view MoinMoin/userprefs/ @ 2363:a73c99c076c2

clean up suid prefs
author Johannes Berg <johannes AT sipsolutions DOT net>
date Thu, 12 Jul 2007 11:39:04 +0200
parents 22749e92a461
children 5fc0717a060f
line wrap: on
line source
# -*- coding: iso-8859-1 -*-
    MoinMoin - switch user form

    @copyright: 2001-2004 Juergen Hermann <>,
                2003-2007 MoinMoin:ThomasWaldmann
                2007      MoinMoin:JohannesBerg
    @license: GNU GPL, see COPYING for details.

from MoinMoin import user, util, wikiutil
from MoinMoin.widget import html
from MoinMoin.userprefs import UserPrefBase

class Settings(UserPrefBase):
    def __init__(self, request):
        """ Initialize setuid settings form. """
        UserPrefBase.__init__(self, request)
        self.request = request
        self._ = request.getText
        self.cfg = request.cfg
        self.title = self._("Switch user")

    def _is_super_user(self):
        return (self.request.user.isSuperUser() or
                (not self.request._setuid_real_user is None
                 and (self.request._setuid_real_user.isSuperUser())))

    allowed = _is_super_user

    def handle_form(self):
        _ = self._
        form = self.request.form

        if form.has_key('cancel'):

        if (wikiutil.checkTicket(self.request, self.request.form['ticket'][0]) and
            self.request.request_method == 'POST' and self._is_super_user()):
            su_user = form.get('selected_user', [''])[0]
            uid = user.getUserId(self.request, su_user)
            if not uid:
                return _("No user selected")
            if (not self.request._setuid_real_user is None
                and uid ==
                del self.request.session['setuid']
                self.request.user = self.request._setuid_real_user
                self.request._setuid_real_user = None
                theuser = user.User(self.request, uid, auth_method='setuid')
                theuser.disabled = None
                self.request.session['setuid'] = uid
                self.request._setuid_real_user = self.request.user
                # now continue as the other user
                self.request.user = theuser
            return  _("You can now change the settings of the selected user account; log out to get back to your account.")
            return None

    def _user_select(self):
        options = []
        users = user.getUserList(self.request)
        realuid = None
        if hasattr(self.request, '_setuid_real_user') and self.request._setuid_real_user:
            realuid =
            realuid =
        for uid in users:
            if uid != realuid:
                name = user.User(self.request, id=uid).name # + '/' + uid # for debugging
                options.append((name, name))

        size = min(5, len(options))
        current_user =
        return util.web.makeSelection('selected_user', options, current_user, size=size)

    def _make_form(self):
        """ Create the FORM, and the TABLE with the input fields
        sn = self.request.getScriptname()
        pi = self.request.getPathinfo()
        action = u"%s%s" % (sn, pi)
        self._form = html.FORM(action=action)

        # Use the user interface language and direction
        lang_attr = self.request.theme.ui_lang_attr()
        self._form.append(html.Raw('<div class="userpref"%s>' % lang_attr))

        self._form.append(html.INPUT(type="hidden", name="action", value="userprefs"))
        self._form.append(html.INPUT(type="hidden", name="handler", value="suid"))

    def create_form(self):
        """ Create the complete HTML form code. """
        _ = self._

        if (self.request.user.isSuperUser() or
            (not self.request._setuid_real_user is None and
            ticket = wikiutil.createTicket(self.request)
                              html.Text(_('As the superuser, you can temporarily '
                                          'assume the identity of another user.'))))
            self._form.append(html.INPUT(type="hidden", name="ticket", value="%s" % ticket))
            self._form.append(html.INPUT(type="submit", name="select_user",
                                         value=_('Select User')))
            self._form.append(html.Text(' '))
            self._form.append(html.INPUT(type="submit", name="cancel",
            return unicode(self._form)

        return u''