def manage_getPermissionMapping(self):
    """Return the property-sheet permission mapping as a list of dicts.

    Each entry has ``permission_name`` (one of the names in
    ``property_sheet_permissions``) and ``class_permission`` (the class
    permission it is currently mapped to, or ``""`` when the stored value
    matches no known class permission).
    """
    sheet = getattr(self.getClassAttr("propertysheets"), self.id)

    # Reverse lookup: mangled attribute name -> readable permission name.
    by_mangled = {
        pname(perm): perm
        for perm in self.classDefinedAndInheritedPermissions()
    }

    # getattr() has no default here, so a sheet that lacks one of the
    # expected attributes raises AttributeError.
    return [
        {
            "permission_name": sheet_perm,
            "class_permission": by_mangled.get(
                getattr(sheet, pname(sheet_perm)), ""
            ),
        }
        for sheet_perm in property_sheet_permissions
    ]
def _applyAllStaticSecurity(cls):
    """
    Pin every permission on portal_components to a fixed set of roles.

    Each permission returned by getPermissions() becomes a read-only
    'property' on cls, so the role assignment cannot be overwritten on an
    instance. The resulting policy is:

      - 'Reset dynamic classes': Manager only
      - 'Change permissions' / 'Define permissions': no role at all
      - names starting with 'Access ' or 'View', and 'WebDAV access':
        Developer and Manager
      - everything else: the 'ghost' Developer role only

    cls is erp5.portal_type.Component Tool and not this class, as this
    function is called on the Portal Type class when loading the Component
    Tool Portal Type class.
    """
    from AccessControl.Permission import getPermissions, pname

    def _fixed(roles):
        # Bind the tuple through a function argument so each property keeps
        # its own roles rather than whatever the loop assigned last.
        return property(lambda self: roles)

    # Only permissions known to getPermissions() at call time are covered;
    # NOTE(review): a permission registered afterwards would not be pinned
    # by this loop - confirm the call happens late enough.
    for permission_name, _, _ in getPermissions():
        if permission_name == 'Reset dynamic classes':
            roles = ('Manager', )
        elif permission_name in ('Change permissions', 'Define permissions'):
            roles = ()
        elif (permission_name.startswith(('Access ', 'View')) or
              permission_name == 'WebDAV access'):
            # 'View' has no trailing space, so it is a plain prefix match on
            # every permission whose name begins with those four letters.
            roles = ('Developer', 'Manager')
        else:
            # Default for any permission not listed above.
            roles = ('Developer', )
        setattr(cls, pname(permission_name), _fixed(roles))
def _applyAllStaticSecurity(cls):
    """
    Apply static security on portal_components so that nobody can change
    Permissions: only the 'ghost' Developer Role may add/modify/delete
    Components, and the role tuples are exposed through 'property' objects
    so they are read-only.

    cls is erp5.portal_type.Component Tool and not this class, because this
    function is called on the Portal Type class when the Component Tool
    Portal Type class is loaded.
    """
    from AccessControl.Permission import getPermissions, pname

    manager_only = property(lambda self: ('Manager',))
    nobody = property(lambda self: ())
    developer_and_manager = property(lambda self: ('Developer', 'Manager'))
    developer_only = property(lambda self: ('Developer',))

    no_role_permissions = ('Change permissions', 'Define permissions')

    for permission_name, _, _ in getPermissions():
        is_read_access = (permission_name.startswith('Access ') or
                          permission_name.startswith('View') or
                          permission_name == 'WebDAV access')
        if permission_name == 'Reset dynamic classes':
            static_roles = manager_only
        elif permission_name in no_role_permissions:
            # Empty tuple: no role is granted the right to edit permissions.
            static_roles = nobody
        elif is_read_access:
            static_roles = developer_and_manager
        else:
            # Fallback applied to every permission not matched above,
            # including any the policy author did not anticipate.
            static_roles = developer_only
        setattr(cls, pname(permission_name), static_roles)
def setDefaultRoles(permission, roles):
    """Register ``permission`` and store ``roles`` as its default roles.

    The first call for a permission wins: once the name is present in
    ``_registeredPermissions`` a later call returns without changing
    anything, so defaults cannot be tightened or widened afterwards
    through this function.
    """
    # NOTE(review): assumes the attribute assignment belongs to the
    # first-registration branch - confirm against the upstream file.
    if permission in _registeredPermissions:
        return

    _registeredPermissions[permission] = 1
    new_entry = (permission, (), roles)
    Products.__ac_permissions__ = Products.__ac_permissions__ + (new_entry,)
    # Defaults are kept as a class attribute under the mangled name.
    setattr(ApplicationDefaultPermissions, pname(permission), roles)
def manage_getPermissionMapping(self):
    """Report which class permission each property-sheet permission maps to.

    Returns a list with one dict per name in ``property_sheet_permissions``,
    holding 'permission_name' and 'class_permission'. The latter is '' when
    the value stored on the sheet is not the mangled name of a permission
    defined or inherited by the class.
    """
    sheets = self.getClassAttr('propertysheets')
    sheet = getattr(sheets, self.id)

    # Map mangled attribute names back to readable permission names.
    readable = {}
    for class_perm in self.classDefinedAndInheritedPermissions():
        readable[pname(class_perm)] = class_perm

    mapping = []
    for sheet_perm in property_sheet_permissions:
        stored = getattr(sheet, pname(sheet_perm))
        mapping.append({
            'permission_name': sheet_perm,
            'class_permission': readable.get(stored, ''),
        })
    return mapping
def manage_setPermissionMapping(self, permission_names=[], class_permissions=[], REQUEST=None):
    """Change property sheet permissions.

    ``permission_names`` and ``class_permissions`` are parallel sequences:
    entry *i* of the first is mapped to entry *i* of the second. Names not
    in ``property_sheet_permissions`` are skipped. Raises ValueError when a
    non-empty class permission is not defined or inherited by the class, and
    IndexError when ``class_permissions`` is shorter than
    ``permission_names``.

    Checking and assignment are interleaved, so pairs that precede an
    invalid one have already been written when the exception is raised.
    NOTE(review): presumably the surrounding request transaction is aborted
    in that case - confirm.
    """
    sheet = getattr(self.getClassAttr("propertysheets"), self.id)
    perms = self.classDefinedAndInheritedPermissions()

    for i, name in enumerate(permission_names):
        p = class_permissions[i]
        # An empty class permission skips this check and is still mangled
        # and stored below.
        if p and p not in perms:
            # Local with this exact name is left in the frame for the
            # traceback; it is not used anywhere else in this function.
            __traceback_info__ = perms, p, i
            raise ValueError("Invalid class permission")
        if name in property_sheet_permissions:
            setattr(sheet, pname(name), pname(p))

    if REQUEST is None:
        return None
    return self.manage_security(
        self, REQUEST,
        manage_tabs_message="The permission mapping has been updated")
def setDefaultRoles(permission, roles):
    '''
    Set the default roles for a permission the first time it is seen.

    A permission already present in _registeredPermissions is left as it
    is, so a repeated call with different roles has no effect.
    '''
    # XXX This ought to be in AccessControl.SecurityInfo.
    # NOTE(review): assumes the attribute assignment belongs to the
    # first-registration branch - confirm against the upstream file.
    if permission in _registeredPermissions:
        return
    _registeredPermissions[permission] = 1
    Products.__ac_permissions__ += ((permission, (), roles),)
    attribute_name = pname(permission)
    setattr(ApplicationDefaultPermissions, attribute_name, roles)
def setDefaultRoles(permission, roles):
    '''
    Record the default roles of a permission on first registration.

