source: main/waeup.ikoba/trunk/src/waeup/ikoba/permissions.py @ 17952

Last change on this file since 17952 was 12838, checked in by Henrik Bettermann, 10 years ago

Fix documentation. Remove all Sphinx warning messages.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 11.0 KB
Line 
1## $Id: permissions.py 12838 2015-03-31 17:31:34Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.ikoba.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    """
31    grok.name('waeup.Public')
32
33class Anonymous(grok.Permission):
34    """Only-anonymous-can-do-this-permission.
35
36    """
37    grok.name('waeup.Anonymous')
38
39class Authenticated(grok.Permission):
40    """Only-logged-in-users-can-do-this-permission.
41    """
42    grok.name('waeup.Authenticated')
43
44class ViewProducts(grok.Permission):
45    grok.name('waeup.viewProducts')
46
47class ManageProducts(grok.Permission):
48    grok.name('waeup.manageProducts')
49
50class ManagePortal(grok.Permission):
51    grok.name('waeup.managePortal')
52
53class ManageUsers(grok.Permission):
54    grok.name('waeup.manageUsers')
55
56class EditUser(grok.Permission):
57    grok.name('waeup.editUser')
58
59class ManageDataCenter(grok.Permission):
60    grok.name('waeup.manageDataCenter')
61
62class ImportData(grok.Permission):
63    grok.name('waeup.importData')
64
65class ExportData(grok.Permission):
66    grok.name('waeup.exportData')
67
68class ManagePortalConfiguration(grok.Permission):
69    grok.name('waeup.managePortalConfiguration')
70
71class ViewPayments(grok.Permission):
72    grok.name('waeup.viewPayments')
73
74class ManagePayments(grok.Permission):
75    grok.name('waeup.managePayments')
76
77# Local Roles
78
79class Owner(grok.Role):
80    grok.name('waeup.local.Owner')
81    grok.title(u'Owner')
82    grok.permissions('waeup.editUser')
83
84class ProductManager(grok.Role):
85    grok.name('waeup.local.ProductManager')
86    grok.title(u'Product Manager')
87    grok.permissions('waeup.manageProducts',
88                     'waeup.viewProducts',
89                     'waeup.exportData')
90
91# Site Roles
92class ProductsOfficer(grok.Role):
93    grok.name('waeup.ProductsOfficer')
94    grok.title(u'Products Officer (view only)')
95    grok.permissions('waeup.viewProducts')
96
97class ProductsManager(grok.Role):
98    grok.name('waeup.ProductsManager')
99    grok.title(u'Products Manager')
100    grok.permissions('waeup.viewProducts',
101                     'waeup.manageProducts')
102
103class DataCenterManager(grok.Role):
104    grok.name('waeup.DataCenterManager')
105    grok.title(u'Datacenter Manager')
106    grok.permissions('waeup.manageDataCenter')
107
108class ImportManager(grok.Role):
109    grok.name('waeup.ImportManager')
110    grok.title(u'Import Manager')
111    grok.permissions('waeup.manageDataCenter',
112                     'waeup.importData')
113
114class ExportManager(grok.Role):
115    grok.name('waeup.ExportManager')
116    grok.title(u'Export Manager')
117    grok.permissions('waeup.manageDataCenter',
118                     'waeup.exportData')
119
120class UsersManager(grok.Role):
121    grok.name('waeup.UsersManager')
122    grok.title(u'Users Manager')
123    grok.permissions('waeup.manageUsers',
124                     'waeup.editUser')
125
126class WorkflowManager(grok.Role):
127    grok.name('waeup.WorkflowManager')
128    grok.title(u'Workflow Manager')
129    grok.permissions('waeup.triggerTransition')
130
131class PaymentsOfficer(grok.Role):
132    grok.name('waeup.PaymentsOfficer')
133    grok.title(u'Payments Officer (view only)')
134    grok.permissions('waeup.viewPayments')
135
136class PaymentsManager(grok.Role):
137    grok.name('waeup.PaymentsManager')
138    grok.title(u'Payments Manager')
139    grok.permissions('waeup.viewPayments',
140                     'waeup.managePayments')
141
142class PortalManager(grok.Role):
143    grok.name('waeup.PortalManager')
144    grok.title(u'Portal Manager')
145    grok.permissions('waeup.managePortal',
146                     'waeup.manageUsers',
147                     'waeup.viewProducts', 'waeup.manageProducts',
148                     'waeup.viewDocuments', 'waeup.manageDocuments',
149                     'waeup.manageDataCenter',
150                     'waeup.importData',
151                     'waeup.exportData',
152                     'waeup.managePortalConfiguration',
153                     'waeup.editUser',
154                     'waeup.manageReports',
155                     'waeup.manageJobs',
156                     'waeup.viewCustomer', 'waeup.viewCustomers',
157                     'waeup.manageCustomer', 'waeup.viewCustomersContainer',
158                     'waeup.editCustomerDocuments',
159                     'waeup.triggerTransition',
160                     'waeup.viewCustomersTab',
161                     'waeup.editContracts',
162                     'waeup.viewPayments', 'waeup.managePayments',
163                     )
164
165class CCOfficer(grok.Role):
166    """This is basically a copy of the the PortalManager class. We exclude some
167    'dangerous' permissions by commenting them out.
