# Copyright 2005 Plone Solutions
# info@plonesolutions.com
# Copyright 2006 The Open Planning Project
# robm <at> openplans -dot- org
from AccessControl import ClassSecurityInfo
from AccessControl.class_init import InitializeClass
from OFS.Cache import Cacheable
from Products.CMFCore.utils import getToolByName
from Products.membrane.config import QIM_ANNOT_KEY
from Products.membrane.config import TOOLNAME
from Products.membrane.interfaces import user as user_ifaces
from Products.membrane.interfaces.plugins import IMembraneUserManagerPlugin
from Products.membrane.utils import findImplementations
from Products.membrane.utils import findMembraneUserAspect
from Products.membrane.utils import getCurrentUserAdder
from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
from Products.PluggableAuthService.utils import createViewName
from Products.ZCTextIndex.ZCTextIndex import ZCTextIndex
from zope.annotation.interfaces import IAnnotations
from zope.component.hooks import getSite
from zope.interface import implementer
import copy
# ZMI "add" form for this plugin.  The template path is resolved relative to
# this module (``globals()``), i.e. the package's ``www`` directory.
manage_addMembraneUserManagerForm = PageTemplateFile(
    "../www/MembraneUserManagerForm",
    globals(),
    __name__="manage_addMembraneUserManagerForm",
)
def addMembraneUserManager(dispatcher, id, title=None, REQUEST=None):
    """Add a MembraneUserManager to a Pluggable Auth Service.

    Args:
        dispatcher: the PAS container the new plugin object is stored in.
        id: id under which the plugin is stored.
        title: optional human-readable title for the plugin.
        REQUEST: when given (ZMI form submission) the response is redirected
            back to the container's ``manage_workspace`` with a status
            message; when None (programmatic use) nothing else happens.
    """
    plugin = MembraneUserManager(id, title)
    dispatcher._setObject(plugin.getId(), plugin)
    if REQUEST is None:
        return
    # Redirect target is always the container's own URL, never caller input.
    target = (
        "%s/manage_workspace?manage_tabs_message=MembraneUserManager+added."
        % dispatcher.absolute_url()
    )
    REQUEST["RESPONSE"].redirect(target)
@implementer(IMembraneUserManagerPlugin)
class MembraneUserManager(BasePlugin, Cacheable):
    """PAS plugin for managing contentish members in Plone.

    The plugin holds no user data itself.  It locates member objects through
    the membrane tool's catalog and delegates the user-specific operations
    (authentication, password change, deletion) to adapters on those objects
    -- ``IMembraneUserAuth``, ``IMembraneUserChanger``,
    ``IMembraneUserDeleter`` -- and user creation to the current user adder
    utility.  Enumeration results are cached through ``Cacheable``.
    """

    meta_type = "Membrane User Manager"
    security = ClassSecurityInfo()

    def __init__(self, id, title=None):
        # ``_id`` and ``id`` are kept in sync; ``title`` may remain None.
        self._id = self.id = id
        self.title = title

    #
    # IAuthenticationPlugin implementation
    #
    @security.private
    def authenticateCredentials(self, credentials):
        """See IAuthenticationPlugin.

        o We expect the credentials to be those returned by
          ILoginPasswordExtractionPlugin.

        Returns whatever the member's ``IMembraneUserAuth`` adapter returns,
        or None when no member matches the ``login`` or the member has no
        such adapter -- None tells PAS this plugin does not vouch for the
        credentials.  The password is never compared here; the whole
        credentials mapping is handed to the adapter.
        """
        login = credentials.get("login")
        # We can't depend on security when authenticating the user,
        # or we'll get stuck in loops
        mbtool = getToolByName(self, TOOLNAME)
        member = mbtool.getUserObject(login=login)
        if member is None:
            return None
        # Delegate to member object
        auth = user_ifaces.IMembraneUserAuth(member, None)
        if auth is None:
            return None
        return auth.authenticateCredentials(credentials)

    #
    # IUserEnumerationPlugin implementation
    #
    @security.private
    def enumerateUsers(
        self,
        id=None,
        login=None,
        exact_match=False,
        sort_by=None,
        max_results=None,
        **kw
    ):
        """See IUserEnumerationPlugin.

        Args:
            id: user id, or list of ids, to look up.  Only consulted when
                ``login`` is empty.
            login: login name, or list of login names, to look up.
            exact_match: match ids/logins exactly; otherwise a "starts with"
                search is made (a trailing ``*`` is appended to each term).
            sort_by: "login" or "id" sorts the catalog results on
                ``getUserName`` / ``getUserId``; anything else leaves the
                catalog's default order.
            max_results: upper bound on the number of results; None and ""
                mean unbounded.
            **kw: extra search terms.  A keyword is only used when the
                membrane tool's query-index annotation maps it to a catalog
                index; ``fullname`` is additionally searched in ``Title``.

        Returns:
            A tuple of dicts with keys ``id``, ``login``, ``pluginid`` and
            ``editurl``.  Returns an empty list (not tuple) when search
            terms were given but none of them mapped to an index.
        """
        user_info = []
        plugin_id = self.getId()
        view_name = createViewName("enumerateUsers", id or login)
        if isinstance(id, str):
            id = [id]
        if isinstance(login, str) and login:
            login = [login]
        mbtool = getToolByName(self, TOOLNAME)
        query = {}
        # allow arbitrary indexes to be passed in to the catalog query
        # Only keywords present in the annotation reach the catalog; unknown
        # keywords are silently ignored, so caller-supplied **kw cannot select
        # an index the site has not explicitly exposed.
        query_index_map = IAnnotations(mbtool).get(QIM_ANNOT_KEY)
        if query_index_map is not None:
            for keyword in kw.keys():
                if keyword in query_index_map:
                    index_name = query_index_map[keyword]
                    search_term = kw[keyword]
                    if search_term is not None:
                        if not exact_match:
                            index = mbtool.Indexes[index_name]
                            if isinstance(index, ZCTextIndex):
                                # split, glob, join
                                # NOTE(review): assumes the term is a str here
                                # (``.strip()``); the term is passed to the
                                # index's own query parser without escaping.
                                sep = search_term.strip().split()
                                sep = ["%s*" % val for val in sep]
                                search_term = " ".join(sep)
                        query[index_name] = search_term
        # Look in the cache first...
        # The cache key covers every search argument, so a result computed
        # for one query is never served for a different one.
        keywords = copy.deepcopy(kw)
        keywords.update(
            {
                "id": id,
                "login": login,
                "exact_match": exact_match,
                "sort_by": sort_by,
                "max_results": max_results,
            }
        )
        cached_info = self.ZCacheable_get(
            view_name=view_name, keywords=keywords, default=None
        )
        if cached_info is not None:
            return tuple(cached_info)
        # Note: ZCTextIndex doesn't allow 'contains' searches AFAICT,
        # so we use 'starts with'.
        if login:
            if exact_match:
                query["exact_getUserName"] = login
            else:
                query["getUserName"] = ["%s*" % _login for _login in login]
        elif id:
            if exact_match:
                query["exact_getUserId"] = id
            else:
                query["getUserId"] = ["%s*" % i for i in id]
        elif keywords.get("fullname"):
            # Controlpanel searches with keyword argument ``fullname``.
            # Title is a ZCTextIndex, we don't need to look for exact_match.
            query["Title"] = keywords["fullname"]
        if not query and (id or login or kw):
            # The query is empty, even though we did explicitly search
            # for something. The most likely cause is specifying a
            # search term for which we have no index. If we continue,
            # that would lead to returning all members, which is not
            # what we want here.
            #
            # Note that if in Plone you click 'Show all users' in the
            # users panel, that leads to three queries. At least one
            # of those will not be empty, so all users will be listed
            # anyway, which is good in that case.
            return []
        if sort_by is not None:
            if sort_by == "login":
                query["sort_on"] = "getUserName"
            if sort_by == "id":
                query["sort_on"] = "getUserId"
        # Restrict hits to membrane user objects, whatever other indexes say.
        query["object_implements"] = user_ifaces.IMembraneUserObject.__identifier__
        # Unrestricted search: no per-object permission filtering is applied
        # (same reasoning as in authenticateCredentials).  Only the four
        # fields built below are exposed per hit.
        members = mbtool.unrestrictedSearchResults(**query)
        if max_results is not None and max_results != "":
            # NOTE(review): ``int()`` raises ValueError on a non-numeric
            # string; confirm callers always pass an int or digit string.
            members = members[: int(max_results)]
        for m in members:
            obj = m._unrestrictedGetObject()
            member = user_ifaces.IMembraneUserObject(obj, None)
            if member is None:
                continue
            info = dict(
                id=member.getUserId(),
                login=member.getUserName(),
                pluginid=plugin_id,
                editurl="%s/edit" % obj.absolute_url(),
            )
            user_info.append(info)
        # Put the computed value into the cache
        self.ZCacheable_set(user_info, view_name=view_name, keywords=keywords)
        return tuple(user_info)

    def updateUser(self, user_id, login_name):
        """Update the login name of the user with id user_id.

        This is a new part of the IUserEnumerationPlugin interface,
        but not interesting for us. Actually, it may be interesting,
        but usually the login name and user id are the same. An
        implementation might choose to do this differently.

        If the user is managed by membrane, all user specific settings
        (including the login_name) are handled there and cannot be updated
        by this method.

        If membrane is responsible for managing the user, we have to return
        True to set the correct state for following updaters.

        Returns True when exactly one membrane member has this user id;
        otherwise falls through and returns None.  ``login_name`` is unused.
        """
        context = getSite()
        # NOTE(review): literal tool id here, while the rest of the class
        # uses ``TOOLNAME``; confirm they denote the same tool.
        mtool = getToolByName(context, "membrane_tool")
        if mtool:
            # NOTE(review): this queries the ``getUserId`` index, whereas the
            # other lookups in this class use ``exact_getUserId``; confirm the
            # match is exact so another user's id cannot satisfy the check.
            members = mtool.unrestrictedSearchResults({"getUserId": user_id})
            if len(members) == 1:
                return True

    def updateEveryLoginName(self, quit_on_first_error=True):
        """Update login names of all users to their canonical value.

        This is a new part of the IUserEnumerationPlugin interface,
        but by default we cannot do anything here. This is up to the
        member implementation. If anyone needs some code here, let us
        know on the mailing list.
        """
        pass

    #
    # IUserIntrospection implementation
    #
    @security.private
    def getUserIds(self):
        """
        Return a tuple of user ids of all membrane user objects.

        ``getUserId`` is read as an attribute of each search hit (not
        called) -- presumably catalog brain metadata; verify against
        ``findImplementations``.
        """
        users = findImplementations(self, user_ifaces.IMembraneUserObject)
        return tuple([u.getUserId for u in users])

    @security.private
    def getUserNames(self):
        """
        Return a tuple of login names of all membrane user objects.

        As in ``getUserIds``, ``getUserName`` is read as an attribute of each
        search hit rather than called.
        """
        users = findImplementations(self, user_ifaces.IMembraneUserObject)
        return tuple([u.getUserName for u in users])

    @security.private
    def getUsers(self):
        """
        Return a tuple of user objects, one ``acl_users.getUserById`` lookup
        per id from ``getUserIds``.

        XXX DON'T USE THIS, it will kill performance
        """
        uf = getToolByName(self, "acl_users")
        return tuple([uf.getUserById(x) for x in self.getUserIds()])

    #
    # IUserManagement implementation
    # (including IMembraneUserChanger implementation)
    #
    def doChangeUser(self, user_id, password, **kwargs):
        """Change the password (and any ``kwargs``) of the user ``user_id``.

        The work is delegated to the first ``IMembraneUserChanger`` aspect
        found for the exact user id.

        Raises:
            RuntimeError: if no changer aspect exists for ``user_id``.
        """
        changers = findMembraneUserAspect(
            self, user_ifaces.IMembraneUserChanger, exact_getUserId=user_id
        )
        if changers:
            changers[0].doChangeUser(user_id, password, **kwargs)
        else:
            raise RuntimeError(
                "No IMembraneUserChanger adapter found for user id: %s" % user_id
            )

    def doDeleteUser(self, login):  # XXX: is it really login, or user_id?
        """Delete the user found under ``login``.

        Delegated to the first ``IMembraneUserDeleter`` aspect found via the
        ``getUserName`` index.  NOTE(review): ``allowDeletePrincipal`` checks
        the same aspect via ``exact_getUserId`` -- the two lookups may not
        agree on which principal they refer to; confirm.

        Raises:
            KeyError: if no deleter aspect exists for ``login``.
        """
        deleters = findMembraneUserAspect(
            self, user_ifaces.IMembraneUserDeleter, getUserName=login
        )
        if deleters:
            deleters[0].doDeleteUser(login)
        else:
            raise KeyError("No IMembraneUserDeleter adapter found for user: %s" % login)

    def doAddUser(self, login, password):
        """
        This is highly usecase dependent, so it delegates to a local
        utility

        Returns True when a user adder utility was found and invoked,
        False when none is registered (no user is created in that case).
        """
        adder = getCurrentUserAdder(self)
        if adder is not None:
            adder.addUser(login, password)
            return True
        else:
            return False

    def allowPasswordSet(self, user_id):
        """
        Check if we have access to set the password.
        We can verify this by checking if we can adapt to an IUserChanger

        Returns True iff at least one ``IMembraneUserChanger`` aspect exists
        for the exact ``user_id`` (the same lookup ``doChangeUser`` uses).
        """
        changers = findMembraneUserAspect(
            self, user_ifaces.IMembraneUserChanger, exact_getUserId=user_id
        )
        return bool(changers)

    def allowDeletePrincipal(self, user_id):
        """
        Check to see if the user can be deleted by trying to adapt
        to an IMembraneUserDeleter

        Returns True iff at least one ``IMembraneUserDeleter`` aspect exists
        for the exact ``user_id``.
        """
        deleters = findMembraneUserAspect(
            self, user_ifaces.IMembraneUserDeleter, exact_getUserId=user_id
        )
        return bool(deleters)
# Apply the ``security`` declarations made on the class (the
# ``@security.private`` decorators above).
InitializeClass(MembraneUserManager)