def setupSecurityOptions(self):
    """Push the security settings of ``self.cfg`` into AccessControl.

    Installs the configured security policy implementation, then the
    default behaviours.  The config expresses the checks as ``skip_*``
    flags, so each is negated into the "do check" boolean AccessControl
    expects.
    """
    import AccessControl

    cfg = self.cfg
    AccessControl.setImplementation(cfg.security_policy_implementation)
    AccessControl.setDefaultBehaviors(
        not cfg.skip_ownership_checking,       # ownership checking on?
        not cfg.skip_authentication_checking,  # authentication checking on?
        cfg.verbose_security,
    )
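def import_file(filename, plominodb):
    """Import the Plomino design XML ``filename`` (relative to DIRPATH) into ``plominodb``.

    The design file is read inside a ``with`` block so the handle is
    released even when ``importDesignFromXML`` raises (the original left
    it to the garbage collector).

    Afterwards ``pdb.set_trace`` / ``ipdb.set_trace`` are declared public
    to AccessControl so that a ``set_trace`` left inside an imported
    formula can run under the restricted-code sandbox.  That hands
    through-the-web code an interactive debugger, so this helper is for
    test fixtures only and must not be imported by production code.
    """
    filepath = join(DIRPATH, filename)
    with open(filepath) as design_file:
        plominodb.importDesignFromXML(design_file.read())

    import AccessControl
    # The module names are split ('pd' 'b') so a pre-commit hook grepping
    # for "pdb" does not reject this file.
    AccessControl.ModuleSecurityInfo('pd' 'b').declarePublic('set_trace')
    AccessControl.ModuleSecurityInfo('ipd' 'b').declarePublic('set_trace')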
def setupSecurityOptions(self):
    """Configure AccessControl from ``self.cfg``.

    Sets the security policy implementation and the default
    ownership/authentication/verbosity behaviours.  ``skip_*`` settings
    are inverted because AccessControl takes "check enabled" flags.
    """
    import AccessControl

    policy = self.cfg.security_policy_implementation
    check_ownership = not self.cfg.skip_ownership_checking
    check_authentication = not self.cfg.skip_authentication_checking
    verbose = self.cfg.verbose_security

    AccessControl.setImplementation(policy)
    AccessControl.setDefaultBehaviors(check_ownership, check_authentication, verbose)
def Get_Projects_List(url, values, log):
    """Return the project list reported by the Klocwork server at ``url``.

    ``values`` is copied and extended with ``action=Projects`` before the
    query is logged to ``log`` and sent; the raw response is parsed into
    ``ClassesAPI.ProjectList`` objects.
    """
    query = copy(values)
    query["action"] = "Projects"
    log.write("Getting projects list, query:\n %s\n" % query)
    raw_response = AccessControl.RequestAPI(url, query)
    return AccessControl.ParseAPI(ClassesAPI.ProjectList, raw_response)
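def attachable_documents_vocabulary(context):
    """Build a vocabulary of the documents that may be attached to ``context``.

    Terms are keyed by the document's intid (as a string) and labelled
    with its title.  Two sources are merged: documents and mails
    contained in ``context``, then the targets of ``context.relatedItems``
    that were not already listed.

    Anonymous callers (``SpecialUsers.nobody``) get an empty vocabulary
    without the folder listing or relation traversal being run.

    Changes from the previous version: the "already listed" check uses a
    set instead of a list, and related items are de-duplicated among
    themselves as well (two relations to the same target no longer
    produce two terms with the same value).
    """
    terms = []
    user = AccessControl.getSecurityManager().getUser()
    if user == AccessControl.SpecialUsers.nobody:
        return SimpleVocabulary(terms)

    intids = getUtility(IIntIds)
    seen = set()  # term keys already emitted

    contained = context.getFolderContents(
        full_objects=True,
        contentFilter={
            'portal_type': ['opengever.document.document', 'ftw.mail.mail']
        })
    for doc in contained:
        key = str(intids.getId(doc))
        terms.append(SimpleVocabulary.createTerm(key, key, doc.Title()))
        seen.add(key)

    for relation in getattr(context, 'relatedItems', []):
        key = str(relation.to_id)
        # Skip related documents that are already contained in the task.
        if key in seen:
            continue
        label = relation.to_object.Title()
        terms.append(SimpleVocabulary.createTerm(key, key, label))
        seen.add(key)
    return SimpleVocabulary(terms)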
def _exec(self, bound_names, args, kw):
    """Call a Page Template.

    ``kw`` (with ``args`` folded in under the 'args' key) becomes the
    template's ``options``; the current user is exposed as ``user``.  The
    response content-type is defaulted to ``self.content_type`` when the
    request has a response and no content-type is set yet.  Rendering
    happens with ``self`` pushed as a security context, which is popped
    again in ``finally``.
    """
    self._cook_check()
    kw.setdefault('args', args)
    bound_names['options'] = kw

    try:
        response = self.REQUEST.RESPONSE
    except AttributeError:
        pass  # no request/response available (e.g. called outside publishing)
    else:
        if not response.headers.has_key('content-type'):
            response.setHeader('content-type', self.content_type)

    # Execute the template in a new security context.
    security = AccessControl.getSecurityManager()
    bound_names['user'] = security.getUser()
    security.addContext(self)
    try:
        template_context = self.pt_getContext()
        template_context.update(bound_names)
        return self.pt_render(extra_context=bound_names)
    finally:
        security.removeContext(self)
def key_value_provider(self):
    """Yield ``(path, title)`` pairs for the documents of the selected dossier.

    The client id and dossier path are read from the request, falling
    back to the z3c.form widget names.  Yields nothing for anonymous
    users (during traversal) or when no dossier path is given.

    Raises:
        ValueError: the requested client is not assigned to the current
            user — the check runs before any document is listed.
    """
    request = getRequest()
    # Not logged in means we are still traversing: do nothing.
    current_user = AccessControl.getSecurityManager().getUser()
    if current_user == AccessControl.SpecialUsers.nobody:
        return

    info = getUtility(IContactInformation)
    comm = getUtility(IClientCommunicator)

    client_id = request.get('client', request.get('form.widgets.client'))
    if type(client_id) in (list, tuple, set):
        client_id = client_id[0]
    if not info.is_client_assigned(client_id=client_id):
        raise ValueError(
            'Expected %s to be a assigned client of the current user.'
            % client_id)

    dossier_path = request.get(
        'dossier_path', request.get('form.widgets.source_dossier'))
    if type(dossier_path) in (list, tuple, set):
        dossier_path = dossier_path[0]
    if not dossier_path or not client_id:
        return

    for doc in comm.get_documents_of_dossier(client_id, dossier_path):
        yield (doc.get('path'), doc.get('title'))
class HasProtectedMethods(SimpleItem):
    """Test fixture exposing one method per AccessControl protection level.

    Declarations use the decorator form of ``ClassSecurityInfo``:
    one public method, three methods each protected by a distinct
    permission ('ppp', 'qqq', 'rrr') and one private method.
    """
    security = AccessControl.ClassSecurityInfo()

    def __init__(self, id):
        self.id = id

    @security.public
    def public_method(self):
        """Declared public."""
        return None

    @security.protected('ppp')
    def pp_method(self):
        """Requires permission 'ppp'."""
        return None

    @security.protected('qqq')
    def qq_method(self):
        """Requires permission 'qqq'."""
        return None

    @security.protected('rrr')
    def rr_method(self):
        """Requires permission 'rrr'."""
        return None

    @security.private
    def private_method(self):
        """Declared private."""
        return None
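def attachable_documents_vocabulary(context):
    """Return a SimpleVocabulary of documents attachable to ``context``.

    Each term's value/token is the document's intid as a string and its
    title is the document title.  Contained documents and mails come
    first, followed by the targets of ``relatedItems`` that are not yet
    present.  Anonymous users get an empty vocabulary and no catalog or
    relation access is performed for them.

    Membership of already emitted keys is tracked in a set (was a list
    with O(n) lookups), and related items are de-duplicated among
    themselves too so the vocabulary never receives a duplicate value.
    """
    terms = []
    user = AccessControl.getSecurityManager().getUser()
    if user == AccessControl.SpecialUsers.nobody:
        return SimpleVocabulary(terms)

    intids = getUtility(IIntIds)
    emitted = set()

    def add_term(key, label):
        terms.append(SimpleVocabulary.createTerm(key, key, label))
        emitted.add(key)

    docs = context.getFolderContents(
        full_objects=True,
        contentFilter={'portal_type': ['opengever.document.document',
                                       'ftw.mail.mail']})
    for doc in docs:
        add_term(str(intids.getId(doc)), doc.Title())

    for relation in getattr(context, 'relatedItems', []):
        key = str(relation.to_id)
        # The task may already contain the related document: skip it.
        if key in emitted:
            continue
        add_term(key, relation.to_object.Title())
    return SimpleVocabulary(terms)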
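def update_cache(self, xslt_obj, source, result, anonymous_only=1):
    """Update the page cache, based on several conditions.

    Writes ``result`` to ``<cache_dir>/<xslt id>_<user id>_<md5>`` and
    records ``(file name, timestamp, authenticated flag)`` in the
    ``_page_cache`` OOBTree under ``<xslt id><md5 of source>``.

    Returns 0 without touching the cache when ``anonymous_only`` is set
    and a user is logged in; returns 1 after the cache was written.

    Fixes: the deprecated ``md5`` module is replaced by ``hashlib`` (same
    digest), the removed ``file()`` builtin by ``open()``, and the cache
    file is closed in ``finally`` so an error while writing cannot leak
    the handle.
    """
    import hashlib
    import time
    import AccessControl

    sm = AccessControl.getSecurityManager()
    user_id = sm.getUser().getId()
    if anonymous_only and user_id is not None:
        return 0

    checksum = hashlib.md5(source).hexdigest()
    page_cache = getattr(self, '_page_cache', OOBTree())

    xid = xslt_obj.getId()
    # The user id is part of the file name primarily for debugging.
    # NOTE(review): xid and user_id are embedded unescaped; if either can
    # contain path separators the cache file lands outside cache_dir.
    cache_fname = '%s_%s_%s' % (xid, user_id, checksum)
    cachekey = '%s%s' % (xid, checksum)

    # Third element: 0 for an anonymous render, 1 for an authenticated one.
    if user_id is None:
        authenticated = 0
    else:
        authenticated = 1
    page_cache[cachekey] = (cache_fname, time.time(), authenticated)

    cache_file = open('%s/%s' % (self.cache_dir, cache_fname), 'w+')
    try:
        cache_file.write(result)
    finally:
        cache_file.close()
    self._page_cache = page_cache
    return 1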
class CatalogTool(base.CatalogTool):
    """Catalog tool whose full rebuild also reindexes discussion replies."""
    security = AccessControl.ClassSecurityInfo()

    def reindexComments(self):
        """Does nothing."""
        return None

    def clearFindAndRebuild(self):
        """Empties catalog, then finds all contentish objects (i.e. objects
        with an indexObject method), and reindexes them.

        This may take a long time.
        """
        def indexObject(obj, path):
            """Index ``obj`` and, if discussion is allowed on it, its replies."""
            if not (base_hasattr(obj, 'indexObject')
                    and safe_callable(obj.indexObject)):
                return
            try:
                obj.indexObject()
                pdtool = obj.portal_discussion
                if pdtool.isDiscussionAllowedFor(obj):
                    talkback = pdtool.getDiscussionFor(obj)
                    for reply in talkback.getReplies():
                        reply.indexObject()
            except TypeError:
                # Catalogs have 'indexObject' as well, but they take
                # different args, and will fail with TypeError.
                pass

        self.manage_catalogClear()
        portal = aq_parent(aq_inner(self))
        portal.ZopeFindAndApply(portal, search_sub=True, apply_func=indexObject)
def publishObject(self, object, message):
    """Publish ``object`` into the repository for the first time.

    Puts the object under version control, creates the folder that will
    hold its version history and checks in the first version under the
    current user's name.  Then the search cache is cleared, the hit
    counter (when ``portal_hitcount`` exists) registers the new id, and
    the storage is notified of the revised object.

    Returns:
        The new unique id of the object.
    """
    storage = self.getStorageForType(object.portal_type)
    objectId = storage.applyVersionControl(object)
    storage.createVersionFolder(object)
    author = AccessControl.getSecurityManager().getUser().getUserName()
    storage.checkinResource(object, message, author)
    self.cache.clearSearchCache()

    # FIXME: the notifications below belong in an event system
    # (zope.event / ObjectRevisionPublished), not in this method.
    hitcount = getToolByName(self, 'portal_hitcount', None)
    if hitcount:
        hitcount.registerObject(objectId, DateTime())
    # storage events (mostly collection printing, at the moment)
    published = storage.getObject(objectId, 'latest')
    storage.notifyObjectRevised(published, None)
    return objectId
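def run():
    """Create a scratch ``employees`` table, insert three rows, read them back, drop it.

    Credentials come from ``AccessControl.getCredentials("simple.py")``
    (a local helper, not the Zope package).  Row values are passed as
    bind variables, never interpolated into the SQL text.

    The cursor and connection are now closed in ``finally``, so a failure
    in the middle of the demo no longer leaks the connection; the table
    is still left behind if a statement before ``DROP TABLE`` fails.
    Errors are reported on stdout rather than raised.
    """
    connection = None
    cursor = None
    try:
        credentials = AccessControl.getCredentials("simple.py")
        connection = cx_Oracle.connect(
            credentials.user, credentials.password, credentials.connstr)
        cursor = connection.cursor()
        cursor.execute("""
            CREATE TABLE employees(first_name VARCHAR2(20), last_name VARCHAR2(20))""")
        print("Table has been created")

        values = [["ROBERT", "ROBERTSON"],
                  ["ANDY", "ANDREWS"],
                  ["MICHAEL", "MICHAELSON"]]
        cursor.executemany("INSERT INTO employees VALUES (:1, :2)", values)
        print("Inserted ", len(values), "employees into the table")

        cursor.execute("""
            SELECT first_name, last_name FROM employees""")
        for fname, lname in cursor:
            print("Selected employee:", fname, lname)

        cursor.execute("DROP TABLE employees")
        print("Table has been dropped")
    except Exception as e:
        # Something went wrong
        print("An error ocurred", str(e))
    finally:
        if cursor is not None:
            cursor.close()
        if connection is not None:
            connection.close()
            print("Connection has been released")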
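def getTransitionVocab(context):
    """Return a vocabulary of workflow transitions for a task.

    For an existing task (``ITask`` provided and the request URL is not
    the ``++add++opengever.task.task`` form) the transitions come from
    ``wftool.getTransitionsFor(context)``.  On the add form, or for a
    non-task context, the transitions leaving the initial state of the
    task workflow are listed instead.  Anonymous users get an empty
    vocabulary.

    A transition id referenced by the initial state but missing from the
    workflow definition is skipped (previously ``None.id`` raised
    AttributeError).
    """
    current_user = AccessControl.getSecurityManager().getUser()
    if current_user == AccessControl.SpecialUsers.nobody:
        return SimpleVocabulary([])

    wftool = getToolByName(context, 'portal_workflow')
    transitions = []
    on_add_form = '++add++opengever.task.task' in context.REQUEST.URL

    if opengever.task.task.ITask.providedBy(context) and not on_add_form:
        for tdef in wftool.getTransitionsFor(context):
            transitions.append(SimpleVocabulary.createTerm(
                tdef['id'], tdef['id'],
                PMF(tdef['id'], default=tdef['title_or_id'])))
        return SimpleVocabulary(transitions)

    chain = wftool.getChainForPortalType('opengever.task.task')
    wf = wftool.get(chain[0])
    state = wf.states.get(wf.initial_state)
    for tid in state.transitions:
        tdef = wf.transitions.get(tid, None)
        if tdef is None:
            continue  # dangling transition id in the state definition
        transitions.append(SimpleVocabulary.createTerm(
            tdef.id, tdef.id, PMF(tdef.id, default=tdef.title_or_id)))
    return SimpleVocabulary(transitions)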
def _create_yearfolder(inbox, year):
    """Create the year folder for ``year`` inside ``inbox`` and return it.

    The folder is created as ``SpecialUsers.system`` because ordinary
    users are not allowed to add year folders; the caller's security
    manager is restored in ``finally`` whether or not creation succeeds.
    """
    previous_sm = AccessControl.getSecurityManager()
    AccessControl.SecurityManagement.newSecurityManager(
        inbox.REQUEST,
        AccessControl.SecurityManagement.SpecialUsers.system)
    try:
        # --- help i18ndude ---
        msg = _(u'yearfolder_title', default=u'Closed ${year}',
                mapping=dict(year=str(year)))
        # --- / help i18ndude ---
        folder_title = translate(str(msg), msg.domain, msg.mapping,
                                 context=inbox.REQUEST, default=msg.default)
        folder = createContentInContainer(
            inbox, 'opengever.inbox.yearfolder',
            title=folder_title, id=year)
    finally:
        AccessControl.SecurityManagement.setSecurityManager(previous_sm)
    return folder
def is_already_done(self, transition, text):
    """Return True if this exact request was already executed.

    This is the case when the sender client has a conflict error when
    committing and the sender-request needs to be re-done.  The view is
    then called another time although the changes were already made and
    committed, so the caller should answer "OK" and do nothing.

    "Already done" means the most recent response on the context has the
    same transition and text and was created by the current user.
    """
    responses = IResponseContainer(self.context)
    if len(responses) == 0:
        return False

    latest = responses[-1]
    current_user_id = AccessControl.getSecurityManager().getUser().getId()
    return bool(latest.transition == transition
                and latest.creator == current_user_id
                and latest.text == text)
def __enter__(self):
    """Switch the current security manager to the system user.

    The previous manager is kept in ``self._original_security`` so it can
    be restored on exit.  Entering twice without leaving is a programming
    error and trips the assertion.
    """
    assert self._original_security is None
    self._original_security = AccessControl.getSecurityManager()
    system_user = AccessControl.SecurityManagement.SpecialUsers.system
    # No request object is attached to the elevated manager.
    AccessControl.SecurityManagement.newSecurityManager(None, system_user)
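class Plugin(PAS.plugins.BasePlugin.BasePlugin):
    """PAS authentication plugin that validates credentials with an LDAP simple bind.

    A new connection is opened and closed for every call; the connection
    is now released in ``finally``, so an unexpected error from the bind
    no longer leaks it.
    """
    security = AccessControl.ClassSecurityInfo()
    meta_type = 'LDAPAlchemy Plugin'
    # Tell PAS not to swallow our exceptions, do not use for production
    _dont_swallow_my_exceptions = True

    @security.public
    def authenticateCredentials(self, credentials):
        """see PAS.interfaces.plugins.IAuthenticationPlugin

        Returns ``(user_id, login)`` when the bind succeeds, ``None`` when
        login or password is missing or the bind is rejected.
        """
        login = credentials.get('login')
        pw = credentials.get('password')
        if not (login and pw):
            return None

        # XXX: no real ldapalchemy, yet, but barebone ldapy
        # also for now, we open/close the ldap connection for each call
        ld = ldapy.initialize('ldapi://ldapi')
        # NOTE(review): ``login`` is interpolated into the DN without
        # escaping; a login containing DN metacharacters (',', '+', '=',
        # ...) changes which entry is bound.  Escape it per RFC 4514 once
        # a real LDAP library is wired in.
        login_dn = 'cn=%s,o=o' % login
        try:
            try:
                ldapy.simple_bind_s(ld, login_dn, pw)
            except ldapy.InvalidCredentials:
                return None
            return (login, login)
        finally:
            ldapy.unbind(ld)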
def __visible_groups_for_current_user(self):
    """Return the groups whose ``messages`` instance the current user may View.

    A group counts as visible only if it has a ``messages`` attribute and
    the user holds View on both the group and its (explicit) messages.

    AM: "visible groups" should really be the groups a user is a member
    of, public groups and private groups — i.e. only the group's own
    visibility.  A separate "visible messages" method should decide what
    messages and files appear in search results, latest topics and the
    site homepage.  Until that distinction exists the stricter test above
    is used to preserve security.
    """
    check = AccessControl.getSecurityManager().checkPermission
    visibleGroups = [
        group for group in self.get_all_groups()
        if hasattr(group, 'messages')
        and check('View', group)
        and check('View', group.aq_explicit.messages)]
    assert type(visibleGroups) == list
    return visibleGroups
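def get_visible_groups(self):
    """Return the groups visible to the current user, using the per-site cache.

    The cache ``self.siteUserVisibleGroupsIds`` is keyed by top-level
    site id, site id and the user's group list and stores group ids.  On
    a hit the group objects are re-fetched from ``self.groupsObj``; on a
    miss ``__visible_groups_for_current_user`` runs and its ids are cached.

    The bare ``except`` around the cached-id lookup is narrowed to
    ``Exception`` so KeyboardInterrupt/SystemExit are no longer swallowed;
    a cached id whose group cannot be fetched is still skipped with a
    warning (best effort, as before).

    NOTE(review): the key omits the user id, so two users with identical
    group membership share an entry; if View on a group can be granted
    per user, the cached list may not match what the user may see.
    """
    site_root = self.context.site_root()
    top_level_site_id = site_root.getId()
    user = AccessControl.getSecurityManager().getUser()
    userId = user.getId()
    groups = '-'.join(user.getGroups())
    key = '-'.join((top_level_site_id, self.siteInfo.id, groups))

    if self.siteUserVisibleGroupsIds.has_key(key):  # lint:ok
        visibleGroups = []
        for groupId in self.siteUserVisibleGroupsIds.get(key):
            try:
                visibleGroups.append(getattr(self.groupsObj, groupId))
            except Exception:
                log.warn("trouble adding '%s' to visible groups" % groupId)
    else:
        top = time.time()
        visibleGroups = self.__visible_groups_for_current_user()
        visibleGroupsIds = [group.getId() for group in visibleGroups]
        self.siteUserVisibleGroupsIds.add(key, visibleGroupsIds)
        bottom = time.time()
        log.debug("Generated visible-groups for (%s) on %s (%s) in "
                  "%.2fms" % (userId, self.siteInfo.name, self.siteInfo.id,
                              (bottom - top) * 1000.0))

    assert type(visibleGroups) == list, "visibleGroups is not a list"
    return visibleGroups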
def participate_user(self):
    """Participates `self.user` on `self.context`.

    The member's existing local roles on the context are merged with
    ``self.roles()`` (duplicates removed) and assigned while running as
    the inviter; if the inviter no longer has permission on this context
    the assignment fails.  The previous security manager is restored in
    ``finally``.
    """
    member_id = self.member.getId()
    local_roles = dict(self.context.get_local_roles())
    wanted_roles = list(local_roles.get(member_id, []))
    wanted_roles.extend(self.roles())
    # make the roles unique
    wanted_roles = dict(zip(wanted_roles, wanted_roles)).keys()

    previous_sm = AccessControl.getSecurityManager()
    inviter = self.context.acl_users.getUserById(self.invitation.inviter)
    # NOTE(review): getUserById returns None for an unknown inviter; what
    # newSecurityManager does with a None user is not checked here.
    AccessControl.SecurityManagement.newSecurityManager(self.request, inviter)
    try:
        self.context.manage_setLocalRoles(member_id, wanted_roles)
        self.context.reindexObjectSecurity()
    finally:
        AccessControl.SecurityManagement.setSecurityManager(previous_sm)
def setUp(self):
    """Shared test environment set-up, ran before every test.

    Installs the ``HasProtectedMethods`` fixture as ``hpm``, switches the
    security policy to verbose, creates the roles used by ``role_mapping``
    and grants the mapped permissions, creates a Member+VIP user and
    finally logs in as 'boss' (the previous security manager is kept in
    ``self._old_sm``).
    """
    portal = self.layer['portal']
    self.portal = portal
    portal._setObject('hpm', HasProtectedMethods('hpm'))

    # Verbose policy: like "verbose-security on" in zope.conf.
    AccessControl.getSecurityManager()._policy._verbose = 1

    for role in ('Member', 'VIP', 'Manager'):
        portal._addRole(role)
    for permission, roles in role_mapping:
        portal.manage_permission(permission, roles, 1)

    api.user.create(
        username='******',
        email='*****@*****.**',
        password='******',
        roles=('Member', 'VIP'),
    )

    self._old_sm = AccessControl.SecurityManagement.getSecurityManager()
    AccessControl.SecurityManagement.newSecurityManager(
        portal.REQUEST, portal.acl_users.getUser('boss'))
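def getTransitionVocab(context):
    """Vocabulary of workflow transitions for a task context.

    Existing task (``ITask`` provided, request URL not the
    ``++add++opengever.task.task`` form): the terms are the transitions
    returned by ``wftool.getTransitionsFor(context)``.  Otherwise the
    transitions leaving the initial state of the task workflow are used.
    Anonymous users get an empty vocabulary.

    Transition ids referenced by the initial state but absent from the
    workflow's transitions are skipped instead of raising AttributeError
    on ``None.id``.
    """
    if AccessControl.getSecurityManager().getUser() == AccessControl.SpecialUsers.nobody:
        return SimpleVocabulary([])

    wftool = getToolByName(context, 'portal_workflow')
    is_task = opengever.task.task.ITask.providedBy(context)
    on_add_form = '++add++opengever.task.task' in context.REQUEST.URL

    if is_task and not on_add_form:
        terms = [
            SimpleVocabulary.createTerm(
                tdef['id'], tdef['id'],
                PMF(tdef['id'], default=tdef['title_or_id']))
            for tdef in wftool.getTransitionsFor(context)]
        return SimpleVocabulary(terms)

    wf = wftool.get(wftool.getChainForPortalType('opengever.task.task')[0])
    state = wf.states.get(wf.initial_state)
    terms = []
    for tid in state.transitions:
        tdef = wf.transitions.get(tid, None)
        if tdef is None:
            continue  # state refers to a transition the workflow lacks
        terms.append(SimpleVocabulary.createTerm(
            tdef.id, tdef.id, PMF(tdef.id, default=tdef.title_or_id)))
    return SimpleVocabulary(terms)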
def _create_yearfolder(inbox, year):
    """Create and return the ``opengever.inbox.yearfolder`` for ``year`` in ``inbox``.

    Normal users may not add year folders, so the folder is created under
    the system user; the caller's security manager is put back in
    ``finally``.
    """
    saved_manager = AccessControl.getSecurityManager()
    system_user = AccessControl.SecurityManagement.SpecialUsers.system
    AccessControl.SecurityManagement.newSecurityManager(inbox.REQUEST, system_user)
    try:
        # --- help i18ndude ---
        msg = _(u'yearfolder_title', default=u'Closed ${year}',
                mapping=dict(year=str(year)))
        # --- / help i18ndude ---
        title = translate(str(msg), msg.domain, msg.mapping,
                          context=inbox.REQUEST, default=msg.default)
        folder = createContentInContainer(inbox, 'opengever.inbox.yearfolder',
                                          title=title, id=year)
    finally:
        AccessControl.SecurityManagement.setSecurityManager(saved_manager)
    return folder
class HasProtectedMethods(SimpleItem):
    """Test fixture exposing one method per AccessControl protection level.

    Protection is declared with the classic ``security.declare*`` calls
    (by method name) rather than decorators: one public method, three
    methods guarded by the permissions 'ppp', 'qqq' and 'rrr', and one
    private method.
    """
    security = AccessControl.ClassSecurityInfo()

    security.declarePublic('public_method')
    security.declareProtected('ppp', 'pp_method')
    security.declareProtected('qqq', 'qq_method')
    security.declareProtected('rrr', 'rr_method')
    security.declarePrivate('private_method')

    def __init__(self, id):
        self.id = id

    def public_method(self):
        """Declared public."""
        return None

    def pp_method(self):
        """Requires permission 'ppp'."""
        return None

    def qq_method(self):
        """Requires permission 'qqq'."""
        return None

    def rr_method(self):
        """Requires permission 'rrr'."""
        return None

    def private_method(self):
        """Declared private."""
        return None
def member_groups(self):
    """Return ``IGSGroupInfo`` objects for the groups the current user is a member of.

    The list is truncated to ``self.maxGroupsToDisplay`` entries when that
    attribute is set (truthy).
    """
    current_user = AccessControl.getSecurityManager().getUser()
    member_of = self.groupsInfo.get_member_groups_for_user(current_user, current_user)
    limit = self.maxGroupsToDisplay
    if limit:
        member_of = member_of[:limit]
    return map(IGSGroupInfo, member_of)
class MemberData(BaseMemberData):
    """Member data whose DB_FIELDS properties are mirrored into an SQL table."""
    security = AccessControl.ClassSecurityInfo()

    security.declarePrivate('setMemberProperties')
    def setMemberProperties(self, mapping):
        """Overridden to store a copy of certain user data fields in an SQL database.

        Only fields listed in ``DB_FIELDS`` whose value actually changed
        are sent to ``portal_moduledb``: INSERT when the member is not yet
        in ``member_catalog``, UPDATE otherwise.  The base implementation
        is always called afterwards.
        """
        member_id = self.getId()
        db_args = dict((f, v) for (f, v) in mapping.items()
                       if f in DB_FIELDS and self.getProperty(f) != v)
        dbtool = getToolByName(self, 'portal_moduledb')
        if dbtool and db_args:
            if self.member_catalog(getUserName=member_id):
                verb, sql_method = "UPDATE", dbtool.sqlUpdateMember
            else:
                verb, sql_method = "INSERT", dbtool.sqlInsertMember
            zLOG.LOG("MemberData", zLOG.INFO,
                     "%s memberdata for %s: %s" % (verb, member_id, db_args))
            # aq_parent is passed explicitly to be our own parent, otherwise
            # the ZSQL method would acquire blank arguments from the
            # property sheet.
            sql_method(aq_parent=self.aq_parent, id=member_id, **db_args)
        BaseMemberData.setMemberProperties(self, mapping)
def checkPermission(permission, context=None):
    """Return true if the current user has ``permission`` on ``context``.

    When ``context`` is not given (or falsy) the dmd is used instead.
    """
    if not context:
        context = get_dmd()
    manager = AccessControl.getSecurityManager()
    return manager.checkPermission(permission, context)
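def Get_Ignored_Issues(ServerData, values, log):
    """Get summary of all ignored issues where Severity is Critical/Error
    and Code is NOT ServerData["ComplexityCode"] and issue ID of ignored
    issues without related comment.

    Returns a dict with ``crit_ignore`` / ``err_ignore`` counts and
    ``no_message_ignore_id``, the ids of issues that were set to Ignore
    without a comment, as a comma-separated string.

    Fixes: the log line now says "ignored" (it said "not-ignored", the
    message of the sibling function), an issue whose detail response is
    empty is skipped instead of raising IndexError, and the history scan
    is moved into ``_ignored_without_comment``.
    """
    temp_ignored = {}
    issue_id = []
    vals = copy(values)
    val = copy(values)
    vals['action'] = "search"
    val["action"] = "issue_details"
    counters = {1: "crit_ignore", 2: "err_ignore"}

    for severity in (1, 2):
        # find all ignored Critical (1) and Error (2) issues
        vals["query"] = "severity:%d status:ignore -code:%s grouping:%s" % (
            severity, ServerData["ComplexityCode"], ServerData["Grouping"])
        log.write("Getting ignored issues, query:\n %s" % vals)
        Response = AccessControl.RequestAPI(ServerData["url"], vals)
        Result = AccessControl.ParseAPI(ClassesAPI.IssuesBuild, Response)
        temp_ignored[counters[severity]] = len(Result)

        for issue in Result:
            # Search for ignored issues without comments
            val["id"] = issue.id
            response = AccessControl.RequestAPI(ServerData["url"], val)
            issue_details = AccessControl.ParseAPI(ClassesAPI.IssuesDetail, response)
            if not issue_details:
                continue
            if _ignored_without_comment(issue_details[0].history):
                issue_id.append(issue.id)

    temp_ignored["no_message_ignore_id"] = str(issue_id).strip('[]')
    return temp_ignored


def _ignored_without_comment(history):
    """True if ``history`` holds an 'Ignore' entry with an empty comment whose
    predecessor (if any) also has an empty comment."""
    previous = None
    for entry in history:
        if entry.status == u'Ignore' and entry.comment == u'':
            if previous is None or previous.comment == u'':
                return True
        previous = entry
    return False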
def __call__(self, *args, **kwargs):
    """Add the zope user to the security context, as done in PageTemplateFile.

    Positional arguments are exposed to the template as ``options/args``
    unless an ``args`` keyword was passed explicitly; the current user is
    bound as ``user``.
    """
    kwargs.setdefault('args', args)
    security = AccessControl.getSecurityManager()
    extra_context = {
        'options': kwargs,
        'user': security.getUser(),
    }
    return self.pt_render(extra_context=extra_context)
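class MemberData(BaseMemberData):
    """Member data object that resolves its user via acquisition or ``acl_users``.

    Fix: ``getUser`` raised a Python 2 string exception
    (``raise 'MemberDataError', ...``), which is a TypeError on Python >= 2.6;
    it now raises ``LookupError`` with the same message.
    """
    __implements__ = IMemberData
    security = AccessControl.ClassSecurityInfo()

    def __init__(self, id):
        self.id = id

    def getId(self):
        """Override to return the id we've stored"""
        return self.id

    security.declarePrivate('notifyModified')
    def notifyModified(self):
        """Recatalog this member in MEMBER_CATALOG."""
        cat = getToolByName(self, MEMBER_CATALOG)
        cat.catalog_object(self)

    security.declarePublic('getUser')
    def getUser(self):
        """Return the user object this member data belongs to.

        The acquisition parent is used when it is a user object; when the
        wrapper was stripped (parent is the container) or the parent has
        no ``getUserName`` the user is looked up by id in ``acl_users``.

        Raises:
            LookupError: no user could be found for ``self.getId()``.
        """
        user = aq_parent(self)
        bcontext = aq_base(user)
        bcontainer = aq_base(aq_parent(aq_inner(self)))
        if bcontext is bcontainer or not hasattr(bcontext, 'getUserName'):
            # The wrapper didn't work, so look the user up by ID instead.
            user_folder = getToolByName(self, 'acl_users')
            user = user_folder.getUser(self.getId())
        if user:
            return user
        raise LookupError("Can't find user data for %s" % self.getId())

    def getTool(self):
        return getToolByName(self, 'portal_memberdata')

    security.declarePublic('getMemberId')
    def getMemberId(self):
        return self.getId()

    ### GRUF interface
    security.declarePublic('getGroups')
    def getGroups(self):
        """Return the groups of the underlying user, or () for user folders without getGroups."""
        try:
            return self.getUser().getGroups()
        except AttributeError:
            # Cope with users from non-GRUF user folders
            return ()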
def configure_zope(config_filename, debug_mode=False):
    """Read zope.conf with zdaemon^Wzcrap.

    Parses ``config_filename`` with Zope's option machinery, applies the
    security policy and default behaviours to AccessControl, installs the
    configuration in ``App.config`` and sets the debug mode.

    Side effect: ``sys.argv`` is truncated to its first element before the
    options are realized (presumably so the parser does not pick up the
    caller's own command line).
    """
    from Zope2.Startup import options, handlers
    import AccessControl

    del sys.argv[1:]
    opts = options.ZopeOptions()
    opts.configfile = config_filename
    opts.realize(raise_getopt_errs=0)
    handlers.handleConfig(opts.configroot, opts.confighandlers)

    root = opts.configroot
    AccessControl.setImplementation(root.security_policy_implementation)
    AccessControl.setDefaultBehaviors(
        not root.skip_ownership_checking,
        not root.skip_authentication_checking,
        root.verbose_security)
    App.config.setConfiguration(root)
    set_zope_debug_mode(debug_mode)
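def issueTicket(ident):
    """ issues a timelimit ticket

    The ticket is stored in ``ticketCache`` under the current user's id
    and ``ident`` and returned as a str.  It is now generated from
    ``uuid.uuid4()`` (backed by ``os.urandom``); the previous
    ``str(random.random())`` came from a predictable PRNG, which is
    unsuitable for an authorisation token.

    Raises:
        Unauthorized: no user is authenticated.

    >>> type(issueTicket(object()))== type('')
    True
    """
    import uuid

    sm = AccessControl.getSecurityManager()
    user = sm.getUser()
    if user is None:
        raise Unauthorized('No currently authenticated user')
    ticket = uuid.uuid4().hex
    ticketCache.set(user.getId(), ident, key=dict(ticket=ticket))
    return ticket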
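def test_file_download_no_notification_when_system(self):
    """A download performed as the system user must not emit IFileDownloadedEvent.

    The original security manager is restored in ``finally``: previously a
    failing assertion skipped the restore and left every later test in
    the process running with system privileges.
    """
    original_security = AccessControl.getSecurityManager()
    system_user = AccessControl.SecurityManagement.SpecialUsers.system
    AccessControl.SecurityManagement.newSecurityManager(None, system_user)
    try:
        self.index_html()
        events = [e for e in eventtesting.getEvents()
                  if IFileDownloadedEvent.providedBy(e)]
        self.assertEqual(0, len(events))
    finally:
        AccessControl.SecurityManagement.setSecurityManager(original_security)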
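def Get_Complexity_Issues(ServerData, values, log):
    """Appends into temp_project data about complexity issues:
    1) Sum of "Approved" issues - status: Not a problem
    2) Sum of "Not approved" issues - Status != Not a problem
    3) Issue ID and complexity value of top 10 most complex "Not approved"
       issues - as a tuple

    The complexity value is the integer preceding ">" in the issue
    message.  An issue whose message carries no such value is still
    counted as not approved but left out of the ranking (previously
    ``re.search`` returned None and ``.group()`` raised AttributeError).
    """
    import re

    vals = copy(values)
    vals['action'] = 'search'
    vals['query'] = "code:%s" % ServerData["ComplexityCode"]
    log.write("Getting complexity issues, query:\n %s" % vals)

    complex_approve = 0
    complex_not_approve = 0
    complex_details = []
    complexity_re = re.compile(r"[0-9]+(?=>)")

    Response = AccessControl.RequestAPI(ServerData["url"], vals)
    Result = AccessControl.ParseAPI(ClassesAPI.IssuesBuild, Response)
    for issue in Result:
        if issue.status == "Not a Problem":
            complex_approve += 1
            continue
        complex_not_approve += 1
        match = complexity_re.search(str(issue.message))
        if match is None:
            log.write("No complexity value in message of issue %s\n" % issue.id)
            continue
        complex_details.append((issue.id, int(match.group())))

    complex_details.sort(key=lambda item: item[1], reverse=True)
    temp_complex = {
        "complex_approved": complex_approve,
        "complex_not_approved": complex_not_approve,
        "ComplexityDetails": complex_details[:10],
    }
    return temp_complex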
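def writeobj(self, obj, arcname=None):
    """Add the filesystem file behind ``obj`` to the archive as ``arcname``.

    The View permission is checked on ``obj`` before anything is written.
    The name is taken from ``obj._original`` when present, else from
    ``obj._get_fsname``.

    Raises:
        AccessControl.Unauthorized: the current user may not View ``obj``
            (was a Python 2 string exception, which cannot be raised on
            2.6+).
        Exception: no filesystem name can be determined (was
            ``raise Exception, "..."``, same type).
    """
    if not AccessControl.getSecurityManager().checkPermission("View", obj):
        raise AccessControl.Unauthorized(
            "not authorized to View %s" % (obj.absolute_url()))
    if hasattr(obj, "_original"):
        fsname = obj._original._get_fsname(obj._original.filename)
    elif hasattr(obj, "_get_fsname"):
        fsname = obj._get_fsname(obj.filename)
    else:
        raise Exception("Can not determine filename for object.")
    self.write(filename=fsname, arcname=arcname)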
def Get_Builds_List(url, values, log):
    """Return the dates of the two most recent builds for values['project'].

    The result dict has ``last_build`` (first entry of the server's build
    list) and ``prev_build`` (second entry); each is "N/A" when that entry
    does not exist.
    """
    query = copy(values)
    query["action"] = "builds"
    log.write("Getting builds list, query:\n %s" % query)
    raw = AccessControl.RequestAPI(url, query)
    builds = AccessControl.ParseAPI(ClassesAPI.Build, raw)

    summary = {"last_build": "N/A", "prev_build": "N/A"}
    if len(builds) > 0:
        summary["last_build"] = builds[0].date
    if len(builds) > 1:
        summary["prev_build"] = builds[1].date
    return summary
class EMailAspect(Products.AlphaFlow.aspect.Aspect):
    """Workflow aspect that sends an e-mail for the current work item."""
    zope.interface.implements(IEMailAspect)
    security = AccessControl.ClassSecurityInfo()
    aspect_type = "email"

    security.declarePrivate('__call__')
    def __call__(self):
        """Send email for the single current work item via activities.notify."""
        work_items = [self.getWorkItem()]
        definition = self.getDefinition()
        Products.AlphaFlow.activities.notify._send_email(self, definition, work_items)
def get_roles_and_users():
    """Return the roles and users values for the current user, which can be
    used to query against a roles_and_users index.

    Anonymous users get ``['Anonymous']``; everyone else gets 'Anonymous',
    their roles, ``user:<id>`` and, when the user folder supports groups,
    ``user:<group>`` for each group.  Order is unspecified (set-based).
    """
    user = AccessControl.getSecurityManager().getUser()
    if user == AccessControl.SpecialUsers.nobody:
        return ['Anonymous']

    values = set(['Anonymous'])
    values.update(user.getRoles())
    values.add('user:{}'.format(user.getId()))
    # Not every user folder provides getGroups; groups use the same
    # 'user:' prefix as the user id.
    if hasattr(aq_base(user), 'getGroups'):
        values.update('user:{}'.format(group) for group in user.getGroups())
    return list(values)
def portal_newsletters():
    """Return mailing-lists created with the newsletter tool.

    Only channels the current user may View and that provide
    ``IChannel`` are returned; without a site root or a
    ``portal_newsletters`` object the result is empty.
    """
    root = component.queryUtility(Products.CMFPlone.interfaces.IPloneSiteRoot)
    if root is None:
        return []
    root = collective.dancing.utils.fix_request(root, 0)
    if 'portal_newsletters' not in root.objectIds():
        return []

    channels = root['portal_newsletters']['channels'].objectValues()
    sm = AccessControl.getSecurityManager()
    visible = []
    for channel in channels:
        if not sm.checkPermission('View', channel):
            continue
        if collective.singing.interfaces.IChannel.providedBy(channel):
            visible.append(channel)
    return visible
def initProcess(self, definition, obj):
    """Create a new process instance for a content object.

    Security is handled here by hand: the current user must hold
    INIT_PROCESS on ``obj`` itself, otherwise ``zExceptions.Unauthorized``
    is raised before anything is created.  The instance is registered in
    ``self.instances`` under a freshly generated unique id and returned.
    """
    user = AccessControl.getSecurityManager().getUser()
    permission = gocept.alphaflow.config.INIT_PROCESS
    if not user.has_permission(permission, obj):
        raise zExceptions.Unauthorized("initProcess", obj, permission)

    instance_id = gocept.alphaflow.utils.generateUniqueId(definition.getId())
    instance = zope.component.getMultiAdapter(
        (definition, obj, instance_id),
        gocept.alphaflow.interfaces.ILifeCycleObject)
    self.instances._setObject(instance_id, instance)
    return self.instances[instance_id]
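def Get_NotIgnored_Issues(ServerData, values, log):
    """Appends into "temp_project" data on non-ignored issues:
    1) Sum of Critical issues
    2) Sum of Error issues
    3) Data of Complexity issues - assuming complexity issues are
       classified as Critical/Error

    Returns a dict with ``crit_issues`` and ``err_issues`` counts.

    Fix: the log line said "Getting ignored issues" — the message of the
    sibling function — although the query excludes ignored issues.
    """
    temp = {}
    vals = copy(values)
    vals['action'] = "search"
    counters = {1: "crit_issues", 2: "err_issues"}

    for severity in (1, 2):
        # find all non-ignored Critical (1) and Error (2) issues
        vals["query"] = "severity:%d -status:ignore -code:%s grouping:%s" % (
            severity, ServerData["ComplexityCode"], ServerData["Grouping"])
        log.write("Getting not-ignored issues, query:\n %s" % vals)
        Response = AccessControl.RequestAPI(ServerData["url"], vals)
        Result = AccessControl.ParseAPI(ClassesAPI.IssuesBuild, Response)
        temp[counters[severity]] = len(Result)
    return temp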
def __call__(self):
    """If user is not allowed to view PersonalOverview, redirect him to
    the repository root, otherwise behave like always.

    Anonymous users get ``Unauthorized`` rather than a redirect.
    """
    user = AccessControl.getSecurityManager().getUser()
    if user == AccessControl.SecurityManagement.SpecialUsers.nobody:
        raise Unauthorized

    if self.user_is_allowed_to_view():
        return super(PersonalOverview, self).__call__()

    catalog = getToolByName(self.context, 'portal_catalog')
    repos = catalog(portal_type='opengever.repository.repositoryroot')
    # NOTE(review): raises IndexError when no repository root is cataloged.
    repo_url = repos[0].getURL()
    return self.request.RESPONSE.redirect(repo_url)
def protect_edit_form(obj, event):
    """If the object is locked for the current user, let's redirect to the
    view of the object, where the lockinfo viewlet usually is.

    Nothing is done for anonymous users: locking does not work for them,
    and skipping the redirect keeps widget traversal (which is always
    anonymous) working.
    """
    current_user = AccessControl.getSecurityManager().getUser()
    if current_user == AccessControl.SecurityManagement.SpecialUsers.nobody:
        return

    lock_info = getMultiAdapter((obj, obj.REQUEST), name="plone_lock_info")
    if lock_info.is_locked_for_current_user():
        raise Redirect(obj.absolute_url())
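def key_value_provider(self):
    """yield home dossiers
    key: relative path on home client
    value: "%(reference_number): %(title)"

    Yields nothing for anonymous users (traversal) and for an unknown
    client id — previously an unknown client left ``dossiers`` unbound
    and the final loop raised UnboundLocalError.  When the kss
    validation has replaced the site hook, ``getSite()`` is temporarily
    fixed to the portal; it is now restored in ``finally`` so an error
    in ``get_open_dossiers`` cannot leave the hook pointing elsewhere.

    Raises:
        ValueError: the client exists but is not assigned to the current user.
    """
    # if we are not logged in we are in the traversal and should not
    # do anything...
    user = AccessControl.getSecurityManager().getUser()
    if user == AccessControl.SpecialUsers.nobody:
        return

    request = getRequest()
    info = getUtility(IContactInformation)
    comm = getUtility(IClientCommunicator)

    client_id = request.get('client', request.get('form.widgets.client'))
    if type(client_id) in (list, tuple, set):
        client_id = client_id[0]

    client = info.get_client_by_id(client_id)
    if not client:
        return
    if not info.is_client_assigned(client_id=client_id):
        raise ValueError(
            'Expected %s to be a assigned client of the current user.'
            % client_id)

    # kss validation overrides getSite() hook with a bad object
    # but we need getSite to work properly, so we fix it.
    site = getSite()
    if site.__class__.__name__ == 'Z3CFormValidation':
        portal = getToolByName(self.context, 'portal_url').getPortalObject()
        setSite(portal)
        try:
            dossiers = comm.get_open_dossiers(client.client_id)
        finally:
            setSite(site)
    else:
        dossiers = comm.get_open_dossiers(client.client_id)

    for dossier in dossiers:
        yield (dossier['path'],
               '%s: %s' % (dossier['reference_number'], dossier['title']))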
def setUp(self):
    """Build the shared fixture before every test.

    Installs a ``HasProtectedMethods`` instance at ``portal/hpm``, switches
    the security policy to verbose mode, registers the roles used by
    ``role_mapping``, applies those permission grants, creates three users
    with increasing privileges (names redacted in this listing) and finally
    switches the security manager to the user ``boss``, keeping the previous
    manager in ``self._old_sm`` so it can be restored.
    """
    self.portal = self.layer['portal']
    portal = self.portal
    portal._setObject('hpm', HasProtectedMethods('hpm'))

    # Verbose security explains *why* an access check failed -- purely a
    # debugging aid (like "verbose-security on" in zope.conf).
    AccessControl.getSecurityManager()._policy._verbose = 1

    # A role has to exist by name before permissions can be mapped to it
    # or it can be granted to a user.
    for role_name in ('Member', 'VIP', 'Manager'):
        portal._addRole(role_name)
    for permission, roles in role_mapping:
        portal.manage_permission(permission, roles, 1)

    user_roles = (
        ('Member',),
        ('Member', 'VIP'),
        ('Member', 'Manager'),
    )
    for roles in user_roles:
        api.user.create(
            username='******',
            email='*****@*****.**',
            password='******',
            roles=roles,
        )

    # Run the tests as ``boss``; the previous manager is kept for tearDown.
    self._old_sm = AccessControl.SecurityManagement.getSecurityManager()
    AccessControl.SecurityManagement.newSecurityManager(
        self.portal.REQUEST,
        self.portal.acl_users.getUser('boss'),
    )
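def __call__(self, context):
    """Return the sharing entries of groups that hold at least one of the
    context's valid roles.

    The ``plone.principalsource.Groups`` utility is looked up and called so
    a different source can be plugged in; its result is discarded here
    (kept only so behaviour does not change).  The role settings come from
    the ``@@sharing`` view, queried as the ``system`` user because -- per
    the original comment -- the current user would not receive all entries.
    The elevated security manager is restored unconditionally, so the
    elevation cannot outlive this call even when the view raises.
    """
    if context is None:
        context = getSite()

    factory = component.getUtility(
        schema.interfaces.IVocabularyFactory,
        name='plone.principalsource.Groups',
        context=context)
    factory(context)  # result intentionally unused, see docstring

    gtool = getToolByName(context, 'portal_groups')

    # Privilege elevation: keep the window as small as possible and always
    # restore the original manager.
    old_security_manager = AccessControl.getSecurityManager()
    AccessControl.SecurityManagement.newSecurityManager(
        context.REQUEST,
        AccessControl.SecurityManagement.SpecialUsers.system)
    try:
        sharing = context.restrictedTraverse('@@sharing')
        items = sharing.existing_role_settings()
    finally:
        AccessControl.SecurityManagement.setSecurityManager(
            old_security_manager)

    valid_roles = context.validRoles()
    result = []
    for item in items:
        if item['type'] != 'group':
            continue
        group = gtool.getGroupById(item['id'])
        if group is None:
            # Group named in the sharing settings no longer exists; skip it
            # rather than fail on the attribute lookup.
            continue
        if any(group.has_role(role) for role in valid_roles):
            result.append(item)
    return result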
def extjs_enabled(self, view=None):
    """Tell whether the ExtJS front-end should be used.

    ``view`` defaults to the published object of the current request.
    ExtJS is off when that view provides ``INoExtJS`` or when the user is
    anonymous (there is no per-user state, e.g. sorting, to persist for
    ``nobody``); otherwise the answer is the ``extjs_enabled`` record of
    ``ITabbedView`` in the registry.
    """
    if view is None:
        view = self.request.get("PUBLISHED", None)
    if INoExtJS.providedBy(view):
        return False

    current_user = AccessControl.getSecurityManager().getUser()
    if current_user == AccessControl.SpecialUsers.nobody:
        return False

    record_name = "ftw.tabbedview.interfaces.ITabbedView.extjs_enabled"
    return getUtility(IRegistry)[record_name]
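def set_default_tab(self, tab=None, view=None):
    """Store ``tab`` as the current user's default tab and return a JSON
    status message.

    The tab id comes from the argument or from the ``tab`` request
    parameter.  Anonymous users cannot have a personal default, so for them
    the tab is treated as missing and an error message is returned.  The
    storage key is generated for ``view``, or -- when no view is passed --
    for the view named by the ``viewname`` request parameter, or ``self``.

    Returns a JSON-encoded ``[kind, title, message]`` list, ``kind`` being
    ``'error'`` or ``'info'``.
    """
    user = AccessControl.getSecurityManager().getUser()
    if user == AccessControl.SpecialUsers.nobody:
        tab = None
    else:
        tab = tab or self.request.get('tab')

    if not tab:
        return json.dumps([
            'error',
            translate('Error', 'plone', context=self.request),
            translate(_(u'error_set_default_tab',
                        u'Could not set default tab.'),
                      context=self.request)])

    tab_title = translate(tab, 'ftw.tabbedview', context=self.request)
    success = [
        'info',
        translate('Information', 'plone', context=self.request),
        translate(_(u'info_set_default_tab',
                    u'The tab ${title} is now your default tab. ' +
                    u'This is a personal setting.',
                    mapping={'title': tab_title}),
                  context=self.request)]

    # Only resolve the view from the request when none was passed in; the
    # previous if/else unconditionally replaced a passed ``view`` by
    # ``self``, so the parameter was dead.
    if not view:
        viewname = self.request.get('viewname')
        if viewname:
            # ``viewname`` is user-controlled; restrictedTraverse (not
            # unrestrictedTraverse) keeps security checks on every hop.
            view = self.context.restrictedTraverse(viewname)
        else:
            view = self

    key_generator = getMultiAdapter((self.context, view, self.request),
                                    IDefaultTabStorageKeyGenerator)
    key = key_generator.get_key()
    storage = IDictStorage(self)
    storage.set(key, tab.lower())
    return json.dumps(success)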
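def publishRevision(self, object, message):
    """Check in ``object`` as a new published revision and fan out the
    "revised" notifications.

    object: the object to publish; it must implement IMetadata and
        IVersionedObject and already be under version control
    message: log message supplied by the user

    Returns None.  Raises CommitError when the object is not under version
    control.
    """
    if not self.isUnderVersionControl(object):
        raise CommitError(
            "Cannot publish revision of object %s not under version control"
            % object.getId())

    # Handle to the previously published object so its locked status can
    # be preserved; looking it up after the checkin would amount to
    # version inspection.
    origobj = object.getPublishedObject().latest

    storage = self.getStorageForType(object.portal_type)
    # The checkin is attributed to the authenticated user, never to a
    # caller-supplied name.
    user = AccessControl.getSecurityManager().getUser().getUserName()
    storage.checkinResource(object, message, user)
    self.cache.clearSearchCache()

    ### FIXME: We really want the Zope3 event system for these.
    ### Once we get that, we'll want to use something to the effect of:
    ### zope.event.notify(ObjectRevisionPublished)

    # Grab the now-published version.  If this lookup fails the
    # notifications cannot be sent anyway; let the AttributeError surface
    # instead of the NameError the old ``except AttributeError: pass``
    # produced when ``pubobj`` was used unbound.
    pubobj = object.getPublishedObject().latest

    # lens events
    self.lens_tool.notifyLensRevisedObject(pubobj)
    # storage events (mostly collection printing, at the moment)
    storage.notifyObjectRevised(pubobj, origobj)
    # notice of change to all containing collections, latest version only
    for col in self.catalog(containedModuleIds=pubobj.objectId):
        col.getObject().notifyContentsRevised()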
def update(self):
    """Run the keyword post search for this view.

    Determines the group ids to search: when ``self.mg`` is set and the
    user is logged in, the requested ids (``self.g``) are narrowed to the
    user's member groups (or replaced by them if none were requested);
    otherwise they are narrowed to the visible groups (or all visible
    groups if none were requested).  One extra post is fetched to learn
    whether more results exist.  Sets ``posts`` and ``morePosts``; an
    SQLAlchemyError is logged and flags the search as failed.
    """
    self.__updated = True
    self.messageQuery = MessageQuery(self.context)
    # Both of the following should be aquired from adapters.
    self.siteInfo = createObject('groupserver.SiteInfo', self.context)
    self.groupsInfo = createObject('groupserver.GroupsInfo', self.context)
    user = AccessControl.getSecurityManager().getUser()
    self.searchTokens = createObject('groupserver.SearchTextTokens', self.s)

    requested = [gId for gId in self.g if gId]
    self.groupIds = requested

    memberGroupIds = []
    if self.mg and user.getId():
        memberGroups = self.groupsInfo.get_member_groups_for_user(user, user)
        memberGroupIds = [group.getId() for group in memberGroups]

    if memberGroupIds:
        # Membership restricts the search space.
        if requested:
            self.groupIds = [gId for gId in requested
                             if gId in memberGroupIds]
        else:
            self.groupIds = memberGroupIds
    else:
        # Otherwise only what the user is allowed to see is searched.
        if requested:
            self.groupIds = self.groupsInfo.filter_visible_group_ids(
                requested)
        else:
            self.groupIds = self.groupsInfo.get_visible_group_ids()

    try:
        posts = self.messageQuery.post_search_keyword(
            self.searchTokens, self.siteInfo.get_id(), self.groupIds,
            self.a, limit=self.l + 1, offset=self.i)
    except SQLAlchemyError:
        log.exception("A problem occurred with a messageQuery:")
        self.__searchFailed = True
        return

    self.__searchFailed = False
    # One extra row was requested; its presence means there is a next page.
    self.morePosts = (len(posts) == (self.l + 1))
    self.posts = posts[:self.l]