def assign_signatory_role(context, owner_login, unset=False):
log.debug("assign signatory role [%s] user: [%s]", context, owner_login)
if unset:
IPrincipalRoleMap(context).unsetRoleForPrincipal(
u"bungeni.Signatory", owner_login)
else:
IPrincipalRoleMap(context).assignRoleToPrincipal(
u"bungeni.Signatory", owner_login)
def get_group_prms(document):
prms = []
prms.append(IPrincipalRoleMap(common.get_application()))
parent_group = getattr(document, "group", None)
if parent_group:
prms.append(IPrincipalRoleMap(parent_group))
assigned_groups = getattr(document, "group_assignment", list())
if assigned_groups:
for group in assigned_groups:
prms.append(IPrincipalRoleMap(group))
return prms
def setBungeniOwner(context):
user_id = get_principal_id()
if not user_id:
user_id = "-"
owner_id = getOwnerId(context)
log.debug("setBungeniOwner [%s] user_id:%s owner_id:%s" % (
context, user_id, owner_id))
if user_id:
IPrincipalRoleMap(context).assignRoleToPrincipal(u'bungeni.Owner', user_id)
if owner_id and (owner_id!=user_id):
IPrincipalRoleMap(context).assignRoleToPrincipal(u'bungeni.Owner', owner_id)
def __init__(self, context, request):
if IDebateTakeContainer.providedBy(context):
self.context = removeSecurityProxy(context).__parent__
else:
self.context = removeSecurityProxy(context)
self.prm = IPrincipalRoleMap(self.context)
self.request = request
def get_pids_with_role_on_context(context, role_id):
"""Get the principal_ids (via the PrincipalRoleMap) who have the role on
the context, if any.
"""
return [ pid for (pid, setting)
in IPrincipalRoleMap(context).getPrincipalsForRole(role_id)
if setting ]
def group_membership_role_deleted(group_membership_role, event):
if group_membership_role.is_global:
prm = IPrincipalRoleMap(
get_group_context(group_membership_role.member.group))
prm.unsetRoleForPrincipal(
group_membership_role.role_id,
group_membership_role.member.user.login)
def group_membership_role_added(group_membership_role, event):
if group_membership_role.is_global:
prm = IPrincipalRoleMap(
get_group_context(group_membership_role.member.group))
prm.assignRoleToPrincipal(
group_membership_role.role_id,
group_membership_role.member.user.login)
def _set_group_local_role(context, unset=False):
def get_group_local_role(group):
if interfaces.IParliament.providedBy(group):
return "bungeni.MP"
elif interfaces.IMinistry.providedBy(group):
return "bungeni.Minister"
elif interfaces.ICommittee.providedBy(group):
return "bungeni.CommitteeMember"
elif interfaces.IPoliticalGroup.providedBy(group):
return "bungeni.PartyMember"
elif interfaces.IGovernment.providedBy(group):
return "bungeni.Government"
elif interfaces.IOffice.providedBy(group):
return group.office_role
else:
return "bungeni.GroupMember"
def get_group_context(context):
if interfaces.IOffice.providedBy(context):
return BungeniApp() #get_parliament(context)
else:
return removeSecurityProxy(context)
role = get_group_local_role(context)
group = removeSecurityProxy(context)
ctx = get_group_context(context)
prm = IPrincipalRoleMap(ctx)
if not unset:
prm.assignRoleToPrincipal(role, group.group_principal_id)
else:
prm.unsetRoleForPrincipal(role, group.group_principal_id)
def __init__(self, context, request):
self._assignable_roles = []
self.principal = utils.common.get_request_principal()
self.context_roles = common.get_context_roles(context, self.principal)
self.context = removeSecurityProxy(context)
self.prm = IPrincipalRoleMap(self.context)
super(UserAssignmentView, self).__init__(context, request)
def cached_principal_roles(self, parent, principal):
# Redefine it to get global roles
cache = self.cache(parent)
try:
cache_principal_roles = cache.principal_roles
except AttributeError:
cache_principal_roles = cache.principal_roles = {}
try:
return cache_principal_roles[principal]
except KeyError:
pass
if parent is None:
roles = dict(
[(role, SettingAsBoolean[setting])
for (role, setting) in globalRolesForPrincipal(principal)])
roles['plone.Anonymous'] = True # Everybody has Anonymous
cache_principal_roles[principal] = roles
return roles
roles = self.cached_principal_roles(
removeSecurityProxy(getattr(parent, '__parent__', None)),
principal)
prinrole = IPrincipalRoleMap(parent, None)
if prinrole:
roles = roles.copy()
for role, setting in prinrole.getRolesForPrincipal(
principal,
self.request):
roles[role] = SettingAsBoolean[setting]
cache_principal_roles[principal] = roles
return roles
def _set_group_local_role(context, unset=False):
group = context
role = get_group_local_role(group)
prm = IPrincipalRoleMap(get_group_context(group))
if not unset:
prm.assignRoleToPrincipal(role, group.group_principal_id)
else:
prm.unsetRoleForPrincipal(role, group.group_principal_id)
def assign_question_minister_role(context):
assert interfaces.IQuestion.providedBy(context), \
"Not a Question: %s" % (context)
if context.ministry is not None:
ministry_login_id = context.ministry.group_principal_id
if ministry_login_id:
IPrincipalRoleMap(context).assignRoleToPrincipal(
"bungeni.Minister", ministry_login_id)
def cached_principal_roles(self, parent, principal):
cache = self.cache(parent)
try:
cache_principal_roles = cache.principal_roles
except AttributeError:
cache_principal_roles = cache.principal_roles = {}
try:
return cache_principal_roles[principal]
except KeyError:
pass
if parent is None:
roles = dict([
(role, zopepolicy.SettingAsBoolean[setting])
for (role,
setting) in zopepolicy.globalRolesForPrincipal(principal)
])
roles['zope.Anonymous'] = True # Everybody has Anonymous
cache_principal_roles[principal] = roles
return roles
roles = self.cached_principal_roles(
removeSecurityProxy(getattr(parent, '__parent__', None)),
principal)
prinrole = IPrincipalRoleMap(parent, None)
if prinrole:
roles = roles.copy()
for role, setting in prinrole.getRolesForPrincipal(principal):
roles[role] = zopepolicy.SettingAsBoolean[setting]
# The lines below include the group that a document has been assigned
# to into the lookup hierarchy.
group_assignments = getattr(parent, "sa_group_assignments", [])
for group_assignment in group_assignments:
group = group_assignment.principal
#!+GROUP_ASSIGNMENT.GROUP assert isinstance(group, domain.Group), group
assigned_group_prinrole = IPrincipalRoleMap(group, None)
if assigned_group_prinrole:
roles = roles.copy()
role_settings = assigned_group_prinrole.getRolesForPrincipal(
principal)
for role, setting in role_settings:
roles[role] = zopepolicy.SettingAsBoolean[setting]
cache_principal_roles[principal] = roles
return roles
def assign_role(role_id, principal_id, context):
"""Add or activate implied role on this context, for implied principal.
!+check if already defined and active, inactive?
!+PrincipalRoleMapDynamic(mr, may-2012) infer role from context data
"""
log.debug("Assigning role [%s] to principal [%s] on [%s]", role_id,
principal_id, context)
# throws IntegrityError when principal_id is None
IPrincipalRoleMap(context).assignRoleToPrincipal(role_id, principal_id)
def setup_roles(self):
if self.document_submitted():
make_owner_signatory(self.context)
for signatory in self.signatories:
login_id = signatory.owner.login
IPrincipalRoleMap(self.context).assignRoleToPrincipal(
SIGNATORY_ROLE, login_id)
IPrincipalRoleMap(signatory).assignRoleToPrincipal(
OWNER_ROLE, login_id)
elif self.document_is_draft():
for signatory in self.signatories:
IPrincipalRoleMap(self.context).unsetRoleForPrincipal(
SIGNATORY_ROLE, signatory.owner.login)
elif self.expire_signatures():
for signatory in self.signatories:
wfc = IWorkflowController(signatory)
if (wfc.state_controller.get_status()
in SIGNATORIES_REJECT_STATES):
IPrincipalRoleMap(self.context).unsetRoleForPrincipal(
SIGNATORY_ROLE, signatory.owner.login)
async def sharing_get(context, request):
roleperm = IRolePermissionMap(context)
prinperm = IPrincipalPermissionMap(context)
prinrole = IPrincipalRoleMap(context)
result = {'local': {}, 'inherit': []}
result['local']['role_permission'] = roleperm._byrow
result['local']['principal_permission'] = prinperm._byrow
result['local']['principal_role'] = prinrole._byrow
for obj in iter_parents(context):
roleperm = IRolePermissionMap(obj)
prinperm = IPrincipalPermissionMap(obj)
prinrole = IPrincipalRoleMap(obj)
result['inherit'].append({
'@id': IAbsoluteURL(obj, request)(),
'role_permission': roleperm._byrow,
'principal_permission': prinperm._byrow,
'principal_role': prinrole._byrow,
})
await notify(ObjectPermissionsViewEvent(context))
return result
def _do_save(self, data):
group_role_changed = False
prm = IPrincipalRoleMap(get_group_context(self.context))
if (data["group_role"] != self.context.group_role):
if (prm.getSetting(self.context.group_role,
self.context.principal_name) == Allow):
group_role_changed = True
unset_group_local_role(self.context)
formlib.form.applyChanges(self.context, self.form_fields, data)
if group_role_changed:
set_group_local_role(self.context)
notify(ObjectModifiedEvent(self.context))
def getUsers(self):
users = {}
settings = IPrincipalRoleMap(self.context).getPrincipalsAndRoles()
for role, userid, access in settings:
if access is Allow:
if userid in users:
users[userid].add(role)
else:
users[userid] = set((role,))
users['zope.Authenticated'] = set()
users['zope.Everybody'] = set()
return users
def _query(self, **kw):
principal = common.get_request_principal()
roles = get_workspace_roles()
group_roles_domain_status = self.item_status_filter(kw, roles)
session = Session()
results = []
count = 0
reverse = True if (kw.get("sort_dir", "desc") == "desc") else False
for domain_class, status in group_roles_domain_status.iteritems():
query = session.query(domain_class).filter(
domain_class.status.in_(status)).enable_eagerloads(False)
#filter on title
query = self.filter_title(query, domain_class, kw)
#filter on status_date
query = self.filter_status_date(query, domain_class, kw)
# Order results
query = self.order_query(query, domain_class, kw, reverse)
results.extend(query.all())
for obj_role in ROLES_DIRECTLY_DEFINED_ON_OBJECTS:
object_roles_domain_status = self.item_status_filter(
kw, [obj_role])
for domain_class, status in object_roles_domain_status.iteritems():
query = session.query(domain_class).filter(
domain_class.status.in_(status)).enable_eagerloads(False)
#filter on title
query = self.filter_title(query, domain_class, kw)
#filter on status_date
query = self.filter_status_date(query, domain_class, kw)
# Order results
query = self.order_query(query, domain_class, kw, reverse)
for obj in query.all():
if obj in results:
continue
prm = IPrincipalRoleMap(obj)
if (prm.getSetting(obj_role, principal.id) == Allow):
results.append(
contained(obj, self, self.string_key(obj)))
results = [
item for item in results
if checkPermission(view_permission(item),
contained(item, self, self.string_key(item)))
]
# Sort items
if (kw.get("sort_on", None) and kw.get("sort_dir", None)):
results.sort(key=lambda x: getattr(x, str(kw.get("sort_on"))),
reverse=reverse)
count = len(results)
if not (kw.get("filter_title", None) or kw.get("filter_type", None)
or kw.get("filter_status", None)
or kw.get("filter_status_date", None)):
self.set_tab_count(principal.id, count)
return (results, count)
def _query(self, **kw):
principal = get_principal()
roles = get_workspace_roles()
group_roles_domain_status = self.item_status_filter(kw, roles)
session = Session()
results = []
count = 0
first_page = not kw.get("start", 0)
reverse = True if (kw.get("sort_dir", "desc") == "desc") else False
for domain_class, status in group_roles_domain_status.iteritems():
query = session.query(domain_class).filter(
domain_class.status.in_(status)
)
#filter on title
query = self.filter_query(query, domain_class, kw)
# Order results
query = self.order_query(query, domain_class, kw, reverse)
# The first page of the results is loaded the most number of times
# The limit on the query below optimises for when no filter has
# been applied by limiting the number of results returned.
if first_page:
count = count + query.count()
query = query.limit(kw.get("limit", 25))
results.extend(query.all())
object_roles_domain_status = self.item_status_filter(kw, OBJECT_ROLES)
for domain_class, status in object_roles_domain_status.iteritems():
object_roles_results = []
query = session.query(domain_class).filter(
domain_class.status.in_(status)
)
#filter on title
query = self.filter_query(query, domain_class, kw)
# Order results
query = self.order_query(query, domain_class, kw, reverse)
for obj in query.all():
prm = IPrincipalRoleMap(obj)
for obj_role in OBJECT_ROLES:
if (prm.getSetting(obj_role, principal.id) == Allow and
obj not in results):
object_roles_results.append(obj)
break
if first_page:
count = count + len(object_roles_results)
results.extend(object_roles_results)
# Sort items
if (kw.get("sort_on", None) and kw.get("sort_dir", None)):
results.sort(key=lambda x: getattr(x, str(kw.get("sort_on"))),
reverse=reverse)
if not first_page:
count = len(results)
return (results, count)
def get_prm_owner_principal_id(context):
"""Get the principal_id, if any, of the bungeni.Owner for context.
Raise ValueError if multiple, return None if none.
"""
principal_ids = [
pid for (pid, setting) in IPrincipalRoleMap(
context).getPrincipalsForRole("bungeni.Owner") if setting
]
len_pids = len(principal_ids)
if len_pids > 1:
# multiple Owner roles, force exception
raise ValueError("Ambiguous, multiple Owner roles assigned.")
elif len_pids == 1:
return principal_ids[0]
def _query(self, **kw):
principal = get_principal()
roles = get_workspace_roles()
group_roles_domain_status = self.item_status_filter(kw, roles)
session = Session()
results = []
count = 0
for domain_class, status in group_roles_domain_status.iteritems():
query = session.query(domain_class).filter(
domain_class.status.in_(status))
if kw.get("filter_short_name", None):
column = self.title_column(domain_class)
query = query.filter("""(lower(%s) LIKE '%%%s%%')""" %
(column, kw["filter_short_name"].lower()))
# The first page of the results is loaded the most number of times
# The limit on the query below optimises for when no filter has
# been applied by limiting the number of results returned.
if (not kw.get("start", 0) and not kw.get("sort_on", None)):
count = count + query.count()
query = query.order_by(domain_class.status_date).limit(
kw.get("limit", 25))
results.extend(query.all())
object_roles_domain_status = self.item_status_filter(kw, OBJECT_ROLES)
for domain_class, status in object_roles_domain_status.iteritems():
query = session.query(domain_class).filter(
domain_class.status.in_(status))
if kw.get("filter_short_name", None):
column = self.title_column(domain_class)
query = query.filter("""(lower(%s) LIKE '%%%s%%')""" %
(column, kw["filter_short_name"]))
if (not kw.get("start", 0) and not kw.get("sort_on", None)):
count = count + query.count()
query = query.order_by(domain_class.status_date).limit(
kw.get("limit", 25))
for obj in query.all():
prm = IPrincipalRoleMap(obj)
for obj_role in OBJECT_ROLES:
if (prm.getSetting(obj_role, principal.id) == Allow
and obj not in results):
results.append(obj)
break
# Sort items
if (kw.get("sort_on", None) and kw.get("sort_dir", None)):
rev = True if (kw.get("sort_dir") == "desc") else False
results.sort(key=lambda x: getattr(x, str(kw.get("sort_on"))),
reverse=rev)
if (kw.get("start", 0) and kw.get("sort_on", None)):
count = len(results)
return (results, count)
def getAllRoles(self):
ret = []
hfr = IPrincipalRoleMap(self.homefolder, None)
if hfr is None:
return ret
masteruser = False
for rolesetting in hfr.getRolesForPrincipal(self.principal.id):
role, setting = rolesetting
if 'uvc.Editor' == role and setting is Allow:
masteruser = True
ret.append('ENMS')
for name, productfolder in self.homefolder.items():
if not name.startswith('__'):
if masteruser:
ret.append(name)
else:
prm = IPrincipalRoleMap(productfolder)
for rolesetting in prm.getRolesForPrincipal(
self.principal.id):
role, setting = rolesetting
if 'uvc.Editor' == role and setting is Allow:
ret.append(name)
return ret
def publish_to_xml(context, type='', include=['event', 'versions']):
""" Generates XML for object and saves it to the file. If object contains
attachments - XML is saved in zip archive with all attached files.
"""
try:
context = removeSecurityProxy(context)
data = obj2dict(
context,
1,
parent=None,
include=include,
exclude=['file_data', 'image', 'logo_data', 'event_item'])
if not type:
type = context.type
data['permissions'] = []
map = IPrincipalRoleMap(context)
for x in list(map.getPrincipalsAndRoles()):
data['permissions'].append({
'role': x[0],
'user': x[1],
'permission': x[2].getName()
})
files = []
path = os.path.join(setupStorageDirectory(), type)
if not os.path.exists(path):
os.makedirs(path)
file_path = os.path.join(path, context.__name__)
files.append(file_path + '.xml')
with open(file_path + '.xml', 'w') as file:
file.write(serialize(data, name=type))
try:
if len(context.attached_files) > 0:
for attachment in context.attached_files:
attachment_path = os.path.join(path, attachment.file_name)
files.append(attachment_path)
with open(os.path.join(path, attachment.file_name),
'wb') as file:
file.write(attachment.file_data)
zip = ZipFile(file_path + '.zip', 'w')
for file in files:
zip.write(file, os.path.split(file)[-1])
os.remove(file)
zip.close()
except AttributeError:
pass
except:
traceback.print_exception(*sys.exc_info())
def get_members(context, role_id):
members = []
auth = getUtility(IAuthentication)
for ob in LocationIterator(context):
for x in IPrincipalRoleMap(ob).getPrincipalsForRole(role_id):
if x[1] == Allow:
try:
group = auth.getPrincipal(x[0])
for pid in group.getMembers():
if pid not in members:
try:
members.append(auth.getPrincipal(pid))
except PrincipalLookupError:
pass # TODO: remove member from group?
except PrincipalLookupError:
IPrincipalRoleManager(ob).removeRoleFromPrincipal(
x[0], role_id)
return members
def get_principal_ids(document, roles):
principal_ids = set()
document_prm = IPrincipalRoleMap(document)
group_prms = get_group_prms(document)
for role in roles:
if role in ROLES_DIRECTLY_DEFINED_ON_OBJECTS:
principals = document_prm.getPrincipalsForRole(role)
for principal in principals:
principal_ids.add(principal[0])
else:
for group_prm in group_prms:
principals = group_prm.getPrincipalsForRole(role)
for principal in principals:
principal_id = principal[0]
if principal_id.startswith("group"):
group_mbr_ids = get_group_member_ids(principal_id)
for group_mbr in group_mbr_ids:
principal_ids.add(group_mbr)
return principal_ids
def extend_results_for_roles(roles):
domain_status = self.item_status_filter(kw, roles)
OBJECT_ROLES = [
role for role in roles
if role in ROLES_DIRECTLY_DEFINED_ON_OBJECTS
]
for domain_class, status in domain_status.iteritems():
query = session.query(domain_class).filter(
domain_class.status.in_(status)).enable_eagerloads(False)
query = self.filter_group(query, domain_class, kw)
query = self.filter_title(query, domain_class, kw)
query = self.filter_status_date(query, domain_class, kw)
query = self.order_query(query, domain_class, kw, reverse)
for obj in query.all():
if obj in results:
continue
if OBJECT_ROLES:
prm = IPrincipalRoleMap(obj)
if not prm.getSetting(obj_role, principal_id) == Allow:
continue
results.append(contained(obj, self, self.string_key(obj)))
def cached_principal_roles(self, parent, principal):
cache = self.cache(parent)
try:
cache_principal_roles = cache.principal_roles
except AttributeError:
cache_principal_roles = cache.principal_roles = {}
try:
return cache_principal_roles[principal]
except KeyError:
pass
if parent is None:
roles = dict([(role, SettingAsBoolean[setting])
for (role,
setting) in globalRolesForPrincipal(principal)])
roles['zope.Anonymous'] = True # Everybody has Anonymous
cache_principal_roles[principal] = roles
return roles
if getattr(parent, 'inherit_permissions', False):
roles = self.cached_principal_roles(
removeSecurityProxy(getattr(parent, '__parent__', None)),
principal)
else:
roles = dict([(role, SettingAsBoolean[setting])
for (role,
setting) in globalRolesForPrincipal(principal)])
roles['zope.Anonymous'] = True # Everybody has Anonymous
prinrole = IPrincipalRoleMap(parent, None)
if prinrole:
for role, setting in prinrole.getRolesForPrincipal(principal):
roles[role] = SettingAsBoolean[setting]
cache_principal_roles[principal] = roles
return roles
def _query(self, **kw):
principal = get_principal()
roles = get_workspace_roles(principal)
group_roles_domain_status = self.item_status_filter(kw, roles)
session = Session()
results = []
for domain_class, status in group_roles_domain_status.iteritems():
query = session.query(domain_class).filter(
domain_class.status.in_(status))
if kw.get("filter_short_name", None):
column = self.title_column(domain_class)
query = query.filter("""(lower(%s) LIKE '%%%s%%')""" %
(column, kw["filter_short_name"].lower()))
results.extend(query.all())
object_roles_domain_status = self.item_status_filter(kw, OBJECT_ROLES)
for domain_class, status in object_roles_domain_status.iteritems():
query = session.query(domain_class).filter(
domain_class.status.in_(status))
if kw.get("filter_short_name", None):
column = self.title_column(domain_class)
query = query.filter("""(lower(%s) LIKE '%%%s%%')""" %
(column, kw["filter_short_name"]))
for obj in query.all():
prm = IPrincipalRoleMap(obj)
for obj_role in OBJECT_ROLES:
if (prm.getSetting(obj_role, principal.id) == Allow
and obj not in results):
results.append(obj)
break
# Sort items
if kw.get("sort_on", None):
if kw.get("sort_dir", None):
rev = True if (kw.get("sort_dir") == "desc") else False
results.sort(key=lambda x: getattr(x, str(kw.get("sort_on"))),
reverse=rev)
return results
def unset_role(role_id, principal_id, context):
log.debug("Unsetting role [%s] for principal [%s] on [%s]", role_id,
principal_id, context)
IPrincipalRoleMap(context).unsetRoleForPrincipal(role_id, principal_id)
