Commit 89d3e3f0 authored by Rafael Monnerat's avatar Rafael Monnerat

slapos_erp5: Allow compute node owner invalidate Certificate Login

parent d2375d50
...@@ -7,8 +7,21 @@ ...@@ -7,8 +7,21 @@
<multi_property id='base_category'>aggregate</multi_property> <multi_property id='base_category'>aggregate</multi_property>
</role> </role>
<role id='Assignee'> <role id='Assignee'>
<property id='title'>The User Himself</property> <property id='title'>Compute Node Agent</property>
<property id='condition'>python: here.getParentValue().getPortalType() in ("Person", "Software Instance", "Compute Node")</property> <property id='base_category_script'>ERP5Type_getSecurityCategoryFromParentContent</property>
<multi_property id='categories'>local_role_group/user</multi_property>
<multi_property id='base_category'>source_administration</multi_property>
</role>
<role id='Assignee'>
<property id='title'>The User Himself (Compute Node)</property>
<property id='condition'>python: here.getParentValue().getPortalType() in ( "Compute Node", "Software Instance")</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromParent</property>
<multi_property id='categories'>local_role_group/computer</multi_property>
<multi_property id='base_category'>group</multi_property>
</role>
<role id='Assignee'>
<property id='title'>The User Himself (Person)</property>
<property id='condition'>python: here.getParentValue().getPortalType() == "Person"</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromParent</property> <property id='base_category_script'>ERP5Type_getSecurityCategoryFromParent</property>
<multi_property id='categories'>local_role_group/user</multi_property> <multi_property id='categories'>local_role_group/user</multi_property>
<multi_property id='base_category'>group</multi_property> <multi_property id='base_category'>group</multi_property>
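Review bot: The new 'Compute Node Agent' role carries no `condition`, unlike the two 'The User Himself' roles next to it, so it is evaluated for a login under any parent type and grants Assignee to whoever the parent's `source_administration` points at. If only compute node owners are meant, as the commit title says, add `<property id='condition'>python: here.getParentValue().getPortalType() == "Compute Node"</property>` to that role. The owner also receives the same Assignee role as the login's own user; whether that permits more than invalidating the login depends on workflow and permission settings that are not visible here.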
......
"""
This script returns a list of dictionaries which represent
the security groups which a person is member of. It extracts
the categories from the current content. It is useful in the
following cases:
- calculate a security group based on a given
category of the current object (ex. group). This
is used for example in ERP5 DMS to calculate
document security.
- assign local roles to a document based on
the person which the object related to through
a given base category (ex. destination). This
is used for example in ERP5 Project to calculate
Task / Task Report security.
The parameters are
base_category_list -- list of category values we need to retrieve
user_name -- string obtained from getSecurityManager().getUser().getId()
object -- object which we want to assign roles to
portal_type -- portal type of object
NOTE: for now, this script requires proxy manager
"""
category_list = []
if ob is None:
return []
for base_category in base_category_list:
category_list.append({base_category: [x.getRelativeUrl() for x in ob.getParentValue().getValueList(base_category)]})
return category_list
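Review bot: The docstring does not match this script: it says the categories are extracted "from the current content" and lists a parameter `object`, while the body reads them from `ob.getParentValue()` and the declared parameters are `base_category_list, user_name, ob, portal_type`. Because this script decides who receives a local role, the header should state that it returns, for each base category, the relative URLs of the documents the parent of `ob` is related to, with a parameter line such as `ob -- document whose parent's relations are read`. The "requires proxy manager" note also needs confirming, since the accompanying script metadata shows no proxy-role entry; either the note is stale or the setting is missing.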
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="_reconstructor" module="copy_reg"/>
</klass>
<tuple>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
<global name="object" module="__builtin__"/>
<none/>
</tuple>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>base_category_list, user_name, ob, portal_type</string> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>ERP5Type_getSecurityCategoryFromParentContent</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
...@@ -682,11 +682,8 @@ class TestPerson(TestSlapOSGroupRoleSecurityMixin): ...@@ -682,11 +682,8 @@ class TestPerson(TestSlapOSGroupRoleSecurityMixin):
self.assertRoles(person, project.getReference(), ['Auditor']) self.assertRoles(person, project.getReference(), ['Auditor'])
self.assertRoles(person, self.user_id, ['Owner']) self.assertRoles(person, self.user_id, ['Owner'])
class TestCertificateLogin(TestSlapOSGroupRoleSecurityMixin):
login_portal_type = "Certificate Login"
class TestERP5Login(TestSlapOSGroupRoleSecurityMixin):
login_portal_type = "ERP5 Login"
def test_PersonCanAccessLoginDocument(self): def test_PersonCanAccessLoginDocument(self):
person = self.portal.person_module.newContent(portal_type='Person') person = self.portal.person_module.newContent(portal_type='Person')
...@@ -699,9 +696,6 @@ class TestERP5Login(TestSlapOSGroupRoleSecurityMixin): ...@@ -699,9 +696,6 @@ class TestERP5Login(TestSlapOSGroupRoleSecurityMixin):
self.assertRoles(login, person.getUserId(), ['Assignee']) self.assertRoles(login, person.getUserId(), ['Assignee'])
self.assertRoles(login, self.user_id, ['Owner']) self.assertRoles(login, self.user_id, ['Owner'])
class TestCertificateLogin(TestERP5Login):
login_portal_type = "Certificate Login"
def test_ComputeNodeCanAccessSoftwareInstanceLoginDocument(self): def test_ComputeNodeCanAccessSoftwareInstanceLoginDocument(self):
software_instance = self.portal.software_instance_module.newContent(portal_type='Software Instance') software_instance = self.portal.software_instance_module.newContent(portal_type='Software Instance')
login = software_instance.newContent(portal_type=self.login_portal_type) login = software_instance.newContent(portal_type=self.login_portal_type)
...@@ -717,7 +711,8 @@ class TestCertificateLogin(TestERP5Login): ...@@ -717,7 +711,8 @@ class TestCertificateLogin(TestERP5Login):
login.updateLocalRolesOnSecurityGroups() login.updateLocalRolesOnSecurityGroups()
self.assertSecurityGroup(login, self.assertSecurityGroup(login,
[self.user_id, software_instance.getUserId(), compute_node.getUserId()], False) [self.user_id, software_instance.getUserId(),
compute_node.getUserId()], False)
self.assertRoles(login, software_instance.getUserId(), ['Assignee']) self.assertRoles(login, software_instance.getUserId(), ['Assignee'])
self.assertRoles(login, self.user_id, ['Owner']) self.assertRoles(login, self.user_id, ['Owner'])
self.assertRoles(login, compute_node.getUserId(), ['Assignor']) self.assertRoles(login, compute_node.getUserId(), ['Assignor'])
...@@ -733,6 +728,21 @@ class TestCertificateLogin(TestERP5Login): ...@@ -733,6 +728,21 @@ class TestCertificateLogin(TestERP5Login):
self.assertRoles(login, compute_node.getUserId(), ['Assignee']) self.assertRoles(login, compute_node.getUserId(), ['Assignee'])
self.assertRoles(login, self.user_id, ['Owner']) self.assertRoles(login, self.user_id, ['Owner'])
def test_ComputeNodeSourceAdministrationCanAccessLoginDocument(self):
person = self.portal.person_module.newContent(portal_type='Person')
compute_node = self.portal.compute_node_module.newContent(
portal_type='Compute Node', source_administration=person.getRelativeUrl())
login = compute_node.newContent(portal_type=self.login_portal_type)
compute_node.updateLocalRolesOnSecurityGroups()
login.updateLocalRolesOnSecurityGroups()
self.assertSecurityGroup(login,
[self.user_id, compute_node.getUserId(),
person.getUserId()], False)
self.assertRoles(login, compute_node.getUserId(), ['Assignee'])
self.assertRoles(login, self.user_id, ['Owner'])
self.assertRoles(login, person.getUserId(), ['Assignee'])
def test_SoftwareInstanceCanAccessLoginDocument(self): def test_SoftwareInstanceCanAccessLoginDocument(self):
software_instance = self.portal.software_instance_module.newContent(portal_type='Software Instance') software_instance = self.portal.software_instance_module.newContent(portal_type='Software Instance')
login = software_instance.newContent(portal_type=self.login_portal_type) login = software_instance.newContent(portal_type=self.login_portal_type)
...@@ -744,13 +754,26 @@ class TestCertificateLogin(TestERP5Login): ...@@ -744,13 +754,26 @@ class TestCertificateLogin(TestERP5Login):
self.assertRoles(login, software_instance.getUserId(), ['Assignee']) self.assertRoles(login, software_instance.getUserId(), ['Assignee'])
self.assertRoles(login, self.user_id, ['Owner']) self.assertRoles(login, self.user_id, ['Owner'])
class TestERP5Login(TestSlapOSGroupRoleSecurityMixin):
login_portal_type = "ERP5 Login"
def test_PersonCanAccessLoginDocument(self):
person = self.portal.person_module.newContent(portal_type='Person')
login = person.newContent(portal_type=self.login_portal_type)
person.updateLocalRolesOnSecurityGroups()
login.updateLocalRolesOnSecurityGroups()
self.assertSecurityGroup(login,
[self.user_id, person.getUserId()], False)
self.assertRoles(login, person.getUserId(), ['Assignee'])
self.assertRoles(login, self.user_id, ['Owner'])
class TestGoogleLogin(TestERP5Login): class TestGoogleLogin(TestERP5Login):
login_portal_type = "Google Login" login_portal_type = "Google Login"
class TestFacebookLogin(TestERP5Login): class TestFacebookLogin(TestERP5Login):
login_portal_type = "Facebook Login" login_portal_type = "Facebook Login"
class TestPersonModule(TestSlapOSGroupRoleSecurityMixin): class TestPersonModule(TestSlapOSGroupRoleSecurityMixin):
def test(self): def test(self):
module = self.portal.person_module module = self.portal.person_module
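Review bot: Nothing in these hunks covers revocation: test_ComputeNodeSourceAdministrationCanAccessLoginDocument checks that the person named in `source_administration` receives Assignee on the login, but not that a former owner loses it once the compute node is reassigned. The role on the login is derived from the parent, so it is worth pinning that recomputing the groups after the change drops the old person; whether anything re-runs updateLocalRolesOnSecurityGroups on existing logins when the parent's owner changes is not visible in this commit. A test along the lines below, placed in TestCertificateLogin next to the new one, would cover the recomputation. Separately, test_PersonCanAccessLoginDocument now appears with the same body in both TestCertificateLogin and TestERP5Login and could live in one shared mixin.

```python
  def test_ComputeNodeSourceAdministrationChangeRevokesAccess(self):
    former = self.portal.person_module.newContent(portal_type='Person')
    current = self.portal.person_module.newContent(portal_type='Person')
    compute_node = self.portal.compute_node_module.newContent(
      portal_type='Compute Node', source_administration=former.getRelativeUrl())
    login = compute_node.newContent(portal_type=self.login_portal_type)

    compute_node.edit(source_administration=current.getRelativeUrl())
    compute_node.updateLocalRolesOnSecurityGroups()
    login.updateLocalRolesOnSecurityGroups()

    # the former owner must no longer appear in the login's security groups
    self.assertSecurityGroup(login,
      [self.user_id, compute_node.getUserId(),
       current.getUserId()], False)
    self.assertRoles(login, current.getUserId(), ['Assignee'])
```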
......