Merge pull request #147 from plone/local-roles
api.user.get_roles(): add the option to ignore inherited roles
commit
edb226ae3b
|
@ -323,6 +323,58 @@ class TestPloneApiUser(unittest.TestCase):
|
|||
with self.assertRaises(UserNotFoundError):
|
||||
api.user.get_roles(username='theurbanspaceman')
|
||||
|
||||
def test_get_roles_in_context(self):
|
||||
"""Test get local and inherited roles for a user on an object"""
|
||||
api.user.create(
|
||||
username='chuck',
|
||||
email='chuck@norris.org',
|
||||
password='secret',
|
||||
)
|
||||
|
||||
portal = api.portal.get()
|
||||
folder = api.content.create(
|
||||
container=portal,
|
||||
type='Folder',
|
||||
id='folder_one',
|
||||
title='Folder One',
|
||||
)
|
||||
document = api.content.create(
|
||||
container=folder,
|
||||
type='Document',
|
||||
id='document_one',
|
||||
title='Document One',
|
||||
)
|
||||
api.user.grant_roles(username='chuck', roles=['Editor'], obj=folder)
|
||||
self.assertIn(
|
||||
'Editor', api.user.get_roles(username='chuck', obj=document))
|
||||
|
||||
def test_get_roles_local_only(self):
|
||||
"""Test get local roles for a user on an object"""
|
||||
api.user.create(
|
||||
username='chuck',
|
||||
email='chuck@norris.org',
|
||||
password='secret',
|
||||
)
|
||||
|
||||
portal = api.portal.get()
|
||||
folder = api.content.create(
|
||||
container=portal,
|
||||
type='Folder',
|
||||
id='folder_one',
|
||||
title='Folder One',
|
||||
)
|
||||
document = api.content.create(
|
||||
container=folder,
|
||||
type='Document',
|
||||
id='document_one',
|
||||
title='Document One',
|
||||
)
|
||||
api.user.grant_roles(username='chuck', roles=['Editor'], obj=folder)
|
||||
self.assertNotIn(
|
||||
'Editor',
|
||||
api.user.get_roles(username='chuck', obj=document, inherit=False),
|
||||
)
|
||||
|
||||
def test_get_permissions_root(self):
|
||||
"""Test get permissions on site root."""
|
||||
|
||||
|
@ -566,6 +618,10 @@ class TestPloneApiUser(unittest.TestCase):
|
|||
'Editor',
|
||||
api.user.get_roles(username='chuck', obj=folder),
|
||||
)
|
||||
self.assertEqual(
|
||||
('Editor',),
|
||||
api.user.get_roles(username='chuck', obj=folder, inherit=False),
|
||||
)
|
||||
self.assertIn(
|
||||
'Editor',
|
||||
api.user.get_roles(user=user, obj=folder),
|
||||
|
|
|
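Review bot: Neither test hunk exercises `inherit=False` together with `user=`; every new assertion that sets `inherit=False` passes `username='chuck'`. That is the combination `grant_roles` uses after this commit (`get_roles(user=user, obj=obj, inherit=False)`), so the path that decides which existing local roles are kept is untested. Next to the existing `user=user` assertion in the second hunk, add `self.assertEqual(('Editor',), api.user.get_roles(user=user, obj=folder, inherit=False))`. The test method enclosing the second hunk starts and ends outside the hunk.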
@ -199,7 +199,7 @@ def is_anonymous():
|
|||
|
||||
|
||||
@mutually_exclusive_parameters('username', 'user')
|
||||
def get_roles(username=None, user=None, obj=None):
|
||||
def get_roles(username=None, user=None, obj=None, inherit=True):
|
||||
"""Get user's site-wide or local roles.
|
||||
|
||||
Arguments ``username`` and ``user`` are mutually exclusive. You
|
||||
|
@ -213,6 +213,9 @@ def get_roles(username=None, user=None, obj=None):
|
|||
:param obj: If obj is set then return local roles on this context.
|
||||
If obj is not given, the site root local roles will be returned.
|
||||
:type obj: content object
|
||||
:param inherit: if obj is set and inherit is False, only return
|
||||
local roles
|
||||
:type inherit: bool
|
||||
:raises:
|
||||
MissingParameterError
|
||||
:Example: :ref:`user_get_roles_example`
|
||||
|
@ -229,7 +232,13 @@ def get_roles(username=None, user=None, obj=None):
|
|||
if user is None:
|
||||
raise UserNotFoundError
|
||||
|
||||
return user.getRolesInContext(obj) if obj is not None else user.getRoles()
|
||||
if obj is not None:
|
||||
if inherit:
|
||||
return user.getRolesInContext(obj)
|
||||
else:
|
||||
return obj.get_local_roles_for_userid(username)
|
||||
else:
|
||||
return user.getRoles()
|
||||
|
||||
|
||||
@contextmanager
|
||||
|
@ -309,7 +318,7 @@ def grant_roles(username=None, user=None, obj=None, roles=None):
|
|||
if 'Anonymous' in roles or 'Authenticated' in roles:
|
||||
raise InvalidParameterError
|
||||
|
||||
roles.extend(get_roles(user=user, obj=obj))
|
||||
roles.extend(get_roles(user=user, obj=obj, inherit=False))
|
||||
|
||||
if obj is None:
|
||||
user.setSecurityProfile(roles=roles)
|
||||
|
|
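Review bot: In `get_roles`, the `inherit=False` branch calls `obj.get_local_roles_for_userid(username)`, but `username` and `user` are mutually exclusive, so a caller that passes `user=` reaches this line with `username=None` unless it is assigned in the part of the body outside the hunk. `grant_roles` in the last hunk is such a caller, so the user's existing local roles would presumably come back empty and be missing from the role list that is then written back. Look the roles up by the resolved member's id instead: `return obj.get_local_roles_for_userid(user.getId())`. The `:param inherit:` text should also state that only roles assigned directly to the user id on `obj` are returned, which likely excludes local roles held through a group, so the result is not a complete answer for an access decision.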