Commit 8b379f1b authored by Arnaud Fontaine's avatar Arnaud Fontaine

P-S: Revert 4b16e1dd and 75618d42.

This reverts commit "use UnrestrictedMethod's super user instead of ad-hoc
SUPER_USER." and related commits.

This commit breaks Python Script installation through UnrestrictedMethod (for
example upgrader Alarms for bt5s), thus the Owner of Python Scripts will be
'System Process' (erp5/acl_users). However, Zope checks Owner when executing
Python Script which fails because 'System Process' cannot be found in
erp5/acl_users.

Legacy SUPER_USER was working through a virtual user as implemented in
enumerateUsers (ERP5Security.ERP5UserManager).

Conflicts:
	product/CMFActivity/ActivityTool.py
	bt5/erp5_user_tutorial_ui_test/SkinTemplateItem/portal_skins/erp5_user_tutorial_ui_test/Zuite_checkPortalCatalog.xml
parent facbabe6
...@@ -72,7 +72,7 @@ for result in result_list:\n ...@@ -72,7 +72,7 @@ for result in result_list:\n
if strict_check_mode and method() != kw[key]:\n if strict_check_mode and method() != kw[key]:\n
raise RuntimeError, "One property is not the same that you wanted : you asked \'%s\' and expecting \'%s\' but get \'%s\'" % (key, kw[key], method())\n raise RuntimeError, "One property is not the same that you wanted : you asked \'%s\' and expecting \'%s\' but get \'%s\'" % (key, kw[key], method())\n
# check that every object are owner by you\n # check that every object are owner by you\n
if strict_check_mode and object.Base_getOwnerId() not in [owner_id, functional_test_username, \'System Processes\',\'zope\', functional_another_test_username]:\n if strict_check_mode and object.Base_getOwnerId() not in [owner_id, functional_test_username, \'__erp5security-=__\',\'zope\', functional_another_test_username]:\n
raise RuntimeError, "You have try to clean an item who haven\'t you as owner : %s is owned by %s and you are %s" % \\\n raise RuntimeError, "You have try to clean an item who haven\'t you as owner : %s is owned by %s and you are %s" % \\\n
(object.getTitle(), object.Base_getOwnerId(), owner_id)\n (object.getTitle(), object.Base_getOwnerId(), owner_id)\n
\n \n
......
788 789
\ No newline at end of file \ No newline at end of file
...@@ -44,7 +44,6 @@ from AccessControl.SecurityManagement import newSecurityManager ...@@ -44,7 +44,6 @@ from AccessControl.SecurityManagement import newSecurityManager
from AccessControl.SecurityManagement import noSecurityManager from AccessControl.SecurityManagement import noSecurityManager
from AccessControl.SecurityManagement import setSecurityManager from AccessControl.SecurityManagement import setSecurityManager
from AccessControl.SecurityManagement import getSecurityManager from AccessControl.SecurityManagement import getSecurityManager
from AccessControl.User import system as system_user
from Products.CMFCore.utils import UniqueObject, _getAuthenticatedUser from Products.CMFCore.utils import UniqueObject, _getAuthenticatedUser
from Products.ERP5Type.Globals import InitializeClass, DTMLFile from Products.ERP5Type.Globals import InitializeClass, DTMLFile
from Acquisition import aq_base, aq_inner, aq_parent from Acquisition import aq_base, aq_inner, aq_parent
...@@ -52,8 +51,6 @@ from ActivityBuffer import ActivityBuffer ...@@ -52,8 +51,6 @@ from ActivityBuffer import ActivityBuffer
from ActivityRuntimeEnvironment import BaseMessage from ActivityRuntimeEnvironment import BaseMessage
from zExceptions import ExceptionFormatter from zExceptions import ExceptionFormatter
from BTrees.OIBTree import OIBTree from BTrees.OIBTree import OIBTree
from Zope2 import app
from Products.ERP5Type.UnrestrictedMethod import PrivilegedUser
from zope.site.hooks import setSite from zope.site.hooks import setSite
try: try:
...@@ -278,13 +275,6 @@ class Message(BaseMessage): ...@@ -278,13 +275,6 @@ class Message(BaseMessage):
if user is None: if user is None:
uf = portal.aq_parent.acl_users uf = portal.aq_parent.acl_users
user = uf.getUserById(user_name) user = uf.getUserById(user_name)
if user is None and user_name == system_user.getUserName():
# The following logic partly comes from unrestricted_apply()
# implementation in ERP5Type.UnrestrictedMethod but we get roles
# from the portal to have more roles.
uf = portal_uf
role_list = uf.valid_roles()
user = PrivilegedUser(user_name, None, role_list, ()).__of__(uf)
if user is not None: if user is not None:
user = user.__of__(uf) user = user.__of__(uf)
newSecurityManager(None, user) newSecurityManager(None, user)
......
