Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
erp5
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
7
Merge Requests
7
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Jobs
Commits
Open sidebar
Jérome Perrin
erp5
Commits
975ad4d7
Commit
975ad4d7
authored
Nov 26, 2015
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
ERP5Security: cleanup. fix indentation and remove unused import.
parent
3751610a
Changes
11
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
11 changed files
with
473 additions
and
481 deletions
+473
-481
product/ERP5Security/ERP5AccessTokenExtractionPlugin.py
product/ERP5Security/ERP5AccessTokenExtractionPlugin.py
+5
-6
product/ERP5Security/ERP5BearerExtractionPlugin.py
product/ERP5Security/ERP5BearerExtractionPlugin.py
+7
-7
product/ERP5Security/ERP5DumbHTTPExtractionPlugin.py
product/ERP5Security/ERP5DumbHTTPExtractionPlugin.py
+5
-5
product/ERP5Security/ERP5ExternalAuthenticationPlugin.py
product/ERP5Security/ERP5ExternalAuthenticationPlugin.py
+5
-5
product/ERP5Security/ERP5ExternalOauth2ExtractionPlugin.py
product/ERP5Security/ERP5ExternalOauth2ExtractionPlugin.py
+12
-12
product/ERP5Security/ERP5GroupManager.py
product/ERP5Security/ERP5GroupManager.py
+0
-4
product/ERP5Security/ERP5KeyAuthPlugin.py
product/ERP5Security/ERP5KeyAuthPlugin.py
+24
-28
product/ERP5Security/ERP5RoleManager.py
product/ERP5Security/ERP5RoleManager.py
+42
-42
product/ERP5Security/ERP5UserFactory.py
product/ERP5Security/ERP5UserFactory.py
+91
-91
product/ERP5Security/ERP5UserManager.py
product/ERP5Security/ERP5UserManager.py
+184
-183
product/ERP5Security/__init__.py
product/ERP5Security/__init__.py
+98
-98
No files found.
product/ERP5Security/ERP5AccessTokenExtractionPlugin.py
View file @
975ad4d7
...
...
@@ -28,7 +28,6 @@
#
##############################################################################
from
zLOG
import
LOG
,
PROBLEM
from
Products.ERP5Type.Globals
import
InitializeClass
from
AccessControl
import
ClassSecurityInfo
...
...
@@ -102,11 +101,11 @@ def addERP5AccessTokenExtractionPlugin(dispatcher, id, title=None, REQUEST=None)
dispatcher
.
_setObject
(
plugin
.
getId
(),
plugin
)
if
REQUEST
is
not
None
:
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5AccessTokenExtractionPlugin+added.'
%
dispatcher
.
absolute_url
())
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5AccessTokenExtractionPlugin+added.'
%
dispatcher
.
absolute_url
())
#List implementation of class
classImplements
(
ERP5AccessTokenExtractionPlugin
,
...
...
product/ERP5Security/ERP5BearerExtractionPlugin.py
View file @
975ad4d7
...
...
@@ -35,8 +35,8 @@ from Products.PluggableAuthService.utils import classImplements
from
Products.PluggableAuthService.plugins.BasePlugin
import
BasePlugin
from
Products.ERP5Security.ERP5UserManager
import
SUPER_USER
from
Products.PluggableAuthService.PluggableAuthService
import
DumbHTTPExtractor
from
AccessControl.SecurityManagement
import
getSecurityManager
,
\
setSecurityManager
,
newSecurityManager
from
AccessControl.SecurityManagement
import
getSecurityManager
,
\
setSecurityManager
,
newSecurityManager
#Form for new plugin in ZMI
manage_addERP5BearerExtractionPluginForm
=
PageTemplateFile
(
...
...
@@ -50,11 +50,11 @@ def addERP5BearerExtractionPlugin(dispatcher, id, title=None, REQUEST=None):
dispatcher
.
_setObject
(
plugin
.
getId
(),
plugin
)
if
REQUEST
is
not
None
:
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5BearerExtractionPlugin+added.'
%
dispatcher
.
absolute_url
())
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5BearerExtractionPlugin+added.'
%
dispatcher
.
absolute_url
())
class
ERP5BearerExtractionPlugin
(
BasePlugin
):
"""
...
...
product/ERP5Security/ERP5DumbHTTPExtractionPlugin.py
View file @
975ad4d7
...
