def update(self, **data):
cn = '%s-%s' % (self.mnr, data.get('az'))
self.um.updUser(**data)
for role in self.__parent__.values():
principal_roles = IPrincipalRoleManager(role)
principal_roles.removeRoleFromPrincipal('uvc.Editor', cn)
for role in data.get('rollen'):
principal_roles = IPrincipalRoleManager(self.__parent__[role])
principal_roles.assignRoleToPrincipal('uvc.Editor', cn)
def set_acl(self,
obj,
inherit,
allow_perms,
deny_perms,
del_perms,
recursive=False):
prinrole = IPrincipalRoleManager(obj)
auth = getUtility(IAuthentication, context=None)
obj.inherit_permissions = inherit
def mod_perm(what, setter, p):
kind, principal, perms = p.split(':')
if not perms:
return
prin = auth.getPrincipal(principal)
if isinstance(prin, Group) and kind == 'u':
self.write(
"No such user '%s', it's a group, perhaps you mean 'g:%s:%s'\n"
% (principal, principal, perms))
return
elif type(prin) is User and kind == 'g':
self.write(
"No such group '%s', it's a user (%s), perhaps you mean 'u:%s:%s'\n"
% (principal, prin, principal, perms))
return
for perm in perms.strip():
if perm not in Role.nick_to_role:
raise NoSuchPermission(perm)
role = Role.nick_to_role[perm].id
self.write("%s permission '%s', principal '%s'\n" %
(what, role, principal))
setter(role, principal)
def apply_perms(prinrole):
for p in allow_perms or []:
mod_perm("Allowing", prinrole.assignRoleToPrincipal, p)
for p in deny_perms or []:
mod_perm("Denying", prinrole.removeRoleFromPrincipal, p)
for p in del_perms or []:
mod_perm("Unsetting", prinrole.unsetRoleForPrincipal, p)
apply_perms(prinrole)
seen = [obj]
if recursive and IContainer.providedBy(obj):
for sobj in obj.listcontent():
if follow_symlinks(sobj) not in seen:
prinrole = IPrincipalRoleManager(sobj)
sobj.inherit_permissions = inherit
seen.append(follow_symlinks(sobj))
apply_perms(prinrole)
def applyPermissionsForExistentCoUsers(factory):
site = grok.getSite()
hfm = IHomeFolderManager(site)
principal = factory.object
master_id = IMasterUser(principal).id
if hfm.get(master_id) is None:
hfm.create(IMasterUser(principal).id)
homefolder = principal.homefolder #IHomeFolder(principal)
if homefolder is None:
return
um = getUtility(IUserManagement)
user = um.getUser(principal.id)
if not user:
return
rollen = user['rollen']
if user['az'] != '00':
pid = "%s-%s" % (user['mnr'], user['az'])
else:
pid = user['mnr']
if homefolder.__name__ != pid:
for pf in homefolder.keys():
if pf in rollen:
prm = IPrincipalRoleManager(homefolder.get(pf))
if prm.getSetting('uvc.Editor', pid).getName() == 'Unset':
prm.assignRoleToPrincipal('uvc.Editor', pid)
uvcsite.log('Give uvc.Editor to %s in folder %s' %
(pid, pf))
def applyViewContentForCoUsers(factory):
principal = factory.object
homefolder = None
#if IUnauthenticatedPrincipal.providedBy(principal):
# homefolder = principal.homefolder
#else:
# # Workaround, um weiter arbeiten zu können - CK muss noch fixen
# #try:
# # homefolder = IHomeFolder(principal)
# #except TypeError:
# # return
# homefolder = IHomeFolder(principal)
homefolder = principal.homefolder
if not homefolder:
return
if homefolder.__name__ != principal.id:
hprm = IPrincipalRoleManager(homefolder)
if hprm.getSetting('uvc.HomeFolderUser',
principal.id).getName() in ('Deny', 'Unset'):
hprm.assignRoleToPrincipal('uvc.HomeFolderUser', principal.id)
uvcsite.log(
'applying Role uvc.HomeFolderUser for USER %s in HOMEFOLDER %s'
% (principal.id, homefolder.__name__))
def clean_roles(context, role_id, setting=Allow):
"""Remove given role for all principals"""
prinrole = IPrincipalRoleManager(context)
old = prinrole.getPrincipalsForRole(role_id)
for x in old:
if x[1] == setting:
prinrole.unsetRoleForPrincipal(role_id, x[0])
def issue_transition_handler(ob, e):
if e.transition.transition_id in UPDATE_RESPONSIBILITY:
clean_roles(ob, "dynamic_tacklets.project.DocumentResponsible")
prinrole = IPrincipalRoleManager(ob)
principal_id = IResponsibility(ob).responsible
prinrole.assignRoleToPrincipal("dynamic_tacklets.project.DocumentResponsible", principal_id)
def createPAU(event):
""" Create a pau (pluggable authentication utility, a signup
principal folder in it and a manger user (!)."""