    The permission is added to _registeredPermissions and to
    Products.__ac_permissions__, and the roles are stored on
    ApplicationDefaultPermissions under the mangled permission name.
    Calls for an already registered permission change nothing.
    '''
    # XXX This ought to be in AccessControl.SecurityInfo.
    # NOTE(review): assumes the attribute assignment belongs to the
    # first-registration branch - confirm against the upstream file.
    already_known = permission in _registeredPermissions
    if not already_known:
        _registeredPermissions[permission] = 1
        declaration = (permission, (), roles)
        Products.__ac_permissions__ = (
            Products.__ac_permissions__ + (declaration, ))
        setattr(ApplicationDefaultPermissions, pname(permission), roles)
def manage_setPermissionMapping(self, permission_names=[], class_permissions=[], REQUEST=None):
    """Change property sheet permissions

    Maps permission_names[i] to class_permissions[i] for every index of
    permission_names. A non-empty class permission that the class neither
    defines nor inherits raises ValueError; a permission name outside
    property_sheet_permissions is ignored. When REQUEST is given, the
    security management page is returned with a confirmation message.
    """
    sheets = self.getClassAttr('propertysheets')
    target = getattr(sheets, self.id)
    allowed = self.classDefinedAndInheritedPermissions()

    index = 0
    total = len(permission_names)
    while index < total:
        sheet_permission = permission_names[index]
        # Indexed access (not zip) so a short class_permissions list still
        # fails with IndexError instead of being silently truncated.
        class_permission = class_permissions[index]
        if class_permission and class_permission not in allowed:
            __traceback_info__ = allowed, class_permission, index
            raise ValueError('Invalid class permission')
        if sheet_permission in property_sheet_permissions:
            # Earlier pairs stay applied if a later pair raises above.
            setattr(target, pname(sheet_permission), pname(class_permission))
        index += 1

    if REQUEST is not None:
        return self.manage_security(
            self, REQUEST,
            manage_tabs_message='The permission mapping has been updated')
def setDefaultRoles(permission, roles):
    '''
    Set the default roles for a permission.

    Delegates to addPermission when that name is available; otherwise
    performs the registration by hand. In the manual path a permission that
    is already in _registeredPermissions is left unchanged.
    '''
    if addPermission is not None:
        addPermission(permission, roles)
        return

    # BBB This is in AccessControl starting in Zope 2.13
    import Products
    # NOTE(review): assumes the attribute assignment belongs to the
    # first-registration branch - confirm against the upstream file.
    if permission in _registeredPermissions:
        return
    _registeredPermissions[permission] = 1
    Products.__ac_permissions__ = (
        Products.__ac_permissions__ + ((permission, (), roles),))
    setattr(ApplicationDefaultPermissions, pname(permission), roles)
def get_permission_dict():
    """Return a dictionary mapping permission attribute name to permission.

    The mapping is built once from ``Products.__ac_permissions__`` and then
    served from a module-level cache, so permissions added to that tuple
    after the first call are not reflected in the result.

    Does not discover permissions defined in ZClass products, since that
    would require access to the Zope application in the database.
    """
    global _permission_dict_cache
    if _permission_dict_cache is None:
        by_attr = {}
        for declaration in Products.__ac_permissions__:
            permission = declaration[0]
            by_attr[pname(permission)] = permission
        _permission_dict_cache = by_attr
    # Callers receive the cached dict itself, not a copy.
    return _permission_dict_cache
def setDefaultRoles(permission, roles):
    '''
    Set the default roles for a permission.

    Uses addPermission when it is not None. The fallback registers the
    permission in _registeredPermissions and Products.__ac_permissions__
    and stores the roles on ApplicationDefaultPermissions; it does nothing
    for a permission that is already registered.
    '''
    if addPermission is None:
        # BBB This is in AccessControl starting in Zope 2.13
        import Products
        # NOTE(review): assumes the attribute assignment belongs to the
        # first-registration branch - confirm against the upstream file.
        if permission not in _registeredPermissions:
            _registeredPermissions[permission] = 1
            declaration = (permission, (), roles)
            Products.__ac_permissions__ = (
                Products.__ac_permissions__ + (declaration, ))
            attribute_name = pname(permission)
            setattr(ApplicationDefaultPermissions, attribute_name, roles)
    else:
        addPermission(permission, roles)
def setDefaultRoles(permission, roles):
    """ Set the default roles for a permission.

