Commit b385b625 authored by Yoshinori Okuji's avatar Yoshinori Okuji

Define a super user and use it for searching users.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@5807 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 8175e80f
......@@ -24,11 +24,14 @@ from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
from Products.PluggableAuthService.utils import classImplements
from Products.PluggableAuthService.interfaces.plugins import IGroupsPlugin
from Products.ERP5Type.Cache import CachingMethod
from Products.PluggableAuthService.PropertiedUser import PropertiedUser
from pickle import dumps, loads
from zLOG import LOG
from ERP5UserManager import SUPER_USER
manage_addERP5GroupManagerForm = PageTemplateFile(
'www/ERP5Security_addERP5GroupManager', globals(), __name__='manage_addERP5GroupManagerForm' )
......@@ -65,6 +68,10 @@ class ERP5GroupManager(BasePlugin):
def getGroupsForPrincipal(self, principal, request=None):
""" See IGroupsPlugin.
"""
# If this is the super user, skip the check.
if principal.getId() == SUPER_USER:
return ()
def _getGroupsForPrincipal(user_name, path):
security_category_dict = {} # key is the base_category_list,
# value is the list of fetched categories
......@@ -73,10 +80,9 @@ class ERP5GroupManager(BasePlugin):
# because we aren't logged in, we have to create our own
# SecurityManager to be able to access the Catalog
#FIXME here we assume that the portal owner will always have
# enough rights, which might as well be wrong
sm = getSecurityManager()
newSecurityManager(self, self.getPortalObject().getOwner())
if sm.getUser() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER))
# To get the complete list of groups, we try to call the
# ERP5Type_getSecurityCategoryMapping which should return a list
......
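Review bot: The new guard `if sm.getUser() != SUPER_USER:` compares the user object returned by `getSecurityManager().getUser()` with a string constant, so unless that user class defines `__eq__` against strings the condition is always true and the "already the super user" skip never fires; compare the id instead: `if sm.getUser().getId() != SUPER_USER:`. The elevated security manager is installed here with `newSecurityManager(self, self.getUser(SUPER_USER))`, but the restore of `sm` is outside the hunk; if it is not done in a `finally`, an exception from the catalog lookup leaves the all-roles user installed for the remainder of the request, so that is worth confirming. `_getGroupsForPrincipal` starts before this hunk and continues past it.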
......@@ -20,7 +20,9 @@ from AccessControl import ClassSecurityInfo
from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
from Products.PluggableAuthService.utils import classImplements
from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin
from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin, IRoleEnumerationPlugin
from ERP5UserManager import SUPER_USER
manage_addERP5RoleManagerForm = PageTemplateFile(
'www/ERP5Security_addERP5RoleManager', globals(), __name__='manage_addERP5RoleManagerForm' )
......@@ -37,7 +39,7 @@ def addERP5RoleManager( dispatcher, id, title=None, REQUEST=None ):
'?manage_tabs_message='
'ERP5RoleManager+added.'
% dispatcher.absolute_url())
class ERP5RoleManager( BasePlugin ):
""" PAS plugin to add 'Member' as default
......@@ -51,7 +53,7 @@ class ERP5RoleManager( BasePlugin ):
self._id = self.id = id
self.title = title
#
# IRolesPlugin implementation
#
......@@ -60,9 +62,17 @@ class ERP5RoleManager( BasePlugin ):
""" See IRolesPlugin.
We only ever return Member for every principal
"""
if principal.getId() == SUPER_USER:
# If this is the super user, give all the roles present in this system.
# XXX no API to do this in PAS.
rolemakers = self._getPAS().plugins.listPlugins( IRoleEnumerationPlugin )
roles = []
for rolemaker_id, rolemaker in rolemakers:
roles.extend([role['id'] for role in rolemaker.enumerateRoles()])
return tuple(roles)
return ('Member',)
classImplements( ERP5RoleManager
, IRolesPlugin
)
......
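Review bot: The all-roles grant keys solely on `principal.getId() == SUPER_USER`, so its safety rests on an invariant this file does not state: no authentication plugin in the PAS stack may ever return that id, and the only visible enforcement is the login check added to ERP5UserManager.authenticateCredentials, which covers that plugin alone. A comment above the branch should record this, e.g. `# SUPER_USER is granted every role; it must never be authenticatable (see ERP5UserManager.authenticateCredentials) and no other IAuthenticationPlugin may map a login to this id.` Minor: `roles` can contain duplicates when several IRoleEnumerationPlugins list the same id, and `getRolesForPrincipal`'s signature is above the hunk.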
......@@ -28,6 +28,9 @@ from Products.ERP5Type.Cache import CachingMethod
from zLOG import LOG
# This user is used to bypass all security checks.
SUPER_USER = '__erp5security-=__'
manage_addERP5UserManagerForm = PageTemplateFile(
'www/ERP5Security_addERP5UserManager', globals(), __name__='manage_addERP5UserManagerForm' )
......@@ -67,6 +70,10 @@ class ERP5UserManager(BasePlugin):
o We expect the credentials to be those returned by
ILoginPasswordExtractionPlugin.
"""
# Forbidden the usage of the super user.
if credentials.get('login') == SUPER_USER:
return None
def _authenticateCredentials(login, password, path):
if login is None or password is None:
return None
......@@ -80,7 +87,6 @@ class ERP5UserManager(BasePlugin):
if user.getPassword() == password and\
user.getCareerRole() == 'internal':
LOG('authenticateCredentials', 0, user.getId())
return login, login # use same for user_id and login
return None
......@@ -99,21 +105,32 @@ class ERP5UserManager(BasePlugin):
user_info = []
plugin_id = self.getId()
if not exact_match:
id_tuple = tuple(['%%%s%%' % id for id in id_tuple])
id_list = []
for id in id_tuple:
if SUPER_USER == id:
info = { 'id' : SUPER_USER
, 'login' : SUPER_USER
, 'pluginid' : plugin_id
}
user_info.append(info)
else:
if exact_match:
id_list.append(id)
else:
id_list.append('%%%s%%' % id)
user_objects = [user for user in self.getUserByLogin(id_tuple)\
if user.getCareerRole() == 'internal']
#XXX is this static check ok ?
if id_list:
user_objects = [user for user in self.getUserByLogin(tuple(id_list))\
if user.getCareerRole() == 'internal']
#XXX is this static check ok ?
for user in user_objects:
LOG('enumerateUsers', 0, user.getReference())
info = { 'id' : user.getReference()
, 'login' : user.getReference()
, 'pluginid' : plugin_id
}
for user in user_objects:
info = { 'id' : user.getReference()
, 'login' : user.getReference()
, 'pluginid' : plugin_id
}
user_info.append(info)
user_info.append(info)
return tuple(user_info)
......@@ -135,7 +152,8 @@ class ERP5UserManager(BasePlugin):
# because we aren't logged in, we have to create our own
# SecurityManager to be able to access the Catalog
sm = getSecurityManager()
newSecurityManager(self, self.getPortalObject().portal_catalog.getOwner())
if sm.getUser() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER))
result = self.getPortalObject().portal_catalog(portal_type="Person", reference=login)
......
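Review bot: In getUserByLogin the added `if sm.getUser() != SUPER_USER:` compares a user object with a string, so it is always true unless that class implements string equality; it should read `if sm.getUser().getId() != SUPER_USER:`. The authenticateCredentials guard rejects only `credentials.get('login') == SUPER_USER` in this plugin, while enumerateUsers now vouches for SUPER_USER to any caller and ERP5RoleManager grants every role to that id, so the constant deserves a comment making the contract explicit: `# Never authenticatable: ERP5RoleManager grants every role to this id, so no IAuthenticationPlugin may return it.` The enclosing methods extend beyond the hunks shown here.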