Skip to content

Z
Zope
Commit 27b94e36 authored by Chris McDonough's avatar Chris McDonough
Browse files
Options

- made user folders use the Zope security policy machinery 

- added logic to do domain-defined nobody lookup which I thought I could safely dump before.

- added a hook for ignoring the domain-defined "nobody" lookup, although I'm not going to change the user folder UI right now, and the default behavior of this implementation is the same as the old.

- refactored validate method into identify, authenticate, and authorize methods.

- added _getobcontext method to do acquisition dance to find out accessed, container, and name in order to pass them to securitypolicy.validate
parent a7e72cd2
Hide whitespace changes
Inline Side-by-side
Showing with 213 additions and 130 deletions
lib/python/AccessControl/User.py
View file @ 27b94e36
...@@ -84,7 +84,7 @@ ...@@ -84,7 +84,7 @@
############################################################################## ##############################################################################
"""Access control package""" """Access control package"""
__version__='$Revision: 1.123 $'[11:-2] __version__='$Revision: 1.124 $'[11:-2]
import Globals, socket, ts_regex, SpecialUsers import Globals, socket, ts_regex, SpecialUsers
import os import os
...@@ -98,6 +98,9 @@ from App.ImageFile import ImageFile ...@@ -98,6 +98,9 @@ from App.ImageFile import ImageFile
from Role import RoleManager from Role import RoleManager
from PermissionRole import _what_not_even_god_should_do, rolesForPermissionOn from PermissionRole import _what_not_even_god_should_do, rolesForPermissionOn
from AuthEncoding import pw_validate from AuthEncoding import pw_validate
from AccessControl import getSecurityManager
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl.SecurityManagement import noSecurityManager
ListType=type([]) ListType=type([])
NotImplemented='NotImplemented' NotImplemented='NotImplemented'
...@@ -196,23 +199,23 @@ class BasicUser(Implicit): ...@@ -196,23 +199,23 @@ class BasicUser(Implicit):
def _shared_roles(self, parent): def _shared_roles(self, parent):
r=[] r=[]
while 1: while 1:
if hasattr(parent,'__roles__'): if hasattr(parent,'__roles__'):
roles=parent.__roles__ roles=parent.__roles__
if roles is None: return 'Anonymous', if roles is None: return 'Anonymous',
if 'Shared' in roles: if 'Shared' in roles:
roles=list(roles) roles=list(roles)
roles.remove('Shared') roles.remove('Shared')
r=r+roles r=r+roles
else: else:
try: return r+list(roles) try: return r+list(roles)
except: return r except: return r
if hasattr(parent, 'aq_parent'): if hasattr(parent, 'aq_parent'):
while hasattr(parent.aq_self,'aq_self'): while hasattr(parent.aq_self,'aq_self'):
parent=parent.aq_self parent=parent.aq_self
parent=parent.aq_parent parent=parent.aq_parent
else: return r else: return r
def allowed(self, parent, roles=None): def allowed(self, parent, roles=None):
"""Check whether the user has access to parent, assuming that """Check whether the user has access to parent, assuming that
...@@ -246,6 +249,8 @@ class BasicUser(Implicit): ...@@ -246,6 +249,8 @@ class BasicUser(Implicit):
return None return None
hasRole=allowed hasRole=allowed
domains=[] domains=[]
...@@ -265,8 +270,7 @@ class BasicUser(Implicit): ...@@ -265,8 +270,7 @@ class BasicUser(Implicit):
def has_permission(self, permission, object): def has_permission(self, permission, object):
"""Check to see if a user has a given permission on an object.""" """Check to see if a user has a given permission on an object."""
roles=rolesForPermissionOn(permission, object) return getSecurityManager().checkPermission(permission, object)
return self.has_role(roles, object)
def __len__(self): return 1 def __len__(self): return 1
def __str__(self): return self.getUserName() def __str__(self): return self.getUserName()
...@@ -437,27 +441,46 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -437,27 +441,46 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
# Private UserFolder object interface # Private UserFolder object interface
# ----------------------------------- # -----------------------------------
_remote_user_mode=_remote_user_mode _remote_user_mode=_remote_user_mode
_emergency_user=emergency_user _emergency_user=emergency_user
# Note: use of the '_super' name is deprecated. # Note: use of the '_super' name is deprecated.
_super=emergency_user _super=emergency_user
_nobody=nobody _nobody=nobody
_check_for_domain_defined_nobody=1
def validate(self,request,auth='',roles=None): def identify(self, auth):
if auth and lower(auth[:6])=='basic ':
name, password=tuple(split(decodestring(split(auth)[-1]), ':', 1))
return name, password
else:
return None, None
if roles is _what_not_even_god_should_do: def authenticate(self, name, password, request):
request.response.notFoundError() emergency = self._emergency_user
if name is None:
published = request.get('PUBLISHED', None) return None
if published is None: if emergency and name==emergency.getUserName():
published = self user = emergency
