def command(self): self._load_config() cmd = self.args[0] if len(self.args) else 'list' if cmd == 'list': self.list() return assert len(self.args) == 4, "Not enough paramters!" + RIGHTS_HELP cmd, subj, role, obj = self.args subj = self.find_subject(unicode(subj)) role = self.ensure_role(unicode(role)) obj = self.find_object(unicode(obj)) if cmd == 'make': if isinstance(subj, model.User): model.add_user_to_role(subj, role, obj) elif isinstance(subj, model.AuthorizationGroup): model.add_authorization_group_to_role(subj, role, obj) print "made", elif cmd == 'remove': if isinstance(subj, model.User): model.remove_user_from_role(subj, role, obj) elif isinstance(subj, model.AuthorizationGroup): model.remove_authorization_group_from_role(subj, role, obj) print "remove", model.repo.commit_and_remove() self.print_row(subj, role, obj)
def make_or_remove_roles(cls, cmd, subj, role, obj, except_on_error=False, do_commit=True): '''Tool to make or remove a role using the names of objects, rather than the actual objects. cmd - 'make' or 'remove' subj - name of subject object (e.g. 'dave-admin') role - name of role (e.g. 'editor') obj - names of an objects to apply the role to (e.g. 'river-stats' or 'all') ''' from ckan import model log = logging.getLogger(__name__) subj = cls.find_subject(unicode(subj)) role = cls.ensure_role(unicode(role)) objs = cls.find_objects(unicode(obj)) for obj in objs: try: if cmd == 'make': if isinstance(subj, model.User): model.add_user_to_role(subj, role, obj) log.debug('Role made') elif cmd == 'remove': if isinstance(subj, model.User): model.remove_user_from_role(subj, role, obj) log.debug('Role removed') else: raise NotImplementedError except NoResultFound, e: log.error('Cannot find object for role %s: %s', str(e), cmd) if except_on_error: raise RightsToolError('Cannot %s right: %s %s %s', cmd, subj, role, obj) log.debug(cls.get_printable_row(subj, role, obj, exists=(cmd=='make')))
def command(self): self._load_config() cmd = self.args[0] if len(self.args) else 'list' if cmd == 'list': args = self.args if 'list' in args: del args[args.index('list')] self.list(args) return assert len(self.args) == 4, "Not enough parameters!" + RIGHTS_HELP cmd, subj, role, obj = self.args subj = self.find_subject(unicode(subj)) role = self.ensure_role(unicode(role)) objs = self.find_objects(unicode(obj)) for obj in objs: try: if cmd == 'make': if isinstance(subj, model.User): model.add_user_to_role(subj, role, obj) elif isinstance(subj, model.AuthorizationGroup): model.add_authorization_group_to_role(subj, role, obj) print "made", elif cmd == 'remove': if isinstance(subj, model.User): model.remove_user_from_role(subj, role, obj) elif isinstance(subj, model.AuthorizationGroup): model.remove_authorization_group_from_role(subj, role, obj) print "remove", except NoResultFound, e: print "! not found", self.print_row(subj, role, obj)
def command(self): self._load_config() cmd = self.args[0] if len(self.args) else 'list' if cmd == 'list': args = self.args if 'list' in args: del args[args.index('list')] self.list(args) return assert len(self.args) == 4, "Not enough parameters!" + RIGHTS_HELP cmd, subj, role, obj = self.args subj = self.find_subject(unicode(subj)) role = self.ensure_role(unicode(role)) objs = self.find_objects(unicode(obj)) for obj in objs: try: if cmd == 'make': if isinstance(subj, model.User): model.add_user_to_role(subj, role, obj) elif isinstance(subj, model.AuthorizationGroup): model.add_authorization_group_to_role(subj, role, obj) print "made", elif cmd == 'remove': if isinstance(subj, model.User): model.remove_user_from_role(subj, role, obj) elif isinstance(subj, model.AuthorizationGroup): model.remove_authorization_group_from_role( subj, role, obj) print "remove", except NoResultFound, e: print "! not found", self.print_row(subj, role, obj)
def action_save_form(users): # The permissions grid has been saved # which is a grid of checkboxes named user$role rpi = request.params.items() # The grid passes us a list of the users/roles that were displayed submitted = [a for (a, b) in rpi if (b == u'submitted')] # and also those which were checked checked = [a for (a, b) in rpi if (b == u'on')] # from which we can deduce true/false for each user/role # combination that was displayed in the form table_dict = {} for a in submitted: table_dict[a] = False for a in checked: table_dict[a] = True # now we'll split up the user$role strings to make a dictionary # from (user,role) to True/False, which tells us what we need to # do. new_user_role_dict = {} for (ur, val) in table_dict.items(): u, r = ur.split('$') new_user_role_dict[(u, r)] = val # we get the current user/role assignments # and make a dictionary of them current_uors = model.Session.query(model.SystemRole).all() current_users_roles = [(uor.user.name, uor.role) for uor in current_uors if uor.user] current_user_role_dict = {} for (u, r) in current_users_roles: current_user_role_dict[(u, r)] = True # and now we can loop through our dictionary of desired states # checking whether a change needs to be made, and if so making it # WORRY: Here it seems that we have to check whether someone is # already assigned a role, in order to avoid assigning it twice, # or attempting to delete it when it doesn't exist. Otherwise # problems occur. However this doesn't affect the index page, # which would seem to be prone to suffer the same effect. Why # the difference? for ((u, r), val) in new_user_role_dict.items(): if val: if not ((u, r) in current_user_role_dict): model.add_user_to_role(model.User.by_name(u), r, model.System()) else: if ((u, r) in current_user_role_dict): model.remove_user_from_role(model.User.by_name(u), r, model.System()) # finally commit the change to the database model.Session.commit() h.flash_success(_("Changes Saved"))
def action_add_form(users): # The user is attempting to set new roles for a named user new_user = request.params.get('new_user_name') # this is the list of roles whose boxes were ticked checked_roles = [ a for (a, b) in request.params.items() if (b == u'on') ] # this is the list of all the roles that were in the submitted # form submitted_roles = [ a for (a, b) in request.params.items() if (b == u'submitted') ] # from this we can make a dictionary of the desired states # i.e. true for the ticked boxes, false for the unticked desired_roles = {} for r in submitted_roles: desired_roles[r] = False for r in checked_roles: desired_roles[r] = True # again, in order to avoid either creating a role twice or # deleting one which is non-existent, we need to get the users' # current roles (if any) current_uors = model.Session.query(model.SystemRole).all() current_roles = [ uor.role for uor in current_uors if (uor.user and uor.user.name == new_user) ] user_object = model.User.by_name(new_user) if user_object is None: # The submitted user does not exist. Bail with flash # message h.flash_error(_('unknown user:') + str(new_user)) else: # Whenever our desired state is different from our # current state, change it. for (r, val) in desired_roles.items(): if val: if (r not in current_roles): model.add_user_to_role(user_object, r, model.System()) else: if (r in current_roles): model.remove_user_from_role( user_object, r, model.System()) h.flash_success(_("User Added")) # and finally commit all these changes to the database model.Session.commit()
def remove(self): from ckan import model if len(self.args) < 2: print "Need name of the user to be made sysadmin." return username = self.args[1] user = model.User.by_name(unicode(username)) if not user: print 'Error: user "%s" not found!' % username return model.remove_user_from_role(user, model.Role.ADMIN, model.System()) model.repo.commit_and_remove()
def remove(self): import ckan.model as model if len(self.args) < 2: print 'Need name of the user to be made sysadmin.' return username = self.args[1] user = model.User.by_name(unicode(username)) if not user: print 'Error: user "%s" not found!' % username return model.remove_user_from_role(user, model.Role.ADMIN, model.System()) model.repo.commit_and_remove()
def action_add_form(users): # The user is attempting to set new roles for a named user new_user = request.params.get('new_user_name') # this is the list of roles whose boxes were ticked checked_roles = [a for (a, b) in request.params.items() if (b == u'on')] # this is the list of all the roles that were in the submitted # form submitted_roles = [a for (a, b) in request.params.items() if (b == u'submitted')] # from this we can make a dictionary of the desired states # i.e. true for the ticked boxes, false for the unticked desired_roles = {} for r in submitted_roles: desired_roles[r] = False for r in checked_roles: desired_roles[r] = True # again, in order to avoid either creating a role twice or # deleting one which is non-existent, we need to get the users' # current roles (if any) current_uors = model.Session.query(model.SystemRole).all() current_roles = [uor.role for uor in current_uors if (uor.user and uor.user.name == new_user)] user_object = model.User.by_name(new_user) if user_object is None: # The submitted user does not exist. Bail with flash # message h.flash_error(_('unknown user:') + str(new_user)) else: # Whenever our desired state is different from our # current state, change it. for (r, val) in desired_roles.items(): if val: if (r not in current_roles): model.add_user_to_role(user_object, r, model.System()) else: if (r in current_roles): model.remove_user_from_role(user_object, r, model.System()) h.flash_success(_("User Added")) # and finally commit all these changes to the database model.Session.commit()
