示例#1
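def http_check_credentials(req, role):
    """Authenticate an HTTP Basic request and authorize it for ``role``.

    The ``Authorization`` request header is decoded into a user name and
    password, which are checked with ``auth_apache_user_p``.  If that
    succeeds, the user is checked against the FireRole definition of
    ``role`` with ``acc_firerole_check_user``.  On success the user name is
    recorded on the request through ``setApacheUser`` and the function
    returns ``None``.

    @param req: the mod_python request object.
    @param role: the name of the role the user must be allowed to use; it
        is also sent back to the client as the Basic realm.
    @raise apache.SERVER_RETURN: with ``apache.HTTP_BAD_REQUEST`` when
        Basic credentials cannot be base64-decoded or carry no ``:``
        separator; with ``apache.HTTP_UNAUTHORIZED`` (and a
        ``WWW-Authenticate`` challenge) when credentials are missing, use a
        scheme other than Basic, fail the password check, or fail the role
        check.

    NOTE(review): Basic credentials are only base64-encoded, not
    encrypted, so this check presumably relies on the connection being
    served over TLS -- confirm against the deployment.
    """
    user = None
    authorized = False

    if req.headers_in.has_key("Authorization"):
        header = req.headers_in["Authorization"]
        # Decode the value only when the client really used the Basic
        # scheme.  Slicing off six characters blindly would feed the
        # parameters of any other scheme into the base64 decoder and, if
        # the result happened to contain a colon, into the password check.
        if header[:6].lower() == "basic ":
            try:
                decoded = base64.decodestring(header[6:])
                user, passwd = decoded.split(":", 1)
            except (ValueError, base64.binascii.Error, base64.binascii.Incomplete):
                raise apache.SERVER_RETURN(apache.HTTP_BAD_REQUEST)

            authorized = auth_apache_user_p(user, passwd)

    if authorized:
        # collect_user_info() is given the request with the user set on it,
        # so the user is set only for the duration of the role check.  The
        # finally clause clears it again even if the role check raises, so
        # a failed check never leaves an identity on the request.
        setApacheUser(req, user)
        try:
            authorized = acc_firerole_check_user(
                collect_user_info(req),
                load_role_definition(acc_get_role_id(role)))
        finally:
            setApacheUser(req, '')

    if not authorized:
        # note that Opera supposedly doesn't like spaces around "=" below
        # The role name goes into the header value unescaped, so it is
        # expected to be a fixed name chosen by the calling code and not
        # request data -- NOTE(review): confirm against callers.
        s = 'Basic realm="%s"' % role
        req.headers_out["WWW-Authenticate"] = s
        raise apache.SERVER_RETURN(apache.HTTP_UNAUTHORIZED)

    # Both the password check and the role check passed.
    setApacheUser(req, user)
    return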
示例#2
def isUserSuperAdmin(user_info):
    """Tell whether the given user holds the superadmin role.

    The user qualifies either through an unexpired row in ``user_accROLE``
    linking ``user_info['uid']`` to the role named ``SUPERADMINROLE``, or
    through the FireRole definition of that role.

    @param user_info: the user description; ``user_info['uid']`` is used
        for the database lookup and the whole mapping is handed to
        ``acc_firerole_check_user``.
    @return: True when a matching database row exists, otherwise the
        result of the FireRole check.
    """
    # Role name and user id are passed as bound parameters, never
    # formatted into the statement text.
    query = """SELECT r.id
        FROM accROLE r LEFT JOIN user_accROLE ur
        ON r.id = ur.id_accROLE
        WHERE r.name = %s AND
        ur.id_user = %s AND ur.expiration>=NOW() LIMIT 1"""
    explicit_grant = run_sql(query, (SUPERADMINROLE, user_info['uid']), 1)
    if explicit_grant:
        return True

    # No direct assignment: fall back to the role's FireRole definition.
    superadmin_definition = load_role_definition(acc_get_role_id(SUPERADMINROLE))
    return acc_firerole_check_user(user_info, superadmin_definition)
示例#3
def isUserSuperAdmin(user_info):
    """Report whether the user is a superadmin.

    First looks for an unexpired ``user_accROLE`` row that ties
    ``user_info['uid']`` to the role named ``SUPERADMINROLE``.  When no
    such row is found, the decision is left to the FireRole definition of
    that role.

    @param user_info: the user description, read for its ``'uid'`` key and
        passed as a whole to ``acc_firerole_check_user``.
    @return: True if the database lookup matches, else whatever
        ``acc_firerole_check_user`` returns.
    """
    # The values are bound through the parameter tuple rather than being
    # interpolated into the SQL text.
    rows = run_sql(
        """SELECT r.id
        FROM accROLE r LEFT JOIN user_accROLE ur
        ON r.id = ur.id_accROLE
        WHERE r.name = %s AND
        ur.id_user = %s AND ur.expiration>=NOW() LIMIT 1""",
        (SUPERADMINROLE, user_info['uid']),
        1)
    if not rows:
        # No explicit assignment; consult the FireRole rules instead.
        role_id = acc_get_role_id(SUPERADMINROLE)
        return acc_firerole_check_user(user_info, load_role_definition(role_id))
    return True
def acc_get_authorized_emails(name_action, **arguments):
    """
    Given the action and its arguments, try to retrieve all the matching
    email addresses of authorized users.
    This is a best effort operation: if an authorized role is defined by a
    FireRole rule based on regular expressions or on IP addresses, not
    every email can be returned, so the result may omit users who are in
    fact authorized.
    @param name_action: the name of the action.
    @type name_action: string
    @param arguments: the arguments to the action.
    @return: the set of authorized emails.
    @rtype: set of string
    """
    collected = set()
    # always_add_superadmin=False is passed through as-is to the role lookup.
    for id_role in acc_find_possible_roles(name_action, always_add_superadmin=False, **arguments):
        # Addresses of users attached to the role are lower-cased and stripped.
        collected.update(
            email.lower().strip()
            for _first, email, _last in acc_get_role_users(id_role))
        # Addresses taken from the role's FireRole definition are added as returned.
        collected.update(acc_firerole_extract_emails(load_role_definition(id_role)))
    return collected
def acc_get_authorized_emails(name_action, **arguments):
    """
    Collect, on a best effort basis, the email addresses of the users
    authorized to perform the given action with the given arguments.
    Roles defined by a FireRole rule based on regular expressions or on
    IP addresses cannot be enumerated, so not every authorized email is
    necessarily part of the result.
    @param name_action: the name of the action.
    @type name_action: string
    @param arguments: the arguments to the action.
    @return: the set of authorized emails.
    @rtype: set of string
    """
    possible_roles = acc_find_possible_roles(
        name_action, always_add_superadmin=False, **arguments)
    emails = set()
    for id_role in possible_roles:
        # Each user row is a triple; only its middle field, the address, is used.
        for _unused_head, address, _unused_tail in acc_get_role_users(id_role):
            normalized = address.lower().strip()
            emails.add(normalized)
        # Merge in the addresses that the FireRole definition names.
        role_definition = load_role_definition(id_role)
        emails = emails | set(acc_firerole_extract_emails(role_definition))
    return emails