ERP5Security: Declare SUPER_USER at product level.

It does not depend on a specific plugin. Also, update all importers. Also, reduce import cycles in ERP5Security.

ERP5Security: Declare SUPER_USER at product level.
It does not depend on a specific plugin. Also, update all importers. Also, reduce import cycles in ERP5Security.
62565cdd · Vincent Pelletier · 0c0ce4d6 · 62565cdd · 62565cdd · 62565cdd
Commit 62565cdd authored Dec 09, 2016 by Vincent Pelletier
16 changed files
--- a/product/ERP5Catalog/CatalogTool.py
+++ b/product/ERP5Catalog/CatalogTool.py
@@ -48,7 +48,7 @@ from AccessControl.PermissionRole import rolesForPermissionOn
 from MethodObject import Method
 from Products.ERP5Security import mergedLocalRoles
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 from Products.ZSQLCatalog.Utils import sqlquote
 import warnings
@@ -470,7 +470,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
      """
      user = _getAuthenticatedUser(self)
      user_str = str(user)
-      user_is_superuser = (user == system_user) or (user_str == SUPER_USER)
+      user_is_superuser = (user == system_user) or (user_str == ERP5Security.SUPER_USER)
      allowedRolesAndUsers = self._listAllowedRolesAndUsers(user)
      role_column_dict = {}
      local_role_column_dict = {}
@@ -596,7 +596,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
      """
      user = _getAuthenticatedUser(self)
      user_str = str(user)
-      user_is_superuser = (user == system_user) or (user_str == SUPER_USER)
+      user_is_superuser = (user == system_user) or (user_str == ERP5Security.SUPER_USER)
      if user_is_superuser:
        # We need no security check for super user.
        return query

--- a/product/ERP5SecurePayment/Tool/SecurePaymentTool.py
+++ b/product/ERP5SecurePayment/Tool/SecurePaymentTool.py
@@ -33,7 +33,7 @@ from Products.ERP5Type.Permissions import ManagePortal
 from Products.ERP5Type.Globals import DTMLFile
 from Products.ERP5SecurePayment import _dtmldir
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 from AccessControl.SecurityManagement import newSecurityManager
 from AccessControl import getSecurityManager
 from zLOG import LOG
@@ -66,7 +66,7 @@ class SecurePaymentTool(BaseTool):
    user = getSecurityManager().getUser()
    if not('Member' in user.getRoles()):
      newSecurityManager(None,
-       self.getPortalObject().acl_users.getUserById(SUPER_USER))
+       self.getPortalObject().acl_users.getUserById(ERP5Security.SUPER_USER))
  def _getParametersFromSelection(self,service,selection):
    if selection is not None:

--- a/product/ERP5Security/ERP5ExternalOauth2ExtractionPlugin.py
+++ b/product/ERP5Security/ERP5ExternalOauth2ExtractionPlugin.py
@@ -33,7 +33,7 @@ from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from Products.PluggableAuthService.interfaces import plugins
 from Products.PluggableAuthService.utils import classImplements
 from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 from Products.PluggableAuthService.PluggableAuthService import DumbHTTPExtractor
 from AccessControl.SecurityManagement import getSecurityManager, \
  setSecurityManager, newSecurityManager
@@ -182,8 +182,8 @@ class ERP5ExternalOauth2ExtractionPlugin:
      # create the user if not found
      if not self.searchUsers(id=user, exact_match=True):
        sm = getSecurityManager()
-        if sm.getUser().getId() != SUPER_USER:
+        if sm.getUser().getId() != ERP5Security.SUPER_USER:
-          newSecurityManager(self, self.getUser(SUPER_USER))
+          newSecurityManager(self, self.getUser(ERP5Security.SUPER_USER))
        try:
          self.REQUEST['USER_CREATION_IN_PROGRESS'] = user
          if user_entry is None:

--- a/product/ERP5Security/ERP5GroupManager.py
+++ b/product/ERP5Security/ERP5GroupManager.py
@@ -32,7 +32,7 @@ import sys
 from zLOG import LOG, WARNING
-from ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 # It can be useful to set NO_CACHE_MODE to 1 in order to debug
 # complex security issues related to caching groups. For example,
@@ -83,7 +83,7 @@ class ERP5GroupManager(BasePlugin):
    """ See IGroupsPlugin.
    """
    # If this is the super user, skip the check.
-    if principal.getId() == SUPER_USER:
+    if principal.getId() == ERP5Security.SUPER_USER:
      return ()
    @UnrestrictedMethod

--- a/product/ERP5Security/ERP5KeyAuthPlugin.py
+++ b/product/ERP5Security/ERP5KeyAuthPlugin.py
@@ -47,8 +47,8 @@ from Products.PluggableAuthService.plugins.CookieAuthHelper import CookieAuthHel
 from Products.ERP5Type.Cache import CachingMethod
 from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
 from Products.ERP5Security.ERP5UserManager import ERP5UserManager, \
-                                                  SUPER_USER, \
                                                  _AuthenticationFailure
+from Products import ERP5Security
 from Crypto.Cipher import AES
 from Crypto import Random
@@ -325,7 +325,7 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
    if key != None:
      login = self.decrypt(key)
      # Forbidden the usage of the super user.
-      if login == SUPER_USER:
+      if login == ERP5Security.SUPER_USER:
        return None
      #Function to allow cache

--- a/product/ERP5Security/ERP5RoleManager.py
+++ b/product/ERP5Security/ERP5RoleManager.py
@@ -23,7 +23,7 @@ from Products.PluggableAuthService.utils import classImplements
 from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin, \
  IRoleEnumerationPlugin
-from ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 manage_addERP5RoleManagerForm = PageTemplateFile(
  'www/ERP5Security_addERP5RoleManager', globals(),
@@ -64,7 +64,7 @@ class ERP5RoleManager( BasePlugin ):
    """ See IRolesPlugin.
    We only ever return Member for every principal
    """
-    if principal.getId() == SUPER_USER:
+    if principal.getId() == ERP5Security.SUPER_USER:
      # If this is the super user, give all the roles present in this system.
      # XXX no API to do this in PAS.
      rolemakers = self._getPAS().plugins.listPlugins( IRoleEnumerationPlugin )

--- a/product/ERP5Security/ERP5UserFactory.py
+++ b/product/ERP5Security/ERP5UserFactory.py
@@ -26,7 +26,7 @@ from Products.PluggableAuthService.interfaces.plugins import IUserFactoryPlugin
 from Products.PluggableAuthService.PropertiedUser import PropertiedUser
 from Products.PluggableAuthService.PropertiedUser import \
                                            _what_not_even_god_should_do
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 manage_addERP5UserFactoryForm = PageTemplateFile(
    'www/ERP5Security_addERP5UserFactory', globals(),
@@ -104,7 +104,7 @@ class ERP5User(PropertiedUser):
    As for getRolesInContext, we take into account _getAcquireLocalRoles for
    ERP5.
    """
-    if self.getUserName() == SUPER_USER:
+    if self.getUserName() == ERP5Security.SUPER_USER:
      # super user is allowed to accesss any object
      return 1

--- a/product/ERP5Security/ERP5UserManager.py
+++ b/product/ERP5Security/ERP5UserManager.py
@@ -31,9 +31,7 @@ from ZODB.POSException import ConflictError
 import sys
 from DateTime import DateTime
 from zLOG import LOG, PROBLEM
+from Products import ERP5Security
-# This user is used to bypass all security checks.
-SUPER_USER = '__erp5security-=__'
 manage_addERP5UserManagerForm = PageTemplateFile(
  'www/ERP5Security_addERP5UserManager', globals(),
@@ -139,7 +137,7 @@ class ERP5UserManager(BasePlugin):
      login = credentials.get('external_login')
      ignore_password = True
    # Forbidden the usage of the super user.
-    if login == SUPER_USER:
+    if login == ERP5Security.SUPER_USER:
      return None
    @UnrestrictedMethod
@@ -235,7 +233,7 @@ class ERP5UserManager(BasePlugin):
    id_list = []
    has_super_user = False
    for user_id in id:
-      if user_id == SUPER_USER:
+      if user_id == ERP5Security.SUPER_USER:
        has_super_user = True
      elif user_id:
        id_list.append(user_id)
@@ -257,7 +255,7 @@ class ERP5UserManager(BasePlugin):
    else:
      user_list = []
    if has_super_user:
-      user_list.append({'uid': None, 'path': None, 'reference': SUPER_USER})
+      user_list.append({'uid': None, 'path': None, 'reference': ERP5Security.SUPER_USER})
    plugin_id = self.getId()
    return tuple([
      {

