Commit 7de2b48f authored by 's avatar

Merged changes to domain authentication mode from 2.3 branch

parent 33e38deb
...@@ -84,7 +84,7 @@ ...@@ -84,7 +84,7 @@
############################################################################## ##############################################################################
"""Access control package""" """Access control package"""
__version__='$Revision: 1.133 $'[11:-2] __version__='$Revision: 1.134 $'[11:-2]
import Globals, socket, ts_regex, SpecialUsers import Globals, socket, ts_regex, SpecialUsers
import os import os
...@@ -413,7 +413,8 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -413,7 +413,8 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
__ac_permissions__=( __ac_permissions__=(
('Manage users', ('Manage users',
('manage_users','getUserNames','getUser','getUsers', ('manage_users','getUserNames', 'getUser', 'getUsers',
'getUserById', 'user_names', 'setDomainAuthenticationMode',
) )
), ),
) )
...@@ -461,12 +462,12 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -461,12 +462,12 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
# ----------------------------------- # -----------------------------------
_remote_user_mode=_remote_user_mode _remote_user_mode=_remote_user_mode
_domain_auth_mode=0
_emergency_user=emergency_user _emergency_user=emergency_user
# Note: use of the '_super' name is deprecated. # Note: use of the '_super' name is deprecated.
_super=emergency_user _super=emergency_user
_nobody=nobody _nobody=nobody
_check_for_domain_defined_nobody=1
_do_dns_lookup_caching=1
def identify(self, auth): def identify(self, auth):
if auth and lower(auth[:6])=='basic ': if auth and lower(auth[:6])=='basic ':
...@@ -501,25 +502,6 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -501,25 +502,6 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
except 'Unauthorized': pass except 'Unauthorized': pass
return 0 return 0
def _setRemote(self, request):
# If no authorization, only a user with a domain spec and no
# passwd or nobody can match. We cache reverse DNS before
# checking the users, otherwise it can get real slow looking
# it up for every user.
host=request.get('REMOTE_HOST', '')
addr=request.get('REMOTE_ADDR', '')
if host or addr:
if not host:
try:
host=socket.gethostbyaddr(addr)[0]
request.set('REMOTE_HOST', host)
except: pass
if not addr:
try:
addr=socket.gethostbyname(host)
request.set('REMOTE_ADDR', addr)
except: pass
def validate(self, request, auth='', roles=_noroles): def validate(self, request, auth='', roles=_noroles):
""" """
this method performs identification, authentication, and this method performs identification, authentication, and
...@@ -533,8 +515,6 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -533,8 +515,6 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
folders or to raise an unauthorized by returning None from this folders or to raise an unauthorized by returning None from this
method. method.
""" """
if self._do_dns_lookup_caching:
self._setRemote(request)
v = request['PUBLISHED'] # the published object v = request['PUBLISHED'] # the published object
a, c, n, v = self._getobcontext(v, request) a, c, n, v = self._getobcontext(v, request)
...@@ -543,7 +523,8 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -543,7 +523,8 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
# database has no password and he has domain restrictions, # database has no password and he has domain restrictions,
# return him as the authorized user. # return him as the authorized user.
if not auth: if not auth:
if self._check_for_domain_defined_nobody: if self._domain_auth_mode:
self._lookupRemoteHostAddr(request)
for user in self.getUsers(): for user in self.getUsers():
if user.getDomains(): if user.getDomains():
if self.authenticate(user.getUserName(), '', request): if self.authenticate(user.getUserName(), '', request):
...@@ -588,13 +569,12 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -588,13 +569,12 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
if _remote_user_mode: if _remote_user_mode:
def validate(self, request, auth='', roles=_noroles): def validate(self, request, auth='', roles=_noroles):
if self._do_dns_lookup_caching:
self._setRemote(request)
v = request['PUBLISHED'] v = request['PUBLISHED']
a, c, n, v = self._getobcontext(v, request) a, c, n, v = self._getobcontext(v, request)
name = request.environ.get('REMOTE_USER', None) name = request.environ.get('REMOTE_USER', None)
if name is None: if name is None:
if self._check_for_domain_defined_nobody: if self._domain_auth_mode:
self._lookupRemoteHostAddr(request)
for user in self.getUsers(): for user in self.getUsers():
if user.getDomains(): if user.getDomains():
if self.authenticate( if self.authenticate(
...@@ -809,31 +789,11 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -809,31 +789,11 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
names=reqattr(REQUEST, 'names') names=reqattr(REQUEST, 'names')
return self._delUsers(names,REQUEST) return self._delUsers(names,REQUEST)
if submit=='Toggle Domain Defined Anonymous Mode':
self.toggleDomainDefinedNobodyMode()
if submit=='Toggle DNS Lookup Caching':
self.toggleDNSLookupCaching()
return self._mainUser(self, REQUEST) return self._mainUser(self, REQUEST)
def user_names(self): def user_names(self):
return self.getUserNames() return self.getUserNames()
def getDomainDefinedNobodyMode(self):
return self._check_for_domain_defined_nobody
def toggleDomainDefinedNobodyMode(self):
ck = self._check_for_domain_defined_nobody
self._check_for_domain_defined_nobody = not ck
def getDNSLookupCaching(self):
return self._do_dns_lookup_caching
def toggleDNSLookupCaching(self):
ck = self._do_dns_lookup_caching
self._do_dns_lookup_caching = not ck
def manage_beforeDelete(self, item, container): def manage_beforeDelete(self, item, container):
if item is self: if item is self:
try: del container.__allow_groups__ try: del container.__allow_groups__
...@@ -854,6 +814,38 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager, ...@@ -854,6 +814,38 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
action ='./manage_main',) action ='./manage_main',)
# Domain authentication support. This is a good candidate to
# become deprecated in future Zope versions.
def setDomainAuthenticationMode(self, domain_auth_mode):
"""Set the domain-based authentication mode. By default, this
mode is off due to the high overhead of the operation that
is incurred for all anonymous accesses. If you have the
'Manage Users' permission, you can call this method via
the web, passing a boolean value for domain_auth_mode to
turn this behavior on or off."""
v = self._domain_auth_mode = domain_auth_mode and 1 or 0
return 'Domain authentication mode set to %d' % v
def _lookupRemoteHostAddr(self, request):
# If no authorization, only a user with a domain spec and no
# passwd or nobody can match. We cache reverse DNS before
# checking the users, otherwise it can get real slow looking
# it up for every user.
host=request.get('REMOTE_HOST', '')
addr=request.get('REMOTE_ADDR', '')
if host or addr:
if not host:
try:
host=socket.gethostbyaddr(addr)[0]
request.set('REMOTE_HOST', host)
except: pass
if not addr:
try:
addr=socket.gethostbyname(host)
request.set('REMOTE_ADDR', addr)
except: pass
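Review bot: setDomainAuthenticationMode is callable through the web under 'Manage users' (the first hunk adds it to __ac_permissions__), but `v = self._domain_auth_mode = domain_auth_mode and 1 or 0` treats any non-empty form string as true, so a request carrying `domain_auth_mode=0` or `off` switches the mode on rather than off, contrary to the docstring's "boolean value"; normalise string input before the truth test, e.g. `if type(domain_auth_mode) is type(''): domain_auth_mode = lower(domain_auth_mode) not in ('', '0', 'off', 'false', 'no')`. In _lookupRemoteHostAddr the REMOTE_HOST written on the request comes straight from gethostbyaddr(), whose PTR answer is controlled by whoever owns the reverse zone for the address, and that value appears to be what authenticate() then matches against user.getDomains() for password-less users; forward-confirming the name (keep it only when it resolves back to addr) removes that trust in a third party's PTR record. The two bare `except: pass` clauses should also narrow to `except socket.error:` (or socket.herror where the interpreter distinguishes it) so a resolver failure is not conflated with any other fault. The class header and the rest of BasicUserFolder lie outside this hunk.
```python
def _lookupRemoteHostAddr(self, request):
    # … unchanged: leading comment …
    host=request.get('REMOTE_HOST', '')
    addr=request.get('REMOTE_ADDR', '')
    if host or addr:
        if not host:
            try:
                name=socket.gethostbyaddr(addr)[0]
                # Forward-confirm the PTR name: trust it only when it
                # resolves back to the peer address.
                if addr in socket.gethostbyname_ex(name)[2]:
                    host=name
                    request.set('REMOTE_HOST', host)
            except socket.error: pass
        # … unchanged: REMOTE_ADDR lookup from host (narrow its except to socket.error too) …
```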