[Checkins] SVN: Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/ Enabled masquerading for Masquerader role.
Tom Lazar
tom at tomster.org
Tue Mar 3 11:21:03 EST 2009
Log message for revision 97442:
Enabled masquerading for Masquerader role.
Changed:
U Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/PluggableAuthService.py
A Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/doc/masquerading.txt
U Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/tests/test_masquerading.py
-=-
Modified: Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/PluggableAuthService.py
===================================================================
--- Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/PluggableAuthService.py 2009-03-03 15:12:47 UTC (rev 97441)
+++ Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/PluggableAuthService.py 2009-03-03 16:21:03 UTC (rev 97442)
@@ -21,7 +21,6 @@
import sys
import re
import types
-import os
from ZPublisher import BeforeTraverse
@@ -737,7 +736,7 @@
security.declarePrivate( '_canMasquerade' )
def _canMasquerade( self, plugins, user_id, name=None, request=None ):
- """ Return True if masquerading is enabled and user_id has the Manager role.
+ """ Return True if masquerading is enabled and user_id has the Manager or Masquerader role.
"""
if not masquerading():
return False
@@ -750,7 +749,8 @@
roles = rolemaker.getRolesForPrincipal( user, request )
- if roles and 'Manager' in roles:
+ if roles and ('Manager' in roles or
+ 'Masquerader' in roles):
return True
return False
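Review bot: The widened check `if roles and ('Manager' in roles or 'Masquerader' in roles)` appears to look only at the authenticating user's roles, so as far as this hunk shows a Masquerader may assume any ROLEUSER, including one that holds Manager, which would make the new role equivalent to Manager in practice. If Masquerader is meant to be a lesser privilege, the target's roles need to be compared as well, refusing the switch when the target holds Manager and the authenticating user does not. The accepted roles would also be easier to audit as one module-level constant, `_MASQUERADER_ROLES = ('Manager', 'Masquerader')`, tested with `any(r in roles for r in _MASQUERADER_ROLES)`. `_canMasquerade` starts in the previous hunk and the loop around these lines is outside the hunk; no logging of a successful masquerade is visible here, and an audit record naming both AUTHUSER and ROLEUSER would be worth adding.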
Added: Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/doc/masquerading.txt
===================================================================
--- Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/doc/masquerading.txt (rev 0)
+++ Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/doc/masquerading.txt 2009-03-03 16:21:03 UTC (rev 97442)
@@ -0,0 +1,11 @@
+Masquerading
+============
+
+If the environment variable ``PAS_MASQUERADING`` is set to ``on``, masquerading
+is enabled.
+
+Then, logging in as AUTHUSER/ROLEUSER (e.g. 'admin/jdoe') authenticates against
+AUTHUSER but returns ROLEUSER. As a security precaution, AUTHUSER must have
+the Manager or the Masquerader role.
+
+Note: AUTHUSER and ROLEUSER must live in the same user folder.
Modified: Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/tests/test_masquerading.py
===================================================================
--- Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/tests/test_masquerading.py 2009-03-03 15:12:47 UTC (rev 97441)
+++ Products.PluggableAuthService/branches/shh-15-masquerading/Products/PluggableAuthService/tests/test_masquerading.py 2009-03-03 16:21:03 UTC (rev 97442)
@@ -57,9 +57,13 @@
def afterSetUp(self):
self.pas = self.folder.acl_users
- # Create a masquerading user
+ # Create a masquerading user (Manager)
self.pas.users.addUser('fred_id', 'fred', 'r0ck')
self.pas.roles.assignRoleToPrincipal('Manager', 'fred_id')
+ # Create a masquerading user (Masquerader)
+ self.pas.users.addUser('barney_id', 'barney', 'p4per')
+ self.pas.roles.addRole('Masquerader')
+ self.pas.roles.assignRoleToPrincipal('Masquerader', 'barney_id')
# Create a masqueraded user
self.pas.users.addUser('wilma_id', 'wilma', 'geheim')
self.pas.roles.assignRoleToPrincipal(pastc.user_role, 'wilma_id')
@@ -76,7 +80,7 @@
# Disable masquerading
masquerading(False)
- def test__extractUserIds(self):
+ def test__extractUserIds_Manager(self):
request = self.app.REQUEST
request._auth = 'Basic %s' % pastc.mkauth('fred/wilma', 'r0ck')
@@ -87,6 +91,17 @@
self.assertEqual(user_id, 'wilma_id')
self.assertEqual(info, 'wilma')
+ def test__extractUserIds_Masquerader(self):
+ request = self.app.REQUEST
+ request._auth = 'Basic %s' % pastc.mkauth('barney/wilma', 'p4per')
+
+ uids = self.pas._extractUserIds(request, self.pas.plugins)
+ self.assertEqual(len(uids), 1)
+
+ user_id, info = uids[0]
+ self.assertEqual(user_id, 'wilma_id')
+ self.assertEqual(info, 'wilma')
+
def test__extractUserIds_masquerading_disabled(self):
request = self.app.REQUEST
request._auth = 'Basic %s' % pastc.mkauth('fred/wilma', 'r0ck')
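Review bot: The added tests cover only the success path for the Masquerader role (`barney/wilma` in `test__extractUserIds_Masquerader` here and in `test_validate_Masquerader` in the last hunk). Nothing visible in these hunks asserts that a user holding neither Manager nor Masquerader is refused, or pins what happens when barney names fred, a Manager, as ROLEUSER. A case such as `request._auth = 'Basic %s' % pastc.mkauth('wilma/fred', 'geheim')` with an assertion that `fred_id` is not returned would lock the role gate in place; the exact expected value depends on code outside these hunks. The trailing `test__extractUserIds_masquerading_disabled` continues beyond the hunk.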
@@ -124,7 +139,7 @@
info = self.pas._verifyUser(self.pas.plugins, login='fred/betty')
self.assertEqual(info, None)
- def test_validate(self):
+ def test_validate_Manager(self):
# Rig the request so it looks like we traversed to doc
request = self.app.REQUEST
request['PUBLISHED'] = self.doc
@@ -144,6 +159,26 @@
self.assertEqual(user.getUserName(), 'wilma')
self.assertEqual(user.getRoles(), ['Authenticated', pastc.user_role])
+ def test_validate_Masquerader(self):
+ # Rig the request so it looks like we traversed to doc
+ request = self.app.REQUEST
+ request['PUBLISHED'] = self.doc
+ request['PARENTS'] = [self.folder, self.app]
+ request.steps = list(self.doc.getPhysicalPath())
+ request._auth = 'Basic %s' % pastc.mkauth('barney/wilma', 'p4per')
+
+ user = self.pas.validate(request)
+ self.failIfEqual(user, None)
+ self.assertEqual(user.getId(), 'wilma_id')
+ self.assertEqual(user.getUserName(), 'wilma')
+ self.assertEqual(user.getRoles(), ['Authenticated', pastc.user_role])
+
+ user = getSecurityManager().getUser()
+ self.failIfEqual(user, None)
+ self.assertEqual(user.getId(), 'wilma_id')
+ self.assertEqual(user.getUserName(), 'wilma')
+ self.assertEqual(user.getRoles(), ['Authenticated', pastc.user_role])
+
def test_validate_masquerading_disabled(self):
# Rig the request so it looks like we traversed to doc
request = self.app.REQUEST