def cmsContent(request, app, uri=None, action='', *args):
info = {}
appfactory = ptah.cms.Factories.get(app)
if appfactory is None:
raise NotFound()
root = appfactory(request)
request.root = root
if not uri:
content = root
else:
content = load(uri)
adapters = config.registry.adapters
action = adapters.lookup(
(IRestActionClassifier, providedBy(content)),
IRestAction, name=action, default=None)
if action:
request.environ['SCRIPT_NAME'] = '%s/content:%s/'%(
request.environ['SCRIPT_NAME'], app)
ptah.checkPermission(action.permission, content, request, True)
res = action.callable(content, request, *args)
if not res: # pragma: no cover
res = {}
return res
raise NotFound()
def test_checkpermission_deny(self):
import ptah
content = Content(acl=[(Allow, ptah.Everyone.id, ALL_PERMISSIONS)])
self.assertTrue(ptah.checkPermission('View', content, throw=False))
self.assertFalse(ptah.checkPermission(
ptah.NOT_ALLOWED, content, throw=False))
def test_checkpermission_allow(self):
import ptah
content = Content(acl=[DENY_ALL])
self.assertFalse(ptah.checkPermission('View', content, throw=False))
self.assertTrue(ptah.checkPermission(
NO_PERMISSION_REQUIRED, content, throw=False))
def test_checkpermission_authenticated(self):
import ptah
content = Content(acl=[(Allow, ptah.Authenticated.id, 'View')])
self.assertFalse(ptah.checkPermission('View', content, throw=False))
ptah.authService.set_userid('test-user')
self.assertTrue(ptah.checkPermission('View', content, throw=False))
def test_checkpermission_superuser(self):
import ptah
from pyramid import security
content = Content(
acl=[(Deny, ptah.SUPERUSER_URI, security.ALL_PERMISSIONS)])
ptah.authService.set_userid(ptah.SUPERUSER_URI)
self.assertTrue(ptah.checkPermission('View', content))
self.assertFalse(ptah.checkPermission(ptah.NOT_ALLOWED, content))
def test_checkpermission_local_roles(self):
import ptah
content = Content(
iface=ptah.ILocalRolesAware,
acl=[(Allow, 'role:test', 'View')])
ptah.authService.set_userid('test-user')
self.assertFalse(ptah.checkPermission('View', content, throw=False))
content.__local_roles__['test-user'] = ['role:test']
self.assertTrue(ptah.checkPermission('View', content, throw=False))
def containerNodeInfo(content, request, *args):
"""Container information"""
info = nodeInfo(content, request)
contents = []
for item in content.values():
if not ptah.checkPermission(View, item, request): # pragma: no cover
continue
contents.append(
OrderedDict((
('__name__', item.__name__),
('__type__', item.__type_id__),
('__uri__', item.__uri__),
('__container__', isinstance(item, Container)),
('__link__', '%s%s/'%(request.application_url,
item.__uri__)),
('title', item.title),
('description', item.description),
('created', item.created),
('modified', item.modified),
)))
info['__contents__'] = contents
return info
def isAllowed(self, container):
if not isinstance(container, Container):
return False
if self.permission:
return ptah.checkPermission(self.permission, container)
return True
def link_view(context, request):
""" This is a default view for a Link model.
If you have permission to edit it it will display the form.
If you do not have ability to edit it; you will be redirected.
"""
can_edit = ptah.checkPermission(ptahcms.ModifyContent, context)
if can_edit:
vform = ptah.form.DisplayForm(context, request) # needs better UI
vform.fields = Link.__type__.fieldset
vform.content = {
'title': context.title,
'description': context.description,
'href': context.href}
vform.update()
# the below render() would display form html without enclosing layout
#return vform.render()
"""
this should render the display form with layout applied
The layout is the "wrapping HTML" e.g. ptahcms.app layout you
see at http://localhost:8080/
"""
layout = view.query_layout(request, context)
return layout(vform.render())
raise HTTPFound(location=context.href)
def update(self):
context = self.context
request = self.request
registry = request.registry
self.deleteContent = ptah.checkPermission(
cms.DeleteContent, context)
# cms(uri).read()
# cms(uri).create(type)
# cms(uri).delete()
# cms(uri).update(**kwargs)
# cms(uri).items(offset, limit)
if self.deleteContent and 'form.buttons.remove' in request.POST:
uris = self.request.POST.getall('item')
for uri in uris:
cms.wrap(uri).delete()
self.message("Selected content items have been removed.")
if 'form.buttons.rename' in request.POST:
uris = self.request.POST.getall('item')
print '=============', uris
if 'form.buttons.cut' in request.POST:
uris = self.request.POST.getall('item')
print '=============', uris
def check(self, context, request):
if self.permission:
if not ptah.checkPermission(self.permission, context, request):
return False
if self.condition is not None:
return self.condition(context, request)
return True
def __getattr__(self, action):
if not self._actions or action not in self._actions:
raise NotFound(action)
fname, permission = self._actions[action]
if permission:
if not ptah.checkPermission(permission, self._content):
raise Forbidden(action)
return ActionWrapper(self._content, fname)
def apidocAction(content, request, *args):
"""api doc"""
actions = []
url = request.application_url
for name, action in config.registry.adapters.lookupAll(
(IRestActionClassifier, providedBy(content)), IRestAction):
if not ptah.checkPermission(
action.permission, content, request):
continue
actions.append(
(name, action.title,
OrderedDict(
(('name', name or 'info'),
('link', '%s%s/%s'%(url, content.__uri__, name)),
('title', action.title),
('description', action.description)))))
actions.sort()
return [action for _t, _n, action in actions]
def load(uri, permission=None):
""" Load node by `uri` and initialize __parent__ attributes. Also checks
permission if permissin is specified.
:param uri: Node uri
:param permission: Check permission on node object
:type permission: Permission id or None
:raise KeyError: Node with this uri is not found.
:raise Forbidden: If current principal doesn't pass permission check on loaded node.
"""
item = ptah.resolve(uri)
if item is not None:
load_parents(item)
if permission is not None:
if not ptah.checkPermission(permission, item):
raise Forbidden()
else:
raise NotFound(uri)
return item
