Commit b7c85b0f authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

make 'System Processes' a virtual ERP5 user.

This commit fixes the regression in 4b16e1dd where python scripts
generated by alarm, that can happen with upgrader, will be executed as
Anonymous because it's owner does not exist.
parent faee5904
...@@ -245,22 +245,23 @@ class Message(BaseMessage): ...@@ -245,22 +245,23 @@ class Message(BaseMessage):
portal = activity_tool.getPortalObject() portal = activity_tool.getPortalObject()
portal_uf = portal.acl_users portal_uf = portal.acl_users
uf = portal_uf uf = portal_uf
user = uf.getUserById(user_name) if user_name == system_user.getUserName():
# if the user is not found, try to get it from a parent acl_users
# XXX this is still far from perfect, because we need to store all
# information about the user (like original user folder, roles) to
# replay the activity with exactly the same security context as if
# it had been executed without activity.
if user is None:
uf = portal.aq_parent.acl_users
user = uf.getUserById(user_name)
if user is None and user_name == system_user.getUserName():
# The following logic partly comes from unrestricted_apply() # The following logic partly comes from unrestricted_apply()
# implementation in ERP5Type.UnrestrictedMethod but we get roles # implementation in ERP5Type.UnrestrictedMethod but we get roles
# from the portal to have more roles. # from the portal to have more roles.
uf = portal_uf uf = portal_uf
role_list = uf.valid_roles() role_list = uf.valid_roles()
user = PrivilegedUser(user_name, None, role_list, ()).__of__(uf) user = PrivilegedUser(user_name, None, role_list, ()).__of__(uf)
else:
user = uf.getUserById(user_name)
# if the user is not found, try to get it from a parent acl_users
# XXX this is still far from perfect, because we need to store all
# information about the user (like original user folder, roles) to
# replay the activity with exactly the same security context as if
# it had been executed without activity.
if user is None:
uf = portal.aq_parent.acl_users
user = uf.getUserById(user_name)
if user is not None: if user is not None:
user = user.__of__(uf) user = user.__of__(uf)
newSecurityManager(None, user) newSecurityManager(None, user)
......
...@@ -18,6 +18,7 @@ ...@@ -18,6 +18,7 @@
from Products.ERP5Type.Globals import InitializeClass from Products.ERP5Type.Globals import InitializeClass
from Acquisition import aq_inner, aq_parent from Acquisition import aq_inner, aq_parent
from AccessControl import ClassSecurityInfo from AccessControl import ClassSecurityInfo
from AccessControl.User import system as system_user
from Products.PageTemplates.PageTemplateFile import PageTemplateFile from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from App.config import getConfiguration from App.config import getConfiguration
from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
...@@ -102,7 +103,7 @@ class ERP5User(PropertiedUser): ...@@ -102,7 +103,7 @@ class ERP5User(PropertiedUser):
As for getRolesInContext, we take into account _getAcquireLocalRoles for As for getRolesInContext, we take into account _getAcquireLocalRoles for
ERP5. ERP5.
""" """
if self.getUserName() == SUPER_USER: if self.getUserName() in (SUPER_USER, system_user.getUserName()):
# super user is allowed to accesss any object # super user is allowed to accesss any object
return 1 return 1
......
...@@ -20,6 +20,7 @@ from AccessControl import ClassSecurityInfo ...@@ -20,6 +20,7 @@ from AccessControl import ClassSecurityInfo
from AccessControl.AuthEncoding import pw_validate from AccessControl.AuthEncoding import pw_validate
from AccessControl.SecurityManagement import getSecurityManager,\ from AccessControl.SecurityManagement import getSecurityManager,\
setSecurityManager, newSecurityManager setSecurityManager, newSecurityManager
from AccessControl.User import system as system_user
from Products.PageTemplates.PageTemplateFile import PageTemplateFile from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from Products.PluggableAuthService.PluggableAuthService import \ from Products.PluggableAuthService.PluggableAuthService import \
_SWALLOWABLE_PLUGIN_EXCEPTIONS _SWALLOWABLE_PLUGIN_EXCEPTIONS
...@@ -124,7 +125,7 @@ class ERP5UserManager(BasePlugin): ...@@ -124,7 +125,7 @@ class ERP5UserManager(BasePlugin):
login = credentials.get('external_login') login = credentials.get('external_login')
ignore_password = True ignore_password = True
# Forbidden the usage of the super user. # Forbidden the usage of the super user.
if login == SUPER_USER: if login in (SUPER_USER, system_user.getUserName()):
return None return None
@UnrestrictedMethod @UnrestrictedMethod
...@@ -224,9 +225,9 @@ class ERP5UserManager(BasePlugin): ...@@ -224,9 +225,9 @@ class ERP5UserManager(BasePlugin):
id_list = [] id_list = []
for user_id in id: for user_id in id:
if SUPER_USER == user_id: if user_id in (SUPER_USER, system_user.getUserName()):
info = { 'id' : SUPER_USER info = { 'id' : user_id
, 'login' : SUPER_USER , 'login' : user_id
, 'pluginid' : plugin_id , 'pluginid' : plugin_id
} }
user_info.append(info) user_info.append(info)
......
...@@ -219,6 +219,16 @@ class TestUserManagement(ERP5TypeTestCase): ...@@ -219,6 +219,16 @@ class TestUserManagement(ERP5TypeTestCase):
from Products.ERP5Security.ERP5UserManager import SUPER_USER from Products.ERP5Security.ERP5UserManager import SUPER_USER
self._assertUserDoesNotExists(SUPER_USER, '') self._assertUserDoesNotExists(SUPER_USER, '')
def test_PersonWithSystemProcessesLoginCannotBeCreated(self):
"""Tests one cannot create person with the "super user" special login."""
from AccessControl.User import system as system_user
self.assertRaises(RuntimeError, self._makePerson, reference=system_user.getUserName())
def test_PersonWithSystemProcessesLogin(self):
"""Tests one cannot use the "super user" special login."""
from AccessControl.User import system as system_user
self._assertUserDoesNotExists(system_user.getUserName(), '')
def test_searchUsers(self): def test_searchUsers(self):
p1 = self._makePerson(reference='person1') p1 = self._makePerson(reference='person1')
p2 = self._makePerson(reference='person2') p2 = self._makePerson(reference='person2')
...@@ -402,6 +412,30 @@ class TestUserManagement(ERP5TypeTestCase): ...@@ -402,6 +412,30 @@ class TestUserManagement(ERP5TypeTestCase):
self.tic() self.tic()
self.assertEqual(None, person.getReference()) self.assertEqual(None, person.getReference())
def test_scriptGenerationByAlarm(self):
"""Make sure a script generated by alarm can be executed"""
self.portal = self.getPortal()
# create a security configuration script
skin_folder = self.portal.portal_skins.custom
if 'test_python_script' not in skin_folder.objectIds():
createZODBPythonScript(
skin_folder, 'test_alarm_script', '',
"""
script_id='test_python_script'
script_params=''
script_content='return context.getPortalObject().person_module.newContent().getId()'
if getattr(container, script_id, None) is None:
container.manage_addProduct['PythonScripts'].manage_addPythonScript(id=script_id)
script = container[script_id]
script.ZPythonScript_edit(script_params, script_content)
""")
alarm = self.portal.portal_alarms.newContent(
active_sense_method_id='test_alarm_script'
)
alarm.activeSense()
self.tic()
self.assertTrue(self.portal.test_python_script() is not None)
class TestUserManagementExternalAuthentication(TestUserManagement): class TestUserManagementExternalAuthentication(TestUserManagement):
def getTitle(self): def getTitle(self):
"""Title of the test.""" """Title of the test."""
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment