changeset 183:e54c4a0d0da1

replace cfg.superusers list by ACL 'superuser' capability. We just call user.may.superuser(u'') for now (u'' is a fake, non-existing item name). We'll need to make another change to the way this works later, as the ACL it checks right now is the CONTENT ACL (before, item/default, after). We should rather have another ACL for this later, to have a clean separation between content ACLs and view/action ACLs.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Fri, 22 Apr 2011 21:30:51 +0200
parents 97f2ff32c92f
children 8d574f93a6ef
files MoinMoin/_tests/__init__.py MoinMoin/apps/admin/views.py MoinMoin/config/__init__.py MoinMoin/config/default.py MoinMoin/user.py docs/admin/upgrade.rst docs/examples/config/wikiconfig.py
diffstat 7 files changed, 8 insertions(+), 36 deletions(-) [+]
--- a/MoinMoin/_tests/__init__.py	Fri Apr 22 18:51:05 2011 +0200
+++ b/MoinMoin/_tests/__init__.py	Fri Apr 22 21:30:51 2011 +0200
@@ -41,18 +41,6 @@
     flaskg.user.auth_method = app.cfg.auth_methods_trusted[0]
 
 
-def become_superuser(username=u"SuperUser"):
-    """ modify flaskg.user so it is in the superusers list,
-        also make the user valid (see notes in become_valid()),
-        also make the user trusted (and thus in "Trusted" ACL pseudo group).
-
-        Note: being superuser is completely unrelated to ACL rights,
-              especially it is not related to ACL admin rights.
-    """
-    become_trusted(username)
-    if username not in app.cfg.superusers:
-        app.cfg.superusers.append(username)
-
 # Creating and destroying test items --------------------------------
 def update_item(name, revno, meta, data):
     """ creates or updates an item  """
--- a/MoinMoin/apps/admin/views.py	Fri Apr 22 18:51:05 2011 +0200
+++ b/MoinMoin/apps/admin/views.py	Fri Apr 22 21:30:51 2011 +0200
@@ -34,7 +34,7 @@
     """
     User Account Browser
     """
-    if not flaskg.user or not flaskg.user.isSuperUser():
+    if not flaskg.user.may.superuser(u''):
         abort(403)
 
     groups = flaskg.groups
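Review bot: The new guard `if not flaskg.user.may.superuser(u'')` drops the validity test that the removed `isSuperUser()` carried (`self.valid and self.name and ...`), so access now depends only on how the ACL evaluates for the placeholder item name. Unless `may.superuser` enforces validity itself (not visible in this commit), an ACL entry that matches anonymous or not-yet-valid users would open these admin views; consider `if not (flaskg.user.valid and flaskg.user.may.superuser(u'')):`. The old `not flaskg.user` guard is gone too, so if `flaskg.user` can ever be unset the request would fail with an attribute error instead of a 403. The identical line appears in the hunks at -56, -100, -125 and -172; a single decorator or helper would keep the five checks from drifting apart, with a comment such as `# u'' is a deliberately non-existent item name, see changeset description`. The view function this guard belongs to starts above the hunk.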
@@ -56,7 +56,7 @@
     """
     Set values in user profile
     """
-    if not flaskg.user or not flaskg.user.isSuperUser():
+    if not flaskg.user.may.superuser(u''):
         abort(403)
 
     uid = user.getUserId(user_name)
@@ -100,7 +100,7 @@
 
 @admin.route('/sysitems_upgrade', methods=['GET', 'POST', ])
 def sysitems_upgrade():
-    if not flaskg.user or not flaskg.user.isSuperUser():
+    if not flaskg.user.may.superuser(u''):
         abort(403)
 
     from MoinMoin.storage.backends import upgrade_sysitems
@@ -125,7 +125,7 @@
 
 @admin.route('/wikiconfig', methods=['GET', ])
 def wikiconfig():
-    if not flaskg.user or not flaskg.user.isSuperUser():
+    if not flaskg.user.may.superuser(u''):
         abort(403)
 
     settings = {}
@@ -172,7 +172,7 @@
 
 @admin.route('/wikiconfighelp', methods=['GET', ])
 def wikiconfighelp():
-    if not flaskg.user or not flaskg.user.isSuperUser():
+    if not flaskg.user.may.superuser(u''):
         abort(403)
 
     def format_default(default):
--- a/MoinMoin/config/__init__.py	Fri Apr 22 18:51:05 2011 +0200
+++ b/MoinMoin/config/__init__.py	Fri Apr 22 21:30:51 2011 +0200
@@ -61,12 +61,13 @@
 
 
 # ACL rights that are valid in moin2
+SUPERUSER = 'superuser'
 ADMIN = 'admin'
 READ = 'read'
 WRITE = 'write'
 CREATE = 'create'
 DESTROY = 'destroy'
-ACL_RIGHTS_VALID = [READ, WRITE, CREATE, ADMIN, DESTROY, ]
+ACL_RIGHTS_VALID = [READ, WRITE, CREATE, ADMIN, DESTROY, SUPERUSER, ]
 
 # metadata keys
 UUID = "uuid"
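Review bot: `SUPERUSER` is appended to `ACL_RIGHTS_VALID` under the comment "ACL rights that are valid in moin2" with nothing marking it as different from the per-item content rights. Any code outside this hunk that iterates the list to grant, parse or display "all rights" would now include site-wide administration, which is worth auditing before release. A comment on the constant would make the distinction explicit, e.g. `# SUPERUSER is a site-wide capability checked by the admin views, not a per-item content right`. It is also worth confirming that an ACL stored on an individual item cannot usefully grant it, since the admin views in this commit test it against a placeholder item name.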
--- a/MoinMoin/config/default.py	Fri Apr 22 18:51:05 2011 +0200
+++ b/MoinMoin/config/default.py	Fri Apr 22 21:30:51 2011 +0200
@@ -69,12 +69,6 @@
         self.cache.item_dict_regexact = re.compile(u'^%s$' % self.item_dict_regex, re.UNICODE)
         self.cache.item_group_regexact = re.compile(u'^%s$' % self.item_group_regex, re.UNICODE)
 
-        if not isinstance(self.superusers, list):
-            msg = """The superusers setting in your wiki configuration is not
-                    a list (e.g. ['Sample User', 'AnotherUser']).  Please change
-                    it in your wiki configuration and try again."""
-            raise error.ConfigurationError(msg)
-
         plugins._loadPluginModule(self)
 
         if self.user_defaults['timezone'] is None:
@@ -195,7 +189,7 @@
             'interwiki_preferred',
             'item_root', 'item_license', 'mail_from',
             'item_dict_regex', 'item_group_regex',
-            'superusers', 'textchas_disabled_group', 'supplementation_item_names', 'html_pagetitle',
+            'textchas_disabled_group', 'supplementation_item_names', 'html_pagetitle',
             'theme_default', 'timezone_default', 'locale_default',
         )
 
@@ -293,8 +287,6 @@
   )),
   # ==========================================================================
   'auth': ('Authentication / Authorization / Security settings', None, (
-    ('superusers', [],
-     "List of trusted user names [Unicode] with wiki system administration super powers (not to be confused with ACL admin rights!). Used for e.g. software installation, language installation via SystemPagesSetup and more. See also HelpOnSuperUser."),
     ('auth', DefaultExpression('[MoinAuth()]'),
      "list of auth objects, to be called in this order (see HelpOnAuthentication)"),
     ('auth_methods_trusted', ['http', 'given', ], # Note: 'http' auth method is currently just a redirect to 'given'
--- a/MoinMoin/user.py	Fri Apr 22 18:51:05 2011 +0200
+++ b/MoinMoin/user.py	Fri Apr 22 21:30:51 2011 +0200
@@ -720,10 +720,6 @@
         """ Check if this user object is the user doing the current request """
         return flaskg.user.name == self.name
 
-    def isSuperUser(self):
-        """ Check if this user is superuser """
-        return self.valid and self.name and self.name in app.cfg.superusers
-
     def host(self):
         """ Return user host """
         host = self.isCurrentUser() and self._cfg.show_hosts and request.remote_addr
--- a/docs/admin/upgrade.rst	Fri Apr 22 18:51:05 2011 +0200
+++ b/docs/admin/upgrade.rst	Fri Apr 22 21:30:51 2011 +0200
@@ -64,7 +64,6 @@
     mail_sendmail = ...
     mail_from = ...
     mail_login = ...
-    superusers = ...
     # XXX default_markup must be 'wiki' right now
     page_category_regex = ... # XXX check
     data_dir = ... # same as in 1.9, user profiles must be in data_dir/user
--- a/docs/examples/config/wikiconfig.py	Fri Apr 22 18:51:05 2011 +0200
+++ b/docs/examples/config/wikiconfig.py	Fri Apr 22 21:30:51 2011 +0200
@@ -66,10 +66,6 @@
 
     # Security ----------------------------------------------------------
 
-    # This is checked by some rather critical and potentially harmful actions,
-    # like despam or PackageInstaller action:
-    #superusers = [u"YourName", ]
-
     # The default (ENABLED) password_checker will keep users from choosing too
     # short or too easy passwords. If you don't like this and your site has
     # rather low security requirements, feel free to DISABLE the checker by: