Commit b385b625 authored by Yoshinori Okuji's avatar Yoshinori Okuji

Define a super user and use it for searching users.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@5807 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 8175e80f
...@@ -24,11 +24,14 @@ from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin ...@@ -24,11 +24,14 @@ from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
from Products.PluggableAuthService.utils import classImplements from Products.PluggableAuthService.utils import classImplements
from Products.PluggableAuthService.interfaces.plugins import IGroupsPlugin from Products.PluggableAuthService.interfaces.plugins import IGroupsPlugin
from Products.ERP5Type.Cache import CachingMethod from Products.ERP5Type.Cache import CachingMethod
from Products.PluggableAuthService.PropertiedUser import PropertiedUser
from pickle import dumps, loads from pickle import dumps, loads
from zLOG import LOG from zLOG import LOG
from ERP5UserManager import SUPER_USER
manage_addERP5GroupManagerForm = PageTemplateFile( manage_addERP5GroupManagerForm = PageTemplateFile(
'www/ERP5Security_addERP5GroupManager', globals(), __name__='manage_addERP5GroupManagerForm' ) 'www/ERP5Security_addERP5GroupManager', globals(), __name__='manage_addERP5GroupManagerForm' )
...@@ -65,6 +68,10 @@ class ERP5GroupManager(BasePlugin): ...@@ -65,6 +68,10 @@ class ERP5GroupManager(BasePlugin):
def getGroupsForPrincipal(self, principal, request=None): def getGroupsForPrincipal(self, principal, request=None):
""" See IGroupsPlugin. """ See IGroupsPlugin.
""" """
# If this is the super user, skip the check.
if principal.getId() == SUPER_USER:
return ()
def _getGroupsForPrincipal(user_name, path): def _getGroupsForPrincipal(user_name, path):
security_category_dict = {} # key is the base_category_list, security_category_dict = {} # key is the base_category_list,
# value is the list of fetched categories # value is the list of fetched categories
...@@ -73,10 +80,9 @@ class ERP5GroupManager(BasePlugin): ...@@ -73,10 +80,9 @@ class ERP5GroupManager(BasePlugin):
# because we aren't logged in, we have to create our own # because we aren't logged in, we have to create our own
# SecurityManager to be able to access the Catalog # SecurityManager to be able to access the Catalog
#FIXME here we assume that the portal owner will always have
# enough rights, which might as well be wrong
sm = getSecurityManager() sm = getSecurityManager()
newSecurityManager(self, self.getPortalObject().getOwner()) if sm.getUser() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER))
# To get the complete list of groups, we try to call the # To get the complete list of groups, we try to call the
# ERP5Type_getSecurityCategoryMapping which should return a list # ERP5Type_getSecurityCategoryMapping which should return a list
......
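Review bot: The guard `if sm.getUser() != SUPER_USER:` added in the second hunk compares the user object returned by `getSecurityManager().getUser()` with the string constant, so it is always true and a fresh security manager is installed even when the super user is already active; the intended test is `if sm.getUser().getId() != SUPER_USER:`. The same object-versus-string comparison is introduced in ERP5UserManager.getUserByLogin by this commit. The `PropertiedUser` import added in the first hunk is not used by any line visible here; if nothing outside the hunk needs it, drop it. `_getGroupsForPrincipal` continues past the end of the hunk, so whether the original manager is restored with `setSecurityManager(sm)` on every path cannot be confirmed from this view.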
...@@ -20,7 +20,9 @@ from AccessControl import ClassSecurityInfo ...@@ -20,7 +20,9 @@ from AccessControl import ClassSecurityInfo
from Products.PageTemplates.PageTemplateFile import PageTemplateFile from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
from Products.PluggableAuthService.utils import classImplements from Products.PluggableAuthService.utils import classImplements
from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin, IRoleEnumerationPlugin
from ERP5UserManager import SUPER_USER
manage_addERP5RoleManagerForm = PageTemplateFile( manage_addERP5RoleManagerForm = PageTemplateFile(
'www/ERP5Security_addERP5RoleManager', globals(), __name__='manage_addERP5RoleManagerForm' ) 'www/ERP5Security_addERP5RoleManager', globals(), __name__='manage_addERP5RoleManagerForm' )
...@@ -37,7 +39,7 @@ def addERP5RoleManager( dispatcher, id, title=None, REQUEST=None ): ...@@ -37,7 +39,7 @@ def addERP5RoleManager( dispatcher, id, title=None, REQUEST=None ):
'?manage_tabs_message=' '?manage_tabs_message='
'ERP5RoleManager+added.' 'ERP5RoleManager+added.'
% dispatcher.absolute_url()) % dispatcher.absolute_url())
class ERP5RoleManager( BasePlugin ): class ERP5RoleManager( BasePlugin ):
""" PAS plugin to add 'Member' as default """ PAS plugin to add 'Member' as default
...@@ -51,7 +53,7 @@ class ERP5RoleManager( BasePlugin ): ...@@ -51,7 +53,7 @@ class ERP5RoleManager( BasePlugin ):
self._id = self.id = id self._id = self.id = id
self.title = title self.title = title
# #
# IRolesPlugin implementation # IRolesPlugin implementation
# #
...@@ -60,9 +62,17 @@ class ERP5RoleManager( BasePlugin ): ...@@ -60,9 +62,17 @@ class ERP5RoleManager( BasePlugin ):
""" See IRolesPlugin. """ See IRolesPlugin.
We only ever return Member for every principal We only ever return Member for every principal
""" """
if principal.getId() == SUPER_USER:
# If this is the super user, give all the roles present in this system.
# XXX no API to do this in PAS.
rolemakers = self._getPAS().plugins.listPlugins( IRoleEnumerationPlugin )
roles = []
for rolemaker_id, rolemaker in rolemakers:
roles.extend([role['id'] for role in rolemaker.enumerateRoles()])
return tuple(roles)
return ('Member',) return ('Member',)
classImplements( ERP5RoleManager classImplements( ERP5RoleManager
, IRolesPlugin , IRolesPlugin
) )
......
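Review bot: The new branch in getRolesForPrincipal hands every role any IRoleEnumerationPlugin reports to whichever principal carries the id SUPER_USER, but the only thing preventing that id from being authenticated is ERP5UserManager.authenticateCredentials; another IAuthenticationPlugin registered in the same PAS (a ZODB user manager, for instance) could still mint a principal with that exact id and receive all roles. Since the constant is a fixed, greppable string, this assumption should at least be stated on the branch, e.g. `# Relies on no authentication plugin in this PAS ever accepting SUPER_USER as a login; see ERP5UserManager.authenticateCredentials`, and ideally the check should be tied to the internal code path that creates the super user rather than to the id alone. The `roles` list may also contain duplicates when several plugins enumerate the same role; `return tuple(set(roles))` avoids that if ordering is not significant. `classImplements` still lists only IRolesPlugin, which is correct since the plugin consumes rather than implements IRoleEnumerationPlugin.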
...@@ -28,6 +28,9 @@ from Products.ERP5Type.Cache import CachingMethod ...@@ -28,6 +28,9 @@ from Products.ERP5Type.Cache import CachingMethod
from zLOG import LOG from zLOG import LOG
# This user is used to bypass all security checks.
SUPER_USER = '__erp5security-=__'
manage_addERP5UserManagerForm = PageTemplateFile( manage_addERP5UserManagerForm = PageTemplateFile(
'www/ERP5Security_addERP5UserManager', globals(), __name__='manage_addERP5UserManagerForm' ) 'www/ERP5Security_addERP5UserManager', globals(), __name__='manage_addERP5UserManagerForm' )
...@@ -67,6 +70,10 @@ class ERP5UserManager(BasePlugin): ...@@ -67,6 +70,10 @@ class ERP5UserManager(BasePlugin):
o We expect the credentials to be those returned by o We expect the credentials to be those returned by
ILoginPasswordExtractionPlugin. ILoginPasswordExtractionPlugin.
""" """
# Forbidden the usage of the super user.
if credentials.get('login') == SUPER_USER:
return None
def _authenticateCredentials(login, password, path): def _authenticateCredentials(login, password, path):
if login is None or password is None: if login is None or password is None:
return None return None
...@@ -80,7 +87,6 @@ class ERP5UserManager(BasePlugin): ...@@ -80,7 +87,6 @@ class ERP5UserManager(BasePlugin):
if user.getPassword() == password and\ if user.getPassword() == password and\
user.getCareerRole() == 'internal': user.getCareerRole() == 'internal':
LOG('authenticateCredentials', 0, user.getId())
return login, login # use same for user_id and login return login, login # use same for user_id and login
return None return None
...@@ -99,21 +105,32 @@ class ERP5UserManager(BasePlugin): ...@@ -99,21 +105,32 @@ class ERP5UserManager(BasePlugin):
user_info = [] user_info = []
plugin_id = self.getId() plugin_id = self.getId()
if not exact_match: id_list = []
id_tuple = tuple(['%%%s%%' % id for id in id_tuple]) for id in id_tuple:
if SUPER_USER == id:
info = { 'id' : SUPER_USER
, 'login' : SUPER_USER
, 'pluginid' : plugin_id
}
user_info.append(info)
else:
if exact_match:
id_list.append(id)
else:
id_list.append('%%%s%%' % id)
user_objects = [user for user in self.getUserByLogin(id_tuple)\ if id_list:
if user.getCareerRole() == 'internal'] user_objects = [user for user in self.getUserByLogin(tuple(id_list))\
#XXX is this static check ok ? if user.getCareerRole() == 'internal']
#XXX is this static check ok ?
for user in user_objects: for user in user_objects:
LOG('enumerateUsers', 0, user.getReference()) info = { 'id' : user.getReference()
info = { 'id' : user.getReference() , 'login' : user.getReference()
, 'login' : user.getReference() , 'pluginid' : plugin_id
, 'pluginid' : plugin_id }
}
user_info.append(info) user_info.append(info)
return tuple(user_info) return tuple(user_info)
...@@ -135,7 +152,8 @@ class ERP5UserManager(BasePlugin): ...@@ -135,7 +152,8 @@ class ERP5UserManager(BasePlugin):
# because we aren't logged in, we have to create our own # because we aren't logged in, we have to create our own
# SecurityManager to be able to access the Catalog # SecurityManager to be able to access the Catalog
sm = getSecurityManager() sm = getSecurityManager()
newSecurityManager(self, self.getPortalObject().portal_catalog.getOwner()) if sm.getUser() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER))
result = self.getPortalObject().portal_catalog(portal_type="Person", reference=login) result = self.getPortalObject().portal_catalog(portal_type="Person", reference=login)
......
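Review bot: In getUserByLogin the new `newSecurityManager(self, self.getUser(SUPER_USER))` switches the thread's security context to a principal that ERP5RoleManager now grants every role, and the following `portal_catalog(...)` call is not wrapped in a `try`/`finally` within the hunk; if the catalog query raises before the original manager is restored (the restore, if present, lies outside the hunk), the remainder of the request runs with super-user privileges. Guard it with `try:` / `result = self.getPortalObject().portal_catalog(portal_type="Person", reference=login)` / `finally: setSecurityManager(sm)`. As in ERP5GroupManager, `sm.getUser() != SUPER_USER` compares a user object to a string and is always true; compare `sm.getUser().getId()` instead. Note that the enumerateUsers hunk now returns the pseudo user for an exact-id query from any caller of PAS searchUsers/getUser, which is what makes `self.getUser(SUPER_USER)` resolve but also makes the bypass account discoverable, so the `authenticateCredentials` guard at the top of the file is the only thing keeping it from logging in and must be kept in step with any future login-extraction changes.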