From 982ae08997feccf3b2d889b18966e9b0a07b4bdf Mon Sep 17 00:00:00 2001
From: Gaetan Delannay <gaetan.delannay@gmail.com>
Date: Thu, 18 Dec 2014 13:54:12 +0100
Subject: [PATCH] [gen] Added method UserWrapper.addRole (add a role
 programmatically). Added to the LDAP config, a user map allowing to
 automatically assign roles and groups to ldap-imported users.

---
 gen/wrappers/UserWrapper.py |  9 +++++++++
 shared/ldap_connector.py    | 26 ++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/gen/wrappers/UserWrapper.py b/gen/wrappers/UserWrapper.py
index e8f99f7..4fa696a 100644
--- a/gen/wrappers/UserWrapper.py
+++ b/gen/wrappers/UserWrapper.py
@@ -349,6 +349,15 @@ class UserWrapper(AbstractWrapper):
                 if role not in res: res.append(role)
         return res
 
+    def addRole(self, role):
+        '''Adds p_role to the user's global roles.'''
+        roles = self.roles
+        if role in roles: return
+        roles = list(roles)
+        roles.append(role)
+        self.roles = roles
+        self.getZopeUser().roles = roles
+
     def has_role(self, role, obj=None):
         '''Has the logged user some p_role? If p_obj is None, check if the user
            has p_role globally; else, check if he has this p_role in the context
diff --git a/shared/ldap_connector.py b/shared/ldap_connector.py
index fc8d6cb..35289ee 100644
--- a/shared/ldap_connector.py
+++ b/shared/ldap_connector.py
@@ -38,6 +38,16 @@ class LdapConfig:
         self.scope = 'SUBTREE' # Scope of the search within self.baseDn
         # Is this server connection enabled ?
         self.enabled = True
+        # The "user map" allows to put LDAP users into groups or assign them
+        # roles. This dict will be used every time a local User will be created.
+        # It can be while synchronizing all users (see m_synchronizeUsers
+        # below) or when the user logs in for the first time (see m_getUser
+        # below). This dict will NOT be used subsequently, when updating the
+        # User instance. Every key must be a user login. Every value is an
+        # appy.Object instance having the optional attributes:
+        # "groups": a list of group IDs (logins);
+        # "roles":  a list of global role names.
+        self.userMap = {}
 
     def getServerUri(self):
         '''Returns the complete URI for accessing the LDAP, ie
@@ -110,6 +120,22 @@ class LdapConfig:
                                source='ldap', **attrs)
             if password: user.setPassword(password, log=False)
             status = 'created'
+            # Put him into groups and/or grant him some roles according to
+            # self.userMap.
+            if login in self.userMap:
+                privileges = self.userMap[login]
+                # Put the user in some groups
+                groups = getattr(privileges, 'groups', None)
+                if groups:
+                    for groupLogin in groups:
+                        group = tool.search1('Group', noSecurity=True,
+                                             login=groupLogin)
+                        group.link('users', user)
+                # Grant him some roles
+                roles = getattr(privileges, 'roles', None)
+                if roles:
+                    for role in roles: user.addRole(role)
+                tool.log('%s: automatic privileges set.' % login)
         return user, status
 
     def getUser(self, tool, login, password):