2010-09-02 09:16:08 -05:00
|
|
|
# ------------------------------------------------------------------------------
|
2014-10-24 08:55:45 -05:00
|
|
|
from appy.px import Px
|
2014-09-17 11:09:30 -05:00
|
|
|
from appy.fields.string import String
|
2012-05-05 10:04:19 -05:00
|
|
|
from appy.gen import WorkflowOwner
|
2014-09-11 09:41:08 -05:00
|
|
|
from appy.gen.layout import summaryPageLayouts
|
2011-12-05 08:11:29 -06:00
|
|
|
from appy.gen.wrappers import AbstractWrapper
|
2013-08-21 05:35:30 -05:00
|
|
|
from appy.gen import utils as gutils
|
2014-09-29 03:06:40 -05:00
|
|
|
from appy.shared import utils as sutils
|
2010-09-02 09:16:08 -05:00
|
|
|
|
|
|
|
# ------------------------------------------------------------------------------
|
|
|
|
class UserWrapper(AbstractWrapper):
|
2012-05-05 10:04:19 -05:00
|
|
|
workflow = WorkflowOwner
|
2014-07-18 09:54:11 -05:00
|
|
|
specialUsers = ('system', 'anon', 'admin')
|
2014-09-11 09:41:08 -05:00
|
|
|
layouts = summaryPageLayouts
|
2010-10-14 07:43:56 -05:00
|
|
|
|
2014-10-24 08:55:45 -05:00
|
|
|
# Display, in the user strip, links to the User instance of the logged user.
|
2014-11-13 08:02:33 -06:00
|
|
|
pxUserLink = Px('''
|
2014-10-24 08:55:45 -05:00
|
|
|
<td class="userStripText" align=":dright">
|
2014-11-14 06:19:47 -06:00
|
|
|
<a if="cfg.userLink" href=":user.url"><img src=":url('user')"/>
|
2014-10-24 08:55:45 -05:00
|
|
|
<span style="padding: 0 3px">:user.getTitle()</span></a>
|
2014-11-14 06:19:47 -06:00
|
|
|
<x if="not cfg.userLink">:user.getTitle()</x>
|
2014-10-24 08:55:45 -05:00
|
|
|
</td>''')
|
|
|
|
|
2014-11-12 01:49:11 -06:00
|
|
|
def isSpecial(self): return self.login in self.specialUsers
|
|
|
|
|
2014-09-29 03:06:40 -05:00
|
|
|
def getTitle(self, normalized=False):
|
|
|
|
'''Returns a nice name for this user, based on available information:
|
|
|
|
name/first name or title or login. If p_normalized is True, special
|
|
|
|
chars (like accents) are converted to ascii chars.'''
|
|
|
|
# Manage the special case of an anonymous user.
|
|
|
|
login = self.login
|
|
|
|
if login == 'anon':
|
|
|
|
res = self.translate('anonymous')
|
|
|
|
else:
|
|
|
|
res = self.title or login
|
|
|
|
if not normalized: return res
|
|
|
|
return sutils.normalizeString(name)
|
|
|
|
|
2010-09-02 09:16:08 -05:00
|
|
|
def showLogin(self):
|
|
|
|
'''When must we show the login field?'''
|
|
|
|
if self.o.isTemporary(): return 'edit'
|
2013-10-18 09:42:52 -05:00
|
|
|
# The manager has the possibility to change the login itself (local
|
|
|
|
# users only).
|
|
|
|
if self.user.has_role('Manager') and (self.source == 'zodb'):
|
|
|
|
return True
|
2012-05-05 10:04:19 -05:00
|
|
|
return ('view', 'result')
|
2010-09-02 09:16:08 -05:00
|
|
|
|
2013-10-18 09:42:52 -05:00
|
|
|
def showName(self):
|
|
|
|
'''Name and first name, by default, can not be edited for non-local
|
|
|
|
users.'''
|
|
|
|
if (self.source != 'zodb'): return ('view', 'result')
|
2012-03-03 16:29:32 -06:00
|
|
|
return True
|
|
|
|
|
2012-02-21 05:09:42 -06:00
|
|
|
def showEmail(self):
|
|
|
|
'''In most cases, email is the login. Show the field only if it is not
|
|
|
|
the case.'''
|
|
|
|
email = self.email
|
2013-10-18 09:42:52 -05:00
|
|
|
if email and (email != self.login):
|
|
|
|
if (self.source != 'zodb'): return ('view', 'result')
|
|
|
|
return True
|
2012-02-21 05:09:42 -06:00
|
|
|
|
2013-06-09 17:13:29 -05:00
|
|
|
def showRoles(tool):
|
2012-02-21 05:09:42 -06:00
|
|
|
'''Only the admin can view or edit roles.'''
|
2013-06-09 17:13:29 -05:00
|
|
|
return tool.user.has_role('Manager')
|
2012-02-21 05:09:42 -06:00
|
|
|
|
2010-09-02 09:16:08 -05:00
|
|
|
def validateLogin(self, login):
|
|
|
|
'''Is this p_login valid?'''
|
2012-07-10 07:21:08 -05:00
|
|
|
# 2 cases: (1) The user is being created and has no login yet, or
|
|
|
|
# (2) The user is being edited and has already a login, that
|
|
|
|
# can potentially be changed.
|
|
|
|
if not self.login or (login != self.login):
|
|
|
|
# A new p_login is requested. Check if it is valid and free.
|
2013-09-09 08:54:06 -05:00
|
|
|
# Some logins are not allowed.
|
2014-07-18 09:54:11 -05:00
|
|
|
if login in self.specialUsers:
|
2013-09-09 08:54:06 -05:00
|
|
|
return self.translate('login_reserved')
|
2012-07-10 07:21:08 -05:00
|
|
|
# Check that no user or group already uses this login.
|
|
|
|
if self.count('User', noSecurity=True, login=login) or \
|
|
|
|
self.count('Group', noSecurity=True, login=login):
|
|
|
|
return self.translate('login_in_use')
|
2010-09-02 09:16:08 -05:00
|
|
|
return True
|
|
|
|
|
|
|
|
def validatePassword(self, password):
|
|
|
|
'''Is this p_password valid?'''
|
|
|
|
# Password must be at least 5 chars length
|
|
|
|
if len(password) < 5:
|
2012-06-03 11:34:56 -05:00
|
|
|
return self.translate('password_too_short', mapping={'nb':5})
|
2010-09-02 09:16:08 -05:00
|
|
|
return True
|
|
|
|
|
2014-11-25 07:56:38 -06:00
|
|
|
def showPassword12(self):
|
|
|
|
'''Fields "passwords1" and "password2", used only for modifying a
|
|
|
|
password on an existing user (on specific page "passwords"), must be
|
|
|
|
shown only for the user that can modify his password.'''
|
|
|
|
# On creation, fields "password3" and "password4" are used
|
|
|
|
if self.o.isTemporary(): return
|
2012-07-10 07:21:08 -05:00
|
|
|
# When the user itself (we don't check role Owner because a Manager can
|
|
|
|
# also own a User instance) wants to edit information about himself.
|
2013-10-18 09:42:52 -05:00
|
|
|
if (self.user.login == self.login) and (self.source == 'zodb'):
|
|
|
|
return 'edit'
|
2010-09-02 09:16:08 -05:00
|
|
|
|
2014-11-25 07:56:38 -06:00
|
|
|
def showPassword34(self):
|
|
|
|
'''Fields "password3" and "password4", used only on the main page for
|
|
|
|
entering a password when creating a new user, must be shown only when
|
|
|
|
the object is temporary.'''
|
|
|
|
if self.o.isTemporary(): return 'edit'
|
|
|
|
|
2013-09-09 08:54:06 -05:00
|
|
|
def encryptPassword(self, clearPassword):
|
|
|
|
'''Returns p_clearPassword, encrypted.'''
