Commit 9a95db9c authored by Hanno Schlichting's avatar Hanno Schlichting

Removed the unhelpful system for AccessControl

parent 91f27016
...@@ -52,7 +52,6 @@ class Owned(Base): ...@@ -52,7 +52,6 @@ class Owned(Base):
manage_options=({'label': 'Ownership', manage_options=({'label': 'Ownership',
'action': 'manage_owner', 'action': 'manage_owner',
'help': ('OFSP','Ownership.stx'),
'filter': ownableFilter 'filter': ownableFilter
}, },
) )
......
...@@ -54,9 +54,7 @@ class RoleManager(Base, RoleManager): ...@@ -54,9 +54,7 @@ class RoleManager(Base, RoleManager):
security = ClassSecurityInfo() security = ClassSecurityInfo()
manage_options=( manage_options=(
{'label': 'Security', 'action': 'manage_access', {'label': 'Security', 'action': 'manage_access'},
'help': ('OFSP', 'Security.stx'),
},
) )
__ac_roles__=('Manager', 'Owner', 'Anonymous', 'Authenticated') __ac_roles__=('Manager', 'Owner', 'Anonymous', 'Authenticated')
...@@ -126,9 +124,7 @@ class RoleManager(Base, RoleManager): ...@@ -126,9 +124,7 @@ class RoleManager(Base, RoleManager):
security.declareProtected(change_permissions, 'manage_roleForm') security.declareProtected(change_permissions, 'manage_roleForm')
manage_roleForm=DTMLFile('dtml/roleEdit', globals(), manage_roleForm=DTMLFile('dtml/roleEdit', globals(),
management_view='Security', management_view='Security')
help_topic='Security_Manage-Role.stx',
help_product='OFSP')
security.declareProtected(change_permissions, 'manage_role') security.declareProtected(change_permissions, 'manage_role')
@requestmethod('POST') @requestmethod('POST')
...@@ -145,9 +141,7 @@ class RoleManager(Base, RoleManager): ...@@ -145,9 +141,7 @@ class RoleManager(Base, RoleManager):
security.declareProtected(change_permissions, 'manage_acquiredForm') security.declareProtected(change_permissions, 'manage_acquiredForm')
manage_acquiredForm=DTMLFile('dtml/acquiredEdit', globals(), manage_acquiredForm=DTMLFile('dtml/acquiredEdit', globals(),
management_view='Security', management_view='Security')
help_topic='Security_Manage-Acquisition.stx',
help_product='OFSP')
security.declareProtected(change_permissions, 'manage_acquiredPermissions') security.declareProtected(change_permissions, 'manage_acquiredPermissions')
@requestmethod('POST') @requestmethod('POST')
...@@ -230,9 +224,7 @@ class RoleManager(Base, RoleManager): ...@@ -230,9 +224,7 @@ class RoleManager(Base, RoleManager):
security.declareProtected(change_permissions, 'manage_permissionForm') security.declareProtected(change_permissions, 'manage_permissionForm')
manage_permissionForm=DTMLFile('dtml/permissionEdit', globals(), manage_permissionForm=DTMLFile('dtml/permissionEdit', globals(),
management_view='Security', management_view='Security')
help_topic='Security_Manage-Permission.stx',
help_product='OFSP')
security.declareProtected(change_permissions, 'manage_permission') security.declareProtected(change_permissions, 'manage_permission')
@requestmethod('POST') @requestmethod('POST')
...@@ -365,15 +357,11 @@ class RoleManager(Base, RoleManager): ...@@ -365,15 +357,11 @@ class RoleManager(Base, RoleManager):
security.declareProtected(change_permissions, 'manage_listLocalRoles') security.declareProtected(change_permissions, 'manage_listLocalRoles')
manage_listLocalRoles=DTMLFile('dtml/listLocalRoles', globals(), manage_listLocalRoles=DTMLFile('dtml/listLocalRoles', globals(),
management_view='Security', management_view='Security')
help_topic='Security_Local-Roles.stx',
help_product='OFSP')
security.declareProtected(change_permissions, 'manage_editLocalRoles') security.declareProtected(change_permissions, 'manage_editLocalRoles')
manage_editLocalRoles=DTMLFile('dtml/editLocalRoles', globals(), manage_editLocalRoles=DTMLFile('dtml/editLocalRoles', globals(),
management_view='Security', management_view='Security')
help_topic='Security_User-Local-Roles.stx',
help_product='OFSP')
def has_local_roles(self): def has_local_roles(self):
dict=self.__ac_local_roles__ or {} dict=self.__ac_local_roles__ or {}
......