sm = event.object.getSiteManager()
sm['default']['pau'] = pau = PluggableAuthentication()
pau.prefix = 'pau.'
pau['signup_principal_folder'] = folder = SignupPrincipalFolder()
pau.authenticatorPlugins = [folder.__name__]
folder.prefix = u"users."
folder.signup_roles = [u'quotationtool.Member']
principal_id = folder.signUp('admin', 'Op3n', 'Quotationtool Manager')
role_manager = IPrincipalRoleManager(event.object)
role_manager = removeSecurityProxy(role_manager)
role_manager.assignRoleToPrincipal('quotationtool.Manager', principal_id)
pau['SessionCredentialsPlugin'] = session_creds = SessionCredentialsPlugin()
pau.credentialsPlugins = [session_creds.__name__]
session_creds.loginpagename = u"loginForm.html"
loginfield = u"login"
passwordfield = u"password"
sm.registerUtility(pau, IAuthentication)
def handle_signin(self, **data):
"""signin button and signin action
"""
# create the people
people = People()
self.applyData(people, **data)
# check the login is not taken
if people.login in self.peoplelist:
msg = _(u'This username already exists: %s')
SessionMessageSource().send(
translate(msg, context=self.request) % people.login)
return self.redirect('signin')
# generate a weak but nice password
password = u''.join([
choice([
'z', 'r', 't', 'p', 'q', 's', 'd', 'f', 'g', 'h', 'j', 'k',
'l', 'm', 'w', 'x', 'c', 'v', 'b', 'n'
]) + choice(['a', 'e', 'i', 'o', 'u', 'y']) for i in range(4)
])
people.password = password
# send an email with the password
site = grok.getSite()
email = _(u'''Content-Type: text/plain; charset=UTF-8
Subject: your account for %s
Dear %s %s,
Thanks for your account!
You can connect to %s with the following informations:
%s
login : %s
password : %s''')
url = absoluteURL(site, self.request)
if ('HTTP_X_FORWARDED_SCHEME' in self.request
and 'HTTP_X_FORWARDED_SERVER' in self.request):
url = (self.request['HTTP_X_FORWARDED_SCHEME'] + '://' +
self.request['HTTP_X_FORWARDED_SERVER'])
email = translate(email, context=self.request) % (
site.name, people.firstname, people.lastname, site.name, url,
people.login, password)
mailer = getUtility(IMailDelivery, 'afpy.barcamp')
if 'nomail' not in self.request:
mailer.send('*****@*****.**', people.email.encode('utf-8'),
email.encode('utf-8'))
# add the user
self.peoplelist[people.login] = people
# grant him the Member role
prm = IPrincipalRoleManager(grok.getSite())
prm.assignRoleToPrincipal('afpy.barcamp.Member', people.login)
self.redirect('confirmation')
def test_homefolder_creation_roles(self):
from zope.securitypolicy.interfaces import IPrincipalRoleManager
utility = uvcsite.interfaces.IHomeFolderManager(self.app)
homefolder = utility.create('lars')
prm = IPrincipalRoleManager(homefolder)
for role, setting in prm.getRolesForPrincipal('lars'):
self.assertTrue(role in utility.owner_roles)
self.assertEqual(setting, zope.securitypolicy.settings.Allow)
def create(self, data):
entry = BiblatexEntry()
entry.entry_type = self.type.name
form.applyChanges(self, entry, data)