|
|
|
|
return self.o.getTool().acl_users._encryptPassword(clearPassword)
|
|
|
|
|
2013-09-09 16:14:50 -05:00
|
|
|
def setPassword(self, newPassword=None, log=True):
|
2012-05-29 13:50:18 -05:00
|
|
|
'''Sets a p_newPassword for self. If p_newPassword is not given, we
|
|
|
|
generate one. This method returns the generated password (or simply
|
|
|
|
p_newPassword if no generation occurred).'''
|
2014-05-19 05:12:33 -05:00
|
|
|
if newPassword != None:
|
2012-05-29 13:50:18 -05:00
|
|
|
msgPart = 'changed'
|
|
|
|
else:
|
2014-11-25 07:56:38 -06:00
|
|
|
# Take any password field for generating a new password
|
|
|
|
newPassword = self.getField('password2').generatePassword()
|
2012-05-29 13:50:18 -05:00
|
|
|
msgPart = 'generated'
|
|
|
|
login = self.login
|
2013-08-21 05:35:30 -05:00
|
|
|
zopeUser = self.getZopeUser()
|
2012-05-29 13:50:18 -05:00
|
|
|
tool = self.tool.o
|
2013-09-09 08:54:06 -05:00
|
|
|
zopeUser.__ = self.encryptPassword(newPassword)
|
2013-09-09 16:14:50 -05:00
|
|
|
if self.user and (self.user.login == login):
|
2012-05-29 13:50:18 -05:00
|
|
|
# The user for which we change the password is the currently logged
|
|
|
|
# user. So update the authentication cookie, too.
|
2013-08-21 05:35:30 -05:00
|
|
|
gutils.writeCookie(login, newPassword, self.request)
|
2013-09-09 16:14:50 -05:00
|
|
|
if log:
|
2014-09-01 07:14:32 -05:00
|
|
|
self.log('password %s for %s.' % (msgPart, login))
|
2012-05-29 13:50:18 -05:00
|
|
|
return newPassword
|
|
|
|
|
2013-09-10 10:55:10 -05:00
|
|
|
def setEncryptedPassword(self, encryptedPassword):
|
|
|
|
'''Sets p_encryptedPassword for this user. m_setPassword above starts
|
|
|
|
for a clear (given or generated) password. This one simply sets an
|
|
|
|
already encrypted password for this user.'''
|
|
|
|
self.getZopeUser().__ = encryptedPassword
|
|
|
|
|
2012-07-12 10:54:14 -05:00
|
|
|
def checkPassword(self, clearPassword):
|
|
|
|
'''Returns True if p_clearPassword is the correct password for this
|
|
|
|
user.'''
|
|
|
|
encryptedPassword = self.getZopeUser()._getPassword()
|
|
|
|
from AccessControl.AuthEncoding import pw_validate
|
|
|
|
return pw_validate(encryptedPassword, clearPassword)
|
|
|
|
|
2014-09-17 11:09:30 -05:00
|
|
|
def getMailRecipient(self):
|
|
|
|
'''Returns, for this user, the "recipient string" (first name, name,
|
|
|
|
email) as can be used for sending an email.'''
|
|
|
|
res = self.email or self.login
|
|
|
|
# Ensure this is really an email
|
|
|
|
if not String.EMAIL.match(res): return
|
|
|
|
return '%s <%s>' % (self.title, res)
|
|
|
|
|
2012-07-11 10:27:40 -05:00
|
|
|
def setLogin(self, oldLogin, newLogin):
|
|
|
|
'''Changes the login of this user from p_oldLogin to p_newLogin.'''
|
|
|
|
self.login = newLogin
|
|
|
|
# Update the corresponding Zope-level user
|
|
|
|
aclUsers = self.o.acl_users
|
2013-09-09 08:54:06 -05:00
|
|
|
zopeUser = aclUsers.data[oldLogin]
|
2012-07-11 10:27:40 -05:00
|
|
|
zopeUser.name = newLogin
|
|
|
|
del aclUsers.data[oldLogin]
|
|
|
|
aclUsers.data[newLogin] = zopeUser
|
|
|
|
# Update the email if the email corresponds to the login.
|
|
|
|
email = self.email
|
|
|
|
if email == oldLogin:
|
|
|
|
self.email = newLogin
|
2013-08-21 05:35:30 -05:00
|
|
|
# Update the title
|
|
|
|
self.updateTitle()
|
2012-07-11 10:27:40 -05:00
|
|
|
# Browse all objects of the database and update potential local roles
|
|
|
|
# that referred to the old login.
|
|
|
|
context = {'nb': 0, 'old': oldLogin, 'new': newLogin}
|
2014-02-26 16:40:27 -06:00
|
|
|
for className in self.tool.o.getAllClassNames():
|
2012-07-11 10:27:40 -05:00
|
|
|
self.compute(className, context=context, noSecurity=True,
|
|
|
|
expression="ctx['nb'] += obj.o.applyUserIdChange(" \
|
|
|
|
"ctx['old'], ctx['new'])")
|
2014-09-01 07:14:32 -05:00
|
|
|
self.log("login %s renamed to %s." % (oldLogin, newLogin))
|
|
|
|
self.log('login change: local roles updated in %d object(s).' % \
|
2012-07-11 10:27:40 -05:00
|
|
|
context['nb'])
|
|
|
|
|
2010-09-02 09:16:08 -05:00
|
|
|
def getGrantableRoles(self):
|
|
|
|
'''Returns the list of roles that the admin can grant to a user.'''
|
|
|
|
res = []
|
|
|
|
for role in self.o.getProductConfig().grantableRoles:
|
|
|
|
res.append( (role, self.translate('role_%s' % role)) )
|
|
|
|
return res
|
|
|
|
|
|
|
|
def validate(self, new, errors):
|
|
|
|
'''Inter-field validation.'''
|
2012-07-10 07:21:08 -05:00
|
|
|
self.o._oldLogin = None
|
2014-11-25 07:56:38 -06:00
|
|
|
# Check that passwords match, either on page "passwords" (passwords 1
|
|
|
|
# and 2) or on page "main" (passwords 3 and 4).
|
|
|
|
for i in (1, 3):
|
|
|
|
passwordA = 'password%d' % i
|
|
|
|
passwordB = 'password%d' % (i + 1)
|
|
|
|
if hasattr(new, passwordA) and \
|
|
|
|
(getattr(new, passwordA) != getattr(new, passwordB)):
|
2012-06-03 11:34:56 -05:00
|
|
|
msg = self.translate('passwords_mismatch')
|
2014-11-25 07:56:38 -06:00
|
|
|
setattr(errors, passwordA, msg)
|
|
|
|
setattr(errors, passwordB, msg)
|
2012-07-10 07:21:08 -05:00
|
|
|
# Remember the previous login
|
|
|
|
if self.login: self.o._oldLogin = self.login
|
2011-02-06 10:39:36 -06:00
|
|
|
return self._callCustom('validate', new, errors)
|
2010-09-02 09:16:08 -05:00
|
|
|
|
2013-08-21 05:35:30 -05:00
|
|
|
def updateTitle(self):
|
|
|
|
'''Sets a title for this user.'''
|
2013-07-23 10:07:27 -05:00
|
|
|
if self.firstName and self.name:
|
|
|
|
self.title = '%s %s' % (self.name, self.firstName)
|
|
|
|
else:
|
2014-09-10 09:26:19 -05:00
|
|
|
self.title = self.title or self.login
|
2013-08-21 05:35:30 -05:00
|
|
|
|
2013-08-23 11:57:27 -05:00
|
|
|
def ensureAdminIsManager(self):
|
|
|
|
'''User 'admin' must always have role 'Manager'.'''
|
|
|
|
if self.o.id == 'admin':
|
|
|
|
roles = self.roles
|
|
|
|
if 'Manager' not in roles:
|
|
|
|
if not roles: roles = ['Manager']
|
|
|
|
else: roles.append('Manager')
|
|
|
|
self.roles = roles
|
|
|
|
|
2013-09-10 10:55:10 -05:00
|
|
|
def getSupTitle(self, nav):
|
|
|
|
'''Display a specific icon if the user is a local copy of an external
|
|
|
|
(ie, ldap) user.'''