...@@ -434,10 +434,8 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -434,10 +434,8 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
manage_options=( manage_options=(
( (
{'label':'Contents', 'action':'manage_main', {'label': 'Contents', 'action': 'manage_main'},
'help':('OFSP','User-Folder_Contents.stx')}, {'label': 'Properties', 'action':'manage_userFolderProperties'},
{'label':'Properties', 'action':'manage_userFolderProperties',
'help':('OFSP','User-Folder_Properties.stx')},
) )
+RoleManager.manage_options +RoleManager.manage_options
+Item.manage_options +Item.manage_options
......
<dtml-var manage_page_header> <dtml-var manage_page_header>
<dtml-var "manage_form_title(this(), _, <dtml-var "manage_form_title(this(), _, form_title='Add User')">
form_title='Add User',
help_product='OFSP',
help_topic='User-Folder_Add-User.stx'
)">
<p class="form-help"> <p class="form-help">
To add a new user, enter the name <dtml-unless remote_user_mode__> To add a new user, enter the name <dtml-unless remote_user_mode__>
......
<dtml-var manage_page_header> <dtml-var manage_page_header>
<dtml-var "manage_form_title(this(), _, <dtml-var "manage_form_title(this(), _, form_title='Change User')">
form_title='Change User',
help_product='OFSP',
help_topic='User-Folder_Edit-User.stx'
)">
<FORM ACTION="manage_users" METHOD="POST"> <FORM ACTION="manage_users" METHOD="POST">
<TABLE> <TABLE>
......
"""
AccessControl: Security functions and classes
The functions and classes in this module are available to
Python-based Scripts and Page Templates.
"""
def getSecurityManager():
"""
Returns the security manager. See the 'SecurityManager' class.
"""
class SecurityManager:
"""
A security manager provides methods for checking access and
managing executable context and policies
"""
def validate(accessed=None, container=None, name=None, value=None,
roles=None):
"""
Validate access.
Arguments:
accessed -- the object that was being accessed
container -- the object the value was found in
name -- The name used to access the value
value -- The value retrieved though the access.
roles -- The roles of the object if already known.
The arguments may be provided as keyword arguments. Some of
these arguments may be omitted, however, the policy may
reject access in some cases when arguments are omitted. It
is best to provide all the values possible.
permission -- Always available
"""
def checkPermission(self, permission, object):
"""
Check whether the security context allows the given permission
on the given object.
permission -- Always available
"""
def getUser(self):
"""
Get the current authenticated user. See the
'AuthenticatedUser' class.
permission -- Always available
"""
def calledByExecutable(self):
"""
Return a boolean value indicating if this context was called
by an executable.
permission -- Always available
"""
##############################################################################
#
# Copyright (c) 2002 Zope Foundation and Contributors.
#
# This software is subject to the provisions of the Zope Public License,
# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
# FOR A PARTICULAR PURPOSE
#
##############################################################################
class AuthenticatedUser:
"""
This interface needs to be supported by objects that
are returned by user validation and used for access control.
"""
def getUserName():
"""
Return the name of a user
Permission -- Always available
"""
def has_role(roles, object=None):
"""
Return true if the user has at least one role from a list of
roles, optionally in the context of an object.
Permission -- Always available
"""
def has_permission(permission, object):
"""
Return true if the user has a permission on an object.
Permission -- Always available
"""
def getRoles():
"""
Return a list of the user's roles.
Permission -- Always available
"""
def getRolesInContext(object):
"""
Return the list of roles assigned to the user, including local
roles assigned in context of an object.
Permission -- Always available
"""
def getId():
"""
Get the ID of the user. The ID can be used from
Python to get the user from the user's UserDatabase.
Permission -- Always available
"""
def getDomains():
"""
Return the list of domain restrictions for a user.
Permission -- Always available
"""
Ownership: Manage ownership.
Description
This view allows you to set the ownership of an object.
On the top of the page Zope will tell you whether the
object has an owner and who it is.
All Zope objects except objects within the Control Panel support
ownership. When an object is created, copied or imported in Zope,
the logged-in user performing the operation becomes the owner of
the resulting object(s). Note that simply moving or renaming an
object does not change its ownership.
Ownership is most important for Zope objects that "execute"
content supplied through the web, such as DTML Methods, DTML
Documents and SQL Methods. The abilities of these executable
objects are constrained by the abilities of the object's owner
as well as the user causing the object to execute from a Zope
security point of view. In other words, an executable cannot
perform operations that its owner could not perform directly.
While most Zope objects support ownership, objects may not always
have an owner assigned. Objects that do not have an assigned owner
are *unowned*. An unowned executable object executes with the
permissions of the user running the object.
It is possible to remove a user in your Zope installation while
objects that were owned by that user remain (for instance, someone
in your organization moves on, so you remove his account on your
Zope server). When you remove a Zope user, objects that were owned
by that user still have ownership information that refers to that
user. This will not cause an error, but it is important to
understand what happens to Zope objects whose owners no longer
exist. This is most important for "executable" objects. Usually,
the abilities of executable objects are constrained by the
abilities of the object's owner as well as the user causing the
object to execute. If Zope cannot find the user that the
executable's ownership information refers to when it tries to
execute the object, it will use the special 'nobody' or anonymous
user instead. The 'nobody' user has very minimal privileges, so
you should take this into account when deciding what to do about a
user's owned objects when you delete the user. If the user had
DTML documents or other executable objects that depended upon
their owner to have a higher level of privilege than the 'nobody'
user, they will not work correctly until their ownership has been
reassigned to another user with sufficient privileges.
Controls
'Take ownership' -- Gives you ownership of this object.
**Note: For this operation you have the 'Take ownership' role.**
'Also take ownership of all sub-objects' -- Gives you ownership of all the current object's sub-objects when you take ownership of the current object. Normally you should leave this option checked.
Security - Define security settings.
Description
This view allows you to define security settings.
Security settings are defined in terms of *roles* and
*permissions*. When a role is assigned to a permission users with
the given role will be able to perform tasks associated with the
permission on the object.
Controls
Assign Roles to Permissions
Roles are listed in columns and permissions are listed in rows.
To assign a role to a permission check the checkbox at the
intersection of the row and column. You can also manage roles
and permissions individually by clicking on their name links.
Create Roles
You can create new roles by entering the role name in the text
entry field under the 'User defined roles' heading and clicking
the 'Add Role' button. You can delete any existing user defined
roles by selecting them from the selection list under the 'User
defined roles' heading and clicking the 'Delete Role' button.
Local Roles
You can create and manage local roles by clicking the
'local roles' link.
Assign Permissions to a Role
You can manage the permissions assigned to a role by clicking on
the role name.
Assign Roles to a Permission
You can manage the roles assigned to a permission by clicking on
the permission name.
Acquire Permissions
The 'Acquire permission settings' check box next to each
permission indicates whether this item should inherit security
settings for this permission from its container object. The
acquired permission settings may be augmented by selecting roles
for a permission in addition to selecting to acquire
permissions.
You can manage the acquisition of permission
settings individually by clicking the 'Acquire permission
settings' link.
Folder - Local Roles: Manage local roles.
Description
Local roles allow you to give users additional roles in the
context of an object.
Controls
Editing local roles
'[Checkbox]' -- Select users. Click a user's name to edit their
local roles.
'Remove' -- Deletes local roles for the selected users.
Creating local roles
'User' -- The user for which you would like to define local
roles.
'Roles' -- The local roles you would like to assign to the user.
'Add' -- Adds the selected local roles for the selected user.
Security - Permissions Acquisition: Security acquisition settings.
Description
This view allows you to manage security acquisition settings. You
can control which permissions acquire security settings.
Controls
'[Permissions List]' -- The permissions which
should acquire security settings.
'Change' -- Sets the acquisition settings.
