Define a super user and use it for searching users.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@5807 20353a03-c40f-0410-a6d1-a30d3c3de9de

product/ERP5Security/ERP5GroupManager.py

@@ -24,11 +24,14 @@ from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
 from Products.PluggableAuthService.utils import classImplements
 from Products.PluggableAuthService.interfaces.plugins import IGroupsPlugin
 from Products.ERP5Type.Cache import CachingMethod
+from Products.PluggableAuthService.PropertiedUser import PropertiedUser
 
 from pickle import dumps, loads
 
 from zLOG import LOG
 
+from ERP5UserManager import SUPER_USER
+
 manage_addERP5GroupManagerForm = PageTemplateFile(
     'www/ERP5Security_addERP5GroupManager', globals(), __name__='manage_addERP5GroupManagerForm' )
 
@@ -65,6 +68,10 @@ class ERP5GroupManager(BasePlugin):
   def getGroupsForPrincipal(self, principal, request=None):
     """ See IGroupsPlugin.
     """
+    # If this is the super user, skip the check.
+    if principal.getId() == SUPER_USER:
+      return ()
+
     def _getGroupsForPrincipal(user_name, path):
       security_category_dict = {} # key is the base_category_list,
                                   # value is the list of fetched categories
@@ -73,10 +80,9 @@ class ERP5GroupManager(BasePlugin):
 
       # because we aren't logged in, we have to create our own
       # SecurityManager to be able to access the Catalog
-      #FIXME here we assume that the portal owner will always have
-      #      enough rights, which might as well be wrong
       sm = getSecurityManager()
-      newSecurityManager(self, self.getPortalObject().getOwner())
+      if sm.getUser() != SUPER_USER:
+        newSecurityManager(self, self.getUser(SUPER_USER))
 
       # To get the complete list of groups, we try to call the
       # ERP5Type_getSecurityCategoryMapping which should return a list

product/ERP5Security/ERP5RoleManager.py

@@ -20,7 +20,9 @@ from AccessControl import ClassSecurityInfo
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
 from Products.PluggableAuthService.utils import classImplements
-from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin
+from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin, IRoleEnumerationPlugin
+
+from ERP5UserManager import SUPER_USER
 
 manage_addERP5RoleManagerForm = PageTemplateFile(
     'www/ERP5Security_addERP5RoleManager', globals(), __name__='manage_addERP5RoleManagerForm' )
@@ -37,7 +39,7 @@ def addERP5RoleManager( dispatcher, id, title=None, REQUEST=None ):
                                 '?manage_tabs_message='
                                 'ERP5RoleManager+added.'
                             % dispatcher.absolute_url())
-        
+ 
 class ERP5RoleManager( BasePlugin ):
 
     """ PAS plugin to add 'Member' as default
@@ -51,7 +53,7 @@ class ERP5RoleManager( BasePlugin ):
 
         self._id = self.id = id
         self.title = title
-        
+
     #
     #   IRolesPlugin implementation
     #
@@ -60,9 +62,17 @@ class ERP5RoleManager( BasePlugin ):
         """ See IRolesPlugin.
         We only ever return Member for every principal
         """
-        
+        if principal.getId() == SUPER_USER:
+          # If this is the super user, give all the roles present in this system.
+          # XXX no API to do this in PAS.
+          rolemakers = self._getPAS().plugins.listPlugins( IRoleEnumerationPlugin )
+          roles = []
+          for rolemaker_id, rolemaker in rolemakers:
+            roles.extend([role['id'] for role in rolemaker.enumerateRoles()])
+          return tuple(roles)
+
         return ('Member',)
-    
+
 classImplements( ERP5RoleManager
                , IRolesPlugin
                )

product/ERP5Security/ERP5UserManager.py

@@ -28,6 +28,9 @@ from Products.ERP5Type.Cache import CachingMethod
 
 from zLOG import LOG
 
+# This user is used to bypass all security checks.
+SUPER_USER = '__erp5security-=__'
+
 manage_addERP5UserManagerForm = PageTemplateFile(
     'www/ERP5Security_addERP5UserManager', globals(), __name__='manage_addERP5UserManagerForm' )
 
@@ -67,6 +70,10 @@ class ERP5UserManager(BasePlugin):
         o We expect the credentials to be those returned by
             ILoginPasswordExtractionPlugin.
         """
+        # Forbidden the usage of the super user.
+        if credentials.get('login') == SUPER_USER:
+          return None
+
         def _authenticateCredentials(login, password, path):
             if login is None or password is None:
                 return None
@@ -80,7 +87,6 @@ class ERP5UserManager(BasePlugin):
 
             if user.getPassword() == password and\
                 user.getCareerRole() == 'internal':
-              LOG('authenticateCredentials', 0, user.getId())
               return login, login # use same for user_id and login
 
             return None
@@ -99,21 +105,32 @@ class ERP5UserManager(BasePlugin):
             user_info = []
             plugin_id = self.getId()
 
-            if not exact_match:
-              id_tuple = tuple(['%%%s%%' % id for id in id_tuple])
+            id_list = []
+            for id in id_tuple:
+              if SUPER_USER == id:
+                info = { 'id' : SUPER_USER
+                        , 'login' : SUPER_USER
+                        , 'pluginid' : plugin_id
+                        }
+                user_info.append(info)
+              else:
+                if exact_match:
+                  id_list.append(id)
+                else:
+                  id_list.append('%%%s%%' % id)
 
-            user_objects = [user for user in self.getUserByLogin(id_tuple)\
-                if user.getCareerRole() == 'internal']
-                #XXX is this static check ok ?
+            if id_list:
+              user_objects = [user for user in self.getUserByLogin(tuple(id_list))\
+                  if user.getCareerRole() == 'internal']
+                  #XXX is this static check ok ?
 
-            for user in user_objects:
-                LOG('enumerateUsers', 0, user.getReference())
-                info = { 'id' : user.getReference()
-                       , 'login' : user.getReference()
-                       , 'pluginid' : plugin_id
-                       }
+              for user in user_objects:
+                  info = { 'id' : user.getReference()
+                          , 'login' : user.getReference()
+                          , 'pluginid' : plugin_id
+                          }
 
-                user_info.append(info)
+                  user_info.append(info)
 
             return tuple(user_info)
 
@@ -135,7 +152,8 @@ class ERP5UserManager(BasePlugin):
         # because we aren't logged in, we have to create our own
         # SecurityManager to be able to access the Catalog
         sm = getSecurityManager()
-        newSecurityManager(self, self.getPortalObject().portal_catalog.getOwner())
+        if sm.getUser() != SUPER_USER:
+          newSecurityManager(self, self.getUser(SUPER_USER))
 
         result = self.getPortalObject().portal_catalog(portal_type="Person", reference=login)