| 1 | from AccessControl import ClassSecurityInfo |
|---|
| 2 | from ExtensionClass import Base |
|---|
| 3 | from Acquisition import Implicit |
|---|
| 4 | from Acquisition import aq_base, aq_parent, aq_inner |
|---|
| 5 | |
|---|
| 6 | security = ClassSecurityInfo() |
|---|
| 7 | |
|---|
| 8 | security.declarePublic('getRolesInContext') |
|---|
| 9 | def getRolesInContext(self, object): |
|---|
| 10 | """Return the list of roles assigned to the user, |
|---|
| 11 | including local roles assigned in context of |
|---|
| 12 | the passed in object.""" |
|---|
| 13 | name = self.getUserName() |
|---|
| 14 | roles = self.getRoles() |
|---|
| 15 | groups = self.getGroups() + ('role:Anonymous',) |
|---|
| 16 | if 'Authenticated' in roles: |
|---|
| 17 | groups = groups + ('role:Authenticated',) |
|---|
| 18 | local = {} |
|---|
| 19 | stop_loop = 0 |
|---|
| 20 | object = aq_inner(object) |
|---|
| 21 | import pdb; pdb.set_trace() |
|---|
| 22 | while 1: |
|---|
| 23 | # Collect all roles info |
|---|
| 24 | lrd = {} |
|---|
| 25 | local_roles = getattr(object, '__ac_local_roles__', None) |
|---|
| 26 | if local_roles: |
|---|
| 27 | if callable(local_roles): |
|---|
| 28 | local_roles = local_roles() or {} |
|---|
| 29 | for r in local_roles.get(name, ()): |
|---|
| 30 | if r: |
|---|
| 31 | lrd[r] = None |
|---|
| 32 | local_group_roles = getattr(object, '__ac_local_group_roles__', None) |
|---|
| 33 | if local_group_roles: |
|---|
| 34 | if callable(local_group_roles): |
|---|
| 35 | local_group_roles = local_group_roles() or {} |
|---|
| 36 | for g in groups: |
|---|
| 37 | for r in local_group_roles.get(g, ()): |
|---|
| 38 | if r: |
|---|
| 39 | lrd[r] = None |
|---|
| 40 | lr = lrd.keys() |
|---|
| 41 | # Positive role assertions |
|---|
| 42 | for r in lr: |
|---|
| 43 | if r[0] != '-': |
|---|
| 44 | if not local.has_key(r): |
|---|
| 45 | local[r] = 1 # acquired role |
|---|
| 46 | # Negative (blocking) role assertions |
|---|
| 47 | for r in lr: |
|---|
| 48 | if r[0] == '-': |
|---|
| 49 | r = r[1:] |
|---|
| 50 | if not r: |
|---|
| 51 | # role '-' blocks all acquisition |
|---|
| 52 | stop_loop = 1 |
|---|
| 53 | break |
|---|
| 54 | if not local.has_key(r): |
|---|
| 55 | local[r] = 0 # blocked role |
|---|
| 56 | if stop_loop: |
|---|
| 57 | break |
|---|
| 58 | inner = getattr(object, 'aq_inner', object) |
|---|
| 59 | parent = getattr(inner, 'aq_parent', None) |
|---|
| 60 | if parent is not None: |
|---|
| 61 | object = parent |
|---|
| 62 | continue |
|---|
| 63 | if hasattr(object, 'im_self'): |
|---|
| 64 | object = object.im_self |
|---|
| 65 | object = getattr(object, 'aq_inner', object) |
|---|
| 66 | continue |
|---|
| 67 | break |
|---|
| 68 | roles = list(roles) |
|---|
| 69 | for r, v in local.items(): |
|---|
| 70 | if v: # only if not blocked |
|---|
| 71 | roles.append(r) |
|---|
| 72 | ## patch to assign dynamic roles for WAeUP |
|---|
| 73 | info = self.getStudentInfo() |
|---|
| 74 | while 1: |
|---|
| 75 | if info is None: |
|---|
| 76 | break |
|---|
| 77 | if info['course'] is None: |
|---|
| 78 | break |
|---|
| 79 | res = self.portal_catalog(portal_type="Department",id=info['course_doc'].department) |
|---|
| 80 | if len(res) != 1: |
|---|
| 81 | break |
|---|
| 82 | dynamic_roles = self.getRolesInContext(res[0].getObject()) |
|---|
| 83 | for dr in self.getDynamicRoles(): |
|---|
| 84 | if dr in dynamic_roles: |
|---|
| 85 | roles.append(dr) |
|---|
| 86 | break |
|---|
| 87 | return roles |
|---|
| 88 | |
|---|
| 89 | security.declarePublic('allowed') |
|---|
| 90 | def allowed(self, object, object_roles=None): |
|---|
| 91 | """Check whether the user has access to object. The user must |
|---|
| 92 | have one of the roles in object_roles to allow access.""" |
|---|
| 93 | |
|---|
| 94 | if object_roles is _what_not_even_god_should_do: |
|---|
| 95 | return 0 |
|---|
| 96 | |
|---|
| 97 | # Short-circuit the common case of anonymous access. |
|---|
| 98 | if object_roles is None or 'Anonymous' in object_roles: |
|---|
| 99 | return 1 |
|---|
| 100 | |
|---|
| 101 | # Provide short-cut access if object is protected by 'Authenticated' |
|---|
| 102 | # role and user is not nobody |
|---|
| 103 | if 'Authenticated' in object_roles and ( |
|---|
| 104 | self.getUserName() != 'Anonymous User'): |
|---|
| 105 | return 1 |
|---|
| 106 | |
|---|
| 107 | # Check for a role match with the normal roles given to |
|---|
| 108 | # the user, then with local roles only if necessary. We |
|---|
| 109 | # want to avoid as much overhead as possible. |
|---|
| 110 | user_roles = self.getRoles() |
|---|
| 111 | for role in object_roles: |
|---|
| 112 | if role in user_roles: |
|---|
| 113 | if self._check_context(object): |
|---|
| 114 | return 1 |
|---|
| 115 | return None |
|---|
| 116 | |
|---|
| 117 | # Check local roles, calling getRolesInContext to avoid too much |
|---|
| 118 | # complexity, at the expense of speed. |
|---|
| 119 | for role in self.getRolesInContext(object): |
|---|
| 120 | if role in object_roles: |
|---|
| 121 | return 1 |
|---|
| 122 | |
|---|
| 123 | return None |
|---|
| 124 | |
|---|
| 125 | from Products.CPSUserFolder import UserFolderWithGroups |
|---|
| 126 | UserFolderWithGroups.getRolesInContext = getRolesInContext |
|---|
| 127 | UserFolderWithGroups.allowed = allowed |
|---|
