Exemplo n.º 1
0
    def constructInstance(self, container, id, *args, **kw):
        """Build an instance of the type.

        Builds the instance in 'container', using 'id' as its id.
        Returns the object.
        """
        if not self.isConstructionAllowed(container):
            raise AccessControl_Unauthorized('Cannot create %s' % self.getId())

        ob = self._constructInstance(container, id, *args, **kw)

        return self._finishConstruction(ob)
Exemplo n.º 2
0
 def _getFactoryMethod(self, container, check_security=1):
     if not self.product or not self.factory:
         raise ValueError, ('Product factory for %s was undefined' %
                            self.getId())
     p = container.manage_addProduct[self.product]
     m = getattr(p, self.factory, None)
     if m is None:
         raise ValueError, ('Product factory for %s was invalid' %
                            self.getId())
     if not check_security:
         return m
     if getSecurityManager().validate(p, p, self.factory, m):
         return m
     raise AccessControl_Unauthorized('Cannot create %s' % self.getId())
Exemplo n.º 3
0
def _limitGrantedRoles(roles, context, special_roles=()):
    # Only allow a user to grant roles already possessed by that user,
    # with the exception that all special_roles can also be granted.
    user = _getAuthenticatedUser(context)
    if user is None:
        user_roles = ()
    else:
        user_roles = user.getRolesInContext(context)
    if 'Manager' in user_roles:
        # Assume all other roles are allowed.
        return
    for role in roles:
        if role not in special_roles and role not in user_roles:
            raise AccessControl_Unauthorized('Too many roles specified.')
Exemplo n.º 4
0
 def getActionInfo(self, action_chain, object=None, check_visibility=0,
                   check_condition=0):
     """ Get an ActionInfo object specified by a chain of actions.
     """
     action_infos = self.listActionInfos(action_chain, object,
                                         check_visibility=check_visibility,
                                         check_permissions=False,
                                         check_condition=check_condition)
     if not action_infos:
         raise ValueError('No Action meets the given specification.')
     for ai in action_infos:
         if ai['allowed']:
             return ai
     raise AccessControl_Unauthorized('You are not allowed to access any '
                                      'of the specified Actions.')
Exemplo n.º 5
0
    def deleteMembers(self,
                      member_ids,
                      delete_memberareas=1,
                      delete_localroles=1,
                      REQUEST=None):
        """ Delete members specified by member_ids.
        """
        # XXX: this method violates the rules for tools/utilities:
        # it depends on a non-utility tool

        # Delete members in acl_users.
        acl_users = self.acl_users
        if _checkPermission(ManageUsers, acl_users):
            if isinstance(member_ids, basestring):
                member_ids = (member_ids, )
            member_ids = list(member_ids)
            for member_id in member_ids[:]:
                if not acl_users.getUserById(member_id, None):
                    member_ids.remove(member_id)
            try:
                acl_users.userFolderDelUsers(member_ids)
            except (AttributeError, NotImplementedError, 'NotImplemented'):
                raise NotImplementedError('The underlying User Folder '
                                          'doesn\'t support deleting members.')
        else:
            raise AccessControl_Unauthorized(
                'You need the \'Manage users\' '
                'permission for the underlying User Folder.')

        # Delete member data in portal_memberdata.
        mdtool = getToolByName(self, 'portal_memberdata', None)
        if mdtool is not None:
            for member_id in member_ids:
                mdtool.deleteMemberData(member_id)

        # Delete members' home folders including all content items.
        if delete_memberareas:
            for member_id in member_ids:
                self.deleteMemberArea(member_id)

        # Delete members' local roles.
        if delete_localroles:
            self.deleteLocalRoles(getUtility(ISiteRoot),
                                  member_ids,
                                  reindex=1,
                                  recursive=1)

        return tuple(member_ids)
Exemplo n.º 6
0
    def deleteMembers(self,
                      member_ids,
                      delete_memberareas=1,
                      delete_localroles=1):
        """ Delete members specified by member_ids.
        """

        # Delete members in acl_users.
        acl_users = self.acl_users
        if _checkPermission(ManageUsers, acl_users):
            if type(member_ids) is StringType:
                member_ids = (member_ids, )
            member_ids = list(member_ids)
            for member_id in member_ids[:]:
                if not acl_users.getUserById(member_id, None):
                    member_ids.remove(member_id)
            try:
                acl_users.userFolderDelUsers(member_ids)
            except (NotImplementedError, 'NotImplemented'):
                raise NotImplementedError('The underlying User Folder '
                                          'doesn\'t support deleting members.')
        else:
            raise AccessControl_Unauthorized(
                'You need the \'Manage users\' '
                'permission for the underlying User Folder.')

