Add suport for anonymous user with groups or additional roles

09960648 · Julien Muchembled · Mame Coumba Sall · 3c93a394 · 09960648 · 09960648
Commit 09960648 authored Oct 14, 2013 by Julien Muchembled Committed by Mame Coumba Sall Oct 23, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 114 additions and 0 deletions

product/ERP5Type/ZopePatch.py product/ERP5Type/ZopePatch.py +1 -0

product/ERP5Type/patches/PluggableAuthService.py product/ERP5Type/patches/PluggableAuthService.py +113 -0

No files found.
--- a/product/ERP5Type/ZopePatch.py
+++ b/product/ERP5Type/ZopePatch.py
@@ -39,6 +39,7 @@ from Products.ERP5Type.patches import sqlvar
 from Products.ERP5Type.patches import CMFCatalogAware
 from Products.ERP5Type.patches import ProductContext
 from Products.ERP5Type.patches import PropertiedUser
+from Products.ERP5Type.patches import PluggableAuthService
 from Products.ERP5Type.patches import States
 from Products.ERP5Type.patches import FSZSQLMethod
 from Products.ERP5Type.patches import ActionInformation

--- a/product/ERP5Type/patches/PluggableAuthService.py
+++ b/product/ERP5Type/patches/PluggableAuthService.py
+##############################################################################
+#
+# Copyright (c) 2001 Zope Foundation and Contributors
+# Copyright (c) 2013 Nexedi SARL and Contributors. All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this
+# distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE.
+#
+##############################################################################
+from hashlib import md5
+from Products.PluggableAuthService.PluggableAuthService \
+  import PluggableAuthService, _noroles, nobody
+from Products.ERP5Type.Cache import caching_instance_method
+
+if 1:
+    assert md5(PluggableAuthService.validate.func_code.co_code).hexdigest() in (
+      # PluggableAuthService 1.9.0
+      '5e2e6adabd03124bfd21278d3b6fb1c7', # Python 2.6
+      '5ef8421949366195dbb2d15d979a14c9', # Python 2.7
+      )
+
+    # When no user is found, try to create anonymous user even if we're not the
+    # top user folder, so that anonymous user can be customized in appropriate
+    # context (in particular: assign anonymous user to groups).
+    # Because it's common to define admin users at root, original behaviour
+    # is kept if any basic auth string is passed.
+    def validate( self, request, auth='', roles=_noroles ):
+
+        """ See IUserFolder.
+        """
+        plugins = self._getOb( 'plugins' )
+        is_top = self._isTop()
+
+        if not is_top and self._isNotCompetent( request, plugins ):
+            # this user folder should not try to authenticate this request
+            return None
+
+        user_ids = self._extractUserIds(request, plugins)
+        ( accessed
+        , container
+        , name
+        , value
+        ) = self._getObjectContext( request[ 'PUBLISHED' ], request )
+
+        for user_id, login in user_ids:
+
+            user = self._findUser(plugins, user_id, login, request=request)
+
+            if aq_base( user ) is emergency_user:
+
+                if is_top:
+                    return user
+                else:
+                    return None
+
+            if self._authorizeUser( user
+                                  , accessed
+                                  , container
+                                  , name
+                                  , value
+                                  , roles
+                                  ):
+                return user
+
+        if auth and not is_top: # patch 1
+            return None
+
+        #
+        #   No other user folder above us can satisfy, and we have no user;
+        #   return a constructed anonymous only if anonymous is authorized.
+        #
+        anonymous = self._createAnonymousUser( plugins )
+        if self._authorizeUser( anonymous
+                              , accessed
+                              , container
+                              , name
+                              , value
+                              , roles
+                              ):
+            return anonymous
+
+        return None
+
+    PluggableAuthService.validate.im_func.func_code = validate.func_code
+
+    @caching_instance_method('createAnonymousUser',
+                             cache_factory='erp5_content_short')
+    def createAnonymousUser(self):
+        try:
+            role_list, group_list = self.ERP5Site_getAnonymousUserSecurity()
+            if role_list or group_list:
+                from Products.ERP5Security.ERP5UserFactory import ERP5User
+                user = ERP5User(nobody.getId(), nobody.getUserName())
+                user._addRoles(nobody.getRoles())
+                user._addRoles(role_list)
+                user._addGroups(group_list)
+                return user
+        except Exception:
+            pass
+
+    # AnonymousUserFactory plugins have never been usable in ERP5 so
+    # instead of bothering user to create one on existing site, ignore
+    # these plugins and call directly our code to create anonymous users.
+    def _createAnonymousUser(self, plugins):
+        user = createAnonymousUser(self)
+        return (nobody if user is None else user).__of__(self)
+
+    PluggableAuthService._createAnonymousUser = _createAnonymousUser
\ No newline at end of file