...
@@ -69,11 +69,11 @@ def addERP5DumbHTTPExtractionPlugin(dispatcher, id, title=None, REQUEST=None):
dispatcher
.
_setObject
(
plugin
.
getId
(),
plugin
)
if
REQUEST
is
not
None
:
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5DumbHTTPExtractionPlugin+added.'
%
dispatcher
.
absolute_url
())
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5DumbHTTPExtractionPlugin+added.'
%
dispatcher
.
absolute_url
())
#List implementation of class
classImplements
(
ERP5DumbHTTPExtractionPlugin
,
...
...
product/ERP5Security/ERP5ExternalAuthenticationPlugin.py
View file @
975ad4d7
...
...
@@ -49,11 +49,11 @@ def addERP5ExternalAuthenticationPlugin(dispatcher, id, title=None, user_id_key=
dispatcher
.
_setObject
(
plugin
.
getId
(),
plugin
)
if
REQUEST
is
not
None
:
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5ExternalAuthenticationPlugin+added.'
%
dispatcher
.
absolute_url
())
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5ExternalAuthenticationPlugin+added.'
%
dispatcher
.
absolute_url
())
class
ERP5ExternalAuthenticationPlugin
(
BasePlugin
):
"""
...
...
product/ERP5Security/ERP5ExternalOauth2ExtractionPlugin.py
View file @
975ad4d7
...
...
@@ -35,8 +35,8 @@ from Products.PluggableAuthService.utils import classImplements
from
Products.PluggableAuthService.plugins.BasePlugin
import
BasePlugin
from
Products.ERP5Security.ERP5UserManager
import
SUPER_USER
from
Products.PluggableAuthService.PluggableAuthService
import
DumbHTTPExtractor
from
AccessControl.SecurityManagement
import
getSecurityManager
,
\
setSecurityManager
,
newSecurityManager
from
AccessControl.SecurityManagement
import
getSecurityManager
,
\
setSecurityManager
,
newSecurityManager
from
Products.ERP5Type.Cache
import
DEFAULT_CACHE_SCOPE
import
socket
from
Products.ERP5Security.ERP5UserManager
import
getUserByLogin
...
...
@@ -66,11 +66,11 @@ def addERP5FacebookExtractionPlugin(dispatcher, id, title=None, REQUEST=None):
dispatcher
.
_setObject
(
plugin
.
getId
(),
plugin
)
if
REQUEST
is
not
None
:
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5FacebookExtractionPlugin+added.'
%
dispatcher
.
absolute_url
())
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5FacebookExtractionPlugin+added.'
%
dispatcher
.
absolute_url
())
#Form for new plugin in ZMI
manage_addERP5GoogleExtractionPluginForm
=
PageTemplateFile
(
...
...
@@ -84,11 +84,11 @@ def addERP5GoogleExtractionPlugin(dispatcher, id, title=None, REQUEST=None):
dispatcher
.
_setObject
(
plugin
.
getId
(),
plugin
)
if
REQUEST
is
not
None
:
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5GoogleExtractionPlugin+added.'
%
dispatcher
.
absolute_url
())
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5GoogleExtractionPlugin+added.'
%
dispatcher
.
absolute_url
())
class
ERP5ExternalOauth2ExtractionPlugin
:
...
...
product/ERP5Security/ERP5GroupManager.py
View file @
975ad4d7
...
...
@@ -17,8 +17,6 @@
from
Products.ERP5Type.Globals
import
InitializeClass
from
AccessControl
import
ClassSecurityInfo
from
AccessControl.SecurityManagement
import
newSecurityManager
,
\
getSecurityManager
,
setSecurityManager
from
Products.PageTemplates.PageTemplateFile
import
PageTemplateFile
from
Products.PluggableAuthService.plugins.BasePlugin
import
BasePlugin
from
Products.PluggableAuthService.utils
import
classImplements
...
...
@@ -28,7 +26,6 @@ from Products.ERP5Type.ERP5Type \
import
ERP5TYPE_SECURITY_GROUP_ID_GENERATION_SCRIPT
from
Products.ERP5Type.UnrestrictedMethod
import
UnrestrictedMethod
from
Products.ZSQLCatalog.SQLCatalog
import
SimpleQuery
from
Products.PluggableAuthService.PropertiedUser
import
PropertiedUser
from
ZODB.POSException
import
ConflictError
import
sys
...
...
@@ -130,7 +127,6 @@ class ERP5GroupManager(BasePlugin):
else
:
# no person is linked to this user login
return
()
person_object
=
catalog_result
[
0
].
getObject
()
person_id
=
person_object
.
getId
()
# Fetch category values from defined scripts
for
(
method_name
,
base_category_list
)
in
security_definition_list
:
...
...
product/ERP5Security/ERP5KeyAuthPlugin.py
View file @
975ad4d7
...
...
@@ -35,9 +35,6 @@ from Products.ERP5Type.Globals import InitializeClass
from
zope.interface
import
Interface
from
AccessControl
import
ClassSecurityInfo
from
AccessControl.SecurityManagement
import
getSecurityManager
,
\
newSecurityManager
,
\
setSecurityManager
from
Products.PageTemplates.PageTemplateFile
import
PageTemplateFile
...
...
@@ -49,8 +46,8 @@ from Products.PluggableAuthService.plugins.CookieAuthHelper import CookieAuthHel
from
Products.ERP5Type.Cache
import
CachingMethod
from
Products.ERP5Type.UnrestrictedMethod
import
UnrestrictedMethod
from
Products.ERP5Security.ERP5UserManager
import
ERP5UserManager
,
\
SUPER_USER
,
\
from
Products.ERP5Security.ERP5UserManager
import
ERP5UserManager
,
\
SUPER_USER
,
\
_AuthenticationFailure
from
Crypto.Cipher
import
AES
...
...
@@ -136,22 +133,22 @@ manage_addERP5KeyAuthPluginForm = PageTemplateFile(
'www/ERP5Security_addERP5KeyAuthPlugin'
,
globals
(),
__name__
=
'manage_addERP5KeyAuthPluginForm'
)
def
addERP5KeyAuthPlugin
(
dispatcher
,
id
,
title
=
None
,
\
encryption_key
=
''
,
cipher
=
'AES'
,
cookie_name
=
''
,
\
def
addERP5KeyAuthPlugin
(
dispatcher
,
id
,
title
=
None
,
encryption_key
=
''
,
cipher
=
'AES'
,
cookie_name
=
''
,
default_cookie_name
=
''
,
REQUEST
=
None
):
""" Add a ERP5KeyAuthPlugin to a Pluggable Auth Service. """
""" Add a ERP5KeyAuthPlugin to a Pluggable Auth Service. """
plugin
=
ERP5KeyAuthPlugin
(
id
=
id
,
title
=
title
,
encryption_key
=
encryption_key
,
cipher
=
cipher
,
cookie_name
=
cookie_name
,
default_cookie_name
=
default_cookie_name
)
dispatcher
.
_setObject
(
plugin
.
getId
(),
plugin
)
plugin
=
ERP5KeyAuthPlugin
(
id
=
id
,
title
=
title
,
encryption_key
=
encryption_key
,
cipher
=
cipher
,
cookie_name
=
cookie_name
,
default_cookie_name
=
default_cookie_name
)
dispatcher
.
_setObject
(
plugin
.
getId
(),
plugin
)
if
REQUEST
is
not
None
:
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5KeyAuthPlugin+added.'
%
dispatcher
.
absolute_url
())
if
REQUEST
is
not
None
:
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5KeyAuthPlugin+added.'
%
dispatcher
.
absolute_url
())
class
ERP5KeyAuthPlugin
(
ERP5UserManager
,
CookieAuthHelper
):
"""
...
...
@@ -277,9 +274,9 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
if
creds
:
creds
[
'remote_host'
]
=
request
.
get
(
'REMOTE_HOST'
,
''
)
try
:
creds
[
'remote_address'
]
=
request
.
getClientAddr
()
creds
[
'remote_address'
]
=
request
.
getClientAddr
()
except
AttributeError
:
creds
[
'remote_address'
]
=
request
.
get
(
'REMOTE_ADDR'
,
''
)
creds
[
'remote_address'
]
=
request
.
get
(
'REMOTE_ADDR'
,
''
)
except
StandardError
,
e
:
#Log standard error to check error
LOG
(
'ERP5KeyAuthPlugin.extractCredentials'
,
PROBLEM
,
str
(
e
))
...
...
@@ -373,14 +370,13 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
id
=
'ERP5KeyAuthPlugin_authenticateCredentials'
,
cache_factory
=
'erp5_content_short'
)
try
:
return
_authenticateCredentials
(
login
=
login
)
return
_authenticateCredentials
(
login
=
login
)
except
_AuthenticationFailure
:
return
None
return
None
except
StandardError
,
e
:
#Log standard error
LOG
(
'ERP5KeyAuthPlugin.authenticateCredentials'
,
PROBLEM
,
str
(
e
))
return
None
#Log standard error
LOG
(
'ERP5KeyAuthPlugin.authenticateCredentials'
,
PROBLEM
,
str
(
e
))
return
None
################################
# Properties for ZMI managment #
...
...
@@ -429,8 +425,8 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
#Redirect
if
RESPONSE
is
not
None
:
if
error_message
!=
''
:
self
.
REQUEST
.
form
[
'manage_tabs_message'
]
=
error_message
return
self
.
manage_editERP5KeyAuthPluginForm
(
RESPONSE
)
self
.
REQUEST
.
form
[
'manage_tabs_message'
]
=
error_message
return
self
.
manage_editERP5KeyAuthPluginForm
(
RESPONSE
)
else
:
message
=
"Updated"
RESPONSE
.
redirect
(
'%s/manage_editERP5KeyAuthPluginForm'
...
...
product/ERP5Security/ERP5RoleManager.py
View file @
975ad4d7
...
...
@@ -20,60 +20,60 @@ from AccessControl import ClassSecurityInfo
from
Products.PageTemplates.PageTemplateFile
import
PageTemplateFile
from
Products.PluggableAuthService.plugins.BasePlugin
import
BasePlugin
from
Products.PluggableAuthService.utils
import
classImplements
from
Products.PluggableAuthService.interfaces.plugins
import
IRolesPlugin
,
\
IRoleEnumerationPlugin
from
Products.PluggableAuthService.interfaces.plugins
import
IRolesPlugin
,
\
IRoleEnumerationPlugin
from
ERP5UserManager
import
SUPER_USER
manage_addERP5RoleManagerForm
=
PageTemplateFile
(
'www/ERP5Security_addERP5RoleManager'
,
globals
(),
__name__
=
'manage_addERP5RoleManagerForm'
)
'www/ERP5Security_addERP5RoleManager'
,
globals
(),
__name__
=
'manage_addERP5RoleManagerForm'
)
def
addERP5RoleManager
(
dispatcher
,
id
,
title
=
None
,
REQUEST
=
None
):
""" Add a ERP5RoleManager to a Pluggable Auth Service. """
""" Add a ERP5RoleManager to a Pluggable Auth Service. """
erm
=
ERP5RoleManager
(
id
,
title
)
dispatcher
.
_setObject
(
erm
.
getId
(),
erm
)
erm
=
ERP5RoleManager
(
id
,
title
)
dispatcher
.
_setObject
(
erm
.
getId
(),
erm
)
if
REQUEST
is
not
None
:
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5RoleManager+added.'
%
dispatcher
.
absolute_url
())
if
REQUEST
is
not
None
:
REQUEST
[
'RESPONSE'
].
redirect
(
'%s/manage_workspace'
'?manage_tabs_message='
'ERP5RoleManager+added.'
%
dispatcher
.
absolute_url
())
class
ERP5RoleManager
(
BasePlugin
):
""" PAS plugin to add 'Member' as default
Role for every user.
""" PAS plugin to add 'Member' as default
Role for every user.
"""
meta_type
=
'ERP5 Role Manager'
security
=
ClassSecurityInfo
()
def
__init__
(
self
,
id
,
title
=
None
):
self
.
_id
=
self
.
id
=
id
self
.
title
=
title
#
# IRolesPlugin implementation
#
security
.
declarePrivate
(
'getRolesForPrincipal'
)
def
getRolesForPrincipal
(
self
,
principal
,
request
=
None
):
""" See IRolesPlugin.
We only ever return Member for every principal
"""
meta_type
=
'ERP5 Role Manager'
security
=
ClassSecurityInfo
()
def
__init__
(
self
,
id
,
title
=
None
):
self
.
