
Last change on this file since 12764 was 12764, checked in by Henrik Bettermann, 10 years ago

Configure permissions to view and manage payments.

1## $Id: permissions.py 12764 2015-03-15 06:18:19Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.ikoba.interfaces import ILocalRolesAssignable
23
class Public(grok.Permission):
    """Everyone-can-do-this permission (id ``waeup.Public``).

    This permission is meant to be applied to objects/views/pages
    etc. that should be usable/readable by everyone, including
    unauthenticated visitors.

    It exists so that the default permissions can be tuned to be
    more restrictive while a few dedicated objects, such as the front
    page, are explicitly opened up.
    """
    grok.name('waeup.Public')
35
class Anonymous(grok.Permission):
    """Only-anonymous-can-do-this permission (id ``waeup.Anonymous``).

    Which principals actually hold it is decided by the security
    policy configuration, not by this module.
    """
    grok.name('waeup.Anonymous')
40
class Authenticated(grok.Permission):
    """Only-logged-in-users-can-do-this permission (id ``waeup.Authenticated``).

    Which principals actually hold it is decided by the security
    policy configuration, not by this module.
    """
    grok.name('waeup.Authenticated')
45
class ViewProducts(grok.Permission):
    """Permission id ``waeup.viewProducts`` (read access to products)."""
    grok.name('waeup.viewProducts')
48
class ManageProducts(grok.Permission):
    """Permission id ``waeup.manageProducts`` (write access to products)."""
    grok.name('waeup.manageProducts')
51
class ManagePortal(grok.Permission):
    """Permission id ``waeup.managePortal``.

    In this module it is granted only by the ``PortalManager`` site
    role; ``CCOfficer`` deliberately leaves it out.
    """
    grok.name('waeup.managePortal')
54
class ManageUsers(grok.Permission):
    """Permission id ``waeup.manageUsers`` (administration of user accounts).

    Granted here by the ``UsersManager`` and ``PortalManager`` site roles.
    """
    grok.name('waeup.manageUsers')
57
class EditUser(grok.Permission):
    """Permission id ``waeup.editUser``.

    Besides the ``UsersManager``/``PortalManager`` site roles this is
    also granted by the local ``Owner`` role, i.e. in the context the
    owner role is assigned on.
    """
    grok.name('waeup.editUser')
60
class ManageDataCenter(grok.Permission):
    """Permission id ``waeup.manageDataCenter``.

    Shared by the ``DataCenterManager``, ``ImportManager`` and
    ``ExportManager`` site roles defined below.
    """
    grok.name('waeup.manageDataCenter')
63
class ImportData(grok.Permission):
    """Permission id ``waeup.importData``.

    Granted by ``ImportManager`` and ``PortalManager``; ``CCOfficer``
    leaves it commented out.
    """
    grok.name('waeup.importData')
66
class ExportData(grok.Permission):
    """Permission id ``waeup.exportData``.

    Granted by the ``ExportManager`` site role, by ``PortalManager``
    and ``CCOfficer``, and also by the local ``ProductManager`` role.
    """
    grok.name('waeup.exportData')
69
class ManagePortalConfiguration(grok.Permission):
    """Permission id ``waeup.managePortalConfiguration``.

    Granted by the ``PortalManager`` and ``CCOfficer`` roles below.
    """
    grok.name('waeup.managePortalConfiguration')
72
class ViewPayments(grok.Permission):
    """Permission id ``waeup.viewPayments`` (read access to payments).

    Granted by the ``PaymentsOfficer`` and ``PaymentsManager`` site roles.
    """
    grok.name('waeup.viewPayments')
75
class ManagePayments(grok.Permission):
    """Permission id ``waeup.managePayments`` (write access to payments).

    Granted by the ``PaymentsManager`` site role. Note the id carries
    the ``waeup.`` prefix like every other permission in this module.
    """
    grok.name('waeup.managePayments')
78
79# Local Roles
80
class Owner(grok.Role):
    """Local role ``waeup.local.Owner``.

    Grants ``waeup.editUser`` in the context the role is assigned on
    (the ``waeup.local.`` prefix marks local roles, see
    :func:`get_waeup_roles`).
    """
    grok.name('waeup.local.Owner')
    grok.title(u'Owner')
    grok.permissions('waeup.editUser')
85
class ProductManager(grok.Role):
    """Local role ``waeup.local.ProductManager``.

    Not to be confused with the site-wide ``ProductsManager`` role
    below. Besides product access this local role also grants
    ``waeup.exportData``, which is wider than the role name suggests.
    """
    grok.name('waeup.local.ProductManager')
    grok.title(u'Product Manager')
    grok.permissions('waeup.manageProducts',
                     'waeup.viewProducts',
                     'waeup.exportData')
92
93# Site Roles
class ProductsOfficer(grok.Role):
    """Site role ``waeup.ProductsOfficer``: read-only product access."""
    grok.name('waeup.ProductsOfficer')
    grok.title(u'Products Officer (view only)')
    grok.permissions('waeup.viewProducts')
98
class ProductsManager(grok.Role):
    """Site role ``waeup.ProductsManager``: view and manage products.

    Site-wide counterpart of the local ``ProductManager`` role, but
    without ``waeup.exportData``.
    """
    grok.name('waeup.ProductsManager')
    grok.title(u'Products Manager')
    grok.permissions('waeup.viewProducts',
                     'waeup.manageProducts')
104
class DataCenterManager(grok.Role):
    """Site role ``waeup.DataCenterManager``.

    Grants ``waeup.manageDataCenter`` only; import and export need the
    ``ImportManager``/``ExportManager`` roles.
    """
    grok.name('waeup.DataCenterManager')
    grok.title(u'Datacenter Manager')
    grok.permissions('waeup.manageDataCenter')
109
class ImportManager(grok.Role):
    """Site role ``waeup.ImportManager``: data center access plus import."""
    grok.name('waeup.ImportManager')
    grok.title(u'Import Manager')
    grok.permissions('waeup.manageDataCenter',
                     'waeup.importData')
115
class ExportManager(grok.Role):
    """Site role ``waeup.ExportManager``: data center access plus export."""
    grok.name('waeup.ExportManager')
    grok.title(u'Export Manager')
    grok.permissions('waeup.manageDataCenter',
                     'waeup.exportData')
121
class UsersManager(grok.Role):
    """Site role ``waeup.UsersManager``: manage accounts and edit users."""
    grok.name('waeup.UsersManager')
    grok.title(u'Users Manager')
    grok.permissions('waeup.manageUsers',
                     'waeup.editUser')
127
class WorkflowManager(grok.Role):
    """Site role ``waeup.WorkflowManager``.

    Grants ``waeup.triggerTransition``, a permission that is not
    defined in this module (presumably registered by the workflow
    code elsewhere in the package -- verify).
    """
    grok.name('waeup.WorkflowManager')
    grok.title(u'Workflow Manager')
    grok.permissions('waeup.triggerTransition')
132
class PaymentsOfficer(grok.Role):
    """Site role ``waeup.PaymentsOfficer``: read-only payment access."""
    grok.name('waeup.PaymentsOfficer')
    grok.title(u'Payments Officer (view only)')
    grok.permissions('waeup.viewPayments')
137
class PaymentsManager(grok.Role):
    """Site role ``waeup.PaymentsManager``: view and manage payments."""
    grok.name('waeup.PaymentsManager')
    grok.title(u'Payments Manager')
    grok.permissions('waeup.viewPayments',
                     'waeup.managePayments')
143
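class PortalManager(grok.Role):
    """Site role ``waeup.PortalManager``.

    Carries the widest permission set defined in this module, so it
    should be assigned sparingly. Several of the ids listed here
    (documents, reports, jobs, customers, contracts, transitions) are
    not defined in this module and are presumably registered by other
    modules of the package.

    Permission ids passed to ``grok.permissions`` must match the
    registered ids exactly, i.e. including the ``waeup.`` prefix; a
    bare ``'managePayments'`` would not match the
    ``waeup.managePayments`` permission defined above.
    """
    grok.name('waeup.PortalManager')
    grok.title(u'Portal Manager')
    grok.permissions('waeup.managePortal',
                     'waeup.manageUsers',
                     'waeup.viewProducts', 'waeup.manageProducts',
                     'waeup.viewDocuments', 'waeup.manageDocuments',
                     'waeup.manageDataCenter',
                     'waeup.importData',
                     'waeup.exportData',
                     'waeup.managePortalConfiguration',
                     'waeup.editUser',
                     'waeup.manageReports',
                     'waeup.manageJobs',
                     'waeup.viewCustomer', 'waeup.viewCustomers',
                     'waeup.manageCustomer', 'waeup.viewCustomersContainer',
                     'waeup.editCustomerDocuments',
                     'waeup.triggerTransition',
                     'waeup.viewCustomersTab',
                     'waeup.editContracts',
                     # Prefixed like every other id; paired with the
                     # view permission as for products above.
                     'waeup.viewPayments', 'waeup.managePayments',
                     )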
166
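class CCOfficer(grok.Role):
    """This is basically a copy of the PortalManager class. We exclude some
    'dangerous' permissions by commenting them out.

    ``grok.baseclass()`` keeps this class from being registered as a
    role on its own; a subclass has to be defined to make the role
    available.

    Permission ids must carry the ``waeup.`` prefix to match the
    registered permissions, so the payments ids below are spelled
    ``waeup.viewPayments``/``waeup.managePayments`` like the
    permissions defined at the top of this module.
    """
    grok.baseclass()
    grok.name('waeup.CCOfficer')
    grok.title(u'Computer Center Officer')
    grok.permissions(#'waeup.managePortal',
                     #'waeup.manageUsers',
                     'waeup.viewProducts', 'waeup.manageProducts',
                     'waeup.viewDocuments', 'waeup.manageDocuments',
                     #'waeup.manageACBatches',
                     'waeup.manageDataCenter',
                     #'waeup.importData',
                     'waeup.exportData',
                     'waeup.managePortalConfiguration',
                     #'waeup.editUser',
                     'waeup.manageReports',
                     #'waeup.manageJobs',
                     'waeup.viewCustomer', 'waeup.viewCustomers',
                     'waeup.manageCustomer', 'waeup.viewCustomersContainer',
                     'waeup.editCustomerDocuments',
                     'waeup.triggerTransition',
                     'waeup.viewCustomersTab',
                     'waeup.editContracts',
                     'waeup.viewPayments', 'waeup.managePayments',
                     )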
194
def get_all_roles():
    """Return all registered roles as ``(<ROLE-NAME>, <ROLE>)`` pairs.

    This is a thin wrapper around ``getUtilitiesFor(IRole)``; the
    result is whatever iterable the component registry returns, so
    callers that need a list or a dict should convert it themselves.
    """
    registered_roles = getUtilitiesFor(IRole)
    return registered_roles
199
def get_waeup_roles(also_local=False):
    """Get all Ikoba roles.

    Ikoba roles are ordinary roles whose id by convention starts with
    a ``waeup.`` prefix.

    If `also_local` is ``True`` (``False`` by default), also local
    roles are returned. Local Ikoba roles are such whose id starts
    with ``waeup.local.`` prefix (this is also a convention).

    Returns a generator of the found roles (the role objects, not
    their ids).
    """
    ikoba_prefix = 'waeup.'
    local_prefix = 'waeup.local.'
    for role_id, role in get_all_roles():
        is_ikoba_role = role_id.startswith(ikoba_prefix)
        is_local_role = role_id.startswith(local_prefix)
        # Non-Ikoba roles are never returned; local ones only on request.
        if is_ikoba_role and (also_local or not is_local_role):
            yield role
220
def get_waeup_role_names():
    """Get the ids of all Ikoba roles.

    See :func:`get_waeup_roles` for what an 'IkobaRole' is. Local
    roles are not included, as :func:`get_waeup_roles` is called with
    its default ``also_local=False``.

    This function returns a sorted list of Ikoba role names.
    """
    role_names = [role.id for role in get_waeup_roles()]
    role_names.sort()
    return role_names
229
class LocalRolesAssignable(grok.Adapter):
    """Default implementation for `ILocalRolesAssignable`.

    This adapter returns a list of dictionaries for objects for which
    we want to know the roles assignable to them locally.

    The returned dicts contain a ``name`` and a ``title`` entry which
    give a role (``name``) and a description, for which kind of users
    the permission is meant to be used (``title``).

    Having this adapter registered we make sure, that for each normal
    object we get a valid `ILocalRolesAssignable` adapter.

    Objects that want to offer certain local roles, can do so by
    setting a (preferably class-) attribute ``local_roles`` to a list
    of role ids. Ids in that list that are not registered as roles
    are silently dropped, so only registered roles ever become
    assignable.

    You can also define different adapters for different contexts to
    have different role lookup mechanisms become available. But in
    normal cases it should be sufficient to use this basic adapter.
    """
    grok.context(Interface)
    grok.provides(ILocalRolesAssignable)

    # Fallback when the context carries no `local_roles` attribute:
    # nothing is assignable. Rebound per instance in __init__.
    _roles = []

    def __init__(self, context):
        self.context = context
        wanted_ids = getattr(context, 'local_roles', self._roles)
        # Keep only registered roles whose id the context asked for.
        self._roles = [
            (role_id, role) for role_id, role in get_all_roles()
            if role_id in wanted_ids]

    def __call__(self):
        """Get a list of dictionaries containing ``names`` (the roles to
        assign) and ``titles`` (some description of the type of user
        to assign each role to), sorted by role name.
        """
        entries = []
        for role_id, role in self._roles:
            entries.append({
                'name': role_id,
                'title': role.title,
                'description': role.description,
            })
        entries.sort(key=lambda entry: entry['name'])
        return entries
273
def get_all_users():
    """Yield one dict per user in the site's ``users`` container.

    Each dict has a ``name`` key (the container key of the user) and a
    ``val`` key (the user object). Users are ordered by the ``title``
    attribute of the user object.
    """
    user_container = grok.getSite()['users']
    by_title = sorted(user_container.items(), key=lambda item: item[1].title)
    for user_id, user in by_title:
        yield {'name': user_id, 'val': user}
280
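def get_users_with_local_roles(context):
    """Yield dicts representing the local roles set for `context`.

    Each dict carries `user_name`, `user_title`, `local_role`,
    `local_role_title`, and `setting` for each entry in the local
    roles map of the `context` object. Entries are yielded whatever
    their `setting` is (the map may hold deny entries as well as
    grants), so callers must inspect `setting` rather than treat every
    entry as a grant. If `context` cannot be adapted to
    `IPrincipalRoleMap`, nothing is yielded.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No map, no roles. A plain `return` ends the generator;
        # `raise StopIteration` inside a generator body is turned into
        # a RuntimeError by PEP 479 (Python 3.7+).
        return
    # The role registry does not change per entry, so look it up once.
    roles_by_id = dict(get_all_roles())
    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
        # Principals without a user object (e.g. removed users) keep
        # their id as title.
        user = grok.getSite()['users'].get(user_name)
        user_title = getattr(user, 'title', user_name)
        local_role_title = getattr(roles_by_id.get(local_role), 'title', None)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   local_role=local_role,
                   local_role_title=local_role_title,
                   setting=setting)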
303
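def get_users_with_role(role, context):
    """Yield dicts representing the users who have been granted
    `role` for `context`.

    Each dict carries `user_name`, `user_title`, `user_email` and
    `setting`. As with :func:`get_users_with_local_roles`, entries
    are yielded regardless of their `setting`, so callers must check
    it. If `context` cannot be adapted to `IPrincipalRoleMap`,
    nothing is yielded.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No map, no roles. A plain `return` ends the generator;
        # `raise StopIteration` inside a generator body is turned into
        # a RuntimeError by PEP 479 (Python 3.7+).
        return
    for user_name, setting in role_map.getPrincipalsForRole(role):
        # Principals without a user object keep their id as title and
        # get no email.
        user = grok.getSite()['users'].get(user_name)
        user_title = getattr(user, 'title', user_name)
        user_email = getattr(user, 'email', None)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   user_email=user_email,
                   setting=setting)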