Define a super user and use it for searching users.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@5807 20353a03-c40f-0410-a6d1-a30d3c3de9de

Define a super user and use it for searching users.
git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@5807 20353a03-c40f-0410-a6d1-a30d3c3de9de
b385b625 · Yoshinori Okuji · 8175e80f · b385b625 · b385b625 · b385b625
Commit b385b625 authored Feb 23, 2006 by Yoshinori Okuji
3 changed files
--- a/product/ERP5Security/ERP5GroupManager.py
+++ b/product/ERP5Security/ERP5GroupManager.py
@@ -24,11 +24,14 @@ from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
 from Products.PluggableAuthService.utils import classImplements
 from Products.PluggableAuthService.interfaces.plugins import IGroupsPlugin
 from Products.ERP5Type.Cache import CachingMethod
+from Products.PluggableAuthService.PropertiedUser import PropertiedUser

 from pickle import dumps, loads

 from zLOG import LOG

+from ERP5UserManager import SUPER_USER
+
 manage_addERP5GroupManagerForm = PageTemplateFile(
    'www/ERP5Security_addERP5GroupManager', globals(), __name__='manage_addERP5GroupManagerForm' )

@@ -65,6 +68,10 @@ class ERP5GroupManager(BasePlugin):
  def getGroupsForPrincipal(self, principal, request=None):
    """ See IGroupsPlugin.
    """
+    # If this is the super user, skip the check.
+    if principal.getId() == SUPER_USER:
+      return ()
+
    def _getGroupsForPrincipal(user_name, path):
      security_category_dict = {} # key is the base_category_list,
                                  # value is the list of fetched categories
@@ -73,10 +80,9 @@ class ERP5GroupManager(BasePlugin):

      # because we aren't logged in, we have to create our own
      # SecurityManager to be able to access the Catalog
-      #FIXME here we assume that the portal owner will always have
-      #      enough rights, which might as well be wrong
      sm = getSecurityManager()
-      newSecurityManager(self, self.getPortalObject().getOwner())
+      if sm.getUser() != SUPER_USER:
+        newSecurityManager(self, self.getUser(SUPER_USER))

      # To get the complete list of groups, we try to call the
      # ERP5Type_getSecurityCategoryMapping which should return a list

--- a/product/ERP5Security/ERP5RoleManager.py
+++ b/product/ERP5Security/ERP5RoleManager.py
@@ -20,7 +20,9 @@ from AccessControl import ClassSecurityInfo
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
 from Products.PluggableAuthService.utils import classImplements
-from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin
+from Products.PluggableAuthService.interfaces.plugins import IRolesPlugin, IRoleEnumerationPlugin
+
+from ERP5UserManager import SUPER_USER

 manage_addERP5RoleManagerForm = PageTemplateFile(
    'www/ERP5Security_addERP5RoleManager', globals(), __name__='manage_addERP5RoleManagerForm' )
@@ -37,7 +39,7 @@ def addERP5RoleManager( dispatcher, id, title=None, REQUEST=None ):
                                '?manage_tabs_message='
                                'ERP5RoleManager+added.'
                            % dispatcher.absolute_url())
-        
+ 
 class ERP5RoleManager( BasePlugin ):

    """ PAS plugin to add 'Member' as default
@@ -51,7 +53,7 @@ class ERP5RoleManager( BasePlugin ):

        self._id = self.id = id
        self.title = title
-        
+
    #
    #   IRolesPlugin implementation
    #
@@ -60,9 +62,17 @@ class ERP5RoleManager( BasePlugin ):
        """ See IRolesPlugin.
        We only ever return Member for every principal
        """
-        
+        if principal.getId() == SUPER_USER:
+          # If this is the super user, give all the roles present in this system.
+          # XXX no API to do this in PAS.
+          rolemakers = self._getPAS().plugins.listPlugins( IRoleEnumerationPlugin )
+          roles = []
+          for rolemaker_id, rolemaker in rolemakers:
+            roles.extend([role['id'] for role in rolemaker.enumerateRoles()])
+          return tuple(roles)
+
        return ('Member',)
-    
+
 classImplements( ERP5RoleManager
               , IRolesPlugin
               )

--- a/product/ERP5Security/ERP5UserManager.py
+++ b/product/ERP5Security/ERP5UserManager.py
@@ -28,6 +28,9 @@ from Products.ERP5Type.Cache import CachingMethod

 from zLOG import LOG

+# This user is used to bypass all security checks.
+SUPER_USER = '__erp5security-=__'
+
 manage_addERP5UserManagerForm = PageTemplateFile(
    'www/ERP5Security_addERP5UserManager', globals(), __name__='manage_addERP5UserManagerForm' )

@@ -67,6 +70,10 @@ class ERP5UserManager(BasePlugin):
        o We expect the credentials to be those returned by
            ILoginPasswordExtractionPlugin.
        """
+        # Forbidden the usage of the super user.
+        if credentials.get('login') == SUPER_USER:
+          return None
+
        def _authenticateCredentials(login, password, path):
            if login is None or password is None:
                return None
@@ -80,7 +87,6 @@ class ERP5UserManager(BasePlugin):

            if user.getPassword() == password and\
                user.getCareerRole() == 'internal':
-              LOG('authenticateCredentials', 0, user.getId())
              return login, login # use same for user_id and login

            return None
@@ -99,21 +105,32 @@ class ERP5UserManager(BasePlugin):
            user_info = []
            plugin_id = self.getId()

-            if not exact_match:
-              id_tuple = tuple(['%%%s%%' % id for id in id_tuple])
+            id_list = []
+            for id in id_tuple:
+              if SUPER_USER == id:
+                info = { 'id' : SUPER_USER
+                        , 'login' : SUPER_USER
+                        , 'pluginid' : plugin_id
+                        }
+                user_info.append(info)
+              else:
+                if exact_match:
+                  id_list.append(id)
+                else:
+                  id_list.append('%%%s%%' % id)

-            user_objects = [user for user in self.getUserByLogin(id_tuple)\
-                if user.getCareerRole() == 'internal']
-                #XXX is this static check ok ?
+            if id_list:
+              user_objects = [user for user in self.getUserByLogin(tuple(id_list))\
+                  if user.getCareerRole() == 'internal']
+                  #XXX is this static check ok ?

-            for user in user_objects:
-                LOG('enumerateUsers', 0, user.getReference())
-                info = { 'id' : user.getReference()
-                       , 'login' : user.getReference()
-                       , 'pluginid' : plugin_id
-                       }
+              for user in user_objects:
+                  info = { 'id' : user.getReference()
+                          , 'login' : user.getReference()
+                          , 'pluginid' : plugin_id
+                          }

-                user_info.append(info)
+                  user_info.append(info)

            return tuple(user_info)

@@ -135,7 +152,8 @@ class ERP5UserManager(BasePlugin):
        # because we aren't logged in, we have to create our own
        # SecurityManager to be able to access the Catalog
        sm = getSecurityManager()
-        newSecurityManager(self, self.getPortalObject().portal_catalog.getOwner())
+        if sm.getUser() != SUPER_USER:
+          newSecurityManager(self, self.getUser(SUPER_USER))

        result = self.getPortalObject().portal_catalog(portal_type="Person", reference=login)