def test_3_add_twice_remove_twice(self): tester = model.User.by_name(u'tester') war = model.Package.by_name(u'warandpeace') def tester_roles(): return [x.role \ for x in model.Session.query(model.PackageRole).all() \ if x.user and x.user.name=='tester' and x.package.name==u'warandpeace'] assert len(tester_roles()) == 0, "wrong number of roles for tester" model.add_user_to_role(tester, model.Role.ADMIN, war) model.repo.commit_and_remove() assert len(tester_roles()) == 1, "wrong number of roles for tester" model.add_user_to_role(tester, model.Role.ADMIN, war) model.repo.commit_and_remove() assert len(tester_roles()) == 1, "wrong number of roles for tester" model.remove_user_from_role(tester, model.Role.ADMIN, war) assert len(tester_roles()) == 0, "wrong number of roles for tester" model.remove_user_from_role(tester, model.Role.ADMIN, war) assert len(tester_roles()) == 0, "wrong number of roles for tester"
def set_roles(self, user_name, drupal_roles): '''Sets CKAN user roles based on the drupal roles. Restricted to sysadmin. Publishing roles initially imported during migration from Drupal. Example drupal_roles: ['package admin', 'publisher admin', 'authenticated user', 'publishing user'] where sysadmin roles are: 3 'administrator' - total control 11 'package admin' - admin of datasets 'publisher admin' - admin of publishers other roles: 'publishing user' - anyone who has registered - includes spammers ''' from ckan import model from ckan.authz import Authorizer needs_commit = False user = model.User.by_name(user_name) # Sysadmin or not log.debug('User roles in Drupal: %r', drupal_roles) should_be_sysadmin = bool( set(('administrator', 'package admin', 'publisher admin')) & set(drupal_roles)) is_sysadmin = Authorizer().is_sysadmin(user) if should_be_sysadmin and not is_sysadmin: # Make user a sysadmin model.add_user_to_role(user, model.Role.ADMIN, model.System()) log.info('User made a sysadmin: %s', user_name) needs_commit = True elif not should_be_sysadmin and is_sysadmin: # Stop user being a sysadmin model.remove_user_from_role(user, model.Role.ADMIN, model.System()) log.info('User now not a sysadmin: %s', user_name) needs_commit = True if needs_commit: model.repo.commit_and_remove()
def set_roles(self, user_name, drupal_roles): '''Sets CKAN user roles based on the drupal roles. Restricted to sysadmin. Publishing roles initially imported during migration from Drupal. Example drupal_roles: ['package admin', 'publisher admin', 'authenticated user', 'publishing user'] where sysadmin roles are: 3 'administrator' - total control 11 'package admin' - admin of datasets 'publisher admin' - admin of publishers other roles: 'publishing user' - anyone who has registered - includes spammers ''' from ckan import model from ckan.authz import Authorizer needs_commit = False user = model.User.by_name(user_name) # Sysadmin or not log.debug('User roles in Drupal: %r', drupal_roles) should_be_sysadmin = bool(set(('administrator', 'package admin', 'publisher admin')) & set(drupal_roles)) is_sysadmin = Authorizer().is_sysadmin(user) if should_be_sysadmin and not is_sysadmin: # Make user a sysadmin model.add_user_to_role(user, model.Role.ADMIN, model.System()) log.info('User made a sysadmin: %s', user_name) needs_commit = True elif not should_be_sysadmin and is_sysadmin: # Stop user being a sysadmin model.remove_user_from_role(user, model.Role.ADMIN, model.System()) log.info('User now not a sysadmin: %s', user_name) needs_commit = True if needs_commit: model.repo.commit_and_remove()
def action_save_form(users): # The permissions grid has been saved # which is a grid of checkboxes named user$role rpi = request.params.items() # The grid passes us a list of the users/roles that were displayed submitted = [a for (a, b) in rpi if (b == u'submitted')] # and also those which were checked checked = [a for (a, b) in rpi if (b == u'on')] # from which we can deduce true/false for each user/role # combination that was displayed in the form table_dict = {} for a in submitted: table_dict[a] = False for a in checked: table_dict[a] = True # now we'll split up the user$role strings to make a dictionary # from (user,role) to True/False, which tells us what we need to # do. new_user_role_dict = {} for (ur, val) in table_dict.items(): u, r = ur.split('$') new_user_role_dict[(u, r)] = val # we get the current user/role assignments # and make a dictionary of them current_uors = model.Session.query(model.SystemRole).all() current_users_roles = [(uor.user.name, uor.role) for uor in current_uors if uor.user] current_user_role_dict = {} for (u, r) in current_users_roles: current_user_role_dict[(u, r)] = True # and now we can loop through our dictionary of desired states # checking whether a change needs to be made, and if so making it # WORRY: Here it seems that we have to check whether someone is # already assigned a role, in order to avoid assigning it twice, # or attempting to delete it when it doesn't exist. Otherwise # problems occur. However this doesn't affect the index page, # which would seem to be prone to suffer the same effect. Why # the difference? for ((u, r), val) in new_user_role_dict.items(): if val: if not ((u, r) in current_user_role_dict): model.add_user_to_role( model.User.by_name(u), r, model.System()) else: if ((u, r) in current_user_role_dict): model.remove_user_from_role( model.User.by_name(u), r, model.System()) # finally commit the change to the database model.Session.commit() h.flash_success(_("Changes Saved"))
def _add_user_object_role(self, users_or_authz_groups, current_uors, domain_object): ''' current_uors: in order to avoid either creating a role twice or deleting one which is non-existent, we need to get the users' current roles (if any) ''' # The user is attempting to set new roles for a named user new_user = request.params.get('new_user_name') # this is the list of roles whose boxes were ticked checked_roles = [ a for (a,b) in request.params.items() if (b == u'on')] # this is the list of all the roles that were in the submitted form submitted_roles = [ a for (a,b) in request.params.items() if (b == u'submitted')] # from this we can make a dictionary of the desired states # i.e. true for the ticked boxes, false for the unticked desired_roles = {} for r in submitted_roles: desired_roles[r]=False for r in checked_roles: desired_roles[r]=True if users_or_authz_groups=='users': current_roles = [uor.role for uor in current_uors if ( uor.user and uor.user.name == new_user )] user_object = model.User.by_name(new_user) if user_object==None: # The submitted user does not exist. Bail with flash message h.flash_error(_('unknown user:'******'authz_groups': current_roles = [uor.role for uor in current_uors if ( uor.authorized_group and uor.authorized_group.name == new_user )] user_object = model.AuthorizationGroup.by_name(new_user) if user_object==None: # The submitted user does not exist. Bail with flash message h.flash_error(_('unknown authorization group:') + str (new_user)) else: # Whenever our desired state is different from our current state, change it. for (r,val) in desired_roles.items(): if val: if (r not in current_roles): model.add_authorization_group_to_role(user_object, r, domain_object) else: if (r in current_roles): model.remove_authorization_group_from_role(user_object, r, domain_object) h.flash_success(_("Authorization Group Added")) else: assert False, "shouldn't be here" # and finally commit all these changes to the database model.repo.commit_and_remove()
def _update_user_object_roles(self, users_or_authz_groups, current_uors, domain_object): '''Update user object roles for this object. :param domain_object: the domain object for whom we are adding the user object role. ''' # The permissions grid has been saved # which is a grid of checkboxes named user$role rpi = request.params.items() # The grid passes us a list of the users/roles that were displayed submitted = [ a for (a,b) in rpi if (b == u'submitted')] # and also those which were checked checked = [ a for (a,b) in rpi if (b == u'on')] # from which we can deduce true/false for each user/role combination # that was displayed in the form table_dict={} for a in submitted: table_dict[a]=False for a in checked: table_dict[a]=True # now we'll split up the user$role strings to make a dictionary from # (user,role) to True/False, which tells us what we need to do. new_user_role_dict={} for (ur,val) in table_dict.items(): u,r = ur.split('$') new_user_role_dict[(u,r)] = val if users_or_authz_groups=='users': current_users_roles = [( uor.user.name, uor.role) for uor in current_uors if uor.user] elif users_or_authz_groups=='authz_groups': current_users_roles = [( uor.authorized_group.name, uor.role) for uor in current_uors if uor.authorized_group] else: assert False, "shouldn't be here" current_user_role_dict={} for (u,r) in current_users_roles: current_user_role_dict[(u,r)]=True # and now we can loop through our dictionary of desired states # checking whether a change needs to be made, and if so making it # Here we check whether someone is already assigned a role, in order # to avoid assigning it twice, or attempting to delete it when it # doesn't exist. Otherwise problems can occur. if users_or_authz_groups=='users': for ((u,r), val) in new_user_role_dict.items(): if val: if not ((u,r) in current_user_role_dict): model.add_user_to_role(model.User.by_name(u),r,domain_object) else: if ((u,r) in current_user_role_dict): model.remove_user_from_role(model.User.by_name(u),r,domain_object) elif users_or_authz_groups=='authz_groups': for ((u,r), val) in new_user_role_dict.items(): if val: if not ((u,r) in current_user_role_dict): model.add_authorization_group_to_role(model.AuthorizationGroup.by_name(u),r,domain_object) else: if ((u,r) in current_user_role_dict): model.remove_authorization_group_from_role(model.AuthorizationGroup.by_name(u),r,domain_object) else: assert False, "shouldn't be here" # finally commit the change to the database model.repo.commit_and_remove() h.flash_success(_("Changes Saved"))