Context navigation

source: main/waeup.ikoba/trunk/src/waeup/ikoba/permissions.py @ 12117

Last change on this file since 12117 was 12097, checked in by Henrik Bettermann, 10 years ago

The term 'application' should really not be used in Python-based portal software.

Replace 'application' by 'contract': batch 1

Property svn:eol-style set to native
Property svn:keywords set to Id

File size: 10.4 KB

Rev	Line
[7193]	1	## $Id: permissions.py 12097 2014-11-30 20:49:22Z henrik $
	2	##
	3	## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
	4	## This program is free software; you can redistribute it and/or modify
	5	## it under the terms of the GNU General Public License as published by
	6	## the Free Software Foundation; either version 2 of the License, or
	7	## (at your option) any later version.
	8	##
	9	## This program is distributed in the hope that it will be useful,
	10	## but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	## GNU General Public License for more details.
	13	##
	14	## You should have received a copy of the GNU General Public License
	15	## along with this program; if not, write to the Free Software
	16	## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	17	##
[3521]	18	import grok
[6157]	19	from zope.component import getUtilitiesFor
[6144]	20	from zope.interface import Interface
[6163]	21	from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
[11949]	22	from waeup.ikoba.interfaces import ILocalRolesAssignable
[3521]	23
[4789]	24	class Public(grok.Permission):
	25	"""Everyone-can-do-this-permission.
	26
	27	This permission is meant to be applied to objects/views/pages
	28	etc., that should be usable/readable by everyone.
	29
	30	We need this to be able to tune default permissions more
	31	restrictive and open up some dedicated objects like the front
	32	page.
	33	"""
	34	grok.name('waeup.Public')
[6142]	35
[5433]	36	class Anonymous(grok.Permission):
	37	"""Only-anonymous-can-do-this-permission.
	38	"""
[6142]	39	grok.name('waeup.Anonymous')
[4789]	40
[7184]	41	class Authenticated(grok.Permission):
	42	"""Only-logged-in-users-can-do-this-permission.
	43	"""
	44	grok.name('waeup.Authenticated')
[4789]	45
[12065]	46	class ViewProducts(grok.Permission):
[11947]	47	grok.name('waeup.viewProducts')
[7184]	48
[12065]	49	class ManageProducts(grok.Permission):
[11947]	50	grok.name('waeup.manageProducts')
[4789]	51
[8367]	52	class ManagePortal(grok.Permission):
	53	grok.name('waeup.managePortal')
	54
[4789]	55	class ManageUsers(grok.Permission):
	56	grok.name('waeup.manageUsers')
[6142]	57
[7163]	58	class EditUser(grok.Permission):
	59	grok.name('waeup.editUser')
	60
[6127]	61	class ManageDataCenter(grok.Permission):
	62	grok.name('waeup.manageDataCenter')
[6142]	63
[8367]	64	class ImportData(grok.Permission):
	65	grok.name('waeup.importData')
	66
[10177]	67	class ExportData(grok.Permission):
	68	grok.name('waeup.exportData')
	69
[6907]	70	class ManagePortalConfiguration(grok.Permission):
	71	grok.name('waeup.managePortalConfiguration')
[6155]	72
[7181]	73
[6125]	74	# Local Roles
[10226]	75
[7163]	76	class Owner(grok.Role):
	77	grok.name('waeup.local.Owner')
	78	grok.title(u'Owner')
	79	grok.permissions('waeup.editUser')
	80
[12068]	81	class ProductManager(grok.Role):
	82	grok.name('waeup.local.ProductManager')
	83	grok.title(u'Product Manager')
	84	grok.permissions('waeup.manageProducts',
	85	'waeup.viewProducts',
	86	'waeup.exportData')
	87
[7178]	88	# Site Roles
[11947]	89	class ProductsOfficer(grok.Role):
	90	grok.name('waeup.ProductsOfficer')
	91	grok.title(u'Products Officer (view only)')
	92	grok.permissions('waeup.viewProducts')
[3521]	93
[12072]	94	class ProductsManager(grok.Role):
[11947]	95	grok.name('waeup.ProductsManager')
	96	grok.title(u'Products Manager')
	97	grok.permissions('waeup.viewProducts',
	98	'waeup.manageProducts')