...@@ -32,11 +32,10 @@ from DateTime import DateTime ...@@ -32,11 +32,10 @@ from DateTime import DateTime
from AccessControl import ClassSecurityInfo, Unauthorized from AccessControl import ClassSecurityInfo, Unauthorized
from AccessControl.SecurityManagement import getSecurityManager, \ from AccessControl.SecurityManagement import getSecurityManager, \
setSecurityManager, newSecurityManager setSecurityManager, newSecurityManager
from AccessControl.User import nobody
from Products.CMFCore.utils import getToolByName from Products.CMFCore.utils import getToolByName
from Products.ERP5Type import Permissions, PropertySheet from Products.ERP5Type import Permissions, PropertySheet
from Products.ERP5Type.XMLObject import XMLObject from Products.ERP5Type.XMLObject import XMLObject
from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products.ERP5.mixin.periodicity import PeriodicityMixin from Products.ERP5.mixin.periodicity import PeriodicityMixin
class Alarm(XMLObject, PeriodicityMixin): class Alarm(XMLObject, PeriodicityMixin):
...@@ -119,10 +118,11 @@ class Alarm(XMLObject, PeriodicityMixin): ...@@ -119,10 +118,11 @@ class Alarm(XMLObject, PeriodicityMixin):
if not checkPermission(Permissions.ManagePortal, self): if not checkPermission(Permissions.ManagePortal, self):
raise Unauthorized('fixing problems or activating a disabled alarm is not allowed') raise Unauthorized('fixing problems or activating a disabled alarm is not allowed')
# Use UnrestrictedMethod, so that the behavior would not # Switch to the superuser temporarily, so that the behavior would not
# change even if this method is invoked by random users. # change even if this method is invoked by random users.
@UnrestrictedMethod sm = getSecurityManager()
def _activeSense(): newSecurityManager(None, portal_membership.getMemberById(SUPER_USER))
try:
# Set the next date at which this method should be invoked # Set the next date at which this method should be invoked
self.setNextAlarmDate() self.setNextAlarmDate()
...@@ -158,13 +158,6 @@ class Alarm(XMLObject, PeriodicityMixin): ...@@ -158,13 +158,6 @@ class Alarm(XMLObject, PeriodicityMixin):
getattr(self.activate(tag=tag), method_id)() getattr(self.activate(tag=tag), method_id)()
if self.isAlarmNotificationMode(): if self.isAlarmNotificationMode():
self.activate(after_tag=tag).notify(include_active=True, params=params) self.activate(after_tag=tag).notify(include_active=True, params=params)
# switch to nobody temporarily so that unrestricted _activeSense
# is already invoked by system user.
sm = getSecurityManager()
newSecurityManager(None, nobody)
try:
_activeSense()
finally: finally:
# Restore the original user. # Restore the original user.
setSecurityManager(sm) setSecurityManager(sm)
......
...@@ -32,7 +32,6 @@ from Products.ZSQLCatalog.ZSQLCatalog import ZCatalog ...@@ -32,7 +32,6 @@ from Products.ZSQLCatalog.ZSQLCatalog import ZCatalog
from Products.ZSQLCatalog.SQLCatalog import Query, ComplexQuery from Products.ZSQLCatalog.SQLCatalog import Query, ComplexQuery
from Products.ERP5Type import Permissions from Products.ERP5Type import Permissions
from AccessControl import ClassSecurityInfo, getSecurityManager from AccessControl import ClassSecurityInfo, getSecurityManager
from AccessControl.User import system as system_user
from Products.CMFCore.utils import UniqueObject, _getAuthenticatedUser, getToolByName from Products.CMFCore.utils import UniqueObject, _getAuthenticatedUser, getToolByName
from Products.ERP5Type.Globals import InitializeClass, DTMLFile from Products.ERP5Type.Globals import InitializeClass, DTMLFile
from Acquisition import aq_base, aq_inner, aq_parent, ImplicitAcquisitionWrapper from Acquisition import aq_base, aq_inner, aq_parent, ImplicitAcquisitionWrapper
...@@ -423,7 +422,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject): ...@@ -423,7 +422,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
""" """
user = _getAuthenticatedUser(self) user = _getAuthenticatedUser(self)
user_str = str(user) user_str = str(user)
user_is_superuser = (user == system_user) or (user_str == SUPER_USER) user_is_superuser = (user_str == SUPER_USER)
allowedRolesAndUsers = self._listAllowedRolesAndUsers(user) allowedRolesAndUsers = self._listAllowedRolesAndUsers(user)
role_column_dict = {} role_column_dict = {}
local_role_column_dict = {} local_role_column_dict = {}
...@@ -544,12 +543,6 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject): ...@@ -544,12 +543,6 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
values. The query takes into account the fact that some roles are values. The query takes into account the fact that some roles are
catalogued with columns. catalogued with columns.
""" """
user = _getAuthenticatedUser(self)
user_str = str(user)
user_is_superuser = (user == system_user) or (user_str == SUPER_USER)
if user_is_superuser:
# We need no security check for super user.
return query
original_query = query original_query = query
security_uid_dict, role_column_dict, local_role_column_dict = \ security_uid_dict, role_column_dict, local_role_column_dict = \
self.getSecurityUidDictAndRoleColumnDict(sql_catalog_id=sql_catalog_id, **kw) self.getSecurityUidDictAndRoleColumnDict(sql_catalog_id=sql_catalog_id, **kw)
......
...@@ -26,7 +26,6 @@ from Products.PluggableAuthService.interfaces.plugins import IGroupsPlugin ...@@ -26,7 +26,6 @@ from Products.PluggableAuthService.interfaces.plugins import IGroupsPlugin
from Products.ERP5Type.Cache import CachingMethod from Products.ERP5Type.Cache import CachingMethod
from Products.ERP5Type.ERP5Type \ from Products.ERP5Type.ERP5Type \
import ERP5TYPE_SECURITY_GROUP_ID_GENERATION_SCRIPT import ERP5TYPE_SECURITY_GROUP_ID_GENERATION_SCRIPT
from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
from Products.PluggableAuthService.PropertiedUser import PropertiedUser from Products.PluggableAuthService.PropertiedUser import PropertiedUser
from ZODB.POSException import ConflictError from ZODB.POSException import ConflictError
...@@ -87,13 +86,17 @@ class ERP5GroupManager(BasePlugin): ...@@ -87,13 +86,17 @@ class ERP5GroupManager(BasePlugin):
if principal.getId() == SUPER_USER: if principal.getId() == SUPER_USER:
return () return ()
@UnrestrictedMethod
def _getGroupsForPrincipal(user_name, path): def _getGroupsForPrincipal(user_name, path):
security_category_dict = {} # key is the base_category_list, security_category_dict = {} # key is the base_category_list,
# value is the list of fetched categories # value is the list of fetched categories
security_group_list = [] security_group_list = []
security_definition_list = () security_definition_list = ()
# because we aren't logged in, we have to create our own
# SecurityManager to be able to access the Catalog
sm = getSecurityManager()
if sm.getUser().getId() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER))
try: try:
# To get the complete list of groups, we try to call the # To get the complete list of groups, we try to call the
# ERP5Type_getSecurityCategoryMapping which should return a list # ERP5Type_getSecurityCategoryMapping which should return a list
...@@ -177,7 +180,7 @@ class ERP5GroupManager(BasePlugin): ...@@ -177,7 +180,7 @@ class ERP5GroupManager(BasePlugin):
generator_name, generator_name,
error = sys.exc_info()) error = sys.exc_info())
finally: finally:
pass setSecurityManager(sm)
return tuple(security_group_list) return tuple(security_group_list)
if not NO_CACHE_MODE: if not NO_CACHE_MODE:
......
...@@ -48,7 +48,6 @@ from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin ...@@ -48,7 +48,6 @@ from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
from Products.PluggableAuthService.plugins.CookieAuthHelper import CookieAuthHelper from Products.PluggableAuthService.plugins.CookieAuthHelper import CookieAuthHelper
from Products.ERP5Type.Cache import CachingMethod from Products.ERP5Type.Cache import CachingMethod
from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
from Products.ERP5Security.ERP5UserManager import ERP5UserManager,\ from Products.ERP5Security.ERP5UserManager import ERP5UserManager,\
SUPER_USER,\ SUPER_USER,\
_AuthenticationFailure _AuthenticationFailure
...@@ -328,7 +327,6 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper): ...@@ -328,7 +327,6 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
return None return None
#Function to allow cache #Function to allow cache
@UnrestrictedMethod
def _authenticateCredentials(login): def _authenticateCredentials(login):
if not login: if not login:
return None return None
...@@ -339,7 +337,10 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper): ...@@ -339,7 +337,10 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
raise _AuthenticationFailure() raise _AuthenticationFailure()
user = user_list[0] user = user_list[0]
if True: #We need to be super_user
sm = getSecurityManager()
if sm.getUser().getId() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER))
try: try:
# get assignment list # get assignment list
assignment_list = [x for x in user.contentValues(portal_type="Assignment") \ assignment_list = [x for x in user.contentValues(portal_type="Assignment") \
...@@ -360,7 +361,7 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper): ...@@ -360,7 +361,7 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
if len(valid_assignment_list) > 0: if len(valid_assignment_list) > 0:
return (login, login) return (login, login)
finally: finally:
pass setSecurityManager(sm)
raise _AuthenticationFailure() raise _AuthenticationFailure()
......
...@@ -26,7 +26,6 @@ from Products.PluggableAuthService.interfaces.plugins import IUserFactoryPlugin ...@@ -26,7 +26,6 @@ from Products.PluggableAuthService.interfaces.plugins import IUserFactoryPlugin
from Products.PluggableAuthService.PropertiedUser import PropertiedUser from Products.PluggableAuthService.PropertiedUser import PropertiedUser
from Products.PluggableAuthService.PropertiedUser import \ from Products.PluggableAuthService.PropertiedUser import \
_what_not_even_god_should_do _what_not_even_god_should_do
from Products.ERP5Security.ERP5UserManager import SUPER_USER
manage_addERP5UserFactoryForm = PageTemplateFile( manage_addERP5UserFactoryForm = PageTemplateFile(
'www/ERP5Security_addERP5UserFactory', globals(), 'www/ERP5Security_addERP5UserFactory', globals(),
...@@ -102,10 +101,6 @@ class ERP5User(PropertiedUser): ...@@ -102,10 +101,6 @@ class ERP5User(PropertiedUser):
As for getRolesInContext, we take into account _getAcquireLocalRoles for As for getRolesInContext, we take into account _getAcquireLocalRoles for
ERP5. ERP5.
""" """
if self.getUserName() == SUPER_USER:
# super user is allowed to accesss any object
return 1
if object_roles is _what_not_even_god_should_do: if object_roles is _what_not_even_god_should_do:
return 0 return 0
......
...@@ -28,7 +28,6 @@ from Products.PluggableAuthService.utils import classImplements ...@@ -28,7 +28,6 @@ from Products.PluggableAuthService.utils import classImplements
from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlugin from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlugin
from Products.PluggableAuthService.interfaces.plugins import IUserEnumerationPlugin from Products.PluggableAuthService.interfaces.plugins import IUserEnumerationPlugin
from Products.ERP5Type.Cache import CachingMethod, transactional_cached from Products.ERP5Type.Cache import CachingMethod, transactional_cached
from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
from ZODB.POSException import ConflictError from ZODB.POSException import ConflictError
import sys import sys
from DateTime import DateTime from DateTime import DateTime
...@@ -127,7 +126,6 @@ class ERP5UserManager(BasePlugin): ...@@ -127,7 +126,6 @@ class ERP5UserManager(BasePlugin):
if login == SUPER_USER: if login == SUPER_USER:
return None return None
@UnrestrictedMethod
def _authenticateCredentials(login, password, path, def _authenticateCredentials(login, password, path,
ignore_password=False): ignore_password=False):
if not login or not (password or ignore_password): if not login or not (password or ignore_password):
...@@ -140,6 +138,9 @@ class ERP5UserManager(BasePlugin): ...@@ -140,6 +138,9 @@ class ERP5UserManager(BasePlugin):
user = user_list[0] user = user_list[0]
sm = getSecurityManager()
if sm.getUser().getId() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER))
try: try:
# get assignment # get assignment
assignment_list = [x for x in user.contentValues(portal_type="Assignment") if x.getValidationState() == "open"] assignment_list = [x for x in user.contentValues(portal_type="Assignment") if x.getValidationState() == "open"]
...@@ -160,7 +161,7 @@ class ERP5UserManager(BasePlugin): ...@@ -160,7 +161,7 @@ class ERP5UserManager(BasePlugin):
.getValidationState() != 'deleted': #user.getCareerRole() == 'internal': .getValidationState() != 'deleted': #user.getCareerRole() == 'internal':
return login, login # use same for user_id and login return login, login # use same for user_id and login
finally: finally:
pass setSecurityManager(sm)
raise _AuthenticationFailure() raise _AuthenticationFailure()
_authenticateCredentials = CachingMethod(_authenticateCredentials, _authenticateCredentials = CachingMethod(_authenticateCredentials,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment