![[at]](at.gif)
example![[dot]](dot.gif)
com
CFG_WEBSTYLE_EMAIL_ADDRESSES_OBFUSCATION_MODE = 2
## CFG_WEBSTYLE_INSPECT_TEMPLATES -- Do we want to debug all template
## functions so that they would return HTML results wrapped in
## comments indicating which part of HTML page was created by which
## template function? Useful only for debugging Pythonic HTML
## template. See WebStyle Admin Guide for more information.
CFG_WEBSTYLE_INSPECT_TEMPLATES = 0
## (deprecated) CFG_WEBSTYLE_CDSPAGEBOXLEFTTOP -- eventual global HTML
## left top box:
CFG_WEBSTYLE_CDSPAGEBOXLEFTTOP =
## (deprecated) CFG_WEBSTYLE_CDSPAGEBOXLEFTBOTTOM -- eventual global
## HTML left bottom box:
CFG_WEBSTYLE_CDSPAGEBOXLEFTBOTTOM =
## (deprecated) CFG_WEBSTYLE_CDSPAGEBOXRIGHTTOP -- eventual global
## HTML right top box:
CFG_WEBSTYLE_CDSPAGEBOXRIGHTTOP =
## (deprecated) CFG_WEBSTYLE_CDSPAGEBOXRIGHTBOTTOM -- eventual global
## HTML right bottom box:
CFG_WEBSTYLE_CDSPAGEBOXRIGHTBOTTOM =
## CFG_WEBSTYLE_HTTP_STATUS_ALERT_LIST -- when certain HTTP status
## codes are raised to the WSGI handler, the corresponding exceptions
## and error messages can be sent to the system administrator for
## inspecting. This is useful to detect and correct errors. The
## variable represents a comma-separated list of HTTP statuses that
## should alert admin. Wildcards are possible. If the status is
## followed by an "r", it means that a referer is required to exist
## (useful to distinguish broken known links from URL typos when 404
## errors are raised).
CFG_WEBSTYLE_HTTP_STATUS_ALERT_LIST = 404r,400,5*,41*
##################################
## Part 3: WebSearch parameters ##
##################################
## This section contains some configuration parameters for WebSearch
## module. Please note that WebSearch is mostly configured on
## run-time via its WebSearch Admin web interface. The parameters
## below are the ones that you do not probably want to modify very
## often during the runtime. (Note that you may modify them
## afterwards too, though.)
## CFG_WEBSEARCH_SEARCH_CACHE_SIZE -- how many queries we want to
## cache in memory per one Apache httpd process? This cache is used
## mainly for "next/previous page" functionality, but it caches also
## "popular" user queries if more than one user happen to search for
## the same thing. Note that large numbers may lead to great memory
## consumption. We recommend a value not greater than 100.
CFG_WEBSEARCH_SEARCH_CACHE_SIZE = 100
## CFG_WEBSEARCH_FIELDS_CONVERT -- if you migrate from an older
## system, you may want to map field codes of your old system (such as
## 'ti') to Invenio/MySQL ("title"). Use Python dictionary syntax
## for the translation table, e.g. {'wau':'author', 'wti':'title'}.
## Usually you don't want to do that, and you would use empty dict {}.
CFG_WEBSEARCH_FIELDS_CONVERT = {}
## CFG_WEBSEARCH_LIGHTSEARCH_PATTERN_BOX_WIDTH -- width of the
## search pattern window in the light search interface, in
## characters. CFG_WEBSEARCH_LIGHTSEARCH_PATTERN_BOX_WIDTH = 60
CFG_WEBSEARCH_LIGHTSEARCH_PATTERN_BOX_WIDTH = 60
## CFG_WEBSEARCH_SIMPLESEARCH_PATTERN_BOX_WIDTH -- width of the search
## pattern window in the simple search interface, in characters.
CFG_WEBSEARCH_SIMPLESEARCH_PATTERN_BOX_WIDTH = 40
## CFG_WEBSEARCH_ADVANCEDSEARCH_PATTERN_BOX_WIDTH -- width of the
## search pattern window in the advanced search interface, in
## characters.
CFG_WEBSEARCH_ADVANCEDSEARCH_PATTERN_BOX_WIDTH = 30
## CFG_WEBSEARCH_NB_RECORDS_TO_SORT -- how many records do we still
## want to sort? For higher numbers we print only a warning and won't
## perform any sorting other than default 'latest records first', as
## sorting would be very time consuming then. We recommend a value of
## not more than a couple of thousands.
CFG_WEBSEARCH_NB_RECORDS_TO_SORT = 1000
## CFG_WEBSEARCH_CALL_BIBFORMAT -- if a record is being displayed but
## it was not preformatted in the "HTML brief" format, do we want to
## call BibFormatting on the fly? Put "1" for "yes" and "0" for "no".
## Note that "1" will display the record exactly as if it were fully
## preformatted, but it may be slow due to on-the-fly processing; "0"
## will display a default format very fast, but it may not have all
## the fields as in the fully preformatted HTML brief format. Note
## also that this option is active only for old (PHP) formats; the new
## (Python) formats are called on the fly by default anyway, since
## they are much faster. When usure, please set "0" here.
CFG_WEBSEARCH_CALL_BIBFORMAT = 0
## CFG_WEBSEARCH_USE_ALEPH_SYSNOS -- do we want to make old SYSNOs
## visible rather than MySQL's record IDs? You may use this if you
## migrate from a different e-doc system, and you store your old
## system numbers into 970__a. Put "1" for "yes" and "0" for
## "no". Usually you don't want to do that, though.
CFG_WEBSEARCH_USE_ALEPH_SYSNOS = 0
## CFG_WEBSEARCH_I18N_LATEST_ADDITIONS -- Put "1" if you want the
## "Latest Additions" in the web collection pages to show
## internationalized records. Useful only if your brief BibFormat
## templates contains internationalized strings. Otherwise put "0" in
## order not to slow down the creation of latest additions by WebColl.
CFG_WEBSEARCH_I18N_LATEST_ADDITIONS = 0
## CFG_WEBSEARCH_INSTANT_BROWSE -- the number of records to display
## under 'Latest Additions' in the web collection pages.
CFG_WEBSEARCH_INSTANT_BROWSE = 10
## CFG_WEBSEARCH_INSTANT_BROWSE_RSS -- the number of records to
## display in the RSS feed.
CFG_WEBSEARCH_INSTANT_BROWSE_RSS = 25
## CFG_WEBSEARCH_RSS_I18N_COLLECTIONS -- comma-separated list of
## collections that feature an internationalized RSS feed on their
## main seach interface page created by webcoll. Other collections
## will have RSS feed using CFG_SITE_LANG.
CFG_WEBSEARCH_RSS_I18N_COLLECTIONS =
## CFG_WEBSEARCH_RSS_TTL -- number of minutes that indicates how long
## a feed cache is valid.
CFG_WEBSEARCH_RSS_TTL = 360
## CFG_WEBSEARCH_RSS_MAX_CACHED_REQUESTS -- maximum number of request kept
## in cache. If the cache is filled, following request are not cached.
CFG_WEBSEARCH_RSS_MAX_CACHED_REQUESTS = 1000
## CFG_WEBSEARCH_AUTHOR_ET_AL_THRESHOLD -- up to how many author names
## to print explicitely; for more print "et al". Note that this is
## used in default formatting that is seldomly used, as usually
## BibFormat defines all the format. The value below is only used
## when BibFormat fails, for example.
CFG_WEBSEARCH_AUTHOR_ET_AL_THRESHOLD = 3
## CFG_WEBSEARCH_NARROW_SEARCH_SHOW_GRANDSONS -- whether to show or
## not collection grandsons in Narrow Search boxes (sons are shown by
## default, grandsons are configurable here). Use 0 for no and 1 for
## yes.
CFG_WEBSEARCH_NARROW_SEARCH_SHOW_GRANDSONS = 1
## CFG_WEBSEARCH_CREATE_SIMILARLY_NAMED_AUTHORS_LINK_BOX -- shall we
## create help links for Ellis, Nick or Ellis, Nicholas and friends
## when Ellis, N was searched for? Useful if you have one author
## stored in the database under several name formats, namely surname
## comma firstname and surname comma initial cataloging policy. Use 0
## for no and 1 for yes.
CFG_WEBSEARCH_CREATE_SIMILARLY_NAMED_AUTHORS_LINK_BOX = 1
## CFG_WEBSEARCH_USE_JSMATH_FOR_FORMATS -- jsMath is a JavaScript
## library that renders (La)TeX mathematical formulas in the client
## browser. This parameter must contain a comma-separated list of
## output formats for which to apply the jsMath rendering, for example
## "hb,hd". If the list is empty, jsMath is disabled.
CFG_WEBSEARCH_USE_JSMATH_FOR_FORMATS =
## CFG_WEBSEARCH_EXTERNAL_COLLECTION_SEARCH_TIMEOUT -- when searching
## external collections (e.g. SPIRES, CiteSeer, etc), how many seconds
## do we wait for reply before abandonning?
CFG_WEBSEARCH_EXTERNAL_COLLECTION_SEARCH_TIMEOUT = 5
## CFG_WEBSEARCH_EXTERNAL_COLLECTION_SEARCH_MAXRESULTS -- how many
## results do we fetch?
CFG_WEBSEARCH_EXTERNAL_COLLECTION_SEARCH_MAXRESULTS = 10
## CFG_WEBSEARCH_SPLIT_BY_COLLECTION -- do we want to split the search
## results by collection or not? Use 0 for not, 1 for yes.
CFG_WEBSEARCH_SPLIT_BY_COLLECTION = 1
## CFG_WEBSEARCH_DEF_RECORDS_IN_GROUPS -- the default number of
## records to display per page in the search results pages.
CFG_WEBSEARCH_DEF_RECORDS_IN_GROUPS = 10
## CFG_WEBSEARCH_MAX_RECORDS_IN_GROUPS -- in order to limit denial of
## service attacks the total number of records per group displayed as a
## result of a search query will be limited to this number. Only the superuser
## queries will not be affected by this limit.
CFG_WEBSEARCH_MAX_RECORDS_IN_GROUPS = 200
## CFG_WEBSEARCH_PERMITTED_RESTRICTED_COLLECTIONS_LEVEL -- logged in users
## might have rights to access some restricted collections. This variable
## tweaks the kind of support the system will automatically provide to the
## user with respect to searching into these restricted collections.
## Set this to 0 in order to have the user to explicitly activate restricted
## collections in order to search into them. Set this to 1 in order to
## propose to the user the list of restricted collections to which he/she has
## rights (note: this is not yet implemented). Set this to 2 in order to
## silently add all the restricted collections to which the user has rights to
## to any query.
## Note: the system will discover which restricted collections a user has
## rights to, at login time. The time complexity of this procedure is
## proportional to the number of restricted collections. E.g. for a system
## with ~50 restricted collections, you might expect ~1s of delay in the
## login time, when this variable is set to a value higher than 0.
CFG_WEBSEARCH_PERMITTED_RESTRICTED_COLLECTIONS_LEVEL = 0
## CFG_WEBSEARCH_SHOW_COMMENT_COUNT -- do we want to show the 'N comments'
## links on the search engine pages? (useful only when you have allowed
## commenting)
CFG_WEBSEARCH_SHOW_COMMENT_COUNT = 1
## CFG_WEBSEARCH_SHOW_REVIEW_COUNT -- do we want to show the 'N reviews'
## links on the search engine pages? (useful only when you have allowed
## reviewing)
CFG_WEBSEARCH_SHOW_REVIEW_COUNT = 1
## CFG_WEBSEARCH_FULLTEXT_SNIPPETS -- how many full-text snippets to
## display for full-text searches?
CFG_WEBSEARCH_FULLTEXT_SNIPPETS = 0
## CFG_WEBSEARCH_FULLTEXT_SNIPPETS_WORDS -- how many context words
## to display around the pattern in the snippet?
CFG_WEBSEARCH_FULLTEXT_SNIPPETS_WORDS = 4
#######################################
## Part 4: BibHarvest OAI parameters ##
#######################################
## This part defines parameters for the Invenio OAI gateway.
## Useful if you are running Invenio as OAI data provider.
## CFG_OAI_ID_FIELD -- OAI identifier MARC field:
CFG_OAI_ID_FIELD = 909COo
## CFG_OAI_SET_FIELD -- OAI set MARC field:
CFG_OAI_SET_FIELD = 909COp
## CFG_OAI_DELETED_POLICY -- OAI deletedrecordspolicy
## (no/transient/persistent).
CFG_OAI_DELETED_POLICY = no
## CFG_OAI_ID_PREFIX -- OAI identifier prefix:
CFG_OAI_ID_PREFIX = atlantis.cern.ch
## CFG_OAI_SAMPLE_IDENTIFIER -- OAI sample identifier:
CFG_OAI_SAMPLE_IDENTIFIER = oai:atlantis.cern.ch:CERN-TH-4036
## CFG_OAI_IDENTIFY_DESCRIPTION -- description for the OAI Identify verb:
CFG_OAI_IDENTIFY_DESCRIPTION = Found preformatted output for record %i (cache updated on %s). """ % (recID, last_updated) decompress = zlib.decompress return "%s" % decompress(res[0][0]) else: # record 'recID' is not formatted in 'of', # so try to call BibFormat on the fly or use default format: if verbose == 9: out += """\n
Formatting record %i on-the-fly with old BibFormat.
""" % recID # Retrieve MARCXML # Build it on-the-fly only if 'call_old_bibformat' was called # with format=xm and on_the_fly=True xm_record = record_get_xml(recID, 'xm', on_the_fly=(on_the_fly and of == 'xm')) ## import platform ## # Some problem have been found using either popen() or os.system(). ## # Here is a temporary workaround until the issue is solved. ## if platform.python_compiler().find('Red Hat') > -1: ## # use os.system (result_code, result_path) = tempfile.mkstemp() command = "( %s/bibformat otype=%s ) > %s" % \ (CFG_BINDIR, of, result_path) (xm_code, xm_path) = tempfile.mkstemp() xm_file = open(xm_path, "w") xm_file.write(xm_record) xm_file.close() command = command + " <" + xm_path os.system(command) result_file = open(result_path,"r") bibformat_output = result_file.read() result_file.close() os.close(result_code) os.remove(result_path) os.close(xm_code) os.remove(xm_path) ## else: ## # use popen ## pipe_input, pipe_output, pipe_error = os.popen3(["%s/bibformat" % CFG_BINDIR, ## "otype=%s" % format], ## 'rw') ## pipe_input.write(xm_record) ## pipe_input.flush() ## pipe_input.close() ## bibformat_output = pipe_output.read() ## pipe_output.close() ## pipe_error.close() if bibformat_output.startswith("
Using %s template for record %i. """ % (template, recID) ############### FIXME: REMOVE WHEN MIGRATION IS DONE ############### path = "%s%s%s" % (CFG_BIBFORMAT_TEMPLATES_PATH, os.sep, template) if template is None or not os.access(path, os.R_OK): # template not found in new BibFormat. Call old one if verbose == 9: if template is None: out += """\n
No template found for output format %s and record %i. (Check invenio.err log file for more details) """ % (of, recID) else: out += """\n
Template %s could not be read. """ % (template) if CFG_PATH_PHP: if verbose == 9: out += """\n
Using old BibFormat for record %s. """ % recID return out + call_old_bibformat(recID, of=of, on_the_fly=True, verbose=verbose) ############################# END ################################## error = get_msgs_for_code_list([("ERR_BIBFORMAT_NO_TEMPLATE_FOUND", of)], stream='error', ln=CFG_SITE_LANG) errors_.append(error) if verbose == 0: register_errors(error, 'error') elif verbose > 5: return out + error[0][1] return out # Format with template (out_, errors) = format_with_format_template(template, bfo, verbose) errors_.extend(errors) out += out_ return out def decide_format_template(bfo, of): """ Returns the format template name that should be used for formatting given output format and BibFormatObject. Look at of rules, and take the first matching one. If no rule matches, returns None To match we ignore lettercase and spaces before and after value of rule and value of record @param bfo: a BibFormatObject @param of: the code of the output format to use """ output_format = get_output_format(of) for rule in output_format['rules']: if rule['field'].startswith('00'): # Rule uses controlfield value = bfo.control_field(rule['field']).strip() #Remove spaces else: # Rule uses datafield value = bfo.field(rule['field']).strip() #Remove spaces pattern = rule['value'].strip() #Remove spaces match_obj = re.match(pattern, value, re.IGNORECASE) if match_obj is not None and \ match_obj.start() == 0 and match_obj.end() == len(value): return rule['template'] template = output_format['default'] if template != '': return template else: return None def format_with_format_template(format_template_filename, bfo, verbose=0, format_template_code=None): """ Format a record given a format template. Also returns errors Returns a formatted version of the record represented by bfo, in the language specified in bfo, and with the specified format template. If format_template_code is provided, the template will not be loaded from format_template_filename (but format_template_filename will still be used to determine if bft or xsl transformation applies). This allows to preview format code without having to save file on disk. @param format_template_filename: the dilename of a format template @param bfo: the object containing parameters for the current formatting @param format_template_code: if not empty, use code as template instead of reading format_template_filename (used for previews) @param verbose: the level of verbosity from 0 to 9 (O: silent, 5: errors, 7: errors and warnings, 9: errors and warnings, stop if error (debug mode )) @return: tuple (formatted text, errors) """ _ = gettext_set_language(bfo.lang) def translate(match): """ Translate matching values """ word = match.group("word") translated_word = _(word) return translated_word errors_ = [] if format_template_code is not None: format_content = str(format_template_code) else: format_content = get_format_template(format_template_filename)['code'] if format_template_filename is None or \ format_template_filename.endswith("."+CFG_BIBFORMAT_FORMAT_TEMPLATE_EXTENSION): # .bft filtered_format = filter_languages(format_content, bfo.lang) localized_format = translation_pattern.sub(translate, filtered_format) (evaluated_format, errors) = eval_format_template_elements(localized_format, bfo, verbose) errors_ = errors else: #.xsl # Fetch MARCXML. On-the-fly xm if we are now formatting in xm xml_record = '\n' + \ record_get_xml(bfo.recID, 'xm', on_the_fly=False) # Transform MARCXML using stylesheet evaluated_format = format(xml_record, template_source=format_content) return (evaluated_format, errors_) def eval_format_template_elements(format_template, bfo, verbose=0): """ Evalutes the format elements of the given template and replace each element with its value. Also returns errors. Prepare the format template content so that we can directly replace the marc code by their value. This implies: 1) Look for special tags 2) replace special tags by their evaluation @param format_template: the format template code @param bfo: the object containing parameters for the current formatting @param verbose: the level of verbosity from 0 to 9 (O: silent, 5: errors, 7: errors and warnings, 9: errors and warnings, stop if error (debug mode )) @return: tuple (result, errors) """ errors_ = [] # First define insert_element_code(match), used in re.sub() function def insert_element_code(match): """ Analyses 'match', interpret the corresponding code, and return the result of the evaluation. Called by substitution in 'eval_format_template_elements(...)' @param match: a match object corresponding to the special tag that must be interpreted """ function_name = match.group("function_name") try: format_element = get_format_element(function_name, verbose) except Exception, e: if verbose >= 5: return '' + \ cgi.escape(str(e)).replace('\n', '
') + \ '' if format_element is None: error = get_msgs_for_code_list([("ERR_BIBFORMAT_CANNOT_RESOLVE_ELEMENT_NAME", function_name)], stream='error', ln=CFG_SITE_LANG) errors_.append(error) if verbose >= 5: return '' + \ error[0][1]+'' else: params = {} # Look for function parameters given in format template code all_params = match.group('params') if all_params is not None: function_params_iterator = pattern_function_params.finditer(all_params) for param_match in function_params_iterator: name = param_match.group('param') value = param_match.group('value') params[name] = value # Evaluate element with params and return (Do not return errors) (result, errors) = eval_format_element(format_element, bfo, params, verbose) errors_.append(errors) return result # Substitute special tags in the format by our own text. # Special tags have the form
) 3 - Mix of mode 1 and 2. If value of field starts with , then use mode 2. Else use mode 1. 4 - Remove all HTML tags 5 - Same as 2, with more tags allowed (like
) 3 - Mix of mode 1 and 2. If value of field starts with , then use mode 2. Else use mode 1. 4 - Remove all HTML tags 5 - Same as 2, with more tags allowed (like
) Escaped tags are removed. - mode 3: mix of mode 1 and mode 2. If field_value starts with , then use mode 2. Else use mode 1. - mode 4: escaping all HTML/XML tags (escaped tags are removed) - mode 5: same as 2, but allows more tags, like
Contents
1. Introduction, using roles2. WebAccess admin interface
3. Example pages, illustrating snapshots
4. Managing accounts / Access policy
5. Managing login methods
6. Firewall-like role definitions
1. INTRODUCTION, USING ROLES
WebAccess is a common RBAC, role based access control, for all of Invenio. This means that users are connected to roles that cover different areas of access. I.e administrator of the photo collection or system librarian. Users can be active in different areas and of course connected to as many roles as needed. The roles are connected to actions. An action identifies a task you can perform in Invenio. It can be defined to take any number of arguments in order to more clearly describe what you are allowing connected users to do. For example the system librarian can be allowed to run bibindex on the different indexes. To allow system librarians to run the bibindex indexing on the field author we connect role system librarian with action runbibindex using the argument index='author'. Additionally, roles could have firewall-like role definitions. A definition is a formal description of which users are entitled to belong to the role. So you have two ways for connecting users to roles. Either linking explicitly a user with the role or describing the characteristics that makes users belong to the role. WebAccess is based on allowing users to perform actions. This means that only allowed actions are stored in the access control engine's database.
2. WEBACCESS ADMIN INTERFACE
All the WebAccess Administration web pages have certain features/design choices in common - Divided into steps The process of adding new authorizations/information is stepwise. The subtitle contains information about wich step you are on and what you are supposed to do. - Restart from any wanted step You can always start from an earlier step by simply clicking the wanted button. This is not a way to undo changes! No information about previous database is kept, so all changes are definite. - Change or new entry must confirmed On all the pages you will be asked to confirm the change, with information about what kind of change you are about to perform. - Links to other relevant admin areas on the right side To make it easier to perform your administration tasks, we have added a menu area on the right hand side of these pages. The menu contain links to other relevant admin pages and change according to the page you are on and the information you have selected.
3. EXAMPLE PAGES
I. Role area II. Example - connecting role and user I. Role area Administration tasks starts in one of the administration areas. The role area is the main area from where you can perform all your managing tasks. The other admin areas are just other ways of entering.
| Home > Admin Area > WebAccess Admin > Manage WebAccess > Role Administration |
Role Administration
| administration with roles as access point | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
|||||||||||||||||||||||||||||||||||
II. Example - connecting role and user One of the important tasks that can be handled via the WebAccess Admin Web Interface is the delegation of access rights to users. This is done by connecting them to the different roles offered. The task is divided into 5 simple and comprehensive steps. Below follows the pages from the different steps with comments on the ongoing procedure. - step 1 - select a role You must first select the role you want to connect users to. All the available roles are listed alfabetically in a select box. Just find the wanted role and select it. Then click on the button saying "select role". If you start from the Role Area, this step is already done, and you start directly on step 2.
| Home > Admin Area > WebAccess Admin > Manage WebAccess > Role Administration > Connect user to role |
Connect user to role
|
|||||
- step 2 - search for users As you can see, the subtitle of the page has now changed. The subtitle always tells you which step you are on and what your current task is. There can be possibly thousands of users using your online library, therefore it is important to make it easier to identify the user you are looking for. Give part of, or the entire search string and all users with partly matching e-mails will be listed on the next step. You can also see that the right hand menu has changed. This area is always updated with links to related admin areas.
| Home > Admin Area > WebAccess Admin > Manage WebAccess > Role Administration > Connect user to role |
Connect user to role
|
|||||
- step 3 - select a user. The select box contains all users with partly matching e-mail addresses. Select the one you want to connect to the role and continue. Notice the navigation trail that tells you were on the Administrator pages you are currently working.
| Home > Admin Area > WebAccess Admin > Manage WebAccess > Role Administration > Connect user to role |
Connect user to role
|
|||||
- step 4 - confirm to add user All WebAccess Administrator web pages display the action you are about to peform, this means explaining what kind of addition, change or update will be done to your access control data. If you are happy with your decision, simply confirm it.
| Home > Admin Area > WebAccess Admin > Manage WebAccess > Role Administration > Connect user to role |
Connect user to role
|
|||||
- step 5 - confirm user added. The user has now been added to this role. You can easily continue adding more users to this role be restarting from step 2 or 3. You can also go directly to another area and keep working on the same role.
| Home > Admin Area > WebAccess Admin > Manage WebAccess > Role Administration > Connect user to role |
Connect user to role
|
|||||
- we are done This example is very similar to all the other pages where you administrate WebAccess. The pages are an easy gateway to maintaing access control rights and share a lot of features. - divided into steps - restart from any wanted step (not undo) - changes must be confirmed - link to other relevant areas - prevent unwanted input As an administrator with access to these pages you are free to manage the rights any way you want.
IV. Managing accounts and access policy
Here you can administrate the accounts and the access policy for your Invenio installation.
- Access policy:
To change the access policy, the general config file (or
access_control_config.py) must be edited manually in a text
editor. The site can there be defined as opened or closed, you can
edit the access policy level for guest accounts, registered
accounts and decide when to warn the owner of the account when
something happens with it, either when it is created, deleted or
approved. The Apache server must be restarted after modifying
these settings.
The two levels for guest account, are:
0 - Allow guest accounts
1 - Do not allow guest accounts
The five levels for normal accounts, are:
0 - Allow user to create account, automatically activate new accounts
1 - Allow user to create account, administrator must activate account
2 - Only administrators can create account. User cannot edit the email address.
3 - Users cannot register or update account information (email/password)
4 - User cannot change default login method
You can configure Invenio to send an email:
1. To an admin email-address when an account is created
2. To the owner of an account when it is created
3. To the owner of an account when it is activated
4. To the owner of an account when it is deleted
Define how open the site is:
0 = normal operation of the site
1 = read-only site, all write operations temporarily closed
2 = site fully closed
3 = database connections disabled
CFG_ACCESS_CONTROL_LEVEL_SITE = 0
Access policy for guests:
0 = Allow guests to search,
1 = Guests cannot search (all users must login)
CFG_ACCESS_CONTROL_LEVEL_GUESTS = 0
Access policy for accounts:
0 = Users can register, automatically acticate accounts
1 = Users can register, but admin must activate the accounts
2 = Users cannot register or change email address, only admin can register accounts.
3 = Users cannot register or update email address or password, only admin can register accounts.
4 = Same as 3, but user cannot change login method.
CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS = 0
Limit email addresses available to use when register a new account (example: cern.ch):
CFG_ACCESS_CONTROL_LIMIT_REGISTRATION_TO_DOMAIN = ""
Send an email when a new account is created by an user:
CFG_ACCESS_CONTROL_NOTIFY_ADMIN_ABOUT_NEW_ACCOUNTS = 0
Send an email to the user notifying when the account is created:
CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT = 0
Send an email to the user notifying when the account is activated:
CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_ACTIVATION = 0
Send an email to the user notifying when the account is deleted/rejected:
CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_DELETION = 0
- Account overview:
Here you find an overview of the number of guest accounts, registered accounts and accounts
awaiting activation, with a link to the activation page.
- Create account:
For creating new accounts, the email address must be unique. If configured to do so, an email
will be sent to the given address when an account is created.
- Edit accounts:
For activating or rejecting accounts in addition to modifying them. An activated account can be
inactivated for a short period of time, but this will not warn the account owner. To find accounts
enter a part of the email address of the account and then search. This may take some time. If there
are more than the selected number of accounts per page, you can use the next/prev links to switch
pages. The accounts to search in can also be limited to only activated or not activated accounts.
- Edit account:
When editing one account, you can change the email address, password, delete the account, or modify
the baskets or alerts belonging to one account. Which login method should be the default for this
account can also be selected. To modify baskets or alerts, you need to login as the user, and
modify the desired data as a normal user. Remember to log out as the user when you are finished
editing.
V. Managing login methods
Invenio supports using external login systems to authenticate users.
When a user wants to login, the username and password given by the user is checked against the selected
system, if the user is authenticated by the external system, a valid email-address is returned to
Invenio and used to recognize the user within Invenio.
If a new user is trying to login without having an account, using an external login system, an account
is automatically created in Invenio to recognize and store the users settings. The password for the
local account is randomly generated.
If you want the user to be unable to change login method and account username / password, forcing use
of certain external systems, set CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS to 4 as mentioned in the last paragraph.
If a user is changing login method from an external one to the internal, he also need to either change the
password before logging out, or set the password via the lost password email service.
If you are using CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS with a value greater than 1 note
that, even if the first login of a user through an external authentication technically means registering
the user into the system, this is not the semantic expected behaviour by the user. The user is already
registered at an authority that we trust, so there's no need to prevent the user from being imported
into the system. That's why for external authentication CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS is not
considered apart from what said above.
If a external login system is used, you may want to protect the users username / password using HTTPS.
To add new system, two changes must be made (for the time being):
- - The name of the method, if it is default or not, and the classname must be added to the variable
- CFG_EXTERNAL_AUTHENTICATION in access_control_config.py. Atleast one method must be marked as the
- default one. The internal login method should be given with None as classname.
-
- Example:
- CFG_EXTERNAL_AUTHENTICATION = {"%s (internal)" % CFG_SITE_NAME: (None, True), "CERN NICE (external)":
- (AuthCernWrapper(), False)}
+ - The name of the method, if it is default or not, and an instance of the class must be added to the variable
+ CFG_EXTERNAL_AUTHENTICATION in access_control_config.py.
- A class must be created derived from the class external_authentication inside file
external_authentication.py. This class must include at least the
function auth_user. This function returns a valid email-address in Invenio if the user
is authenticated, not necessarily the same entered by the user as username. If the user
is not authenticated, return None.
The class could also provide five more methods: fetch_user_preferences, user_exists,
fetch_user_groups_membership and fetch_all_users_groups_membership.
The first should take an email and eventually a password and should return a dictionary of keys
and value representing external preferences, infos or settings. If, for some reasons, you like
to force some kind of hiding for some particular field you should export the related key
prefixed by "HIDDEN_". Those fields won't be displayed in tables and pages regarding external
settings.
The second method should check through the external system if a particular email exists. If you
provide such a method then a user will be able to switch from and to this authorization method.
The third method should take an email and (if necessary) a password
and should return a dictionary of external_groups_names toghether with their description, for which
the user has a membership. Those groups will be merged into the groups system.
The user will be a member of those groups and will be able to use them in any place
where groups are useful, but won't be able to unsubscribe or to administrate them.
The fourth method should just return a dictionary of external groups as keys and tuples containing
a group description and a list of email of users belonging to each groups. Those memberships
will be merged into the database in the way done by the previous method, but could
provide batch synchronization of groups.
The fifth method should just return the nickname as is known by the external authentication
system, given the usual email/username and the password.
Note: if your system has more than one external login methods then incoherence in the groups
memberships could happen when a user switch his login method. This will be fixed some times in the
future.
If you add as an attribute of your class the enforce_external_nicknames and set it to True, this will enforce
the system to import external nicknames whenever the user login with the external login method for the
first time. Since a nickname is not changable this will stay fixed forever. If this nickname is
already registered in the system (suppose that is linked with a local account) then it will not be
imported. If this variable doesn't exist or is set to False then no nickname will be
imported and the user will be free to choose a nickname in the future (and then this will again
stay forever).
Note: every method will receive as last parameter the mod_python request object, that could
be used for particular purposes.
Example template:
from invenio.external_authentication import ExternalAuth, InvenioWebAccessExternalAuthError
class ExternalAuthFoo(ExternalAuth):
"""External authentication template example."""
def __init__ (self):
"""Initialize stuff here."""
self.name = None
self.enforce_external_nicknames = False
pass
def auth_user(self, username, password, req=None):
"""Authenticate user-supplied USERNAME and PASSWORD.
Return None if authentication failed, or the email address of the
person if the authentication was successful. In order to do
this you may perhaps have to keep a translation table between
usernames and email addresses.
Raise InvenioWebAccessExternalAuthError in case of external troubles.
"""
raise NotImplementedError
#return None
def user_exists(self, email, req=None):
"""Checks against external_authentication for existance of email.
@return True if the user exists, False otherwise
"""
raise NotImplementedError
def fetch_user_groups_membership(self, username, password=None, req=None):
"""Given a username, returns a dictionary of groups
and their description to which the user is subscribed.
Raise InvenioWebAccessExternalAuthError in case of troubles.
"""
raise NotImplementedError
#return {}
def fetch_user_preferences(self, username, password=None, req=None):
"""Given a username and a password, returns a dictionary of keys and
values, corresponding to external infos and settings.
userprefs = {"telephone": "2392489",
"address": "10th Downing Street"}
"""
raise NotImplementedError
#return {}
def fetch_all_users_groups_membership(self, req=None):
"""Fetch all the groups with a description, and users who belong to
each groups.
@return {'mygroup': ('description', ['email1', 'email2', ...]), ...}
"""
raise NotImplementedError
def fetch_user_nickname(self, username, password, req=None):
"""Given a username and a password, returns the right nickname belonging
to that user (username could be an email).
"""
raise NotImplementedError
#return Nickname
VI. FIREWALL-LIKE ROLE DEFINITIONS
The FireRole language description
In the WebAccess RBAC system, roles are built up from their names,
description and definition.
A definition is the way to formally implicitly define which users belong
to which roles.
A definition is expressed in a firewall like rules language. It's built up
by rows which are matched from top to bottom, in order to decide if the
current user (wethever he/she is logged in or not) may belong to a role.
Any row has this syntax:
ALLOW/DENY ANY/ALL
or
ALLOW/DENY FROM/UNTIL "YYYY-MM-DD"
ALLOW/DENY [NOT] field {one or more values}
The rows are parsed from top to bottom. If a row matches the user than the
user belongs to the role if the rule is an ALLOW rule, otherwise, if the
rule is a DENY one, the user doesn't belong to the role.
A rule of the kind ALLOW|DENY ANY always matches, regardless of the user.
Note, in place of ANY you can use the word ALL. The semantic is the same. The
system support both to let the user comply with the English grammar.
The second type of rule is interpreted as follows: given a date in the
form "YYYY-MM-DD" (double-)quoted), the rule is matched if, when using FROM,
the current date is either identical or 'bigger' than the given date, or if,
when using UNTIL, the current date is either identical or 'smaller' than the
given date. If the rule starts with ALLOW and is matched
then the next row is evaluated. If it is not matched, then the whole FireRole
will evaluate into a DENY ALL. If the rule starts with DENY and
is matched then the whole FireRole while evaluate as a DENY ALL. If it is
not matched then the next row is evaluated.
The third type of rule is interpreted as follows: given a dictionary
of keys:values describing a user (we will cover this below), the rule
considers the value associated with the key named in field, and checks
if it corresponds to at least one of the values in the "one or more values" list.
This is a list of comma separated strings, which can be literal
(double-)quoted strings or regexps (marked by `/' ... `/' signs). If at
least a value matches (literally or through the regexp language), the
whole rule is considered to match.
If the optional NOT keyword is specified than if at least a value of the
rule matches the rule is skipped, otherwise if all the value of the rules
don't match the whole rule matches.
A DENY ALL rule is implicitly added at the end of every definition. Note that
this imply that, if you are using e.g. a temporal rule (FROM/UNTIL), you
should explicitly add an additional row with value ALLOW ANY,
if you actually want to allow users in the specified timeframe.
Any field is valid, but only rules concerning fields which currently
exist in the user describing dictionary are checked. All the rules
with non existant fields are skipped.
The user describing dictionary (user_info) is built at runtime with all the informations
that can be gathered about the current user (and its session).
- Currently valid fields are: uid, email, nickname, apache_user, remote_ip,
- remote_host, groups, apache_groups and all the external settings provided
+ Currently valid fields are: uid, email, nickname, remote_ip,
+ remote_host, groups and all the external settings provided
by the external authentication systems (e.g. CERN SSO provides:
external_authmethod, external_building, external_department, external_email,
external_external, external_firstname, external_fullname, external_homdir,
external_homeinstitute, external_lastname, external_login, external_mobilenumber,
external_phonenumber).
Among those fields there are some special cases, which are remote_ip and
(apache_)groups. Rules can refer to remote_ip either using a literal
expression for specifing list of single ips, or a usual regexp (or list
of regexps), or, also, using the common network group/mask notation
(e.g. "127.0.0.0/24") as a literal string, which is a mix between literal
expressions and regexps. (apache_)groups are related to group memberships.
Since a user will probably belong to more than a group, then the rule
matches if there's at least one group to which the user belong, that matches
at least one of the expressions (NOT rules behave as you can imagine).
The dictionary is built using the current user session. If the user is
authenticated in some way (apache, locally, externally, SSO...) then more
infos could be provided to the firerole system in order to decide if the
user should belong to a role or not.
The default fields that are always there are:
- uid: an integer representing the user id
- nickname: the nickname of the user
- email: the email of the user
- group/groups: local or external group to which the user belong
- guest: 1 if the user is a guest (not logged), 0 otherwise
- remote_ip: the remote ip address of the user who is browsing
- remote_host: the remote hostname of the user who is browsing
- referer: the webpage from where the user is coming from
- uri: the uri the user is visiting
- agent: the agent string describing the user's browser -
- apache_user: the Apache user provided by the authenticated user -
- apache_group/apache_groups: the Apache groups to which the apache user - belong
If you think this is not correct, please contact: %s' % (CFG_SITE_SUPPORT_EMAIL, CFG_SITE_SUPPORT_EMAIL), 2: '
If you have any questions, please write to %s' % (CFG_SITE_SUPPORT_EMAIL, CFG_SITE_SUPPORT_EMAIL), 3: 'Guest users are not allowed, please login.' % CFG_SITE_SECURE_URL, 4: 'The site is temporarily closed for maintenance. Please come back soon.', 5: 'Authorization failure', 6: '%s temporarily closed' % CFG_SITE_NAME, 7: 'This functionality is temporarily closed due to server maintenance. Please use only the search engine in the meantime.', 8: 'Functionality temporarily closed' } CFG_WEBACCESS_WARNING_MSGS = { 0: 'Authorization granted', 1: 'You are not authorized to perform this action.', 2: 'You are not authorized to perform any action.', 3: 'The action %s does not exist.', 4: 'Unexpected error occurred.', 5: 'Missing mandatory keyword argument(s) for this action.', 6: 'Guest accounts are not authorized to perform this action.', 7: 'Not enough arguments, user ID and action name required.', 8: 'Incorrect keyword argument(s) for this action.', 9: """Account '%s' is not yet activated.""", 10: """You were not authorized by the authentication method '%s'.""", 11: """The selected login method '%s' is not the default method for this account, please try another one.""", 12: """Selected login method '%s' does not exist.""", 13: """Could not register '%s' account.""", 14: """Could not login using '%s', because this user is unknown.""", 15: """Could not login using your '%s' account, because you have introduced a wrong password.""", 16: """External authentication troubles using '%s' (maybe temporary network problems).""", 17: """You have not yet confirmed the email address for the '%s' authentication method.""", 18: """The administrator has not yet activated your account for the '%s' authentication method.""", 19: """The site is having troubles in sending you an email for confirming your email address. The error has been logged and will be taken care of as soon as possible.""", 20: """No roles are authorized to perform action %s with the given parameters.""" } diff --git a/modules/webaccess/lib/access_control_engine.py b/modules/webaccess/lib/access_control_engine.py index 356962c49..ea5dc625f 100644 --- a/modules/webaccess/lib/access_control_engine.py +++ b/modules/webaccess/lib/access_control_engine.py @@ -1,148 +1,90 @@ ## This file is part of Invenio. ## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 CERN. ## ## Invenio is free software; you can redistribute it and/or ## modify it under the terms of the GNU General Public License as ## published by the Free Software Foundation; either version 2 of the ## License, or (at your option) any later version. ## ## Invenio is distributed in the hope that it will be useful, but ## WITHOUT ANY WARRANTY; without even the implied warranty of ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ## General Public License for more details. ## ## You should have received a copy of the GNU General Public License ## along with Invenio; if not, write to the Free Software Foundation, Inc., ## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. """Invenio Access Control Engine in mod_python.""" __revision__ = "$Id$" import cgi import sys from urllib import quote if sys.hexversion < 0x2040000: # pylint: disable=W0622 from sets import Set as set # pylint: enable=W0622 from invenio.config import CFG_SITE_SECURE_URL from invenio.dbquery import run_sql from invenio.access_control_admin import acc_find_possible_roles, acc_is_user_in_role, CFG_SUPERADMINROLE_ID, acc_get_role_users from invenio.access_control_config import CFG_WEBACCESS_WARNING_MSGS, CFG_WEBACCESS_MSGS from invenio.webuser import collect_user_info -from invenio.access_control_firerole import acc_firerole_suggest_apache_p, deserialize, load_role_definition, acc_firerole_extract_emails +from invenio.access_control_firerole import deserialize, load_role_definition, acc_firerole_extract_emails from invenio.urlutils import make_canonical_urlargd -CFG_CALLED_FROM_APACHE = 1 #1=web,0=cli -try: - import _apache -except ImportError, e: - CFG_CALLED_FROM_APACHE = 0 - -def make_list_apache_firerole(name_action, arguments): - """Given an action and a dictionary arguments returns a list of all the - roles (and their descriptions) which are authorized to perform this - action with these arguments, and whose FireRole definition expect - an Apache Password membership. - """ - roles = acc_find_possible_roles(name_action, **arguments) - - ret = [] - - for role in roles: - res = run_sql('SELECT name, description, firerole_def_ser FROM accROLE WHERE id=%s', (role, )) - if acc_firerole_suggest_apache_p(deserialize(res[0][2])): - ret.append((res[0][0], res[0][1])) - return ret - -def _format_list_of_apache_firerole(roles, referer): - """Given a list of tuples (role, description) (returned by make_list_apache_firerole), and a referer url, returns a nice string for - presenting urls that let the user login with Apache password through - Firerole. - This function is needed only at CERN for aiding in the migration of - Apache Passwords restricted collections to FireRole roles. - Please use it with care.""" - out = "" - if roles: - out += "
1) Here is a list of administrative roles you may have " \ - "received authorization for via an Apache password. If you are aware " \ - "of such a password, please follow the corresponding link:" - out += "
| %s | - %s | " % \ - ('%s%s' % (CFG_SITE_SECURE_URL, make_canonical_urlargd({'realm' : name, 'referer' : referer}, {})), name, description) - out += "
Existing login_method:
- %s
Existing robot names (for login_method %s):
- %s
""" % {'name': escape(login_method_name, True)} + else: + login_method_boxes += """
""" % {'name': escape(login_method_name, True)} + + forms += """
| + """ % { + 'login_method': escape(login_method, True), + 'robot_name': escape(robot_name, True), + 'new_pwd1': escape(new_pwd1, True), + 'new_pwd2': escape(new_pwd2, True), + 'confirm_field': confirm_field, + 'login_method_boxes': login_method_boxes, + } + forms += """ |
ERRORS
- "
+ for error in errors:
+ out += '
- %s ' % error + out += "
WARNINGS
- "
+ for warning in warnings:
+ out += '
- %s ' % warning + out += "
INFORMATION
- "
+ for message in messages:
+ out += '
- %s ' % message + out += "
- Create new role
- go here to add a new role.
- Users:
- add or remove users from the access to a role and its priviliges.
- Authorizations/Actions:
- these terms means almost the same, but an authorization is a
connection between a role and an action (possibly) containing arguments. - Roles:
- see all the information attached to a role and decide if you want
to
delete it.
- Create new role
- go here to add a new role.
- Authorizations/Roles:
- these terms means almost the same, but an authorization is a
connection between a role and an action (possibly) containing arguments. - Actions:
- see all the information attached to an action.
- Create new role
- go here to add a new role.
search for users to display.
""" # remove letters not allowed in an email email_user_pattern = cleanstring_email(email_user_pattern) text = ' 1. search for user\n' text += ' \n' % (email_user_pattern, ) output += createhiddenform(action="userarea", text=text, button="search for users") if email_user_pattern: try: users1 = run_sql("""SELECT id, email FROM user WHERE email<>'' AND email RLIKE %s ORDER BY email LIMIT %s""", (email_user_pattern, MAXPAGEUSERS+1)) except OperationalError: users1 = () if not users1: output += 'no matching users
' else: subtitle = 'step 2 - select what to do with user' users = [] for (id, email) in users1[:MAXPAGEUSERS]: users.append([id, email]) for col in [(('add', 'addroleuser'), ('remove', 'deleteuserrole')), (('show details', 'showuserdetails'), )]: users[-1].append('%s' % (col[0][1], email_user_pattern, id, col[0][0])) for (str, function) in col[1:]: users[-1][-1] += ' / %s' % \ (function, email_user_pattern, id, str) output += 'found %s matching users:
' % \ (len(users1), ) output += tupletotable(header=['id', 'email', 'roles', ''], tuple=users) if len(users1) > MAXPAGEUSERS: output += 'only showing the first %s users, ' \ 'narrow your search...
' % (MAXPAGEUSERS, ) return index(req=req, title='User Administration', subtitle=subtitle, body=[output], adminarea=2) def perform_resetarea(req): """create the reset area menu page.""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) output = """- Reset to Default Authorizations
- remove all changes that has been done to the roles and
add only the default authorization settings. - Add Default Authorizations
- keep all changes and add the default authorization settings.
before you reset the settings, we need some users
to connect to %s.
enter as many e-mail addresses you want and press reset.
confirm reset settings when you have added enough e-mails.
%s is added as default.
enter user e-mail addresses:
""" if superusers: # remove emails output += """ """ # superusers confirm table start = '' output += 'reset default settings with the users below?
' output += tupletotable(header=['e-mail address'], tuple=superusers, start=start, extracolumn=extra, end=end) if confirm in [1, "1"]: res = acca.acc_reset_default_settings(superusers) if res: output += 'successfully reset default settings
' else: output += 'sorry, could not reset default settings
' return index(req=req, title='Reset Default Settings', subtitle='reset settings', body=[output], adminarea=6) def perform_adddefaultsettings(req, superusers=[], confirm=0): """add the default settings, and keep everything else. probably nothing will be deleted, except if there has been made changes to the defaults.""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) # cleaning input if type(superusers) == str: superusers = [superusers] # remove not valid e-mails for email in superusers: if not check_email(email): superusers.remove(email) # instructions output = """
before you add the settings, we need some users
to connect to %s.
enter as many e-mail addresses you want and press add.
confirm add settings when you have added enough e-mails.
%s is added as default.
enter user e-mail addresses:
""" if superusers: # remove emails output += """ """ # superusers confirm table start = '' output += 'add default settings with the users below?
' output += tupletotable(header=['e-mail address'], tuple=superusers, start=start, extracolumn=extra, end=end) if confirm in [1, "1"]: res = acca.acc_add_default_settings(superusers) if res: output += 'successfully added default settings
' else: output += 'sorry, could not add default settings
' return index(req=req, title='Add Default Settings', subtitle='add settings', body=[output], adminarea=6) def perform_manageaccounts(req, mtype='', content='', confirm=0): """start area for managing accounts.""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) subtitle = 'Overview' fin_output = '' fin_output += """| Menu | ||||
| 0. Show all | 1. Access policy | 2. Account overview | 3. Create account | 4. Edit accounts |
" if mtype == "perform_accountoverview" and content: fin_output += content elif mtype == "perform_accountoverview" or mtype == "perform_showall": fin_output += perform_accountoverview(req, callback='') fin_output += "
" if mtype == "perform_createaccount" and content: fin_output += content elif mtype == "perform_createaccount" or mtype == "perform_showall": fin_output += perform_createaccount(req, callback='') fin_output += "
" if mtype == "perform_modifyaccounts" and content: fin_output += content elif mtype == "perform_modifyaccounts" or mtype == "perform_showall": fin_output += perform_modifyaccounts(req, callback='') fin_output += "
" if mtype == "perform_becomeuser" and content: fin_output += content elif mtype == "perform_becomeuser" or mtype == "perform_showall": fin_output += perform_becomeuser(req, callback='') fin_output += "
" return index(req=req, title='Manage Accounts', subtitle=subtitle, body=[fin_output], adminarea=0, authorized=1) def perform_accesspolicy(req, callback='yes', confirm=0): """Modify default behaviour of a guest user or if new accounts should automatically/manually be modified.""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) - subtitle = """1. Access policy. [?]""" % CFG_SITE_URL + subtitle = """1. Access policy. [?]""" % CFG_SITE_SECURE_URL account_policy = {} account_policy[0] = "Users can register new accounts. New accounts automatically activated." account_policy[1] = "Users can register new accounts. Admin users must activate the accounts." account_policy[2] = "Only admin can register new accounts. User cannot edit email address." account_policy[3] = "Only admin can register new accounts. User cannot edit email address or password." account_policy[4] = "Only admin can register new accounts. User cannot edit email address,password or login method." site_policy = {} site_policy[0] = "Normal operation of the site." site_policy[1] = "Read-only site, all write operations temporarily closed." site_policy[2] = "Site fully closed." output = "(Modifications must be done in access_control_config.py)
" output += "
Current settings:
" output += "Site status: %s
" % (site_policy[CFG_ACCESS_CONTROL_LEVEL_SITE]) output += "Guest accounts allowed: %s
" % (CFG_ACCESS_CONTROL_LEVEL_GUESTS == 0 and "Yes" or "No") output += "Account policy: %s
" % (account_policy[CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS]) output += "Allowed email addresses limited: %s
" % (CFG_ACCESS_CONTROL_LIMIT_REGISTRATION_TO_DOMAIN and CFG_ACCESS_CONTROL_LIMIT_REGISTRATION_TO_DOMAIN or "Not limited") output += "Send email to admin when new account: %s
" % (CFG_ACCESS_CONTROL_NOTIFY_ADMIN_ABOUT_NEW_ACCOUNTS == 1 and "Yes" or "No") output += "Send email to user after creating new account: %s
" % (CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT == 1 and "Yes" or "No") output += "Send email to user when account is activated: %s
" % (CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_ACTIVATION == 1 and "Yes" or "No") output += "Send email to user when account is deleted/rejected: %s
" % (CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_DELETION == 1 and "Yes" or "No") output += "
" output += "Available 'login via' methods:
" methods = CFG_EXTERNAL_AUTHENTICATION.keys() methods.sort() for system in methods: - output += """%s %s
""" % (system, (CFG_EXTERNAL_AUTHENTICATION[system][1] and "(Default)" or "")) + output += """%s %s
""" % (system, (CFG_EXTERNAL_AUTH_DEFAULT == system and "(Default)" or "")) output += "
Changing the settings:
" output += "Currently, all changes must be done using your favourite editor, and the webserver restarted for changes to take effect. For the settings to change, either look in the guide or in access_control_config.py ." body = [output] if callback: return perform_manageaccounts(req, "perform_accesspolicy", addadminbox(subtitle, body)) else: return addadminbox(subtitle, body) def perform_accountoverview(req, callback='yes', confirm=0): """Modify default behaviour of a guest user or if new accounts should automatically/manually be modified.""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) - subtitle = """2. Account overview. [?]""" % CFG_SITE_URL + subtitle = """2. Account overview. [?]""" % CFG_SITE_SECURE_URL output = "" res = run_sql("SELECT COUNT(*) FROM user WHERE email=''") output += "Guest accounts: %s
" % res[0][0] res = run_sql("SELECT COUNT(*) FROM user WHERE email!=''") output += "Registered accounts: %s
" % res[0][0] res = run_sql("SELECT COUNT(*) FROM user WHERE email!='' AND note='0' OR note IS NULL") output += "Inactive accounts: %s " % res[0][0] if res[0][0] > 0: output += ' [Activate/Reject accounts]' res = run_sql("SELECT COUNT(*) FROM user") output += "
Total nr of accounts: %s
" % res[0][0] body = [output] if callback: return perform_manageaccounts(req, "perform_accountoverview", addadminbox(subtitle, body)) else: return addadminbox(subtitle, body) def perform_createaccount(req, email='', password='', callback='yes', confirm=0): """Modify default behaviour of a guest user or if new accounts should automatically/manually be modified.""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) - subtitle = """3. Create account. [?]""" % CFG_SITE_URL + subtitle = """3. Create account. [?]""" % CFG_SITE_SECURE_URL output = "" text = ' Email:\n' text += '
' % (email, ) text += ' Password:\n' text += '
' % (password, ) output += createhiddenform(action="createaccount", text=text, confirm=1, button="Create") if confirm in [1, "1"] and email and email_valid_p(email): res = run_sql("SELECT email FROM user WHERE email=%s", (email,)) if not res: res = run_sql("INSERT INTO user (email,password, note) values(%s,AES_ENCRYPT(email,%s), '1')", (email, password)) if CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT == 1: emailsent = send_new_user_account_warning(email, email, password) == 0 if password: output += 'Account created with password and activated.' else: output += 'Account created without password and activated.' if CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT == 1: if emailsent: output += '
An email has been sent to the owner of the account.' else: output += '
Could not send an email to the owner of the account.' else: output += 'An account with the same email already exists.' elif confirm in [1, "1"]: output += 'Please specify an valid email-address.' body = [output] if callback: return perform_manageaccounts(req, "perform_createaccount", addadminbox(subtitle, body)) else: return addadminbox(subtitle, body) def perform_modifyaccountstatus(req, userID, email_user_pattern, limit_to, maxpage, page, callback='yes', confirm=0): """set a disabled account to enabled and opposite""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) res = run_sql("SELECT id, email, note FROM user WHERE id=%s", (userID, )) subtitle = "" output = "" if res: if res[0][2] in [0, "0", None]: res2 = run_sql("UPDATE user SET note=1 WHERE id=%s", (userID, )) output += """The account '%s' has been activated.""" % res[0][1] if CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_ACTIVATION == 1: emailsent = send_account_activated_message(res[0][1], res[0][1], '*****') if emailsent: output += """
An email has been sent to the owner of the account.""" else: output += """
Could not send an email to the owner of the account.""" elif res[0][2] in [1, "1"]: res2 = run_sql("UPDATE user SET note=0 WHERE id=%s", (userID, )) output += """The account '%s' has been set inactive.""" % res[0][1] else: output += 'The account id given does not exist.' body = [output] if callback: return perform_modifyaccounts(req, email_user_pattern, limit_to, maxpage, page, content=output, callback='yes') else: return addadminbox(subtitle, body) def perform_editaccount(req, userID, mtype='', content='', callback='yes', confirm=-1): """form to modify an account. this method is calling other methods which again is calling this and sending back the output of the method. if callback, the method will call perform_editcollection, if not, it will just return its output. userID - id of the user mtype - the method that called this method. content - the output from that method.""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) res = run_sql("SELECT id, email FROM user WHERE id=%s", (userID, )) if not res: if mtype == "perform_deleteaccount": text = """The selected account has been deleted, to continue editing, go back to 'Manage Accounts'.""" if CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_DELETION == 1: text += """
An email has been sent to the owner of the account.""" else: text = """The selected accounts does not exist, please go back and select an account to edit.""" return index(req=req, title='Edit Account', subtitle="Edit account", body=[text], adminarea=7, authorized=1) fin_output = """
| Menu | ||
| 0. Show all | 1. Modify login-data | 2. Modify preferences |
| 3. Delete account |
\n' % userID text = ' Nickname:\n' text += '
' % (nickname, ) text += ' Email:\n' text += '
' % (email, ) text += ' Password:\n' text += '
' % (password, ) output += createhiddenform(action="modifylogindata", text=text, userID=userID, confirm=1, button="Modify") if confirm in [1, "1"] and email and email_valid_p(email): res = run_sql("SELECT nickname FROM user WHERE nickname=%s AND id<>%s", (nickname, userID)) if res: output += 'Sorry, the specified nickname is already used.' else: res = run_sql("UPDATE user SET email=%s WHERE id=%s", (email, userID)) if password: res = run_sql("UPDATE user SET password=AES_ENCRYPT(email,%s) WHERE id=%s", (password, userID)) else: output += 'Password not modified. ' res = run_sql("UPDATE user SET nickname=%s WHERE id=%s", (nickname, userID)) output += 'Nickname/email and/or password modified.' elif confirm in [1, "1"]: output += 'Please specify an valid email-address.' else: output += 'The account id given does not exist.' body = [output] if callback: return perform_editaccount(req, userID, mtype='perform_modifylogindata', content=addadminbox(subtitle, body), callback='yes') else: return addadminbox(subtitle, body) def perform_modifypreferences(req, userID, login_method='', callback='yes', confirm=0): """modify email and password of an account""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) - subtitle = """2. Modify preferences. [?]""" % CFG_SITE_URL + subtitle = """2. Modify preferences. [?]""" % CFG_SITE_SECURE_URL res = run_sql("SELECT id, email FROM user WHERE id=%s", (userID, )) output = "" if res: user_pref = get_user_preferences(userID) if confirm in [1, "1"]: if login_method: user_pref['login_method'] = login_method set_user_preferences(userID, user_pref) output += "Select default login method:
" text = "" methods = CFG_EXTERNAL_AUTHENTICATION.keys() methods.sort() for system in methods: text += """%s
""" % (system, (user_pref['login_method'] == system and "checked" or ""), system) output += createhiddenform(action="modifypreferences", text=text, confirm=1, userID=userID, button="Select") if confirm in [1, "1"]: if login_method: output += """The login method has been changed""" else: output += """Nothing to update""" else: output += 'The account id given does not exist.' body = [output] if callback: return perform_editaccount(req, userID, mtype='perform_modifypreferences', content=addadminbox(subtitle, body), callback='yes') else: return addadminbox(subtitle, body) def perform_deleteaccount(req, userID, callback='yes', confirm=0): """delete account""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) - subtitle = """3. Delete account. [?]""" % CFG_SITE_URL + subtitle = """3. Delete account. [?]""" % CFG_SITE_SECURE_URL res = run_sql("SELECT id, email FROM user WHERE id=%s", (userID, )) output = "" if res: if confirm in [0, "0"]: text = 'Are you sure you want to delete the account with email: "%s"?' % res[0][1] output += createhiddenform(action="deleteaccount", text=text, userID=userID, confirm=1, button="Delete") elif confirm in [1, "1"]: res2 = run_sql("DELETE FROM user WHERE id=%s", (userID, )) output += 'Account deleted.' if CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_DELETION == 1: emailsent = send_account_deleted_message(res[0][1], res[0][1]) else: output += 'The account id given does not exist.' body = [output] if callback: return perform_editaccount(req, userID, mtype='perform_deleteaccount', content=addadminbox(subtitle, body), callback='yes') else: return addadminbox(subtitle, body) def perform_rejectaccount(req, userID, email_user_pattern, limit_to, maxpage, page, callback='yes', confirm=0): """Delete account and send an email to the owner.""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) res = run_sql("SELECT id, email, note FROM user WHERE id=%s", (userID, )) output = "" subtitle = "" if res: res2 = run_sql("DELETE FROM user WHERE id=%s", (userID, )) output += 'Account rejected and deleted.' if CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_DELETION == 1: if not res[0][2] or res[0][2] == "0": emailsent = send_account_rejected_message(res[0][1], res[0][1]) elif res[0][2] == "1": emailsent = send_account_deleted_message(res[0][1], res[0][1]) if emailsent: output += """
An email has been sent to the owner of the account.""" else: output += """
Could not send an email to the owner of the account.""" else: output += 'The account id given does not exist.' body = [output] if callback: return perform_modifyaccounts(req, email_user_pattern, limit_to, maxpage, page, content=output, callback='yes') else: return addadminbox(subtitle, body) def perform_modifyaccounts(req, email_user_pattern='', limit_to=-1, maxpage=MAXPAGEUSERS, page=1, content='', callback='yes', confirm=0): """Modify default behaviour of a guest user or if new accounts should automatically/manually be modified.""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) - subtitle = """4. Edit accounts. [?]""" % CFG_SITE_URL + subtitle = """4. Edit accounts. [?]""" % CFG_SITE_SECURE_URL output = "" # remove letters not allowed in an email email_user_pattern = cleanstring_email(email_user_pattern) try: maxpage = int(maxpage) except: maxpage = MAXPAGEUSERS try: page = int(page) if page < 1: page = 1 except: page = 1 text = ' Email (part of):\n' text += '
' % (email_user_pattern, ) text += """Limit to:
""" % ((limit_to=="all" and "selected" or ""), (limit_to=="enabled" and "selected" or ""), (limit_to=="disabled" and "selected" or "")) text += """Accounts per page:
""" % ((maxpage==25 and "selected" or ""), (maxpage==50 and "selected" or ""), (maxpage==100 and "selected" or ""), (maxpage==250 and "selected" or ""), (maxpage==500 and "selected" or ""), (maxpage==1000 and "selected" or "")) output += createhiddenform(action="modifyaccounts", text=text, button="search for accounts") if limit_to not in [-1, "-1"] and maxpage: options = [] users1 = "SELECT id,email,note FROM user WHERE " if limit_to == "enabled": users1 += " email!='' AND note=1" elif limit_to == "disabled": users1 += " email!='' AND note=0 OR note IS NULL" elif limit_to == "guest": users1 += " email=''" else: users1 += " email!=''" if email_user_pattern: users1 += " AND email RLIKE %s" options += [email_user_pattern] users1 += " ORDER BY email LIMIT %s" options += [maxpage * page + 1] try: users1 = run_sql(users1, tuple(options)) except OperationalError: users1 = () if not users1: output += 'There are no accounts matching the email given.' else: users = [] if maxpage * (page - 1) > len(users1): page = len(users1) / maxpage + 1 for (id, email, note) in users1[maxpage * (page - 1):(maxpage * page)]: users.append(['', id, email, (note=="1" and 'Active' or 'Inactive')]) for col in [(((note=="1" and 'Inactivate' or 'Activate'), 'modifyaccountstatus'), ((note == "0" and 'Reject' or 'Delete'), 'rejectaccount'), ), (('Edit account', 'editaccount'), ),]: users[-1].append('%s' % (col[0][1], id, email_user_pattern, limit_to, maxpage, page, random.randint(0, 1000), col[0][0])) for (str, function) in col[1:]: users[-1][-1] += ' / %s' % (function, id, email_user_pattern, limit_to, maxpage, page, random.randint(0, 1000), str) users[-1].append('%s' % ('becomeuser', id, email_user_pattern, limit_to, maxpage, page, random.randint(0, 1000), 'Become user')) last = "" next = "" if len(users1) > maxpage: if page > 1: last += 'Last Page' % (email_user_pattern, limit_to, maxpage, (page - 1)) if len(users1[maxpage * (page - 1):(maxpage * page)]) == maxpage: next += 'Next page' % (email_user_pattern, limit_to, maxpage, (page + 1)) output += 'Showing accounts %s-%s:' % (1 + maxpage * (page - 1), maxpage * page) else: output += '%s matching account(s):' % len(users1) output += tupletotable(header=[last, 'id', 'email', 'Status', '', '', next], tuple=users) else: output += 'Please select which accounts to find and how many to show per page.' if content: output += "
%s" % content body = [output] if callback: return perform_manageaccounts(req, "perform_modifyaccounts", addadminbox(subtitle, body)) else: return addadminbox(subtitle, body) def perform_delegate_startarea(req): """start area for lower level delegation of rights.""" # refuse access to guest users: uid = getUid(req) if isGuestUser(uid): return index(req=req, title='Delegate Rights', adminarea=0, authorized=0) subtitle = 'select what to do' output = '' if is_adminuser(req)[0] == 0: output += """
You are also allowed to be in the Main Admin Area which gives you
the access to the full functionality of WebAccess.
- Connect users to roles
- add users to the roles you have delegation rights to.
- Remove users from roles
- remove users from the roles you have delegation rights to.
- Set up delegation rights
- specialized area to set up the delegation rights used in the areas above.
you need to be a web administrator to access the area.
This is a specialized area to handle a task that also can be handled
from the "add authorization" interface.
By handling the delegation rights here you get the advantage of
not having to select the correct action (%s) or
remembering the names of available roles.
previously selected roles: %s.
' % (names_str, ) extra = """- Remove delegated roles
- use the standard administration area to remove delegation rights you no longer want to be available.
no previously selected roles.
' output += createroleselect(id_role=id_role_delegate, step=2, button='select delegate role', name='id_role_delegate', action='delegate_adminsetup', roles=delegate_roles, id_role_admin=id_role_admin) if str(id_role_delegate) != '0': subtitle = 'step 3 - confirm to add delegation right' name_role_delegate = acca.acc_get_role_name(id_role=id_role_delegate) output += """Warning: don't hand out delegation rights that can harm the system (e.g. delegating superrole).
""" output += createhiddenform(action="delegate_adminsetup", text='let role %s delegate rights over role %s?' % (name_role_admin, name_role_delegate), id_role_admin=id_role_admin, id_role_delegate=id_role_delegate, confirm=1) if int(confirm): subtitle = 'step 4 - confirm delegation right added' # res1 = acca.acc_add_role_action_arguments_names(name_role=name_role_admin, # name_action=DELEGATEADDUSERROLE, # arglistid=-1, # optional=0, # role=name_role_delegate) res1 = acca.acc_add_authorization(name_role=name_role_admin, name_action=DELEGATEADDUSERROLE, optional=0, role=name_role_delegate) if res1: output += 'confirm: role %s delegates role %s.' % (name_role_admin, name_role_delegate) else: output += '
sorry, delegation right could not be added,
it probably already exists.
You do not have the delegation rights over any roles.
If you think you should have such rights, contact a WebAccess Administrator.
Lower level delegation of access rights to roles.
An administrator with all rights have to give you these rights.
no qualified users, try new search.
' # too many matching users elif len(users1) > MAXSELECTUSERS: output += '%s hits, too many qualified users, specify more narrow search. (limit %s)
' % (len(users1), MAXSELECTUSERS) # show matching users else: subtitle = 'step 3 - select a user' users = [] extrausers = [] for (id, email) in users1: if (id, email) not in users2: users.append([id,email,'']) for (id, email) in users2: extrausers.append([-id, email,'']) output += createuserselect(id_user=id_user, action="delegate_adduserrole", step=3, users=users, extrausers=extrausers, button="add this user", id_role=id_role, email_user_pattern=email_user_pattern) try: id_user = int(id_user) except ValueError: pass # user selected already connected to role if id_user < 0: output += 'users in brackets are already attached to the role, try another one...
' # a user is selected elif email_out: subtitle = "step 4 - confirm to add user" output += createhiddenform(action="delegate_adduserrole", text='add user %s to role %s?' % (email_out, name_role), id_role=id_role, email_user_pattern=email_user_pattern, id_user=id_user, confirm=1) # it is confirmed that this user should be added if confirm: # add user result = acca.acc_add_user_role(id_user=id_user, id_role=id_role) if result and result[2]: subtitle = 'step 5 - confirm user added' output += 'confirm: user %s added to role %s.
' % (email_out, name_role) else: subtitle = 'step 5 - user could not be added' output += 'sorry, but user could not be added.
' extra = """- Remove users from role
- remove users from the roles you have delegating rights to.
in progress...
' # finding the allowed roles for this user id_admin = getUid(req) id_action = acca.acc_get_action_id(name_action=DELEGATEADDUSERROLE) actions = acca.acc_find_possible_actions_user(id_user=id_admin, id_action=id_action) output = '' if not actions: subtitle = 'no delegation rights' output += """
You do not have the delegation rights over any roles.
If you think you should have such rights, contact a WebAccess Administrator.
Lower level delegation of access rights to roles.
An administrator with all rights have to give you these rights.
confirm: deleted user %s from role %s.
' % (email_user, name_role) else: subtitle = 'step 4 - user could not be deleted' output += 'sorry, but user could not be deleteduser is probably already deleted.' extra = """
- Connect users to role
- add users to the roles you have delegating rights to.
- Add new authorization
- add an authorization.
- Modify authorizations
- modify existing authorizations.
- Remove role
- remove all authorizations from action and a role.
no details to show
' body = [output] return index(req=req, title='Show Action Details', subtitle='show action details', body=body, adminarea=4) def actiondetails(id_action=0): """show details of given action. """ output = '' if id_action not in [0, '0']: name_action = acca.acc_get_action_name(id_action=id_action) output += 'action details:
' output += tupletotable(header=['id', 'name', 'description', 'allowedkeywords', 'optional'], tuple=[acca.acc_get_action_details(id_action=id_action)]) roleshlp = acca.acc_get_action_roles(id_action=id_action) if roleshlp: roles = [] for (id, name, dummy) in roleshlp: res = acca.acc_find_possible_actions(id, id_action) if res: authorization_details = tupletotable(header=res[0], tuple=res[1:]) else: authorization_details = 'no details to show' roles.append([id, name, authorization_details, 'show connected users' % (id, )]) roletable = tupletotable(header=['id', 'name', 'authorization details', ''], tuple=roles) output += 'roles connected to %s:
\n' % (headerstrong(action=name_action, query=0), ) output += roletable else: output += 'no roles connected to %s.
\n' % (headerstrong(action=name_action, query=0), ) else: output += 'no details to show
' return output def perform_addrole(req, id_role=0, name_role='', description='put description here.', firerole_def_src=CFG_ACC_EMPTY_ROLE_DEFINITION_SRC, confirm=0): """form to add a new role with these values: name_role - name of the new role description - optional description of the role """ (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) name_role = cleanstring(name_role) title='Add Role' subtitle = 'step 1 - give values to the requested fields' output = """ """ % (escape(name_role, '"'), escape(description), escape(firerole_def_src)) if name_role: # description must be changed before submitting subtitle = 'step 2 - confirm to add role' internaldesc = '' if description != 'put description here.': internaldesc = description try: firerole_def_ser = serialize(compile_role_definition(firerole_def_src)) except InvenioWebAccessFireroleError, msg: output += "%s" % msg else: text = """ add role with:\n name: %s
""" % (name_role, ) if internaldesc: text += 'description: %s?\n' % (description, ) output += createhiddenform(action="addrole", text=text, name_role=escape(name_role, '"'), description=escape(description, '"'), firerole_def_src=escape(firerole_def_src, '"'), confirm=1) if confirm not in ["0", 0]: result = acca.acc_add_role(name_role=name_role, description=internaldesc, firerole_def_ser=firerole_def_ser, firerole_def_src=firerole_def_src) if result: subtitle = 'step 3 - role added' output += '
role added:
' result = list(result) result[3] = result[3].replace('\n', '') result = tuple(result) output += tupletotable(header=['id', 'role name', 'description', 'firewall like role definition'], tuple=[result]) else: subtitle = 'step 3 - role could not be added' output += '
sorry, could not add role,
role with the same name probably exists.
- Add authorization
- start adding new authorizations to role %s.
\n name: %s
""" % (name_role, ) if internaldesc: text += 'description: %s?
' % (description, ) text += 'firewall like role definition: %s' % firerole_def_src.replace('\n', '
') try: firerole_def_ser = serialize(compile_role_definition(firerole_def_src)) except InvenioWebAccessFireroleError, msg: subtitle = 'step 2 - role could not be modified' output += '
sorry, could not modify role because of troubles with its definition:
%s
role modified:
' output += tupletotable(header=['id', 'role name', 'description', 'firewall like role definition'], tuple=[(id_role, name_role, description, firerole_def_src.replace('\n', ''))]) else: subtitle = 'step 2 - role could not be modified' output += '
sorry, could not modify role,
please contact the administrator.
confirm: role %s deleted.
" % (name_role, )
output += "%s entries were removed.
sorry, the role could not be deleted.
" elif id_role != "0": output += 'the role has been deleted...
' return index(req=req, title=title, subtitle=subtitle, body=[output], adminarea=3) def perform_showroledetails(req, id_role): """show the details of a role.""" (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) output = createroleselect(id_role=id_role, action="showroledetails", step=1, roles=acca.acc_get_all_roles(), button="select role") if id_role not in [0, '0']: name_role = acca.acc_get_role_name(id_role=id_role) output += roledetails(id_role=id_role) extra = """- Modify role
- modify the role you are seeing
- Add new authorization
- add an authorization.
- Modify authorizations
- modify existing authorizations.
- Connect user
- connect a user to role %(name_role)s.
- Remove user
- remove a user from role %(name_role)s.
no details to show
' body = [output] return index(req=req, title='Show Role Details', subtitle='show role details', body=body, adminarea=3) def roledetails(id_role=0): """create the string to show details about a role. """ name_role = acca.acc_get_role_name(id_role=id_role) usershlp = acca.acc_get_role_users(id_role) users = [] for (id, email, dummy) in usershlp: users.append([id, email, 'show user details' % (id, )]) usertable = tupletotable(header=['id', 'email'], tuple=users) actionshlp = acca.acc_get_role_actions(id_role) actions = [] for (action_id, name, dummy) in actionshlp: res = acca.acc_find_possible_actions(id_role, action_id) if res: authorization_details = tupletotable(header=res[0], tuple=res[1:]) else: authorization_details = 'no details to show' actions.append([action_id, name, authorization_details, 'show action details' % (id_role, action_id)]) actiontable = tupletotable(header=['id', 'name', 'parameters', ''], tuple=actions) # show role details details = 'role details:
' role_details = acca.acc_get_role_details(id_role=id_role) if role_details[3] is None: role_details[3] = '' role_details[3] = role_details[3].replace('\n', '') # Hack for preformatting firerole rules details += tupletotable(header=['id', 'name', 'description', 'firewall like role definition'], tuple=[role_details]) # show connected users details += '
users connected to %s:
' % (headerstrong(role=name_role, query=0), ) if users: details += usertable else: details += 'no users connected.
' # show connected authorizations details += 'authorizations for %s:
' % (headerstrong(role=name_role, query=0), ) if actions: details += actiontable else: details += 'no authorizations connected
' return details def perform_adduserrole(req, id_role='0', email_user_pattern='', id_user='0', confirm=0): """create connection between user and role. id_role - id of the role to add user to email_user_pattern - search for users using this pattern id_user - id of user to add to the role. """ (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) email_out = acca.acc_get_user_email(id_user=id_user) name_role = acca.acc_get_role_name(id_role=id_role) title = 'Connect user to role ' subtitle = 'step 1 - select a role' output = createroleselect(id_role=id_role, action="adduserrole", step=1, roles=acca.acc_get_all_roles()) # role is selected if id_role != "0": title += name_role subtitle = 'step 2 - search for users' # remove letters not allowed in an email email_user_pattern = cleanstring_email(email_user_pattern) text = ' 2. search for user \n' text += ' \n' % (email_user_pattern, ) output += createhiddenform(action="adduserrole", text=text, button="search for users", id_role=id_role) # pattern is entered if email_user_pattern: # users with matching email-address try: users1 = run_sql("""SELECT id, email FROM user WHERE email<>'' AND email RLIKE %s ORDER BY email """, (email_user_pattern, )) except OperationalError: users1 = () # users that are connected try: users2 = run_sql("""SELECT DISTINCT u.id, u.email FROM user u LEFT JOIN user_accROLE ur ON u.id = ur.id_user WHERE ur.id_accROLE = %s AND u.email RLIKE %s ORDER BY u.email """, (id_role, email_user_pattern)) except OperationalError: users2 = () # no users that match the pattern if not (users1 or users2): output += 'no qualified users, try new search.
' elif len(users1) > MAXSELECTUSERS: output += '%s hits, too many qualified users, specify more narrow search. (limit %s)
' % (len(users1), MAXSELECTUSERS) # show matching users else: subtitle = 'step 3 - select a user' users = [] extrausers = [] for (user_id, email) in users1: if (user_id, email) not in users2: users.append([user_id,email,'']) for (user_id, email) in users2: extrausers.append([-user_id, email,'']) output += createuserselect(id_user=id_user, action="adduserrole", step=3, users=users, extrausers=extrausers, button="add this user", id_role=id_role, email_user_pattern=email_user_pattern) try: id_user = int(id_user) except ValueError: pass # user selected already connected to role if id_user < 0: output += 'users in brackets are already attached to the role, try another one...
' # a user is selected elif email_out: subtitle = "step 4 - confirm to add user" output += createhiddenform(action="adduserrole", text='add user %s to role %s?' % (email_out, name_role), id_role=id_role, email_user_pattern=email_user_pattern, id_user=id_user, confirm=1) # it is confirmed that this user should be added if confirm: # add user result = acca.acc_add_user_role(id_user=id_user, id_role=id_role) if result and result[2]: subtitle = 'step 5 - confirm user added' output += 'confirm: user %s added to role %s.
' % (email_out, name_role) else: subtitle = 'step 5 - user could not be added' output += 'sorry, but user could not be added.
' extra = """- Create new role
- go here to add a new role.
- Remove users
- remove users from role %s.
- Connected users
- show all users connected to role %s.
- Add authorization
- start adding new authorizations to role %s.
no qualified users, try new search.
' # too many users elif len(users) > MAXSELECTUSERS: output += '%s hits, too many qualified users, specify more narrow search. (limit %s)
' % (len(users), MAXSELECTUSERS) # ok number of users else: output += createuserselect(id_user=id_user, action='addroleuser', step=2, users=users, button='select user', email_user_pattern=email_user_pattern) if int(id_user): subtitle = 'step 3 - select role' # roles the user is connected to role_ids = acca.acc_get_user_roles(id_user=id_user) # all the roles, lists are sorted on the background of these... all_roles = acca.acc_get_all_roles() # sort the roles in connected and not connected roles for (id, name, description, dummy, dummy) in all_roles: if id in role_ids: con_roles.append([-id, name, description]) else: not_roles.append([id, name, description]) # create roleselect output += createroleselect(id_role=id_role, action='addroleuser', step=3, roles=not_roles, extraroles=con_roles, extrastamp='(connected)', button='add this role', email_user_pattern=email_user_pattern, id_user=id_user) if int(id_role) < 0: name_role = acca.acc_get_role_name(id_role=-int(id_role)) output += 'role %s already connected to the user, try another one...
' % (name_role, ) elif int(id_role): subtitle = 'step 4 - confirm to add role to user' output += createhiddenform(action='addroleuser', text='add role %s to user %s?' % (name_role, email_out), email_user_pattern=email_user_pattern, id_user=id_user, id_role=id_role, confirm=1) if confirm: # add role result = acca.acc_add_user_role(id_user=id_user, id_role=id_role) if result and result[2]: subtitle = 'step 5 - confirm role added' output += '
confirm: role %s added to user %s.
' % (name_role, email_out) else: subtitle = 'step 5 - role could not be added' output += 'sorry, but role could not be added
' extra = """- Create new role
- go here to add a new role. """ if int(id_user) and con_roles: extra += """
- Remove roles
- disconnect roles from user %s.
- Remove users
- disconnect users from role %s.
no need to remove roles from user %s,
user is not connected to any roles.
confirm: deleted user %s from role %s.
' % (email_user, name_role) else: subtitle = 'step 4 - user could not be deleted' output += 'sorry, but user could not be deleteduser is probably already deleted.' extra = '' if str(id_role) != "0": extra += """
- Connect user
- add users to role %s. """ % (id_role, name_role) if int(reverse): extra += """
- Remove user
- remove users from role %s. """ % (id_role, name_role) extra += '
- Connect role
- add roles to user %s. """ % (email_user, id_user, email_user) if not int(reverse): extra += """
- Remove role
- remove roles from user %s. """ % (id_user, email_user, email_user) extra += '
- Connect role
- connect a role to user %s.
- Remove role
- remove a role from user %s.
no details to show
'] return index(req=req, title='Show User Details', subtitle='show user details', body=body, adminarea=5) def userdetails(id_user=0): """create the string to show details about a user. """ # find necessary details email_user = acca.acc_get_user_email(id_user=id_user) userroles = acca.acc_get_user_roles(id_user=id_user) conn_roles = [] # find connected roles for (id, name, desc, dummy, dummy) in acca.acc_get_all_roles(): if id in userroles: conn_roles.append([id, name, desc]) conn_roles[-1].append('show details' % (id, )) if conn_roles: # print details details = 'roles connected to user %s
' % (email_user, ) details += tupletotable(header=['id', 'name', 'description', ''], tuple=conn_roles) else: details = 'no roles connected to user %s.
' % (email_user, ) return details def perform_addauthorization(req, id_role="0", id_action="0", optional=0, reverse="0", confirm=0, **keywords): """ form to add new connection between user and role: id_role - role to connect id_action - action to connect reverse - role or action first? """ (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) # values that might get used name_role = acca.acc_get_role_name(id_role=id_role) or id_role name_action = acca.acc_get_action_name(id_action=id_action) or id_action optional = optional == 'on' and 1 or int(optional) extra = """- Create new role
- go here to add a new role.
- Add authorization
- add authorizations to action %s.
- Add authorization
- add authorizations to role %s.
connection without arguments is already created.
' else: # action with arguments optionalargs = acca.acc_get_action_is_optional(id_action=id_action) output += '3. authorized arguments' if optionalargs: # optional arguments output += """
connect %s to %s for any arguments
connect %s to %s for only these argument cases:
%s
""" % (headerstrong(role=name_role, action=name_action, query=0), ) if optional: text += 'withouth arguments' keywords = {} else: for key in keys: text += '%s: %s \n' % (escape(key), escape(keywords[key])) output += createhiddenform(action="addauthorization", text=text, id_role=id_role, id_action=id_action, reverse=reverse, confirm=1, optional=optional, **keywords) # show existing authorizations, found authorizations further up in the code... # res_auths = acca.acc_find_possible_actions(id_role, id_action) output += '
existing authorizations:
' if res_auths: output += tupletotable(header=res_auths[0], tuple=res_auths[1:]) # shortcut to modifying authorizations extra += """- Modify authorizations
- modify the existing authorizations.
no details to show
' # user confirmed to add entries if confirm: subtitle = 'step 5 - confirm authorization added' res1 = acca.acc_add_authorization(name_role=name_role, name_action=name_action, optional=optional, **keywords) if res1: res2 = acca.acc_find_possible_actions(id_role, id_action) arg = res1[0][3] # the arglistid new = [res2[0]] for row in res2[1:]: if int(row[0]) == int(arg): new.append(row) newauths = tupletotable(header=new[0], tuple=new[1:]) newentries = tupletotable(header=['role id', 'action id', 'argument id', '#'], tuple=res1) st = 'style="vertical-align: top"' output += """new authorization and entries:
| %s | %s |
sorry, authorization could not be added,
it probably already exists
authorizations that will be deleted:
' output += tupletotable(header=res[0], tuple=res[1:]) output += createhiddenform(action="deleteroleaction", text='remove %s from %s' % (headerstrong(action=id_action), headerstrong(role=id_role)), confirm=1, id_role=id_role, id_action=id_action, reverse=reverse) else: output += 'no authorizations' # confirmation is given if confirm: subtitle = 'step 4 - confirm authorizations removed ' res = acca.acc_delete_role_action(id_role=id_role, id_action=id_action) if res: output += 'confirm: removed %s from %s
' % (headerstrong(action=id_action), headerstrong(role=id_role))
output += '%s entries were removed.
sorry, no entries could be removed.
' return index(req=req, title=title, subtitle=subtitle, body=[output], adminarea=adminarea) def perform_modifyauthorizations(req, id_role="0", id_action="0", reverse=0, confirm=0, errortext='', sel='', authids=[]): """given ids of a role and an action, show all possible action combinations with checkboxes and allow user to access other functions. id_role - id of the role id_action - id of the action reverse - 0: ask for role first 1: ask for action first sel - which button and modification that is selected errortext - text to print when no connection exist between role and action authids - ids of checked checkboxes """ (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) name_role = acca.acc_get_role_name(id_role) name_action = acca.acc_get_action_name(id_action) output = '' try: id_role, id_action, reverse = int(id_role), int(id_action), int(reverse) except ValueError: pass extra = """- Create new role
- go here to add a new role.
- \n'
if id_role and id_action:
extra += """
- Add authorizations
- add an authorization to the existing ones. """ % (id_role, id_action, reverse) if id_role: extra += """
- Add authorizations
- add to role %s. """ % (id_role, name_role) if id_action: extra += """
- Add authorizations
- add to action %s. """ % (id_action, name_action) extra += '\n
%s
' % (errortext, ) if id_role and id_action: # adding to main area if type(authids) is not list: authids = [authids] subtitle = 'step 3 - select groups and modification' # get info res = acca.acc_find_possible_actions(id_role, id_action) # clean the authids hiddenids = [] if sel in ['delete selected']: hiddenids = authids[:] elif sel in ['split groups', 'merge groups']: for authid in authids: arghlp = res[int(authid)][0] if authid not in hiddenids and arghlp not in [-1, '-1', 0, '0']: hiddenids.append(authid) authids = hiddenids[:] if confirm: # do selected modification and output with new authorizations if sel == 'split groups': res = splitgroups(id_role, id_action, authids) elif sel == 'merge groups': res = mergegroups(id_role, id_action, authids) elif sel == 'delete selected': res = deleteselected(id_role, id_action, authids) authids = [] res = acca.acc_find_possible_actions(id_role, id_action) output += 'authorizations after %s.\n' % (sel, ) elif sel and authids: output += 'confirm choice of authorizations and modification.
\n' else: output += 'select authorizations and perform modification.