# Grant the current user the Edit permission by assigning him
# the quotationtool.Creator role, but only locally in the
# context of the newly created object.
manager = IPrincipalRoleManager(entry)
manager.assignRoleToPrincipal('quotationtool.Creator',
self.request.principal.id)
return entry
def create(self, data):
description = CategorizableItemDescription()
form.applyChanges(self, description, data)
# Grant the current user the Edit permission by assigning him
# the quotationtool.Creator role, but only locally in the
# context of the newly created object.
manager = IPrincipalRoleManager(description)
manager.assignRoleToPrincipal('quotationtool.Creator',
self.request.principal.id)
return description
def agregarUsuario(self, usuario, password, confirm_password, nombre_real,
rol, seccion):
if usuario not in self.contenedor_cuentas:
user = Cuenta(usuario, password, nombre_real, rol, seccion)
self.contenedor_cuentas[usuario] = user
role_manager = IPrincipalRoleManager(grok.getSite())
if rol == u'empleado':
role_manager.assignRoleToPrincipal('ct.empleadorol', usuario)
if rol == u'administrador':
role_manager.assignRoleToPrincipal('ct.adminrol', usuario)
else:
return u"El nombre de usuario ya existe"
def applyViewContentForCoUsers(factory):
principal = factory.object
homefolder = IHomeFolder(principal).homeFolder
if not homefolder:
return
if homefolder.__name__ != principal.id:
hprm = IPrincipalRoleManager(homefolder)
setting = hprm.getSetting('uvc.HomeFolderUser', principal.id).getName()
if setting in ('Deny', 'Unset'):
hprm.assignRoleToPrincipal('uvc.HomeFolderUser', principal.id)
log('applying Role uvc.HomeFolderUser for USER %s in HOMEFOLDER %s'
% (principal.id, homefolder.__name__))
def create(self, data):
obj = zope.component.createObject(
'quotationtool.biblatex.biblatexentry.BiblatexEntry')
form.applyChanges(self, obj, data)
# Grant the current user the Edit permission by assigning him
# the quotationtool.Creator role, but only locally in the
# context of the newly created object.
manager = IPrincipalRoleManager(obj)
manager.assignRoleToPrincipal('quotationtool.Creator',
self.request.principal.id)
return obj
def create(self, data):
category_set = CategorySet()
form.applyChanges(self, category_set, data)
# Grant the current user the Edit permission by assigning him
# the quotationtool.Creator role, but only locally in the
# context of the newly created object.
manager = IPrincipalRoleManager(category_set)
manager.assignRoleToPrincipal(
'quotationtool.Creator',
self.request.principal.id)
return category_set
def install(self):
# Creating and registering a local registry
self['_registry'] = registry = Registry()
# Set default plugins
registry.register_interface(ILayers)
registry.register_interface(IAddons)
registry.for_interface(ILayers).active_layers =\
frozenset({'plone.server.interfaces.layer.IDefaultLayer'})
roles = IPrincipalRoleManager(self)
roles.assignRoleToPrincipal('plone.SiteAdmin', ROOT_USER_ID)
roles.assignRoleToPrincipal('plone.Owner', ROOT_USER_ID)
def preload_acl_line(path, permspec, filename='-', lineno='-'):
obj = traverse1(path[1:])
if obj is None:
log.warning('No such object: \'%s\'; file: \'%s\' line: %s', path,
filename, lineno)
return
if obj.__transient__:
log.warning(
"Transient object %s always inherits permissions from its parent",
path)
return
if permspec in ('inherit', 'noinherit'):
obj.inherit_permissions = (permspec == 'inherit')
return
auth = getUtility(IAuthentication, context=None)
interaction = new_interaction(auth.getPrincipal('root'))
with interaction:
prinrole = IPrincipalRoleManager(obj)
action_map = {
'allow': prinrole.assignRoleToPrincipal,
'deny': prinrole.removeRoleFromPrincipal,
'unset': prinrole.unsetRoleForPrincipal
}
parsedspec = permspec.strip().split(':', 3)
if len(parsedspec) < 4:
log.error(
'Format error: not all fields are specified: \'%s\' on line %s',
filename, lineno)
return
permtype, kind, principal, perms = parsedspec
if not perms:
log.warning(
'No permissions specified for object: \'%s\'; file: \'%s\' line: %s',
path, filename, lineno)
return
for perm in perms.strip().split(','):
if perm not in Role.nick_to_role:
raise NoSuchPermission(perm)
role = Role.nick_to_role[perm].id
log.info('%s \'%s\' on %s (%s) to \'%s\'', permtype, perm, path,
obj, principal)
action_map[permtype](role, principal)
def create(self, data):
obj = Comment()
form.applyChanges(self, obj, data)
obj.source_type = 'html'
obj.about = removeAllProxies(self.context)
# Grant the current user the Edit permission by assigning him
# the quotationtool.Creator role, but only locally in the
# context of the newly created object.
manager = IPrincipalRoleManager(obj)
manager.assignRoleToPrincipal('quotationtool.Creator',
self.request.principal.id)
return obj
def _do_print_acl(self, obj, verbose, recursive, seen):
prinrole = IPrincipalRoleManager(obj)
auth = getUtility(IAuthentication, context=None)
user_allow = collections.defaultdict(list)
user_deny = collections.defaultdict(list)
users = set()
for role, principal, setting in prinrole.getPrincipalsAndRoles():
users.add(principal)
if setting.getName() == 'Allow':
user_allow[principal].append(role)
else:
user_deny[principal].append(role)
for principal in users:
def formatted_perms(perms):
prin = auth.getPrincipal(principal)
typ = 'group' if isinstance(prin, Group) else 'user'
if verbose:
def grants(i):
return ','.join(
'@%s' % i[0] for i in
rolePermissionManager.getPermissionsForRole(i)
if i[0] != 'oms.nothing')
return (typ, principal, ''.join(
'%s{%s}' %
(Role.role_to_nick.get(i, '(%s)' % i), grants(i))
for i in sorted(perms)))
else:
return (typ, principal, ''.join(
Role.role_to_nick.get(i, '(%s)' % i)
for i in sorted(perms)))
if principal in user_allow:
self.write("%s:%s:+%s\n" %
formatted_perms(user_allow[principal]))
if principal in user_deny:
self.write("%s:%s:-%s\n" %
formatted_perms(user_deny[principal]))
if recursive and IContainer.providedBy(follow_symlinks(obj)):
for sobj in follow_symlinks(obj).listcontent():
if follow_symlinks(sobj) not in seen:
seen.append(sobj)
self.write('%s:\n' % canonical_path(sobj))
self._do_print_acl(sobj, verbose, recursive, seen)
def effective_perms(interaction, obj):
def roles_for(role_manager, obj):
allowed = []
for g in effective_principals(interaction):
for role, setting in role_manager.getRolesForPrincipal(g.id):
if setting.getName() == 'Allow':
allowed.append(role)
return allowed
effective_allowed = roles_for(prinroleG, obj)
with interaction:
effective_allowed.extend(roles_for(IPrincipalRoleManager(obj), obj))
return effective_allowed
def assignHomeFolder(self, principalId, folderName=None, create=None):
"""See IHomeFolderManager"""
# The name of the home folder is folderName, if specified, otherwise
# it is the principal id
name = folderName or principalId
# Make the assignment.
self.assignments[principalId] = name
# Create a home folder instance, if the correct flags are set.
if (create is True) or (create is None and self.createHomeFolder):
if name not in self.homeFolderBase:
objectToCreate = resolve(self.containerObject)
self.homeFolderBase[name] = objectToCreate()
principal_roles = IPrincipalRoleManager(self.homeFolderBase[name])
for role in self.homeFolderRole:
principal_roles.assignRoleToPrincipal(
role, principalId)
async def __call__(self):
data = await self.request.json()
if '@type' not in data and data['@type'] != 'Site':
return ErrorResponse('NotAllowed',
'can not create this type %s' % data['@type'],
status=401)
if 'title' not in data and not data['title']:
return ErrorResponse('NotAllowed', 'We need a title', status=401)
if 'id' not in data:
return ErrorResponse('NotAllowed', 'We need an id', status=401)
if 'description' not in data:
data['description'] = ''
if data['id'] in self.context:
# Already exist
return ErrorResponse('NotAllowed', 'Duplicate id', status=401)
site = create_content('Site',
id=data['id'],
title=data['title'],
description=data['description'])
# Special case we don't want the parent pointer
site.__name__ = data['id']
self.context[data['id']] = site
site.install()
self.request._site_id = site.__name__
user = get_authenticated_user_id(self.request)
# Local Roles assign owner as the creator user
roleperm = IPrincipalRoleManager(site)
roleperm.assignRoleToPrincipal('plone.Owner', user)
await notify(ObjectFinallyCreatedEvent(site))
# await notify(ObjectAddedEvent(site, self.context, site.__name__))
resp = {'@type': 'Site', 'id': data['id'], 'title': data['title']}
headers = {'Location': self.request.path + data['id']}
return Response(response=resp, headers=headers)
def anlegen(self):
data, errors = self.extractData()
if errors:
self.flash('Es sind Fehler aufgetreten', type='error')
return
um = getUtility(IUserManagement)
um.addUser(**data)
# Setting Home Folder Rights
for role in data.get('rollen'):
principal_roles = IPrincipalRoleManager(
self.context.__parent__[role])
principal_roles.assignRoleToPrincipal('uvc.Editor',
data.get('mnr'))
self.flash(_('Der Mitbenutzer wurde gespeichert'))
principal = self.request.principal
homeFolder = IHomeFolder(principal)
self.redirect(self.url(homeFolder, '++enms++'))
def signUp(self, login, title, password, confirmation):
if confirmation != password:
raise UserError(
_('password-confirmation-error',
u"Password and confirmation didn't match"))
folder = self._signupfolder()
if login in folder:
raise UserError(
_('duplicate-login-error',
u"This login has already been chosen."))
principal_id = folder.signUp(login, password, title)
role_manager = IPrincipalRoleManager(self.context)
role_manager = removeSecurityProxy(role_manager)
for role in folder.signup_roles:
role_manager.assignRoleToPrincipal(role, principal_id)
self.request.response.redirect("@@welcome.html")
def create(self, data):
quotation = zope.component.createObject(self.factory_name)
form.applyChanges(self, quotation, data)
quotation.source_type = 'html'
# We want an object which is not security proxied as reference
# attribute:
quotation.reference = removeAllProxies(self.context)
# Grant the current user the Edit permission by assigning him
# the quotationtool.Creator role, but only locally in the
# context of the newly created object.
manager = IPrincipalRoleManager(quotation)
manager.assignRoleToPrincipal('quotationtool.Creator',
self.request.principal.id)
return quotation
async def sharing_post(context, request):
data = await request.json()
roleperm = IRolePermissionManager(context)
prinrole = IPrincipalRoleManager(context)
if 'prinrole' not in data and 'roleperm' not in data:
raise AttributeError('prinrole or roleperm missing')
if 'prinrole' in data:
for user, roles in data['prinrole'].items():
for role in roles:
prinrole.assignRoleToPrincipal(role, user)
if 'roleperm' in data:
for role, perms in data['roleperm'].items():
for perm in perms:
roleperm.grantPermissionToRole(perm, role)
await notify(ObjectPermissionsModifiedEvent(context))
def prepare(self):
results = getUtility(IAcknowledgements).search(object=self.context)
acknowledged = [i.principal for i in results]
allusers = searchPrincipals(
type=('user',),
principalSubscribed={'any_of': (True,)})
members = []
bannedusers = getUtility(IBanPrincipalConfiglet)
rolemanager = IPrincipalRoleManager(getSite())
checkroles = ['zope.Anonymous', ]
portal_roles = getUtility(IPortalRoles)
if 'site.member' in portal_roles:
checkroles.append(portal_roles['site.member'].id)
for pid in [i.id for i in allusers if i.id not in acknowledged]:
# Note: skip banned users
if pid in bannedusers.banned:
continue
try:
principal = getPrincipal(pid)
except PrincipalLookupError:
continue
# Note: skip users with Deny roles
nextitem = False
for role, setting in rolemanager.getRolesForPrincipal(pid):
if role == 'zope.Manager':
continue
if role in checkroles and setting == Deny:
nextitem = True
break
if nextitem:
continue
profile = IPersonalProfile(principal, None)
if profile is None:
continue
members.append(profile)
return self.export(members)
def create(self, data):
if data['__name__']:
self.category_name = data['__name__']
else:
self.category_name = data['title']
#interfaces.checkCategoryName(self.category_name, context=self.context)
category = Category()
del data['__name__']
form.applyChanges(self, category, data)
# Grant the current user the Edit permission by assigning him
# the quotationtool.Creator role, but only locally in the
# context of the newly created object.
manager = IPrincipalRoleManager(category)
manager.assignRoleToPrincipal('quotationtool.Creator',
self.request.principal.id)
return category
def get_members(context, role_id):
members = []
auth = getUtility(IAuthentication)
for ob in LocationIterator(context):
for x in IPrincipalRoleMap(ob).getPrincipalsForRole(role_id):
if x[1] == Allow:
try:
group = auth.getPrincipal(x[0])
for pid in group.getMembers():
if pid not in members:
try:
members.append(auth.getPrincipal(pid))
except PrincipalLookupError:
pass # TODO: remove member from group?
except PrincipalLookupError:
IPrincipalRoleManager(ob).removeRoleFromPrincipal(
x[0], role_id)
return members
def prepare(self):
results = getUtility(IAcknowledgements).search(object=self.context)
if len(results) > 0:
members = []
# localtz = tz.tzlocal()
bannedusers = getUtility(IBanPrincipalConfiglet)
rolemanager = IPrincipalRoleManager(getSite())
checkroles = ['zope.Anonymous', ]
portal_roles = getUtility(IPortalRoles)
if 'site.member' in portal_roles:
checkroles.append(portal_roles['site.member'].id)
for pid, ack_date in [(i.principal, i.date) for i in results]:
# Note: skip banned users
if pid in bannedusers.banned:
continue
try:
principal = getPrincipal(pid)
except PrincipalLookupError:
continue
# Note: skip users with Deny roles
nextitem = False
for role, setting in rolemanager.getRolesForPrincipal(pid):
if role == 'zope.Manager':
continue
if role in checkroles and setting == Deny:
nextitem = True
break
if nextitem:
continue
profile = IPersonalProfile(principal, None)
if profile is None:
continue
members.append(
(profile, ack_date.strftime('%Y-%m-%d %H:%M UTC')))
# NOTE: convert date to local time zone
# .replace(tzinfo=utc).astimezone(localtz).strftime('%Y-%m-%d %H:%M %Z')
return self.export(members)