Folder - Manage Permission: Assign roles to a permission.
Description
This view allows you to assign roles to a permission.
Controls
'[Role List]' -- The roles assigned to the permission.
'Also use roles acquired from folders containing this object' --
Whether or not to acquire permissions settings for the permission.
'Change' -- Changes the security settings.
Folder - Manage Role: Assign permissions to a role.
Description
This view allows you to assign permissions to a role.
Controls
'[Permissions List]' -- The permissions
assigned to the role.
'Change' -- Changes the security settings.
Security - User local roles: Manage local roles.
Description
This view allows you to manage a user's local roles.
Controls
'User' -- The user whose local roles you going to change.
'Roles' -- The user's local roles.
'Change' -- Change the local roles.
User Folder - Defines users.
Description
User Folders define Zope users.
You can only have one User Folder per Folder. User Folders always
have 'acl_users' as an id.
User Folder - Add User: Define a new user.
Description
This view allows you to define a new user.
Controls
'Name' -- The user's name.
'Password' -- The user's password.
'Confirm' -- Confirm the user's password.
'Domains' -- Optionally allows you to restrict the
Internet domains from which the user can log in. Domains should be
separated by spaces.
For example, 'digicool.com zope.org'
'Roles' -- The user's roles
'Add' -- Create a new user.
User Folder - Contents: Manage users.
Description
This view allows you to manage the users defined in a User Folder.
Controls
Users are listed one per line. Click on a user to edit the user.
'[Checkbox]' -- Selects users.
'Add...' -- Adds a new user.
'Delete' -- Deletes the selected users.
User Folder - Edit User: Edit a user
Descriptions
This view allows you to edit a user.
Controls
'Name' -- The user's name.
'Password' -- The user's password.
'Confirm' -- Confirm the user's password.
'Domains' -- Optionally allows you to restrict the
Internet domains from which the user can log in. Domains should be
separated by spaces.
For example, 'digicool.com zope.org'
'Roles' -- The user's roles
'Change' -- Change the user.
\ No newline at end of file
User Folder - Properties: Change properties of the user folder.
Description
This view allows you to change settings of a user folder.
Controls
The 'Encrypt user passwords' checkbox controls whether user passwords
are stored encrypted. If passwords are stored encrypted, users can
still use their password to log in but it is very difficult for anyone,
especially intruders, to decrypt the passwords. It also prevents
system administrators from telling users what their current
password is, although system administrators can still reset user
passwords.
If you click the 'Update existing passwords' button while the
'Encrypt user passwords' checkbox is on, Zope will encrypt all the
unencrypted passwords of the users in the folder. Zope uses the
Secure Hash Algorithm so the encryption is irreversible.
Note that you can still undo after updating the existing passwords
because the unencrypted passwords are stored in the history in ZODB.
After encrypting the passwords, you should pack the database then
delete the temporary storage files created during packing.
class UserFolder:
"""
User Folder objects are containers for user objects. Programmers can
work with collections of user objects using the API shared by User
Folder implementations.
"""
def getUser(name):
"""
Returns the user object specified by name. If there is no
user named 'name' in the user folder, return None.
Permission -- Manage users
"""
def getUsers():
"""
Returns a sequence of all user objects which reside in the user
folder.
Permission -- Manage users
"""
def getUserNames():
"""
Returns a sequence of names of the users which reside in the user
folder.
Permission -- Manage users
"""
def userFolderAddUser(name, password, roles, domains, **kw):
"""
API method for creating a new user object. Note that not all
user folder implementations support dynamic creation of user
objects. Implementations that do not support dynamic creation
of user objects will raise an error for this method.
Permission -- Manage users
"""
def userFolderEditUser(name, password, roles, domains, **kw):
"""
API method for changing user object attributes. Note that not
all user folder implementations support changing of user object
attributes. Implementations that do not support changing of user
object attributes will raise an error for this method.
Permission -- Manage users
"""
def userFolderDelUsers(names):
"""
API method for deleting one or more user objects. Note that not
all user folder implementations support deletion of user objects.
Implementations that do not support deletion of user objects
will raise an error for this method.
Permission -- Manage users
"""
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment