Package s3 :: Module s3aaa :: Class AuthS3

Class AuthS3


gluon.tools.Auth --+
                   |
                  AuthS3


S3 extensions of the gluon.tools.Auth class

- override:
    - __init__
    - define_tables
    - login_bare
    - set_cookie
    - login
    - register
    - email_reset_password
    - verify_email
    - profile
    - has_membership
    - requires_membership

- S3 extension for user registration:
    - s3_register_validation
    - s3_user_register_onaccept

- S3 extension for user administration:
    - configure_user_fields
    - s3_verify_user
    - s3_approve_user
    - s3_link_user
    - s3_user_profile_onaccept
    - s3_link_to_person
    - s3_link_to_organisation
    - s3_link_to_human_resource
    - s3_link_to_member
    - s3_approver

- S3 custom authentication methods:
    - s3_impersonate
    - s3_logged_in

- S3 user role management:
    - get_system_roles
    - s3_set_roles
    - s3_create_role
    - s3_delete_role
    - s3_assign_role
    - s3_withdraw_role
    - s3_has_role
    - s3_group_members

- S3 ACL management:
    - s3_update_acls

- S3 user identification helpers:
    - s3_get_user_id
    - s3_user_pe_id
    - s3_logged_in_person
    - s3_logged_in_human_resource

- S3 core authorization methods:
    - s3_has_permission
    - s3_accessible_query

- S3 variants of web2py authorization methods:
    - s3_has_membership
    - s3_requires_membership

- S3 record ownership methods:
    - s3_make_session_owner
    - s3_session_owns
    - s3_set_record_owner

Instance Methods
 
__init__(self)
Initialise parent class & make any necessary modifications
 
define_tables(self, migrate=True, fake_migrate=False)
To be called unless tables are defined manually
 
login_bare(self, username, password)
Logs user in
 
set_cookie(self)
Set a cookie in the client browser so that we know this user has registered, and so present them with a login form instead of a register form
 
login(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT, inline=False, lost_pw_link=None, register_link=True)
Overrides Web2Py's login() to use custom flash styles & utcnow
 
change_password(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT)
Returns a form that lets the user change password
 
reset_password(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT)
Returns a form to reset the user password; overrides web2py's version of the method so as not to swallow the _next var.
 
request_reset_password(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT)
Returns a form to request a password reset; overrides web2py's version of the method to apply Eden formstyles.
 
login_user(self, user)
Log the user in...
 
register(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT, js_validation=True)
Overrides Web2Py's register() to add new functionality:
 
email_reset_password(self, user)
Overrides Web2Py's email_reset_password() to modify the message structure
 
add_membership(self, group_id=None, user_id=None, role=None, entity=None)
Gives user_id membership of group_id or role; if user_id is None, the currently logged-in user is used. S3: extended to support entities
 
verify_email(self, next=DEFAULT, log=DEFAULT)
Action for the user to verify the registration email
 
profile(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT)
Returns a form that lets the user change his/her profile
 
configure_user_fields(self, pe_ids=None)
Configure User Fields - for registration & user administration
 
s3_import_prep(self, data)
Called when users are imported from CSV
 
auth_user_onaccept(self, email, user_id)
 
s3_register_onaccept(self, form)
S3 framework function
 
s3_user_register_onaccept(self, form)
S3 framework function
 
s3_verify_user(self, user)
Designed to be called when a user is verified through:
 
s3_approve_user(self, user, password=None)
S3 framework function
 
s3_link_user(self, user)
S3 framework function
 
s3_link_to_person(self, user=None, organisation_id=None)
Links user accounts to person registry entries
 
s3_link_to_organisation(self, user)
Link a user account to an organisation
 
s3_link_to_org_group(self, user, person_id)
Link a user account to an organisation group
 
s3_link_to_human_resource(self, user, person_id, hr_type)
Take ownership of the HR records of the person record
 
s3_link_to_member(self, user, person_id=None)
Link to a member Record
 
s3_approver(self, user)
Returns the Approver for a new Registration & the organisation_id field
 
s3_send_welcome_email(self, user, password=None)
Send a welcome mail to newly-registered users - especially suitable for users from Facebook/Google who don't verify their emails
 
s3_impersonate(self, user_id)
S3 framework function
 
s3_logged_in(self)
Check whether the user is currently logged-in...
 
get_system_roles(self)
Get the IDs of the system roles by their UIDs, and store them in the current session, as these IDs should never change.
 
get_managed_orgs(self)
Get the pe_ids of all managed organisations (to authorize role assignments)
 
s3_set_roles(self)
Update pe_id, roles and realms for the current user
 
s3_create_role(self, role, description=None, *acls, **args)
Back-end method to create roles with ACLs
 
s3_delete_role(self, role_id)
Remove a role from the system.
 
s3_assign_role(self, user_id, group_id, for_pe=None)
Assigns a role to a user (add the user to a user group)
 
s3_withdraw_role(self, user_id, group_id, for_pe=None)
Removes a role assignment from a user account
 
s3_get_roles(self, user_id, for_pe=DEFAULT)
Lookup all roles which have been assigned to user for an entity
 
s3_has_role(self, role, for_pe=None)
Check whether the currently logged-in user has a certain role (auth_group membership).
 
s3_has_roles(self, roles, for_pe=None, all=False)
Check whether the currently logged-in user has at least one out of a set of roles (or all of them, with all=True)
 
s3_group_members(self, group_id, for_pe=DEFAULT)
Get a list of members of a group
 
s3_delegate_role(self, group_id, entity, receiver=None, role=None, role_type=None)
Delegate a role (auth_group) from one entity to another
 
s3_remove_delegation(self, group_id, entity, receiver=None, role=None)
Remove a delegation.
 
s3_get_delegations(self, entity, role_type=0, by_role=False)
Lookup delegations for an entity, ordered either by receiver (by_role=False) or by affiliation role (by_role=True)
 
s3_update_acls(self, role, *acls)
Wrapper for permission.update_acl to allow batch updating
 
s3_get_user_id(self, person_id=None, pe_id=None)
Get the user_id for a person_id
 
s3_user_pe_id(self, user_id)
Get the person pe_id for a user ID
 
s3_bulk_user_pe_id(self, user_ids)
Get the list of person pe_ids for a list of user_ids
 
s3_logged_in_person(self)
Get the person record ID for the current logged-in user
 
s3_logged_in_human_resource(self)
Get the first HR record ID for the current logged-in user
 
s3_has_permission(self, method, table, record_id=None, c=None, f=None)
S3 framework function to define whether a user can access a record in manner "method".
 
s3_accessible_query(self, method, table, c=None, f=None)
Returns a query with all accessible records for the currently logged-in user
 
s3_has_membership(self, group_id=None, user_id=None, role=None)
Checks if user is member of group_id or role
 
has_membership(self, group_id=None, user_id=None, role=None)
Checks if user is member of group_id or role
 
s3_requires_membership(self, role)
Decorator that prevents access to action if not logged in or if the logged-in user is not a member of group_id.
 
requires_membership(self, role)
Decorator that prevents access to action if not logged in or if the logged-in user is not a member of group_id.
 
s3_make_session_owner(self, table, record_id)
Makes the current session owner of a record
 
s3_session_owns(self, table, record_id)
Checks whether the current session owns a record
 
s3_clear_session_ownership(self, table=None, record_id=None)
Removes session ownership for a record
 
s3_update_record_owner(self, table, record, update=False, **fields)
Update ownership fields in a record (DRY helper method for s3_set_record_owner and set_realm_entity)
 
s3_set_record_owner(self, table, record, force_update=False, **fields)
Set the record owned_by_user, owned_by_group and realm_entity for a record (auto-detect values).
 
set_realm_entity(self, table, records, entity=0, force_update=False)
Update the realm entity for records; will also update the realm in all configured realm components, see:
 
get_realm_entity(self, table, record, entity=0)
Lookup the realm entity for a record
 
update_shared_fields(self, table, record, **data)
Update the shared fields in data in all super-entity rows linked with this record.
 
permitted_facilities(self, table=None, error_msg=None, redirect_on_error=True, facility_type=None)
If there are no facilities that the user has permission for, prevents create & update of records in table & gives a warning if the user tries to.
 
permitted_organisations(self, table=None, error_msg=None, redirect_on_error=True)
If there are no organisations that the user has update permission for, prevents create & update of a record in table & gives a warning if the user tries to.
 
root_org(self)
Return the current user's root organisation ID or None
 
root_org_name(self)
Return the current user's root organisation name or None
 
filter_by_root_org(self, table)
Returns a query to filter a table to only display results for the user's root org OR records with no root org
Static Methods
 
s3_register_validation()
JavaScript client-side validation for Registration / User profile...
 
s3_user_profile_onaccept(form)
Update the UI locale from user profile
Class Variables
  S3_SYSTEM_ROLES = Storage(ADMIN= "ADMIN", AUTHENTICATED= "AUTH...
Method Details

__init__(self)
(Constructor)

Initialise parent class & make any necessary modifications

define_tables(self, migrate=True, fake_migrate=False)

To be called unless tables are defined manually.

usages:

   # defines all needed tables and table files
   # UUID + "_auth_user.table", ...
   auth.define_tables()

   # defines all needed tables and table files
   # "myprefix_auth_user.table", ...
   auth.define_tables(migrate="myprefix_")

   # defines all needed tables without migration/table files
   auth.define_tables(migrate=False)

login_bare(self, username, password)

Logs user in

  • extended to understand session.s3.roles

set_cookie(self)

Set a cookie in the client browser so that we know this user has registered, and so present them with a login form instead of a register form

login(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT, inline=False, lost_pw_link=None, register_link=True)

Overrides Web2Py's login() to use custom flash styles & utcnow

Returns:
a login form

change_password(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT)

Returns a form that lets the user change password

reset_password(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT)

Returns a form to reset the user password; overrides web2py's version of the method so as not to swallow the _next var.

request_reset_password(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT)

Returns a form to request a password reset; overrides web2py's version of the method to apply Eden formstyles.

Parameters:
  • next - URL to redirect to after successful form submission
  • onvalidation - callback to validate the password reset request form
  • onaccept - callback to post-process the password reset request
  • log - event description for the log (string)

login_user(self, user)

Log the user in
- common function called by login() & register()

register(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT, js_validation=True)

Overrides Web2Py's register() to add new functionality:

  • Checks whether registration is permitted
  • Custom Flash styles
  • Allow form to be embedded in other pages
  • Optional addition of Mobile Phone field to the Register form
  • Optional addition of Organisation field to the Register form
  • Lookup Domains/Organisations to check for Whitelists &/or custom Approver
Returns:
a registration form

email_reset_password(self, user)

Overrides Web2Py's email_reset_password() to modify the message structure

Parameters:
  • user - the auth_user record (Row)

add_membership(self, group_id=None, user_id=None, role=None, entity=None)

Gives user_id membership of group_id or role; if user_id is None, the currently logged-in user is used. S3: extended to support entities.

verify_email(self, next=DEFAULT, log=DEFAULT)

Action for the user to verify the registration email

profile(self, next=DEFAULT, onvalidation=DEFAULT, onaccept=DEFAULT, log=DEFAULT)

Returns a form that lets the user change his/her profile

Patched for S3 to use s3_mark_required and handle opt_in mailing lists

configure_user_fields(self, pe_ids=None)

Configure User Fields - for registration & user administration

Parameters:
  • pe_ids - an optional list of pe_ids for the Org Filter, i.e. org_admin coming from admin.py/user()

s3_import_prep(self, data)

Called when users are imported from CSV

Looks up pseudo-reference integer fields from names, e.g. auth_membership.pe_id from organisation.name=<Org Name>

s3_register_validation()
Static Method

JavaScript client-side validation for Registration / User profile
- needed to check for passwords being same, etc

auth_user_onaccept(self, email, user_id)

s3_register_onaccept(self, form)

S3 framework function

Designed to be called when a user is created through:

  • registration via OAuth, LDAP, etc

Does the following:

  • Sets session.auth.user for authorstamp, etc
  • Approves user (to set registration groups, such as AUTHENTICATED, link to Person)

s3_user_register_onaccept(self, form)

S3 framework function

Designed to be called when a user is created through:

  • registration

Does the following:

  • Stores the user's email & profile image in auth_user_temp to be added to their person record when created on approval

To Do: If these fields are implemented with the InlineForms functionality, this function may become redundant

s3_verify_user(self, user)

Designed to be called when a user is verified through:

  • responding to their verification email
  • if verification isn't required

Does the following:

  • Sends a message to the approver to notify them if a user needs approval
  • If deployment_settings.auth.always_notify_approver = True, send them notification regardless
  • If approval isn't required - calls s3_approve_user

Returns:
boolean - whether the user has been approved

s3_approve_user(self, user, password=None)

S3 framework function

Designed to be called when a user is created through:

  • prepop
  • approved automatically during registration
  • approved by admin
  • added by admin
  • updated by admin

Does the following:

  • Adds user to the 'Authenticated' role
  • Adds any default roles for the user
  • @ToDo: adds them to the Org_x Access role
Parameters:
  • user - the user Storage() or Row
  • password - optional password to include in a custom welcome_email

s3_link_user(self, user)

S3 framework function

Designed to be called when a user is created & approved through:

  • prepop
  • approved automatically during registration
  • approved by admin
  • added by admin
  • updated by admin

Does the following:

  • Calls s3_link_to_organisation: Creates (if not existing) User's Organisation and links User
  • Calls s3_link_to_person: Creates (if not existing) User's Person Record and links User
  • Calls s3_link_to_human_resource: Creates (if not existing) User's Human Resource Record and links User
  • Calls s3_link_to_member

s3_user_profile_onaccept(form)
Static Method

Update the UI locale from user profile

s3_link_to_person(self, user=None, organisation_id=None)

Links user accounts to person registry entries

Parameters:
  • user - the user record
  • organisation_id - the user's organisation_id, used to get the person's realm_entity

Policy for linking to pre-existing person records:

If this user is already linked to a person record with a different first_name, last_name, email or realm_entity, these will be updated to those of the user.

If a person record with exactly the same first name and last name exists, which has a contact information record with exactly the same email address as used in the user account, and is not linked to another user account, then this person record will be linked to this user account.

Otherwise, a new person record is created, and a new email contact record with the email address from the user record is registered for that person.
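
The linking policy above, as an added example written for this page rather than Sahana Eden's own code: the three steps run in order against in-memory stand-ins for auth_user, pr_person and pr_contact. The record layout, the pe_id numbering and the sample people are constructed for the example; the field names follow the docstring.

```python
# Added example for this page (not Sahana Eden code): the person-linking policy
# described for s3_link_to_person, run against in-memory stand-ins for the
# auth_user, pr_person and pr_contact tables. The record layout, the pe_id
# numbering and the sample people are constructed for the example.

class PersonRegistry:
    def __init__(self):
        self.persons = []    # {id, pe_id, first_name, last_name, user_id, realm_entity}
        self.contacts = []   # {pe_id, contact_method, value}

    def add_person(self, first_name, last_name, email=None, user_id=None, realm_entity=None):
        pid = len(self.persons) + 1
        self.persons.append(dict(id=pid, pe_id=1000 + pid, first_name=first_name,
                                 last_name=last_name, user_id=user_id, realm_entity=realm_entity))
        if email:
            self.contacts.append(dict(pe_id=1000 + pid, contact_method="EMAIL", value=email))
        return pid

    def email_contacts(self, pe_id):
        return [c for c in self.contacts if c["pe_id"] == pe_id and c["contact_method"] == "EMAIL"]

    def link_to_person(self, user, realm_entity=None):
        """Return (action, person_id) with action in {"updated", "linked", "created"}."""
        # 1. account already linked: bring the person record in line with the account
        for p in self.persons:
            if p["user_id"] == user["id"]:
                p["first_name"], p["last_name"] = user["first_name"], user["last_name"]
                if realm_entity is not None:
                    p["realm_entity"] = realm_entity
                emails = self.email_contacts(p["pe_id"])
                if emails:
                    emails[0]["value"] = user["email"]
                else:
                    self.contacts.append(dict(pe_id=p["pe_id"], contact_method="EMAIL", value=user["email"]))
                return "updated", p["id"]
        # 2. exact first+last name, same e-mail on file, and not linked to another account
        for p in self.persons:
            if (p["user_id"] is None
                    and p["first_name"] == user["first_name"]
                    and p["last_name"] == user["last_name"]
                    and any(c["value"] == user["email"] for c in self.email_contacts(p["pe_id"]))):
                p["user_id"] = user["id"]
                if realm_entity is not None:
                    p["realm_entity"] = realm_entity
                return "linked", p["id"]
        # 3. otherwise create a new person plus an e-mail contact record
        pid = self.add_person(user["first_name"], user["last_name"], email=user["email"],
                              user_id=user["id"], realm_entity=realm_entity)
        return "created", pid


def demo():
    reg = PersonRegistry()
    reg.add_person("Alice", "Smith", email="alice@example.org")           # unlinked, e-mail on file
    reg.add_person("Bob", "Jones", email="bob@example.org", user_id=5)    # already someone else's
    reg.add_person("Carol", "White")                                      # no e-mail contact
    result = {
        "alice": reg.link_to_person(dict(id=9, first_name="Alice", last_name="Smith",
                                         email="alice@example.org"), realm_entity=101),
        "bob": reg.link_to_person(dict(id=10, first_name="Bob", last_name="Jones",
                                       email="bob@example.org")),
        "carol": reg.link_to_person(dict(id=11, first_name="Carol", last_name="White",
                                         email="carol@example.org")),
        # same account again, with changed name and address: the existing link is updated
        "alice_again": reg.link_to_person(dict(id=9, first_name="Alice", last_name="Smyth",
                                               email="alice.smyth@example.org")),
    }
    alice = reg.persons[0]
    result["alice_record"] = (alice["last_name"], alice["realm_entity"],
                              [c["value"] for c in reg.email_contacts(alice["pe_id"])])
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Step 2 is the security-relevant one: an unlinked person record can be claimed by any account that carries the same name and the same e-mail address, so the match should only be attempted once that address can be trusted. This fits the page's description of s3_link_user (which calls s3_link_to_person) as running for accounts that have been created and approved, not at form submission.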

s3_link_to_organisation(self, user)

Link a user account to an organisation

Parameters:
  • user - the user account record

s3_link_to_org_group(self, user, person_id)

Link a user account to an organisation group

Parameters:
  • user - the user account record
  • person_id - the person record ID associated with this user

s3_link_to_human_resource(self, user, person_id, hr_type)

Take ownership of the HR records of the person record

To Do: Add user to the Org Access role.

s3_link_to_member(self, user, person_id=None)

Link to a member Record

s3_approver(self, user)

Returns the Approver for a new Registration & the organisation_id field

Parameters:
  • user - the user record (form.vars when done direct)

To Do: Support multiple approvers per Org - via Org Admin (or specific Role?); split into separate functions for returning the approver & finding the user's org from auth_organisations

Returns:
approver, organisation_id - if approver is False, the user is automatically approved by whitelist
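
The hand-off between s3_verify_user, s3_approver and s3_approve_user, as an added example for this page and not Sahana Eden's own implementation. The approver lookup keys on the e-mail domain: a domain row with no approver stands for a whitelisted domain (approver False), a row with an approver routes the request to that address, and an unknown domain falls back to the deployment's default approver when approval is required. The domain table, the settings keys, the addresses and the "pending" registration_key marker (web2py's convention for unapproved accounts) are assumptions made for the example.

```python
# Added example for this page (not Sahana Eden code): the verification ->
# approval hand-off described for s3_verify_user, s3_approver and
# s3_approve_user. The domain table, the settings keys, the addresses and the
# "pending" registration_key marker (web2py's convention for unapproved
# accounts) are assumptions made for the example.

class Registration:
    def __init__(self, settings, domains):
        self.settings = settings     # requires_approval, always_notify_approver, approver, default_roles
        self.domains = domains       # e-mail domain -> {organisation_id, approver}; approver None = whitelisted
        self.notifications = []      # (recipient, subject) pairs that would have been e-mailed
        self.memberships = {}        # user_id -> set of role UIDs granted on approval

    def approver(self, user):
        """Return (approver, organisation_id); approver False means auto-approve."""
        domain = user["email"].rsplit("@", 1)[-1].lower()
        row = self.domains.get(domain)
        if row is not None:
            return (row["approver"] or False), row["organisation_id"]
        if not self.settings["requires_approval"]:
            return False, None
        return self.settings["approver"], None

    def approve_user(self, user):
        """Activate the account: AUTHENTICATED plus any configured default roles."""
        roles = {"AUTHENTICATED"} | set(self.settings.get("default_roles", ()))
        self.memberships[user["id"]] = roles
        user["registration_key"] = ""
        return roles

    def verify_user(self, user):
        """Called when the verification link is used (or verification is not required).
        Returns True if the account was approved, False if it now awaits an approver."""
        approver, organisation_id = self.approver(user)
        user["organisation_id"] = organisation_id
        if approver is False:
            self.approve_user(user)
            if self.settings["always_notify_approver"]:
                self.notifications.append((self.settings["approver"],
                                           "New user %s registered" % user["email"]))
            return True
        user["registration_key"] = "pending"
        self.notifications.append((approver, "Approval required for %s" % user["email"]))
        return False


def demo():
    domains = {
        "whitelisted.org": dict(organisation_id=3, approver=None),            # whitelist
        "partner.org": dict(organisation_id=4, approver="orgadmin@partner.org"),
    }
    strict = Registration(dict(requires_approval=True, always_notify_approver=False,
                               approver="admin@example.org", default_roles=["EDITOR"]), domains)
    users = [dict(id=1, email="alice@whitelisted.org"),
             dict(id=2, email="bob@partner.org"),
             dict(id=3, email="carol@example.com")]
    approved = {u["email"]: strict.verify_user(u) for u in users}
    relaxed = Registration(dict(requires_approval=False, always_notify_approver=True,
                                approver="admin@example.org"), domains)
    relaxed_ok = relaxed.verify_user(dict(id=4, email="dave@example.com"))
    return dict(approved=approved, notified=strict.notifications, roles=strict.memberships,
                relaxed=(relaxed_ok, relaxed.notifications))


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The whitelist path is worth noticing when reviewing a deployment: with a domain row and no approver, a registration from that domain is active as soon as the address is verified, and only always_notify_approver makes anyone aware of it.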

s3_send_welcome_email(self, user, password=None)

Send a welcome mail to newly-registered users
- especially suitable for users from Facebook/Google who don't verify their emails

Parameters:
  • user - the user dict, must contain "email", and can contain "language" for translation of the message
  • password - optional password to include in a custom welcome_email

s3_impersonate(self, user_id)

S3 framework function

Designed to be used within tasks, which are run in a separate request & hence don't have access to current.auth

Parameters:
  • user_id - auth.user.id or auth.user.email

s3_logged_in(self)

Check whether the user is currently logged-in
- tries Basic if not

get_system_roles(self)

Get the IDs of the system roles by their UIDs, and store them in the current session, as these IDs should never change.

get_managed_orgs(self)

Get the pe_ids of all managed organisations (to authorize role assignments)

TODO use this in admin/user controller

s3_set_roles(self)

Update pe_id, roles and realms for the current user

s3_create_role(self, role, description=None, *acls, **args)

Back-end method to create roles with ACLs

Parameters:
  • role - display name for the role
  • description - description of the role (optional)
  • acls - list of initial ACLs to assign to this role
  • args - keyword arguments:
    • name - a unique name for the role
    • hidden - hide this role completely from the RoleManager
    • system - role can be assigned, but neither modified nor deleted in the RoleManager
    • protected - role can be assigned and edited, but not deleted in the RoleManager

s3_delete_role(self, role_id)

Remove a role from the system.

Parameters:
  • role_id - the ID or UID of the role

Note: protected roles cannot be deleted with this function; reset the protected flag first to override

s3_assign_role(self, user_id, group_id, for_pe=None)

Assigns a role to a user (add the user to a user group)

Parameters:
  • user_id - the record ID of the user account
  • group_id - the record ID(s)/UID(s) of the group
  • for_pe - the person entity (pe_id) to restrict the group membership to, possible values:
    • None: use default realm (entities the user is affiliated with)
    • 0: site-wide realm (no entity-restriction)
    • X: restrict to records owned by entity X
Notes:
  • strings are assumed to be group UIDs
  • for_pe will be ignored for ADMIN, ANONYMOUS and AUTHENTICATED

s3_withdraw_role(self, user_id, group_id, for_pe=None)

Removes a role assignment from a user account

Parameters:
  • user_id - the record ID of the user account
  • group_id - the record ID(s)/UID(s) of the role
  • for_pe - only remove the group membership for this realm, possible values:
    • None: only remove for the default realm
    • 0: only remove for the site-wide realm
    • X: only remove for entity X
    • []: remove for any realm
Notes:
  • strings are assumed to be role UIDs

s3_get_roles(self, user_id, for_pe=DEFAULT)

Lookup all roles which have been assigned to user for an entity

Parameters:
  • user_id - the user_id
  • for_pe - the entity (pe_id) or list of entities

s3_has_role(self, role, for_pe=None)

Check whether the currently logged-in user has a certain role (auth_group membership).

Parameters:
  • role - the record ID or UID of the role
  • for_pe - check for this particular realm, possible values:
    • None: for any entity
    • 0: site-wide
    • X: for entity X

s3_has_roles(self, roles, for_pe=None, all=False)

Check whether the currently logged-in user has at least one out of a set of roles (or all of them, with all=True)

Parameters:
  • roles - list|tuple|set of role IDs or UIDs
  • for_pe - check for this particular realm, possible values:
    • None: for any entity
    • 0: site-wide
    • X: for entity X
  • all - check whether the user has all of the roles
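
The assign / withdraw / check semantics described for s3_assign_role, s3_withdraw_role, s3_has_role and s3_has_roles, as an added example for this page (not Sahana Eden's implementation). Memberships are kept per user and role as a set of realms: None for the default realm (resolved against an affiliation table at check time), 0 for site-wide, or a pe_id; system roles are stored site-wide regardless of for_pe. The class, the user IDs, the pe_ids and the affiliation table are made up.

```python
# Added example for this page (not Sahana Eden code): a stand-alone model of
# realm-restricted role membership with the for_pe semantics documented above
# for s3_assign_role, s3_withdraw_role, s3_has_role and s3_has_roles.
# The class, the user IDs, the pe_ids and the affiliation table are made up.
from collections import defaultdict

SYSTEM_ROLES = {"ADMIN", "ANONYMOUS", "AUTHENTICATED"}  # for_pe is ignored for these
DEFAULT_REALM = None   # entities the user is affiliated with
SITE_WIDE = 0          # no entity restriction


class RoleStore:
    """memberships[user_id][role_uid] is the set of realms the role is held in:
    None (default realm), 0 (site-wide) or a pe_id X. Strings are role UIDs."""

    def __init__(self, affiliations):
        self.affiliations = affiliations          # user_id -> set of affiliated pe_ids
        self.memberships = defaultdict(lambda: defaultdict(set))

    @staticmethod
    def _as_list(group_id):
        return list(group_id) if isinstance(group_id, (list, tuple, set)) else [group_id]

    def assign_role(self, user_id, group_id, for_pe=DEFAULT_REALM):
        for uid in self._as_list(group_id):
            # system roles are always site-wide, whatever for_pe says
            realm = SITE_WIDE if uid in SYSTEM_ROLES else for_pe
            self.memberships[user_id][uid].add(realm)

    def withdraw_role(self, user_id, group_id, for_pe=DEFAULT_REALM):
        for uid in self._as_list(group_id):
            realms = self.memberships[user_id].get(uid)
            if not realms:
                continue
            if isinstance(for_pe, list) and not for_pe:
                realms.clear()                            # []: remove for any realm
            else:
                realms.discard(SITE_WIDE if uid in SYSTEM_ROLES else for_pe)
            if not realms:
                del self.memberships[user_id][uid]

    def has_role(self, user_id, role, for_pe=None):
        realms = self.memberships.get(user_id, {}).get(role)
        if not realms:
            return False
        if for_pe is None:                 # held in any realm at all
            return True
        if SITE_WIDE in realms:            # a site-wide assignment covers every entity
            return True
        if for_pe == SITE_WIDE:            # only a site-wide assignment qualifies
            return False
        # entity X: held explicitly for X, or via the default realm if affiliated with X
        affiliated = for_pe in self.affiliations.get(user_id, set())
        return for_pe in realms or (DEFAULT_REALM in realms and affiliated)

    def has_roles(self, user_id, roles, for_pe=None, all=False):
        matches = [self.has_role(user_id, r, for_pe) for r in roles]
        return (False not in matches) if all else (True in matches)


def demo():
    store = RoleStore(affiliations={7: {101}})           # user 7 belongs to org pe 101
    store.assign_role(7, "AUTHENTICATED", for_pe=101)    # restriction ignored: system role
    store.assign_role(7, "ORG_ADMIN")                    # default realm: affiliated entities
    store.assign_role(7, "EDITOR", for_pe=202)           # only for entity 202
    result = {
        "auth_anywhere": store.has_role(7, "AUTHENTICATED", for_pe=999),
        "org_admin_own": store.has_role(7, "ORG_ADMIN", for_pe=101),
        "org_admin_other": store.has_role(7, "ORG_ADMIN", for_pe=202),
        "org_admin_site": store.has_role(7, "ORG_ADMIN", for_pe=0),
        "editor_202": store.has_role(7, "EDITOR", for_pe=202),
        "any_of": store.has_roles(7, ["EDITOR", "MAP_ADMIN"], for_pe=202),
        "all_of": store.has_roles(7, ["EDITOR", "MAP_ADMIN"], for_pe=202, all=True),
    }
    store.withdraw_role(7, "EDITOR", for_pe=101)         # wrong realm: nothing removed
    result["editor_kept"] = store.has_role(7, "EDITOR", for_pe=202)
    store.withdraw_role(7, "EDITOR", for_pe=[])          # []: removed for every realm
    store.withdraw_role(7, "ORG_ADMIN")                  # removes the default-realm assignment
    result["editor_gone"] = store.has_role(7, "EDITOR")
    result["org_admin_gone"] = store.has_role(7, "ORG_ADMIN")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two behaviours worth checking in any audit tooling built on these calls: a withdrawal with the wrong for_pe silently removes nothing (only for_pe=[] is guaranteed to clear the role), and a site-wide assignment satisfies a check for any entity, so for_pe=0 is the only value that distinguishes an unrestricted grant from an entity-scoped one.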

s3_group_members(self, group_id, for_pe=DEFAULT)

Get a list of members of a group

Parameters:
  • group_id - the group record ID
  • for_pe - show only group members for this PE
Returns:
a list of the user_ids for members of a group

s3_delegate_role(self, group_id, entity, receiver=None, role=None, role_type=None)

Delegate a role (auth_group) from one entity to another

Parameters:
  • group_id - the role ID or UID (or a list of either)
  • entity - the delegating entity
  • receiver - the pe_id of the receiving entity (or a list of pe_ids)
  • role - the affiliation role
  • role_type - the role type for the affiliation role (default=9)
Notes:
  • if role is None, a new role of role_type 0 will be created for each entity in receiver and used for the delegation (1:1 delegation)
  • if both receiver and role are specified, the delegation will add all receivers to this role and create a 1:N delegation to this role. If the role does not exist, it will be created (using the given role type)

s3_remove_delegation(self, group_id, entity, receiver=None, role=None)

Remove a delegation.

Parameters:
  • group_id - the auth_group ID or UID (or a list of either)
  • entity - the delegating entity
  • receiver - the receiving entity
  • role - the affiliation role
Notes:
  • if receiver is specified, only 1:1 delegations (to role_type 0) will be removed, but not 1:N delegations; to remove a 1:N delegation you must specify the role instead of the receiver
  • if both receiver and role are None, all delegations with this group_id will be removed for the entity

s3_get_delegations(self, entity, role_type=0, by_role=False)

Lookup delegations for an entity, ordered either by receiver (by_role=False) or by affiliation role (by_role=True)

Parameters:
  • entity - the delegating entity (pe_id)
  • role_type - limit the lookup to this affiliation role type (use 0 to look up 1:1 delegations)
  • by_role - group by affiliation roles
Returns:
a Storage {<receiver>: [group_ids]}, or a Storage {<rolename>: {entities:[pe_ids], groups:[group_ids]}}

s3_update_acls(self, role, *acls)

Wrapper for permission.update_acl to allow batch updating

s3_get_user_id(self, person_id=None, pe_id=None)

Get the user_id for a person_id

Parameters:
  • person_id - the pr_person record ID, or a user email address
  • pe_id - the person entity ID, alternatively

s3_user_pe_id(self, user_id)

Get the person pe_id for a user ID

Parameters:
  • user_id - the user ID

s3_bulk_user_pe_id(self, user_ids)

Get the list of person pe_ids for a list of user_ids

Parameters:
  • user_ids - list of user IDs

s3_logged_in_person(self)

Get the person record ID for the current logged-in user

s3_logged_in_human_resource(self)

Get the first HR record ID for the current logged-in user

s3_has_permission(self, method, table, record_id=None, c=None, f=None)

S3 framework function to define whether a user can access a record in manner "method". Designed to be called from the RESTlike controller.

Parameters:
  • method - the access method as string, one of "create", "read", "update", "delete"
  • table - the table or tablename
  • record_id - the record ID (if any)
  • c - the controller name (overrides current.request)
  • f - the function name (overrides current.request)

s3_accessible_query(self, method, table, c=None, f=None)

Returns a query with all accessible records for the currently logged-in user

Parameters:
  • method - the access method as string, one of: "create", "read", "update" or "delete"
  • table - the table or table name
  • c - the controller name (overrides current.request)
  • f - the function name (overrides current.request)

Note: This method does not work on GAE because it uses JOIN and IN
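
A reduced model of what these two methods decide, as an added example for this page (not the project's code). Role memberships are taken as already resolved realm sets (0 = site-wide), ACLs are a role -> table -> methods map, and three ownership rules are assumed for the example: ADMIN may do anything; a method is permitted when some role grants it on the table and the role is held site-wide or for the record's realm_entity; and the record's owner user may act on it. accessible_query is built as one realm/owner filter over the rows, which is the shape of the JOIN/IN query the note above refers to, rather than by testing each record with has_permission.

```python
# Added example for this page (not Sahana Eden code): a reduced model of the
# s3_has_permission / s3_accessible_query checks. The ACL table, the role
# memberships (already resolved to realm sets, 0 = site-wide), the org_office
# rows and the ownership rules below are constructed for the example:
#   - ADMIN may do anything;
#   - otherwise a method is permitted when some role grants it on the table
#     and that role is held site-wide or for the record's realm_entity;
#   - the owner user of a record (owned_by_user) may also read/update/delete it.
SITE_WIDE = 0
METHODS = ("create", "read", "update", "delete")


class Permission:
    def __init__(self, acls, memberships, tables):
        self.acls = acls                  # role -> table -> set of permitted methods
        self.memberships = memberships    # user_id -> role -> set of realms (pe_ids or 0)
        self.tables = tables              # table -> {record_id: row}

    def _granting_realms(self, user_id, method, table):
        """Union of the realms in which one of the user's roles grants `method` on `table`."""
        realms = set()
        for role, held_in in self.memberships.get(user_id, {}).items():
            if method in self.acls.get(role, {}).get(table, ()):
                realms |= held_in
        return realms

    def has_permission(self, user_id, method, table, record_id=None):
        if method not in METHODS:
            raise ValueError("unknown method %r" % method)
        if "ADMIN" in self.memberships.get(user_id, {}):
            return True
        realms = self._granting_realms(user_id, method, table)
        if record_id is None:                        # table-level check, e.g. before create
            return bool(realms)
        row = self.tables[table][record_id]
        if user_id is not None and row.get("owned_by_user") == user_id:
            return True                              # owner rule (assumed, see above)
        return SITE_WIDE in realms or row.get("realm_entity") in realms

    def accessible_query(self, user_id, method, table):
        """The IDs the real method's DAL query would select for this user,
        built as a single realm/owner filter rather than per-row has_permission calls."""
        if "ADMIN" in self.memberships.get(user_id, {}):
            return sorted(self.tables[table])
        realms = self._granting_realms(user_id, method, table)

        def selected(row):
            return (SITE_WIDE in realms
                    or row.get("realm_entity") in realms
                    or (user_id is not None and row.get("owned_by_user") == user_id))

        return sorted(rid for rid, row in self.tables[table].items() if selected(row))


def demo():
    acls = {
        "EDITOR": {"org_office": {"read", "update"}},
        "ORG_ADMIN": {"org_office": {"create", "read", "update", "delete"}},
    }
    memberships = {
        1: {"ADMIN": {SITE_WIDE}},
        7: {"EDITOR": {SITE_WIDE}, "ORG_ADMIN": {101}},   # org admin of entity 101 only
        8: {"EDITOR": {202}},                             # editor for entity 202 only
    }
    tables = {"org_office": {
        1: dict(realm_entity=101, owned_by_user=3),
        2: dict(realm_entity=202, owned_by_user=7),
        3: dict(realm_entity=202, owned_by_user=3),
        4: dict(realm_entity=303, owned_by_user=3),
    }}
    perm = Permission(acls, memberships, tables)
    return {
        "7_delete_1": perm.has_permission(7, "delete", "org_office", 1),   # via ORG_ADMIN for 101
        "7_delete_3": perm.has_permission(7, "delete", "org_office", 3),   # other realm
        "7_delete_2": perm.has_permission(7, "delete", "org_office", 2),   # owner
        "7_update_4": perm.has_permission(7, "update", "org_office", 4),   # site-wide EDITOR
        "8_update_1": perm.has_permission(8, "update", "org_office", 1),
        "8_create": perm.has_permission(8, "create", "org_office"),
        "7_create": perm.has_permission(7, "create", "org_office"),
        "7_deletable": perm.accessible_query(7, "delete", "org_office"),
        "8_readable": perm.accessible_query(8, "read", "org_office"),
        "admin_deletable": perm.accessible_query(1, "delete", "org_office"),
        "anon_readable": perm.accessible_query(None, "read", "org_office"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of keeping has_permission and accessible_query on the same rule set is consistency: a record that the list query shows must also pass the per-record check, and vice versa, otherwise a user can reach through the UI to records the list hides (or be shown rows they cannot open).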

s3_has_membership(self, group_id=None, user_id=None, role=None)

Checks if user is member of group_id or role

Extends Web2Py's has_membership() to add new functionality:

  • Custom Flash style
  • Uses s3_has_role()

has_membership(self, group_id=None, user_id=None, role=None)

Checks if user is member of group_id or role

Extends Web2Py's has_membership() to add new functionality:

  • Custom Flash style
  • Uses s3_has_role()

s3_requires_membership(self, role)

Decorator that prevents access to action if not logged in or if the logged-in user is not a member of group_id. If role is provided instead of group_id then the group_id is calculated.

Extends Web2Py's requires_membership() to add new functionality:

  • Custom Flash style
  • Uses s3_has_role()
  • Administrators (id=1) are deemed to have all roles

requires_membership(self, role)

Decorator that prevents access to action if not logged in or if the logged-in user is not a member of group_id. If role is provided instead of group_id then the group_id is calculated.

Extends Web2Py's requires_membership() to add new functionality:

  • Custom Flash style
  • Uses s3_has_role()
  • Administrators (id=1) are deemed to have all roles

s3_make_session_owner(self, table, record_id)

Makes the current session owner of a record

Parameters:
  • table - the table or table name
  • record_id - the record ID

s3_session_owns(self, table, record_id)

Checks whether the current session owns a record

Parameters:
  • table - the table or table name
  • record_id - the record ID

s3_clear_session_ownership(self, table=None, record_id=None)

Removes session ownership for a record

Parameters:
  • table - the table or table name (default: all tables)
  • record_id - the record ID (default: all records)

s3_update_record_owner(self, table, record, update=False, **fields)

Update ownership fields in a record (DRY helper method for s3_set_record_owner and set_realm_entity)

Parameters:
  • table - the table
  • record - the record or record ID
  • update - True to update realm_entity in all realm-components
  • fields - dict of {ownership_field:value}

s3_set_record_owner(self, table, record, force_update=False, **fields)

Set the record owned_by_user, owned_by_group and realm_entity for a record (auto-detect values).

To be called by CRUD and Importer during record creation.

Parameters:
  • table - the Table (or table name)
  • record - the record (or record ID)
  • force_update - True to update all fields regardless of the current value in the record, False to only update if current value is None
  • fields - override auto-detected values, see keywords:
    • owned_by_user - the auth_user ID of the owner user
    • owned_by_group - the auth_group ID of the owner group
    • realm_entity - the pe_id of the realm entity, or a tuple (instance_type, instance_id) to lookup the pe_id, e.g. ("org_organisation", 2)
Notes:
  • Only use with force_update for deliberate owner changes (i.e. with explicit owned_by_user/owned_by_group) - autodetected values can have undesirable side-effects. For mere realm updates use set_realm_entity instead.
  • If used with force_update, this will also update the realm_entity in all configured realm_components, i.e. no separate call to set_realm_entity required.

set_realm_entity(self, table, records, entity=0, force_update=False)

Update the realm entity for records; will also update the realm in all configured realm components, see:

http://eden.sahanafoundation.org/wiki/S3AAA/OrgAuth#Realms1

To be called by CRUD and Importer during record update.

Parameters:
  • table - the Table (or tablename)
  • records - one of:
    • a single record
    • a single record ID
    • a list of records, or a Rows object
    • a list of record IDs
    • a query to find records in table
  • entity - one of:
    • an entity ID
    • a tuple (table, instance_id)
    • 0 for default lookup
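
The ownership rules of s3_update_record_owner, s3_set_record_owner and set_realm_entity as an added example for this page (not Sahana Eden code), run against dict stand-ins for org_office and org_office_contact. The pe_id lookup table, the auto-detection rule (an office takes its organisation's pe_id) and the realm_components mapping are assumptions made for the example; the last step reproduces the side-effect the first note under s3_set_record_owner warns about.

```python
# Added example for this page (not Sahana Eden code): the ownership rules
# described for s3_update_record_owner, s3_set_record_owner and
# set_realm_entity, applied to dict-based stand-ins for org_office and
# org_office_contact. The pe_id lookup table, the realm auto-detection rule
# (an office takes its organisation's pe_id) and the realm_components mapping
# are assumptions made for the example.

OWNERSHIP_FIELDS = ("owned_by_user", "owned_by_group", "realm_entity")


class OwnershipDB:
    def __init__(self, tables, pe_ids, realm_components):
        self.tables = tables                        # table -> {record_id: row}
        self.pe_ids = pe_ids                        # (instance_type, instance_id) -> pe_id
        self.realm_components = realm_components    # table -> [(component_table, fk_field)]

    def get_realm_entity(self, table, row, entity=0):
        """Resolve an explicit entity (pe_id or (instance_type, id) tuple), or auto-detect."""
        if isinstance(entity, tuple):
            return self.pe_ids[entity]
        if entity:
            return entity
        if "organisation_id" in row:               # assumed default rule for this example
            return self.pe_ids.get(("org_organisation", row["organisation_id"]))
        return None

    def update_record_owner(self, table, record_id, update=False, **fields):
        """DRY helper: write the given ownership fields; with update=True also
        push realm_entity down to all configured realm components."""
        row = self.tables[table][record_id]
        for field in OWNERSHIP_FIELDS:
            if field in fields:
                row[field] = fields[field]
        if update and "realm_entity" in fields:
            for ctable, fk in self.realm_components.get(table, ()):
                for crow in self.tables[ctable].values():
                    if crow.get(fk) == record_id:
                        crow["realm_entity"] = fields["realm_entity"]
        return row

    def set_record_owner(self, table, record_id, user_id, force_update=False, **fields):
        """On create: auto-detect owner and realm, fill only fields still None
        unless force_update; explicit keyword fields override the detection."""
        row = self.tables[table][record_id]
        if "realm_entity" in fields:
            fields["realm_entity"] = self.get_realm_entity(table, row, fields["realm_entity"])
        detected = dict(owned_by_user=user_id, owned_by_group=None,
                        realm_entity=self.get_realm_entity(table, row))
        detected.update(fields)
        values = {f: v for f, v in detected.items() if force_update or row.get(f) is None}
        return self.update_record_owner(table, record_id, update=force_update, **values)

    def set_realm_entity(self, table, records, entity=0, force_update=False):
        """On update: move records (and their realm components) to a realm."""
        for record_id in records:
            row = self.tables[table][record_id]
            if row.get("realm_entity") is not None and not force_update:
                continue
            realm = self.get_realm_entity(table, row, entity)
            self.update_record_owner(table, record_id, update=True, realm_entity=realm)


def demo():
    db = OwnershipDB(
        tables={
            "org_office": {1: dict(organisation_id=2, owned_by_user=None,
                                   owned_by_group=None, realm_entity=None)},
            "org_office_contact": {10: dict(office_id=1, realm_entity=None),
                                   11: dict(office_id=9, realm_entity=None)},
        },
        pe_ids={("org_organisation", 2): 1002, ("org_organisation", 3): 1003},
        realm_components={"org_office": [("org_office_contact", "office_id")]},
    )
    office = db.tables["org_office"][1]
    contacts = db.tables["org_office_contact"]
    steps = {}
    db.set_record_owner("org_office", 1, user_id=7)              # record creation by user 7
    steps["created"] = (office["owned_by_user"], office["realm_entity"], contacts[10]["realm_entity"])
    db.set_record_owner("org_office", 1, user_id=8)              # no force: nothing overwritten
    steps["not_overwritten"] = office["owned_by_user"]
    db.set_realm_entity("org_office", [1], entity=("org_organisation", 3), force_update=True)
    steps["realm_moved"] = (office["realm_entity"], contacts[10]["realm_entity"],
                            contacts[11]["realm_entity"])
    # forced owner change: note the auto-detected realm is written back as well
    db.set_record_owner("org_office", 1, user_id=8, force_update=True,
                        owned_by_user=8, owned_by_group=5)
    steps["forced"] = (office["owned_by_user"], office["owned_by_group"],
                       office["realm_entity"], contacts[10]["realm_entity"])
    return steps


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The final step is the caveat in practice: a forced call that only meant to change the owner also re-detects realm_entity from the organisation and pushes 1002 back onto the office and its contact rows, undoing the earlier move to 1003. That is why the docstring reserves force_update for deliberate owner changes and points realm changes at set_realm_entity.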

get_realm_entity(self, table, record, entity=0)

Lookup the realm entity for a record

Parameters:
  • table - the Table
  • record - the record (as Row or dict)
  • entity - the entity (pe_id)

update_shared_fields(self, table, record, **data)

Update the shared fields in data in all super-entity rows linked with this record.

Parameters:
  • table - the table
  • record - a record, record ID or a query
  • data - the field/value pairs to update

permitted_facilities(self, table=None, error_msg=None, redirect_on_error=True, facility_type=None)

If there are no facilities that the user has permission for, prevents create & update of records in table & gives a warning if the user tries to.

Parameters:
  • table - the table or table name
  • error_msg - error message
  • redirect_on_error - whether to redirect on error
  • facility_type - restrict to this particular type of facilities (a tablename)

permitted_organisations(self, table=None, error_msg=None, redirect_on_error=True)

If there are no organisations that the user has update permission for, prevents create & update of a record in table & gives a warning if the user tries to.

Parameters:
  • table - the table or table name
  • error_msg - error message
  • redirect_on_error - whether to redirect on error

root_org(self)

Return the current user's root organisation ID or None

root_org_name(self)

Return the current user's root organisation name or None

filter_by_root_org(self, table)

Returns a query to filter a table to only display results for the user's root org OR records with no root org

To Do: Restore Realms and add a role/functionality support for Master Data; then this function is redundant


Class Variable Details

S3_SYSTEM_ROLES

Value:
Storage(ADMIN="ADMIN", AUTHENTICATED="AUTHENTICATED", ANONYMOUS="ANONYMOUS", EDITOR="EDITOR", MAP_ADMIN="MAP_ADMIN", ORG_ADMIN="ORG_ADMIN", ORG_GROUP_ADMIN="ORG_GROUP_ADMIN")