|
|
|
|
if self.source == 'zodb': return
|
|
|
|
return '<img src="%s/ui/external.png"/>' % self.o.getTool().getSiteUrl()
|
|
|
|
|
2013-08-21 05:35:30 -05:00
|
|
|
def onEdit(self, created):
|
2013-09-09 08:54:06 -05:00
|
|
|
'''Triggered when a User is created or updated.'''
|
2011-11-25 11:01:20 -06:00
|
|
|
login = self.login
|
2013-09-09 08:54:06 -05:00
|
|
|
# Is it a local User or a LDAP User?
|
|
|
|
isLocal = self.source == 'zodb'
|
|
|
|
# Ensure correctness of some infos about this user.
|
|
|
|
if isLocal:
|
|
|
|
self.updateTitle()
|
|
|
|
self.ensureAdminIsManager()
|
2010-09-02 09:16:08 -05:00
|
|
|
if created:
|
2014-11-25 07:56:38 -06:00
|
|
|
# Create the corresponding Zope user
|
2013-09-09 08:54:06 -05:00
|
|
|
from AccessControl.User import User as ZopeUser
|
2014-11-25 07:56:38 -06:00
|
|
|
password = self.encryptPassword(self.password3)
|
2013-09-09 08:54:06 -05:00
|
|
|
zopeUser = ZopeUser(login, password, self.roles, ())
|
|
|
|
# Add it in acl_users if it is a local user.
|
|
|
|
if isLocal: self.o.acl_users.data[login] = zopeUser
|
|
|
|
# Add it in self.o._zopeUser if it is a LDAP user
|
|
|
|
else: self.o._zopeUser = zopeUser
|
2010-09-02 09:16:08 -05:00
|
|
|
# Remove our own password copies
|
2014-11-25 07:56:38 -06:00
|
|
|
self.password3 = self.password4 = ''
|
2011-11-28 15:50:01 -06:00
|
|
|
else:
|
2014-11-25 07:56:38 -06:00
|
|
|
# Update the login itself if the user has changed it
|
2012-07-10 07:21:08 -05:00
|
|
|
oldLogin = self.o._oldLogin
|
|
|
|
if oldLogin and (oldLogin != login):
|
2012-07-11 10:27:40 -05:00
|
|
|
self.setLogin(oldLogin, login)
|
2012-07-10 07:21:08 -05:00
|
|
|
del self.o._oldLogin
|
2014-11-25 07:56:38 -06:00
|
|
|
# Update roles at the Zope level
|
2013-08-21 05:35:30 -05:00
|
|
|
zopeUser = self.getZopeUser()
|
2011-11-28 15:50:01 -06:00
|
|
|
zopeUser.roles = self.roles
|
2014-11-25 07:56:38 -06:00
|
|
|
# Update the password if the user has entered new ones
|
2012-02-21 05:09:42 -06:00
|
|
|
rq = self.request
|
2014-11-25 07:56:38 -06:00
|
|
|
if rq.get('page', 'main') == 'passwords':
|
2012-06-02 13:55:25 -05:00
|
|
|
self.setPassword(rq['password1'])
|
|
|
|
self.password1 = self.password2 = ''
|
2012-02-16 11:13:51 -06:00
|
|
|
# "self" must be owned by its Zope user.
|
2011-11-25 11:01:20 -06:00
|
|
|
if 'Owner' not in self.o.get_local_roles_for_userid(login):
|
|
|
|
self.o.manage_addLocalRoles(login, ('Owner',))
|
2013-09-22 15:08:48 -05:00
|
|
|
# If the user was created by anon|system, anon|system can't stay Owner.
|
|
|
|
for login in ('anon', 'system'):
|
|
|
|
if login in self.o.__ac_local_roles__:
|
|
|
|
del self.o.__ac_local_roles__[login]
|
2011-02-06 10:39:36 -06:00
|
|
|
return self._callCustom('onEdit', created)
|
2010-11-26 10:30:46 -06:00
|
|
|
|
2012-09-17 14:11:54 -05:00
|
|
|
def mayEdit(self):
|
2013-10-18 09:42:52 -05:00
|
|
|
'''No one can edit users "system" and "anon".'''
|
2014-07-18 09:54:11 -05:00
|
|
|
if self.o.id in ('anon', 'system'): return
|
2013-08-23 11:57:27 -05:00
|
|
|
# Call custom "mayEdit" when present.
|
2012-09-17 14:11:54 -05:00
|
|
|
custom = self._getCustomMethod('mayEdit')
|
|
|
|
if custom: return self._callCustom('mayEdit')
|
2013-08-23 11:57:27 -05:00
|
|
|
return True
|
2012-09-17 14:11:54 -05:00
|
|
|
|
|
|
|
def mayDelete(self):
|
2013-10-18 09:42:52 -05:00
|
|
|
'''No one can delete users "system", "anon" and "admin".'''
|
2014-07-18 09:54:11 -05:00
|
|
|
if self.o.id in self.specialUsers: return
|
2013-08-23 11:57:27 -05:00
|
|
|
# Call custom "mayDelete" when present.
|
2012-09-17 14:11:54 -05:00
|
|
|
custom = self._getCustomMethod('mayDelete')
|
|
|
|
if custom: return self._callCustom('mayDelete')
|
2013-08-23 11:57:27 -05:00
|
|
|
return True
|
2012-08-17 10:12:15 -05:00
|
|
|
|
2011-11-28 15:50:01 -06:00
|
|
|
def getZopeUser(self):
|
|
|
|
'''Gets the Zope user corresponding to this user.'''
|
2013-09-09 08:54:06 -05:00
|
|
|
if self.source == 'zodb':
|
|
|
|
return self.o.acl_users.data.get(self.login, None)
|
|
|
|
return self.o._zopeUser
|
2011-11-28 15:50:01 -06:00
|
|
|
|
2010-11-26 10:30:46 -06:00
|
|
|
def onDelete(self):
|
2013-09-09 08:54:06 -05:00
|
|
|
'''Before deleting myself, I must delete the corresponding Zope user
|
|
|
|
(for local users only).'''
|
|
|
|
if self.source == 'zodb': del self.o.acl_users.data[self.login]
|
2014-09-01 07:14:32 -05:00
|
|
|
self.log('user %s deleted.' % self.login)
|
2010-11-26 10:30:46 -06:00
|
|
|
# Call a custom "onDelete" if any.
|
2011-02-06 10:39:36 -06:00
|
|
|
return self._callCustom('onDelete')
|
2011-11-28 15:50:01 -06:00
|
|
|
|
2013-09-23 15:36:09 -05:00
|
|
|
def getLogins(self, groupsOnly=False):
|
|
|
|
'''Gets all the logins that can "match" this user: it own login
|
|
|
|
(excepted if p_groupsOnly is True) and the logins of all the groups
|
|
|
|
he belongs to.'''
|
|
|
|
# Try first to get those logins from a cache on the request, if this
|
|
|
|
# user corresponds to the logged user.
|
|
|
|
rq = self.request
|
|
|
|
if (self.user == self) and hasattr(rq, 'userLogins'):
|
|
|
|
return rq.userLogins
|
|
|
|
# Compute it.
|
|
|
|
res = [group.login for group in self.groups]
|
|
|
|
if not groupsOnly: res.append(self.login)
|
|
|
|
return res
|
2013-08-21 05:35:30 -05:00
|
|
|
|
|
|
|
def getRoles(self):
|
2013-08-23 11:57:27 -05:00
|
|
|
'''This method returns all the global roles for this user, not simply
|
|
|
|
self.roles, but also "ungrantable roles" (like Anonymous or
|
|
|
|
Authenticated) and roles inherited from group membership.'''
|
2013-09-23 15:36:09 -05:00
|
|
|
# Try first to get those roles from a cache on the request, if this user
|
|
|
|
# corresponds to the logged user.
|
|
|
|
rq = self.request
|
|
|
|
if (self.user == self) and hasattr(rq, 'userRoles'):
|
|
|
|
return rq.userRoles
|
|
|
|
# Compute it.
|
|
|
|
res = list(self.roles)
|
|
|
|
# Add ungrantable roles
|
|
|
|
if self.o.id == 'anon':
|
|
|
|
res.append('Anonymous')
|
|
|
|
else:
|
|
|
|
res.append('Authenticated')
|
|
|
|
# Add group global roles
|
|
|
|
for group in self.groups:
|
|
|
|
for role in group.roles:
|
|
|
|
if role not in res: res.append(role)
|
|
|
|
return res
|
2011-11-28 15:50:01 -06:00
|
|
|
|
2013-08-23 11:57:27 -05:00
|
|
|
def getRolesFor(self, obj):
|
|
|
|
'''Gets the roles the user has in the context of p_obj: its global roles
|
|
|
|
+ its roles which are local to p_obj.'''
|
|
|
|
obj = obj.o
|
|
|
|
# Start with user global roles.
|
2011-11-28 15:50:01 -06:00
|
|
|
res = self.getRoles()
|
2013-08-23 11:57:27 -05:00
|
|
|
# Add local roles, granted to the user directly or to one of its groups.
|
|
|
|
localRoles = getattr(obj.aq_base, '__ac_local_roles__', None)
|
2011-11-28 15:50:01 -06:00
|
|
|
if not localRoles: return res
|
2013-08-23 11:57:27 -05:00
|
|
|
# Gets the logins of this user and all its groups.
|
|
|
|
logins = self.getLogins()
|
|
|
|
for login, roles in localRoles.iteritems():
|
|
|
|
# Ignore logins not corresponding to this user.
|
|
|
|
if login not in logins: continue
|
2012-02-02 10:30:54 -06:00
|
|
|
for role in roles:
|
|
|
|
if role not in res: res.append(role)
|
2011-11-28 15:50:01 -06:00
|
|
|
return res
|
|
|
|
|
2013-08-23 11:57:27 -05:00
|
|
|
def has_role(self, role, obj=None):
|
|
|
|
'''Has the logged user some p_role? If p_obj is None, check if the user
|
|
|
|
has p_role globally; else, check if he has this p_role in the context
|
|
|
|
of p_obj.'''
|
|
|
|
if obj:
|
|
|
|
roles = self.getRolesFor(obj)
|
|
|
|
else:
|
|
|
|
roles = self.getRoles()
|
|
|
|
return role in roles
|
|
|
|
|
|
|
|
def has_permission(self, permission, obj):
|
|
|
|
'''Has the logged user p_permission on p_obj?'''
|
|
|
|
obj = obj.o
|
|
|
|
# What are the roles which are granted p_permission on p_obj?
|
|
|
|
allowedRoles = obj.getRolesFor(permission)
|
|
|
|
# Grant access if "Anonymous" is among roles.
|
|
|
|
if ('Anonymous' in allowedRoles): return True
|
|
|
|
# Grant access if "Authenticated" is among p_roles and the user is not
|
|
|
|
# anonymous.
|
|
|
|
if ('Authenticated' in allowedRoles) and (self.o.id != 'anon'):
|
|
|
|
return True
|
|
|
|
# Grant access based on global user roles.
|
2011-11-28 15:50:01 -06:00
|
|
|
for role in self.getRoles():
|
2013-08-23 11:57:27 -05:00
|
|
|
if role in allowedRoles: return True
|
|
|
|
# Grant access based on local roles
|
|
|
|
localRoles = getattr(obj.aq_base, '__ac_local_roles__', None)
|
2011-11-28 15:50:01 -06:00
|
|
|
if not localRoles: return
|
2013-08-23 11:57:27 -05:00
|
|
|
# Gets the logins of this user and all its groups.
|
|
|
|
userLogins = self.getLogins()
|
|
|
|
for login, roles in localRoles.iteritems():
|
|
|
|
# Ignore logins not corresponding to this user.
|
2013-09-09 16:14:50 -05:00
|
|
|
if login not in userLogins: continue
|
2011-11-28 15:50:01 -06:00
|
|
|
for role in roles:
|
2013-08-23 11:57:27 -05:00
|
|
|
if role in allowedRoles: return True
|
2010-09-02 09:16:08 -05:00
|
|
|
# ------------------------------------------------------------------------------
|