--- a/product/ERP5Security/__init__.py
+++ b/product/ERP5Security/__init__.py
@@ -21,16 +21,8 @@ from AccessControl.Permissions import manage_users as ManageUsers
 from Products.PluggableAuthService.PluggableAuthService import registerMultiPlugin
 from Products.PluggableAuthService.permissions import ManageGroups
-import ERP5UserManager
+# This user is used to bypass all security checks.
-import ERP5GroupManager
+SUPER_USER = '__erp5security-=__'
-import ERP5RoleManager
-import ERP5UserFactory
-import ERP5KeyAuthPlugin
-import ERP5ExternalAuthenticationPlugin
-import ERP5BearerExtractionPlugin
-import ERP5ExternalOauth2ExtractionPlugin
-import ERP5AccessTokenExtractionPlugin
-import ERP5DumbHTTPExtractionPlugin
 def mergedLocalRoles(object):
  """Returns a merging of object and its ancestors'
@@ -60,19 +52,30 @@ def mergedLocalRoles(object):
  return deepcopy(merged)
-registerMultiPlugin(ERP5UserManager.ERP5UserManager.meta_type)
-registerMultiPlugin(ERP5GroupManager.ERP5GroupManager.meta_type)
-registerMultiPlugin(ERP5RoleManager.ERP5RoleManager.meta_type)
-registerMultiPlugin(ERP5UserFactory.ERP5UserFactory.meta_type)
-registerMultiPlugin(ERP5KeyAuthPlugin.ERP5KeyAuthPlugin.meta_type)
-registerMultiPlugin(ERP5ExternalAuthenticationPlugin.ERP5ExternalAuthenticationPlugin.meta_type)
-registerMultiPlugin(ERP5BearerExtractionPlugin.ERP5BearerExtractionPlugin.meta_type)
-registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5FacebookExtractionPlugin.meta_type)
-registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5GoogleExtractionPlugin.meta_type)
-registerMultiPlugin(ERP5AccessTokenExtractionPlugin.ERP5AccessTokenExtractionPlugin.meta_type)
-registerMultiPlugin(ERP5DumbHTTPExtractionPlugin.ERP5DumbHTTPExtractionPlugin.meta_type)
 def initialize(context):
+  import ERP5UserManager
+  import ERP5GroupManager
+  import ERP5RoleManager
+  import ERP5UserFactory
+  import ERP5KeyAuthPlugin
+  import ERP5ExternalAuthenticationPlugin
+  import ERP5BearerExtractionPlugin
+  import ERP5ExternalOauth2ExtractionPlugin
+  import ERP5AccessTokenExtractionPlugin
+  import ERP5DumbHTTPExtractionPlugin
+  registerMultiPlugin(ERP5UserManager.ERP5UserManager.meta_type)
+  registerMultiPlugin(ERP5GroupManager.ERP5GroupManager.meta_type)
+  registerMultiPlugin(ERP5RoleManager.ERP5RoleManager.meta_type)
+  registerMultiPlugin(ERP5UserFactory.ERP5UserFactory.meta_type)
+  registerMultiPlugin(ERP5KeyAuthPlugin.ERP5KeyAuthPlugin.meta_type)
+  registerMultiPlugin(ERP5ExternalAuthenticationPlugin.ERP5ExternalAuthenticationPlugin.meta_type)
+  registerMultiPlugin(ERP5BearerExtractionPlugin.ERP5BearerExtractionPlugin.meta_type)
+  registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5FacebookExtractionPlugin.meta_type)
+  registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5GoogleExtractionPlugin.meta_type)
+  registerMultiPlugin(ERP5AccessTokenExtractionPlugin.ERP5AccessTokenExtractionPlugin.meta_type)
+  registerMultiPlugin(ERP5DumbHTTPExtractionPlugin.ERP5DumbHTTPExtractionPlugin.meta_type)
  context.registerClass( ERP5UserManager.ERP5UserManager
                       , permission=ManageUsers

--- a/product/ERP5Security/tests/testERP5Security.py
+++ b/product/ERP5Security/tests/testERP5Security.py
@@ -38,6 +38,7 @@ from AccessControl.SecurityManagement import getSecurityManager
 from Products.PluggableAuthService import PluggableAuthService
 from zope.interface.verify import verifyClass
 from DateTime import DateTime
+from Products import ERP5Security
 class TestUserManagement(ERP5TypeTestCase):
  """Tests User Management in ERP5Security.
@@ -210,13 +211,11 @@ class TestUserManagement(ERP5TypeTestCase):
  def test_PersonWithSuperUserLoginCannotBeCreated(self):
    """Tests one cannot create person with the "super user" special login."""
-    from Products.ERP5Security.ERP5UserManager import SUPER_USER
+    self.assertRaises(RuntimeError, self._makePerson, reference=ERP5Security.SUPER_USER)
-    self.assertRaises(RuntimeError, self._makePerson, reference=SUPER_USER)
  def test_PersonWithSuperUserLogin(self):
    """Tests one cannot use the "super user" special login."""
-    from Products.ERP5Security.ERP5UserManager import SUPER_USER
+    self._assertUserDoesNotExists(ERP5Security.SUPER_USER, '')
-    self._assertUserDoesNotExists(SUPER_USER, '')
  def test_searchUsers(self):
    p1 = self._makePerson(reference='person1')

--- a/product/ERP5ShortMessage/Document/DummyGateway.py
+++ b/product/ERP5ShortMessage/Document/DummyGateway.py
@@ -42,7 +42,7 @@ import zope.interface
 from Products.ERP5Type import Permissions, PropertySheet, interfaces
 from Products.ERP5Type.XMLObject import XMLObject
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 class DummyGateway(XMLObject):
@@ -114,7 +114,7 @@ class DummyGateway(XMLObject):
      try:
        #Use SUPER_USER
        portal_membership = self.getPortalObject().portal_membership
-        newSecurityManager(None, portal_membership.getMemberById(SUPER_USER))
+        newSecurityManager(None, portal_membership.getMemberById(ERP5Security.SUPER_USER))
        #Dummy notify only new SMS
        self.notifyReception(REQUEST.get("sender"),

--- a/product/ERP5ShortMessage/Document/EssendexGateway.py
+++ b/product/ERP5ShortMessage/Document/EssendexGateway.py
@@ -44,7 +44,7 @@ from zLOG import LOG, INFO
 from Products.ERP5Type import Permissions, PropertySheet, interfaces
 from Products.ERP5Type.XMLObject import XMLObject
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 #Product Module
 from Products.ERP5ShortMessage.Errors import SMSGatewayError
@@ -237,7 +237,7 @@ class EssendexGateway(XMLObject):
      try:
        #Use SUPER_USER
        portal_membership = self.getPortalObject().portal_membership
-        newSecurityManager(None, portal_membership.getMemberById(SUPER_USER))
+        newSecurityManager(None, portal_membership.getMemberById(ERP5Security.SUPER_USER))
        #Parse XML
        root = etree.fromstring(datas)

--- a/product/ERP5ShortMessage/Document/MobytGateway.py
+++ b/product/ERP5ShortMessage/Document/MobytGateway.py
@@ -42,7 +42,7 @@ from zLOG import LOG, INFO
 from Products.ERP5Type import Permissions, PropertySheet, interfaces
 from Products.ERP5Type.XMLObject import XMLObject
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 #Product Module
 from Products.ERP5ShortMessage.Errors import SMSGatewayError
@@ -256,7 +256,7 @@ class MobytGateway(XMLObject):
      try:
        #Use SUPER_USER
        portal_membership = self.getPortalObject().portal_membership
-        newSecurityManager(None, portal_membership.getMemberById(SUPER_USER))
+        newSecurityManager(None, portal_membership.getMemberById(ERP5Security.SUPER_USER))
        #Mobyt notify only new SMS
        self.notifyReception(REQUEST.get("orig"),

