ERP5Security: Declare SUPER_USER at product level.

It does not depend on a specific plugin.
Also, update all importers.
Also, reduce import cycles in ERP5Security.

product/ERP5Catalog/CatalogTool.py

@@ -48,7 +48,7 @@ from AccessControl.PermissionRole import rolesForPermissionOn
 from MethodObject import Method
 
 from Products.ERP5Security import mergedLocalRoles
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 from Products.ZSQLCatalog.Utils import sqlquote
 
 import warnings
@@ -470,7 +470,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
       """
       user = _getAuthenticatedUser(self)
       user_str = str(user)
-      user_is_superuser = (user == system_user) or (user_str == SUPER_USER)
+      user_is_superuser = (user == system_user) or (user_str == ERP5Security.SUPER_USER)
       allowedRolesAndUsers = self._listAllowedRolesAndUsers(user)
       role_column_dict = {}
       local_role_column_dict = {}
@@ -596,7 +596,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
       """
       user = _getAuthenticatedUser(self)
       user_str = str(user)
-      user_is_superuser = (user == system_user) or (user_str == SUPER_USER)
+      user_is_superuser = (user == system_user) or (user_str == ERP5Security.SUPER_USER)
       if user_is_superuser:
         # We need no security check for super user.
         return query

product/ERP5SecurePayment/Tool/SecurePaymentTool.py

@@ -33,7 +33,7 @@ from Products.ERP5Type.Permissions import ManagePortal
 
 from Products.ERP5Type.Globals import DTMLFile
 from Products.ERP5SecurePayment import _dtmldir
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 from AccessControl.SecurityManagement import newSecurityManager
 from AccessControl import getSecurityManager
 from zLOG import LOG
@@ -66,7 +66,7 @@ class SecurePaymentTool(BaseTool):
     user = getSecurityManager().getUser()
     if not('Member' in user.getRoles()):
       newSecurityManager(None,
-       self.getPortalObject().acl_users.getUserById(SUPER_USER))
+       self.getPortalObject().acl_users.getUserById(ERP5Security.SUPER_USER))
 
   def _getParametersFromSelection(self,service,selection):
     if selection is not None:

product/ERP5Security/ERP5ExternalOauth2ExtractionPlugin.py

@@ -33,7 +33,7 @@ from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from Products.PluggableAuthService.interfaces import plugins
 from Products.PluggableAuthService.utils import classImplements
 from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 from Products.PluggableAuthService.PluggableAuthService import DumbHTTPExtractor
 from AccessControl.SecurityManagement import getSecurityManager, \
   setSecurityManager, newSecurityManager
@@ -182,8 +182,8 @@ class ERP5ExternalOauth2ExtractionPlugin:
       # create the user if not found
       if not self.searchUsers(id=user, exact_match=True):
         sm = getSecurityManager()
-        if sm.getUser().getId() != SUPER_USER:
-          newSecurityManager(self, self.getUser(SUPER_USER))
+        if sm.getUser().getId() != ERP5Security.SUPER_USER:
+          newSecurityManager(self, self.getUser(ERP5Security.SUPER_USER))
         try:
           self.REQUEST['USER_CREATION_IN_PROGRESS'] = user
           if user_entry is None:

product/ERP5Security/ERP5GroupManager.py

@@ -32,7 +32,7 @@ import sys
 
 from zLOG import LOG, WARNING
 
-from ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 
 # It can be useful to set NO_CACHE_MODE to 1 in order to debug
 # complex security issues related to caching groups. For example,
@@ -83,7 +83,7 @@ class ERP5GroupManager(BasePlugin):
     """ See IGroupsPlugin.
     """
     # If this is the super user, skip the check.
-    if principal.getId() == SUPER_USER:
+    if principal.getId() == ERP5Security.SUPER_USER:
       return ()
 
     @UnrestrictedMethod

product/ERP5Security/ERP5KeyAuthPlugin.py

@@ -47,8 +47,8 @@ from Products.PluggableAuthService.plugins.CookieAuthHelper import CookieAuthHel
 from Products.ERP5Type.Cache import CachingMethod
 from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
 from Products.ERP5Security.ERP5UserManager import ERP5UserManager, \
-                                                  SUPER_USER, \
                                                   _AuthenticationFailure
+from Products import ERP5Security
 
 from Crypto.Cipher import AES
 from Crypto import Random
@@ -325,7 +325,7 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
     if key != None:
       login = self.decrypt(key)
       # Forbidden the usage of the super user.
-      if login == SUPER_USER:
+      if login == ERP5Security.SUPER_USER:
         return None
 
       #Function to allow cache

product/ERP5Security/ERP5RoleManager.py

@@ -23,7 +23,7 @@ from Products.PluggableAuthService.utils import classImplements
 from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin, \
   IRoleEnumerationPlugin
 
