source: main/waeup.ikoba/trunk/src/waeup/ikoba/permissions.py @ 12648

Last change on this file since 12648 was 12347, checked in by Henrik Bettermann, 10 years ago

We do nor need an extra permission for uploading passport pictures.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 10.5 KB
RevLine 
[7193]1## $Id: permissions.py 12347 2014-12-31 08:18:54Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
[3521]18import grok
[6157]19from zope.component import getUtilitiesFor
[6144]20from zope.interface import Interface
[6163]21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
[11949]22from waeup.ikoba.interfaces import ILocalRolesAssignable
[3521]23
[4789]24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
[6142]35
[5433]36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
[6142]39    grok.name('waeup.Anonymous')
[4789]40
[7184]41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
[4789]45
[12065]46class ViewProducts(grok.Permission):
[11947]47    grok.name('waeup.viewProducts')
[7184]48
[12065]49class ManageProducts(grok.Permission):
[11947]50    grok.name('waeup.manageProducts')
[4789]51
[8367]52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
[4789]55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
[6142]57
[7163]58class EditUser(grok.Permission):
59    grok.name('waeup.editUser')
60
[6127]61class ManageDataCenter(grok.Permission):
62    grok.name('waeup.manageDataCenter')
[6142]63
[8367]64class ImportData(grok.Permission):
65    grok.name('waeup.importData')
66
[10177]67class ExportData(grok.Permission):
68    grok.name('waeup.exportData')
69
[6907]70class ManagePortalConfiguration(grok.Permission):
71    grok.name('waeup.managePortalConfiguration')
[6155]72
[7181]73
[6125]74# Local Roles
[10226]75
[7163]76class Owner(grok.Role):
77    grok.name('waeup.local.Owner')
78    grok.title(u'Owner')
79    grok.permissions('waeup.editUser')
80
[12068]81class ProductManager(grok.Role):
82    grok.name('waeup.local.ProductManager')
83    grok.title(u'Product Manager')
84    grok.permissions('waeup.manageProducts',
85                     'waeup.viewProducts',
86                     'waeup.exportData')
87
[7178]88# Site Roles
[11947]89class ProductsOfficer(grok.Role):
90    grok.name('waeup.ProductsOfficer')
91    grok.title(u'Products Officer (view only)')
92    grok.permissions('waeup.viewProducts')
[3521]93
[12072]94class ProductsManager(grok.Role):
[11947]95    grok.name('waeup.ProductsManager')
96    grok.title(u'Products Manager')
97    grok.permissions('waeup.viewProducts',
98                     'waeup.manageProducts')
[8367]99
100class DataCenterManager(grok.Role):
101    grok.name('waeup.DataCenterManager')
102    grok.title(u'Datacenter Manager')
103    grok.permissions('waeup.manageDataCenter')
104
105class ImportManager(grok.Role):
106    grok.name('waeup.ImportManager')
107    grok.title(u'Import Manager')
108    grok.permissions('waeup.manageDataCenter',
109                     'waeup.importData')
110
[10177]111class ExportManager(grok.Role):
112    grok.name('waeup.ExportManager')
113    grok.title(u'Export Manager')
114    grok.permissions('waeup.manageDataCenter',
115                     'waeup.exportData')
116
[8367]117class UsersManager(grok.Role):
118    grok.name('waeup.UsersManager')
119    grok.title(u'Users Manager')
[9259]120    grok.permissions('waeup.manageUsers',
121                     'waeup.editUser')
[8367]122
[9300]123class WorkflowManager(grok.Role):
124    grok.name('waeup.WorkflowManager')
125    grok.title(u'Workflow Manager')
[9299]126    grok.permissions('waeup.triggerTransition')
127
[4789]128class PortalManager(grok.Role):
129    grok.name('waeup.PortalManager')
[6159]130    grok.title(u'Portal Manager')
[9259]131    grok.permissions('waeup.managePortal',
132                     'waeup.manageUsers',
[11947]133                     'waeup.viewProducts', 'waeup.manageProducts',
[12207]134                     'waeup.viewDocuments', 'waeup.manageDocuments',
[9259]135                     'waeup.manageDataCenter',
136                     'waeup.importData',
[10177]137                     'waeup.exportData',
[11947]138                     'waeup.managePortalConfiguration',
[9335]139                     'waeup.editUser',
[9637]140                     'waeup.manageReports',
[9645]141                     'waeup.manageJobs',
[11958]142                     'waeup.viewCustomer', 'waeup.viewCustomers',
143                     'waeup.manageCustomer', 'waeup.viewCustomersContainer',
[12347]144                     'waeup.editCustomerDocuments',
[11967]145                     'waeup.triggerTransition',
[12090]146                     'waeup.viewCustomersTab',
[12097]147                     'waeup.editContracts'
[7240]148                     )
[4789]149
[9259]150class CCOfficer(grok.Role):
[9303]151    """This is basically a copy of the the PortalManager class. We exclude some
[9262]152    'dangerous' permissions by commenting them out.