[8367]	99
	100	class DataCenterManager(grok.Role):
	101	grok.name('waeup.DataCenterManager')
	102	grok.title(u'Datacenter Manager')
	103	grok.permissions('waeup.manageDataCenter')
	104
	105	class ImportManager(grok.Role):
	106	grok.name('waeup.ImportManager')
	107	grok.title(u'Import Manager')
	108	grok.permissions('waeup.manageDataCenter',
	109	'waeup.importData')
	110
[10177]	111	class ExportManager(grok.Role):
	112	grok.name('waeup.ExportManager')
	113	grok.title(u'Export Manager')
	114	grok.permissions('waeup.manageDataCenter',
	115	'waeup.exportData')
	116
[8367]	117	class UsersManager(grok.Role):
	118	grok.name('waeup.UsersManager')
	119	grok.title(u'Users Manager')
[9259]	120	grok.permissions('waeup.manageUsers',
	121	'waeup.editUser')
[8367]	122
[9300]	123	class WorkflowManager(grok.Role):
	124	grok.name('waeup.WorkflowManager')
	125	grok.title(u'Workflow Manager')
[9299]	126	grok.permissions('waeup.triggerTransition')
	127
[4789]	128	class PortalManager(grok.Role):
	129	grok.name('waeup.PortalManager')
[6159]	130	grok.title(u'Portal Manager')
[9259]	131	grok.permissions('waeup.managePortal',
	132	'waeup.manageUsers',
[11947]	133	'waeup.viewProducts', 'waeup.manageProducts',
[9259]	134	'waeup.manageDataCenter',
	135	'waeup.importData',
[10177]	136	'waeup.exportData',
[11947]	137	'waeup.managePortalConfiguration',
[9335]	138	'waeup.editUser',
[9637]	139	'waeup.manageReports',
[9645]	140	'waeup.manageJobs',
[11958]	141	'waeup.viewCustomer', 'waeup.viewCustomers',
	142	'waeup.manageCustomer', 'waeup.viewCustomersContainer',
[12015]	143	'waeup.editCustomerDocuments', 'waeup.uploadCustomerFile',
[11967]	144	'waeup.triggerTransition',
[12090]	145	'waeup.viewCustomersTab',
[12097]	146	'waeup.editContracts'
[7240]	147	)
[4789]	148
[9259]	149	class CCOfficer(grok.Role):
[9303]	150	"""This is basically a copy of the the PortalManager class. We exclude some
[9262]	151	'dangerous' permissions by commenting them out.
[9259]	152	"""
[10346]	153	grok.baseclass()
[9259]	154	grok.name('waeup.CCOfficer')
	155	grok.title(u'Computer Center Officer')
	156	grok.permissions(#'waeup.managePortal',
	157	#'waeup.manageUsers',
[11947]	158	'waeup.viewProducts', 'waeup.manageProducts',
[9259]	159	#'waeup.manageACBatches',
	160	'waeup.manageDataCenter',
	161	#'waeup.importData',
[10243]	162	'waeup.exportData',
[11947]	163	'waeup.managePortalConfiguration',
[9335]	164	#'waeup.editUser',
[9637]	165	'waeup.manageReports',
[9645]	166	#'waeup.manageJobs',
[11958]	167	'waeup.viewCustomer', 'waeup.viewCustomers',
	168	'waeup.manageCustomer', 'waeup.viewCustomersContainer',
[12015]	169	'waeup.editCustomerDocuments', 'waeup.uploadCustomerFile',
[11967]	170	'waeup.triggerTransition',
[12090]	171	'waeup.viewCustomersTab',
[12097]	172	'waeup.editContracts'
[9259]	173	)
	174
[7186]	175	def get_all_roles():
[6157]	176	"""Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
	177	"""
	178	return getUtilitiesFor(IRole)
	179
[7186]	180	def get_waeup_roles(also_local=False):
[11949]	181	"""Get all Ikoba roles.
[6157]	182
[11949]	183	Ikoba roles are ordinary roles whose id by convention starts with
[6157]	184	a ``waeup.`` prefix.
	185
	186	If `also_local` is ``True`` (``False`` by default), also local
[11949]	187	roles are returned. Local Ikoba roles are such whose id starts
[6157]	188	with ``waeup.local.`` prefix (this is also a convention).
	189
	190	Returns a generator of the found roles.
	191	"""
[7186]	192	for name, item in get_all_roles():
[6157]	193	if not name.startswith('waeup.'):
[11949]	194	# Ignore non-Ikoba roles...
[4789]	195	continue
[6157]	196	if not also_local and name.startswith('waeup.local.'):
	197	# Ignore local roles...
[6045]	198	continue
[6157]	199	yield item
[4789]	200
[7186]	201	def get_waeup_role_names():
[11949]	202	"""Get the ids of all Ikoba roles.