    Delegates to ``addPermission`` when it is available. Otherwise the
    permission is registered by hand, and only if it is not yet present in
    AccessControl's ``_registeredPermissions``; an existing registration is
    never modified by this function.
    """
    if addPermission is not None:
        addPermission(permission, roles)
        return

    # BBB This is in AccessControl starting in Zope 2.13
    from AccessControl.Permission import _registeredPermissions
    from AccessControl.Permission import pname
    from AccessControl.Permission import ApplicationDefaultPermissions
    import Products

    # NOTE(review): assumes the attribute assignment belongs to the
    # first-registration branch - confirm against the upstream file.
    if permission in _registeredPermissions:
        return
    _registeredPermissions[permission] = 1
    declaration = (permission, (), roles)
    Products.__ac_permissions__ = Products.__ac_permissions__ + (declaration,)
    setattr(ApplicationDefaultPermissions, pname(permission), roles)
def setDefaultRoles( permission, roles ):
    """ Set the default roles for a permission.

    Hands the work to addPermission when that name is not None. The
    fallback touches three pieces of AccessControl state: the
    _registeredPermissions registry, the Products.__ac_permissions__ tuple
    and the attribute on ApplicationDefaultPermissions that holds the
    roles. It is a no-op for a permission that is already registered.
    """
    if addPermission is None:
        # BBB This is in AccessControl starting in Zope 2.13
        from AccessControl.Permission import _registeredPermissions
        from AccessControl.Permission import pname
        from AccessControl.Permission import ApplicationDefaultPermissions
        import Products

        # NOTE(review): assumes the attribute assignment belongs to the
        # first-registration branch - confirm against the upstream file.
        first_registration = permission not in _registeredPermissions
        if first_registration:
            _registeredPermissions[permission] = 1
            Products.__ac_permissions__ += ((permission, (), roles),)
            setattr(ApplicationDefaultPermissions, pname(permission), roles)
    else:
        addPermission(permission, roles)
def manage_getPermissionMapping(self):
    """Return the permission mapping for the object

    This is a list of dictionaries with:

      permission_name -- The name of the native object permission

      class_permission -- The class permission the permission is
         mapped to, or '' when the stored mapping does not correspond to
         one of the object's possible permissions.
    """
    mapper = getattr(self, '_permissionMapper', None)
    if mapper is None:
        # No mapper stored on the object: look values up on a fresh PM().
        mapper = PM()

    # Mangled attribute name -> readable permission name.
    readable = {}
    for permission in self.possible_permissions():
        readable[pname(permission)] = permission

    result = []
    for inherited in self.ac_inherited_permissions(1):
        native_name = inherited[0]
        mapped_to = getPermissionMapping(native_name, mapper)
        result.append({
            'permission_name': native_name,
            'class_permission': readable.get(mapped_to, ''),
        })
    return result
#####################
# Newly created sites
from AccessControl.Permission import _registeredPermissions
from AccessControl.Permission import ApplicationDefaultPermissions
from AccessControl.Permission import pname
from Products.kupu.plone import permissions

# Reset the default roles of kupu's ManageLibraries permission: drop the
# existing default-roles attribute and the registry entry, then register
# the permission again with the roles listed below.
# NOTE(review): the registry entry is presumably removed so that the
# re-registration is not skipped as "already registered" - confirm. This
# reaches into AccessControl's private _registeredPermissions and changes a
# process-wide default, so it affects every site served by this process.
manage_libraries = permissions.ManageLibraries
mangled = pname(manage_libraries)

if hasattr(ApplicationDefaultPermissions, mangled):
    delattr(ApplicationDefaultPermissions, mangled)

_registeredPermissions.pop(manage_libraries, None)

permissions.setDefaultRoles(manage_libraries, ("Manager", "Site Administrator"))
def deserialize(self, event, state):
    """Apply serialized security declarations to ``event.obj``.

    ``state`` is an iterable of ``(decl_type, role, permission, username)``
    records. Depending on ``decl_type`` a record sets the executable owner,
    adds a local role, defines a role, adds a proxy role, grants a
    permission to a role, or switches acquisition off for a permission.

    Raises ValueError for an unknown declaration type and AssertionError
    when a record carries a field its type must leave empty.
    """
    # NOTE(review): the per-record field checks are ``assert`` statements,
    # which are compiled out under ``python -O``; the owner, local roles and
    # proxy roles are taken from ``state`` as given and are not checked
    # against any user source here. Treat the stored state as trusted input.
    local_roles = {}          # { username -> [role,] }
    defined_roles = []        # [role,]
    proxy_roles = []          # [role,]
    permission_roles = {}     # { permission -> [role,] }
    permission_acquired = {}  # { permission -> 0 or 1 }
    obj = event.obj

    for decl_type, role, permission, username in state:
        if decl_type == 'executable-owner':
            assert not role
            assert not permission
            slash = username.rfind('/')
            if slash >= 0:
                ufolder = list(username[:slash].split('/'))
                uname = username[slash + 1:]
            else:
                # Default to the root folder
                ufolder = ['acl_users']
                uname = username
            assert ufolder
            assert uname
            obj._owner = (ufolder, uname)

        elif decl_type == 'local-role':
            # role and username are not verified to be non-empty.
            assert not permission
            local_roles.setdefault(username, []).append(role)

        elif decl_type == 'define-role':
            assert not permission
            assert not username
            defined_roles.append(role)

        elif decl_type == 'proxy-role':
            assert not permission
            assert not username
            proxy_roles.append(role)

        elif decl_type == 'permission-role':
            assert not username
            permission_roles.setdefault(permission, []).append(role)
            # Acquisition stays on unless a 'permission-no-acquire' record
            # for the same permission says otherwise.
            permission_acquired.setdefault(permission, 1)

        elif decl_type == 'permission-no-acquire':
            assert not role
            assert not username
            permission_acquired[permission] = 0

        else:
            raise ValueError('declaration_type %s unknown' % repr(decl_type))

    if local_roles:
        obj.__ac_local_roles__ = local_roles
    if defined_roles:
        defined_roles.sort()
        obj.__ac_roles__ = tuple(defined_roles)
    if proxy_roles:
        obj._proxy_roles = tuple(proxy_roles)

    for p, acquired in permission_acquired.items():
        roles = permission_roles.get(p, [])
        if not acquired:
            # Stored as a tuple when acquisition is off, as a list when on.
            roles = tuple(roles)
        setattr(obj, pname(p), roles)
#####################
# Newly created sites
from AccessControl.Permission import _registeredPermissions
from AccessControl.Permission import ApplicationDefaultPermissions
from AccessControl.Permission import pname
from Products.kupu.plone import permissions

# Replace the default roles of ManageLibraries. Both places that remember
# the earlier registration are cleared first: the attribute on
# ApplicationDefaultPermissions and the entry in _registeredPermissions.
# NOTE(review): Products.__ac_permissions__ is not touched here, so any
# earlier declaration for this permission stays in that tuple - confirm
# nothing reads the roles from there.
target_permission = permissions.ManageLibraries
new_default_roles = ('Manager', 'Site Administrator',)

mangled = pname(target_permission)
if hasattr(ApplicationDefaultPermissions, mangled):
    delattr(ApplicationDefaultPermissions, mangled)

if target_permission in _registeredPermissions:
    del _registeredPermissions[target_permission]

permissions.setDefaultRoles(target_permission, new_default_roles)
def deserialize(self, event, state):
    """Restore owner, roles and permission settings on ``event.obj``.

    Every record of ``state`` is unpacked as
    ``(decl_type, role, permission, username)``. The records are collected
    first and written to the object after the loop, except for the
    executable owner, which is assigned as soon as its record is read.

    Raises ValueError when ``decl_type`` is not one of the six known
    values. Fields that a declaration type must leave empty are checked
    with ``assert`` only.
    """
    # NOTE(review): with assertions disabled (``python -O``) none of the
    # field checks below run, e.g. an owner record with an empty user name
    # would be accepted. Nothing in this method checks that the named users
    # or roles exist.
    obj = event.obj
    roles_by_user = {}        # { username -> [role,] }
    declared_roles = []       # [role,]
    proxies = []              # [role,]
    roles_by_permission = {}  # { permission -> [role,] }
    acquire_flags = {}        # { permission -> 0 or 1 }

    for decl_type, role, permission, username in state:
        if decl_type == 'executable-owner':
            assert not role
            assert not permission
            folder_path, separator, uname = username.rpartition('/')
            if separator:
                ufolder = folder_path.split('/')
            else:
                # Default to the root folder
                ufolder = ['acl_users']
            assert ufolder
            assert uname
            obj._owner = (ufolder, uname)
            continue

        if decl_type == 'local-role':
            assert not permission
            if username not in roles_by_user:
                roles_by_user[username] = []
            roles_by_user[username].append(role)
            continue

        if decl_type == 'define-role':
            assert not permission
            assert not username
            declared_roles.append(role)
            continue

        if decl_type == 'proxy-role':
            assert not permission
            assert not username
            proxies.append(role)
            continue

        if decl_type == 'permission-role':
            assert not username
            if permission not in roles_by_permission:
                roles_by_permission[permission] = []
            roles_by_permission[permission].append(role)
            if permission not in acquire_flags:
                acquire_flags[permission] = 1
            continue

        if decl_type == 'permission-no-acquire':
            assert not role
            assert not username
            acquire_flags[permission] = 0
            continue

        raise ValueError(
            'declaration_type %s unknown' % repr(decl_type))

    if roles_by_user:
        obj.__ac_local_roles__ = roles_by_user
    if declared_roles:
        declared_roles.sort()
        obj.__ac_roles__ = tuple(declared_roles)
    if proxies:
        obj._proxy_roles = tuple(proxies)

    for permission, acquired in acquire_flags.items():
        granted = roles_by_permission.get(permission, [])
        # A permission with acquisition off and no role records ends up
        # with an empty tuple.
        setattr(obj, pname(permission),
                granted if acquired else tuple(granted))
def getPermissionMapping(name, obj, st=type('')):
    """Return the mapping stored on ``obj`` for permission ``name``.

    The value is read from the attribute named ``pname(name)`` on
    ``obj.aq_base`` when that attribute exists, else on ``obj`` itself.
    Anything whose type is not exactly ``st`` (the string type by default),
    including a missing attribute, yields ``''``.
    """
    base = getattr(obj, 'aq_base', obj)
    stored = getattr(base, pname(name), '')
    # Exact type comparison: a subclass of ``st`` is treated as "no mapping".
    if type(stored) is st:
        return stored
    return ''
def setPermissionMapping(name, obj, v):
    """Store or clear the mapping of permission ``name`` on ``obj``.

    A truthy ``v`` is stored in mangled form under the mangled ``name``.
    A falsy ``v`` removes the attribute, but only when it is set in
    ``obj.__dict__``; a value that comes from the class is left alone.
    """
    attribute_name = pname(name)
    if v:
        setattr(obj, attribute_name, pname(v))
        return
    if attribute_name in obj.__dict__:
        delattr(obj, attribute_name)