[9259]153    """
[10346]154    grok.baseclass()
[9259]155    grok.name('waeup.CCOfficer')
156    grok.title(u'Computer Center Officer')
157    grok.permissions(#'waeup.managePortal',
158                     #'waeup.manageUsers',
[11947]159                     'waeup.viewProducts', 'waeup.manageProducts',
[12207]160                     'waeup.viewDocuments', 'waeup.manageDocuments',
[9259]161                     #'waeup.manageACBatches',
162                     'waeup.manageDataCenter',
163                     #'waeup.importData',
[10243]164                     'waeup.exportData',
[11947]165                     'waeup.managePortalConfiguration',
[9335]166                     #'waeup.editUser',
[9637]167                     'waeup.manageReports',
[9645]168                     #'waeup.manageJobs',
[11958]169                     'waeup.viewCustomer', 'waeup.viewCustomers',
170                     'waeup.manageCustomer', 'waeup.viewCustomersContainer',
[12347]171                     'waeup.editCustomerDocuments',
[11967]172                     'waeup.triggerTransition',
[12090]173                     'waeup.viewCustomersTab',
[12097]174                     'waeup.editContracts'
[9259]175                     )
176
[7186]177def get_all_roles():
[6157]178    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
179    """
180    return getUtilitiesFor(IRole)
181
[7186]182def get_waeup_roles(also_local=False):
[11949]183    """Get all Ikoba roles.
[6157]184
[11949]185    Ikoba roles are ordinary roles whose id by convention starts with
[6157]186    a ``waeup.`` prefix.
187
188    If `also_local` is ``True`` (``False`` by default), also local
[11949]189    roles are returned. Local Ikoba roles are such whose id starts
[6157]190    with ``waeup.local.`` prefix (this is also a convention).
191
192    Returns a generator of the found roles.
193    """
[7186]194    for name, item in get_all_roles():
[6157]195        if not name.startswith('waeup.'):
[11949]196            # Ignore non-Ikoba roles...
[4789]197            continue
[6157]198        if not also_local and name.startswith('waeup.local.'):
199            # Ignore local roles...
[6045]200            continue
[6157]201        yield item
[4789]202
[7186]203def get_waeup_role_names():
[11949]204    """Get the ids of all Ikoba roles.
[6157]205
[11949]206    See :func:`get_waeup_roles` for what a 'IkobaRole' is.
[6157]207
[11949]208    This function returns a sorted list of Ikoba role names.
[6157]209    """
[7186]210    return sorted([x.id for x in get_waeup_roles()])
[6157]211
[6144]212class LocalRolesAssignable(grok.Adapter):
213    """Default implementation for `ILocalRolesAssignable`.
214
215    This adapter returns a list for dictionaries for objects for which
216    we want to know the roles assignable to them locally.
217
218    The returned dicts contain a ``name`` and a ``title`` entry which
219    give a role (``name``) and a description, for which kind of users
220    the permission is meant to be used (``title``).
221
222    Having this adapter registered we make sure, that for each normal
223    object we get a valid `ILocalRolesAssignable` adapter.
224
225    Objects that want to offer certain local roles, can do so by
[6162]226    setting a (preferably class-) attribute to a list of role ids.
[6144]227
228    You can also define different adapters for different contexts to
229    have different role lookup mechanisms become available. But in
230    normal cases it should be sufficient to use this basic adapter.
231    """
232    grok.context(Interface)
233    grok.provides(ILocalRolesAssignable)
234
235    _roles = []
236
237    def __init__(self, context):
238        self.context = context
[6162]239        role_ids = getattr(context, 'local_roles', self._roles)
[7186]240        self._roles = [(name, role) for name, role in get_all_roles()
[6162]241                       if name in role_ids]
[6144]242        return
243
244    def __call__(self):
245        """Get a list of dictionaries containing ``names`` (the roles to
246        assign) and ``titles`` (some description of the type of user
247        to assign each role to).
248        """
[7334]249        list_of_dict = [dict(
[6162]250                name=name,
251                title=role.title,
[6163]252                description=role.description)
[7334]253                for name, role in self._roles]
254        return sorted(list_of_dict, key=lambda x: x['name'])
[6144]255
[8774]256def get_all_users():
257    """Get a list of dictionaries.
258    """
259    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
260    for key, val in users:
261        yield(dict(name=key, val=val))
262
[6163]263def get_users_with_local_roles(context):
264    """Get a list of dicts representing the local roles set for `context`.
265
266    Each dict returns `user_name`, `user_title`, `local_role`,
267    `local_role_title`, and `setting` for each entry in the local
268    roles map of the `context` object.
269    """
[6202]270    try:
271        role_map = IPrincipalRoleMap(context)
272    except TypeError:
273        # no map no roles.
274        raise StopIteration
[6163]275    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
276        user = grok.getSite()['users'].get(user_name,None)
[7213]277        user_title = getattr(user, 'title', user_name)
[10227]278        local_role_title = getattr(
279            dict(get_all_roles()).get(local_role, None), 'title', None)
[6163]280        yield dict(user_name = user_name,
281                   user_title = user_title,
282                   local_role = local_role,
283                   local_role_title = local_role_title,
[9309]284                   setting = setting)
285
286def get_users_with_role(role, context):
287    """Get a list of dicts representing the usres who have been granted
288    a role for `context`.
289    """
290    try:
291        role_map = IPrincipalRoleMap(context)
292    except TypeError:
293        # no map no roles.
294        raise StopIteration
295    for user_name, setting in role_map.getPrincipalsForRole(role):
296        user = grok.getSite()['users'].get(user_name,None)
297        user_title = getattr(user, 'title', user_name)
298        user_email = getattr(user, 'email', None)
299        yield dict(user_name = user_name,
300                   user_title = user_title,
301                   user_email = user_email,
302                   setting = setting)
Note: See TracBrowser for help on using the repository browser.