\n' if not res: errortext = 'all connections deleted, try different ' if reverse in ["0", 0]: return perform_modifyauthorizations(req=req, id_role=id_role, errortext=errortext + 'action.') else: return perform_modifyauthorizations(req=req, id_action=id_action, reverse=reverse, errortext=errortext + 'role.') # display output += modifyauthorizationsmenu(id_role, id_action, header=res[0], tuple=res[1:], checked=authids, reverse=reverse) if sel and authids: subtitle = 'step 4 - confirm to perform modification' # form with hidden authids output += '' # tried to perform modification without something selected elif sel and not authids and not confirm: output += '
no valid groups selected
' # trying to put extra link on the right side try: body = [output, extra] except NameError: body = [output] # Display the page return index(req=req, title='Modify Authorizations', subtitle=subtitle, body=body, adminarea=adminarea) def modifyauthorizationsmenu(id_role, id_action, tuple=[], header=[], checked=[], reverse=0): """create table with header and checkboxes, used for multiple choice. makes use of tupletotable to add the actual table id_role - selected role, hidden value in the form id_action - selected action, hidden value in the form tuple - all rows to be put in the table (with checkboxes) header - column headers, empty strings added at start and end checked - ids of rows to be checked """ if not tuple: return 'no authorisations...' argnum = len(acca.acc_get_action_keywords(id_action=id_action)) tuple2 = [] for t in tuple: tuple2.append(t[:]) tuple2 = addcheckboxes(datalist=tuple2, name='authids', startindex=1, checked=checked) hidden = ' \n' \ % (id_role, ) hidden += ' \n' \ % (id_action, ) hidden += ' \n' \ % (reverse, ) button = '\n' if argnum > 1: button += '\n' button += '\n' hdrstr = '' for h in [''] + header + ['']: hdrstr += '| selection for WebAccess Admin |
|---|
|
authorizations for %s:
' \ % (headerstrong(action=id_action, role=id_role), ) output += tupletotable(header=res[0], tuple=res[1:], extracolumn=extra) else: output = 'no details to show' return index(req=req, title='Simple authorization details', subtitle='simple authorization details', body=[output], adminarea=3) def perform_showroleusers(req, id_role=0): """show a page with simple overview of a role and connected users. """ (auth_code, auth_message) = is_adminuser(req) if auth_code != 0: return mustloginpage(req, auth_message) res = acca.acc_get_role_users(id_role=id_role) name_role = acca.acc_get_role_name(id_role=id_role) if res: users = [] for (role_id, name, dummy) in res: users.append([role_id, name, 'show user details' % (role_id, )]) output = 'users connected to %s:
' \ % (headerstrong(role=id_role), ) output += tupletotable(header=['id', 'name', ''], tuple=users) else: output = 'no users connected to role %s' \ % (name_role, ) extra = """- Connect user
- connect users to the role.
popularized authors: "+str(time1-time2)+"
") #and publication venues venuetuples = get_most_popular_field_values(pubs, (VENUE_TAG)) time2 = time.time() if verbose == 9: req.write("
venues: "+str(time2-time1)+"
") #and keywords kwtuples = get_most_popular_field_values(pubs, (KEYWORD_TAG, FKEYWORD_TAG), count_repetitive_values=False) if CFG_INSPIRE_SITE: # filter kw tuples against unwanted keywords: kwtuples_filtered = () for (kw, num) in kwtuples: kwlower = kw.lower() kwlower_unwanted = False for unwanted_keyword in CFG_INSPIRE_UNWANTED_KEYWORDS_START: if kwlower.startswith(unwanted_keyword): kwlower_unwanted = True # unwanted keyword found break for unwanted_keyword in CFG_INSPIRE_UNWANTED_KEYWORDS_MIDDLE: if unwanted_keyword in kwlower: kwlower_unwanted = True # unwanted keyword found break if not kwlower_unwanted: kwtuples_filtered += ((kw, num),) kwtuples = kwtuples_filtered time1 = time.time() if verbose == 9: req.write("
keywords: "+str(time1-time2)+"
") #construct a simple list of tuples that contains keywords that appear more than once #moreover, limit the length of the list to MAX_KEYWORD_LIST kwtuples = kwtuples[0:MAX_KEYWORD_LIST] vtuples = venuetuples[0:MAX_VENUE_LIST] #remove the author in question from authors: they are associates if (authors.count(self.authorname) > 0): authors.remove(self.authorname) authors = authors[0:MAX_COLLAB_LIST] #cut extra time2 = time.time() if verbose == 9: req.write("
misc: "+str(time2-time1)+"
") #a dict. keys: affiliations, values: lists of publications author_aff_pubs = self.get_institute_pub_dict(pubs) time1 = time.time() if verbose == 9: req.write("
affiliations: "+str(time1-time2)+"
") totaldownloads = 0 if CFG_BIBRANK_SHOW_DOWNLOAD_STATS: #find out how many times these records have been downloaded recsloads = {} recsloads = get_download_weight_total(recsloads, pubs) #sum up for k in recsloads.keys(): totaldownloads = totaldownloads + recsloads[k] #get cited by.. citedbylist = get_cited_by_list(pubs) time1 = time.time() if verbose == 9: req.write("
citedby: "+str(time1-time2)+"
") #finally all stuff there, call the template websearch_templates.tmpl_author_information(req, pubs, self.authorname, totaldownloads, author_aff_pubs, citedbylist, kwtuples, authors, vtuples, ln) time1 = time.time() #cited-by summary out = summarize_records(intbitset(pubs), 'hcs', ln, self.authorname, 'exactauthor', req) time2 = time.time() if verbose == 9: req.write("
summarizer: "+str(time2-time1)+"
") req.write(out) simauthbox = create_similarly_named_authors_link_box(self.authorname) req.write(simauthbox) if verbose == 9: req.write("
all: "+str(time.time()-genstart)+"
") return page_end(req, 'hb', ln) def get_institute_pub_dict(self, recids): """return a dictionary consisting of institute -> list of publications""" author_aff_pubs = {} #the dictionary to be built for recid in recids: #iterate all so that we get first author's intitute #if this the first author OR #"his" institute if he is an affliate author affus = [] #list of insts from the given record mainauthors = get_fieldvalues(recid, AUTHOR_TAG) mainauthor = " " if mainauthors: mainauthor = mainauthors[0] if (mainauthor == self.authorname): affus = get_fieldvalues(recid, AUTHOR_INST_TAG) else: #search for coauthors.. coauthor_field_lines = [] coauthorfield_content = get_fieldvalues_alephseq_like(recid, \ COAUTHOR_TAG[:3]) if coauthorfield_content: coauthor_field_lines = coauthorfield_content.split("\n") for line in coauthor_field_lines: if line.count(self.authorname) > 0: #get affilitions .. the correct ones are $$+code code = COAUTHOR_INST_TAG[-1] myparts = line.split("$$") for part in myparts: if part and part[0] == code: myaff = part[1:] affus.append(myaff) break #if this is empty, add a dummy " " value if (affus == []): affus = [" "] for a in affus: #add in author_aff_pubs if (author_aff_pubs.has_key(a)): tmp = author_aff_pubs[a] tmp.append(recid) author_aff_pubs[a] = tmp else: author_aff_pubs[a] = [recid] return author_aff_pubs index = __call__ class WebInterfaceRecordPages(WebInterfaceDirectory): """ Handling of a /record/
' + (_("Sorry, collection %s does not seem to exist.") % ('' + str(c) + '')) + '
' page_body = '' + (_("You may want to start browsing from %s.") % ('' + get_coll_i18nname(CFG_SITE_NAME, ln) + '')) + '
' if req.header_only: raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND return page(title=_("Collection %s Not Found") % cgi.escape(c), body=page_body, description=(CFG_SITE_NAME + ' - ' + _("Not found") + ': ' + cgi.escape(str(c))), keywords="%s" % CFG_SITE_NAME, uid=uid, language=ln, req=req, navmenuid='search') # wash `aas' argument: if not os.path.exists("%s/collections/%d/body-as=%d-ln=%s.html" % \ (CFG_CACHEDIR, colID, aas, ln)): # nonexistent `aas' asked for, fall back to Simple Search: aas = 0 # display collection interface page: try: filedesc = open("%s/collections/%d/navtrail-as=%d-ln=%s.html" % \ (CFG_CACHEDIR, colID, aas, ln), "r") c_navtrail = filedesc.read() filedesc.close() except: c_navtrail = "" try: filedesc = open("%s/collections/%d/body-as=%d-ln=%s.html" % \ (CFG_CACHEDIR, colID, aas, ln), "r") c_body = filedesc.read() filedesc.close() except: c_body = "" try: filedesc = open("%s/collections/%d/portalbox-tp-ln=%s.html" % \ (CFG_CACHEDIR, colID, ln), "r") c_portalbox_tp = filedesc.read() filedesc.close() except: c_portalbox_tp = "" try: filedesc = open("%s/collections/%d/portalbox-te-ln=%s.html" % \ (CFG_CACHEDIR, colID, ln), "r") c_portalbox_te = filedesc.read() filedesc.close() except: c_portalbox_te = "" try: filedesc = open("%s/collections/%d/portalbox-lt-ln=%s.html" % \ (CFG_CACHEDIR, colID, ln), "r") c_portalbox_lt = filedesc.read() filedesc.close() except: c_portalbox_lt = "" try: # show help boxes (usually located in "tr", "top right") # if users have not banned them in their preferences: c_portalbox_rt = "" if user_preferences.get('websearch_helpbox', 1) > 0: filedesc = open("%s/collections/%d/portalbox-rt-ln=%s.html" % \ (CFG_CACHEDIR, colID, ln), "r") c_portalbox_rt = filedesc.read() filedesc.close() except: c_portalbox_rt = "" try: filedesc = open("%s/collections/%d/last-updated-ln=%s.html" % \ (CFG_CACHEDIR, colID, ln), "r") c_last_updated = filedesc.read() filedesc.close() except: c_last_updated = "" try: title = get_coll_i18nname(c, ln) except: title = "" show_title_p = True body_css_classes = [] if c == CFG_SITE_NAME: # Do not display title on home collection show_title_p = False body_css_classes.append('home') if len(collection_reclist_cache.cache.keys()) == 1: # if there is only one collection defined, do not print its # title on the page as it would be displayed repetitively. show_title_p = False if aas == -1: show_title_p = False # RSS: rssurl = CFG_SITE_URL + '/rss' rssurl_params = [] if c != CFG_SITE_NAME: rssurl_params.append('cc=' + quote(c)) if ln != CFG_SITE_LANG and \ c in CFG_WEBSEARCH_RSS_I18N_COLLECTIONS: rssurl_params.append('ln=' + ln) if rssurl_params: rssurl += '?' + '&'.join(rssurl_params) if 'hb' in CFG_WEBSEARCH_USE_JSMATH_FOR_FORMATS: metaheaderadd = """ """ else: metaheaderadd = '' return page(title=title, body=c_body, navtrail=c_navtrail, description="%s - %s" % (CFG_SITE_NAME, c), keywords="%s, %s" % (CFG_SITE_NAME, c), metaheaderadd=metaheaderadd, uid=uid, language=ln, req=req, cdspageboxlefttopadd=c_portalbox_lt, cdspageboxrighttopadd=c_portalbox_rt, titleprologue=c_portalbox_tp, titleepilogue=c_portalbox_te, lastupdated=c_last_updated, navmenuid='search', rssurl=rssurl, body_css_classes=body_css_classes, show_title_p=show_title_p) class WebInterfaceRSSFeedServicePages(WebInterfaceDirectory): """RSS 2.0 feed service pages.""" def __call__(self, req, form): """RSS 2.0 feed service.""" # Keep only interesting parameters for the search default_params = websearch_templates.rss_default_urlargd # We need to keep 'jrec' and 'rg' here in order to have # 'multi-page' RSS. These parameters are not kept be default # as we don't want to consider them when building RSS links # from search and browse pages. default_params.update({'jrec':(int, 1), 'rg': (int, CFG_WEBSEARCH_INSTANT_BROWSE_RSS)}) argd = wash_urlargd(form, default_params) user_info = collect_user_info(req) for coll in argd['c'] + [argd['cc']]: if collection_restricted_p(coll): (auth_code, auth_msg) = acc_authorize_action(user_info, VIEWRESTRCOLL, collection=coll) - if auth_code and user_info['email'] == 'guest' and not user_info['apache_user']: + if auth_code and user_info['email'] == 'guest': cookie = mail_cookie_create_authorize_action(VIEWRESTRCOLL, {'collection' : coll}) target = CFG_SITE_SECURE_URL + '/youraccount/login' + \ make_canonical_urlargd({'action': cookie, 'ln' : argd['ln'], 'referer' : CFG_SITE_URL + req.unparsed_uri}, {}) return redirect_to_url(req, target, norobot=True) elif auth_code: return page_not_authorized(req, "../", \ text = auth_msg,\ navmenuid='search') # Create a standard filename with these parameters current_url = websearch_templates.build_rss_url(argd) cache_filename = current_url.split('/')[-1] # In the same way as previously, add 'jrec' & 'rg' req.content_type = "application/rss+xml" req.send_http_header() try: # Try to read from cache path = "%s/rss/%s.xml" % (CFG_CACHEDIR, cache_filename) # Check if cache needs refresh filedesc = open(path, "r") last_update_time = datetime.datetime.fromtimestamp(os.stat(os.path.abspath(path)).st_mtime) assert(datetime.datetime.now() < last_update_time + datetime.timedelta(minutes=CFG_WEBSEARCH_RSS_TTL)) c_rss = filedesc.read() filedesc.close() req.write(c_rss) return except Exception, e: # do it live and cache previous_url = None if argd['jrec'] > 1: prev_jrec = argd['jrec'] - argd['rg'] if prev_jrec < 1: prev_jrec = 1 previous_url = websearch_templates.build_rss_url(argd, jrec=prev_jrec) recIDs = perform_request_search(req, of="id", c=argd['c'], cc=argd['cc'], p=argd['p'], f=argd['f'], p1=argd['p1'], f1=argd['f1'], m1=argd['m1'], op1=argd['op1'], p2=argd['p2'], f2=argd['f2'], m2=argd['m2'], op2=argd['op2'], p3=argd['p3'], f3=argd['f3'], m3=argd['m3']) nb_found = len(recIDs) next_url = None if len(recIDs) >= argd['jrec'] + argd['rg']: next_url = websearch_templates.build_rss_url(argd, jrec=(argd['jrec'] + argd['rg'])) first_url = websearch_templates.build_rss_url(argd, jrec=1) last_url = websearch_templates.build_rss_url(argd, jrec=nb_found-argd['rg']+1) recIDs = recIDs[-argd['jrec']:(-argd['rg']-argd['jrec']):-1] rss_prologue = '\n' + \ websearch_templates.tmpl_xml_rss_prologue(current_url=current_url, previous_url=previous_url, next_url=next_url, first_url=first_url, last_url=last_url, nb_found=nb_found, jrec=argd['jrec'], rg=argd['rg']) + '\n' req.write(rss_prologue) rss_body = format_records(recIDs, of='xr', ln=argd['ln'], user_info=user_info, record_separator="\n", req=req, epilogue="\n") rss_epilogue = websearch_templates.tmpl_xml_rss_epilogue() + '\n' req.write(rss_epilogue) # update cache dirname = "%s/rss" % (CFG_CACHEDIR) mymkdir(dirname) fullfilename = "%s/rss/%s.xml" % (CFG_CACHEDIR, cache_filename) try: # Remove the file just in case it already existed # so that a bit of space is created os.remove(fullfilename) except OSError: pass # Check if there's enough space to cache the request. if len(os.listdir(dirname)) < CFG_WEBSEARCH_RSS_MAX_CACHED_REQUESTS: try: os.umask(022) f = open(fullfilename, "w") f.write(rss_prologue + rss_body + rss_epilogue) f.close() except IOError, v: if v[0] == 36: # URL was too long. Never mind, don't cache pass else: raise repr(v) index = __call__ class WebInterfaceRecordExport(WebInterfaceDirectory): """ Handling of a /record/" bask=aler=msgs= _("The %(x_fmt_open)sguest%(x_fmt_close)s users need to %(x_url_open)sregister%(x_url_close)s first") %\ {'x_fmt_open': '', 'x_fmt_close': '', 'x_url_open': '', 'x_url_close': ''} sear= _("No queries found") else: user = username accBody = websession_templates.tmpl_account_body( ln = ln, user = user, ) #Display warnings if user is superuser roles = acc_find_user_role_actions(user_info) warnings = "0" for role in roles: if "superadmin" in role: warnings = "1" break warning_list = superuser_account_warnings() #check if tickets ok tickets = (acc_authorize_action(user_info, 'runbibedit')[0] == 0) return websession_templates.tmpl_account_page( ln = ln, warnings = warnings, warning_list = warning_list, accBody = accBody, baskets = bask, alerts = aler, searches = sear, messages = msgs, loans = loan, groups = grps, submissions = sbms, approvals = appr, tickets = tickets, administrative = admn ) def superuser_account_warnings(): """Check to see whether admin accounts have default / blank password etc. Returns a list""" warning_array = [] #Try and connect to the mysql database with the default invenio password try: conn = MySQLdb.connect (host = CFG_DATABASE_HOST, user = "root", passwd = "my123p$ss", db = "mysql") conn.close() warning_array.append("warning_mysql_password_equal_to_invenio_password") except: pass #Try and connect to the invenio database with the default invenio password try: conn = MySQLdb.connect (host = CFG_DATABASE_HOST, user = "invenio", passwd = "my123p$ss", db = CFG_DATABASE_NAME) conn.close () warning_array.append("warning_invenio_password_equal_to_default") except: pass #Check if the admin password is empty res = run_sql("SELECT password, email from user where nickname = 'admin'") res1 = run_sql("SELECT email from user where nickname = 'admin' and password = AES_ENCRYPT(%s,'')", (res[0][1], )) for user in res1: warning_array.append("warning_empty_admin_password") #Check if the admin email has been changed from the default if (CFG_SITE_ADMIN_EMAIL == "info@invenio-software.org" or CFG_SITE_SUPPORT_EMAIL == "info@invenio-software.org") and CFG_CERN_SITE == 0: warning_array.append("warning_site_support_email_equal_to_default") #Check for a new release of Invenio try: find = re.compile('Invenio v[0-9]+.[0-9]+.[0-9]+ is released') webFile = urllib.urlopen("http://cdsware.cern.ch/download/RELEASE-NOTES") temp = "" version = "" version1 = "" while 1: temp = webFile.readline() match1 = find.match(temp) try: version = match1.group() break except: pass if not temp: break webFile.close() submatch = re.compile('[0-9]+.[0-9]+.[0-9]+') version1 = submatch.search(version) web_version = version1.group().split(".") local_version = CFG_VERSION.split(".") if web_version[0] > local_version[0]: warning_array.append("note_new_release_available") elif web_version[0] == local_version[0] and web_version[1] > local_version[1]: warning_array.append("note_new_release_available") elif web_version[0] == local_version[0] and web_version[1] == local_version[1] and web_version[2] > local_version[2]: warning_array.append("note_new_release_available") except: warning_array.append("error_cannot_download_release_notes") return warning_array def template_account(title, body, ln): """It is a template for print each of the options from the user's account.""" return websession_templates.tmpl_account_template( ln = ln, title = title, body = body ) def warning_guest_user(type, ln=CFG_SITE_LANG): """It returns an alert message,showing that the user is a guest user and should log into the system.""" # load the right message language _ = gettext_set_language(ln) return websession_templates.tmpl_warning_guest_user( ln = ln, type = type, ) def perform_delete(ln): """Delete the account of the user, not implement yet.""" # TODO return websession_templates.tmpl_account_delete(ln = ln) def perform_set(email, ln, can_config_bibcatalog = False, verbose = 0): """Perform_set(email,password): edit your account parameters, email and password. If can_config_bibcatalog is True, show the bibcatalog dialog (if configured). """ try: res = run_sql("SELECT id, nickname FROM user WHERE email=%s", (email,)) uid = res[0][0] nickname = res[0][1] except: uid = 0 nickname = "" CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS_LOCAL = CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS prefs = get_user_preferences(uid) - if CFG_EXTERNAL_AUTHENTICATION.has_key(prefs['login_method']) and CFG_EXTERNAL_AUTHENTICATION[prefs['login_method']][0]: + if CFG_EXTERNAL_AUTHENTICATION.has_key(prefs['login_method']) and CFG_EXTERNAL_AUTHENTICATION[prefs['login_method']] is not None: CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS_LOCAL = 3 out = websession_templates.tmpl_user_preferences( ln = ln, email = email, email_disabled = (CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS_LOCAL >= 2), password_disabled = (CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS_LOCAL >= 3), nickname = nickname, ) if len(CFG_EXTERNAL_AUTHENTICATION) > 1: try: uid = run_sql("SELECT id FROM user where email=%s", (email,)) uid = uid[0][0] except: uid = 0 current_login_method = prefs['login_method'] methods = CFG_EXTERNAL_AUTHENTICATION.keys() # Filtering out methods that don't provide user_exists to check if # a user exists in the external auth method before letting him/her # to switch. for method in methods: - if CFG_EXTERNAL_AUTHENTICATION[method][0]: + if CFG_EXTERNAL_AUTHENTICATION[method] is not None: try: - if not CFG_EXTERNAL_AUTHENTICATION[method][0].user_exists(email): + if not CFG_EXTERNAL_AUTHENTICATION[method].user_exists(email): methods.remove(method) - except (AttributeError, InvenioWebAccessExternalAuthError): + except (AttributeError, InvenioWebAccessExternalAuthError, NotImplementedError): methods.remove(method) methods.sort() if len(methods) > 1: out += websession_templates.tmpl_user_external_auth( ln = ln, methods = methods, current = current_login_method, method_disabled = (CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 4) ) current_group_records = prefs.get('websearch_group_records', 10) show_latestbox = prefs.get('websearch_latestbox', True) show_helpbox = prefs.get('websearch_helpbox', True) out += websession_templates.tmpl_user_websearch_edit( ln = ln, current = current_group_records, show_latestbox = show_latestbox, show_helpbox = show_helpbox, ) preferred_lang = prefs.get('language', ln) out += websession_templates.tmpl_user_lang_edit( ln = ln, preferred_lang = preferred_lang ) #show this dialog only if the system has been configured to use a ticket system from invenio.config import CFG_BIBCATALOG_SYSTEM if CFG_BIBCATALOG_SYSTEM and can_config_bibcatalog: bibcatalog_username = prefs.get('bibcatalog_username', "") bibcatalog_password = prefs.get('bibcatalog_password', "") out += websession_templates.tmpl_user_bibcatalog_auth(bibcatalog_username, \ bibcatalog_password, ln=ln) if verbose >= 9: for key, value in prefs.items(): out += "%s:%s
" % (key, value) out += perform_display_external_user_settings(prefs, ln) return out def create_register_page_box(referer='', ln=CFG_SITE_LANG): """Register a new account.""" return websession_templates.tmpl_register_page( referer = referer, ln = ln, level = CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS, ) ## create_login_page_box(): ask for the user's email and password, for login into the system -def create_login_page_box(referer='', apache_msg="", ln=CFG_SITE_LANG): +def create_login_page_box(referer='', ln=CFG_SITE_LANG): # List of referer regexep and message to print _ = gettext_set_language(ln) login_referrer2msg = ( (re.compile(r"/search"), "
" + _("This collection is restricted. If you think you have right to access it, please authenticate yourself.") + "
"), (re.compile(r"/record/\d+/files/.+"), "" + _("This file is restricted. If you think you have right to access it, please authenticate yourself.") + "
"), ) msg = "" for regexp, txt in login_referrer2msg: if regexp.search(referer): msg = txt break - # FIXME: Temporary Hack to help CDS current migration - if CFG_CERN_SITE and apache_msg: - return msg + apache_msg - - if apache_msg: - msg += apache_msg + "2) Otherwise please authenticate yourself" \ - " in the following form:
" - internal = None for system in CFG_EXTERNAL_AUTHENTICATION.keys(): - if not CFG_EXTERNAL_AUTHENTICATION[system][0]: + if CFG_EXTERNAL_AUTHENTICATION[system] is None: internal = system break register_available = CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS <= 1 and internal - methods = CFG_EXTERNAL_AUTHENTICATION.keys() + ## Let's retrieve all the login method that are not dedicated to robots + methods = [method[0] for method in CFG_EXTERNAL_AUTHENTICATION.iteritems() if not method[1] or not method[1].robot_login_method_p()] methods.sort() - selected = '' - for method in methods: - if CFG_EXTERNAL_AUTHENTICATION[method][1]: - selected = method - break return websession_templates.tmpl_login_form( ln = ln, referer = referer, internal = internal, register_available = register_available, methods = methods, - selected_method = selected, + selected_method = CFG_EXTERNAL_AUTH_DEFAULT, msg = msg, ) # perform_logout: display the message of not longer authorized, def perform_logout(req, ln): return websession_templates.tmpl_account_logout(ln = ln) #def perform_lost: ask the user for his email, in order to send him the lost password def perform_lost(ln): return websession_templates.tmpl_lost_password_form(ln) #def perform_reset_password: ask the user for a new password to reset the lost one def perform_reset_password(ln, email, reset_key, msg=''): return websession_templates.tmpl_reset_password_form(ln, email, reset_key, msg) # perform_emailSent(email): confirm that the password has been emailed to 'email' address def perform_emailSent(email, ln): return websession_templates.tmpl_account_emailSent(ln = ln, email = email) # peform_emailMessage : display a error message when the email introduced is not correct, and sugest to try again def perform_emailMessage(eMsg, ln): return websession_templates.tmpl_account_emailMessage( ln = ln, msg = eMsg ) # perform_back(): template for return to a previous page, used for login,register and setting def perform_back(mess, url, linkname, ln='en'): return websession_templates.tmpl_back_form( ln = ln, message = mess, url = url, link = linkname, ) diff --git a/modules/websession/lib/webgroup.py b/modules/websession/lib/webgroup.py index 707988d79..ca678c47b 100644 --- a/modules/websession/lib/webgroup.py +++ b/modules/websession/lib/webgroup.py @@ -1,883 +1,883 @@ ## This file is part of Invenio. ## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 CERN. ## ## Invenio is free software; you can redistribute it and/or ## modify it under the terms of the GNU General Public License as ## published by the Free Software Foundation; either version 2 of the ## License, or (at your option) any later version. ## ## Invenio is distributed in the hope that it will be useful, but ## WITHOUT ANY WARRANTY; without even the implied warranty of ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ## General Public License for more details. ## ## You should have received a copy of the GNU General Public License ## along with Invenio; if not, write to the Free Software Foundation, Inc., ## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. """Group features.""" __revision__ = "$Id$" import sys from invenio.config import CFG_SITE_LANG from invenio.messages import gettext_set_language from invenio.websession_config import CFG_WEBSESSION_INFO_MESSAGES, \ CFG_WEBSESSION_USERGROUP_STATUS, \ CFG_WEBSESSION_GROUP_JOIN_POLICY from invenio.webuser import nickname_valid_p, get_user_info from invenio.webmessage import perform_request_send import invenio.webgroup_dblayer as db from invenio.dbquery import IntegrityError try: import invenio.template websession_templates = invenio.template.load('websession') except ImportError: pass if sys.hexversion < 0x2040000: # pylint: disable=W0622 from sets import Set as set # pylint: enable=W0622 def perform_request_groups_display(uid, infos=[], errors = [], warnings = [], \ ln=CFG_SITE_LANG): """Display all the groups the user belongs to. @param uid: user id @param info: info about last user action @param ln: language @return: a (body, errors[], warnings[]) formed tuple """ _ = gettext_set_language(ln) body = "" (body_admin, errors_admin) = display_admin_groups(uid, ln) (body_member, errors_member) = display_member_groups(uid, ln) (body_external, errors_external) = display_external_groups(uid, ln) if errors_admin: errors.extend(errors_admin) if errors_member: errors.extend(errors_member) if errors_external: errors.extend(errors_external) body = websession_templates.tmpl_display_all_groups(infos=infos, admin_group_html=body_admin, member_group_html=body_member, external_group_html=body_external, warnings=warnings, ln=ln) return (body, errors, warnings) def display_admin_groups(uid, ln=CFG_SITE_LANG): """Display groups the user is admin of. @param uid: user id @param ln: language @return: a (body, errors[]) formed tuple return html groups representation the user is admin of """ body = "" errors = [] record = db.get_groups_by_user_status(uid=uid, user_status=CFG_WEBSESSION_USERGROUP_STATUS["ADMIN"]) body = websession_templates.tmpl_display_admin_groups(groups=record, ln=ln) return (body, errors) def display_member_groups(uid, ln=CFG_SITE_LANG): """Display groups the user is member of. @param uid: user id @param ln: language @return: a (body, errors[]) formed tuple body : html groups representation the user is member of """ body = "" errors = [] records = db.get_groups_by_user_status(uid, user_status=CFG_WEBSESSION_USERGROUP_STATUS["MEMBER"] ) body = websession_templates.tmpl_display_member_groups(groups=records, ln=ln) return (body, errors) def display_external_groups(uid, ln=CFG_SITE_LANG): """Display groups the user is admin of. @param uid: user id @param ln: language @return: a (body, errors[]) formed tuple return html groups representation the user is admin of """ body = "" errors = [] record = db.get_external_groups(uid) if record: body = websession_templates.tmpl_display_external_groups(groups=record, ln=ln) else: body = None return (body, errors) def perform_request_input_create_group(group_name, group_description, join_policy, warnings=[], ln=CFG_SITE_LANG): """Display form for creating new group. @param group_name: name of the group entered if the page has been reloaded @param group_description: description entered if the page has been reloaded @param join_policy: join policy chosen if the page has been reloaded @param warnings: warnings @param ln: language @return: a (body, errors[], warnings[]) formed tuple body: html for group creation page """ body = "" errors = [] body = websession_templates.tmpl_display_input_group_info(group_name, group_description, join_policy, act_type="create", warnings=warnings, ln=ln) return (body, errors, warnings) def perform_request_create_group(uid, group_name, group_description, join_policy, ln=CFG_SITE_LANG): """Create new group. @param group_name: name of the group entered @param group_description: description of the group entered @param join_policy: join policy of the group entered @param ln: language @return: a (body, errors, warnings) formed tuple warning != [] if group_name or join_policy are not valid or if the name already exists in the database body="1" if succeed in order to display info on the main page """ _ = gettext_set_language(ln) body = "" warnings = [] errors = [] infos = [] if group_name == "": warnings.append(('WRN_WEBSESSION_NO_GROUP_NAME',)) (body, errors, warnings) = perform_request_input_create_group( group_name, group_description, join_policy, warnings=warnings) elif not group_name_valid_p(group_name): warnings.append('WRN_WEBSESSION_NOT_VALID_GROUP_NAME') (body, errors, warnings) = perform_request_input_create_group( group_name, group_description, join_policy, warnings=warnings) elif join_policy=="-1": warnings.append('WRN_WEBSESSION_NO_JOIN_POLICY') (body, errors, warnings) = perform_request_input_create_group( group_name, group_description, join_policy, warnings=warnings) elif db.group_name_exist(group_name): warnings.append('WRN_WEBSESSION_GROUP_NAME_EXISTS') (body, errors, warnings) = perform_request_input_create_group( group_name, group_description, join_policy, warnings=warnings) else: db.insert_new_group(uid, group_name, group_description, join_policy) infos.append(CFG_WEBSESSION_INFO_MESSAGES["GROUP_CREATED"]) (body, errors, warnings) = perform_request_groups_display(uid, infos=infos, errors=errors, warnings=warnings, ln=ln) return (body, errors, warnings) def perform_request_input_join_group(uid, group_name, search, warnings=[], ln=CFG_SITE_LANG): """Return html for joining new group. @param group_name: name of the group entered if user is looking for a group @param search=1 if search performed else 0 @param warnings: warnings coming from perform_request_join_group @param ln: language @return: a (body, errors[], warnings[]) formed tuple """ errors = [] group_from_search = {} records = db.get_visible_group_list(uid=uid) if search: group_from_search = db.get_visible_group_list(uid, group_name) body = websession_templates.tmpl_display_input_join_group(records.items(), group_name, group_from_search.items(), search, warnings=warnings, ln=ln) return (body, errors, warnings) def perform_request_join_group(uid, grpID, group_name, search, ln=CFG_SITE_LANG): """Join group. @param grpID: list of the groups the user wants to join, only one value must be selected among the two group lists (default group list, group list resulting from the search) @param group_name: name of the group entered if search on name performed @param search=1 if search performed else 0 @param ln: language @return: a (body, errors[], warnings[]) formed tuple warnings != [] if 0 or more than one group is selected """ _ = gettext_set_language(ln) body = "" warnings = [] errors = [] infos = [] if "-1" in grpID: grpID = filter(lambda x: x != '-1', grpID) if len(grpID)==1 : grpID = int(grpID[0]) # test if user is already member or pending status = db.get_user_status(uid, grpID) if status: warnings.append('WRN_WEBSESSION_ALREADY_MEMBER') (body, errors, warnings) = perform_request_groups_display(uid, infos=infos, errors=errors, warnings=warnings, ln=ln) # insert new user of group else: group_infos = db.get_group_infos(grpID) group_type = group_infos[0][3] if group_type == CFG_WEBSESSION_GROUP_JOIN_POLICY["VISIBLEMAIL"]: db.insert_new_member(uid, grpID, CFG_WEBSESSION_USERGROUP_STATUS["PENDING"]) admin = db.get_users_by_status(grpID, CFG_WEBSESSION_USERGROUP_STATUS["ADMIN"])[0][1] group_name = group_infos[0][1] msg_subjet, msg_body = websession_templates.tmpl_admin_msg( group_name=group_name, grpID=grpID, ln=ln) (body, errors, warnings, dummy, dummy) = \ perform_request_send(uid, msg_to_user=admin, msg_to_group="", msg_subject=msg_subjet, msg_body=msg_body, ln=ln) infos.append(CFG_WEBSESSION_INFO_MESSAGES["JOIN_REQUEST"]) elif group_type == CFG_WEBSESSION_GROUP_JOIN_POLICY["VISIBLEOPEN"]: db.insert_new_member(uid, grpID, CFG_WEBSESSION_USERGROUP_STATUS["MEMBER"]) infos.append(CFG_WEBSESSION_INFO_MESSAGES["JOIN_GROUP"]) (body, errors, warnings) = perform_request_groups_display(uid, infos=infos, errors=errors, warnings=warnings, ln=ln) else: warnings.append('WRN_WEBSESSION_MULTIPLE_GROUPS') (body, errors, warnings) = perform_request_input_join_group(uid, group_name, search, warnings, ln) return (body, errors, warnings) def perform_request_input_leave_group(uid, warnings=[], ln=CFG_SITE_LANG): """Return html for leaving group. @param uid: user ID @param warnings: warnings != [] if 0 group is selected or if not admin of the @param ln: language @return: a (body, errors[], warnings[]) formed tuple """ body = "" errors = [] groups = [] records = db.get_groups_by_user_status(uid=uid, user_status=CFG_WEBSESSION_USERGROUP_STATUS["MEMBER"]) map(lambda x: groups.append((x[0], x[1])), records) body = websession_templates.tmpl_display_input_leave_group(groups, warnings=warnings, ln=ln) return (body, errors, warnings) def perform_request_leave_group(uid, grpID, confirmed=0, ln=CFG_SITE_LANG): """Leave group. @param uid: user ID @param grpID: ID of the group the user wants to leave @param warnings: warnings != [] if 0 group is selected @param confirmed: a confirmed page is first displayed @param ln: language @return: a (body, errors[], warnings[]) formed tuple """ _ = gettext_set_language(ln) body = "" warnings = [] errors = [] infos = [] if not grpID == -1: if confirmed: db.leave_group(grpID, uid) infos.append(CFG_WEBSESSION_INFO_MESSAGES["LEAVE_GROUP"]) (body, errors, warnings) = perform_request_groups_display(uid, infos=infos, errors=errors, warnings=warnings, ln=ln) else: body = websession_templates.tmpl_confirm_leave(uid, grpID, ln) else: warnings.append('WRN_WEBSESSION_NO_GROUP_SELECTED') (body, errors, warnings) = perform_request_input_leave_group(uid, warnings= warnings, ln=ln) return (body, errors, warnings) def perform_request_edit_group(uid, grpID, warnings=[], ln=CFG_SITE_LANG): """Return html for group editing. @param uid: user ID @param grpID: ID of the group @param warnings: warnings @param ln: language @return: a (body, errors[], warnings[]) formed tuple """ body = '' errors = [] user_status = db.get_user_status(uid, grpID) if not len(user_status): errors.append('ERR_WEBSESSION_DB_ERROR') return (body, errors, warnings) elif user_status[0][0] != CFG_WEBSESSION_USERGROUP_STATUS['ADMIN']: errors.append(('ERR_WEBSESSION_GROUP_NO_RIGHTS',)) return (body, errors, warnings) group_infos = db.get_group_infos(grpID)[0] if not len(group_infos): errors.append('ERR_WEBSESSION_DB_ERROR') return (body, errors, warnings) body = websession_templates.tmpl_display_input_group_info( group_name=group_infos[1], group_description=group_infos[2], join_policy=group_infos[3], act_type="update", grpID=grpID, warnings=warnings, ln=ln) return (body, errors, warnings) def perform_request_update_group(uid, grpID, group_name, group_description, join_policy, ln=CFG_SITE_LANG): """Update group datas in database. @param uid: user ID @param grpID: ID of the group @param group_name: name of the group @param group_description: description of the group @param join_policy: join policy of the group @param ln: language @return: a (body, errors[], warnings[]) formed tuple """ body = '' errors = [] warnings = [] infos = [] _ = gettext_set_language(ln) group_name_available = db.group_name_exist(group_name) if group_name == "": warnings.append('WRN_WEBSESSION_NO_GROUP_NAME') (body, errors, warnings) = perform_request_edit_group(uid, grpID, warnings=warnings, ln=ln) elif not group_name_valid_p(group_name): warnings.append('WRN_WEBSESSION_NOT_VALID_GROUP_NAME') (body, errors, warnings) = perform_request_edit_group(uid, grpID, warnings=warnings, ln=ln) elif join_policy == "-1": warnings.append('WRN_WEBSESSION_NO_JOIN_POLICY') (body, errors, warnings) = perform_request_edit_group(uid, grpID, warnings=warnings, ln=ln) elif (group_name_available and group_name_available[0][0]!= grpID): warnings.append('WRN_WEBSESSION_GROUP_NAME_EXISTS') (body, errors, warnings) = perform_request_edit_group(uid, grpID, warnings=warnings, ln=ln) else: grpID = db.update_group_infos(grpID, group_name, group_description, join_policy) infos.append(CFG_WEBSESSION_INFO_MESSAGES["GROUP_UPDATED"]) (body, errors, warnings) = perform_request_groups_display(uid, infos=infos, errors=errors, warnings=warnings, ln=CFG_SITE_LANG) return (body, errors, warnings) def perform_request_delete_group(uid, grpID, confirmed=0, ln=CFG_SITE_LANG): """First display confirm message(confirmed=0). then(confirmed=1) delete group and all its members @param uid: user ID @param grpID: ID of the group @param confirmed: =1 if confirmed message has been previously displayed @param ln: language @return: a (body, errors[], warnings[]) formed tuple """ body = "" warnings = [] errors = [] infos = [] _ = gettext_set_language(ln) group_infos = db.get_group_infos(grpID) user_status = db.get_user_status(uid, grpID) if not group_infos: warnings.append('WRN_WEBSESSION_GROUP_ALREADY_DELETED') (body, errors, warnings) = perform_request_groups_display(uid, infos=infos, errors=errors, warnings=warnings, ln=CFG_SITE_LANG) else: if not len(user_status): errors.append('ERR_WEBSESSION_DB_ERROR') elif confirmed: group_infos = db.get_group_infos(grpID) group_name = group_infos[0][1] msg_subjet, msg_body = websession_templates.tmpl_delete_msg( group_name=group_name, ln=ln) (body, errors, warnings, dummy, dummy) = perform_request_send( uid, msg_to_user="", msg_to_group=group_name, msg_subject=msg_subjet, msg_body=msg_body, ln=ln) db.delete_group_and_members(grpID) infos.append(CFG_WEBSESSION_INFO_MESSAGES["GROUP_DELETED"]) (body, errors, warnings) = perform_request_groups_display(uid, infos=infos, errors=errors, warnings=warnings, ln=CFG_SITE_LANG) else: body = websession_templates.tmpl_confirm_delete(grpID, ln) return (body, errors, warnings) def perform_request_manage_member(uid, grpID, infos=[], warnings=[], ln=CFG_SITE_LANG): """Return html for managing group's members. @param uid: user ID @param grpID: ID of the group @param info: info about last user action @param warnings: warnings @param ln: language @return: a (body, errors[], warnings[]) formed tuple """ body = '' errors = [] _ = gettext_set_language(ln) user_status = db.get_user_status(uid, grpID) if not len(user_status): errors.append('ERR_WEBSESSION_DB_ERROR') return (body, errors, warnings) elif user_status[0][0] != CFG_WEBSESSION_USERGROUP_STATUS['ADMIN']: errors.append(('ERR_WEBSESSION_GROUP_NO_RIGHTS',)) return (body, errors, warnings) group_infos = db.get_group_infos(grpID) if not len(group_infos): errors.append('ERR_WEBSESSION_DB_ERROR') return (body, errors, warnings) members = db.get_users_by_status(grpID, CFG_WEBSESSION_USERGROUP_STATUS["MEMBER"]) pending_members = db.get_users_by_status(grpID, CFG_WEBSESSION_USERGROUP_STATUS["PENDING"]) body = websession_templates.tmpl_display_manage_member(grpID=grpID, group_name=group_infos[0][1], members=members, pending_members=pending_members, warnings=warnings, infos=infos, ln=ln) return (body, errors, warnings) def perform_request_remove_member(uid, grpID, member_id, ln=CFG_SITE_LANG): """Remove member from a group. @param uid: user ID @param grpID: ID of the group @param member_id: selected member ID @param ln: language @return: a (body, errors[], warnings[]) formed tuple """ body = '' errors = [] warnings = [] infos = [] _ = gettext_set_language(ln) user_status = db.get_user_status(uid, grpID) if not len(user_status): errors.append('ERR_WEBSESSION_DB_ERROR') return (body, errors, warnings) if member_id == -1: warnings.append('WRN_WEBSESSION_NO_MEMBER_SELECTED') (body, errors, warnings) = perform_request_manage_member(uid, grpID, warnings=warnings, ln=ln) else: db.delete_member(grpID, member_id) infos.append(CFG_WEBSESSION_INFO_MESSAGES["MEMBER_DELETED"]) (body, errors, warnings) = perform_request_manage_member(uid, grpID, infos=infos, warnings=warnings, ln=ln) return (body, errors, warnings) def perform_request_add_member(uid, grpID, user_id, ln=CFG_SITE_LANG): """Add waiting member to a group. @param uid: user ID @param grpID: ID of the group @param user_id: selected member ID @param ln: language @return: a (body, errors[], warnings[]) formed tuple """ body = '' errors = [] warnings = [] infos = [] _ = gettext_set_language(ln) user_status = db.get_user_status(uid, grpID) if not len(user_status): errors.append('ERR_WEBSESSION_DB_ERROR') return (body, errors, warnings) if user_id == -1: warnings.append('WRN_WEBSESSION_NO_USER_SELECTED_ADD') (body, errors, warnings) = perform_request_manage_member(uid, grpID, warnings=warnings, ln=ln) else : # test if user is already member or pending status = db.get_user_status(user_id, grpID) if status and status[0][0] == 'M': warnings.append('WRN_WEBSESSION_ALREADY_MEMBER_ADD') (body, errors, warnings) = perform_request_manage_member(uid, grpID, infos=infos, warnings=warnings, ln=ln) else: db.add_pending_member(grpID, user_id, CFG_WEBSESSION_USERGROUP_STATUS["MEMBER"]) infos.append(CFG_WEBSESSION_INFO_MESSAGES["MEMBER_ADDED"]) group_infos = db.get_group_infos(grpID) group_name = group_infos[0][1] user = get_user_info(user_id, ln)[2] msg_subjet, msg_body = websession_templates.tmpl_member_msg( group_name=group_name, accepted=1, ln=ln) (body, errors, warnings, dummy, dummy) = perform_request_send( uid, msg_to_user=user, msg_to_group="", msg_subject=msg_subjet, msg_body=msg_body, ln=ln) (body, errors, warnings) = perform_request_manage_member(uid, grpID, infos=infos, warnings=warnings, ln=ln) return (body, errors, warnings) def perform_request_reject_member(uid, grpID, user_id, ln=CFG_SITE_LANG): """Reject waiting member and delete it from the list. @param uid: user ID @param grpID: ID of the group @param member_id: selected member ID @param ln: language @return: a (body, errors[], warnings[]) formed tuple """ body = '' errors = [] warnings = [] infos = [] _ = gettext_set_language(ln) user_status = db.get_user_status(uid, grpID) if not len(user_status): errors.append('ERR_WEBSESSION_DB_ERROR') return (body, errors, warnings) if user_id == -1: warnings.append('WRN_WEBSESSION_NO_USER_SELECTED_DEL') (body, errors, warnings) = perform_request_manage_member(uid, grpID, warnings=warnings, ln=ln) else : # test if user is already member or pending status = db.get_user_status(user_id, grpID) if not status: warnings.append('WRN_WEBSESSION_ALREADY_MEMBER_REJECT') (body, errors, warnings) = perform_request_manage_member(uid, grpID, infos=infos, warnings=warnings, ln=ln) else: db.delete_member(grpID, user_id) group_infos = db.get_group_infos(grpID) group_name = group_infos[0][1] user = get_user_info(user_id, ln)[2] msg_subjet, msg_body = websession_templates.tmpl_member_msg( group_name=group_name, accepted=0, ln=ln) (body, errors, warnings, dummy, dummy) = perform_request_send( uid, msg_to_user=user, msg_to_group="", msg_subject=msg_subjet, msg_body=msg_body, ln=ln) infos.append(CFG_WEBSESSION_INFO_MESSAGES["MEMBER_REJECTED"]) (body, errors, warnings) = perform_request_manage_member(uid, grpID, infos=infos, warnings=warnings, ln=ln) return (body, errors, warnings) def account_group(uid, ln=CFG_SITE_LANG): """Display group info for myaccount.py page. @param uid: user id (int) @param ln: language @return: html body """ nb_admin_groups = db.count_nb_group_user(uid, CFG_WEBSESSION_USERGROUP_STATUS["ADMIN"]) nb_member_groups = db.count_nb_group_user(uid, CFG_WEBSESSION_USERGROUP_STATUS["MEMBER"]) nb_total_groups = nb_admin_groups + nb_member_groups return websession_templates.tmpl_group_info(nb_admin_groups, nb_member_groups, nb_total_groups, ln=ln) def get_navtrail(ln=CFG_SITE_LANG, title=""): """Gets the navtrail for title. @param title: title of the page @param ln: language @return: HTML output """ navtrail = websession_templates.tmpl_navtrail(ln, title) return navtrail def synchronize_external_groups(userid, groups, login_method): """Synchronize external groups adding new groups that aren't already added, adding subscription for userid to groups, for groups that the user isn't already subsribed to, removing subscription to groups the user is no more subsribed to. @param userid, the intger representing the user inside the db @param groups, a dictionary of group_name : group_description @param login_method, a string unique to the type of authentication the groups are associated to, to be used inside the db """ groups_already_known = db.get_login_method_groups(userid, login_method) group_dict = {} for name, groupid in groups_already_known: group_dict[name] = groupid groups_already_known_name = set([g[0] for g in groups_already_known]) groups_name = set(groups.keys()) nomore_groups = groups_already_known_name - groups_name for group in nomore_groups: # delete the user from no more affiliated group db.delete_member(group_dict[group], userid) potential_new_groups = groups_name - groups_already_known_name for group in potential_new_groups: groupid = db.get_group_id(group, login_method) if groupid: # Adding the user to an already existent group db.insert_new_member(userid, groupid[0][0], CFG_WEBSESSION_USERGROUP_STATUS['MEMBER']) else: # Adding a new group try: groupid = db.insert_new_group(userid, group, groups[group], \ CFG_WEBSESSION_GROUP_JOIN_POLICY['VISIBLEEXTERNAL'], \ login_method) db.add_pending_member(groupid, userid, CFG_WEBSESSION_USERGROUP_STATUS['MEMBER']) except IntegrityError: ## The group already exists? Maybe because of concurrency? groupid = db.get_group_id(group, login_method) if groupid: # Adding the user to an already existent group db.insert_new_member(userid, groupid[0][0], CFG_WEBSESSION_USERGROUP_STATUS['MEMBER']) def synchronize_groups_with_login_method(): """For each login_method, if possible, synchronize groups in a bulk fashion (i.e. when fetch_all_users_groups_membership is implemented in the external_authentication class). Otherwise, for each user that belong to at least one external group for a given login_method, ask, if possible, for his group memberships and merge them. """ from invenio.access_control_config import CFG_EXTERNAL_AUTHENTICATION for login_method, authorizer in CFG_EXTERNAL_AUTHENTICATION.items(): - if authorizer[0]: + if authorizer: try: - usersgroups = authorizer[0].fetch_all_users_groups_membership() + usersgroups = authorizer.fetch_all_users_groups_membership() synchronize_all_external_groups(usersgroups, login_method) except (NotImplementedError, NameError): users = db.get_all_users_with_groups_with_login_method( login_method) for email, uid in users.items(): try: - groups = authorizer[0].fetch_user_groups_membership( + groups = authorizer.fetch_user_groups_membership( email) synchronize_external_groups(uid, groups, login_method) except (NotImplementedError, NameError): pass def synchronize_all_external_groups(usersgroups, login_method): """Merges all the groups vs users memberships. @param usersgroups: is {'mygroup': ('description', ['email1', 'email2', ...]), ...} @return: True in case everythings is ok, False otherwise """ db_users = db.get_all_users() # All users of the database {email:uid, ...} db_users_set = set(db_users.keys()) # Set of all users set('email1', # 'email2', ...) for key, value in usersgroups.items(): # cleaning users not in db cleaned_user_list = set() for username in value[1]: username = username.upper() if username in db_users_set: cleaned_user_list.add(db_users[username]) if cleaned_user_list: usersgroups[key] = (value[0], cleaned_user_list) else: # List of user now is empty del usersgroups[key] # cleaning not interesting groups # now for each group we got a description and a set of uid groups_already_known = db.get_all_login_method_groups(login_method) # groups in the db {groupname: id} groups_already_known_set = set(groups_already_known.keys()) # set of the groupnames in db usersgroups_set = set(usersgroups.keys()) # set of groupnames to be merged # deleted groups! nomore_groups = groups_already_known_set - usersgroups_set for group_name in nomore_groups: db.delete_group_and_members(groups_already_known[group_name]) # new groups! new_groups = usersgroups_set - groups_already_known_set for group_name in new_groups: groupid = db.insert_only_new_group( group_name, usersgroups[group_name][0], # description CFG_WEBSESSION_GROUP_JOIN_POLICY['VISIBLEEXTERNAL'], login_method) for uid in usersgroups[group_name][1]: db.insert_new_member(uid, groupid, CFG_WEBSESSION_USERGROUP_STATUS['MEMBER']) # changed groups? changed_groups = usersgroups_set & groups_already_known_set groups_description = db.get_all_groups_description(login_method) for group_name in changed_groups: users_already_in_group = db.get_users_in_group( groups_already_known[group_name]) users_already_in_group_set = set(users_already_in_group) users_in_group_set = usersgroups[group_name][1] # no more affiliation nomore_users = users_already_in_group_set - users_in_group_set for uid in nomore_users: db.delete_member(groups_already_known[group_name], uid) # new affiliation new_users = users_in_group_set - users_already_in_group_set for uid in new_users: db.insert_new_member(uid, groups_already_known[group_name], CFG_WEBSESSION_USERGROUP_STATUS['MEMBER']) # check description if groups_description[group_name] != usersgroups[group_name][0]: db.update_group_infos(groups_already_known[group_name], group_name, usersgroups[group_name][0], CFG_WEBSESSION_GROUP_JOIN_POLICY['VISIBLEEXTERNAL']) def group_name_valid_p(group_name): """Test if the group's name is valid.""" return nickname_valid_p(group_name) diff --git a/modules/websession/lib/websession_webinterface.py b/modules/websession/lib/websession_webinterface.py index 56745c776..799474296 100644 --- a/modules/websession/lib/websession_webinterface.py +++ b/modules/websession/lib/websession_webinterface.py @@ -1,1296 +1,1357 @@ # -*- coding: utf-8 -*- ## ## This file is part of Invenio. ## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 CERN. ## ## Invenio is free software; you can redistribute it and/or ## modify it under the terms of the GNU General Public License as ## published by the Free Software Foundation; either version 2 of the ## License, or (at your option) any later version. ## ## Invenio is distributed in the hope that it will be useful, but ## WITHOUT ANY WARRANTY; without even the implied warranty of ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ## General Public License for more details. ## ## You should have received a copy of the GNU General Public License ## along with Invenio; if not, write to the Free Software Foundation, Inc., ## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. """Invenio ACCOUNT HANDLING""" __revision__ = "$Id$" __lastupdated__ = """$Date$""" import cgi from datetime import timedelta +import os from invenio.config import \ CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS, \ CFG_ACCESS_CONTROL_LEVEL_SITE, \ CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT, \ CFG_SITE_NAME, \ CFG_SITE_NAME_INTL, \ CFG_SITE_SUPPORT_EMAIL, \ CFG_SITE_SECURE_URL, \ CFG_SITE_URL, \ CFG_CERN_SITE, \ CFG_WEBSESSION_RESET_PASSWORD_EXPIRE_IN_DAYS from invenio import webuser from invenio.webpage import page from invenio import webaccount from invenio import webbasket from invenio import webalert from invenio.dbquery import run_sql from invenio.webmessage import account_new_mail -from invenio.access_control_engine import make_apache_message, make_list_apache_firerole, acc_authorize_action +from invenio.access_control_engine import acc_authorize_action from invenio.webinterface_handler import wash_urlargd, WebInterfaceDirectory +from invenio.webinterface_handler_config import HTTP_BAD_REQUEST from invenio.urlutils import redirect_to_url, make_canonical_urlargd from invenio import webgroup from invenio import webgroup_dblayer from invenio.messages import gettext_set_language, wash_language from invenio.mailutils import send_email from invenio.access_control_mailcookie import mail_cookie_retrieve_kind, \ mail_cookie_check_pw_reset, mail_cookie_delete_cookie, \ mail_cookie_create_pw_reset, mail_cookie_check_role, \ mail_cookie_check_mail_activation, InvenioWebAccessMailCookieError, \ InvenioWebAccessMailCookieDeletedError, mail_cookie_check_authorize_action from invenio.access_control_config import CFG_WEBACCESS_WARNING_MSGS, \ CFG_EXTERNAL_AUTH_USING_SSO, CFG_EXTERNAL_AUTH_LOGOUT_SSO, \ CFG_EXTERNAL_AUTHENTICATION import invenio.template websession_templates = invenio.template.load('websession') bibcatalog_templates = invenio.template.load('bibcatalog') class WebInterfaceYourAccountPages(WebInterfaceDirectory): _exports = ['', 'edit', 'change', 'lost', 'display', 'send_email', 'youradminactivities', 'access', - 'delete', 'logout', 'login', 'register', 'resetpassword'] + 'delete', 'logout', 'login', 'register', 'resetpassword', + 'robotlogin', 'robotlogout'] _force_https = True def index(self, req, form): redirect_to_url(req, '%s/youraccount/display' % CFG_SITE_SECURE_URL) def access(self, req, form): args = wash_urlargd(form, {'mailcookie' : (str, '')}) _ = gettext_set_language(args['ln']) title = _("Mail Cookie Service") try: kind = mail_cookie_retrieve_kind(args['mailcookie']) if kind == 'pw_reset': redirect_to_url(req, '%s/youraccount/resetpassword?k=%s&ln=%s' % (CFG_SITE_SECURE_URL, args['mailcookie'], args['ln'])) elif kind == 'role': uid = webuser.getUid(req) try: (role_name, expiration) = mail_cookie_check_role(args['mailcookie'], uid) except InvenioWebAccessMailCookieDeletedError: return page(title=_("Role authorization request"), req=req, body=_("This request for an authorization has already been authorized."), uid=webuser.getUid(req), navmenuid='youraccount', language=args['ln']) return page(title=title, body=webaccount.perform_back( _("You have successfully obtained an authorization as %(x_role)s! " "This authorization will last until %(x_expiration)s and until " "you close your browser if you are a guest user.") % {'x_role' : '%s' % role_name, 'x_expiration' : '%s' % expiration.strftime("%Y-%m-%d %H:%M:%S")}, '/youraccount/display?ln=%s' % args['ln'], _('login'), args['ln']), req=req, uid=webuser.getUid(req), language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') elif kind == 'mail_activation': try: email = mail_cookie_check_mail_activation(args['mailcookie']) if not email: raise StandardError webuser.confirm_email(email) body = "" + _("You have confirmed the validity of your email" " address!") + "
" if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS == 1: body += "" + _("Please, wait for the administrator to " "enable your account.") + "
" else: uid = webuser.update_Uid(req, email) body += "" + _("You can now go to %(x_url_open)syour account page%(x_url_close)s.") % {'x_url_open' : '' % args['ln'], 'x_url_close' : ''} + "
" return page(title=_("Email address successfully activated"), body=body, req=req, language=args['ln'], uid=webuser.getUid(req), lastupdated=__lastupdated__, navmenuid='youraccount') except InvenioWebAccessMailCookieDeletedError, e: body = "" + _("You have already confirmed the validity of your email address!") + "
" if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS == 1: body += "" + _("Please, wait for the administrator to " "enable your account.") + "
" else: body += "" + _("You can now go to %(x_url_open)syour account page%(x_url_close)s.") % {'x_url_open' : '' % args['ln'], 'x_url_close' : ''} + "
" return page(title=_("Email address successfully activated"), body=body, req=req, language=args['ln'], uid=webuser.getUid(req), lastupdated=__lastupdated__, navmenuid='youraccount') return webuser.page_not_authorized(req, "../youraccount/access", text=_("This request for confirmation of an email " "address is not valid or" " is expired."), navmenuid='youraccount') except InvenioWebAccessMailCookieError: return webuser.page_not_authorized(req, "../youraccount/access", text=_("This request for an authorization is not valid or" " is expired."), navmenuid='youraccount') def resetpassword(self, req, form): args = wash_urlargd(form, { 'k' : (str, ''), 'reset' : (int, 0), 'password' : (str, ''), 'password2' : (str, '') }) _ = gettext_set_language(args['ln']) title = _('Reset password') reset_key = args['k'] try: email = mail_cookie_check_pw_reset(reset_key) except InvenioWebAccessMailCookieDeletedError: return page(title=title, req=req, body=_("This request for resetting a password has already been used."), uid=webuser.getUid(req), navmenuid='youraccount', language=args['ln']) except InvenioWebAccessMailCookieError: return webuser.page_not_authorized(req, "../youraccount/access", text=_("This request for resetting a password is not valid or" " is expired."), navmenuid='youraccount') if email is None or CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 3: return webuser.page_not_authorized(req, "../youraccount/resetpassword", text=_("This request for resetting the password is not valid or" " is expired."), navmenuid='youraccount') if not args['reset']: return page(title=title, body=webaccount.perform_reset_password(args['ln'], email, reset_key), req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') elif args['password'] != args['password2']: msg = _('The two provided passwords aren\'t equal.') return page(title=title, body=webaccount.perform_reset_password(args['ln'], email, reset_key, msg), req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') run_sql('UPDATE user SET password=AES_ENCRYPT(email,%s) WHERE email=%s', (args['password'], email)) mail_cookie_delete_cookie(reset_key) return page(title=title, body=webaccount.perform_back( _("The password was successfully set! " "You can now proceed with the login."), '/youraccount/login?ln=%s' % args['ln'], _('login'), args['ln']), req=req, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') def display(self, req, form): args = wash_urlargd(form, {}) uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(args['ln']) if uid == -1 or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../youraccount/display", navmenuid='youraccount') if webuser.isGuestUser(uid): return page(title=_("Your Account"), body=webaccount.perform_info(req, args['ln']), description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') username = webuser.get_nickname_or_email(uid) user_info = webuser.collect_user_info(req) bask = user_info['precached_usebaskets'] and webbasket.account_list_baskets(uid, ln=args['ln']) or '' aler = user_info['precached_usealerts'] and webalert.account_list_alerts(uid, ln=args['ln']) or '' sear = webalert.account_list_searches(uid, ln=args['ln']) msgs = user_info['precached_usemessages'] and account_new_mail(uid, ln=args['ln']) or '' grps = user_info['precached_usegroups'] and webgroup.account_group(uid, ln=args['ln']) or '' appr = user_info['precached_useapprove'] sbms = user_info['precached_viewsubmissions'] loan = '' admn = webaccount.perform_youradminactivities(user_info, args['ln']) return page(title=_("Your Account"), body=webaccount.perform_display_account(req, username, bask, aler, sear, msgs, loan, grps, sbms, appr, admn, args['ln']), description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') def edit(self, req, form): args = wash_urlargd(form, {"verbose" : (int, 0)}) uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(args['ln']) if uid == -1 or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../youraccount/edit", navmenuid='youraccount') if webuser.isGuestUser(uid): return webuser.page_not_authorized(req, "../youraccount/edit", text=_("This functionality is forbidden to guest users."), navmenuid='youraccount') body = '' user_info = webuser.collect_user_info(req) if args['verbose'] == 9: keys = user_info.keys() keys.sort() for key in keys: body += "%s:%s" % (key, user_info[key]) #check if the user should see bibcatalog user name / passwd in the settings can_config_bibcatalog = (acc_authorize_action(user_info, 'runbibedit')[0] == 0) return page(title= _("Your Settings"), body=body+webaccount.perform_set(webuser.get_email(uid), args['ln'], can_config_bibcatalog, verbose=args['verbose']), navtrail="""""" % (CFG_SITE_SECURE_URL, args['ln']) + _("Your Account") + """""", description=_("%s Personalize, Your Settings") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') def change(self, req, form): args = wash_urlargd(form, { 'nickname': (str, None), 'email': (str, None), 'old_password': (str, None), 'password': (str, None), 'password2': (str, None), 'login_method': (str, ""), 'group_records' : (int, None), 'latestbox' : (int, None), 'helpbox' : (int, None), 'lang' : (str, None), 'bibcatalog_username' : (str, None), 'bibcatalog_password' : (str, None), }) ## Wash arguments: args['login_method'] = wash_login_method(args['login_method']) if args['email']: args['email'] = args['email'].lower() ## Load the right message language: _ = gettext_set_language(args['ln']) ## Identify user and load old preferences: uid = webuser.getUid(req) prefs = webuser.get_user_preferences(uid) ## Check rights: if uid == -1 or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../youraccount/change", navmenuid='youraccount') # FIXME: the branching below is far from optimal. Should be # based on the submitted form name ids, to know precisely on # which form the user clicked. Not on the passed values, as # is the case now. The function body is too big and in bad # need of refactoring anyway. ## Will hold the output messages: mess = '' ## Change login method if needed: if args['login_method'] and CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS < 4 \ - and args['login_method'] in CFG_EXTERNAL_AUTHENTICATION.keys(): + and args['login_method'] in CFG_EXTERNAL_AUTHENTICATION: title = _("Settings edited") act = "/youraccount/display?ln=%s" % args['ln'] linkname = _("Show account") if prefs['login_method'] != args['login_method']: if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 4: mess += '
' + _("Unable to change login method.") - elif not CFG_EXTERNAL_AUTHENTICATION[args['login_method']][0]: + elif not CFG_EXTERNAL_AUTHENTICATION[args['login_method']]: # Switching to internal authentication: we drop any external datas p_email = webuser.get_email(uid) webuser.drop_external_settings(uid) webgroup_dblayer.drop_external_groups(uid) prefs['login_method'] = args['login_method'] webuser.set_user_preferences(uid, prefs) mess += "
" + _("Switched to internal login method.") + " " mess += _("Please note that if this is the first time that you are using this account " "with the internal login method then the system has set for you " "a randomly generated password. Please click the " "following button to obtain a password reset request " "link sent to you via email:") + '
' mess += """""" % (p_email, _("Send Password")) else: query = """SELECT email FROM user WHERE id = %i""" res = run_sql(query % uid) if res: email = res[0][0] else: email = None if not email: mess += '' + _("Unable to switch to external login method %s, because your email address is unknown.") % cgi.escape(args['login_method']) else: try: - if not CFG_EXTERNAL_AUTHENTICATION[args['login_method']][0].user_exists(email): + if not CFG_EXTERNAL_AUTHENTICATION[args['login_method']].user_exists(email): mess += '
' + _("Unable to switch to external login method %s, because your email address is unknown to the external login system.") % cgi.escape(args['login_method']) else: prefs['login_method'] = args['login_method'] webuser.set_user_preferences(uid, prefs) mess += '
' + _("Login method successfully selected.") except AttributeError: mess += '
' + _("The external login method %s does not support email address based logins. Please contact the site administrators.") % cgi.escape(args['login_method']) ## Change email or nickname: if args['email'] or args['nickname']: uid2 = webuser.emailUnique(args['email']) uid_with_the_same_nickname = webuser.nicknameUnique(args['nickname']) if (CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 2 or (CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS <= 1 and \ webuser.email_valid_p(args['email']))) \ and (args['nickname'] is None or webuser.nickname_valid_p(args['nickname'])) \ and uid2 != -1 and (uid2 == uid or uid2 == 0) \ and uid_with_the_same_nickname != -1 and (uid_with_the_same_nickname == uid or uid_with_the_same_nickname == 0): if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS < 3: change = webuser.updateDataUser(uid, args['email'], args['nickname']) else: return webuser.page_not_authorized(req, "../youraccount/change", navmenuid='youraccount') if change: mess += '
' + _("Settings successfully edited.") mess += '
' + _("Note that if you have changed your email address, " "you will have to %(x_url_open)sreset your password%(x_url_close)s anew.") % \ {'x_url_open': '' % (CFG_SITE_SECURE_URL + '/youraccount/lost?ln=%s' % args['ln']), 'x_url_close': ''} act = "/youraccount/display?ln=%s" % args['ln'] linkname = _("Show account") title = _("Settings edited") elif args['nickname'] is not None and not webuser.nickname_valid_p(args['nickname']): mess += '
' + _("Desired nickname %s is invalid.") % cgi.escape(args['nickname']) mess += " " + _("Please try again.") act = "/youraccount/edit?ln=%s" % args['ln'] linkname = _("Edit settings") title = _("Editing settings failed") elif not webuser.email_valid_p(args['email']): mess += '
' + _("Supplied email address %s is invalid.") % cgi.escape(args['email']) mess += " " + _("Please try again.") act = "/youraccount/edit?ln=%s" % args['ln'] linkname = _("Edit settings") title = _("Editing settings failed") elif uid2 == -1 or uid2 != uid and not uid2 == 0: mess += '
' + _("Supplied email address %s already exists in the database.") % cgi.escape(args['email']) mess += " " + websession_templates.tmpl_lost_your_password_teaser(args['ln']) mess += " " + _("Or please try again.") act = "/youraccount/edit?ln=%s" % args['ln'] linkname = _("Edit settings") title = _("Editing settings failed") elif uid_with_the_same_nickname == -1 or uid_with_the_same_nickname != uid and not uid_with_the_same_nickname == 0: mess += '
' + _("Desired nickname %s is already in use.") % cgi.escape(args['nickname']) mess += " " + _("Please try again.") act = "/youraccount/edit?ln=%s" % args['ln'] linkname = _("Edit settings") title = _("Editing settings failed") ## Change passwords: if args['old_password'] or args['password'] or args['password2']: if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 3: mess += '
' + _("Users cannot edit passwords on this site.") else: res = run_sql("SELECT id FROM user " "WHERE AES_ENCRYPT(email,%s)=password AND id=%s", (args['old_password'], uid)) if res: if args['password'] == args['password2']: webuser.updatePasswordUser(uid, args['password']) mess += '
' + _("Password successfully edited.") act = "/youraccount/display?ln=%s" % args['ln'] linkname = _("Show account") title = _("Password edited") else: mess += '
' + _("Both passwords must match.") mess += " " + _("Please try again.") act = "/youraccount/edit?ln=%s" % args['ln'] linkname = _("Edit settings") title = _("Editing password failed") else: mess += '
' + _("Wrong old password inserted.") mess += " " + _("Please try again.") act = "/youraccount/edit?ln=%s" % args['ln'] linkname = _("Edit settings") title = _("Editing password failed") ## Change search-related settings: if args['group_records']: prefs = webuser.get_user_preferences(uid) prefs['websearch_group_records'] = args['group_records'] prefs['websearch_latestbox'] = args['latestbox'] prefs['websearch_helpbox'] = args['helpbox'] webuser.set_user_preferences(uid, prefs) title = _("Settings edited") act = "/youraccount/display?ln=%s" % args['ln'] linkname = _("Show account") mess += '
' + _("User settings saved correctly.") ## Change language-related settings: if args['lang']: lang = wash_language(args['lang']) prefs = webuser.get_user_preferences(uid) prefs['language'] = lang args['ln'] = lang _ = gettext_set_language(lang) webuser.set_user_preferences(uid, prefs) title = _("Settings edited") act = "/youraccount/display?ln=%s" % args['ln'] linkname = _("Show account") mess += '
' + _("User settings saved correctly.") ## Edit cataloging-related settings: if args['bibcatalog_username'] or args['bibcatalog_password']: act = "/youraccount/display?ln=%s" % args['ln'] linkname = _("Show account") if ((len(args['bibcatalog_username']) == 0) or (len(args['bibcatalog_password']) == 0)): title = _("Editing bibcatalog authorization failed") mess += '
' + _("Empty username or password") else: title = _("Settings edited") prefs['bibcatalog_username'] = args['bibcatalog_username'] prefs['bibcatalog_password'] = args['bibcatalog_password'] webuser.set_user_preferences(uid, prefs) mess += '
' + _("User settings saved correctly.") if not mess: mess = _("Unable to update settings.") if not act: act = "/youraccount/edit?ln=%s" % args['ln'] if not linkname: linkname = _("Edit settings") if not title: title = _("Editing settings failed") ## Finally, output the results: return page(title=title, body=webaccount.perform_back(mess, act, linkname, args['ln']), navtrail="""""" % (CFG_SITE_SECURE_URL, args['ln']) + _("Your Account") + """""", description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') def lost(self, req, form): args = wash_urlargd(form, {}) uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(args['ln']) if uid == -1 or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../youraccount/lost", navmenuid='youraccount') return page(title=_("Lost your password?"), body=webaccount.perform_lost(args['ln']), navtrail="""""" % (CFG_SITE_SECURE_URL, args['ln']) + _("Your Account") + """""", description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') def send_email(self, req, form): # set all the declared query fields as local variables args = wash_urlargd(form, {'p_email': (str, None)}) uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(args['ln']) if uid == -1 or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../youraccount/send_email", navmenuid='youraccount') user_prefs = webuser.get_user_preferences(webuser.emailUnique(args['p_email'])) if user_prefs: - if CFG_EXTERNAL_AUTHENTICATION.has_key(user_prefs['login_method']) and \ - CFG_EXTERNAL_AUTHENTICATION[user_prefs['login_method']][0] is not None: + if user_prefs['login_method'] in CFG_EXTERNAL_AUTHENTICATION and \ + CFG_EXTERNAL_AUTHENTICATION[user_prefs['login_method']] is not None: eMsg = _("Cannot send password reset request since you are using external authentication system.") return page(title=_("Your Account"), body=webaccount.perform_emailMessage(eMsg, args['ln']), description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME)), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') try: reset_key = mail_cookie_create_pw_reset(args['p_email'], cookie_timeout=timedelta(days=CFG_WEBSESSION_RESET_PASSWORD_EXPIRE_IN_DAYS)) except InvenioWebAccessMailCookieError: reset_key = None if reset_key is None: eMsg = _("The entered email address does not exist in the database.") return page(title=_("Your Account"), body=webaccount.perform_emailMessage(eMsg, args['ln']), description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') ip_address = req.remote_host or req.remote_ip if not send_email(CFG_SITE_SUPPORT_EMAIL, args['p_email'], "%s %s" % (_("Password reset request for"), CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME)), websession_templates.tmpl_account_reset_password_email_body( args['p_email'],reset_key, ip_address, args['ln'])): eMsg = _("The entered email address is incorrect, please check that it is written correctly (e.g. johndoe@example.com).") return page(title=_("Incorrect email address"), body=webaccount.perform_emailMessage(eMsg, args['ln']), description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') return page(title=_("Reset password link sent"), body=webaccount.perform_emailSent(args['p_email'], args['ln']), description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') def youradminactivities(self, req, form): args = wash_urlargd(form, {}) uid = webuser.getUid(req) user_info = webuser.collect_user_info(req) # load the right message language _ = gettext_set_language(args['ln']) if uid == -1 or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../youraccount/youradminactivities", navmenuid='admin') return page(title=_("Your Administrative Activities"), body=webaccount.perform_youradminactivities(user_info, args['ln']), navtrail="""""" % (CFG_SITE_SECURE_URL, args['ln']) + _("Your Account") + """""", description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='admin') def delete(self, req, form): args = wash_urlargd(form, {}) uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(args['ln']) if uid == -1 or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../youraccount/delete", navmenuid='youraccount') return page(title=_("Delete Account"), body=webaccount.perform_delete(args['ln']), navtrail="""""" % (CFG_SITE_SECURE_URL, args['ln']) + _("Your Account") + """""", description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') def logout(self, req, form): args = wash_urlargd(form, {}) uid = webuser.logoutUser(req) # load the right message language _ = gettext_set_language(args['ln']) if uid == -1 or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../youraccount/logout", navmenuid='youraccount') if CFG_EXTERNAL_AUTH_USING_SSO: return redirect_to_url(req, CFG_EXTERNAL_AUTH_LOGOUT_SSO) return page(title=_("Logout"), body=webaccount.perform_logout(req, args['ln']), navtrail="""""" % (CFG_SITE_SECURE_URL, args['ln']) + _("Your Account") + """""", description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords=_("%s, personalize") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') + def robotlogout(self, req, form): + """ + Implement logout method for external service providers. + """ + webuser.logoutUser(req) + redirect_to_url(req, "%s/img/pix.png" % CFG_SITE_URL) + + def robotlogin(self, req, form): + """ + Implement authentication method for external service providers. + """ + from invenio.external_authentication import InvenioWebAccessExternalAuthError + args = wash_urlargd(form, { + 'login_method': (str, None), + 'remember_me' : (str, ''), + 'referer': (str, ''), + 'p_un': (str, ''), + 'p_pw': (str, '') + }) + # sanity checks: + args['login_method'] = wash_login_method(args['login_method']) + args['remember_me'] = args['remember_me'] != '' + locals().update(args) + if CFG_ACCESS_CONTROL_LEVEL_SITE > 0: + return webuser.page_not_authorized(req, "../youraccount/login?ln=%s" % args['ln'], + navmenuid='youraccount') + uid = webuser.getUid(req) + + # load the right message language + _ = gettext_set_language(args['ln']) + + try: + (iden, args['p_un'], args['p_pw'], msgcode) = webuser.loginUser(req, args['p_un'], args['p_pw'], args['login_method']) + except InvenioWebAccessExternalAuthError, err: + return page("Error", body=str(err)) + if len(iden)>0: + uid = webuser.update_Uid(req, args['p_un'], args['remember_me']) + uid2 = webuser.getUid(req) + if uid2 == -1: + webuser.logoutUser(req) + return webuser.page_not_authorized(req, "../youraccount/login?ln=%s" % args['ln'], uid=uid, + navmenuid='youraccount') + + # login successful! + if args['referer']: + redirect_to_url(req, args['referer']) + else: + return self.display(req, form) + else: + mess = CFG_WEBACCESS_WARNING_MSGS[msgcode] % cgi.escape(args['login_method']) + if msgcode == 14: + if webuser.username_exists_p(args['p_un']): + mess = CFG_WEBACCESS_WARNING_MSGS[15] % cgi.escape(args['login_method']) + act = '/youraccount/login%s' % make_canonical_urlargd({'ln' : args['ln'], 'referer' : args['referer']}, {}) + return page(title=_("Login"), + body=webaccount.perform_back(mess, act, _("login"), args['ln']), + navtrail="""""" % (CFG_SITE_SECURE_URL, args['ln']) + _("Your Account") + """""", + description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), + keywords="%s , personalize" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), + uid=uid, + req=req, + secure_page_p = 1, + language=args['ln'], + lastupdated=__lastupdated__, + navmenuid='youraccount') + + + def login(self, req, form): args = wash_urlargd(form, { 'p_un': (str, None), 'p_pw': (str, None), 'login_method': (str, None), 'action': (str, ''), 'remember_me' : (str, ''), 'referer': (str, '')}) # sanity checks: args['login_method'] = wash_login_method(args['login_method']) if args['p_un']: args['p_un'] = args['p_un'].strip() args['remember_me'] = args['remember_me'] != '' locals().update(args) if CFG_ACCESS_CONTROL_LEVEL_SITE > 0: return webuser.page_not_authorized(req, "../youraccount/login?ln=%s" % args['ln'], navmenuid='youraccount') uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(args['ln']) - apache_msg = "" if args['action']: cookie = args['action'] try: action, arguments = mail_cookie_check_authorize_action(cookie) - apache_msg = make_apache_message(action, arguments, args['referer']) - - # FIXME: Temporary Hack to help CDS current migration - if CFG_CERN_SITE: - roles = make_list_apache_firerole(action, arguments) - if len(roles) == 1: - # There's only one role enabled to see this collection - # Let's redirect to log to it! - return redirect_to_url(req, '%s/%s' % (CFG_SITE_SECURE_URL, make_canonical_urlargd({'realm' : roles[0][0], 'referer' : args['referer']}, {}))) except InvenioWebAccessMailCookieError: pass if not CFG_EXTERNAL_AUTH_USING_SSO: if args['p_un'] is None or not args['login_method']: return page(title=_("Login"), - body=webaccount.create_login_page_box(args['referer'], apache_msg, args['ln']), + body=webaccount.create_login_page_box(args['referer'], args['ln']), navtrail="""""" % (CFG_SITE_SECURE_URL, args['ln']) + _("Your Account") + """""", description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords="%s , personalize" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') (iden, args['p_un'], args['p_pw'], msgcode) = webuser.loginUser(req, args['p_un'], args['p_pw'], args['login_method']) else: # Fake parameters for p_un & p_pw because SSO takes them from the environment (iden, args['p_un'], args['p_pw'], msgcode) = webuser.loginUser(req, '', '', CFG_EXTERNAL_AUTH_USING_SSO) args['remember_me'] = False if len(iden)>0: uid = webuser.update_Uid(req, args['p_un'], args['remember_me']) uid2 = webuser.getUid(req) if uid2 == -1: webuser.logoutUser(req) return webuser.page_not_authorized(req, "../youraccount/login?ln=%s" % args['ln'], uid=uid, navmenuid='youraccount') # login successful! if args['referer']: redirect_to_url(req, args['referer']) else: return self.display(req, form) else: mess = CFG_WEBACCESS_WARNING_MSGS[msgcode] % cgi.escape(args['login_method']) if msgcode == 14: if webuser.username_exists_p(args['p_un']): mess = CFG_WEBACCESS_WARNING_MSGS[15] % cgi.escape(args['login_method']) act = '/youraccount/login%s' % make_canonical_urlargd({'ln' : args['ln'], 'referer' : args['referer']}, {}) return page(title=_("Login"), body=webaccount.perform_back(mess, act, _("login"), args['ln']), navtrail="""""" % (CFG_SITE_SECURE_URL, args['ln']) + _("Your Account") + """""", description="%s Personalize, Main page" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords="%s , personalize" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') def register(self, req, form): args = wash_urlargd(form, { 'p_nickname': (str, None), 'p_email': (str, None), 'p_pw': (str, None), 'p_pw2': (str, None), 'action': (str, "login"), 'referer': (str, "")}) if CFG_ACCESS_CONTROL_LEVEL_SITE > 0: return webuser.page_not_authorized(req, "../youraccount/register?ln=%s" % args['ln'], navmenuid='youraccount') uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(args['ln']) if args['p_nickname'] is None or args['p_email'] is None: return page(title=_("Register"), body=webaccount.create_register_page_box(args['referer'], args['ln']), navtrail="""""" % (CFG_SITE_SECURE_URL, args['ln']) + _("Your Account") + """""", description=_("%s Personalize, Main page") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords="%s , personalize" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') mess = "" act = "" if args['p_pw'] == args['p_pw2']: ruid = webuser.registerUser(req, args['p_email'], args['p_pw'], args['p_nickname'], ln=args['ln']) else: ruid = -2 if ruid == 0: mess = _("Your account has been successfully created.") title = _("Account created") if CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT == 1: mess += " " + _("In order to confirm its validity, an email message containing an account activation key has been sent to the given email address.") mess += " " + _("Please follow instructions presented there in order to complete the account registration process.") if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 1: mess += " " + _("A second email will be sent when the account has been activated and can be used.") elif CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT != 1: uid = webuser.update_Uid(req, args['p_email']) mess += " " + _("You can now access your %(x_url_open)saccount%(x_url_close)s.") %\ {'x_url_open': '', 'x_url_close': ''} elif ruid == -2: mess = _("Both passwords must match.") mess += " " + _("Please try again.") act = "/youraccount/register?ln=%s" % args['ln'] title = _("Registration failure") elif ruid == 1: mess = _("Supplied email address %s is invalid.") % cgi.escape(args['p_email']) mess += " " + _("Please try again.") act = "/youraccount/register?ln=%s" % args['ln'] title = _("Registration failure") elif ruid == 2: mess = _("Desired nickname %s is invalid.") % cgi.escape(args['p_nickname']) mess += " " + _("Please try again.") act = "/youraccount/register?ln=%s" % args['ln'] title = _("Registration failure") elif ruid == 3: mess = _("Supplied email address %s already exists in the database.") % cgi.escape(args['p_email']) mess += " " + websession_templates.tmpl_lost_your_password_teaser(args['ln']) mess += " " + _("Or please try again.") act = "/youraccount/register?ln=%s" % args['ln'] title = _("Registration failure") elif ruid == 4: mess = _("Desired nickname %s already exists in the database.") % cgi.escape(args['p_nickname']) mess += " " + _("Please try again.") act = "/youraccount/register?ln=%s" % args['ln'] title = _("Registration failure") elif ruid == 5: mess = _("Users cannot register themselves, only admin can register them.") act = "/youraccount/register?ln=%s" % args['ln'] title = _("Registration failure") elif ruid == 6: mess = _("The site is having troubles in sending you an email for confirming your email address.") + _("The error has been logged and will be taken in consideration as soon as possible.") act = "/youraccount/register?ln=%s" % args['ln'] title = _("Registration failure") else: # this should never happen mess = _("Internal Error") act = "/youraccount/register?ln=%s" % args['ln'] title = _("Registration failure") return page(title=title, body=webaccount.perform_back(mess,act, _("register"), args['ln']), navtrail="""""" % (CFG_SITE_SECURE_URL, args['ln']) + _("Your Account") + """""", description=_("%s Personalize, Main page") % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), keywords="%s , personalize" % CFG_SITE_NAME_INTL.get(args['ln'], CFG_SITE_NAME), uid=uid, req=req, secure_page_p = 1, language=args['ln'], lastupdated=__lastupdated__, navmenuid='youraccount') class WebInterfaceYourTicketsPages(WebInterfaceDirectory): #support for /yourtickets url _exports = ['', 'display'] def __call__(self, req, form): #if there is no trailing slash self.index(req, form) def index(self, req, form): #take all the parameters.. unparsed_uri = req.unparsed_uri qstr = "" if unparsed_uri.count('?') > 0: dummy, qstr = unparsed_uri.split('?') qstr = '?'+qstr redirect_to_url(req, '/yourtickets/display'+qstr) def display(self, req, form): #show tickets for this user argd = wash_urlargd(form, {'ln': (str, ''), 'start': (int, 1) }) uid = webuser.getUid(req) ln = argd['ln'] start = argd['start'] _ = gettext_set_language(ln) body = bibcatalog_templates.tmpl_your_tickets(uid, ln, start) return page(title=_("Your tickets"), body=body, navtrail="""""" % (CFG_SITE_SECURE_URL, argd['ln']) + _("Your Account") + """""", uid=uid, req=req, language=argd['ln'], lastupdated=__lastupdated__) class WebInterfaceYourGroupsPages(WebInterfaceDirectory): _exports = ['', 'display', 'create', 'join', 'leave', 'edit', 'members'] def index(self, req, form): redirect_to_url(req, '/yourgroups/display') def display(self, req, form): """ Displays groups the user is admin of and the groups the user is member of(but not admin) @param ln: language @return: the page for all the groups """ argd = wash_urlargd(form, {}) uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(argd['ln']) if uid == -1 or webuser.isGuestUser(uid) or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../yourgroups/display", navmenuid='yourgroups') user_info = webuser.collect_user_info(req) if not user_info['precached_usegroups']: return webuser.page_not_authorized(req, "../", \ text = _("You are not authorized to use groups.")) (body, errors, warnings) = webgroup.perform_request_groups_display(uid=uid, ln=argd['ln']) return page(title = _("Your Groups"), body = body, navtrail = webgroup.get_navtrail(argd['ln']), uid = uid, req = req, language = argd['ln'], lastupdated = __lastupdated__, errors = errors, warnings = warnings, navmenuid = 'yourgroups') def create(self, req, form): """create(): interface for creating a new group @param group_name: : name of the new webgroup.Must be filled @param group_description: : description of the new webgroup.(optionnal) @param join_policy: : join policy of the new webgroup.Must be chosen @param *button: which button was pressed @param ln: language @return: the compose page Create group """ argd = wash_urlargd(form, {'group_name': (str, ""), 'group_description': (str, ""), 'join_policy': (str, ""), 'create_button':(str, ""), 'cancel':(str, "") }) uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(argd['ln']) if uid == -1 or webuser.isGuestUser(uid) or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../yourgroups/create", navmenuid='yourgroups') user_info = webuser.collect_user_info(req) if not user_info['precached_usegroups']: return webuser.page_not_authorized(req, "../", \ text = _("You are not authorized to use groups.")) if argd['cancel']: url = CFG_SITE_URL + '/yourgroups/display?ln=%s' url %= argd['ln'] redirect_to_url(req, url) if argd['create_button'] : (body, errors, warnings)= webgroup.perform_request_create_group(uid=uid, group_name=argd['group_name'], group_description=argd['group_description'], join_policy=argd['join_policy'], ln = argd['ln']) else: (body, errors, warnings) = webgroup.perform_request_input_create_group(group_name=argd['group_name'], group_description=argd['group_description'], join_policy=argd['join_policy'], ln=argd['ln']) title = _("Create new group") return page(title = title, body = body, navtrail = webgroup.get_navtrail(argd['ln'], title), uid = uid, req = req, language = argd['ln'], lastupdated = __lastupdated__, errors = errors, warnings = warnings, navmenuid = 'yourgroups') def join(self, req, form): """join(): interface for joining a new group @param grpID: : list of the group the user wants to become a member. The user must select only one group. @param group_name: : will search for groups matching group_name @param *button: which button was pressed @param ln: language @return: the compose page Join group """ argd = wash_urlargd(form, {'grpID':(list, []), 'group_name':(str, ""), 'find_button':(str, ""), 'join_button':(str, ""), 'cancel':(str, "") }) uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(argd['ln']) if uid == -1 or webuser.isGuestUser(uid) or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../yourgroups/join", navmenuid='yourgroups') user_info = webuser.collect_user_info(req) if not user_info['precached_usegroups']: return webuser.page_not_authorized(req, "../", \ text = _("You are not authorized to use groups.")) if argd['cancel']: url = CFG_SITE_URL + '/yourgroups/display?ln=%s' url %= argd['ln'] redirect_to_url(req, url) if argd['join_button']: search = 0 if argd['group_name']: search = 1 (body, errors, warnings) = webgroup.perform_request_join_group(uid, argd['grpID'], argd['group_name'], search, argd['ln']) else: search = 0 if argd['find_button']: search = 1 (body, errors, warnings) = webgroup.perform_request_input_join_group(uid, argd['group_name'], search, ln=argd['ln']) title = _("Join New Group") return page(title = title, body = body, navtrail = webgroup.get_navtrail(argd['ln'], title), uid = uid, req = req, language = argd['ln'], lastupdated = __lastupdated__, errors = errors, warnings = warnings, navmenuid = 'yourgroups') def leave(self, req, form): """leave(): interface for leaving a group @param grpID: : group the user wants to leave. @param group_name: : name of the group the user wants to leave @param *button: which button was pressed @param confirmed: : the user is first asked to confirm @param ln: language @return: the compose page Leave group """ argd = wash_urlargd(form, {'grpID':(int, 0), 'group_name':(str, ""), 'leave_button':(str, ""), 'cancel':(str, ""), 'confirmed': (int, 0) }) uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(argd['ln']) if uid == -1 or webuser.isGuestUser(uid) or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../yourgroups/leave", navmenuid='yourgroups') user_info = webuser.collect_user_info(req) if not user_info['precached_usegroups']: return webuser.page_not_authorized(req, "../", \ text = _("You are not authorized to use groups.")) if argd['cancel']: url = CFG_SITE_URL + '/yourgroups/display?ln=%s' url %= argd['ln'] redirect_to_url(req, url) if argd['leave_button']: (body, errors, warnings) = webgroup.perform_request_leave_group(uid, argd['grpID'], argd['confirmed'], argd['ln']) else: (body, errors, warnings) = webgroup.perform_request_input_leave_group(uid=uid, ln=argd['ln']) title = _("Leave Group") return page(title = title, body = body, navtrail = webgroup.get_navtrail(argd['ln'], title), uid = uid, req = req, language = argd['ln'], lastupdated = __lastupdated__, errors = errors, warnings = warnings, navmenuid = 'yourgroups') def edit(self, req, form): """edit(): interface for editing group @param grpID: : group ID @param group_name: : name of the new webgroup.Must be filled @param group_description: : description of the new webgroup.(optionnal) @param join_policy: : join policy of the new webgroup.Must be chosen @param update: button update group pressed @param delete: button delete group pressed @param cancel: button cancel pressed @param confirmed: : the user is first asked to confirm before deleting @param ln: language @return: the main page displaying all the groups """ argd = wash_urlargd(form, {'grpID': (int, 0), 'update': (str, ""), 'cancel': (str, ""), 'delete': (str, ""), 'group_name': (str, ""), 'group_description': (str, ""), 'join_policy': (str, ""), 'confirmed': (int, 0) }) uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(argd['ln']) if uid == -1 or webuser.isGuestUser(uid) or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../yourgroups/display", navmenuid='yourgroups') user_info = webuser.collect_user_info(req) if not user_info['precached_usegroups']: return webuser.page_not_authorized(req, "../", \ text = _("You are not authorized to use groups.")) if argd['cancel']: url = CFG_SITE_URL + '/yourgroups/display?ln=%s' url %= argd['ln'] redirect_to_url(req, url) elif argd['delete']: (body, errors, warnings) = webgroup.perform_request_delete_group(uid=uid, grpID=argd['grpID'], confirmed=argd['confirmed']) elif argd['update']: (body, errors, warnings) = webgroup.perform_request_update_group(uid= uid, grpID=argd['grpID'], group_name=argd['group_name'], group_description=argd['group_description'], join_policy=argd['join_policy'], ln=argd['ln']) else : (body, errors, warnings)= webgroup.perform_request_edit_group(uid=uid, grpID=argd['grpID'], ln=argd['ln']) title = _("Edit Group") return page(title = title, body = body, navtrail = webgroup.get_navtrail(argd['ln'], title), uid = uid, req = req, language = argd['ln'], lastupdated = __lastupdated__, errors = errors, warnings = warnings, navmenuid = 'yourgroups') def members(self, req, form): """member(): interface for managing members of a group @param grpID: : group ID @param add_member: button add_member pressed @param remove_member: button remove_member pressed @param reject_member: button reject__member pressed @param delete: button delete group pressed @param member_id: : ID of the existing member selected @param pending_member_id: : ID of the pending member selected @param cancel: button cancel pressed @param info: : info about last user action @param ln: language @return: the same page with data updated """ argd = wash_urlargd(form, {'grpID': (int, 0), 'cancel': (str, ""), 'add_member': (str, ""), 'remove_member': (str, ""), 'reject_member': (str, ""), 'member_id': (int, 0), 'pending_member_id': (int, 0) }) uid = webuser.getUid(req) # load the right message language _ = gettext_set_language(argd['ln']) if uid == -1 or webuser.isGuestUser(uid) or CFG_ACCESS_CONTROL_LEVEL_SITE >= 1: return webuser.page_not_authorized(req, "../yourgroups/display", navmenuid='yourgroups') user_info = webuser.collect_user_info(req) if not user_info['precached_usegroups']: return webuser.page_not_authorized(req, "../", \ text = _("You are not authorized to use groups.")) if argd['cancel']: url = CFG_SITE_URL + '/yourgroups/display?ln=%s' url %= argd['ln'] redirect_to_url(req, url) if argd['remove_member']: (body, errors, warnings) = webgroup.perform_request_remove_member(uid=uid, grpID=argd['grpID'], member_id=argd['member_id'], ln=argd['ln']) elif argd['reject_member']: (body, errors, warnings) = webgroup.perform_request_reject_member(uid=uid, grpID=argd['grpID'], user_id=argd['pending_member_id'], ln=argd['ln']) elif argd['add_member']: (body, errors, warnings) = webgroup.perform_request_add_member(uid=uid, grpID=argd['grpID'], user_id=argd['pending_member_id'], ln=argd['ln']) else: (body, errors, warnings)= webgroup.perform_request_manage_member(uid=uid, grpID=argd['grpID'], ln=argd['ln']) title = _("Edit group members") return page(title = title, body = body, navtrail = webgroup.get_navtrail(argd['ln'], title), uid = uid, req = req, language = argd['ln'], lastupdated = __lastupdated__, errors = errors, warnings = warnings, navmenuid = 'yourgroups') def wash_login_method(login_method): """ Wash the login_method parameter that came from the web input form. @param login_method: Wanted login_method value as it came from the web input form. @type login_method: string @return: Washed version of login_method. If the login_method value is valid, then return it. If it is not valid, then return `Local' (the default login method). @rtype: string @warning: Beware, 'Local' is hardcoded here! """ - if login_method in CFG_EXTERNAL_AUTHENTICATION.keys(): + if login_method in CFG_EXTERNAL_AUTHENTICATION: return login_method else: return 'Local' diff --git a/modules/websession/lib/webuser.py b/modules/websession/lib/webuser.py index b8c427cb6..2320d60f5 100644 --- a/modules/websession/lib/webuser.py +++ b/modules/websession/lib/webuser.py @@ -1,1298 +1,1187 @@ # -*- coding: utf-8 -*- ## ## This file is part of Invenio. ## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 CERN. ## ## Invenio is free software; you can redistribute it and/or ## modify it under the terms of the GNU General Public License as ## published by the Free Software Foundation; either version 2 of the ## License, or (at your option) any later version. ## ## Invenio is distributed in the hope that it will be useful, but ## WITHOUT ANY WARRANTY; without even the implied warranty of ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ## General Public License for more details. ## ## You should have received a copy of the GNU General Public License ## along with Invenio; if not, write to the Free Software Foundation, Inc., ## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. """ This file implements all methods necessary for working with users and sessions in Invenio. Contains methods for logging/registration when a user log/register into the system, checking if it is a guest user or not. At the same time this presents all the stuff it could need with sessions managements, working with websession. It also contains Apache-related user authentication stuff. """ __revision__ = "$Id$" from invenio import webinterface_handler_config as apache import cgi import urllib import urlparse from socket import gaierror import os import crypt import socket import smtplib import re import random import datetime import base64 from invenio.config import \ CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS, \ CFG_ACCESS_CONTROL_LEVEL_GUESTS, \ CFG_ACCESS_CONTROL_LEVEL_SITE, \ CFG_ACCESS_CONTROL_LIMIT_REGISTRATION_TO_DOMAIN, \ CFG_ACCESS_CONTROL_NOTIFY_ADMIN_ABOUT_NEW_ACCOUNTS, \ CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT, \ CFG_APACHE_GROUP_FILE, \ CFG_APACHE_PASSWORD_FILE, \ CFG_SITE_ADMIN_EMAIL, \ CFG_SITE_LANG, \ CFG_SITE_NAME, \ CFG_SITE_NAME_INTL, \ CFG_SITE_SUPPORT_EMAIL, \ CFG_SITE_SECURE_URL, \ CFG_TMPDIR, \ CFG_SITE_URL, \ CFG_WEBSESSION_DIFFERENTIATE_BETWEEN_GUESTS, \ CFG_CERN_SITE, \ CFG_WEBSEARCH_PERMITTED_RESTRICTED_COLLECTIONS_LEVEL try: from invenio.session import get_session except ImportError: pass from invenio.dbquery import run_sql, OperationalError, \ serialize_via_marshal, deserialize_via_marshal from invenio.access_control_admin import acc_get_role_id, acc_get_action_roles, acc_get_action_id, acc_is_user_in_role, acc_find_possible_activities from invenio.access_control_mailcookie import mail_cookie_create_mail_activation from invenio.access_control_firerole import acc_firerole_check_user, load_role_definition from invenio.access_control_config import SUPERADMINROLE, CFG_EXTERNAL_AUTH_USING_SSO from invenio.messages import gettext_set_language, wash_languages, wash_language from invenio.mailutils import send_email from invenio.errorlib import register_exception from invenio.webgroup_dblayer import get_groups from invenio.external_authentication import InvenioWebAccessExternalAuthError from invenio.access_control_config import CFG_EXTERNAL_AUTHENTICATION, \ - CFG_WEBACCESS_MSGS, CFG_WEBACCESS_WARNING_MSGS + CFG_WEBACCESS_MSGS, CFG_WEBACCESS_WARNING_MSGS, CFG_EXTERNAL_AUTH_DEFAULT import invenio.template tmpl = invenio.template.load('websession') re_invalid_nickname = re.compile(""".*[,'@]+.*""") # pylint: disable=C0301 def createGuestUser(): """Create a guest user , insert into user null values in all fields createGuestUser() -> GuestUserID """ if CFG_ACCESS_CONTROL_LEVEL_GUESTS == 0: try: return run_sql("insert into user (email, note) values ('', '1')") except OperationalError: return None else: try: return run_sql("insert into user (email, note) values ('', '0')") except OperationalError: return None def page_not_authorized(req, referer='', uid='', text='', navtrail='', ln=CFG_SITE_LANG, navmenuid=""): """Show error message when user is not authorized to do something. @param referer: in case the displayed message propose a login link, this is the url to return to after logging in. If not specified it is guessed from req. @param uid: the uid of the user. If not specified it is guessed from req. @param text: the message to be displayed. If not specified it will be guessed from the context. """ from invenio.webpage import page _ = gettext_set_language(ln) if not referer: referer = req.unparsed_uri if not CFG_ACCESS_CONTROL_LEVEL_SITE: title = CFG_WEBACCESS_MSGS[5] if not uid: uid = getUid(req) try: res = run_sql("SELECT email FROM user WHERE id=%s AND note=1" % uid) if res and res[0][0]: if text: body = text else: body = "%s %s" % (CFG_WEBACCESS_WARNING_MSGS[9] % cgi.escape(res[0][0]), ("%s %s" % (CFG_WEBACCESS_MSGS[0] % urllib.quote(referer), CFG_WEBACCESS_MSGS[1]))) else: if text: body = text else: if CFG_ACCESS_CONTROL_LEVEL_GUESTS == 1: body = CFG_WEBACCESS_MSGS[3] else: body = CFG_WEBACCESS_WARNING_MSGS[4] + CFG_WEBACCESS_MSGS[2] except OperationalError, e: body = _("Database problem") + ': ' + str(e) elif CFG_ACCESS_CONTROL_LEVEL_SITE == 1: title = CFG_WEBACCESS_MSGS[8] body = "%s %s" % (CFG_WEBACCESS_MSGS[7], CFG_WEBACCESS_MSGS[2]) elif CFG_ACCESS_CONTROL_LEVEL_SITE == 2: title = CFG_WEBACCESS_MSGS[6] body = "%s %s" % (CFG_WEBACCESS_MSGS[4], CFG_WEBACCESS_MSGS[2]) return page(title=title, language=ln, uid=getUid(req), body=body, navtrail=navtrail, req=req, navmenuid=navmenuid) -def getApacheUser(req): - """Return the ApacheUser taking it from the cookie of the request.""" - session = get_session(req) - return session.get('apache_user') - def getUid(req): """Return user ID taking it from the cookie of the request. Includes control mechanism for the guest users, inserting in the database table when need be, raising the cookie back to the client. User ID is set to 0 when client refuses cookie or we are in the read-only site operation mode. User ID is set to -1 when we are in the permission denied site operation mode. getUid(req) -> userId """ if hasattr(req, '_user_info'): return req._user_info['uid'] if CFG_ACCESS_CONTROL_LEVEL_SITE == 1: return 0 if CFG_ACCESS_CONTROL_LEVEL_SITE == 2: return -1 guest = 0 session = get_session(req) uid = session.get('uid', -1) if uid == -1: # first time, so create a guest user if CFG_WEBSESSION_DIFFERENTIATE_BETWEEN_GUESTS: uid = session['uid'] = createGuestUser() guest = 1 else: if CFG_ACCESS_CONTROL_LEVEL_GUESTS == 0: session['uid'] = 0 return 0 else: return -1 else: if not hasattr(req, '_user_info') and 'user_info' in session: req._user_info = session['user_info'] req._user_info = collect_user_info(req, refresh=True) if guest == 0: guest = isGuestUser(uid) if guest: if CFG_ACCESS_CONTROL_LEVEL_GUESTS == 0: return uid elif CFG_ACCESS_CONTROL_LEVEL_GUESTS >= 1: return -1 else: res = run_sql("SELECT note FROM user WHERE id=%s", (uid, )) if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS == 0: return uid elif CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 1 and res and res[0][0] in [1, "1"]: return uid else: return -1 -def setApacheUser(req, apache_user): - """It sets the apache_user into the session, and raise the cookie to the client. - """ - if hasattr(req, '_user_info'): - del req._user_info - session = get_session(req) - session['apache_user'] = apache_user - user_info = collect_user_info(req, login_time=True) - session['user_info'] = user_info - req._user_info = user_info - session.save() - return apache_user - def setUid(req, uid, remember_me=False): """It sets the userId into the session, and raise the cookie to the client. """ if hasattr(req, '_user_info'): del req._user_info session = get_session(req) session['uid'] = uid if remember_me: session.set_timeout(86400) session.set_remember_me() if uid > 0: user_info = collect_user_info(req, login_time=True) session['user_info'] = user_info req._user_info = user_info else: del session['user_info'] session.save() return uid def session_param_del(req, key): """ Remove a given key from the session. """ session = get_session(req) del session[key] session.save() def session_param_set(req, key, value): """ Associate a VALUE to the session param KEY for the current session. """ session = get_session(req) session[key] = value session.save() def session_param_get(req, key): """ Return session parameter value associated with session parameter KEY for the current session. If the key doesn't exists raise KeyError. """ session = get_session(req) return session[key] def session_param_list(req): """ List all available session parameters. """ session = get_session(req) return session.keys() def get_last_login(uid): """Return the last_login datetime for uid if any, otherwise return the Epoch.""" res = run_sql('SELECT last_login FROM user WHERE id=%s', (uid, ), 1) if res and res[0][0]: return res[0][0] else: return datetime.datetime(1970, 1, 1) def get_user_info(uid, ln=CFG_SITE_LANG): """Get infos for a given user. @param uid: user id (int) @return: tuple: (uid, nickname, display_name) """ _ = gettext_set_language(ln) query = """SELECT id, nickname FROM user WHERE id=%s""" res = run_sql(query, (uid, )) if res: if res[0]: user = list(res[0]) if user[1]: user.append(user[1]) else: user[1] = str(user[0]) user.append(_("user") + ' #' + str(user[0])) return tuple(user) return (uid, '', _("N/A")) def get_uid_from_email(email): """Return the uid corresponding to an email. Return -1 when the email does not exists.""" try: res = run_sql("SELECT id FROM user WHERE email=%s", (email, )) if res: return res[0][0] else: return -1 except OperationalError: register_exception() return -1 def isGuestUser(uid): """It Checks if the userId corresponds to a guestUser or not isGuestUser(uid) -> boolean """ out = 1 try: res = run_sql("SELECT email FROM user WHERE id=%s LIMIT 1", (uid,), 1) if res: if res[0][0]: out = 0 except OperationalError: register_exception() return out def isUserSubmitter(user_info): """Return True if the user is a submitter for something; False otherwise.""" u_email = get_email(user_info['uid']) res = run_sql("SELECT email FROM sbmSUBMISSIONS WHERE email=%s LIMIT 1", (u_email,), 1) return len(res) > 0 def isUserReferee(user_info): """Return True if the user is a referee for something; False otherwise.""" if CFG_CERN_SITE: return True else: for (role_id, role_name, role_description) in acc_get_action_roles(acc_get_action_id('referee')): if acc_is_user_in_role(user_info, role_id): return True return False def isUserAdmin(user_info): """Return True if the user has some admin rights; False otherwise.""" return acc_find_possible_activities(user_info) != {} def isUserSuperAdmin(user_info): """Return True if the user is superadmin; False otherwise.""" if run_sql("""SELECT r.id FROM accROLE r LEFT JOIN user_accROLE ur ON r.id = ur.id_accROLE WHERE r.name = %s AND ur.id_user = %s AND ur.expiration>=NOW() LIMIT 1""", (SUPERADMINROLE, user_info['uid']), 1): return True return acc_firerole_check_user(user_info, load_role_definition(acc_get_role_id(SUPERADMINROLE))) def nickname_valid_p(nickname): """Check whether wanted NICKNAME supplied by the user is valid. At the moment we just check whether it is not empty, does not contain blanks or @, is not equal to `guest', etc. This check relies on re_invalid_nickname regexp (see above) Return 1 if nickname is okay, return 0 if it is not. """ if nickname and \ not(nickname.startswith(' ') or nickname.endswith(' ')) and \ nickname.lower() != 'guest': if not re_invalid_nickname.match(nickname): return 1 return 0 def email_valid_p(email): """Check whether wanted EMAIL address supplied by the user is valid. At the moment we just check whether it contains '@' and whether it doesn't contain blanks. We also check the email domain if CFG_ACCESS_CONTROL_LIMIT_REGISTRATION_TO_DOMAIN is set. Return 1 if email is okay, return 0 if it is not. """ if (email.find("@") <= 0) or (email.find(" ") > 0): return 0 elif CFG_ACCESS_CONTROL_LIMIT_REGISTRATION_TO_DOMAIN: if not email.endswith(CFG_ACCESS_CONTROL_LIMIT_REGISTRATION_TO_DOMAIN): return 0 return 1 def confirm_email(email): """Confirm the email. It returns None when there are problems, otherwise it return the uid involved.""" if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS == 0: activated = 1 elif CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS == 1: activated = 0 elif CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 2: return -1 run_sql('UPDATE user SET note=%s where email=%s', (activated, email)) res = run_sql('SELECT id FROM user where email=%s', (email, )) if res: if CFG_ACCESS_CONTROL_NOTIFY_ADMIN_ABOUT_NEW_ACCOUNTS: send_new_admin_account_warning(email, CFG_SITE_ADMIN_EMAIL) return res[0][0] else: return None def registerUser(req, email, passw, nickname, register_without_nickname=False, login_method=None, ln=CFG_SITE_LANG): """Register user with the desired values of NICKNAME, EMAIL and PASSW. If REGISTER_WITHOUT_NICKNAME is set to True, then ignore desired NICKNAME and do not set any. This is suitable for external authentications so that people can login without having to register an internal account first. Return 0 if the registration is successful, 1 if email is not valid, 2 if nickname is not valid, 3 if email is already in the database, 4 if nickname is already in the database, 5 when users cannot register themselves because of the site policy, 6 when the site is having problem contacting the user. If login_method is None or is equal to the key corresponding to local authentication, then CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS is taken in account for deciding the behaviour about registering. """ # is email valid? email = email.lower() if not email_valid_p(email): return 1 _ = gettext_set_language(ln) # is email already taken? res = run_sql("SELECT email FROM user WHERE email=%s", (email,)) if len(res) > 0: return 3 if register_without_nickname: # ignore desired nick and use default empty string one: nickname = "" else: # is nickname valid? if not nickname_valid_p(nickname): return 2 # is nickname already taken? res = run_sql("SELECT nickname FROM user WHERE nickname=%s", (nickname,)) if len(res) > 0: return 4 activated = 1 # By default activated - if not login_method or not CFG_EXTERNAL_AUTHENTICATION[login_method][0]: # local login + if not login_method or not CFG_EXTERNAL_AUTHENTICATION[login_method]: # local login if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 2: return 5 elif CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT: activated = 2 # Email confirmation required elif CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 1: activated = 0 # Administrator confirmation required if CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT: address_activation_key = mail_cookie_create_mail_activation(email) ip_address = req.remote_host or req.remote_ip try: if not send_email(CFG_SITE_SUPPORT_EMAIL, email, _("Account registration at %s") % CFG_SITE_NAME_INTL.get(ln, CFG_SITE_NAME), tmpl.tmpl_account_address_activation_email_body(email, address_activation_key, ip_address, ln)): return 1 except (smtplib.SMTPException, socket.error): return 6 # okay, go on and register the user: user_preference = get_default_user_preferences() uid = run_sql("INSERT INTO user (nickname, email, password, note, settings, last_login) " "VALUES (%s,%s,AES_ENCRYPT(email,%s),%s,%s, NOW())", (nickname, email, passw, activated, serialize_via_marshal(user_preference))) if activated == 1: # Ok we consider the user as logged in :-) setUid(req, uid) return 0 def updateDataUser(uid, email, nickname): """ Update user data. Used when a user changed his email or password or nickname. """ email = email.lower() if email == 'guest': return 0 if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS < 2: run_sql("update user set email=%s where id=%s", (email, uid)) if nickname and nickname != '': run_sql("update user set nickname=%s where id=%s", (nickname, uid)) return 1 def updatePasswordUser(uid, password): """Update the password of a user.""" if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS < 3: run_sql("update user set password=AES_ENCRYPT(email,%s) where id=%s", (password, uid)) return 1 def loginUser(req, p_un, p_pw, login_method): """It is a first simple version for the authentication of user. It returns the id of the user, for checking afterwards if the login is correct """ # p_un passed may be an email or a nickname: p_email = get_email_from_username(p_un) # go on with the old stuff based on p_email: - if not CFG_EXTERNAL_AUTHENTICATION.has_key(login_method): + if not login_method in CFG_EXTERNAL_AUTHENTICATION: return ([], p_email, p_pw, 12) - if CFG_EXTERNAL_AUTHENTICATION[login_method][0]: # External Authenthication + if CFG_EXTERNAL_AUTHENTICATION[login_method]: # External Authenthication try: - p_email = CFG_EXTERNAL_AUTHENTICATION[login_method][0].auth_user(p_email, p_pw, req) or CFG_EXTERNAL_AUTHENTICATION[login_method][0].auth_user(p_un, p_pw, req) ## We try to login with either the email of the nickname + p_email = CFG_EXTERNAL_AUTHENTICATION[login_method].auth_user(p_email, p_pw, req) or CFG_EXTERNAL_AUTHENTICATION[login_method].auth_user(p_un, p_pw, req) ## We try to login with either the email of the nickname if p_email: p_email = p_email.lower() else: return([], p_email, p_pw, 15) except InvenioWebAccessExternalAuthError: - register_exception(alert_admin=True) + register_exception(req=req, alert_admin=True) raise if p_email: # Authenthicated externally query_result = run_sql("SELECT id from user where email=%s", (p_email,)) if not query_result: # First time user p_pw_local = int(random.random() * 1000000) p_nickname = '' - if CFG_EXTERNAL_AUTHENTICATION[login_method][0].enforce_external_nicknames: + if CFG_EXTERNAL_AUTHENTICATION[login_method].enforce_external_nicknames: try: # Let's discover the external nickname! - p_nickname = CFG_EXTERNAL_AUTHENTICATION[login_method][0].fetch_user_nickname(p_email, p_pw, req) + p_nickname = CFG_EXTERNAL_AUTHENTICATION[login_method].fetch_user_nickname(p_email, p_pw, req) except (AttributeError, NotImplementedError): pass except: - register_exception(alert_admin=True) + register_exception(req=req, alert_admin=True) raise res = registerUser(req, p_email, p_pw_local, p_nickname, register_without_nickname=p_nickname == '', login_method=login_method) if res == 4 or res == 2: # The nickname was already taken res = registerUser(req, p_email, p_pw_local, '', register_without_nickname=True, login_method=login_method) + query_result = run_sql("SELECT id from user where email=%s", (p_email,)) elif res == 0: # Everything was ok, with or without nickname. query_result = run_sql("SELECT id from user where email=%s", (p_email,)) elif res == 6: # error in contacting the user via email return([], p_email, p_pw_local, 19) else: return([], p_email, p_pw_local, 13) try: - groups = CFG_EXTERNAL_AUTHENTICATION[login_method][0].fetch_user_groups_membership(p_email, p_pw, req) + groups = CFG_EXTERNAL_AUTHENTICATION[login_method].fetch_user_groups_membership(p_email, p_pw, req) # groups is a dictionary {group_name : group_description,} new_groups = {} for key, value in groups.items(): new_groups[key + " [" + str(login_method) + "]"] = value groups = new_groups except (AttributeError, NotImplementedError): pass except: - register_exception(alert_admin=True) + register_exception(req=req, alert_admin=True) return([], p_email, p_pw, 16) else: # Groups synchronization - if groups != 0: + if groups: userid = query_result[0][0] from invenio.webgroup import synchronize_external_groups synchronize_external_groups(userid, groups, login_method) user_prefs = get_user_preferences(query_result[0][0]) - if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 4: - # Let's prevent the user to switch login_method - if user_prefs.has_key("login_method") and \ - user_prefs["login_method"] != login_method: - return([], p_email, p_pw, 11) - user_prefs["login_method"] = login_method + if not CFG_EXTERNAL_AUTHENTICATION[login_method]: + ## I.e. if the login method is not of robot type: + if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS >= 4: + # Let's prevent the user to switch login_method + if user_prefs.has_key("login_method") and \ + user_prefs["login_method"] != login_method: + return([], p_email, p_pw, 11) + user_prefs["login_method"] = login_method # Cleaning external settings for key in user_prefs.keys(): if key.startswith('EXTERNAL_'): del user_prefs[key] try: # Importing external settings - new_prefs = CFG_EXTERNAL_AUTHENTICATION[login_method][0].fetch_user_preferences(p_email, p_pw, req) + new_prefs = CFG_EXTERNAL_AUTHENTICATION[login_method].fetch_user_preferences(p_email, p_pw, req) for key, value in new_prefs.items(): user_prefs['EXTERNAL_' + key] = value except (AttributeError, NotImplementedError): pass except InvenioWebAccessExternalAuthError: - register_exception(alert_admin=True) + register_exception(req=req, alert_admin=True) return([], p_email, p_pw, 16) # Storing settings set_user_preferences(query_result[0][0], user_prefs) else: return ([], p_un, p_pw, 10) else: # Internal Authenthication if not p_pw: p_pw = '' query_result = run_sql("SELECT id,email,note from user where email=%s and password=AES_ENCRYPT(email,%s)", (p_email, p_pw,)) if query_result: #FIXME drop external groups and settings note = query_result[0][2] if note == '1': # Good account preferred_login_method = get_user_preferences(query_result[0][0])['login_method'] p_email = query_result[0][1].lower() if login_method != preferred_login_method: - if CFG_EXTERNAL_AUTHENTICATION.has_key(preferred_login_method): + if preferred_login_method in CFG_EXTERNAL_AUTHENTICATION: return ([], p_email, p_pw, 11) elif note == '2': # Email address need to be confirmed by user return ([], p_email, p_pw, 17) elif note == '0': # Account need to be confirmed by administrator return ([], p_email, p_pw, 18) else: return ([], p_email, p_pw, 14) # Login successful! Updating the last access time run_sql("UPDATE user SET last_login=NOW() WHERE email=%s", (p_email, )) return (query_result, p_email, p_pw, 0) def drop_external_settings(userId): """Drop the external (EXTERNAL_) settings of userid.""" prefs = get_user_preferences(userId) for key in prefs.keys(): if key.startswith('EXTERNAL_'): del prefs[key] set_user_preferences(userId, prefs) def logoutUser(req): """It logout the user of the system, creating a guest user. """ session = get_session(req) if CFG_WEBSESSION_DIFFERENTIATE_BETWEEN_GUESTS: uid = createGuestUser() session['uid'] = uid session.save() else: uid = 0 session.invalidate() if hasattr(req, '_user_info'): delattr(req, '_user_info') return uid def username_exists_p(username): """Check if USERNAME exists in the system. Username may be either nickname or email. Return 1 if it does exist, 0 if it does not. """ if username == "": # return not exists if asked for guest users return 0 res = run_sql("SELECT email FROM user WHERE email=%s", (username,)) + \ run_sql("SELECT email FROM user WHERE nickname=%s", (username,)) if len(res) > 0: return 1 return 0 def emailUnique(p_email): """Check if the email address only exists once. If yes, return userid, if not, -1 """ query_result = run_sql("select id, email from user where email=%s", (p_email,)) if len(query_result) == 1: return query_result[0][0] elif len(query_result) == 0: return 0 return -1 def nicknameUnique(p_nickname): """Check if the nickname only exists once. If yes, return userid, if not, -1 """ query_result = run_sql("select id, nickname from user where nickname=%s", (p_nickname,)) if len(query_result) == 1: return query_result[0][0] elif len(query_result) == 0: return 0 return -1 def update_Uid(req, p_email, remember_me=False): """It updates the userId of the session. It is used when a guest user is logged in succesfully in the system with a given email and password. As a side effect it will discover all the restricted collection to which the user has right to """ query_ID = int(run_sql("select id from user where email=%s", (p_email,))[0][0]) setUid(req, query_ID, remember_me) return query_ID def send_new_admin_account_warning(new_account_email, send_to, ln=CFG_SITE_LANG): """Send an email to the address given by send_to about the new account new_account_email.""" _ = gettext_set_language(ln) sub = _("New account on") + " '%s'" % CFG_SITE_NAME if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS == 1: sub += " - " + _("PLEASE ACTIVATE") body = _("A new account has been created on") + " '%s'" % CFG_SITE_NAME if CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS == 1: body += _(" and is awaiting activation") body += ":\n\n" body += _(" Username/Email") + ": %s\n\n" % new_account_email body += _("You can approve or reject this account request at") + ": %s/admin/webaccess/webaccessadmin.py/manageaccounts\n" % CFG_SITE_URL return send_email(CFG_SITE_SUPPORT_EMAIL, send_to, subject=sub, content=body) def get_email(uid): """Return email address of the user uid. Return string 'guest' in case the user is not found.""" out = "guest" res = run_sql("SELECT email FROM user WHERE id=%s", (uid,), 1) if res and res[0][0]: out = res[0][0].lower() return out def get_email_from_username(username): """Return email address of the user corresponding to USERNAME. The username may be either nickname or email. Return USERNAME untouched if not found in the database or if found several matching entries. """ if username == '': return '' out = username res = run_sql("SELECT email FROM user WHERE email=%s", (username,), 1) + \ run_sql("SELECT email FROM user WHERE nickname=%s", (username,), 1) if res and len(res) == 1: out = res[0][0].lower() return out #def get_password(uid): #"""Return password of the user uid. Return None in case #the user is not found.""" #out = None #res = run_sql("SELECT password FROM user WHERE id=%s", (uid,), 1) #if res and res[0][0] != None: #out = res[0][0] #return out def get_nickname(uid): """Return nickname of the user uid. Return None in case the user is not found.""" out = None res = run_sql("SELECT nickname FROM user WHERE id=%s", (uid,), 1) if res and res[0][0]: out = res[0][0] return out def get_nickname_or_email(uid): """Return nickname (preferred) or the email address of the user uid. Return string 'guest' in case the user is not found.""" out = "guest" res = run_sql("SELECT nickname, email FROM user WHERE id=%s", (uid,), 1) if res and res[0]: if res[0][0]: out = res[0][0] elif res[0][1]: out = res[0][1].lower() return out def create_userinfobox_body(req, uid, language="en"): """Create user info box body for user UID in language LANGUAGE.""" if req: if req.subprocess_env.has_key('HTTPS') \ and req.subprocess_env['HTTPS'] == 'on': url_referer = CFG_SITE_SECURE_URL + req.unparsed_uri else: url_referer = CFG_SITE_URL + req.unparsed_uri if '/youraccount/logout' in url_referer: url_referer = '' else: url_referer = CFG_SITE_URL user_info = collect_user_info(req) try: return tmpl.tmpl_create_userinfobox(ln=language, url_referer=url_referer, guest = isGuestUser(uid), username = get_nickname_or_email(uid), submitter = user_info['precached_viewsubmissions'], referee = user_info['precached_useapprove'], admin = user_info['precached_useadmin'], usebaskets = user_info['precached_usebaskets'], usemessages = user_info['precached_usemessages'], usealerts = user_info['precached_usealerts'], usegroups = user_info['precached_usegroups'], useloans = user_info['precached_useloans'], usestats = user_info['precached_usestats'] ) except OperationalError: return "" def create_useractivities_menu(req, uid, navmenuid, ln="en"): """Create user activities menu. @param req: request object @param uid: user id @type uid: int @param navmenuid: the section of the website this page belongs (search, submit, baskets, etc.) @type navmenuid: string @param ln: language @type ln: string @return: HTML menu of the user activities @rtype: string """ if req: if req.subprocess_env.has_key('HTTPS') \ and req.subprocess_env['HTTPS'] == 'on': url_referer = CFG_SITE_SECURE_URL + req.unparsed_uri else: url_referer = CFG_SITE_URL + req.unparsed_uri if '/youraccount/logout' in url_referer: url_referer = '' else: url_referer = CFG_SITE_URL user_info = collect_user_info(req) is_user_menu_selected = False if navmenuid == 'personalize' or \ navmenuid.startswith('your') and \ navmenuid != 'youraccount': is_user_menu_selected = True try: return tmpl.tmpl_create_useractivities_menu( ln=ln, selected=is_user_menu_selected, url_referer=url_referer, guest = isGuestUser(uid), username = get_nickname_or_email(uid), submitter = user_info['precached_viewsubmissions'], referee = user_info['precached_useapprove'], admin = user_info['precached_useadmin'], usebaskets = user_info['precached_usebaskets'], usemessages = user_info['precached_usemessages'], usealerts = user_info['precached_usealerts'], usegroups = user_info['precached_usegroups'], useloans = user_info['precached_useloans'], usestats = user_info['precached_usestats'] ) except OperationalError: return "" def create_adminactivities_menu(req, uid, navmenuid, ln="en"): """Create admin activities menu. @param req: request object @param uid: user id @type uid: int @param navmenuid: the section of the website this page belongs (search, submit, baskets, etc.) @type navmenuid: string @param ln: language @type ln: string @return: HTML menu of the user activities @rtype: string """ _ = gettext_set_language(ln) if req: if req.subprocess_env.has_key('HTTPS') \ and req.subprocess_env['HTTPS'] == 'on': url_referer = CFG_SITE_SECURE_URL + req.unparsed_uri else: url_referer = CFG_SITE_URL + req.unparsed_uri if '/youraccount/logout' in url_referer: url_referer = '' else: url_referer = CFG_SITE_URL user_info = collect_user_info(req) activities = acc_find_possible_activities(user_info, ln) # For BibEdit and BibDocFile menu items, take into consideration # current record whenever possible if activities.has_key(_("Run Record Editor")) or \ activities.has_key(_("Run Document File Manager")) and \ user_info['uri'].startswith('/record/'): try: # Get record ID and try to cast it to an int current_record_id = int(urlparse.urlparse(user_info['uri'])[2].split('/')[2]) except: pass else: if activities.has_key(_("Run Record Editor")): activities[_("Run Record Editor")] = activities[_("Run Record Editor")] + '&#state=edit&recid=' + str(current_record_id) if activities.has_key(_("Run File Manager")): activities[_("Run File Manager")] = activities[_("Run File Manager")] + '&recid=' + str(current_record_id) try: return tmpl.tmpl_create_adminactivities_menu( ln=ln, selected=navmenuid == 'admin', url_referer=url_referer, guest = isGuestUser(uid), username = get_nickname_or_email(uid), submitter = user_info['precached_viewsubmissions'], referee = user_info['precached_useapprove'], admin = user_info['precached_useadmin'], usebaskets = user_info['precached_usebaskets'], usemessages = user_info['precached_usemessages'], usealerts = user_info['precached_usealerts'], usegroups = user_info['precached_usegroups'], useloans = user_info['precached_useloans'], usestats = user_info['precached_usestats'], activities = activities ) except OperationalError: return "" def list_registered_users(): """List all registered users.""" return run_sql("SELECT id,email FROM user where email!=''") def list_users_in_role(role): """List all users of a given role (see table accROLE) @param role: role of user (string) @return: list of uids """ res = run_sql("""SELECT uacc.id_user FROM user_accROLE uacc JOIN accROLE acc ON uacc.id_accROLE=acc.id WHERE acc.name=%s""", (role,)) if res: return map(lambda x: int(x[0]), res) return [] def list_users_in_roles(role_list): """List all users of given roles (see table accROLE) @param role_list: list of roles [string] @return: list of uids """ if not(type(role_list) is list or type(role_list) is tuple): role_list = [role_list] query = """SELECT DISTINCT(uacc.id_user) FROM user_accROLE uacc JOIN accROLE acc ON uacc.id_accROLE=acc.id """ query_addons = "" query_params = () if len(role_list) > 0: query_params = role_list query_addons = " WHERE " for role in role_list[:-1]: query_addons += "acc.name=%s OR " query_addons += "acc.name=%s" res = run_sql(query + query_addons, query_params) if res: return map(lambda x: int(x[0]), res) return [] def get_uid_based_on_pref(prefname, prefvalue): """get the user's UID based where his/her preference prefname has value prefvalue in preferences""" prefs = run_sql("SELECT id, settings FROM user WHERE settings is not NULL") the_uid = None for pref in prefs: try: settings = deserialize_via_marshal(pref[1]) if (settings.has_key(prefname)) and (settings[prefname] == prefvalue): the_uid = pref[0] except: pass return the_uid def get_user_preferences(uid): pref = run_sql("SELECT id, settings FROM user WHERE id=%s", (uid,)) if pref: try: return deserialize_via_marshal(pref[0][1]) except: pass return get_default_user_preferences() # empty dict mean no preferences def set_user_preferences(uid, pref): assert(type(pref) == type({})) run_sql("UPDATE user SET settings=%s WHERE id=%s", (serialize_via_marshal(pref), uid)) def get_default_user_preferences(): user_preference = { 'login_method': ''} - for system in CFG_EXTERNAL_AUTHENTICATION.keys(): - if CFG_EXTERNAL_AUTHENTICATION[system][1]: - user_preference['login_method'] = system - break + if CFG_EXTERNAL_AUTH_DEFAULT in CFG_EXTERNAL_AUTHENTICATION: + user_preference['login_method'] = CFG_EXTERNAL_AUTH_DEFAULT return user_preference def get_preferred_user_language(req): def _get_language_from_req_header(accept_language_header): """Extract langs info from req.headers_in['Accept-Language'] which should be set to something similar to: 'fr,en-us;q=0.7,en;q=0.3' """ tmp_langs = {} for lang in accept_language_header.split(','): lang = lang.split(';q=') if len(lang) == 2: lang[1] = lang[1].replace('"', '') # Hack for Yeti robot try: tmp_langs[float(lang[1])] = lang[0] except ValueError: pass else: tmp_langs[1.0] = lang[0] ret = [] priorities = tmp_langs.keys() priorities.sort() priorities.reverse() for priority in priorities: ret.append(tmp_langs[priority]) return ret uid = getUid(req) guest = isGuestUser(uid) new_lang = None preferred_lang = None if not guest: user_preferences = get_user_preferences(uid) preferred_lang = new_lang = user_preferences.get('language', None) if not new_lang: try: new_lang = wash_languages(cgi.parse_qs(req.args)['ln']) except (TypeError, AttributeError, KeyError): pass if not new_lang: try: new_lang = wash_languages(_get_language_from_req_header(req.headers_in['Accept-Language'])) except (TypeError, AttributeError, KeyError): pass new_lang = wash_language(new_lang) if new_lang != preferred_lang and not guest: user_preferences['language'] = new_lang set_user_preferences(uid, user_preferences) return new_lang def collect_user_info(req, login_time=False, refresh=False): """Given the mod_python request object rec or a uid it returns a dictionary containing at least the keys uid, nickname, email, groups, plus any external keys in the user preferences (collected at login time and built by the different external authentication plugins) and if the mod_python request object is provided, also the remote_ip, remote_host, referer, agent fields. - If the user is authenticated with Apache should provide also - apache_user and apache_group. NOTE: if req is a mod_python request object, the user_info dictionary is saved into req._user_info (for caching purpouses) setApacheUser & setUid will properly reset it. """ from invenio.search_engine import get_permitted_restricted_collections user_info = { 'remote_ip' : '', 'remote_host' : '', 'referer' : '', 'uri' : '', 'agent' : '', - 'apache_user' : '', - 'apache_group' : [], 'uid' : -1, 'nickname' : '', 'email' : '', 'group' : [], 'guest' : '1', 'session' : None, 'precached_permitted_restricted_collections' : [], 'precached_usebaskets' : False, 'precached_useloans' : False, 'precached_usegroups' : False, 'precached_usealerts' : False, 'precached_usemessages' : False, 'precached_viewsubmissions' : False, 'precached_useapprove' : False, 'precached_useadmin' : False, 'precached_usestats' : False, } try: is_req = False - if req is None: + if not req: uid = -1 elif type(req) in (type(1), type(1L)): ## req is infact a user identification uid = req elif type(req) is dict: ## req is by mistake already a user_info try: assert(req.has_key('uid')) assert(req.has_key('email')) assert(req.has_key('nickname')) except AssertionError: ## mmh... misuse of collect_user_info. Better warn the admin! register_exception(alert_admin=True) user_info.update(req) return user_info else: is_req = True uid = getUid(req) if hasattr(req, '_user_info') and not login_time: user_info = req._user_info if not refresh: return req._user_info req._user_info = user_info try: user_info['remote_ip'] = req.remote_ip except gaierror: #FIXME: we should support IPV6 too. (hint for FireRole) pass user_info['session'] = get_session(req).sid() user_info['remote_host'] = req.remote_host or '' user_info['referer'] = req.headers_in.get('Referer', '') user_info['uri'] = req.unparsed_uri or () user_info['agent'] = req.headers_in.get('User-Agent', 'N/A') - try: - user_info['apache_user'] = getApacheUser(req) - if user_info['apache_user']: - user_info['apache_group'] = auth_apache_user_in_groups(user_info['apache_user']) - except AttributeError: - pass user_info['uid'] = uid user_info['nickname'] = get_nickname(uid) or '' user_info['email'] = get_email(uid) or '' user_info['group'] = [] user_info['guest'] = str(isGuestUser(uid)) if user_info['guest'] == '0': user_info['group'] = [group[1] for group in get_groups(uid)] prefs = get_user_preferences(uid) login_method = prefs['login_method'] - login_object = CFG_EXTERNAL_AUTHENTICATION[login_method][0] + login_object = CFG_EXTERNAL_AUTHENTICATION[login_method] if login_object and ((datetime.datetime.now() - get_last_login(uid)).seconds > 3600): ## The user uses an external authentication method and it's a bit since ## she has not performed a login if not CFG_EXTERNAL_AUTH_USING_SSO or ( is_req and req.is_https()): ## If we're using SSO we must be sure to be in HTTPS ## otherwise we can't really read anything, hence ## it's better skeep the synchronization try: groups = login_object.fetch_user_groups_membership(user_info['email'], req=req) # groups is a dictionary {group_name : group_description,} new_groups = {} for key, value in groups.items(): new_groups[key + " [" + str(login_method) + "]"] = value groups = new_groups except (AttributeError, NotImplementedError, TypeError, InvenioWebAccessExternalAuthError): pass else: # Groups synchronization from invenio.webgroup import synchronize_external_groups synchronize_external_groups(uid, groups, login_method) user_info['group'] = [group[1] for group in get_groups(uid)] try: # Importing external settings new_prefs = login_object.fetch_user_preferences(user_info['email'], req=req) for key, value in new_prefs.items(): prefs['EXTERNAL_' + key] = value except (AttributeError, NotImplementedError, TypeError, InvenioWebAccessExternalAuthError): pass else: set_user_preferences(uid, prefs) prefs = get_user_preferences(uid) run_sql('UPDATE user SET last_login=NOW() WHERE id=%s', (uid, )) if prefs: for key, value in prefs.iteritems(): user_info[key.lower()] = value if login_time: ## Heavy computational information from invenio.access_control_engine import acc_authorize_action if CFG_WEBSEARCH_PERMITTED_RESTRICTED_COLLECTIONS_LEVEL > 0: user_info['precached_permitted_restricted_collections'] = get_permitted_restricted_collections(user_info) user_info['precached_usebaskets'] = acc_authorize_action(user_info, 'usebaskets')[0] == 0 user_info['precached_useloans'] = acc_authorize_action(user_info, 'useloans')[0] == 0 user_info['precached_usegroups'] = acc_authorize_action(user_info, 'usegroups')[0] == 0 user_info['precached_usealerts'] = acc_authorize_action(user_info, 'usealerts')[0] == 0 user_info['precached_usemessages'] = acc_authorize_action(user_info, 'usemessages')[0] == 0 user_info['precached_usestats'] = acc_authorize_action(user_info, 'runwebstatadmin')[0] == 0 user_info['precached_viewsubmissions'] = isUserSubmitter(user_info) user_info['precached_useapprove'] = isUserReferee(user_info) user_info['precached_useadmin'] = isUserAdmin(user_info) except Exception, e: register_exception() return user_info - -## --- follow some functions for Apache user/group authentication - -def _load_apache_password_file(apache_password_file=CFG_APACHE_PASSWORD_FILE): - ret = {} - for row in open(os.path.join(CFG_TMPDIR, apache_password_file)): - row = row.split(':') - if len(row) == 2: - ret[row[0].strip()] = row[1].strip() - return ret -_apache_passwords = _load_apache_password_file() - -def auth_apache_user_p(user, password): - """Check whether user-supplied credentials correspond to valid - Apache password data file.""" - if user in _apache_passwords: - password_apache = _apache_passwords[user] - salt = password_apache[:2] - return crypt.crypt(password, salt) == password_apache - else: - return False - -def _load_apache_group_file(apache_group_file=CFG_APACHE_GROUP_FILE): - ret = {} - for row in open(os.path.join(CFG_TMPDIR, apache_group_file)): - row = row.split(':') - if len(row) == 2: - group = row[0].strip() - users = row[1].strip().split(' ') - for user in users: - user = user.strip() - if user not in ret: - ret[user] = [] - ret[user].append(group) - return ret -_apache_groups = _load_apache_group_file() - -def auth_apache_user_in_groups(user): - """Return list of Apache groups to which Apache user belong.""" - return _apache_groups.get(user, []) - -def http_get_credentials(req): - if req.headers_in.has_key("Authorization"): - try: - s = req.headers_in["Authorization"][6:] - s = base64.decodestring(s) - user, passwd = s.split(":", 1) - except (ValueError, base64.binascii.Error, base64.binascii.Incomplete): - raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST - return (user, passwd) - return (None, None) - -def http_check_credentials(req, role): - """Retrieve Apache password and check user credential with the - check_auth function. If this function returns True check if the user - is enabled to the given role. If this is True, return, otherwise - popup a new apache login box. - """ - - authorized = False - while True: - if req.headers_in.has_key("Authorization"): - try: - s = req.headers_in["Authorization"][6:] - s = base64.decodestring(s) - user, passwd = s.split(":", 1) - except (ValueError, base64.binascii.Error, base64.binascii.Incomplete): - raise apache.SERVER_RETURN, apache.HTTP_BAD_REQUEST - - authorized = auth_apache_user_p(user, passwd) - - if authorized: - setApacheUser(req, user) - authorized = acc_firerole_check_user(collect_user_info(req), load_role_definition(acc_get_role_id(role))) - setApacheUser(req, '') - - if not authorized: - # note that Opera supposedly doesn't like spaces around "=" below - s = 'Basic realm="%s"' % role - req.headers_out["WWW-Authenticate"] = s - raise apache.SERVER_RETURN, apache.HTTP_UNAUTHORIZED - else: - setApacheUser(req, user) - return diff --git a/modules/websession/lib/webuser_tests.py b/modules/websession/lib/webuser_tests.py index 939658dad..24525b0ce 100644 --- a/modules/websession/lib/webuser_tests.py +++ b/modules/websession/lib/webuser_tests.py @@ -1,87 +1,49 @@ # -*- coding: utf-8 -*- ## ## This file is part of Invenio. ## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 CERN. ## ## Invenio is free software; you can redistribute it and/or ## modify it under the terms of the GNU General Public License as ## published by the Free Software Foundation; either version 2 of the ## License, or (at your option) any later version. ## ## Invenio is distributed in the hope that it will be useful, but ## WITHOUT ANY WARRANTY; without even the implied warranty of ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ## General Public License for more details. ## ## You should have received a copy of the GNU General Public License ## along with Invenio; if not, write to the Free Software Foundation, Inc., ## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. """Unit tests for the user handling library.""" __revision__ = "$Id$" import unittest from invenio import webuser from invenio.testutils import make_test_suite, run_test_suite from invenio.dbquery import run_sql -class ApacheAuthenticationTests(unittest.TestCase): - """Test functions related to the Apache authentication.""" - - def test_auth_apache_user_p(self): - """webuser - apache user password checking""" - # These should succeed: - self.assertEqual(True, - webuser.auth_apache_user_p('jekyll', 'j123ekyll')) - self.assertEqual(True, - webuser.auth_apache_user_p('hyde', 'h123yde')) - # Note: the following one should succeed even though the real - # password is different, because crypt() looks at first 8 - # chars only: - self.assertEqual(True, - webuser.auth_apache_user_p('jekyll', 'j123ekylx')) - # Now some attempts that should fail: - self.assertEqual(False, - webuser.auth_apache_user_p('jekyll', '')) - self.assertEqual(False, - webuser.auth_apache_user_p('jekyll', 'h123yde')) - self.assertEqual(False, - webuser.auth_apache_user_p('jekyll', 'aoeuidhtns')) - self.assertEqual(False, - webuser.auth_apache_user_p('aoeui', '')) - self.assertEqual(False, - webuser.auth_apache_user_p('aoeui', 'h123yde')) - self.assertEqual(False, - webuser.auth_apache_user_p('aoeui', 'dhtns')) - - def test_auth_apache_user_in_groups(self): - """webuser - apache user group membership checking""" - self.assertEqual(['theses'], - webuser.auth_apache_user_in_groups('jekyll')) - self.assertEqual([], - webuser.auth_apache_user_in_groups('hyde')) - self.assertEqual([], - webuser.auth_apache_user_in_groups('aoeui')) - class IsUserSuperAdminTests(unittest.TestCase): """Test functions related to the isUserSuperAdmin function.""" def setUp(self): self.id_admin = run_sql('SELECT id FROM user WHERE nickname="admin"')[0][0] self.id_hyde = run_sql('SELECT id FROM user WHERE nickname="hyde"')[0][0] def test_isUserSuperAdmin_admin(self): """webuser - isUserSuperAdmin with admin""" self.failUnless(webuser.isUserSuperAdmin(webuser.collect_user_info(self.id_admin))) def test_isUserSuperAdmin_hyde(self): """webuser - isUserSuperAdmin with hyde""" self.failIf(webuser.isUserSuperAdmin(webuser.collect_user_info(self.id_hyde))) -TEST_SUITE = make_test_suite(ApacheAuthenticationTests, IsUserSuperAdminTests) +TEST_SUITE = make_test_suite(IsUserSuperAdminTests) if __name__ == "__main__": run_test_suite(TEST_SUITE) diff --git a/modules/webstyle/img/Makefile.am b/modules/webstyle/img/Makefile.am index 1c9436f79..338b6a852 100644 --- a/modules/webstyle/img/Makefile.am +++ b/modules/webstyle/img/Makefile.am @@ -1,237 +1,238 @@ ## This file is part of Invenio. ## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 CERN. ## ## Invenio is free software; you can redistribute it and/or ## modify it under the terms of the GNU General Public License as ## published by the Free Software Foundation; either version 2 of the ## License, or (at your option) any later version. ## ## Invenio is distributed in the hope that it will be useful, but ## WITHOUT ANY WARRANTY; without even the implied warranty of ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ## General Public License for more details. ## ## You should have received a copy of the GNU General Public License ## along with Invenio; if not, write to the Free Software Foundation, Inc., ## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. imgdir=$(localstatedir)/www/img img_DATA = add-small.png \ add.png \ answer_bad.gif \ arrow_down.gif \ arrow_down2.png \ arrow_link-icon-15x11-right.gif \ arrow_up.gif \ arrow_up2.png \ at.gif \ balloon_arrow_left_shadow.png \ balloon_bottom_left_shadow.png \ balloon_bottom_shadow.png \ balloon_right_shadow.png \ balloon_top_right_shadow.png \ balloon_arrow_shadow.png \ balloon_bottom_right_shadow.png \ balloon_left_shadow.png \ balloon_top_left_shadow.png \ balloon_top_shadow.png \ blankicon.gif \ blue_gradient.gif \ bullet_toggle_minus.png \ bullet_toggle_plus.png \ circle_green.png \ circle_red.png \ cross_red.gif \ delete-big.png \ delete-small.png \ delete.png \ description.gif \ diff.png \ dot.gif \ down-trans.gif \ down.gif \ drop_down_menu_arrow_down_g.gif \ drop_down_menu_arrow_down_b.gif \ drop_down_menu_arrow_down_lb.gif \ drop_down_menu_arrow_down_w.gif \ edit1.gif \ external-icon-light-8x8.gif \ feed-icon-12x12.gif \ file-icon-none-96x128.gif \ file-icon-text-12x16.gif \ file-icon-text-15x20.gif \ file-icon-text-34x48.gif \ file-icon-text-96x128.gif \ forbidden_left.gif \ forbidden_right.gif \ gradient-lightgray-1x100.gif \ gradient_tab-gray-1x23.gif \ gradient_tab_on-gray-1x23.gif \ group_admin.png \ head.gif \ header_background.gif \ help.png \ icon-journal_Athanasius_Kircher_Atlantis.gif \ icon-journal_hms_beagle.gif \ iconcross.gif \ iconcross2.gif \ + pix.png \ plus_orange.png \ iconeye.gif \ iconpen.gif \ indicator.gif \ journal-template1.gif \ journal-template2.gif \ journal-template3.gif \ journal-template4.gif \ journal_Athanasius_Kircher_Atlantis.gif \ journal_content.png \ journal_footer.png \ journal_footer2.png \ journal_header.png \ journal_hms_beagle.gif \ journal_new.png \ journal_virgin_forest.gif \ journal_water_dog.gif \ keep_sso_connection_alive.gif \ last-right-part-trans.gif \ left-part-topless-trans.gif \ left-part-trans.gif \ left-trans.gif \ left.gif \ line-up-trans.gif \ line.gif \ loading.gif \ mail-icon-12x8.gif \ mainmenu.gif \ merge-small.png \ merge.png \ mergeNC.png \ move.png \ move_from.gif \ move_to.gif \ noway.gif \ okay.gif \ out.gif \ paper-texture-128x128.gif \ paper_clip-72x72.gif \ r.gif \ rcorners-gray-1280x18.gif \ rcorners-gray-1280x60-folded.gif \ red_gradient.gif \ refresh.png \ replace.png \ restricted.gif \ right-part-topless-trans.gif \ right-part-trans.gif \ right-trans.gif \ right.gif \ rss.png \ sb.gif \ sbm_guide_accessnumber.png \ sbm_guide_approvals.png \ sbm_guide_approve_button.png \ sbm_guide_browse.png \ sbm_guide_description.png \ sbm_guide_login.png \ sbm_guide_logout.png \ sbm_guide_modify_button.png \ sbm_guide_revise_button.png \ sbm_guide_submissions.png \ sbm_guide_submit_button.png \ sbm_guide_subnumber.png \ sbm_guide_summary.png \ sclose.gif \ se.gif \ search.png \ site_logo.gif \ site_logo_rss.png \ site_logo_small.gif \ smallbin.gif \ smalldown.gif \ smallfiles.gif \ smallup.gif \ smchk_gr.gif \ smchk_rd.gif \ sn.gif \ sp.gif \ star-icon-30x30.gif \ star_dot-icon-30x30.gif \ star_empty-icon-30x30.gif \ star_half-icon-30x30.gif \ stars-0-0.png \ stars-0-5.png \ stars-1-0.png \ stars-1-5.png \ stars-2-0.png \ stars-2-5.png \ stars-3-0.png \ stars-3-5.png \ stars-4-0.png \ stars-4-5.png \ stars-5-0.png \ summary.gif \ table.png \ table_add.png \ table_delete.png \ table_multiple.png \ table_row_delete.png \ table_row_insert.png \ table_sort.png \ tick.gif \ tree_branch.gif \ up.gif \ user-icon-1-16x16.gif \ user-icon-1-20x20.gif \ user-icon-1-24x24.gif \ waiting_or.gif \ warning.png \ webbasket_create.png \ webbasket_create_small.png \ webbasket_delete.png \ webbasket_down.png \ webbasket_extern.png \ webbasket_intern.png \ webbasket_move.png \ webbasket_ugs.png \ webbasket_up.png \ webbasket_us.png \ webbasket_user.png \ webbasket_usergroup.png \ webbasket_usergroup_gray.png \ webbasket_world.png \ webbasket_ws.png \ wb-add-note.png \ wb-copy-item.png \ wb-create-basket.png \ wb-delete-basket.png \ wb-delete-item.png \ wb-edit-basket.png \ wb-edit-topic.png \ wb-external-item.png \ wb-go-back.png \ wb-move-item-down-disabled.png \ wb-move-item-down.png \ wb-move-item-up-disabled.png \ wb-move-item-up.png \ wb-next-item-disabled.png \ wb-next-item.png \ wb-notes.png \ wb-previous-item-disabled.png \ wb-previous-item.png \ wb-sort-asc.gif \ wb-sort-desc.gif \ wb-sort-none.gif \ wb-subscribe.png \ wb-unsubscribe.png \ white_field.gif \ wsignout.gif \ compare.png tmpdir=$(localstatedir)/tmp tmp_DATA = plotextractor_dummy.png EXTRA_DIST = $(img_DATA) $(tmp_DATA) CLEANFILES = *~ *.tmp diff --git a/modules/webstyle/img/pix.png b/modules/webstyle/img/pix.png new file mode 100644 index 000000000..0da93fd36 Binary files /dev/null and b/modules/webstyle/img/pix.png differ diff --git a/modules/webstyle/lib/httptest_webinterface.py b/modules/webstyle/lib/httptest_webinterface.py index 4943a6184..96b453ad3 100644 --- a/modules/webstyle/lib/httptest_webinterface.py +++ b/modules/webstyle/lib/httptest_webinterface.py @@ -1,91 +1,98 @@ ## This file is part of Invenio. ## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 CERN. ## ## Invenio is free software; you can redistribute it and/or ## modify it under the terms of the GNU General Public License as ## published by the Free Software Foundation; either version 2 of the ## License, or (at your option) any later version. ## ## Invenio is distributed in the hope that it will be useful, but ## WITHOUT ANY WARRANTY; without even the implied warranty of ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ## General Public License for more details. ## ## You should have received a copy of the GNU General Public License ## along with Invenio; if not, write to the Free Software Foundation, Inc., ## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. """ HTTP Test web interface. This is the place where to put helpers for regression tests related to HTTP (or WSGI or SSO). """ __revision__ = \ "$Id$" __lastupdated__ = """$Date$""" import cgi from invenio.config import CFG_SITE_URL from invenio.webpage import page from invenio.webinterface_handler import WebInterfaceDirectory from invenio.urlutils import redirect_to_url class WebInterfaceHTTPTestPages(WebInterfaceDirectory): - _exports = ["", "post1", "post2", "sso", "dumpreq"] + _exports = ["", "post1", "post2", "sso", "dumpreq", "whatismyip"] def __call__(self, req, form): redirect_to_url(req, CFG_SITE_URL + '/httptest/post1') index = __call__ def sso(self, req, form): """ For testing single sign-on """ req.add_common_vars() sso_env = {} for var, value in req.subprocess_env.iteritems(): if var.startswith('HTTP_ADFS_'): sso_env[var] = value out = "