diff --git a/users_ldap_groups/__init__.py b/users_ldap_groups/__init__.py index d359182a2..4db4e4cb2 100644 --- a/users_ldap_groups/__init__.py +++ b/users_ldap_groups/__init__.py @@ -19,4 +19,4 @@ # ############################################################################## -import users_ldap_groups +import users_ldap_groups # noqa diff --git a/users_ldap_groups/__openerp__.py b/users_ldap_groups/__openerp__.py index 190917a88..9b63fec86 100644 --- a/users_ldap_groups/__openerp__.py +++ b/users_ldap_groups/__openerp__.py @@ -30,13 +30,13 @@ Adds user accounts to groups based on rules defined by the administrator. Usage: -Define mappings in Settings->Companies->[your company]->tab configuration->[your -ldap server]. +Define mappings in Settings->Companies->[your company]->tab configuration->[ +your ldap server]. Decide whether you want only groups mapped from ldap (Only ldap groups=y) or a -mix of manually set groups and ldap groups (Only ldap groups=n). Setting this to -'no' will result in users never losing privileges when you remove them from a -ldap group, so that's a potential security issue. It is still the default to +mix of manually set groups and ldap groups (Only ldap groups=n). Setting this +to 'no' will result in users never losing privileges when you remove them from +a ldap group, so that's a potential security issue. It is still the default to prevent losing group information by accident. For active directory, use LDAP attribute 'memberOf' and operator 'contains'. diff --git a/users_ldap_groups/users_ldap_groups.py b/users_ldap_groups/users_ldap_groups.py index bca79a05a..5dcdaed31 100644 --- a/users_ldap_groups/users_ldap_groups.py +++ b/users_ldap_groups/users_ldap_groups.py @@ -19,18 +19,20 @@ # ############################################################################## -from openerp.osv import fields, orm +from openerp import models +from openerp import fields +from openerp import api import logging import users_ldap_groups_operators import inspect -class CompanyLDAPGroupMapping(orm.Model): +class CompanyLDAPGroupMapping(models.Model): _name = 'res.company.ldap.group_mapping' _rec_name = 'ldap_attribute' _order = 'ldap_attribute' - def _get_operators(self, cr, uid, context=None): + def _get_operators(self): operators = [] members = inspect.getmembers( users_ldap_groups_operators, @@ -41,49 +43,47 @@ class CompanyLDAPGroupMapping(orm.Model): operators.append((name, name)) return tuple(operators) - _columns = { - 'ldap_id': fields.many2one('res.company.ldap', 'LDAP server', required=True), - 'ldap_attribute': fields.char( - 'LDAP attribute', size=64, - help='The LDAP attribute to check.\n' - 'For active directory, use memberOf.'), - 'operator': fields.selection( - _get_operators, 'Operator', - help='The operator to check the attribute against the value\n' - 'For active directory, use \'contains\'', required=True), - 'value': fields.char( - 'Value', size=1024, - help='The value to check the attribute against.\n' - 'For active directory, use the dn of the desired group', - required=True), - 'group': fields.many2one( - 'res.groups', 'OpenERP group', - help='The OpenERP group to assign', required=True), - } + ldap_id = fields.Many2one('res.company.ldap', 'LDAP server', required=True) + ldap_attribute = fields.Char( + 'LDAP attribute', size=64, + help='The LDAP attribute to check.\n' + 'For active directory, use memberOf.') + operator = fields.Selection( + _get_operators, 'Operator', + help='The operator to check the attribute against the value\n' + 'For active directory, use \'contains\'', required=True) + value = fields.Char( + 'Value', size=1024, + help='The value to check the attribute against.\n' + 'For active directory, use the dn of the desired group', + required=True) + group = fields.Many2one( + 'res.groups', 'OpenERP group', + help='The OpenERP group to assign', required=True) -class CompanyLDAP(orm.Model): +class CompanyLDAP(models.Model): _inherit = 'res.company.ldap' - _columns = { - 'group_mappings': fields.one2many( - 'res.company.ldap.group_mapping', - 'ldap_id', 'Group mappings', - help='Define how OpenERP groups are assigned to ldap users'), - 'only_ldap_groups': fields.boolean( - 'Only ldap groups', - help='If this is checked, manual changes to group membership are ' - 'undone on every login (so OpenERP groups are always synchronous ' - 'with LDAP groups). If not, manually added groups are preserved.') - } + group_mappings = fields.One2many( + 'res.company.ldap.group_mapping', + 'ldap_id', 'Group mappings', + help='Define how OpenERP groups are assigned to ldap users') + only_ldap_groups = fields.Boolean( + 'Only ldap groups', + help='If this is checked, manual changes to group membership are ' + 'undone on every login (so OpenERP groups are always synchronous ' + 'with LDAP groups). If not, manually added groups are preserved.') _default = { 'only_ldap_groups': False, } - def get_or_create_user(self, cr, uid, conf, login, ldap_entry, context=None): - user_id = super(CompanyLDAP, self).get_or_create_user(cr, uid, conf, login, - ldap_entry, context) + @api.multi + def get_or_create_user(self, cr, uid, conf, login, ldap_entry, + context=None): + user_id = super(CompanyLDAP, self).get_or_create_user( + cr, uid, conf, login, ldap_entry, context) if not user_id: return user_id logger = logging.getLogger('users_ldap_groups') @@ -92,11 +92,13 @@ class CompanyLDAP(orm.Model): conf_all = self.read(cr, uid, conf['id'], ['only_ldap_groups']) if(conf_all['only_ldap_groups']): logger.debug('deleting all groups from user %d' % user_id) - userobj.write(cr, uid, [user_id], {'groups_id': [(5, )]}, context=context) + userobj.write( + cr, uid, [user_id], {'groups_id': [(5, )]}, context=context) for mapping in mappingobj.read(cr, uid, mappingobj.search( cr, uid, [('ldap_id', '=', conf['id'])]), []): - operator = getattr(users_ldap_groups_operators, mapping['operator'])() + operator = getattr(users_ldap_groups_operators, + mapping['operator'])() logger.debug('checking mapping %s' % mapping) if operator.check_value(ldap_entry, mapping['ldap_attribute'], mapping['value'], conf, self, logger): diff --git a/users_ldap_groups/users_ldap_groups_operators.py b/users_ldap_groups/users_ldap_groups_operators.py index 4de745fbf..e4354a825 100644 --- a/users_ldap_groups/users_ldap_groups_operators.py +++ b/users_ldap_groups/users_ldap_groups_operators.py @@ -26,22 +26,28 @@ class LDAPOperator: class contains(LDAPOperator): - def check_value(self, ldap_entry, attribute, value, ldap_config, company, logger): - return (attribute in ldap_entry[1]) and (value in ldap_entry[1][attribute]) + def check_value(self, ldap_entry, attribute, value, ldap_config, company, + logger): + return (attribute in ldap_entry[1]) and \ + (value in ldap_entry[1][attribute]) class equals(LDAPOperator): - def check_value(self, ldap_entry, attribute, value, ldap_config, company, logger): - return attribute in ldap_entry[1] and unicode(value) == unicode(ldap_entry[1][attribute]) + def check_value(self, ldap_entry, attribute, value, ldap_config, company, + logger): + return attribute in ldap_entry[1] and \ + unicode(value) == unicode(ldap_entry[1][attribute]) class query(LDAPOperator): - def check_value(self, ldap_entry, attribute, value, ldap_config, company, logger): + def check_value(self, ldap_entry, attribute, value, ldap_config, company, + logger): query_string = Template(value).safe_substitute(dict( [(attr, ldap_entry[1][attribute][0]) for attr in ldap_entry[1]] ) ) - logger.debug('evaluating query group mapping, filter: %s' % query_string) + logger.debug('evaluating query group mapping, filter: %s' % + query_string) results = company.query(ldap_config, query_string) logger.debug(results) return bool(results)