source: main/waeup.ikoba/trunk/src/waeup/ikoba/permissions.py @ 12068

Last change on this file since 12068 was 12068, checked in by Henrik Bettermann, 10 years ago

Add local role ProductManager.

We don't need local roles for the products container.

1## $Id: permissions.py 12068 2014-11-27 07:48:15Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.ikoba.interfaces import ILocalRolesAssignable
23
class Public(grok.Permission):
    """Everyone-can-do-this permission (``waeup.Public``).

    Apply to objects/views/pages that must be reachable by everyone,
    including unauthenticated visitors.  It exists so that the default
    permissions can be tuned to be more restrictive while selected
    objects, such as the front page, are explicitly opened up.

    Security note: anything guarded by this permission is effectively
    unprotected, so grant it deliberately and never to views that change
    state or reveal non-public data.
    """
    grok.name('waeup.Public')
35
class Anonymous(grok.Permission):
    """Only-anonymous-can-do-this permission (``waeup.Anonymous``).

    Presumably meant for views that only make sense for visitors who are
    *not* logged in (login or registration pages) -- confirm against the
    views that use it.
    """
    grok.name('waeup.Anonymous')
40
class Authenticated(grok.Permission):
    """Only-logged-in-users-can-do-this permission (``waeup.Authenticated``).

    Requires a logged-in principal but, unlike the permissions below,
    implies no particular role; it is the weakest "must be logged in"
    check available in this module.
    """
    grok.name('waeup.Authenticated')
45
class ViewProducts(grok.Permission):
    """Read-only access to products (``waeup.viewProducts``).

    Granted alone by the view-only `ProductsOfficer` role and together
    with `ManageProducts` by the product manager roles below.
    """
    grok.name('waeup.viewProducts')
48
class ManageProducts(grok.Permission):
    """Write access to products (``waeup.manageProducts``).

    Granted by the `ProductManager` local role, the site-wide products
    manager role and `PortalManager`/`CCOfficer`.  Roles that grant it
    also grant `ViewProducts`, so treat it as a superset of viewing.
    """
    grok.name('waeup.manageProducts')
51
class ManagePortal(grok.Permission):
    """Administrative control of the whole portal (``waeup.managePortal``).

    In this module only `PortalManager` grants it; `CCOfficer` deliberately
    leaves it out as one of the 'dangerous' permissions.
    """
    grok.name('waeup.managePortal')
54
class ManageUsers(grok.Permission):
    """Manage the site's user accounts (``waeup.manageUsers``).

    Granted by `UsersManager` and `PortalManager`; excluded from
    `CCOfficer`.  Because account management is the path to every other
    role, this is effectively an administrative permission.
    """
    grok.name('waeup.manageUsers')
57
class EditUser(grok.Permission):
    """Edit a single user account (``waeup.editUser``).

    The only permission carried by the `Owner` local role, so it is
    presumably what lets a user edit their own account object; also
    granted site-wide by `UsersManager` and `PortalManager`.
    """
    grok.name('waeup.editUser')
60
class ManageDataCenter(grok.Permission):
    """Access the data center area (``waeup.manageDataCenter``).

    Granted on its own by `DataCenterManager`, and as the base permission
    of `ImportManager` and `ExportManager`, which add `ImportData` /
    `ExportData` on top of it.
    """
    grok.name('waeup.manageDataCenter')
63
class ImportData(grok.Permission):
    """Run data imports (``waeup.importData``).

    Granted by `ImportManager` and `PortalManager` only; `CCOfficer`
    excludes it.  Imports write into the database from uploaded files,
    which is why it is kept separate from mere data-center access.
    """
    grok.name('waeup.importData')
66
class ExportData(grok.Permission):
    """Run data exports (``waeup.exportData``).

    Granted by `ExportManager`, `PortalManager`, `CCOfficer` and also by
    the `ProductManager` *local* role -- note that the latter grants an
    export permission in a local context.
    """
    grok.name('waeup.exportData')
69
class ManagePortalConfiguration(grok.Permission):
    """Edit portal configuration (``waeup.managePortalConfiguration``).

    Granted by `PortalManager` and `CCOfficer`.
    """
    grok.name('waeup.managePortalConfiguration')
72
73
74# Local Roles
75
class Owner(grok.Role):
    """Local role of an object's owner (``waeup.local.Owner``).

    Carries only `waeup.editUser`; presumably assigned on a user's own
    account object so that the user can edit it -- confirm where it is
    granted.  Local roles (``waeup.local.`` prefix) are skipped by
    :func:`get_waeup_roles` unless ``also_local`` is set.
    """
    grok.name('waeup.local.Owner')
    grok.title(u'Owner')
    grok.permissions('waeup.editUser')
80
class ProductManager(grok.Role):
    """Local role for managing products (``waeup.local.ProductManager``).

    Grants view and manage access to products plus `waeup.exportData`
    in the context where the role is assigned.  Review note: exportData
    is otherwise a site-wide data-center permission (`ExportManager`);
    check that export views reachable under the objects offering this
    local role are the only ones this is meant to open.
    """
    grok.name('waeup.local.ProductManager')
    grok.title(u'Product Manager')
    grok.permissions('waeup.manageProducts',
                     'waeup.viewProducts',
                     'waeup.exportData')
87
88# Site Roles
class ProductsOfficer(grok.Role):
    """Site role with read-only access to products (``waeup.ProductsOfficer``).

    Grants `waeup.viewProducts` only.
    """
    grok.name('waeup.ProductsOfficer')
    grok.title(u'Products Officer (view only)')
    grok.permissions('waeup.viewProducts')
93
class ProductssManager(grok.Role):
    """Site role for viewing and managing products (``waeup.ProductsManager``).

    NOTE(review): the class name has a typo (double ``s``); the registered
    role id and title are spelled correctly.  The class is not renamed
    here because that would change the module's public name.
    """
    grok.name('waeup.ProductsManager')
    grok.title(u'Products Manager')
    grok.permissions('waeup.viewProducts',
                     'waeup.manageProducts')
99
class DataCenterManager(grok.Role):
    """Site role for data-center access (``waeup.DataCenterManager``).

    Grants `waeup.manageDataCenter` only -- neither import nor export;
    those need `ImportManager` / `ExportManager`.
    """
    grok.name('waeup.DataCenterManager')
    grok.title(u'Datacenter Manager')
    grok.permissions('waeup.manageDataCenter')
104
class ImportManager(grok.Role):
    """Site role for importing data (``waeup.ImportManager``).

    Data-center access plus `waeup.importData`, i.e. a strict superset of
    `DataCenterManager`.
    """
    grok.name('waeup.ImportManager')
    grok.title(u'Import Manager')
    grok.permissions('waeup.manageDataCenter',
                     'waeup.importData')
110
class ExportManager(grok.Role):
    """Site role for exporting data (``waeup.ExportManager``).

    Data-center access plus `waeup.exportData`, i.e. a strict superset of
    `DataCenterManager`.
    """
    grok.name('waeup.ExportManager')
    grok.title(u'Export Manager')
    grok.permissions('waeup.manageDataCenter',
                     'waeup.exportData')
116
class UsersManager(grok.Role):
    """Site role for user administration (``waeup.UsersManager``).

    Grants `waeup.manageUsers` and `waeup.editUser`.  Holders can alter
    other accounts (and, depending on the views, their roles), so this is
    an administrative role in practice.
    """
    grok.name('waeup.UsersManager')
    grok.title(u'Users Manager')
    grok.permissions('waeup.manageUsers',
                     'waeup.editUser')
122
class WorkflowManager(grok.Role):
    """Site role allowed to trigger workflow transitions.

    ``waeup.triggerTransition`` is not declared in this module; it must
    be defined by another module of the package.
    """
    grok.name('waeup.WorkflowManager')
    grok.title(u'Workflow Manager')
    grok.permissions('waeup.triggerTransition')
127
class PortalManager(grok.Role):
    """The all-powerful site role (``waeup.PortalManager``).

    Grants every permission declared in this module except the
    `Public`/`Anonymous`/`Authenticated` pseudo-permissions, plus the
    reports, jobs, customer and workflow permissions that are declared in
    other modules of the package.  Assign sparingly; `CCOfficer` below is
    the reduced variant without the 'dangerous' permissions.
    """
    grok.name('waeup.PortalManager')
    grok.title(u'Portal Manager')
    grok.permissions('waeup.managePortal',
                     'waeup.manageUsers',
                     'waeup.viewProducts', 'waeup.manageProducts',
                     'waeup.manageDataCenter',
                     'waeup.importData',
                     'waeup.exportData',
                     'waeup.managePortalConfiguration',
                     'waeup.editUser',
                     'waeup.manageReports',
                     'waeup.manageJobs',
                     'waeup.viewCustomer', 'waeup.viewCustomers',
                     'waeup.manageCustomer', 'waeup.viewCustomersContainer',
                     'waeup.editCustomerDocuments', 'waeup.uploadCustomerFile',
                     'waeup.triggerTransition',
                     'waeup.viewCustomersTab'
                     )
147
class CCOfficer(grok.Role):
    """Reduced copy of `PortalManager` for computer center officers.

    The permission list mirrors `PortalManager`; the 'dangerous' ones
    (portal and user administration, AC batches, data import, editing
    users, job management) are left in place but commented out so the
    difference to `PortalManager` stays reviewable.

    NOTE(review): ``grok.baseclass()`` presumably keeps this class from
    being registered as a role itself, making it a template that a
    concrete role subclass elsewhere must instantiate -- confirm.
    """
    grok.baseclass()
    grok.name('waeup.CCOfficer')
    grok.title(u'Computer Center Officer')
    grok.permissions(#'waeup.managePortal',
                     #'waeup.manageUsers',
                     'waeup.viewProducts', 'waeup.manageProducts',
                     #'waeup.manageACBatches',
                     'waeup.manageDataCenter',
                     #'waeup.importData',
                     'waeup.exportData',
                     'waeup.managePortalConfiguration',
                     #'waeup.editUser',
                     'waeup.manageReports',
                     #'waeup.manageJobs',
                     'waeup.viewCustomer', 'waeup.viewCustomers',
                     'waeup.manageCustomer', 'waeup.viewCustomersContainer',
                     'waeup.editCustomerDocuments', 'waeup.uploadCustomerFile',
                     'waeup.triggerTransition',
                     'waeup.viewCustomersTab'
                     )
172
def get_all_roles():
    """Return all registered roles as ``(name, role)`` pairs.

    Thin wrapper around ``getUtilitiesFor(IRole)``.  The result is an
    iterable, not necessarily a list -- callers in this module iterate it
    once or wrap it in ``dict`` -- and it includes non-Ikoba roles too.
    ``name`` is the utility name under which the role was registered.
    """
    registered = getUtilitiesFor(IRole)
    return registered
177
def get_waeup_roles(also_local=False):
    """Yield all Ikoba roles from the component registry.

    An Ikoba role is any role whose id starts with ``waeup.``; this is a
    naming convention, not an interface check.  Local roles -- ids
    starting with ``waeup.local.`` -- are skipped unless `also_local` is
    true.

    Returns a generator over the role objects (not their names).
    """
    for role_id, role in get_all_roles():
        is_ikoba = role_id.startswith('waeup.')
        is_local = role_id.startswith('waeup.local.')
        if is_ikoba and (also_local or not is_local):
            yield role
198
def get_waeup_role_names():
    """Return the ids of all non-local Ikoba roles, sorted.

    See :func:`get_waeup_roles` for the ``waeup.`` convention.  Local
    roles are excluded because `get_waeup_roles` is called with its
    default ``also_local=False``.
    """
    role_ids = (role.id for role in get_waeup_roles())
    return sorted(role_ids)
207
class LocalRolesAssignable(grok.Adapter):
    """Default `ILocalRolesAssignable` adapter for arbitrary objects.

    Answers the question "which roles may be granted locally on this
    object?"  The answer is taken from a ``local_roles`` attribute of the
    context (preferably a class attribute) holding a list of role ids;
    objects without that attribute offer no local roles.

    Security note: ``local_roles`` is an authorization decision.  Any
    role id listed there can presumably be granted through the
    local-roles management views, so a class that lists e.g.
    ``waeup.local.ProductManager`` hands out manageProducts/exportData
    in its context -- keep the lists minimal.

    Calling the adapter returns a list of dicts with ``name``, ``title``
    and ``description`` entries, one per registered role whose id is in
    ``local_roles``, sorted by ``name``.  Different contexts may register
    more specific adapters with other lookup rules; this generic one is
    registered for ``Interface``.
    """
    grok.context(Interface)
    grok.provides(ILocalRolesAssignable)

    # Fallback used when the context has no ``local_roles`` attribute:
    # nothing is assignable.  Never mutated, so sharing it is safe.
    _roles = []

    def __init__(self, context):
        self.context = context
        wanted = getattr(context, 'local_roles', self._roles)
        # Keep only the *registered* roles the context offers; ids in
        # ``local_roles`` that match no registered role are dropped.
        self._roles = [pair for pair in get_all_roles() if pair[0] in wanted]
        return

    def __call__(self):
        """Return the assignable roles as dicts sorted by role name.

        Each dict has ``name`` (the role id to assign), ``title`` and
        ``description`` (a hint for which kind of user the role is meant).
        """
        entries = []
        for role_id, role in sorted(self._roles, key=lambda pair: pair[0]):
            entries.append(dict(
                name=role_id,
                title=role.title,
                description=role.description))
        return entries
251
def get_all_users():
    """Yield every account in the site's ``users`` container.

    Each item is a dict ``{'name': <user id>, 'val': <user object>}``.
    The sequence is ordered by the user's ``title`` attribute, not by id.
    """
    container = grok.getSite()['users']
    by_title = sorted(container.items(), key=lambda item: item[1].title)
    for user_id, user in by_title:
        yield dict(name=user_id, val=user)
258
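def get_users_with_local_roles(context):
    """Yield one dict per entry in the local role map of `context`.

    Each dict carries `user_name`, `user_title`, `local_role`,
    `local_role_title` and `setting` (the setting object stored in the
    map -- Allow/Deny in ``zope.securitypolicy`` terms).  Entries are
    yielded regardless of their setting, so consumers that want "users
    who *have* the role" must look at `setting`, not at mere presence.

    If `context` cannot be adapted to `IPrincipalRoleMap` the generator
    is simply empty.  Titles fall back gracefully: an unknown principal
    id is reported as itself, an unknown role id gets ``None`` as title.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # no map no roles.  A bare ``return`` ends the generator; the
        # former ``raise StopIteration`` is turned into RuntimeError by
        # PEP 479 on Python 3.7+.
        return
    # Both lookups are invariant for the whole call; in particular
    # ``dict(get_all_roles())`` rebuilt the full role registry once per
    # entry before, so hoist them out of the loop.
    users = grok.getSite()['users']
    role_by_id = dict(get_all_roles())
    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
        user = users.get(user_name, None)
        user_title = getattr(user, 'title', user_name)
        local_role_title = getattr(
            role_by_id.get(local_role, None), 'title', None)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   local_role=local_role,
                   local_role_title=local_role_title,
                   setting=setting)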
281
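def get_users_with_role(role, context):
    """Yield one dict per principal that has an entry for `role` on `context`.

    Each dict carries `user_name`, `user_title`, `user_email` (``None``
    when the account is unknown or has no ``email``) and `setting`.  As
    with :func:`get_users_with_local_roles`, entries are yielded for any
    setting, so check `setting` before treating a principal as a holder
    of the role.

    If `context` cannot be adapted to `IPrincipalRoleMap` the generator
    is simply empty.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # no map no roles.  A bare ``return`` ends the generator; the
        # former ``raise StopIteration`` is turned into RuntimeError by
        # PEP 479 on Python 3.7+.
        return
    # Invariant for the whole call; hoisted out of the loop.
    users = grok.getSite()['users']
    for user_name, setting in role_map.getPrincipalsForRole(role):
        user = users.get(user_name, None)
        user_title = getattr(user, 'title', user_name)
        user_email = getattr(user, 'email', None)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   user_email=user_email,
                   setting=setting)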