168    """
169    grok.baseclass()
170    grok.name('waeup.CCOfficer')
171    grok.title(u'Computer Center Officer')
172    grok.permissions(#'waeup.managePortal',
173                     #'waeup.manageUsers',
174                     'waeup.viewProducts', 'waeup.manageProducts',
175                     'waeup.viewDocuments', 'waeup.manageDocuments',
176                     #'waeup.manageACBatches',
177                     'waeup.manageDataCenter',
178                     #'waeup.importData',
179                     'waeup.exportData',
180                     'waeup.managePortalConfiguration',
181                     #'waeup.editUser',
182                     'waeup.manageReports',
183                     #'waeup.manageJobs',
184                     'waeup.viewCustomer', 'waeup.viewCustomers',
185                     'waeup.manageCustomer', 'waeup.viewCustomersContainer',
186                     'waeup.editCustomerDocuments',
187                     'waeup.triggerTransition',
188                     'waeup.viewCustomersTab',
189                     'waeup.editContracts',
190                     'waeup.viewPayments', 'waeup.managePayments',
191                     )
192
193def get_all_roles():
194    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
195    """
196    return getUtilitiesFor(IRole)
197
198def get_waeup_roles(also_local=False):
199    """Get all Ikoba roles.
200
201    Ikoba roles are ordinary roles whose id by convention starts with
202    a ``waeup.`` prefix.
203
204    If `also_local` is ``True`` (``False`` by default), also local
205    roles are returned. Local Ikoba roles are such whose id starts
206    with ``waeup.local.`` prefix (this is also a convention).
207
208    Returns a generator of the found roles.
209    """
210    for name, item in get_all_roles():
211        if not name.startswith('waeup.'):
212            # Ignore non-Ikoba roles...
213            continue
214        if not also_local and name.startswith('waeup.local.'):
215            # Ignore local roles...
216            continue
217        yield item
218
219def get_waeup_role_names():
220    """Get the ids of all Ikoba roles.
221
222    See :func:`get_waeup_roles` for what a 'IkobaRole' is.
223
224    This function returns a sorted list of Ikoba role names.
225    """
226    return sorted([x.id for x in get_waeup_roles()])
227
228class LocalRolesAssignable(grok.Adapter):
229    """Default implementation for `ILocalRolesAssignable`.
230
231    This adapter returns a list for dictionaries for objects for which
232    we want to know the roles assignable to them locally.
233
234    The returned dicts contain a ``name`` and a ``title`` entry which
235    give a role (``name``) and a description, for which kind of users
236    the permission is meant to be used (``title``).
237
238    Having this adapter registered we make sure, that for each normal
239    object we get a valid `ILocalRolesAssignable` adapter.
240
241    Objects that want to offer certain local roles, can do so by
242    setting a (preferably class-) attribute to a list of role ids.
243
244    You can also define different adapters for different contexts to
245    have different role lookup mechanisms become available. But in
246    normal cases it should be sufficient to use this basic adapter.
247    """
248    grok.context(Interface)
249    grok.provides(ILocalRolesAssignable)
250
251    _roles = []
252
253    def __init__(self, context):
254        self.context = context
255        role_ids = getattr(context, 'local_roles', self._roles)
256        self._roles = [(name, role) for name, role in get_all_roles()
257                       if name in role_ids]
258        return
259
260    def __call__(self):
261        """Get a list of dictionaries containing ``names`` (the roles to
262        assign) and ``titles`` (some description of the type of user
263        to assign each role to).
264        """
265        list_of_dict = [dict(
266                name=name,
267                title=role.title,
268                description=role.description)
269                for name, role in self._roles]
270        return sorted(list_of_dict, key=lambda x: x['name'])
271
272def get_all_users():
273    """Get a list of dictionaries.
274    """
275    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
276    for key, val in users:
277        yield(dict(name=key, val=val))
278
279def get_users_with_local_roles(context):
280    """Get a list of dicts representing the local roles set for `context`.
281
282    Each dict returns `user_name`, `user_title`, `local_role`,
283    `local_role_title`, and `setting` for each entry in the local
284    roles map of the `context` object.
285    """
286    try:
287        role_map = IPrincipalRoleMap(context)
288    except TypeError:
289        # no map no roles.
290        raise StopIteration
291    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
292        user = grok.getSite()['users'].get(user_name,None)
293        user_title = getattr(user, 'title', user_name)
294        local_role_title = getattr(
295            dict(get_all_roles()).get(local_role, None), 'title', None)
296        yield dict(user_name = user_name,
297                   user_title = user_title,
298                   local_role = local_role,
299                   local_role_title = local_role_title,
300                   setting = setting)
301
302def get_users_with_role(role, context):
303    """Get a list of dicts representing the usres who have been granted
304    a role for `context`.
305    """
306    try:
307        role_map = IPrincipalRoleMap(context)
308    except TypeError:
309        # no map no roles.
310        raise StopIteration
311    for user_name, setting in role_map.getPrincipalsForRole(role):
312        user = grok.getSite()['users'].get(user_name,None)
313        user_title = getattr(user, 'title', user_name)
314        user_email = getattr(user, 'email', None)
315        yield dict(user_name = user_name,
316                   user_title = user_title,
317                   user_email = user_email,
318                   setting = setting)
Note: See TracBrowser for help on using the repository browser.