_id
=
self
.
id
=
id
self
.
title
=
title
#
# IRolesPlugin implementation
#
security
.
declarePrivate
(
'getRolesForPrincipal'
)
def
getRolesForPrincipal
(
self
,
principal
,
request
=
None
):
""" See IRolesPlugin.
We only ever return Member for every principal
"""
if
principal
.
getId
()
==
SUPER_USER
:
# If this is the super user, give all the roles present in this system.
# XXX no API to do this in PAS.
rolemakers
=
self
.
_getPAS
().
plugins
.
listPlugins
(
IRoleEnumerationPlugin
)
roles
=
[]
for
rolemaker_id
,
rolemaker
in
rolemakers
:
roles
.
extend
([
role
[
'id'
]
for
role
in
rolemaker
.
enumerateRoles
()])
return
tuple
(
roles
)
return
(
'Member'
,)
if
principal
.
getId
()
==
SUPER_USER
:
# If this is the super user, give all the roles present in this system.
# XXX no API to do this in PAS.
rolemakers
=
self
.
_getPAS
().
plugins
.
listPlugins
(
IRoleEnumerationPlugin
)
roles
=
[]
for
rolemaker_id
,
rolemaker
in
rolemakers
:
roles
.
extend
([
role
[
'id'
]
for
role
in
rolemaker
.
enumerateRoles
()])
return
tuple
(
roles
)
return
(
'Member'
,)
classImplements
(
ERP5RoleManager
,
IRolesPlugin
...
...
product/ERP5Security/ERP5UserFactory.py
View file @
975ad4d7
...
...
@@ -61,7 +61,7 @@ class ERP5User(PropertiedUser):
principal_ids
=
list
(
group_ids
)
principal_ids
.
insert
(
0
,
user_id
)
local
=
{}
local
=
{}
object
=
aq_inner
(
object
)
while
1
:
...
...
@@ -98,102 +98,102 @@ class ERP5User(PropertiedUser):
return
list
(
self
.
getRoles
()
)
+
local
.
keys
()
def
allowed
(
self
,
object
,
object_roles
=
None
):
""" Check whether the user has access to object.
As for getRolesInContext, we take into account _getAcquireLocalRoles for
ERP5.
"""
if
self
.
getUserName
()
==
SUPER_USER
:
# super user is allowed to accesss any object
return
1
if
object_roles
is
_what_not_even_god_should_do
:
return
0
""" Check whether the user has access to object.
As for getRolesInContext, we take into account _getAcquireLocalRoles for
ERP5.
"""
if
self
.
getUserName
()
==
SUPER_USER
:
# super user is allowed to accesss any object
return
1
if
object_roles
is
_what_not_even_god_should_do
:
return
0
# Short-circuit the common case of anonymous access.
if
object_roles
is
None
or
'Anonymous'
in
object_roles
:
return
1
# Check for Developer Role, see patches.User for rationale
# XXX-arnau: copy/paste
object_roles
=
set
(
object_roles
)
if
'Developer'
in
object_roles
:
object_roles
.
remove
(
'Developer'
)
product_config
=
getattr
(
getConfiguration
(),
'product_config'
,
None
)
if
product_config
:
config
=
product_config
.
get
(
'erp5'
)
if
config
and
self
.
getId
()
in
config
.
developer_list
:
return
1
# Short-circuit the common case of anonymous access.
# Provide short-cut access if object is protected by 'Authenticated'
# role and user is not nobody
if
'Authenticated'
in
object_roles
and
(
self
.
getUserName
()
!=
'Anonymous User'
):
return
1
# Check for ancient role data up front, convert if found.
# This should almost never happen, and should probably be
# deprecated at some point.
if
'Shared'
in
object_roles
:
object_roles
=
self
.
_shared_roles
(
object
)
if
object_roles
is
None
or
'Anonymous'
in
object_roles
:
return
1
# Check for Developer Role, see patches.User for rationale
# XXX-arnau: copy/paste
object_roles
=
set
(
object_roles
)
if
'Developer'
in
object_roles
:
object_roles
.
remove
(
'Developer'
)
product_config
=
getattr
(
getConfiguration
(),
'product_config'
,
None
)
if
product_config
:
config
=
product_config
.
get
(
'erp5'
)
if
config
and
self
.
getId
()
in
config
.
developer_list
:
return
1
# Provide short-cut access if object is protected by 'Authenticated'
# role and user is not nobody
if
'Authenticated'
in
object_roles
and
(
self
.
getUserName
()
!=
'Anonymous User'
):
return
1
# Check for ancient role data up front, convert if found.
# This should almost never happen, and should probably be
# deprecated at some point.
if
'Shared'
in
object_roles
:
object_roles
=
self
.
_shared_roles
(
object
)
if
object_roles
is
None
or
'Anonymous'
in
object_roles
:
# Check for a role match with the normal roles given to
# the user, then with local roles only if necessary. We
# want to avoid as much overhead as possible.
user_roles
=
self
.
getRoles
()
for
role
in
object_roles
:
if
role
in
user_roles
:
if
self
.
_check_context
(
object
):
return
1
return
None
# Still have not found a match, so check local roles. We do
# this manually rather than call getRolesInContext so that
# we can incur only the overhead required to find a match.
inner_obj
=
aq_inner
(
object
)
user_id
=
self
.
getId
()
# [ x.getId() for x in self.getGroups() ]
group_ids
=
self
.
getGroups
()
principal_ids
=
list
(
group_ids
)
principal_ids
.
insert
(
0
,
user_id
)
while
1
:
local_roles
=
getattr
(
inner_obj
,
'__ac_local_roles__'
,
None
)
if
local_roles
:
if
callable
(
local_roles
):
local_roles
=
local_roles
()
dict
=
local_roles
or
{}
for
principal_id
in
principal_ids
:
local_roles
=
dict
.
get
(
principal_id
,
[]
)
for
role
in
object_roles
:
if
role
in
local_roles
:
if
self
.
_check_context
(
object
):
return
1
return
0
# patch by Klaus for LocalRole blocking
if
getattr
(
inner_obj
,
'_getAcquireLocalRoles'
,
None
)
is
not
None
:
if
not
inner_obj
.
_getAcquireLocalRoles
():
break
inner
=
aq_inner
(
inner_obj
)
parent
=
aq_parent
(
inner
)
if
parent
is
not
None
:
inner_obj
=
parent
continue
new
=
getattr
(
inner_obj
,
'im_self'
,
None
)
if
new
is
not
None
:
inner_obj
=
aq_inner
(
new
)
continue
break
# Check for a role match with the normal roles given to
# the user, then with local roles only if necessary. We
# want to avoid as much overhead as possible.
user_roles
=
self
.
getRoles
()
for
role
in
object_roles
:
if
role
in
user_roles
:
if
self
.
_check_context
(
object
):
return
1
return
None
# Still have not found a match, so check local roles. We do
# this manually rather than call getRolesInContext so that
# we can incur only the overhead required to find a match.
inner_obj
=
aq_inner
(
object
)
user_id
=
self
.
getId
()
# [ x.getId() for x in self.getGroups() ]
group_ids
=
self
.
getGroups
()
principal_ids
=
list
(
group_ids
)
principal_ids
.
insert
(
0
,
user_id
)
while
1
:
local_roles
=
getattr
(
inner_obj
,
'__ac_local_roles__'
,
None
)
if
local_roles
:
if
callable
(
local_roles
):
local_roles
=
local_roles
()
dict
=
local_roles
or
{}
for
principal_id
in
principal_ids
:
local_roles
=
dict
.
get
(
principal_id
,
[]
)
for
role
in
object_roles
:
if
role
in
local_roles
:
if
self
.
_check_context
(
object
):
return
1
return
0
# patch by Klaus for LocalRole blocking
if
getattr
(
inner_obj
,
'_getAcquireLocalRoles'
,
None
)
is
not
None
:
if
not
inner_obj
.
_getAcquireLocalRoles
():
break
inner
=
aq_inner
(
inner_obj
)
parent
=
aq_parent
(
inner
)
if
parent
is
not
None
:
inner_obj
=
parent
continue
new
=
getattr
(
inner_obj
,
'im_self'
,
None
)
if
new
is
not
None
:
inner_obj
=
aq_inner
(
new
)
continue
break
return
None
return
None
InitializeClass
(
ERP5User
)
...
...
product/ERP5Security/ERP5UserManager.py
View file @
975ad4d7
This diff is collapsed.
Click to expand it.
product/ERP5Security/__init__.py
View file @
975ad4d7
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment