members'].add(admin)

    # Append the new member to the administrators group.
    # NOTE(review): check=False presumably skips a validation step in
    # setPrincipals; confirm that skipping it is intended here.
    admin_group = auth['groups']['groups.Administrators']
    members = admin_group.principals + (admin.__name__, )
    admin_group.setPrincipals(members, check=False)

    # Role grants, applied in the listed order.
    role_grants = (
        (permissions.MANAGESITE, roles.ADMINISTRATOR),
        (permissions.MANAGECONTENT, roles.ADMINISTRATOR),
        (permissions.MANAGEUSERS, roles.ADMINISTRATOR),
        (permissions.VIEW, roles.ADMINISTRATOR),
        (permissions.MANAGECONTENT, roles.MEMBER),
        (permissions.VIEW, roles.MEMBER),
    )
    role_manager = IRolePermissionManager(self.context)
    for permission, role in role_grants:
        role_manager.grantPermissionToRole(permission, role)

    # Anonymous visitors get VIEW on the context, but only when an
    # unauthenticated group utility is registered.
    prin_manager = IPrincipalPermissionManager(self.context)
    unauth = zope.component.queryUtility(
        IUnauthenticatedGroup, context=self.context)
    if unauth is not None:
        prin_manager.grantPermissionToPrincipal(permissions.VIEW, unauth.id)
def remove_edit_permission(event):
    """Deny 'uvc.EditContent' to the 'uvc.Editor' role on publication.

    Transitions whose destination is not PUBLISHED are ignored.
    """
    if event.destination != PUBLISHED:
        return

    # The deny is recorded on the transitioned object itself.
    role_permissions = IRolePermissionManager(event.object)
    role_permissions.denyPermissionToRole('uvc.EditContent', 'uvc.Editor')
def remove_edit_permission(event):
    """Deny the Edit permission to the Editor role on publication.

    Acts only when the transition's destination is the workflow's
    PUBLISHED state; the permission and role ids are resolved with
    ``named`` from the uvcsite.permissions declarations.
    """
    if event.destination == Workflow.states.PUBLISHED:
        role_permissions = IRolePermissionManager(event.object)
        role_permissions.denyPermissionToRole(
            named(uvcsite.permissions.Edit),
            named(uvcsite.permissions.Editor),
        )
def unset_role_permission(self, role, permission):
    """Unset ``permission`` for ``role`` on ``self.context``.

    Both arguments are keys that are translated through PERM_MAP and
    ROLE_MAP; an unknown key raises KeyError before any setting changes.
    """
    permission_id = PERM_MAP[permission]
    role_id = ROLE_MAP[role]
    manager = IRolePermissionManager(self.context)
    manager.unsetPermissionFromRole(permission_id, role_id)
def deny_role_permission(self, role, permission):
    """Deny ``permission`` to ``role`` on ``self.context``.

    Both arguments are keys that are translated through PERM_MAP and
    ROLE_MAP; an unknown key raises KeyError before any setting changes.
    """
    permission_id = PERM_MAP[permission]
    role_id = ROLE_MAP[role]
    manager = IRolePermissionManager(self.context)
    manager.denyPermissionToRole(permission_id, role_id)
def grant_roles_to_permissions(obj, event):
    """Grant the gum.Add and gum.Edit permissions to the gum.Admin role.

    Written as an event subscriber: ``event`` is accepted but not used,
    and the grants are recorded on ``obj``.
    """
    manager = IRolePermissionManager(obj)
    for permission in (u'gum.Add', u'gum.Edit'):
        manager.grantPermissionToRole(permission, u'gum.Admin')