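def http_check_credentials(req, role):
    """Authenticate an HTTP Basic request and authorise it for a role.

    The Authorization request header is decoded into a user name and a
    password, which are handed to auth_apache_user_p.  When that succeeds,
    the user is provisionally attached to the request with setApacheUser so
    that collect_user_info(req) can be evaluated against the definition of
    ``role``.  On success the user stays attached to the request and the
    function returns; in every other case the request is aborted.

    @param req: the request object; its headers_in and headers_out
        mappings are read and written here.
    @param role: the name of the role to check; it is also sent back to the
        client verbatim as the Basic realm.
    @return: None when the user is authenticated and authorised.
    @raise apache.SERVER_RETURN: with apache.HTTP_BAD_REQUEST when the
        Authorization header is not a well-formed Basic credential, and with
        apache.HTTP_UNAUTHORIZED (plus a WWW-Authenticate challenge) when
        credentials are missing, wrong, or not sufficient for the role.
    """
    authorized = False
    if req.headers_in.has_key("Authorization"):
        header = req.headers_in["Authorization"]
        # The credential is taken from a fixed offset, so verify that the
        # six skipped characters really are the Basic scheme (compared
        # case-insensitively) instead of decoding whatever follows them.
        # A different scheme is rejected like any other malformed header.
        if header[:6].lower() != "basic ":
            raise apache.SERVER_RETURN(apache.HTTP_BAD_REQUEST)
        try:
            decoded = base64.decodestring(header[6:])
            # Split on the first colon only: the password may contain ":".
            user, passwd = decoded.split(":", 1)
        except (ValueError, base64.binascii.Error, base64.binascii.Incomplete):
            raise apache.SERVER_RETURN(apache.HTTP_BAD_REQUEST)

        authorized = auth_apache_user_p(user, passwd)
        if authorized:
            # The identity is attached only for the duration of the role
            # check.  The finally clause detaches it again even if the
            # check raises, so a failed check never leaves the request
            # carrying a user that was not authorised for the role.
            setApacheUser(req, user)
            try:
                authorized = acc_firerole_check_user(
                    collect_user_info(req),
                    load_role_definition(acc_get_role_id(role)))
            finally:
                setApacheUser(req, '')

    if not authorized:
        # note that Opera supposedly doesn't like spaces around "=" below
        # NOTE(review): role is interpolated into the header unescaped;
        # this assumes callers pass a fixed, trusted role name -- confirm.
        challenge = 'Basic realm="%s"' % role
        req.headers_out["WWW-Authenticate"] = challenge
        raise apache.SERVER_RETURN(apache.HTTP_UNAUTHORIZED)

    # Authenticated and authorised: attach the identity for good.
    setApacheUser(req, user)
    return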
def isUserSuperAdmin(user_info):
    """Tell whether the user described by user_info is a superadmin.

    Two sources are consulted in order: an explicit, unexpired assignment
    of the SUPERADMINROLE role to user_info['uid'] in the database, and
    then the definition of that role evaluated by acc_firerole_check_user.

    @param user_info: mapping describing the user; only the 'uid' key is
        read directly here.
    @return: True when an explicit assignment exists, otherwise whatever
        acc_firerole_check_user returns for the superadmin role.
    """
    # The role name and the uid are passed as a separate parameter tuple,
    # not formatted into the SQL text.  Expired assignments are excluded
    # by the comparison against NOW().
    # NOTE(review): the trailing 1 presumably caps the rows fetched --
    # confirm against run_sql.
    explicit_grant = run_sql("""SELECT r.id FROM accROLE r LEFT JOIN user_accROLE ur ON r.id = ur.id_accROLE WHERE r.name = %s AND ur.id_user = %s AND ur.expiration>=NOW() LIMIT 1""", (SUPERADMINROLE, user_info['uid']), 1)
    if explicit_grant:
        return True

    # No explicit assignment: fall back to the role definition.
    superadmin_definition = load_role_definition(acc_get_role_id(SUPERADMINROLE))
    return acc_firerole_check_user(user_info, superadmin_definition)
def isUserSuperAdmin(user_info):
    """Report whether user_info belongs to a superadmin.

    An explicit, still valid row linking user_info['uid'] to the
    SUPERADMINROLE role is looked up first.  When none is found, the
    answer is delegated to acc_firerole_check_user with the definition
    of that same role.

    @param user_info: mapping describing the user; 'uid' is the only key
        this function reads itself.
    @return: True for an explicit assignment, else the result of
        acc_firerole_check_user.
    """
    # Values travel in the parameter tuple; the SQL text itself is a
    # constant.  Rows whose expiration lies before NOW() do not match.
    query = """SELECT r.id FROM accROLE r LEFT JOIN user_accROLE ur ON r.id = ur.id_accROLE WHERE r.name = %s AND ur.id_user = %s AND ur.expiration>=NOW() LIMIT 1"""
    bound_values = (SUPERADMINROLE, user_info['uid'])
    if run_sql(query, bound_values, 1):
        return True

    role_id = acc_get_role_id(SUPERADMINROLE)
    return acc_firerole_check_user(user_info, load_role_definition(role_id))
def acc_get_authorized_emails(name_action, **arguments):
    """
    Given the action and its arguments, try to retrieve all the matching
    email addresses of authorized users.

    This is a best effort operation: if an authorized role is defined
    using a FireRole rule based on regular expressions or on IP addresses,
    not every email might be returned.  The result can therefore be
    incomplete and is not a substitute for an access check.  The superadmin
    role is not added automatically (always_add_superadmin=False).

    @param name_action: the name of the action.
    @type name_action: string
    @param arguments: the arguments to the action.
    @return: the authorized emails, lower-cased and stripped for the
        addresses that come from explicit role membership.
    @rtype: set of string
    """
    candidate_roles = acc_find_possible_roles(
        name_action, always_add_superadmin=False, **arguments)

    authorized_emails = set()
    for id_role in candidate_roles:
        # Users explicitly attached to the role; only the middle field of
        # each three-item row is used.
        authorized_emails.update(
            email.lower().strip()
            for _first, email, _third in acc_get_role_users(id_role))
        # Addresses that can be read off the role definition itself.
        role_definition = load_role_definition(id_role)
        authorized_emails.update(acc_firerole_extract_emails(role_definition))
    return authorized_emails