else:
user = self.getUser(name)
if user is not None and user.authenticate(password, request):
return user
else:
return None
def authorize(self, user, accessed, container, name, value):
newSecurityManager(None, user)
if getSecurityManager().validate(accessed, container, name, value):
return 1
else:
noSecurityManager()
return 0
def _setRemote(self, request):
# If no authorization, only a user with a domain spec and no # If no authorization, only a user with a domain spec and no
# passwd or nobody can match. We cache reverse DNS before # passwd or nobody can match. We cache reverse DNS before
# checking the users, otherwise it can get real slow looking # checking the users, otherwise it can get real slow looking
# it up for every user. # it up for every user.
host=request.get('REMOTE_HOST', '') host=request.get('REMOTE_HOST', '')
addr=request.get('REMOTE_ADDR', '') addr=request.get('REMOTE_ADDR', '')
if host or addr: if host or addr:
...@@ -472,117 +495,167 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -472,117 +495,167 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
request.set('REMOTE_ADDR', addr) request.set('REMOTE_ADDR', addr)
except: pass except: pass
def validate(self, request, auth='', roles=None):
"""
this method performs identification, authentication, and
authorization
we ignore the roles argument in this method purposely due
to the availability of Zope 2.2+ security machinery
that makes its gathering superfluous, though we still need
to put it in the signature because it's part of the defacto
interface
v is the object (value) we're validating access to
n is the name used to access the object
a is the object the object was accessed through
c is the physical container of the object
We allow the publishing machinery to defer to higher-level user
folders or to raise an unauthorized by returning None from this
method.
"""
self._setRemote(request)
v = request['PUBLISHED'] # the published object
a, c, n, v = self._getobcontext(v, request)
# we need to continue to support this silly mode
# where if there is no auth info, but if a user in our
# database has no password and he has domain restrictions,
# return him as the authorized user.
if not auth: if not auth:
for ob in self.getUsers(): if self._check_for_domain_defined_nobody:
domains=ob.getDomains() for user in self.getUsers():
if domains: if user.getDomains():
if ob.authenticate('', request): if self.authenticate(user.getUserName(), '', request):
if ob.allowed(published, roles): if self.authorize(user, a, c, n, v):
ob=ob.__of__(self) return user.__of__(self)
return ob
nobody=self._nobody name, password = self.identify(auth)
if self._isTop() and nobody.allowed(published, roles): user = self.authenticate(name, password, request)
ob=nobody.__of__(self) # user will be None if we can't authenticate him or if we can't find
return ob # his username in this user database.
return None emergency = self._emergency_user
if emergency and user is emergency:
# Only do basic authentication if self._isTop():
if lower(auth[:6])!='basic ': # we do not need to authorize the emergency user against the
return None # published object.
name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1)) return emergency.__of__(self)
else:
# Check for emergency user # we're not the top-level user folder
emergency_user=self._emergency_user return None
if (emergency_user and self._isTop() and ( elif user is None:
name == emergency_user.getUserName()) # either we didn't find the username, or the user's password
and emergency_user.authenticate(password, request)): # was incorrect. try to authorize and return the anonymous user.
return emergency_user if self._isTop() and self.authorize(self._nobody, a, c, n, v):
return self._nobody.__of__(self)
# Try to get user else:
user=self.getUser(name) # anonymous can't authorize or we're not top-level user folder
if user is None: return None
else:
# If the user was not found and we are the top level user # We found a user, his password was correct, and the user
# database and the Anonymous user is allowed to access the # wasn't the emergency user. We need to authorize the user
# requested object, return the Anonymous user. # against the published object.
if self._isTop() and self._nobody.allowed(published, roles): if self.authorize(user, a, c, n, v):
user=self._nobody.__of__(self) return user.__of__(self)
return user # That didn't work. Try to authorize the anonymous user.
elif self._isTop() and self.authorize(self._nobody, a, c, n, v):
# Otherwise, return None which will defer to higher level user return self._nobody.__of__(self)
# databases or cause an unauthorized to be raised in the else:
# publisher layer. # we can't authorize the user, and we either can't authorize
return None # nobody against the published object or we're not top-level
return None
# Try to authenticate the user
if not user.authenticate(password, request):
# If no user was authenticated and we are the top level user
# database and the Anonymous user is allowed to access the
# requested object, return the Anonymous user.
if self._isTop() and self._nobody.allowed(published, roles):
user=self._nobody.__of__(self)
return user
# Otherwise, return None which will defer to higher level user
# databases or cause an unauthorized to be raised in the
# publisher layer.
return None
# We need the user to be able to acquire!
user=user.__of__(self)
# Try to authorize user
if user.allowed(published, roles):
return user
return None
if _remote_user_mode: if _remote_user_mode:
def validate(self,request,auth='',roles=None): def validate(self, request, auth='', roles=None):
published = request['PUBLISHED'] self._setRemote(request)
e=request.environ v = request['PUBLISHED']
if e.has_key('REMOTE_USER'): a, c, n, v = self._getobcontext(v, request)
name=e['REMOTE_USER'] name = request.environ.get('REMOTE_USER', None)
if name is None:
if self._check_for_domain_defined_nobody:
for user in self.getUsers():
if user.getDomains():
if self.authenticate(
user.getUserName(), '', request
):
if self.authorize(user, a, c, n, v):
return user.__of__(self)
user = self.getUser(name)
# user will be None if we can't find his username in this user
# database.
emergency = self._emergency_user
if emergency and name==emergency.getUserName():
if self._isTop():
# we do not need to authorize the emergency user against
#the published object.
return emergency.__of__(self)
else:
# we're not the top-level user folder
return None
elif user is None:
# we didn't find the username in this database
# try to authorize and return the anonymous user.
if self._isTop() and self.authorize(self._nobody, a, c, n, v):
return self._nobody.__of__(self)
else:
# anonymous can't authorize or we're not top-level user
# folder
return None
else: else:
for ob in self.getUsers(): # We found a user and the user wasn't the emergency user.
domains=ob.getDomains() # We need to authorize the user against the published object.
if domains: if self.authorize(user, a, c, n, v):
if ob.authenticate('', request): return user.__of__(self)
if ob.allowed(published, roles): # That didn't work. Try to authorize the anonymous user.
ob=ob.__of__(self) elif self._isTop() and self.authorize(
return ob self._nobody, a, c, n, v):
nobody=self._nobody return self._nobody.__of__(self)
if self._isTop() and nobody.allowed(published, roles): else:
ob=nobody.__of__(self) # we can't authorize the user, and we either can't
return ob # authorize nobody against the published object or
return None # we're not top-level
return None
# Check for emergency user
emergency_user=self._emergency_user
if (emergency_user and self._isTop() and
name==emergency_user.getUserName()):
return emergency_user
# Try to get user def _getobcontext(self, v, request):
user=self.getUser(name) """
if user is None: v is the object (value) we're validating access to
return None n is the name used to access the object
a is the object the object was accessed through
c is the physical container of the object
"""
n = request.steps[-1]
if hasattr(v, 'aq_parent'):
# this is not a method, we needn't treat it specially
a = v.aq_parent
c = v.aq_inner.aq_parent
elif hasattr(v, 'im_self'):
# this is a method, we need to treat it specially
a = getattr(v.im_self, 'aq_parent', None)
try:
c = v.im_self.aq_inner.aq_parent
except:
c = None
else:
# punt on setting accessed or container if its neither a
# method nor a regular object or if it's not aq-wrapped.
a = c = None
# We need the user to be able to acquire! request_container = getattr(request['PARENTS'][-1], 'aq_parent', [])
user=user.__of__(self)
# Try to authorize user if a is request_container:
if user.allowed(published, roles): # if pub's aq_parent is the request container, it
return user # means pub was accessed from and is contained in the root
return None root = request['PARENTS'][-1]
a = c = root
return a, c, n, v
def _isTop(self): def _isTop(self):
try: return self.aq_parent.aq_base.isTopLevelPrincipiaApplicationObject try:
except: return 0 return self.aq_parent.aq_base.isTopLevelPrincipiaApplicationObject
except:
return 0
def __len__(self): def __len__(self):
return 1 return 1
...@@ -717,11 +790,21 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -717,11 +790,21 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
names=reqattr(REQUEST, 'names') names=reqattr(REQUEST, 'names')
return self._delUsers(names,REQUEST) return self._delUsers(names,REQUEST)
if submit=='Toggle':
self.toggleDomainDefinedNobodyMode()
return self._mainUser(self, REQUEST) return self._mainUser(self, REQUEST)
def user_names(self): def user_names(self):
return self.getUserNames() return self.getUserNames()
def getDomainDefinedNobodyMode(self):
return self._check_for_domain_defined_nobody
def toggleDomainDefinedNobodyMode(self):
ck = self._check_for_domain_defined_nobody
self._check_for_domain_defined_nobody = not ck
def manage_beforeDelete(self, item, container): def manage_beforeDelete(self, item, container):
if item is self: if item is self:
try: del container.__allow_groups__ try: del container.__allow_groups__
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7