--- a/product/ERP5Wizard/PAS/ERP5RemoteUserManager.py
+++ b/product/ERP5Wizard/PAS/ERP5RemoteUserManager.py
@@ -25,7 +25,8 @@ from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlug
                                                             IUserEnumerationPlugin
 from Products.ERP5Type.Cache import CachingMethod
 from DateTime import DateTime
-from Products.ERP5Security.ERP5UserManager import ERP5UserManager, SUPER_USER, _AuthenticationFailure
+from Products.ERP5Security.ERP5UserManager import ERP5UserManager, _AuthenticationFailure
+from Products import ERP5Security
 from BTrees.OOBTree import OOBTree
 from zLOG import LOG, INFO, WARNING
@@ -133,7 +134,7 @@ class ERP5RemoteUserManager(ERP5UserManager):
            ILoginPasswordExtractionPlugin.
        """
        # Forbidden the usage of the super user.
-        if credentials.get('login') == SUPER_USER:
+        if credentials.get('login') == ERP5Security.SUPER_USER:
          return None
        def _authenticateCredentials(login, password, path):
@@ -148,8 +149,8 @@ class ERP5RemoteUserManager(ERP5UserManager):
            user = user_list[0]
            sm = getSecurityManager()
-            if sm.getUser().getId() != SUPER_USER:
+            if sm.getUser().getId() != ERP5Security.SUPER_USER:
-              newSecurityManager(self, self.getUser(SUPER_USER))
+              newSecurityManager(self, self.getUser(ERP5Security.SUPER_USER))
            try:
              # get assignment
              assignment_list = [x for x in user.contentValues(portal_type="Assignment") \

--- a/product/ERP5Wizard/tests/testERP5RemoteUserManager.py
+++ b/product/ERP5Wizard/tests/testERP5RemoteUserManager.py
@@ -28,7 +28,7 @@
 from AccessControl.SecurityManagement import newSecurityManager
 from Products.ERP5.ERP5Site import ERP5Site
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 from Products.ERP5Type.Base import Base
 from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
 from Products.ERP5Wizard import addERP5RemoteUserManager
@@ -41,7 +41,7 @@ def proxyMethodHandler(self, kw):
  """Dummy proxyMethodHandler"""
  # login as super user
  newSecurityManager(self, self.getPortalObject().acl_users.getUserById(
-      SUPER_USER))
+      ERP5Security.SUPER_USER))
  data = getattr(self, kw['method_id'])(**kw['method_kw'])
  response = GeneratorCall(data=data)
  return response.dump()

--- a/product/ERP5eGovSecurity/EGOVGroupManager.py
+++ b/product/ERP5eGovSecurity/EGOVGroupManager.py
@@ -35,7 +35,7 @@ import sys
 from zLOG import LOG, WARNING
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 NO_CACHE_MODE = 0
@@ -86,7 +86,7 @@ class EGOVGroupManager(ERP5GroupManager):
    """ See IGroupsPlugin.
    """
    # If this is the super user, skip the check.
-    if principal.getId() == SUPER_USER:
+    if principal.getId() == ERP5Security.SUPER_USER:
      return ()
    def _getGroupsForPrincipal(user_name, path):
@@ -98,8 +98,8 @@ class EGOVGroupManager(ERP5GroupManager):
      # because we aren't logged in, we have to create our own
      # SecurityManager to be able to access the Catalog
      sm = getSecurityManager()
-      if sm.getUser().getId() != SUPER_USER:
+      if sm.getUser().getId() != ERP5Security.SUPER_USER:
-        newSecurityManager(self, self.getUser(SUPER_USER))
+        newSecurityManager(self, self.getUser(ERP5Security.SUPER_USER))
      try:
        # To get the complete list of groups, we try to call the
        # ERP5Type_getSecurityCategoryMapping which should return a list