Commit e64c2b87 authored by Romain Courteaud's avatar Romain Courteaud

Allow other roles than Owner to be catalogued in a monovalued column.

Monovalued column only index user ID, and no security group.
If some security groups are assigned to such role, they are still catalogued in
the roles_and_users table.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@25449 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent a5499bba
...@@ -103,17 +103,9 @@ class IndexableObjectWrapper(CMFCoreIndexableObjectWrapper): ...@@ -103,17 +103,9 @@ class IndexableObjectWrapper(CMFCoreIndexableObjectWrapper):
else: else:
self.__dict__[name] = value self.__dict__[name] = value
def allowedRolesAndUsers(self): def _getSecurityParameterList(self):
""" result_key = '_cache_result'
Return a list of roles and users with View permission. if result_key not in self.__dict__:
Used by Portal Catalog to filter out items you're not allowed to see.
WARNING (XXX): some user base local role association is currently
being stored (ex. to be determined). This should be prevented or it will
make the table explode. To analyse the symptoms, look at the
user_and_roles table. You will find some user:foo values
which are not necessary.
"""
ob = self.__ob ob = self.__ob
security_product = getSecurityProduct(ob.acl_users) security_product = getSecurityProduct(ob.acl_users)
withnuxgroups = security_product == SECURITY_USING_NUX_USER_GROUPS withnuxgroups = security_product == SECURITY_USING_NUX_USER_GROUPS
...@@ -147,6 +139,12 @@ class IndexableObjectWrapper(CMFCoreIndexableObjectWrapper): ...@@ -147,6 +139,12 @@ class IndexableObjectWrapper(CMFCoreIndexableObjectWrapper):
if len(new_role_list)>0: if len(new_role_list)>0:
flat_localroles[key] = new_role_list flat_localroles[key] = new_role_list
localroles = flat_localroles localroles = flat_localroles
portal = self.getPortalObject()
role_dict = dict(portal.portal_catalog.getSQLCatalog().\
getSQLCatalogRoleKeysList())
getUserById = portal.acl_users.getUserById
# For each local role of a user: # For each local role of a user:
# If the local role grants View permission, add it. # If the local role grants View permission, add it.
# Every addition implies 2 lines: # Every addition implies 2 lines:
...@@ -154,18 +152,72 @@ class IndexableObjectWrapper(CMFCoreIndexableObjectWrapper): ...@@ -154,18 +152,72 @@ class IndexableObjectWrapper(CMFCoreIndexableObjectWrapper):
# user:<user_id>:<role_id> # user:<user_id>:<role_id>
# A line must not be present twice in final result. # A line must not be present twice in final result.
allowed = sets.Set(rolesForPermissionOn('View', ob)) allowed = sets.Set(rolesForPermissionOn('View', ob))
# XXX Owner is hardcoded, in order to prevent searching for user on the
# site root.
allowed.discard('Owner') allowed.discard('Owner')
add = allowed.add add = allowed.add
user_role_dict = {}
user_view_permission_role_dict = {}
for user, roles in localroles.iteritems(): for user, roles in localroles.iteritems():
if withnuxgroups: if withnuxgroups:
prefix = user prefix = user
else: else:
prefix = 'user:' + user prefix = 'user:' + user
for role in roles: for role in roles:
if (role in role_dict) and (getUserById(user) is not None):
# If role is monovalued, check if key is a user.
# If not, continue to index it in roles_and_users table.
user_role_dict[role] = user
if role in allowed: if role in allowed:
user_view_permission_role_dict[role] = user
elif role in allowed:
add(prefix) add(prefix)
add(prefix + ':' + role) add(prefix + ':' + role)
return list(allowed)
# __setattr__ explicitely set the parameter on the wrapper
setattr(self, result_key,
(list(allowed), user_role_dict,
user_view_permission_role_dict))
# Return expected value
return self.__dict__[result_key]
def allowedRolesAndUsers(self):
"""
Return a list of roles and users with View permission.
Used by Portal Catalog to filter out items you're not allowed to see.
WARNING (XXX): some user base local role association is currently
being stored (ex. to be determined). This should be prevented or it will
make the table explode. To analyse the symptoms, look at the
user_and_roles table. You will find some user:foo values
which are not necessary.
"""
return self._getSecurityParameterList()[0]
def getAssignee(self):
"""Returns the user ID of the user with 'Assignee' local role on this
document.
If there is more than one Assignee local role, the result is undefined.
"""
return self._getSecurityParameterList()[1].get('Assignee', None)
def getViewPermissionAssignee(self):
"""Returns the user ID of the user with 'Assignee' local role on this
document, if the Assignee role has View permission.
If there is more than one Assignee local role, the result is undefined.
"""
return self._getSecurityParameterList()[2].get('Assignee', None)
def getViewPermissionAssignor(self):
"""Returns the user ID of the user with 'Assignor' local role on this
document, if the Assignor role has View permission.
If there is more than one Assignor local role, the result is undefined.
"""
return self._getSecurityParameterList()[2].get('Assignor', None)
def __repr__(self): def __repr__(self):
return '<Products.ERP5Catalog.CatalogTool.IndexableObjectWrapper'\ return '<Products.ERP5Catalog.CatalogTool.IndexableObjectWrapper'\
...@@ -467,16 +519,31 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject): ...@@ -467,16 +519,31 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
catalog = self.getSQLCatalog(sql_catalog_id) catalog = self.getSQLCatalog(sql_catalog_id)
column_map = catalog.getColumnMap() column_map = catalog.getColumnMap()
# We only consider here the Owner role (since it was not indexed)
# since some objects may only be visible by their owner
# which was not indexed
for role, column_id in catalog.getSQLCatalogRoleKeysList():
# XXX This should be a list
if not user_is_superuser:
try:
# if called by an executable with proxy roles, we don't use
# owner, but only roles from the proxy.
eo = getSecurityManager()._context.stack[-1]
proxy_roles = getattr(eo, '_proxy_roles', None)
if not proxy_roles:
role_column_dict[column_id] = user_str
except IndexError:
role_column_dict[column_id] = user_str
# Patch for ERP5 by JP Smets in order # Patch for ERP5 by JP Smets in order
# to implement worklists and search of local roles # to implement worklists and search of local roles
if kw.has_key('local_roles'): local_roles = kw.get('local_roles', None)
local_roles = kw['local_roles'] if local_roles:
local_role_dict = dict(catalog.getSQLCatalogLocalRoleKeysList()) local_role_dict = dict(catalog.getSQLCatalogLocalRoleKeysList())
role_dict = dict(catalog.getSQLCatalogRoleKeysList()) role_dict = dict(catalog.getSQLCatalogRoleKeysList())
# XXX user is not enough - we should also include groups of the user # XXX user is not enough - we should also include groups of the user
# Only consider local_roles if it is not empty
if local_roles not in (None, '', []): # XXX: Maybe "if local_roles:" is enough.
new_allowedRolesAndUsers = [] new_allowedRolesAndUsers = []
new_role_column_dict = {}
# Turn it into a list if necessary according to ';' separator # Turn it into a list if necessary according to ';' separator
if isinstance(local_roles, str): if isinstance(local_roles, str):
local_roles = local_roles.split(';') local_roles = local_roles.split(';')
...@@ -503,29 +570,12 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject): ...@@ -503,29 +570,12 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
# XXX This should be a list # XXX This should be a list
# which also includes all user groups # which also includes all user groups
column_id = role_dict[role] column_id = role_dict[role]
role_column_dict[column_id] = user_str new_role_column_dict[column_id] = user_str
else:
# Else, we use the standard approach
new_allowedRolesAndUsers.append('%s:%s' % (user_or_group, role)) new_allowedRolesAndUsers.append('%s:%s' % (user_or_group, role))
if local_role_column_dict == {}: if local_role_column_dict == {}:
allowedRolesAndUsers = new_allowedRolesAndUsers allowedRolesAndUsers = new_allowedRolesAndUsers
role_column_dict = new_role_column_dict
else:
# We only consider here the Owner role (since it was not indexed)
# since some objects may only be visible by their owner
# which was not indexed
for role, column_id in catalog.getSQLCatalogRoleKeysList():
# XXX This should be a list
if not user_is_superuser:
try:
# if called by an executable with proxy roles, we don't use
# owner, but only roles from the proxy.
eo = getSecurityManager()._context.stack[-1]
proxy_roles = getattr(eo, '_proxy_roles', None)
if not proxy_roles:
role_column_dict[column_id] = user_str
except IndexError:
role_column_dict[column_id] = user_str
return allowedRolesAndUsers, role_column_dict, local_role_column_dict return allowedRolesAndUsers, role_column_dict, local_role_column_dict
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment