I have a problem where I need to be able to make custom content accessible for search and retrieval via portal_catalog by anonymous users but not viewable by them.
I used custom content types and a custom workflow, what I'm getting is most likely a permission issue. I defined a custom workflow through ZMI -> portal_workflow and then exported it into source code as an XML definition. I set the permissions for anonymous users as 'Access Content Information' but not 'View'. Note that 'active' in the code snippet is a workflow state that has that permission enabled -- sales_workflow
Brain lookup works for 'Manager' role, but when the role is switched to 'Anonymous', catalog returns an empty list.
import unittest2 as unittest
from . import INTEGRATION_TESTING
from AccessControl import getSecurityManager
from plone.app.testing import setRoles, logout
from plone.app.testing import TEST_USER_ID
from Products.CMFCore.utils import getToolByName
def drop_to_anonymous(self):
"""
Drop site roles to anonymous user only.
Note this is a class method and not a function
assign this method as a class member and then call it
"""
logout()
setRoles(self.portal, TEST_USER_ID, ['Anonymous'])
user = getSecurityManager().getUser()
roles = user.getRolesInContext(self.portal)
self.assertListEqual(['Anonymous'], roles)
class TestSalesRepWorkflow(unittest.TestCase):
layer = INTEGRATION_TESTING
drop_to_anonymous = drop_to_anonymous
def setUp(self):
self.portal = self.layer['portal']
self.wftool = getToolByName(self.portal, 'portal_workflow')
self.catalog = getToolByName(self.portal, 'portal_catalog')
def test_workflow_lookup_anon(self):
setRoles(self.portal, TEST_USER_ID, ['Manager'])
self.portal.invokeFactory(
'CustomProduct',
'prod1',
title="Product 1"
)
prod1 = self.portal['prod1']
self.wftool.doActionFor(prod1, action='activate')
review_state = self.wftool.getInfoFor(prod1, 'review_state')
prod1.reindexObject()
self.assertEqual('active', review_state)
lookup = self.catalog(portal_type='CustomProduct', Title='Product 1',
review_state='active')
#This test passes with managerial permissions
self.assertEqual(len(lookup), 1)
#Repeat the same test in 'Anonymous' role
self.drop_to_anonymous()
lookup1 = self.catalog(portal_type='CustomProduct', Title='Product 1',
review_state='active')
#When dropped to anonymous role, the test fails,
#lookup returns an empty list
self.assertEqual(len(lookup1), 1)
Is there a way to fix this without drastically reworking permissions?
Using unrestrictedSearchResults seems to fix the search, but whenever I attempt to run 'getObject' on a brain, the following error gets raised:
Unauthorized: You are not allowed to access 'XXX' in this context
Your active state needs to give the View permission to Anonymous. Currently it is restricted to these roles:
<state state_id="active" title="">
<!-- other information elided here -->
<permission-map name="View" acquired="False">
<permission-role>Manager</permission-role>
<permission-role>Owner</permission-role>
<permission-role>Reviewer</permission-role>
<permission-role>SalesRep</permission-role>
<permission-role>Site Administrator</permission-role>
</permission-map>
Without the View permission anonymous cannot see your objects even when given the active state, nor can they be found in the catalog by that user.
You can override this behaviour of the catalog by using the .unrestrictedSearchResults() method of the catalog:
lookup1 = self.catalog.unrestrictedSearchResults(
portal_type='SalesProduct', Title='Product 1', review_state='active')
This method cannot be used from restricted code.
The returned brain objects are perfectly accessible by anonymous users, but you cannot use the getObject() method on them because that'll use the current user's permissions to traverse to it. If you need to get the actual object from the brain, there is again a special, private method to get to the actual object without those restrictions, called ._unrestrictedGetObject():
obj = brain._unrestrictedGetObject()
This method is, once again, only available to unrestricted code.
Related
Very basically I have a model member and want to restrict searching members to allowed users. I use the following in the corresponding view
if request.user.has_perm('view_member'):
context['user_list'] = get_user(q)
Sadly this does not work even if
a) I give a user this permission via the admin interface
b) in my tests that look a bit like the following
def test_user_search_view(self):
self.client.login(username='testuser0', password='12345') # this is a user that was given the permission (see below)
response = self.client.post(reverse('library:search'), data={'q': "Müller"})
# Check our user is logged in
self.assertEqual(str(response.context['user']), 'testuser0') # Works
self.assertContains(response, "Max") # Fails, but Max should be there
For further tests I used the debugging mode of PyCharm to go into the test. In the console I then executed the following
>>> permission_view_user = Permission.objects.get(codename='view_member')
>>> test_user0.user_permissions.add(permission_view_user)
>>> test_user0.save() # For good luck
>>> user = get_object_or_404(User, pk=test_user0.pk)
>>> user.has_perm(permission_view_user)
False
I would expect true here.
I forgot the app name 🙈
It should be
if request.user.has_perm('appname.view_member'):
context['user_list'] = get_user(q)
I'm trying to setup stream-framework the one here not the newer getstream. I've setup the Redis server and the environment properly, the issue I'm facing is in creating the activities for a user.
I've been trying to create activities, following the documentation to add an activity but it gives me an error message as follows:
...
File "/Users/.../stream_framework/activity.py", line 110, in serialization_id
if self.object_id >= 10 ** 10 or self.verb.id >= 10 ** 3:
AttributeError: 'int' object has no attribute 'id'
Here is the code
from stream_framework.activity import Activity
from stream_framework.feeds.redis import RedisFeed
class PinFeed(RedisFeed):
key_format = 'feed:normal:%(user_id)s'
class UserPinFeed(PinFeed):
key_format = 'feed:user:%(user_id)s'
feed = UserPinFeed(13)
print(feed)
activity = Activity(
actor=13, # Thierry's user id
verb=1, # The id associated with the Pin verb
object=1, # The id of the newly created Pin object
)
feed.add(activity) # Error at this line
I think there is something missing in the documentation or maybe I'm doing something wrong. I'll be very grateful if anyone helps me get the stream framework working properly.
The documentation is inconsistent. The verb you pass to the activity should be (an instance of?*) a subclass of stream_framework.verbs.base.Verb. Check out this documentation page on custom verbs and the tests for this class.
The following should fix the error you posted:
from stream_framework.activity import Activity
from stream_framework.feeds.redis import RedisFeed
from stream_framework.verbs import register
from stream_framework.verbs.base import Verb
class PinFeed(RedisFeed):
key_format = 'feed:normal:%(user_id)s'
class UserPinFeed(PinFeed):
key_format = 'feed:user:%(user_id)s'
class Pin(Verb):
id = 5
infinitive = 'pin'
past_tense = 'pinned'
register(Pin)
feed = UserPinFeed(13)
activity = Activity(
actor=13,
verb=Pin,
object=1,
)
feed.add(activity)
I quickly looked over the code for Activity and it looks like passing ints for actor and object should work. However, it is possible that these parameters are also outdated in the documentation.
* The tests pass in classes as verb. However, the Verb base class has the methods serialize and __str__ that can only be meaningfully invoked if you have an object of this class. So I'm still unsure which is required here. It seems like in the current state, the framework never calls these methods, so classes still work, but I feel like the author originally intended to pass instances.
With the help of great answer by #He3lixxx, I was able to solve it partially. As the package is no more maintained, the package installs the latest Redis client for python which was creating too many issues so by installation redis-2.10.5 if using stream-framework-1.3.7, should fix the issue.
I would also like to add a complete guide to properly add activity to a user feed.
Key points:
If you are not using feed manager, then make sure to first insert the activity before you add it to the user with feed.insert_activity(activity) method.
In case of getting feeds with feed[:] throws an error something like below:
File "/Users/.../stream_framework/activity.py", line 44, in get_hydrated
activity = activities[int(self.serialization_id)]
KeyError: 16223026351730000000001005L
then you need to clear data for that user using the key format for it in my case the key is feed:user:13 for user 13, delete it with DEL feed:user:13, In case if that doesn't fix the issue then you can FLUSHALL which will delete everything from Redis.
Sample code:
from stream_framework.activity import Activity
from stream_framework.feeds.redis import RedisFeed
from stream_framework.verbs import register
from stream_framework.verbs.base import Verb
class PinFeed(RedisFeed):
key_format = 'feed:normal:%(user_id)s'
class UserPinFeed(PinFeed):
key_format = 'feed:user:%(user_id)s'
class Pin(Verb):
id = 5
infinitive = 'pin'
past_tense = 'pinned'
register(Pin)
feed = UserPinFeed(13)
print(feed[:])
activity = Activity(
actor=13,
verb=Pin,
object=1)
feed.insert_activity(activity)
activity_id = feed.add(activity)
print(activity_id)
print(feed[:])
To preface, I've only been working with Python for about 5 months. I've been trying to write a program that will (eventually) do batch user creation. When formatted like it is below, it will successfully create a new user object, but the "userAccountControl" attribute will default to 546, ACCOUNTDISABLE | PASSWD_NOTREQD | NORMAL_ACCOUNT, and the value for "userPass" will appear plaintext as an octet string in the attributes editor for the object in AD. This program is using the ldap3 library: https://pypi.python.org/pypi/ldap3
class fromconfig:
def __init__(self):
Config = configparser.ConfigParser()
Config.read("config.ini")
self.serverip = Config.get('serverinfo', 'ip')
self.basepath = Config.get('serverinfo', 'base')
self.container = Config.get('serverinfo', 'container')
self.dc1 = Config.get('serverinfo', 'dc1')
self.dc2 = Config.get('serverinfo', 'dc2')
self.ou = Config.get('serverinfo', 'ou')
def add_user(username, givenname, surname, userPrincipalName, SAMAccountName, userPassword):
ad_server = Server(config.serverip, use_ssl=True, get_info=ALL)
ad_c = Connection(ad_server, user='domain\\user', password='password', authentication=NTLM)
if ad_c.bind():
ad_c.add('cn={},cn={},dc={},dc={}'.format(username, config.ou, config.dc1, config.dc2), ['person', 'user'], {'givenName': givenname, 'sn': surname, 'userPrincipalName': userPrincipalName, 'sAMAccountName': SAMAccountName, 'userPassword': userPassword})
print(ad_c.result)
ad_c.unbind()
I want to be able to define a 512 value for userAccountControl in the program, or otherwise successfully enable the account so that I don't have to go back through and uncheck "Account is disabled" in AD later. When I try to pass it, ad_c.result returns with an error 53. It's the same error I receive when I go in through AD and try to modify the attribute directly, or uncheck the disable account checkbox. The dialog for error 53 on the AD server says "The password does not meet length or complexity requirements", but the password I'm using for my testing is one that I've used on our AD in the past with no problems. So I think the issue has something to do with how userPassword is being stored rather than complexity or permissions.
I believe I've figured it out, thanks to the example from this. Defining a value for the "userPassword" key in the attributes dictionary will not work later when you go to manually enable the account. Instead, after adding the user account you can use the extended operations to unlock the account, modify the password, and then update the "userAccountControl" attribute with the desired value (In this case, I wanted 512: NORMAL_ACCOUNT).
It's extremely messy, but thankfully it works, so I'm now going to start refactoring the rest of the program so it doesn't look hideous
(continued from above)
ad_c.add(...)
ad_c.extend.microsoft.unlock_account(user='cn={},cn={},dc={},dc={}'.format(username, config.container, config.dc1, config.dc2))
ad_c.extend.microsoft.modify_password(user='cn={},cn={},dc={},dc={}'.format(username, config.container, config.dc1, config.dc2), new_password=userpassword, old_password=None)
changeUACattribute = {"userAccountControl": (MODIFY_REPLACE, [512])}
ad_c.modify('cn={},cn={},dc={},dc={}'.format(username, config.container, config.dc1, config.dc2), changes=changeUACattribute)
I'm super new in development in general. I'm currently building a webapp that get data from Rally/CA Agile Central and put them in a neat table.
My code:
response = rally.get('UserStory', fetch = True, query=query_criteria)
response_defect = rally.get('Defect', fetch = True, query=query_criteria)
story_list = []
if not response.errors:
for story in response:
#print (story.details())
a_story={}
#a_story['State'] = story.State.Name #if story.State else "Backlog"
a_story['State']=story.BusOpsKanban if story.BusOpsKanban else "unassigned"
#a_story['Status']=Story.Status if story.Status else "unassigned"
a_story['id'] = story.FormattedID
a_story['name'] = story.Name
a_story['Opened']=(datetime.strptime(story.CreationDate, '%Y-%m-%dT%H:%M:%S.%fZ').strftime('%Y-%d-%b'))
a_story['Requester']= story.Owner.Name if story.Owner else "unassigned"
a_story['Blocked']= story.Blocked
a_story['Service']=story.c_ServiceNowID
My issue is to get access to the value of the linkid of my customfield (c_ServiceNowID).
When I run a Dict = I see that I have LinkID attributes but when I type
story.c_ServiceNowID.LinkID, I receive an error message telling me there is no such attributes.... How do I access this value using python ?
Thank you
According to the documentation at http://pyral.readthedocs.io/en/latest/overview.html#custom-fields, pyral allows you to reference the field without the c_ prefix
Most Artifact types in Rally can be augmented with custom fields. As of Rally WSAPI v2.0, the ElementName for a custom field is prefixed with ‘c_’. The pyral toolkit allows you to reference these fields without having to use the ‘c_’ prefix. For example, if your custom field has a DisplayName of ‘Burnt Offerings Index’ you can use the String of ‘BurntOfferingsIndex’ in a fetch clause or a query clause or refer to the field directly on an artifact as artifact.BurntOfferingsIndex.
I think what you have should work, unless the ServiceNowID is empty. In that case there will not be a LinkID or DisplayString available on the ServiceNowID object.
If you update your code to check to make sure the Attribute is there, does it work?
if hasattr(story.c_ServiceNowID, 'LinkID'):
a_story['Service']=story.c_ServiceNowID.DisplayString
a_story['Link']=story.c_ServiceNowID.LinkID
Can you tell me how I apply this patch to google app engine as in where to put it? Thank you
def _user_init(self, email=None, _auth_domain=None,
_user_id=None, federated_identity=None, federated_provider=None):
if not _auth_domain:
_auth_domain = os.environ.get('AUTH_DOMAIN')
assert _auth_domain
if email is None and federated_identity is None:
email = os.environ.get('USER_EMAIL', email)
_user_id = os.environ.get('USER_ID', _user_id)
federated_identity = os.environ.get('FEDERATED_IDENTITY',
federated_identity)
federated_provider = os.environ.get('FEDERATED_PROVIDER',
federated_provider)
if not email and not federated_identity:
raise UserNotFoundError
self.__email = email
self.__federated_identity = federated_identity
self.__federated_provider = federated_provider
self.__auth_domain = _auth_domain
self.__user_id = _user_id or None
users.User.__init__ = _user_init
Just use it as-is: Put that code in a module that gets imported before you use the relevant User module or datastore functionality. I included the relevant line to patch the code (the last line) with the patch itself.
Overriding the constructor like this is not safe. If the internal implementation of the Users API changes in production, your application could break without warning.
What are you trying to accomplish here? I don't see any custom logic; it looks like you've just copied the constructor from the SDK verbatim. If you need to add custom logic, try subclassing UserProperty and/or wrapping the users API calls instead.
I think, this belongs to some application as a grep within the appengine sdk, for 'federated_identity' does not result any clues. BTW, you should be doing the same. Grep (or WinGrep) for terms like 'federated' to see if this partial patch can be applied to any source.
Thanks for the updated link. The patch can be added to the file google/appengine/api/users.py
You might just need to add the last line: users.User.__init__ = _user_init
I could figure this out after checking the latest code in the svn.