Context navigation

source: main/waeup.sirp/trunk/src/waeup/sirp/authentication.py @ 7221

Last change on this file since 7221 was 7221, checked in by Henrik Bettermann, 13 years ago

Now we have a configuration object and can provide ContactAdminForm? with proper credentials for a smtp server.

Add Email address to IAccount objects so that 'From' fields in emails, sent by users, can be automatically filled.

Property svn:keywords set to Id

File size: 9.6 KB

Line
1	## $Id: authentication.py 7221 2011-11-27 06:50:43Z henrik $
2	##
3	## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4	## This program is free software; you can redistribute it and/or modify
5	## it under the terms of the GNU General Public License as published by
6	## the Free Software Foundation; either version 2 of the License, or
7	## (at your option) any later version.
8	##
9	## This program is distributed in the hope that it will be useful,
10	## but WITHOUT ANY WARRANTY; without even the implied warranty of
11	## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12	## GNU General Public License for more details.
13	##
14	## You should have received a copy of the GNU General Public License
15	## along with this program; if not, write to the Free Software
16	## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17	##
18	"""Authentication for WAeUP portals.
19	"""
20	import grok
21	from zope.event import notify
22	from zope.component import getUtility, getUtilitiesFor
23	from zope.interface import Interface
24	from zope.securitypolicy.interfaces import (
25	IPrincipalRoleMap, IPrincipalRoleManager)
26	from zope.pluggableauth.plugins.session import SessionCredentialsPlugin
27	from zope.pluggableauth.interfaces import (
28	ICredentialsPlugin, IAuthenticatorPlugin, IPrincipalInfo)
29	from zope.password.interfaces import IPasswordManager
30	from zope.securitypolicy.principalrole import principalRoleManager
31	from waeup.sirp.interfaces import (ILocalRoleSetEvent,
32	IUserAccount, IAuthPluginUtility, IPasswordValidator)
33
34	def setup_authentication(pau):
35	"""Set up plugguble authentication utility.
36
37	Sets up an IAuthenticatorPlugin and
38	ICredentialsPlugin (for the authentication mechanism)
39
40	Then looks for any external utilities that want to modify the PAU.
41	"""
42	pau.credentialsPlugins = ('No Challenge if Authenticated', 'credentials')
43	pau.authenticatorPlugins = ('users',)
44
45	# Give any third-party code and subpackages a chance to modify the PAU
46	auth_plugin_utilities = getUtilitiesFor(IAuthPluginUtility)
47	for name, util in auth_plugin_utilities:
48	util.register(pau)
49
50	def get_principal_role_manager():
51	"""Get a role manager for principals.
52
53	If we are currently 'in a site', return the role manager for the
54	portal or the global rolemanager else.
55	"""
56	portal = grok.getSite()
57	if portal is not None:
58	return IPrincipalRoleManager(portal)
59	return principalRoleManager
60
61	class WAeUPSessionCredentialsPlugin(grok.GlobalUtility,
62	SessionCredentialsPlugin):
63	grok.provides(ICredentialsPlugin)
64	grok.name('credentials')
65
66	loginpagename = 'login'
67	loginfield = 'form.login'
68	passwordfield = 'form.password'
69
70	class PrincipalInfo(object):
71	grok.implements(IPrincipalInfo)
72
73	def __init__(self, id, title, description):
74	self.id = id
75	self.title = title
76	self.description = description
77	self.credentialsPlugin = None
78	self.authenticatorPlugin = None
79
80	class Account(grok.Model):
81	grok.implements(IUserAccount)
82
83	_local_roles = dict()
84
85	def __init__(self, name, password, title=None, description=None,
86	email=None, roles = []):
87	self.name = name
88	if title is None:
89	title = name
90	#if description is None:
91	# description = title
92	self.title = title
93	self.description = description
94	self.email = email
95	self.setPassword(password)
96	#self.setSiteRolesForPrincipal(roles)
97	# We don't want to share this dict with other accounts
98	self._local_roles = dict()
99
100	def setPassword(self, password):
101	passwordmanager = getUtility(IPasswordManager, 'SHA1')
102	self.password = passwordmanager.encodePassword(password)
103
104	def checkPassword(self, password):
105	passwordmanager = getUtility(IPasswordManager, 'SHA1')
106	return passwordmanager.checkPassword(self.password, password)
107
108	def getSiteRolesForPrincipal(self):
109	prm = get_principal_role_manager()
110	roles = [x[0] for x in prm.getRolesForPrincipal(self.name)
111	if x[0].startswith('waeup.')]
112	return roles
113
114	def setSiteRolesForPrincipal(self, roles):
115	prm = get_principal_role_manager()
116	old_roles = self.getSiteRolesForPrincipal()
117	for role in old_roles:
118	# Remove old roles, not to be set now...
119	if role.startswith('waeup.') and role not in roles:
120	prm.unsetRoleForPrincipal(role, self.name)
121	for role in roles:
122	prm.assignRoleToPrincipal(role, self.name)
123
124	roles = property(getSiteRolesForPrincipal, setSiteRolesForPrincipal)
125
126	def getLocalRoles(self):
127	return self._local_roles
128
129	def notifyLocalRoleChanged(self, obj, role_id, granted=True):
130	objects = self._local_roles.get(role_id, [])
131	if granted and obj not in objects:
132	objects.append(obj)
133	if not granted and obj in objects:
134	objects.remove(obj)
135	self._local_roles[role_id] = objects
136	if len(objects) == 0:
137	del self._local_roles[role_id]
138	self._p_changed = True
139	return
140
141	class UserAuthenticatorPlugin(grok.GlobalUtility):
142	grok.implements(IAuthenticatorPlugin)
143	grok.provides(IAuthenticatorPlugin)
144	grok.name('users')
145
146	def authenticateCredentials(self, credentials):
147	if not isinstance(credentials, dict):
148	return None
149	if not ('login' in credentials and 'password' in credentials):
150	return None
151	account = self.getAccount(credentials['login'])
152
153	if account is None:
154	return None
155	if not account.checkPassword(credentials['password']):
156	return None
157	return PrincipalInfo(id=account.name,
158	title=account.title,
159	description=account.description)
160
161	def principalInfo(self, id):
162	account = self.getAccount(id)
163	if account is None:
164	return None
165	return PrincipalInfo(id=account.name,
166	title=account.title,
167	description=account.description)
168
169	def getAccount(self, login):
170	# ... look up the account object and return it ...
171	userscontainer = self.getUsersContainer()
172	if userscontainer is None:
173	return
174	return userscontainer.get(login, None)
175
176	def addAccount(self, account):
177	userscontainer = self.getUsersContainer()
178	if userscontainer is None:
179	return
180	# XXX: complain if name already exists...
181	userscontainer.addAccount(account)
182
183	def addUser(self, name, password, title=None, description=None):
184	userscontainer = self.getUsersContainer()
185	if userscontainer is None:
186	return
187	userscontainer.addUser(name, password, title, description)
188
189	def getUsersContainer(self):
190	site = grok.getSite()
191	return site['users']
192
193	class PasswordValidator(grok.GlobalUtility):
194
195	grok.implements(IPasswordValidator)
196
197	def validate_password(self, pw, pw_repeat):
198	errors = []
199	if len(pw) < 3:
200	errors.append('Password must have at least 3 chars.')
201	if pw != pw_repeat:
202	errors.append('Passwords do not match.')
203	return errors
204
205	class LocalRoleSetEvent(object):
206
207	grok.implements(ILocalRoleSetEvent)
208
209	def __init__(self, object, role_id, principal_id, granted=True):
210	self.object = object
211	self.role_id = role_id
212	self.principal_id = principal_id
213	self.granted = granted
214
215	@grok.subscribe(IUserAccount, grok.IObjectRemovedEvent)
216	def handle_account_removed(account, event):
217	"""When an account is removed, local roles might have to be deleted.
218	"""
219	local_roles = account.getLocalRoles()
220	principal = account.name
221	for role_id, object_list in local_roles.items():
222	for object in object_list:
223	try:
224	role_manager = IPrincipalRoleManager(object)
225	except TypeError:
226	# No role manager, no roles to remove
227	continue
228	role_manager.unsetRoleForPrincipal(role_id, principal)
229	return
230
231	@grok.subscribe(IUserAccount, grok.IObjectAddedEvent)
232	def handle_account_added(account, event):
233	"""When an account is added, the local owner role and the global
234	AcademicsOfficer role must be set.
235	"""
236	# We set the local Owner role
237	role_manager_account = IPrincipalRoleManager(account)
238	role_manager_account.assignRoleToPrincipal(
239	'waeup.local.Owner', account.name)
240	# We set the global AcademicsOfficer role
241	site = grok.getSite()
242	role_manager_site = IPrincipalRoleManager(site)
243	role_manager_site.assignRoleToPrincipal(
244	'waeup.AcademicsOfficer', account.name)
245	# Finally we have to notify the user account that the local role
246	# of the same object has changed
247	notify(LocalRoleSetEvent(
248	account, 'waeup.local.Owner', account.name, granted=True))
249	return
250
251	@grok.subscribe(Interface, ILocalRoleSetEvent)
252	def handle_local_role_changed(obj, event):
253	site = grok.getSite()
254	if site is None:
255	return
256	users = site.get('users', None)
257	if users is None:
258	return
259	role_id = event.role_id
260	if event.principal_id not in users.keys():
261	return
262	user = users[event.principal_id]
263	user.notifyLocalRoleChanged(event.object, event.role_id, event.granted)
264	return
265
266	@grok.subscribe(Interface, grok.IObjectRemovedEvent)
267	def handle_local_roles_on_obj_removed(obj, event):
268	try:
269	role_map = IPrincipalRoleMap(obj)
270	except TypeError:
271	# no map, no roles to remove
272	return
273	for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
274	notify(LocalRoleSetEvent(
275	obj, local_role, user_name, granted=False))
276	return

Note: See TracBrowser for help on using the repository browser.

Download in other formats: