Commit 62565cdd authored by Vincent Pelletier's avatar Vincent Pelletier

ERP5Security: Declare SUPER_USER at product level.

It does not depend on a specific plugin.
Also, update all importers.
Also, reduce import cycles in ERP5Security.
parent 0c0ce4d6
......@@ -48,7 +48,7 @@ from AccessControl.PermissionRole import rolesForPermissionOn
from MethodObject import Method
from Products.ERP5Security import mergedLocalRoles
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products import ERP5Security
from Products.ZSQLCatalog.Utils import sqlquote
import warnings
......@@ -470,7 +470,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
"""
user = _getAuthenticatedUser(self)
user_str = str(user)
user_is_superuser = (user == system_user) or (user_str == SUPER_USER)
user_is_superuser = (user == system_user) or (user_str == ERP5Security.SUPER_USER)
allowedRolesAndUsers = self._listAllowedRolesAndUsers(user)
role_column_dict = {}
local_role_column_dict = {}
......@@ -596,7 +596,7 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
"""
user = _getAuthenticatedUser(self)
user_str = str(user)
user_is_superuser = (user == system_user) or (user_str == SUPER_USER)
user_is_superuser = (user == system_user) or (user_str == ERP5Security.SUPER_USER)
if user_is_superuser:
# We need no security check for super user.
return query
......
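Review bot: Both rewritten assignments of `user_is_superuser` decide the catalog security bypass by comparing `str(user)` with `ERP5Security.SUPER_USER`, while other files in this commit test `principal.getId()` (group and role managers) or `self.getUserName()` (ERP5User). With the constant now at product level, a single predicate defined next to it would keep these checks from drifting apart. Failing that, I would put a comment above each assignment, for example `# Super-user bypass: relies on authentication plugins refusing SUPER_USER as a login.` Both enclosing methods start and end outside the hunks shown.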
......@@ -33,7 +33,7 @@ from Products.ERP5Type.Permissions import ManagePortal
from Products.ERP5Type.Globals import DTMLFile
from Products.ERP5SecurePayment import _dtmldir
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products import ERP5Security
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl import getSecurityManager
from zLOG import LOG
......@@ -66,7 +66,7 @@ class SecurePaymentTool(BaseTool):
user = getSecurityManager().getUser()
if not('Member' in user.getRoles()):
newSecurityManager(None,
self.getPortalObject().acl_users.getUserById(SUPER_USER))
self.getPortalObject().acl_users.getUserById(ERP5Security.SUPER_USER))
def _getParametersFromSelection(self,service,selection):
if selection is not None:
......
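Review bot: The `newSecurityManager(None, ...getUserById(ERP5Security.SUPER_USER))` call, made for any caller without the `Member` role, appears to be the last statement before `_getParametersFromSelection`, so nothing in the lines shown saves or restores the previous security manager. If the callers do not restore it themselves, the rest of the request runs with security checks bypassed. I would capture `sm = getSecurityManager()` before the switch and have the caller run `setSecurityManager(sm)` in a `finally`. At minimum the method needs a docstring saying that it leaves the request elevated and who must undo that. The method's signature lies outside the hunk.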
......@@ -33,7 +33,7 @@ from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from Products.PluggableAuthService.interfaces import plugins
from Products.PluggableAuthService.utils import classImplements
from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products import ERP5Security
from Products.PluggableAuthService.PluggableAuthService import DumbHTTPExtractor
from AccessControl.SecurityManagement import getSecurityManager, \
setSecurityManager, newSecurityManager
......@@ -182,8 +182,8 @@ class ERP5ExternalOauth2ExtractionPlugin:
# create the user if not found
if not self.searchUsers(id=user, exact_match=True):
sm = getSecurityManager()
if sm.getUser().getId() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER))
if sm.getUser().getId() != ERP5Security.SUPER_USER:
newSecurityManager(self, self.getUser(ERP5Security.SUPER_USER))
try:
self.REQUEST['USER_CREATION_IN_PROGRESS'] = user
if user_entry is None:
......
......@@ -32,7 +32,7 @@ import sys
from zLOG import LOG, WARNING
from ERP5UserManager import SUPER_USER
from Products import ERP5Security
# It can be useful to set NO_CACHE_MODE to 1 in order to debug
# complex security issues related to caching groups. For example,
......@@ -83,7 +83,7 @@ class ERP5GroupManager(BasePlugin):
""" See IGroupsPlugin.
"""
# If this is the super user, skip the check.
if principal.getId() == SUPER_USER:
if principal.getId() == ERP5Security.SUPER_USER:
return ()
@UnrestrictedMethod
......
......@@ -47,8 +47,8 @@ from Products.PluggableAuthService.plugins.CookieAuthHelper import CookieAuthHel
from Products.ERP5Type.Cache import CachingMethod
from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
from Products.ERP5Security.ERP5UserManager import ERP5UserManager, \
SUPER_USER, \
_AuthenticationFailure
from Products import ERP5Security
from Crypto.Cipher import AES
from Crypto import Random
......@@ -325,7 +325,7 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
if key != None:
login = self.decrypt(key)
# Forbidden the usage of the super user.
if login == SUPER_USER:
if login == ERP5Security.SUPER_USER:
return None
#Function to allow cache
......
......@@ -23,7 +23,7 @@ from Products.PluggableAuthService.utils import classImplements
from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin, \
IRoleEnumerationPlugin
from ERP5UserManager import SUPER_USER
from Products import ERP5Security
manage_addERP5RoleManagerForm = PageTemplateFile(
'www/ERP5Security_addERP5RoleManager', globals(),
......@@ -64,7 +64,7 @@ class ERP5RoleManager( BasePlugin ):
""" See IRolesPlugin.
We only ever return Member for every principal
"""
if principal.getId() == SUPER_USER:
if principal.getId() == ERP5Security.SUPER_USER:
# If this is the super user, give all the roles present in this system.
# XXX no API to do this in PAS.
rolemakers = self._getPAS().plugins.listPlugins( IRoleEnumerationPlugin )
......
......@@ -26,7 +26,7 @@ from Products.PluggableAuthService.interfaces.plugins import IUserFactoryPlugin
from Products.PluggableAuthService.PropertiedUser import PropertiedUser
from Products.PluggableAuthService.PropertiedUser import \
_what_not_even_god_should_do
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products import ERP5Security
manage_addERP5UserFactoryForm = PageTemplateFile(
'www/ERP5Security_addERP5UserFactory', globals(),
......@@ -104,7 +104,7 @@ class ERP5User(PropertiedUser):
As for getRolesInContext, we take into account _getAcquireLocalRoles for
ERP5.
"""
if self.getUserName() == SUPER_USER:
if self.getUserName() == ERP5Security.SUPER_USER:
# super user is allowed to accesss any object
return 1
......
......@@ -31,9 +31,7 @@ from ZODB.POSException import ConflictError
import sys
from DateTime import DateTime
from zLOG import LOG, PROBLEM
# This user is used to bypass all security checks.
SUPER_USER = '__erp5security-=__'
from Products import ERP5Security
manage_addERP5UserManagerForm = PageTemplateFile(
'www/ERP5Security_addERP5UserManager', globals(),
......@@ -139,7 +137,7 @@ class ERP5UserManager(BasePlugin):
login = credentials.get('external_login')
ignore_password = True
# Forbidden the usage of the super user.
if login == SUPER_USER:
if login == ERP5Security.SUPER_USER:
return None
@UnrestrictedMethod
......@@ -235,7 +233,7 @@ class ERP5UserManager(BasePlugin):
id_list = []
has_super_user = False
for user_id in id:
if user_id == SUPER_USER:
if user_id == ERP5Security.SUPER_USER:
has_super_user = True
elif user_id:
id_list.append(user_id)
......@@ -257,7 +255,7 @@ class ERP5UserManager(BasePlugin):
else:
user_list = []
if has_super_user:
user_list.append({'uid': None, 'path': None, 'reference': SUPER_USER})
user_list.append({'uid': None, 'path': None, 'reference': ERP5Security.SUPER_USER})
plugin_id = self.getId()
return tuple([
{
......
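Review bot: Dropping the `SUPER_USER` assignment from this module removes a name that code outside the repository may still import with `from Products.ERP5Security.ERP5UserManager import SUPER_USER`; the commit updates the in-tree importers only. Such code will now fail at import time, which is preferable to keeping a second copy of the constant, but it should be stated in the commit message or release notes. The existing comment above the login check could also give the reason: `# Never authenticate SUPER_USER from credentials; it is reserved for internal newSecurityManager() elevation.` The enclosing methods start outside the hunks shown.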
......@@ -21,16 +21,8 @@ from AccessControl.Permissions import manage_users as ManageUsers
from Products.PluggableAuthService.PluggableAuthService import registerMultiPlugin
from Products.PluggableAuthService.permissions import ManageGroups
import ERP5UserManager
import ERP5GroupManager
import ERP5RoleManager
import ERP5UserFactory
import ERP5KeyAuthPlugin
import ERP5ExternalAuthenticationPlugin
import ERP5BearerExtractionPlugin
import ERP5ExternalOauth2ExtractionPlugin
import ERP5AccessTokenExtractionPlugin
import ERP5DumbHTTPExtractionPlugin
# This user is used to bypass all security checks.
SUPER_USER = '__erp5security-=__'
def mergedLocalRoles(object):
"""Returns a merging of object and its ancestors'
......@@ -60,19 +52,30 @@ def mergedLocalRoles(object):
return deepcopy(merged)
registerMultiPlugin(ERP5UserManager.ERP5UserManager.meta_type)
registerMultiPlugin(ERP5GroupManager.ERP5GroupManager.meta_type)
registerMultiPlugin(ERP5RoleManager.ERP5RoleManager.meta_type)
registerMultiPlugin(ERP5UserFactory.ERP5UserFactory.meta_type)
registerMultiPlugin(ERP5KeyAuthPlugin.ERP5KeyAuthPlugin.meta_type)
registerMultiPlugin(ERP5ExternalAuthenticationPlugin.ERP5ExternalAuthenticationPlugin.meta_type)
registerMultiPlugin(ERP5BearerExtractionPlugin.ERP5BearerExtractionPlugin.meta_type)
registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5FacebookExtractionPlugin.meta_type)
registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5GoogleExtractionPlugin.meta_type)
registerMultiPlugin(ERP5AccessTokenExtractionPlugin.ERP5AccessTokenExtractionPlugin.meta_type)
registerMultiPlugin(ERP5DumbHTTPExtractionPlugin.ERP5DumbHTTPExtractionPlugin.meta_type)
def initialize(context):
import ERP5UserManager
import ERP5GroupManager
import ERP5RoleManager
import ERP5UserFactory
import ERP5KeyAuthPlugin
import ERP5ExternalAuthenticationPlugin
import ERP5BearerExtractionPlugin
import ERP5ExternalOauth2ExtractionPlugin
import ERP5AccessTokenExtractionPlugin
import ERP5DumbHTTPExtractionPlugin
registerMultiPlugin(ERP5UserManager.ERP5UserManager.meta_type)
registerMultiPlugin(ERP5GroupManager.ERP5GroupManager.meta_type)
registerMultiPlugin(ERP5RoleManager.ERP5RoleManager.meta_type)
registerMultiPlugin(ERP5UserFactory.ERP5UserFactory.meta_type)
registerMultiPlugin(ERP5KeyAuthPlugin.ERP5KeyAuthPlugin.meta_type)
registerMultiPlugin(ERP5ExternalAuthenticationPlugin.ERP5ExternalAuthenticationPlugin.meta_type)
registerMultiPlugin(ERP5BearerExtractionPlugin.ERP5BearerExtractionPlugin.meta_type)
registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5FacebookExtractionPlugin.meta_type)
registerMultiPlugin(ERP5ExternalOauth2ExtractionPlugin.ERP5GoogleExtractionPlugin.meta_type)
registerMultiPlugin(ERP5AccessTokenExtractionPlugin.ERP5AccessTokenExtractionPlugin.meta_type)
registerMultiPlugin(ERP5DumbHTTPExtractionPlugin.ERP5DumbHTTPExtractionPlugin.meta_type)
context.registerClass( ERP5UserManager.ERP5UserManager
, permission=ManageUsers
......
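Review bot: Moving the `registerMultiPlugin(...)` calls from module level into `initialize(context)` ties registration to every call of `initialize` rather than to the first import of the package. As far as I recall, PluggableAuthService's `registerMultiPlugin` raises `RuntimeError` for a meta_type that is already registered, so a second `initialize` in the same process (test setup, product refresh) would fail where the module-level form could not. That is worth confirming, and if it holds the calls should be guarded or the constraint noted in a comment. The commit message mentions reducing import cycles but not this change in registration timing. `initialize` continues past the end of the hunk.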
......@@ -38,6 +38,7 @@ from AccessControl.SecurityManagement import getSecurityManager
from Products.PluggableAuthService import PluggableAuthService
from zope.interface.verify import verifyClass
from DateTime import DateTime
from Products import ERP5Security
class TestUserManagement(ERP5TypeTestCase):
"""Tests User Management in ERP5Security.
......@@ -210,13 +211,11 @@ class TestUserManagement(ERP5TypeTestCase):
def test_PersonWithSuperUserLoginCannotBeCreated(self):
"""Tests one cannot create person with the "super user" special login."""
from Products.ERP5Security.ERP5UserManager import SUPER_USER
self.assertRaises(RuntimeError, self._makePerson, reference=SUPER_USER)
self.assertRaises(RuntimeError, self._makePerson, reference=ERP5Security.SUPER_USER)
def test_PersonWithSuperUserLogin(self):
"""Tests one cannot use the "super user" special login."""
from Products.ERP5Security.ERP5UserManager import SUPER_USER
self._assertUserDoesNotExists(SUPER_USER, '')
self._assertUserDoesNotExists(ERP5Security.SUPER_USER, '')
def test_searchUsers(self):
p1 = self._makePerson(reference='person1')
......
......@@ -42,7 +42,7 @@ import zope.interface
from Products.ERP5Type import Permissions, PropertySheet, interfaces
from Products.ERP5Type.XMLObject import XMLObject
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products import ERP5Security
class DummyGateway(XMLObject):
......@@ -114,7 +114,7 @@ class DummyGateway(XMLObject):
try:
#Use SUPER_USER
portal_membership = self.getPortalObject().portal_membership
newSecurityManager(None, portal_membership.getMemberById(SUPER_USER))
newSecurityManager(None, portal_membership.getMemberById(ERP5Security.SUPER_USER))
#Dummy notify only new SMS
self.notifyReception(REQUEST.get("sender"),
......
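Review bot: The reception handler switches to `ERP5Security.SUPER_USER` before it reads request-supplied values (`REQUEST.get("sender")` here), and the lines shown contain neither a check of who sent the request nor a restore of the previous security manager. The same pattern appears in the Essendex hunk, where `etree.fromstring(datas)` runs after the switch, and in the Mobyt hunk with `REQUEST.get("orig")`. If these methods are reachable from the gateway's HTTP callback, I would validate the caller and the payload first and limit the elevated region to the statements that need it, restoring the saved manager in a `finally`. The start of the method and the end of the `try` lie outside the hunk.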
......@@ -44,7 +44,7 @@ from zLOG import LOG, INFO
from Products.ERP5Type import Permissions, PropertySheet, interfaces
from Products.ERP5Type.XMLObject import XMLObject
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products import ERP5Security
#Product Module
from Products.ERP5ShortMessage.Errors import SMSGatewayError
......@@ -237,7 +237,7 @@ class EssendexGateway(XMLObject):
try:
#Use SUPER_USER
portal_membership = self.getPortalObject().portal_membership
newSecurityManager(None, portal_membership.getMemberById(SUPER_USER))
newSecurityManager(None, portal_membership.getMemberById(ERP5Security.SUPER_USER))
#Parse XML
root = etree.fromstring(datas)
......
......@@ -42,7 +42,7 @@ from zLOG import LOG, INFO
from Products.ERP5Type import Permissions, PropertySheet, interfaces
from Products.ERP5Type.XMLObject import XMLObject
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products import ERP5Security
#Product Module
from Products.ERP5ShortMessage.Errors import SMSGatewayError
......@@ -256,7 +256,7 @@ class MobytGateway(XMLObject):
try:
#Use SUPER_USER
portal_membership = self.getPortalObject().portal_membership
newSecurityManager(None, portal_membership.getMemberById(SUPER_USER))
newSecurityManager(None, portal_membership.getMemberById(ERP5Security.SUPER_USER))
#Mobyt notify only new SMS
self.notifyReception(REQUEST.get("orig"),
......
......@@ -25,7 +25,8 @@ from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlug
IUserEnumerationPlugin
from Products.ERP5Type.Cache import CachingMethod
from DateTime import DateTime
from Products.ERP5Security.ERP5UserManager import ERP5UserManager, SUPER_USER, _AuthenticationFailure
from Products.ERP5Security.ERP5UserManager import ERP5UserManager, _AuthenticationFailure
from Products import ERP5Security
from BTrees.OOBTree import OOBTree
from zLOG import LOG, INFO, WARNING
......@@ -133,7 +134,7 @@ class ERP5RemoteUserManager(ERP5UserManager):
ILoginPasswordExtractionPlugin.
"""
# Forbidden the usage of the super user.
if credentials.get('login') == SUPER_USER:
if credentials.get('login') == ERP5Security.SUPER_USER:
return None
def _authenticateCredentials(login, password, path):
......@@ -148,8 +149,8 @@ class ERP5RemoteUserManager(ERP5UserManager):
user = user_list[0]
sm = getSecurityManager()
if sm.getUser().getId() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER))
if sm.getUser().getId() != ERP5Security.SUPER_USER:
newSecurityManager(self, self.getUser(ERP5Security.SUPER_USER))
try:
# get assignment
assignment_list = [x for x in user.contentValues(portal_type="Assignment") \
......
......@@ -28,7 +28,7 @@
from AccessControl.SecurityManagement import newSecurityManager
from Products.ERP5.ERP5Site import ERP5Site
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products import ERP5Security
from Products.ERP5Type.Base import Base
from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
from Products.ERP5Wizard import addERP5RemoteUserManager
......@@ -41,7 +41,7 @@ def proxyMethodHandler(self, kw):
"""Dummy proxyMethodHandler"""
# login as super user
newSecurityManager(self, self.getPortalObject().acl_users.getUserById(
SUPER_USER))
ERP5Security.SUPER_USER))
data = getattr(self, kw['method_id'])(**kw['method_kw'])
response = GeneratorCall(data=data)
return response.dump()
......
......@@ -35,7 +35,7 @@ import sys
from zLOG import LOG, WARNING
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products import ERP5Security
NO_CACHE_MODE = 0
......@@ -86,7 +86,7 @@ class EGOVGroupManager(ERP5GroupManager):
""" See IGroupsPlugin.
"""
# If this is the super user, skip the check.
if principal.getId() == SUPER_USER:
if principal.getId() == ERP5Security.SUPER_USER:
return ()
def _getGroupsForPrincipal(user_name, path):
......@@ -98,8 +98,8 @@ class EGOVGroupManager(ERP5GroupManager):
# because we aren't logged in, we have to create our own
# SecurityManager to be able to access the Catalog
sm = getSecurityManager()
if sm.getUser().getId() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER))
if sm.getUser().getId() != ERP5Security.SUPER_USER:
newSecurityManager(self, self.getUser(ERP5Security.SUPER_USER))
try:
# To get the complete list of groups, we try to call the
# ERP5Type_getSecurityCategoryMapping which should return a list
......