def command(self):
self._load_config()
cmd = self.args[0] if len(self.args) else 'list'
if cmd == 'list':
self.list()
return
assert len(self.args) == 4, "Not enough paramters!" + RIGHTS_HELP
cmd, subj, role, obj = self.args
subj = self.find_subject(unicode(subj))
role = self.ensure_role(unicode(role))
obj = self.find_object(unicode(obj))
if cmd == 'make':
if isinstance(subj, model.User):
model.add_user_to_role(subj, role, obj)
elif isinstance(subj, model.AuthorizationGroup):
model.add_authorization_group_to_role(subj, role, obj)
print "made",
elif cmd == 'remove':
if isinstance(subj, model.User):
model.remove_user_from_role(subj, role, obj)
elif isinstance(subj, model.AuthorizationGroup):
model.remove_authorization_group_from_role(subj, role, obj)
print "remove",
model.repo.commit_and_remove()
self.print_row(subj, role, obj)
def make_or_remove_roles(cls, cmd, subj, role, obj, except_on_error=False, do_commit=True):
'''Tool to make or remove a role using the names of objects, rather
than the actual objects.
cmd - 'make' or 'remove'
subj - name of subject object (e.g. 'dave-admin')
role - name of role (e.g. 'editor')
obj - names of an objects to apply the role to (e.g. 'river-stats' or 'all')
'''
from ckan import model
log = logging.getLogger(__name__)
subj = cls.find_subject(unicode(subj))
role = cls.ensure_role(unicode(role))
objs = cls.find_objects(unicode(obj))
for obj in objs:
try:
if cmd == 'make':
if isinstance(subj, model.User):
model.add_user_to_role(subj, role, obj)
log.debug('Role made')
elif cmd == 'remove':
if isinstance(subj, model.User):
model.remove_user_from_role(subj, role, obj)
log.debug('Role removed')
else:
raise NotImplementedError
except NoResultFound, e:
log.error('Cannot find object for role %s: %s', str(e), cmd)
if except_on_error:
raise RightsToolError('Cannot %s right: %s %s %s', cmd, subj, role, obj)
log.debug(cls.get_printable_row(subj, role, obj,
exists=(cmd=='make')))
def command(self):
self._load_config()
cmd = self.args[0] if len(self.args) else 'list'
if cmd == 'list':
args = self.args
if 'list' in args:
del args[args.index('list')]
self.list(args)
return
assert len(self.args) == 4, "Not enough parameters!" + RIGHTS_HELP
cmd, subj, role, obj = self.args
subj = self.find_subject(unicode(subj))
role = self.ensure_role(unicode(role))
objs = self.find_objects(unicode(obj))
for obj in objs:
try:
if cmd == 'make':
if isinstance(subj, model.User):
model.add_user_to_role(subj, role, obj)
elif isinstance(subj, model.AuthorizationGroup):
model.add_authorization_group_to_role(subj, role, obj)
print "made",
elif cmd == 'remove':
if isinstance(subj, model.User):
model.remove_user_from_role(subj, role, obj)
elif isinstance(subj, model.AuthorizationGroup):
model.remove_authorization_group_from_role(subj, role, obj)
print "remove",
except NoResultFound, e:
print "! not found",
self.print_row(subj, role, obj)
def command(self):
self._load_config()
cmd = self.args[0] if len(self.args) else 'list'
if cmd == 'list':
args = self.args
if 'list' in args:
del args[args.index('list')]
self.list(args)
return
assert len(self.args) == 4, "Not enough parameters!" + RIGHTS_HELP
cmd, subj, role, obj = self.args
subj = self.find_subject(unicode(subj))
role = self.ensure_role(unicode(role))
objs = self.find_objects(unicode(obj))
for obj in objs:
try:
if cmd == 'make':
if isinstance(subj, model.User):
model.add_user_to_role(subj, role, obj)
elif isinstance(subj, model.AuthorizationGroup):
model.add_authorization_group_to_role(subj, role, obj)
print "made",
elif cmd == 'remove':
if isinstance(subj, model.User):
model.remove_user_from_role(subj, role, obj)
elif isinstance(subj, model.AuthorizationGroup):
model.remove_authorization_group_from_role(
subj, role, obj)
print "remove",
except NoResultFound, e:
print "! not found",
self.print_row(subj, role, obj)
def action_save_form(users):
# The permissions grid has been saved
# which is a grid of checkboxes named user$role
rpi = request.params.items()
# The grid passes us a list of the users/roles that were displayed
submitted = [a for (a, b) in rpi if (b == u'submitted')]
# and also those which were checked
checked = [a for (a, b) in rpi if (b == u'on')]
# from which we can deduce true/false for each user/role
# combination that was displayed in the form
table_dict = {}
for a in submitted:
table_dict[a] = False
for a in checked:
table_dict[a] = True
# now we'll split up the user$role strings to make a dictionary
# from (user,role) to True/False, which tells us what we need to
# do.
new_user_role_dict = {}
for (ur, val) in table_dict.items():
u, r = ur.split('$')
new_user_role_dict[(u, r)] = val
# we get the current user/role assignments
# and make a dictionary of them
current_uors = model.Session.query(model.SystemRole).all()
current_users_roles = [(uor.user.name, uor.role)
for uor in current_uors if uor.user]
current_user_role_dict = {}
for (u, r) in current_users_roles:
current_user_role_dict[(u, r)] = True
# and now we can loop through our dictionary of desired states
# checking whether a change needs to be made, and if so making it
# WORRY: Here it seems that we have to check whether someone is
# already assigned a role, in order to avoid assigning it twice,
# or attempting to delete it when it doesn't exist. Otherwise
# problems occur. However this doesn't affect the index page,
# which would seem to be prone to suffer the same effect. Why
# the difference?
for ((u, r), val) in new_user_role_dict.items():
if val:
if not ((u, r) in current_user_role_dict):
model.add_user_to_role(model.User.by_name(u), r,
model.System())
else:
if ((u, r) in current_user_role_dict):
model.remove_user_from_role(model.User.by_name(u), r,
model.System())
# finally commit the change to the database
model.Session.commit()
h.flash_success(_("Changes Saved"))
def action_add_form(users):
# The user is attempting to set new roles for a named user
new_user = request.params.get('new_user_name')
# this is the list of roles whose boxes were ticked
checked_roles = [
a for (a, b) in request.params.items() if (b == u'on')
]
# this is the list of all the roles that were in the submitted
# form
submitted_roles = [
a for (a, b) in request.params.items() if (b == u'submitted')
]
# from this we can make a dictionary of the desired states
# i.e. true for the ticked boxes, false for the unticked
desired_roles = {}
for r in submitted_roles:
desired_roles[r] = False
for r in checked_roles:
desired_roles[r] = True
# again, in order to avoid either creating a role twice or
# deleting one which is non-existent, we need to get the users'
# current roles (if any)
current_uors = model.Session.query(model.SystemRole).all()
current_roles = [
uor.role for uor in current_uors
if (uor.user and uor.user.name == new_user)
]
user_object = model.User.by_name(new_user)
if user_object is None:
# The submitted user does not exist. Bail with flash
# message
h.flash_error(_('unknown user:') + str(new_user))
else:
# Whenever our desired state is different from our
# current state, change it.
for (r, val) in desired_roles.items():
if val:
if (r not in current_roles):
model.add_user_to_role(user_object, r,
model.System())
else:
if (r in current_roles):
model.remove_user_from_role(
user_object, r, model.System())
h.flash_success(_("User Added"))
# and finally commit all these changes to the database
model.Session.commit()
def remove(self):
from ckan import model
if len(self.args) < 2:
print "Need name of the user to be made sysadmin."
return
username = self.args[1]
user = model.User.by_name(unicode(username))
if not user:
print 'Error: user "%s" not found!' % username
return
model.remove_user_from_role(user, model.Role.ADMIN, model.System())
model.repo.commit_and_remove()
def remove(self):
import ckan.model as model
if len(self.args) < 2:
print 'Need name of the user to be made sysadmin.'
return
username = self.args[1]
user = model.User.by_name(unicode(username))
if not user:
print 'Error: user "%s" not found!' % username
return
model.remove_user_from_role(user, model.Role.ADMIN, model.System())
model.repo.commit_and_remove()
def action_add_form(users):
# The user is attempting to set new roles for a named user
new_user = request.params.get('new_user_name')
# this is the list of roles whose boxes were ticked
checked_roles = [a for (a, b) in request.params.items()
if (b == u'on')]
# this is the list of all the roles that were in the submitted
# form
submitted_roles = [a for (a, b) in request.params.items()
if (b == u'submitted')]
# from this we can make a dictionary of the desired states
# i.e. true for the ticked boxes, false for the unticked
desired_roles = {}
for r in submitted_roles:
desired_roles[r] = False
for r in checked_roles:
desired_roles[r] = True
# again, in order to avoid either creating a role twice or
# deleting one which is non-existent, we need to get the users'
# current roles (if any)
current_uors = model.Session.query(model.SystemRole).all()
current_roles = [uor.role for uor in current_uors
if (uor.user and uor.user.name == new_user)]
user_object = model.User.by_name(new_user)
if user_object is None:
# The submitted user does not exist. Bail with flash
# message
h.flash_error(_('unknown user:') + str(new_user))
else:
# Whenever our desired state is different from our
# current state, change it.
for (r, val) in desired_roles.items():
if val:
if (r not in current_roles):
model.add_user_to_role(user_object, r,
model.System())
else:
if (r in current_roles):
model.remove_user_from_role(user_object, r,
model.System())
h.flash_success(_("User Added"))
# and finally commit all these changes to the database
model.Session.commit()
def test_3_add_twice_remove_twice(self):
tester = model.User.by_name(u'tester')
war = model.Package.by_name(u'warandpeace')
def tester_roles():
return [x.role \
for x in model.Session.query(model.PackageRole).all() \
if x.user and x.user.name=='tester' and x.package.name==u'warandpeace']
assert len(tester_roles()) == 0, "wrong number of roles for tester"
model.add_user_to_role(tester, model.Role.ADMIN, war)
model.repo.commit_and_remove()
assert len(tester_roles()) == 1, "wrong number of roles for tester"
model.add_user_to_role(tester, model.Role.ADMIN, war)
model.repo.commit_and_remove()
assert len(tester_roles()) == 1, "wrong number of roles for tester"
model.remove_user_from_role(tester, model.Role.ADMIN, war)
assert len(tester_roles()) == 0, "wrong number of roles for tester"
model.remove_user_from_role(tester, model.Role.ADMIN, war)
assert len(tester_roles()) == 0, "wrong number of roles for tester"
def test_3_add_twice_remove_twice(self):
tester = model.User.by_name(u'tester')
war = model.Package.by_name(u'warandpeace')
def tester_roles():
return [x.role \
for x in model.Session.query(model.PackageRole).all() \
if x.user and x.user.name=='tester' and x.package.name==u'warandpeace']
assert len(tester_roles()) == 0, "wrong number of roles for tester"
model.add_user_to_role(tester, model.Role.ADMIN, war)
model.repo.commit_and_remove()
assert len(tester_roles()) == 1, "wrong number of roles for tester"
model.add_user_to_role(tester, model.Role.ADMIN, war)
model.repo.commit_and_remove()
assert len(tester_roles()) == 1, "wrong number of roles for tester"
model.remove_user_from_role(tester, model.Role.ADMIN, war)
assert len(tester_roles()) == 0, "wrong number of roles for tester"
model.remove_user_from_role(tester, model.Role.ADMIN, war)
assert len(tester_roles()) == 0, "wrong number of roles for tester"
def set_roles(self, user_name, drupal_roles):
'''Sets CKAN user roles based on the drupal roles.
Restricted to sysadmin. Publishing roles initially imported during migration from
Drupal.
Example drupal_roles:
['package admin', 'publisher admin', 'authenticated user', 'publishing user']
where sysadmin roles are:
3 'administrator' - total control
11 'package admin' - admin of datasets
'publisher admin' - admin of publishers
other roles:
'publishing user' - anyone who has registered - includes spammers
'''
from ckan import model
from ckan.authz import Authorizer
needs_commit = False
user = model.User.by_name(user_name)
# Sysadmin or not
log.debug('User roles in Drupal: %r', drupal_roles)
should_be_sysadmin = bool(
set(('administrator', 'package admin', 'publisher admin'))
& set(drupal_roles))
is_sysadmin = Authorizer().is_sysadmin(user)
if should_be_sysadmin and not is_sysadmin:
# Make user a sysadmin
model.add_user_to_role(user, model.Role.ADMIN, model.System())
log.info('User made a sysadmin: %s', user_name)
needs_commit = True
elif not should_be_sysadmin and is_sysadmin:
# Stop user being a sysadmin
model.remove_user_from_role(user, model.Role.ADMIN, model.System())
log.info('User now not a sysadmin: %s', user_name)
needs_commit = True
if needs_commit:
model.repo.commit_and_remove()
def set_roles(self, user_name, drupal_roles):
'''Sets CKAN user roles based on the drupal roles.
Restricted to sysadmin. Publishing roles initially imported during migration from
Drupal.
Example drupal_roles:
['package admin', 'publisher admin', 'authenticated user', 'publishing user']
where sysadmin roles are:
3 'administrator' - total control
11 'package admin' - admin of datasets
'publisher admin' - admin of publishers
other roles:
'publishing user' - anyone who has registered - includes spammers
'''
from ckan import model
from ckan.authz import Authorizer
needs_commit = False
user = model.User.by_name(user_name)
# Sysadmin or not
log.debug('User roles in Drupal: %r', drupal_roles)
should_be_sysadmin = bool(set(('administrator', 'package admin', 'publisher admin')) & set(drupal_roles))
is_sysadmin = Authorizer().is_sysadmin(user)
if should_be_sysadmin and not is_sysadmin:
# Make user a sysadmin
model.add_user_to_role(user, model.Role.ADMIN, model.System())
log.info('User made a sysadmin: %s', user_name)
needs_commit = True
elif not should_be_sysadmin and is_sysadmin:
# Stop user being a sysadmin
model.remove_user_from_role(user, model.Role.ADMIN, model.System())
log.info('User now not a sysadmin: %s', user_name)
needs_commit = True
if needs_commit:
model.repo.commit_and_remove()
def action_save_form(users):
# The permissions grid has been saved
# which is a grid of checkboxes named user$role
rpi = request.params.items()
# The grid passes us a list of the users/roles that were displayed
submitted = [a for (a, b) in rpi if (b == u'submitted')]
# and also those which were checked
checked = [a for (a, b) in rpi if (b == u'on')]
# from which we can deduce true/false for each user/role
# combination that was displayed in the form
table_dict = {}
for a in submitted:
table_dict[a] = False
for a in checked:
table_dict[a] = True
# now we'll split up the user$role strings to make a dictionary
# from (user,role) to True/False, which tells us what we need to
# do.
new_user_role_dict = {}
for (ur, val) in table_dict.items():
u, r = ur.split('$')
new_user_role_dict[(u, r)] = val
# we get the current user/role assignments
# and make a dictionary of them
current_uors = model.Session.query(model.SystemRole).all()
current_users_roles = [(uor.user.name, uor.role)
for uor in current_uors
if uor.user]
current_user_role_dict = {}
for (u, r) in current_users_roles:
current_user_role_dict[(u, r)] = True
# and now we can loop through our dictionary of desired states
# checking whether a change needs to be made, and if so making it
# WORRY: Here it seems that we have to check whether someone is
# already assigned a role, in order to avoid assigning it twice,
# or attempting to delete it when it doesn't exist. Otherwise
# problems occur. However this doesn't affect the index page,
# which would seem to be prone to suffer the same effect. Why
# the difference?
for ((u, r), val) in new_user_role_dict.items():
if val:
if not ((u, r) in current_user_role_dict):
model.add_user_to_role(
model.User.by_name(u), r,
model.System())
else:
if ((u, r) in current_user_role_dict):
model.remove_user_from_role(
model.User.by_name(u), r,
model.System())
# finally commit the change to the database
model.Session.commit()
h.flash_success(_("Changes Saved"))
def _add_user_object_role(self, users_or_authz_groups, current_uors, domain_object):
'''
current_uors: in order to avoid either creating a role twice or deleting one which is
non-existent, we need to get the users' current roles (if any)
'''
# The user is attempting to set new roles for a named user
new_user = request.params.get('new_user_name')
# this is the list of roles whose boxes were ticked
checked_roles = [ a for (a,b) in request.params.items() if (b == u'on')]
# this is the list of all the roles that were in the submitted form
submitted_roles = [ a for (a,b) in request.params.items() if (b == u'submitted')]
# from this we can make a dictionary of the desired states
# i.e. true for the ticked boxes, false for the unticked
desired_roles = {}
for r in submitted_roles:
desired_roles[r]=False
for r in checked_roles:
desired_roles[r]=True
if users_or_authz_groups=='users':
current_roles = [uor.role for uor in current_uors if ( uor.user and uor.user.name == new_user )]
user_object = model.User.by_name(new_user)
if user_object==None:
# The submitted user does not exist. Bail with flash message
h.flash_error(_('unknown user:'******'authz_groups':
current_roles = [uor.role for uor in current_uors if ( uor.authorized_group and uor.authorized_group.name == new_user )]
user_object = model.AuthorizationGroup.by_name(new_user)
if user_object==None:
# The submitted user does not exist. Bail with flash message
h.flash_error(_('unknown authorization group:') + str (new_user))
else:
# Whenever our desired state is different from our current state, change it.
for (r,val) in desired_roles.items():
if val:
if (r not in current_roles):
model.add_authorization_group_to_role(user_object,
r, domain_object)
else:
if (r in current_roles):
model.remove_authorization_group_from_role(user_object,
r, domain_object)
h.flash_success(_("Authorization Group Added"))
else:
assert False, "shouldn't be here"
# and finally commit all these changes to the database
model.repo.commit_and_remove()
def _update_user_object_roles(self, users_or_authz_groups, current_uors, domain_object):
'''Update user object roles for this object.
:param domain_object: the domain object for whom we are adding the user
object role.
'''
# The permissions grid has been saved
# which is a grid of checkboxes named user$role
rpi = request.params.items()
# The grid passes us a list of the users/roles that were displayed
submitted = [ a for (a,b) in rpi if (b == u'submitted')]
# and also those which were checked
checked = [ a for (a,b) in rpi if (b == u'on')]
# from which we can deduce true/false for each user/role combination
# that was displayed in the form
table_dict={}
for a in submitted:
table_dict[a]=False
for a in checked:
table_dict[a]=True
# now we'll split up the user$role strings to make a dictionary from
# (user,role) to True/False, which tells us what we need to do.
new_user_role_dict={}
for (ur,val) in table_dict.items():
u,r = ur.split('$')
new_user_role_dict[(u,r)] = val
if users_or_authz_groups=='users':
current_users_roles = [( uor.user.name, uor.role) for uor in current_uors if uor.user]
elif users_or_authz_groups=='authz_groups':
current_users_roles = [( uor.authorized_group.name, uor.role) for uor in current_uors if uor.authorized_group]
else:
assert False, "shouldn't be here"
current_user_role_dict={}
for (u,r) in current_users_roles:
current_user_role_dict[(u,r)]=True
# and now we can loop through our dictionary of desired states
# checking whether a change needs to be made, and if so making it
# Here we check whether someone is already assigned a role, in order
# to avoid assigning it twice, or attempting to delete it when it
# doesn't exist. Otherwise problems can occur.
if users_or_authz_groups=='users':
for ((u,r), val) in new_user_role_dict.items():
if val:
if not ((u,r) in current_user_role_dict):
model.add_user_to_role(model.User.by_name(u),r,domain_object)
else:
if ((u,r) in current_user_role_dict):
model.remove_user_from_role(model.User.by_name(u),r,domain_object)
elif users_or_authz_groups=='authz_groups':
for ((u,r), val) in new_user_role_dict.items():
if val:
if not ((u,r) in current_user_role_dict):
model.add_authorization_group_to_role(model.AuthorizationGroup.by_name(u),r,domain_object)
else:
if ((u,r) in current_user_role_dict):
model.remove_authorization_group_from_role(model.AuthorizationGroup.by_name(u),r,domain_object)
else:
assert False, "shouldn't be here"
# finally commit the change to the database
model.repo.commit_and_remove()
h.flash_success(_("Changes Saved"))