[6157]	203
[11949]	204	See :func:`get_waeup_roles` for what a 'IkobaRole' is.
[6157]	205
[11949]	206	This function returns a sorted list of Ikoba role names.
[6157]	207	"""
[7186]	208	return sorted([x.id for x in get_waeup_roles()])
[6157]	209
[6144]	210	class LocalRolesAssignable(grok.Adapter):
	211	"""Default implementation for `ILocalRolesAssignable`.
	212
	213	This adapter returns a list for dictionaries for objects for which
	214	we want to know the roles assignable to them locally.
	215
	216	The returned dicts contain a ``name`` and a ``title`` entry which
	217	give a role (``name``) and a description, for which kind of users
	218	the permission is meant to be used (``title``).
	219
	220	Having this adapter registered we make sure, that for each normal
	221	object we get a valid `ILocalRolesAssignable` adapter.
	222
	223	Objects that want to offer certain local roles, can do so by
[6162]	224	setting a (preferably class-) attribute to a list of role ids.
[6144]	225
	226	You can also define different adapters for different contexts to
	227	have different role lookup mechanisms become available. But in
	228	normal cases it should be sufficient to use this basic adapter.
	229	"""
	230	grok.context(Interface)
	231	grok.provides(ILocalRolesAssignable)
	232
	233	_roles = []
	234
	235	def __init__(self, context):
	236	self.context = context
[6162]	237	role_ids = getattr(context, 'local_roles', self._roles)
[7186]	238	self._roles = [(name, role) for name, role in get_all_roles()
[6162]	239	if name in role_ids]
[6144]	240	return
	241
	242	def __call__(self):
	243	"""Get a list of dictionaries containing ``names`` (the roles to
	244	assign) and ``titles`` (some description of the type of user
	245	to assign each role to).
	246	"""
[7334]	247	list_of_dict = [dict(
[6162]	248	name=name,
	249	title=role.title,
[6163]	250	description=role.description)
[7334]	251	for name, role in self._roles]
	252	return sorted(list_of_dict, key=lambda x: x['name'])
[6144]	253
[8774]	254	def get_all_users():
	255	"""Get a list of dictionaries.
	256	"""
	257	users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
	258	for key, val in users:
	259	yield(dict(name=key, val=val))
	260
[6163]	261	def get_users_with_local_roles(context):
	262	"""Get a list of dicts representing the local roles set for `context`.
	263
	264	Each dict returns `user_name`, `user_title`, `local_role`,
	265	`local_role_title`, and `setting` for each entry in the local
	266	roles map of the `context` object.
	267	"""
[6202]	268	try:
	269	role_map = IPrincipalRoleMap(context)
	270	except TypeError:
	271	# no map no roles.
	272	raise StopIteration
[6163]	273	for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
	274	user = grok.getSite()['users'].get(user_name,None)
[7213]	275	user_title = getattr(user, 'title', user_name)
[10227]	276	local_role_title = getattr(
	277	dict(get_all_roles()).get(local_role, None), 'title', None)
[6163]	278	yield dict(user_name = user_name,
	279	user_title = user_title,
	280	local_role = local_role,
	281	local_role_title = local_role_title,
[9309]	282	setting = setting)
	283
	284	def get_users_with_role(role, context):
	285	"""Get a list of dicts representing the usres who have been granted
	286	a role for `context`.
	287	"""
	288	try:
	289	role_map = IPrincipalRoleMap(context)
	290	except TypeError:
	291	# no map no roles.
	292	raise StopIteration
	293	for user_name, setting in role_map.getPrincipalsForRole(role):
	294	user = grok.getSite()['users'].get(user_name,None)
	295	user_title = getattr(user, 'title', user_name)
	296	user_email = getattr(user, 'email', None)
	297	yield dict(user_name = user_name,
	298	user_title = user_title,
	299	user_email = user_email,
	300	setting = setting)

Note: See TracBrowser for help on using the repository browser.

Download in other formats: