GenericSetup handler for resetting Zope security to the defaults
Detailed description of the collective.securitycleanup Python project
WARNING: Back up your ZODB before using this package!
The Zope2 security framework is very powerful. Its power comes from its flexibility. Exposing that power to site administrators often ends up giving them enough rope to hang themselves with, and that is exactly what the "Security" tab in the ZMI does.

In many cases a site administrator or consultant is faced with the task of resetting all the security settings throughout a Zope instance, up and down the acquisition chain, in order to bring sanity and predictability back to a site. The collective.securitycleanup package provides a GenericSetup handler that restores role mappings and local roles to their default values. This handler can be combined with the existing handlers for setting role mappings and for reapplying workflow security settings, to help bootstrap a security cleanup.

The cleanup is performed on all ancestors, up to and including the Zope application root, and on all descendants, found by walking down the containment hierarchy. That is, every descendant of the context the handler is run with, and every ancestor of that context (including the root), is cleaned. Siblings, and anything else that is not a direct ancestor or descendant of the context, are not cleaned.

The cleanup deletes every permission setting stored on the instance itself, which effectively restores those permissions to the code defaults. It removes all local roles except the "Owner" role of the user returned by OFS.interfaces.IOwned.getOwnerTuple(), if that role is already assigned. If the object is CMF content with a creators field, the creator is synchronised with the owner. Finally, if the context is a CMF portal, the workflow role mappings are updated for the whole portal.

Using this tool is most likely only a starting point. So test it thoroughly before deploying to a production server, and back up your ZODB before using it.
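To make the scope of the walk and the Owner-preservation rule from the two paragraphs above concrete, here is an added example that is not the project's own code. It models the cleanup on a constructed in-memory tree: the `Node` class, `set_permission`, `build_sample_tree` and the report format are assumptions of this example. The only thing borrowed from Zope is its storage convention, which is what makes "delete whatever is stored on the instance" work: `manage_permission()` stores the roles of a permission in an attribute named like `_Copy_or_Move_Permission` (a list means "acquire from the parent", a tuple means "do not acquire"), and local roles live in the `__ac_local_roles__` dict. The workflow role-mapping update is left out. On a real site you would walk via `aq_parent`/`objectValues()` and call `manage_delLocalRoles()` rather than assigning the dict directly.

```python
import re


def permission_attr(name):
    # Same naming scheme Zope uses (AccessControl.Permission.pname):
    # 'Copy or Move' -> '_Copy_or_Move_Permission'
    return '_' + re.sub(r'[^A-Za-z0-9]', '_', name) + '_Permission'


class Node:
    """Constructed stand-in for a Zope object (not a real Zope class)."""

    def __init__(self, id, parent=None, owner=None, creators=None):
        self.id = id
        self.parent = parent
        self.children = {}
        self.owner = owner            # stand-in for getOwnerTuple(): (path, userid) or None
        self.creators = creators      # CMF 'creators' field; None for non-CMF objects
        self.__ac_local_roles__ = {}  # attribute name Zope itself uses for local roles
        if parent is not None:
            parent.children[id] = self

    def path(self):
        return '' if self.parent is None else self.parent.path() + '/' + self.id


def set_permission(node, permission, roles, acquire):
    # Zope convention: list = roles plus acquire, tuple = roles without acquire.
    setattr(node, permission_attr(permission), list(roles) if acquire else tuple(roles))


def permission_state(node, permission):
    """(acquire?, roles) stored on this instance, or None if it falls back
    to the code default, which is what the ZMI would show after cleanup."""
    value = getattr(node, permission_attr(permission), None)
    if value is None:
        return None
    return (isinstance(value, list), sorted(value))


def ancestors(node):
    while node is not None:
        yield node
        node = node.parent


def descendants(node):
    for child in node.children.values():
        yield child
        yield from descendants(child)


def cleanup_scope(context):
    """Objects the handler touches: every ancestor up to the root, then every
    descendant of the context.  Siblings are never visited."""
    return list(ancestors(context)) + list(descendants(context))


def cleanup_object(node):
    """Strip instance-level permission settings and local roles from one
    object, keeping only an Owner role already held by the actual owner."""
    report = {'permissions': [], 'local_roles': {}}
    for attr in [a for a in vars(node) if a.startswith('_') and a.endswith('_Permission')]:
        delattr(node, attr)
        report['permissions'].append(attr)
    owner_id = node.owner[1] if node.owner else None
    kept = {}
    for userid, roles in node.__ac_local_roles__.items():
        keep = ['Owner'] if (userid == owner_id and 'Owner' in roles) else []
        dropped = [r for r in roles if r not in keep]
        if keep:
            kept[userid] = keep
        if dropped:
            report['local_roles'][userid] = dropped
    node.__ac_local_roles__ = kept
    if node.creators is not None and owner_id is not None:
        node.creators = (owner_id,)   # sync CMF creator with the owner
    return report


def cleanup(context):
    """Run the cleanup over the whole scope; returns {path: what was removed}."""
    return {node.path() or '/': cleanup_object(node) for node in cleanup_scope(context)}


def build_sample_tree():
    """Constructed fixture mirroring the doctest below, plus a sibling folder
    that must be left alone.  Returns (app, portal)."""
    owner = ('/acl_users', 'portal_owner')
    app = Node('app')
    set_permission(app, 'Modify portal content', ['Authenticated', 'Manager'], acquire=False)
    app.__ac_local_roles__ = {'test_user_1_': ['Owner']}       # root has no owner tuple
    folder = Node('folder', app)
    set_permission(folder, 'Add portal content', ['Authenticated', 'Manager'], acquire=False)
    folder.__ac_local_roles__ = {'test_user_1_': ['Manager']}
    sibling = Node('sibling', app)
    sibling.__ac_local_roles__ = {'test_user_1_': ['Manager']}
    portal = Node('cmf', folder, owner=owner)
    set_permission(portal, 'Review portal content', ['Manager', 'Owner'], acquire=False)
    portal.__ac_local_roles__ = {'portal_owner': ['Owner'], 'test_user_1_': ['Member']}
    pfolder = Node('folder', portal, owner=owner)
    set_permission(pfolder, 'Add portal folders', ['Manager', 'Reviewer'], acquire=False)
    pfolder.__ac_local_roles__ = {'portal_owner': ['Owner'], 'test_user_1_': ['Reviewer']}
    doc = Node('document', pfolder, owner=owner, creators=('test_user_1_',))
    set_permission(doc, 'Copy or Move', ['Manager', 'Member'], acquire=False)
    doc.__ac_local_roles__ = {'portal_owner': ['Owner'], 'test_user_1_': ['Owner']}
    return app, portal


if __name__ == '__main__':
    app, portal = build_sample_tree()
    for path, removed in cleanup(portal).items():
        print(path, removed)
```

Running it with the portal as context reports the portal, `/folder` and `/` (the ancestors) and `/folder/cmf/folder` and its document (the descendants); `/sibling` keeps its Manager local role because it is neither. The root loses its `test_user_1_` Owner local role entirely, since the application object has no owner tuple to protect it, while the document keeps `portal_owner` and has its creator rewritten to match.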
Start with Modified Security Settings
Start with a Zope application in which some of the role mappings have been changed from the code defaults. The application also has local roles.
    >>> app
    <Application at >
    >>> app.permission_settings('Modify portal content')[0]['acquire']
    ''
    >>> app.rolesOfPermission('Modify portal content')
    [{'selected': '', 'name': 'Anonymous'},
     {'selected': 'SELECTED', 'name': 'Authenticated'},
     {'selected': 'SELECTED', 'name': 'Manager'},
     {'selected': '', 'name': 'Owner'}]
    >>> app.get_local_roles()
    (('test_user_1_', ('Owner',)),)
The application contains a folder in which some of the role mappings do not acquire and assign roles, and which likewise has local roles.
    >>> app.folder
    <Folder at /folder>
    >>> app.folder.permission_settings(
    ...     'Add portal content')[0]['acquire']
    ''
    >>> app.folder.rolesOfPermission('Add portal content')
    [{'selected': '', 'name': 'Anonymous'},
     {'selected': 'SELECTED', 'name': 'Authenticated'},
     {'selected': 'SELECTED', 'name': 'Manager'},
     {'selected': '', 'name': 'Owner'}]
    >>> app.folder.get_local_roles()
    (('test_user_1_', ('Manager',)),)
The folder in turn contains a CMF portal, which is where the setup handler will be applied. The portal itself also has changed security settings.
    >>> portal
    <CMFSite at /folder/cmf>
    >>> portal.permission_settings(
    ...     'Review portal content')[0]['acquire']
    ''
    >>> portal.rolesOfPermission('Review portal content')
    [{'selected': '', 'name': 'Anonymous'},
     {'selected': '', 'name': 'Authenticated'},
     {'selected': 'SELECTED', 'name': 'Manager'},
     {'selected': '', 'name': 'Member'},
     {'selected': 'SELECTED', 'name': 'Owner'},
     {'selected': '', 'name': 'Reviewer'}]
    >>> portal.get_local_roles()
    (('portal_owner', ('Owner',)), ('test_user_1_', ('Member',)))
The portal also contains a folder, which contains a document; both have modified security settings as well.
    >>> portal.folder
    <PortalFolder at /folder/cmf/folder>
    >>> portal.folder.permission_settings(
    ...     'Add portal folders')[0]['acquire']
    ''
    >>> portal.folder.rolesOfPermission('Add portal folders')
    [{'selected': '', 'name': 'Anonymous'},
     {'selected': '', 'name': 'Authenticated'},
     {'selected': 'SELECTED', 'name': 'Manager'},
     {'selected': '', 'name': 'Member'},
     {'selected': '', 'name': 'Owner'},
     {'selected': 'SELECTED', 'name': 'Reviewer'}]
    >>> portal.folder.get_local_roles()
    (('portal_owner', ('Owner',)), ('test_user_1_', ('Reviewer',)))

    >>> portal.folder.document
    <Document at /folder/cmf/folder/document>
    >>> portal.folder.document.permission_settings(
    ...     'Copy or Move')[0]['acquire']
    ''
    >>> portal.folder.document.rolesOfPermission('Copy or Move')
    [{'selected': '', 'name': 'Anonymous'},
     {'selected': '', 'name': 'Authenticated'},
     {'selected': 'SELECTED', 'name': 'Manager'},
     {'selected': 'SELECTED', 'name': 'Member'},
     {'selected': '', 'name': 'Owner'},
     {'selected': '', 'name': 'Reviewer'}]
    >>> portal.folder.document.get_local_roles()
    (('portal_owner', ('Owner',)), ('test_user_1_', ('Owner',)))
    >>> portal.folder.document.listCreators()
    ('test_user_1_',)
Run the Handler
The profile contains a collective.securitycleanup.txt file, which signals that the setup handler should be run for that profile.
    >>> import os
    >>> from collective import securitycleanup
    >>> os.path.exists(os.path.join(
    ...     os.path.dirname(securitycleanup.__file__),
    ...     "profiles", "default", "collective.securitycleanup.txt"))
    True
Import the profile.
    >>> portal.portal_setup.runAllImportStepsFromProfile(
    ...     'profile-collective.securitycleanup:default')
    {...collective.securitycleanup...
Security Settings are Restored to Defaults
Now the security settings on all of the objects have been restored to their defaults, with the Owner local roles preserved where appropriate.
    >>> app.permission_settings('Modify portal content')[0]['acquire']
    ''
    >>> app.rolesOfPermission('Modify portal content')
    [{'selected': '', 'name': 'Anonymous'},
     {'selected': '', 'name': 'Authenticated'},
     {'selected': 'SELECTED', 'name': 'Manager'},
     {'selected': '', 'name': 'Owner'}]
    >>> app.get_local_roles()
    ()

    >>> app.folder
    <Folder at /folder>
    >>> app.folder.permission_settings(
    ...     'Add portal content')[0]['acquire']
    'CHECKED'
    >>> app.folder.rolesOfPermission('Add portal content')
    [{'selected': '', 'name': 'Anonymous'},
     {'selected': '', 'name': 'Authenticated'},
     {'selected': 'SELECTED', 'name': 'Manager'},
     {'selected': '', 'name': 'Owner'}]
    >>> app.folder.get_local_roles()
    ()

    >>> portal
    <CMFSite at /folder/cmf>
    >>> portal.permission_settings(
    ...     'Review portal content')[0]['acquire']
    'CHECKED'
    >>> portal.rolesOfPermission('Review portal content')
    [{'selected': '', 'name': 'Anonymous'},
     {'selected': '', 'name': 'Authenticated'},
     {'selected': 'SELECTED', 'name': 'Manager'},
     {'selected': '', 'name': 'Member'},
     {'selected': '', 'name': 'Owner'},
     {'selected': '', 'name': 'Reviewer'}]
    >>> portal.get_local_roles()
    (('portal_owner', ('Owner',)),)

    >>> portal.folder
    <PortalFolder at /folder/cmf/folder>
    >>> portal.folder.permission_settings(
    ...     'Add portal folders')[0]['acquire']
    'CHECKED'
    >>> portal.folder.rolesOfPermission('Add portal folders')
    [{'selected': '', 'name': 'Anonymous'},
     {'selected': '', 'name': 'Authenticated'},
     {'selected': 'SELECTED', 'name': 'Manager'},
     {'selected': '', 'name': 'Member'},
     {'selected': '', 'name': 'Owner'},
     {'selected': '', 'name': 'Reviewer'}]
    >>> portal.folder.get_local_roles()
    (('portal_owner', ('Owner',)),)

    >>> portal.folder.document
    <Document at /folder/cmf/folder/document>
    >>> portal.folder.document.permission_settings(
    ...     'Copy or Move')[0]['acquire']
    'CHECKED'
    >>> portal.folder.document.rolesOfPermission('Copy or Move')
    [{'selected': '', 'name': 'Anonymous'},
     {'selected': '', 'name': 'Authenticated'},
     {'selected': 'SELECTED', 'name': 'Manager'},
     {'selected': '', 'name': 'Member'},
     {'selected': '', 'name': 'Owner'},
     {'selected': '', 'name': 'Reviewer'}]
    >>> portal.folder.document.get_local_roles()
    (('portal_owner', ('Owner',)),)
    >>> portal.folder.document.listCreators()
    ('portal_owner',)
    >>> portal.folder.document.rolesOfPermission('View')
    [{'selected': '', 'name': 'Anonymous'},
     {'selected': '', 'name': 'Authenticated'},
     {'selected': 'SELECTED', 'name': 'Manager'},
     {'selected': '', 'name': 'Member'},
     {'selected': 'SELECTED', 'name': 'Owner'},
     {'selected': '', 'name': 'Reviewer'}]