Require special privileges (controlled by canViewGroup) to view groups matched by privileged_view_groups in app.cfg (ex. ^cla_.*).

Ricky Zhou (周家杰) 2007-09-07 21:13:18 -07:00
parent be7a9278f0
commit c71113d07d
4 changed files with 53 additions and 20 deletions


@ -5,6 +5,8 @@ from fas.fasLDAP import Person
from fas.fasLDAP import Groups from fas.fasLDAP import Groups
from fas.fasLDAP import UserGroup from fas.fasLDAP import UserGroup
import re
ADMINGROUP = config.get('admingroup') ADMINGROUP = config.get('admingroup')
def isAdmin(userName, g=None): def isAdmin(userName, g=None):
@ -79,6 +81,20 @@ def canEditGroup(userName, groupName, g=None):
else: else:
return False return False
def canViewGroup(userName, groupName, g=None):
# If the group matched by privileged_view_groups, then
# only people that can admin the group can view it
privilegedViewGroups = config.get('privileged_view_groups')
if re.compile(privilegedViewGroups).match(groupName):
if not g:
g = Groups.byUserName(userName)
if canAdminGroup(userName, groupName):
return True
else:
return False
else:
return True
def canApplyGroup(userName, groupName, applyUserName, g=None): def canApplyGroup(userName, groupName, applyUserName, g=None):
# This is where we could make groups depend on other ones. # This is where we could make groups depend on other ones.
if not g: if not g:
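Review bot: In `canViewGroup` the pattern is matched case-sensitively against the raw `groupName`, so if the directory resolves group names case-insensitively (not visible here, but common for an LDAP `cn`), a differently-cased name would skip the privileged branch and reach the final `return True`. Confirm how `Groups` looks names up, then normalise the name or compile the pattern with `re.IGNORECASE`. `config.get('privileged_view_groups')` presumably returns None when the key is missing from app.cfg, and `re.compile(None)` raises, so the missing-key case should be handled explicitly, e.g. `if not privilegedViewGroups: return True`. The result of `g = Groups.byUserName(userName)` is never used, since it is not passed on to `canAdminGroup(userName, groupName)`, so that lookup is wasted on every privileged match.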


@ -130,6 +130,8 @@ identity.provider='safas2'
# identity.soprovider.encryption_algorithm=None # identity.soprovider.encryption_algorithm=None
privileged_view_groups = "(^cla_.*)"
# compress the data sends to the web browser # compress the data sends to the web browser
# [/] # [/]
# gzip_filter.on = True # gzip_filter.on = True


@ -83,24 +83,30 @@ class Group(controllers.Controller):
@identity.require(turbogears.identity.not_anonymous()) @identity.require(turbogears.identity.not_anonymous())
def view(self, groupName): def view(self, groupName):
'''View group''' '''View group'''
groups = Groups.byGroupName(groupName, includeUnapproved=True)
group = Groups.groups(groupName)[groupName]
userName = turbogears.identity.current.user_name userName = turbogears.identity.current.user_name
try: if not canViewGroup(userName, groupName):
myStatus = groups[userName].fedoraRoleStatus turbogears.flash(_("You cannot view '%s'") % groupName)
except KeyError: turbogears.redirect('/group/list')
# Not in group return dict()
myStatus = 'Not a Member' # This _has_ to stay 'Not a Member' else:
except TypeError: groups = Groups.byGroupName(groupName, includeUnapproved=True)
groups = {} group = Groups.groups(groupName)[groupName]
try: userName = turbogears.identity.current.user_name
me = groups[userName] try:
except: myStatus = groups[userName].fedoraRoleStatus
me = UserGroup() except KeyError:
#searchUserForm.groupName.display('group') # Not in group
#findUser.groupName.display(value='fff') myStatus = 'Not a Member' # This _has_ to stay 'Not a Member'
value = {'groupName': groupName} except TypeError:
return dict(userName=userName, groups=groups, group=group, me=me, value=value) groups = {}
try:
me = groups[userName]
except:
me = UserGroup()
#searchUserForm.groupName.display('group')
#findUser.groupName.display(value='fff')
value = {'groupName': groupName}
return dict(userName=userName, groups=groups, group=group, me=me, value=value)
@expose(template="fas.templates.group.new") @expose(template="fas.templates.group.new")
@identity.require(turbogears.identity.not_anonymous()) @identity.require(turbogears.identity.not_anonymous())
@ -341,7 +347,13 @@ class Group(controllers.Controller):
@error_handler(error) @error_handler(error)
@expose(template="genshi-text:fas.templates.group.dump", format="text", content_type='text/plain; charset=utf-8') @expose(template="genshi-text:fas.templates.group.dump", format="text", content_type='text/plain; charset=utf-8')
@identity.require(turbogears.identity.not_anonymous()) @identity.require(turbogears.identity.not_anonymous())
def dump(self, groupName=None): def dump(self, groupName):
groups = Groups.byGroupName(groupName) userName = turbogears.identity.current.user_name
return dict(groups=groups, Person=Person) if not canViewGroup(userName, groupName):
turbogears.flash(_("You cannot view '%s'") % groupName)
turbogears.redirect('/group/list')
return dict()
else:
groups = Groups.byGroupName(groupName)
return dict(groups=groups, Person=Person)
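Review bot: `dump` is exposed as `text/plain`, yet a denied request gets a flash message and a redirect to `/group/list`, so a non-browser client will likely follow the redirect and receive the HTML list page instead of a clear refusal; an explicit 403 response would suit this endpoint better. In both `view` and `dump` the `return dict()` after `turbogears.redirect(...)` looks unreachable if redirect raises, as I believe it does in TurboGears 1.x, and could be dropped or commented. In `view` the new side assigns `userName = turbogears.identity.current.user_name` twice, once before the check and again inside the `else:`; the second can go. The check covers only these two actions, so any other action in `Group` that returns membership data (outside this diff) would need the same guard.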


@ -7,6 +7,7 @@
<title>Groups List</title> <title>Groups List</title>
</head> </head>
<body> <body>
<?python from fas import auth ?>
<h2>List (${search})</h2> <h2>List (${search})</h2>
<h3>Search Groups</h3> <h3>Search Groups</h3>
<form method="get" action="${tg.url('/group/list')}"> <form method="get" action="${tg.url('/group/list')}">
@ -28,6 +29,7 @@
</thead> </thead>
<tbody> <tbody>
<tr py:for="group in sorted(groups.keys())"> <tr py:for="group in sorted(groups.keys())">
<div py:if="auth.canViewGroup(tg.identity.user.user_name, groups[group].cn)" py:strip="">
<td><a href="${tg.url('/group/view/%s' % groups[group].cn)}">${groups[group].cn}</a></td> <td><a href="${tg.url('/group/view/%s' % groups[group].cn)}">${groups[group].cn}</a></td>
<td>${groups[group].fedoraGroupDesc}</td> <td>${groups[group].fedoraGroupDesc}</td>
<td> <td>
@ -37,6 +39,7 @@
</a> </a>
<a py:if="groups[group].cn not in myGroups" href="${tg.url('/group/apply/%s/%s' % (groups[group].cn, tg.identity.user.user_name))}"><span>Apply</span></a> <a py:if="groups[group].cn not in myGroups" href="${tg.url('/group/apply/%s/%s' % (groups[group].cn, tg.identity.user.user_name))}"><span>Apply</span></a>
</td> </td>
</div>
</tr> </tr>
</tbody> </tbody>
</table> </table>
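Review bot: The `py:if` sits on a stripped `<div>` inside `<tr py:for=...>`, so a group the user may not view still produces an empty `<tr>`, which reveals how many hidden groups matched the search and leaves blank rows in the table. Putting the condition on the row itself avoids that: `<tr py:for="group in sorted(groups.keys())" py:if="auth.canViewGroup(tg.identity.user.user_name, groups[group].cn)">`. Filtering in the template also means the controller still hands every group to the view, and `canViewGroup` runs once per row with a `Groups.byUserName` lookup for each privileged match. Filtering the dict in the `list` action (not shown in this diff) would keep the authorization decision in one place.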