-from ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 
 manage_addERP5RoleManagerForm = PageTemplateFile(
   'www/ERP5Security_addERP5RoleManager', globals(),
@@ -64,7 +64,7 @@ class ERP5RoleManager( BasePlugin ):
     """ See IRolesPlugin.
     We only ever return Member for every principal
     """
-    if principal.getId() == SUPER_USER:
+    if principal.getId() == ERP5Security.SUPER_USER:
       # If this is the super user, give all the roles present in this system.
       # XXX no API to do this in PAS.
       rolemakers = self._getPAS().plugins.listPlugins( IRoleEnumerationPlugin )

product/ERP5Security/ERP5UserFactory.py

@@ -26,7 +26,7 @@ from Products.PluggableAuthService.interfaces.plugins import IUserFactoryPlugin
 from Products.PluggableAuthService.PropertiedUser import PropertiedUser
 from Products.PluggableAuthService.PropertiedUser import \
                                             _what_not_even_god_should_do
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 
 manage_addERP5UserFactoryForm = PageTemplateFile(
     'www/ERP5Security_addERP5UserFactory', globals(),
@@ -104,7 +104,7 @@ class ERP5User(PropertiedUser):
     As for getRolesInContext, we take into account _getAcquireLocalRoles for
     ERP5.
     """
-    if self.getUserName() == SUPER_USER:
+    if self.getUserName() == ERP5Security.SUPER_USER:
       # super user is allowed to accesss any object
       return 1
 

product/ERP5Security/ERP5UserManager.py

@@ -31,9 +31,7 @@ from ZODB.POSException import ConflictError
 import sys
 from DateTime import DateTime
 from zLOG import LOG, PROBLEM
-
-# This user is used to bypass all security checks.
-SUPER_USER = '__erp5security-=__'
+from Products import ERP5Security
 
 manage_addERP5UserManagerForm = PageTemplateFile(
   'www/ERP5Security_addERP5UserManager', globals(),
@@ -139,7 +137,7 @@ class ERP5UserManager(BasePlugin):
       login = credentials.get('external_login')
       ignore_password = True
     # Forbidden the usage of the super user.
-    if login == SUPER_USER:
+    if login == ERP5Security.SUPER_USER:
       return None
 
     @UnrestrictedMethod
@@ -235,7 +233,7 @@ class ERP5UserManager(BasePlugin):
     id_list = []
     has_super_user = False
     for user_id in id:
-      if user_id == SUPER_USER:
+      if user_id == ERP5Security.SUPER_USER:
         has_super_user = True
       elif user_id:
         id_list.append(user_id)
@@ -257,7 +255,7 @@ class ERP5UserManager(BasePlugin):
     else:
       user_list = []
     if has_super_user:
-      user_list.append({'uid': None, 'path': None, 'reference': SUPER_USER})
+      user_list.append({'uid': None, 'path': None, 'reference': ERP5Security.SUPER_USER})
     plugin_id = self.getId()
     return tuple([
       {

product/ERP5Security/__init__.py

@@ -21,16 +21,8 @@ from AccessControl.Permissions import manage_users as ManageUsers
 from Products.PluggableAuthService.PluggableAuthService import registerMultiPlugin
 from Products.PluggableAuthService.permissions import ManageGroups
 
-import ERP5UserManager
-import ERP5GroupManager
-import ERP5RoleManager
-import ERP5UserFactory
-import ERP5KeyAuthPlugin
-import ERP5ExternalAuthenticationPlugin
-import ERP5BearerExtractionPlugin
-import ERP5ExternalOauth2ExtractionPlugin
-import ERP5AccessTokenExtractionPlugin
-import ERP5DumbHTTPExtractionPlugin
+# This user is used to bypass all security checks.
+SUPER_USER = '__erp5security-=__'
 
 def mergedLocalRoles(object):
   """Returns a merging of object and its ancestors'
@@ -60,19 +52,30 @@ def mergedLocalRoles(object):
 
   return deepcopy(merged)
 
-registerMultiPlugin(ERP5UserManager.ERP5UserManager.meta_type)
-registerMultiPlugin(ERP5GroupManager.ERP5GroupManager.meta_type)
-registerMultiPlugin(ERP5RoleManager.ERP5RoleManager.meta_type)
-registerMultiPlugin(ERP5UserFactory.ERP5UserFactory.meta_type)
-registerMultiPlugin(ERP5KeyAuthPlugin.ERP5KeyAuthPlugin.meta_type)
-registerMultiPlugin(ERP5ExternalAuthenticationPlugin.ERP5ExternalAuthenticationPlugin.meta_type)
-registerMultiPlugin(ERP5BearerExtractionPlugin.ERP5BearerExtractionPlugin.meta_type)
-registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5FacebookExtractionPlugin.meta_type)
-registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5GoogleExtractionPlugin.meta_type)
-registerMultiPlugin(ERP5AccessTokenExtractionPlugin.ERP5AccessTokenExtractionPlugin.meta_type)
-registerMultiPlugin(ERP5DumbHTTPExtractionPlugin.ERP5DumbHTTPExtractionPlugin.meta_type)
-
 def initialize(context):
+  import ERP5UserManager
+  import ERP5GroupManager
+  import ERP5RoleManager
+  import ERP5UserFactory
+  import ERP5KeyAuthPlugin
+  import ERP5ExternalAuthenticationPlugin
+  import ERP5BearerExtractionPlugin
+  import ERP5ExternalOauth2ExtractionPlugin
+  import ERP5AccessTokenExtractionPlugin
+  import ERP5DumbHTTPExtractionPlugin
+
+  registerMultiPlugin(ERP5UserManager.ERP5UserManager.meta_type)
+  registerMultiPlugin(ERP5GroupManager.ERP5GroupManager.meta_type)
+  registerMultiPlugin(ERP5RoleManager.ERP5RoleManager.meta_type)
+  registerMultiPlugin(ERP5UserFactory.ERP5UserFactory.meta_type)
+  registerMultiPlugin(ERP5KeyAuthPlugin.ERP5KeyAuthPlugin.meta_type)
+  registerMultiPlugin(ERP5ExternalAuthenticationPlugin.ERP5ExternalAuthenticationPlugin.meta_type)
+  registerMultiPlugin(ERP5BearerExtractionPlugin.ERP5BearerExtractionPlugin.meta_type)
+  registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5FacebookExtractionPlugin.meta_type)
+  registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5GoogleExtractionPlugin.meta_type)
+  registerMultiPlugin(ERP5AccessTokenExtractionPlugin.ERP5AccessTokenExtractionPlugin.meta_type)
+  registerMultiPlugin(ERP5DumbHTTPExtractionPlugin.ERP5DumbHTTPExtractionPlugin.meta_type)
+
 
   context.registerClass( ERP5UserManager.ERP5UserManager
                        , permission=ManageUsers

product/ERP5Security/tests/testERP5Security.py

@@ -38,6 +38,7 @@ from AccessControl.SecurityManagement import getSecurityManager
 from Products.PluggableAuthService import PluggableAuthService
 from zope.interface.verify import verifyClass
 from DateTime import DateTime
+from Products import ERP5Security
 
 class TestUserManagement(ERP5TypeTestCase):
   """Tests User Management in ERP5Security.
@@ -210,13 +211,11 @@ class TestUserManagement(ERP5TypeTestCase):
 
   def test_PersonWithSuperUserLoginCannotBeCreated(self):
     """Tests one cannot create person with the "super user" special login."""
-    from Products.ERP5Security.ERP5UserManager import SUPER_USER
-    self.assertRaises(RuntimeError, self._makePerson, reference=SUPER_USER)
+    self.assertRaises(RuntimeError, self._makePerson, reference=ERP5Security.SUPER_USER)
 
   def test_PersonWithSuperUserLogin(self):
     """Tests one cannot use the "super user" special login."""
-    from Products.ERP5Security.ERP5UserManager import SUPER_USER
-    self._assertUserDoesNotExists(SUPER_USER, '')
+    self._assertUserDoesNotExists(ERP5Security.SUPER_USER, '')
 
   def test_searchUsers(self):
     p1 = self._makePerson(reference='person1')

product/ERP5ShortMessage/Document/DummyGateway.py

@@ -42,7 +42,7 @@ import zope.interface
 
 from Products.ERP5Type import Permissions, PropertySheet, interfaces
 from Products.ERP5Type.XMLObject import XMLObject
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 
 
 class DummyGateway(XMLObject):
@@ -114,7 +114,7 @@ class DummyGateway(XMLObject):
       try:
         #Use SUPER_USER
         portal_membership = self.getPortalObject().portal_membership
-        newSecurityManager(None, portal_membership.getMemberById(SUPER_USER))
+        newSecurityManager(None, portal_membership.getMemberById(ERP5Security.SUPER_USER))
 
         #Dummy notify only new SMS
         self.notifyReception(REQUEST.get("sender"),

product/ERP5ShortMessage/Document/EssendexGateway.py

@@ -44,7 +44,7 @@ from zLOG import LOG, INFO
 
 from Products.ERP5Type import Permissions, PropertySheet, interfaces
 from Products.ERP5Type.XMLObject import XMLObject
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 
 #Product Module
 from Products.ERP5ShortMessage.Errors import SMSGatewayError
@@ -237,7 +237,7 @@ class EssendexGateway(XMLObject):
       try:
         #Use SUPER_USER
         portal_membership = self.getPortalObject().portal_membership
-        newSecurityManager(None, portal_membership.getMemberById(SUPER_USER))
+        newSecurityManager(None, portal_membership.getMemberById(ERP5Security.SUPER_USER))
 
         #Parse XML
         root = etree.fromstring(datas)

product/ERP5ShortMessage/Document/MobytGateway.py

@@ -42,7 +42,7 @@ from zLOG import LOG, INFO
 
 from Products.ERP5Type import Permissions, PropertySheet, interfaces
 from Products.ERP5Type.XMLObject import XMLObject
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 
 #Product Module
 from Products.ERP5ShortMessage.Errors import SMSGatewayError
@@ -256,7 +256,7 @@ class MobytGateway(XMLObject):
       try:
         #Use SUPER_USER
         portal_membership = self.getPortalObject().portal_membership
-        newSecurityManager(None, portal_membership.getMemberById(SUPER_USER))
+        newSecurityManager(None, portal_membership.getMemberById(ERP5Security.SUPER_USER))
 
         #Mobyt notify only new SMS
         self.notifyReception(REQUEST.get("orig"),

product/ERP5Wizard/PAS/ERP5RemoteUserManager.py

@@ -25,7 +25,8 @@ from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlug
                                                              IUserEnumerationPlugin
 from Products.ERP5Type.Cache import CachingMethod
 from DateTime import DateTime
-from Products.ERP5Security.ERP5UserManager import ERP5UserManager, SUPER_USER, _AuthenticationFailure
+from Products.ERP5Security.ERP5UserManager import ERP5UserManager, _AuthenticationFailure
+from Products import ERP5Security
 
 from BTrees.OOBTree import OOBTree
 from zLOG import LOG, INFO, WARNING
@@ -133,7 +134,7 @@ class ERP5RemoteUserManager(ERP5UserManager):
             ILoginPasswordExtractionPlugin.
         """
         # Forbidden the usage of the super user.
-        if credentials.get('login') == SUPER_USER:
+        if credentials.get('login') == ERP5Security.SUPER_USER:
           return None
 
         def _authenticateCredentials(login, password, path):
@@ -148,8 +149,8 @@ class ERP5RemoteUserManager(ERP5UserManager):
             user = user_list[0]
 
             sm = getSecurityManager()
-            if sm.getUser().getId() != SUPER_USER:
-              newSecurityManager(self, self.getUser(SUPER_USER))
+            if sm.getUser().getId() != ERP5Security.SUPER_USER:
+              newSecurityManager(self, self.getUser(ERP5Security.SUPER_USER))
             try:
               # get assignment
               assignment_list = [x for x in user.contentValues(portal_type="Assignment") \

product/ERP5Wizard/tests/testERP5RemoteUserManager.py

@@ -28,7 +28,7 @@
 
 from AccessControl.SecurityManagement import newSecurityManager
 from Products.ERP5.ERP5Site import ERP5Site
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 from Products.ERP5Type.Base import Base
 from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
 from Products.ERP5Wizard import addERP5RemoteUserManager
@@ -41,7 +41,7 @@ def proxyMethodHandler(self, kw):
   """Dummy proxyMethodHandler"""
   # login as super user
   newSecurityManager(self, self.getPortalObject().acl_users.getUserById(
-      SUPER_USER))
+      ERP5Security.SUPER_USER))
   data = getattr(self, kw['method_id'])(**kw['method_kw'])
   response = GeneratorCall(data=data)
   return response.dump()

product/ERP5eGovSecurity/EGOVGroupManager.py

@@ -35,7 +35,7 @@ import sys
 
 from zLOG import LOG, WARNING
 
-from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products import ERP5Security
 
 
 NO_CACHE_MODE = 0
@@ -86,7 +86,7 @@ class EGOVGroupManager(ERP5GroupManager):
     """ See IGroupsPlugin.
     """
     # If this is the super user, skip the check.
-    if principal.getId() == SUPER_USER:
+    if principal.getId() == ERP5Security.SUPER_USER:
       return ()
 
     def _getGroupsForPrincipal(user_name, path):
@@ -98,8 +98,8 @@ class EGOVGroupManager(ERP5GroupManager):
       # because we aren't logged in, we have to create our own
       # SecurityManager to be able to access the Catalog
       sm = getSecurityManager()
-      if sm.getUser().getId() != SUPER_USER:
-        newSecurityManager(self, self.getUser(SUPER_USER))
+      if sm.getUser().getId() != ERP5Security.SUPER_USER:
+        newSecurityManager(self, self.getUser(ERP5Security.SUPER_USER))
       try:
         # To get the complete list of groups, we try to call the
         # ERP5Type_getSecurityCategoryMapping which should return a list