        # Delete member data in portal_memberdata.
        mdtool = getToolByName(self, 'portal_memberdata', None)
        if mdtool:
            for member_id in member_ids:
                mdtool.deleteMemberData(member_id)

        # Delete members' home folders including all content items.
        if delete_memberareas:
            for member_id in member_ids:
                self.deleteMemberArea(member_id)

        # Delete members' local roles.
        if delete_localroles:
            utool = getToolByName(self, 'portal_url', None)
            self.deleteLocalRoles(utool.getPortalObject(),
                                  member_ids,
                                  reindex=1,
                                  recursive=1)

        return tuple(member_ids)
Exemplo n.º 7
0
 def getActionInfo(self, action_chain, object=None, check_visibility=0,
                   check_condition=0):
     """ Get an ActionInfo object specified by a chain of actions.
     """
     action_infos = self.listActionInfos(action_chain, object,
                                         check_visibility=check_visibility,
                                         check_permissions=False,
                                         check_condition=check_condition)
     if not action_infos:
         if object is None:
             provider = self
         else:
             provider = object
         msg = 'Action "%s" not available for %s' % (
                     action_chain, '/'.join(provider.getPhysicalPath()))
         raise ValueError(msg)
     for ai in action_infos:
         if ai['allowed']:
             return ai
     raise AccessControl_Unauthorized('You are not allowed to access any '
                                      'of the specified Actions.')
Exemplo n.º 8
0
def _getViewFor(obj, view='view'):
    warn(
        '__call__() and view() methods using _getViewFor() as well as '
        '_getViewFor() itself are deprecated and will be removed in CMF 2.0. '
        'Bypass these methods by defining \'(Default)\' and \'view\' Method '
        'Aliases.', DeprecationWarning)
    ti = obj.getTypeInfo()

    if ti is not None:

        context = getActionContext(obj)
        actions = ti.listActions()

        for action in actions:
            if action.getId() == view:
                if _verifyActionPermissions(obj, action):
                    target = action.action(context).strip()
                    if target.startswith('/'):
                        target = target[1:]
                    __traceback_info__ = (ti.getId(), target)
                    return obj.restrictedTraverse(target)

        # "view" action is not present or not allowed.
        # Find something that's allowed.
        for action in actions:
            if _verifyActionPermissions(obj, action):
                target = action.action(context).strip()
                if target.startswith('/'):
                    target = target[1:]
                __traceback_info__ = (ti.getId(), target)
                return obj.restrictedTraverse(target)

        raise AccessControl_Unauthorized('No accessible views available for '
                                         '%s' %
                                         '/'.join(obj.getPhysicalPath()))
    else:
        raise NotFound('Cannot find default view for "%s"' %
                       '/'.join(obj.getPhysicalPath()))
Exemplo n.º 9
0
    def constructContent(self,
                         type_name,
                         container,
                         id,
                         RESPONSE=None,
                         *args,
                         **kw):
        """
            Build an instance of the appropriate content class in
            'container', using 'id'.
        """
        info = self.getTypeInfo(type_name)
        if info is None:
            raise ValueError('No such content type: %s' % type_name)

        # check we're allowed to access the type object
        if not self._checkViewType(info):
            raise AccessControl_Unauthorized(info)

        ob = info.constructInstance(container, id, *args, **kw)

        if RESPONSE is not None:
            immediate_url = '%s/%s' % (ob.absolute_url(), info.immediate_view)
            RESPONSE.redirect(immediate_url)
Exemplo n.º 10
0
    def doActionFor(self, ob, action, comment=''):
        '''
        Allows the user to request a workflow action.  This method
        must perform its own security checks.
        '''
        allow_review = _checkPermission(ReviewPortalContent, ob)
        allow_request = _checkPermission(RequestReview, ob)
        review_state = self.getReviewStateOf(ob)
        tool = aq_parent(aq_inner(self))

        if action == 'submit':
            if not allow_request:
                raise AccessControl_Unauthorized('Not authorized')
            elif review_state != 'private':
                raise AccessControl_Unauthorized('Already in submit state')
            self.setReviewStateOf(ob, 'pending', action, comment)

        elif action == 'retract':
            if not allow_request:
                raise AccessControl_Unauthorized('Not authorized')
            elif review_state == 'private':
                raise AccessControl_Unauthorized('Already private')
            content_creator = ob.Creator()
            pm = getToolByName(self, 'portal_membership')
            current_user = pm.getAuthenticatedMember().getId()
            if (content_creator != current_user) and not allow_review:
                raise AccessControl_Unauthorized('Not creator or reviewer')
            self.setReviewStateOf(ob, 'private', action, comment)

        elif action == 'publish':
            if not allow_review:
                raise AccessControl_Unauthorized('Not authorized')
            self.setReviewStateOf(ob, 'published', action, comment)

        elif action == 'reject':
            if not allow_review:
                raise AccessControl_Unauthorized('Not authorized')
            self.setReviewStateOf(ob, 'private', action, comment)
Exemplo n.º 11
0
    def _verifyObjectPaste(self, object, validate_src=1):
        # This assists the version in OFS.CopySupport.
        # It enables the clipboard to function correctly
        # with objects created by a multi-factory.
        mt = getattr(object, '__factory_meta_type__', None)
        meta_types = getattr(self, 'all_meta_types', None)

        if mt is not None and meta_types is not None:
            method_name = None
            mt_permission = None

            if callable(meta_types):
                meta_types = meta_types()

            for d in meta_types:
                if d['name'] == mt:
                    method_name = d['action']
                    mt_permission = d.get('permission')
                    break

            if mt_permission is not None:
                sm = getSecurityManager()

                if sm.checkPermission(mt_permission, self):
                    if validate_src:
                        # Ensure the user is allowed to access the object on
                        # the clipboard.
                        parent = aq_parent(aq_inner(object))

                        if not sm.validate(None, parent, None, object):
                            raise AccessControl_Unauthorized(object.getId())

                        if validate_src == 2:  # moving
                            if not sm.checkPermission(DeleteObjects, parent):
                                raise AccessControl_Unauthorized('Delete not '
                                                                 'allowed.')
                else:
                    raise AccessControl_Unauthorized(
                        'You do not possess the '
                        '%r permission in the context of the container '
                        'into which you are pasting, thus you are not '
                        'able to perform this operation.' % mt_permission)
            else:
                raise AccessControl_Unauthorized('The object %r does not '
                                                 'support this operation.' %
                                                 object.getId())
        else:
            # Call OFS' _verifyObjectPaste if necessary
            PortalFolderBase.inheritedAttribute('_verifyObjectPaste')(
                self, object, validate_src)

        # Finally, check allowed content types
        if hasattr(aq_base(object), 'getPortalTypeName'):

            type_name = object.getPortalTypeName()

            if type_name is not None:

                pt = getToolByName(self, 'portal_types')
                myType = pt.getTypeInfo(self)

                if myType is not None and not myType.allowType(type_name):
                    raise ValueError('Disallowed subobject type: %s' %
                                     type_name)
Exemplo n.º 12
0
    def _verifyObjectPaste(self, object, validate_src=1):
        # This assists the version in OFS.CopySupport.
        # It enables the clipboard to function correctly
        # with objects created by a multi-factory.
        if (hasattr(object, '__factory_meta_type__')
                and hasattr(self, 'all_meta_types')):
            mt = object.__factory_meta_type__
            method_name = None
            permission_name = None
            meta_types = self.all_meta_types
            if callable(meta_types): meta_types = meta_types()
            for d in meta_types:
                if d['name'] == mt:
                    method_name = d['action']
                    permission_name = d.get('permission', None)
                    break

            if permission_name is not None:
                if _checkPermission(permission_name, self):
                    if not validate_src:
                        # We don't want to check the object on the clipboard
                        return
                    try:
                        parent = aq_parent(aq_inner(object))
                    except:
                        parent = None
                    if getSecurityManager().validate(None, parent, None,
                                                     object):
                        # validation succeeded
                        return
                    raise AccessControl_Unauthorized(object.getId())
                else:
                    raise AccessControl_Unauthorized(permission_name)
            #
            # Old validation for objects that may not have registered
            # themselves in the proper fashion.
            #
            elif method_name is not None:
                meth = self.unrestrictedTraverse(method_name)
                if hasattr(meth, 'im_self'):
                    parent = meth.im_self
                else:
                    try:
                        parent = aq_parent(aq_inner(meth))
                    except:
                        parent = None
                if getSecurityManager().validate(None, parent, None, meth):
                    # Ensure the user is allowed to access the object on the
                    # clipboard.
                    if not validate_src:
                        return
                    try:
                        parent = aq_parent(aq_inner(object))
                    except:
                        parent = None
                    if getSecurityManager().validate(None, parent, None,
                                                     object):
                        return
                    raise AccessControl_Unauthorized(object.getId())
                else:
                    raise AccessControl_Unauthorized(method_name)
        PortalFolder.inheritedAttribute('_verifyObjectPaste')(self, object,
                                                              validate_src)