source: main/waeup.ikoba/trunk/src/waeup/ikoba/permissions.py @ 12015

Last change on this file since 12015 was 12015, checked in by Henrik Bettermann, 10 years ago

Add first browser components with tests.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 10.8 KB
Line 
1## $Id: permissions.py 12015 2014-11-20 21:39:40Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.ikoba.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
35
36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
39    grok.name('waeup.Anonymous')
40
41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
45
46class ViewProductsPermission(grok.Permission):
47    grok.name('waeup.viewProducts')
48
49class ManageProductsPermission(grok.Permission):
50    grok.name('waeup.manageProducts')
51
52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
57
58class EditUser(grok.Permission):
59    grok.name('waeup.editUser')
60
61class ManageDataCenter(grok.Permission):
62    grok.name('waeup.manageDataCenter')
63
64class ImportData(grok.Permission):
65    grok.name('waeup.importData')
66
67class ExportData(grok.Permission):
68    grok.name('waeup.exportData')
69
70class ExportPaymentsOverview(grok.Permission):
71    grok.name('waeup.exportPaymentsOverview')
72
73class ExportBursaryData(grok.Permission):
74    grok.name('waeup.exportBursaryData')
75
76class ViewTranscript(grok.Permission):
77    grok.name('waeup.viewTranscript')
78
79class ManagePortalConfiguration(grok.Permission):
80    grok.name('waeup.managePortalConfiguration')
81
82class ManageACBatches(grok.Permission):
83    grok.name('waeup.manageACBatches')
84
85class PutBiometricDataPermission(grok.Permission):
86    """Permission to upload/change biometric data.
87    """
88    grok.name('waeup.putBiometricData')
89
90class GetBiometricDataPermission(grok.Permission):
91    """Permission to read biometric data.
92    """
93    grok.name('waeup.getBiometricData')
94
95
96# Local Roles
97
98class Owner(grok.Role):
99    grok.name('waeup.local.Owner')
100    grok.title(u'Owner')
101    grok.permissions('waeup.editUser')
102
103# Site Roles
104class ProductsOfficer(grok.Role):
105    grok.name('waeup.ProductsOfficer')
106    grok.title(u'Products Officer (view only)')
107    grok.permissions('waeup.viewProducts')
108
109class ProductssManager(grok.Role):
110    grok.name('waeup.ProductsManager')
111    grok.title(u'Products Manager')
112    grok.permissions('waeup.viewProducts',
113                     'waeup.manageProducts')
114
115class DataCenterManager(grok.Role):
116    grok.name('waeup.DataCenterManager')
117    grok.title(u'Datacenter Manager')
118    grok.permissions('waeup.manageDataCenter')
119
120class ImportManager(grok.Role):
121    grok.name('waeup.ImportManager')
122    grok.title(u'Import Manager')
123    grok.permissions('waeup.manageDataCenter',
124                     'waeup.importData')
125
126class ExportManager(grok.Role):
127    grok.name('waeup.ExportManager')
128    grok.title(u'Export Manager')
129    grok.permissions('waeup.manageDataCenter',
130                     'waeup.exportData')
131
132class UsersManager(grok.Role):
133    grok.name('waeup.UsersManager')
134    grok.title(u'Users Manager')
135    grok.permissions('waeup.manageUsers',
136                     'waeup.editUser')
137
138class WorkflowManager(grok.Role):
139    grok.name('waeup.WorkflowManager')
140    grok.title(u'Workflow Manager')
141    grok.permissions('waeup.triggerTransition')
142
143class PortalManager(grok.Role):
144    grok.name('waeup.PortalManager')
145    grok.title(u'Portal Manager')
146    grok.permissions('waeup.managePortal',
147                     'waeup.manageUsers',
148                     'waeup.viewProducts', 'waeup.manageProducts',
149                     'waeup.manageACBatches',
150                     'waeup.manageDataCenter',
151                     'waeup.importData',
152                     'waeup.exportData',
153                     'waeup.managePortalConfiguration',
154                     'waeup.editUser',
155                     'waeup.manageReports',
156                     'waeup.manageJobs',
157                     'waeup.viewCustomer', 'waeup.viewCustomers',
158                     'waeup.manageCustomer', 'waeup.viewCustomersContainer',
159                     'waeup.editCustomerDocuments', 'waeup.uploadCustomerFile',
160                     'waeup.triggerTransition',
161                     'waeup.viewCustomersTab'
162                     )
163
164class CCOfficer(grok.Role):
165    """This is basically a copy of the the PortalManager class. We exclude some
166    'dangerous' permissions by commenting them out.
167    """
168    grok.baseclass()
169    grok.name('waeup.CCOfficer')
170    grok.title(u'Computer Center Officer')
171    grok.permissions(#'waeup.managePortal',
172                     #'waeup.manageUsers',
173                     'waeup.viewProducts', 'waeup.manageProducts',
174                     #'waeup.manageACBatches',
175                     'waeup.manageDataCenter',
176                     #'waeup.importData',
177                     'waeup.exportData',
178                     'waeup.managePortalConfiguration',
179                     #'waeup.editUser',
180                     'waeup.manageReports',
181                     #'waeup.manageJobs',
182                     'waeup.viewCustomer', 'waeup.viewCustomers',
183                     'waeup.manageCustomer', 'waeup.viewCustomersContainer',
184                     'waeup.editCustomerDocuments', 'waeup.uploadCustomerFile',
185                     'waeup.triggerTransition',
186                     'waeup.viewCustomersTab'
187                     )
188
189def get_all_roles():
190    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
191    """
192    return getUtilitiesFor(IRole)
193
194def get_waeup_roles(also_local=False):
195    """Get all Ikoba roles.
196
197    Ikoba roles are ordinary roles whose id by convention starts with
198    a ``waeup.`` prefix.
199
200    If `also_local` is ``True`` (``False`` by default), also local
201    roles are returned. Local Ikoba roles are such whose id starts
202    with ``waeup.local.`` prefix (this is also a convention).
203
204    Returns a generator of the found roles.
205    """
206    for name, item in get_all_roles():
207        if not name.startswith('waeup.'):
208            # Ignore non-Ikoba roles...
209            continue
210        if not also_local and name.startswith('waeup.local.'):
211            # Ignore local roles...
212            continue
213        yield item
214
215def get_waeup_role_names():
216    """Get the ids of all Ikoba roles.
217
218    See :func:`get_waeup_roles` for what a 'IkobaRole' is.
219
220    This function returns a sorted list of Ikoba role names.
221    """
222    return sorted([x.id for x in get_waeup_roles()])
223
224class LocalRolesAssignable(grok.Adapter):
225    """Default implementation for `ILocalRolesAssignable`.
226
227    This adapter returns a list for dictionaries for objects for which
228    we want to know the roles assignable to them locally.
229
230    The returned dicts contain a ``name`` and a ``title`` entry which
231    give a role (``name``) and a description, for which kind of users
232    the permission is meant to be used (``title``).
233
234    Having this adapter registered we make sure, that for each normal
235    object we get a valid `ILocalRolesAssignable` adapter.
236
237    Objects that want to offer certain local roles, can do so by
238    setting a (preferably class-) attribute to a list of role ids.
239
240    You can also define different adapters for different contexts to
241    have different role lookup mechanisms become available. But in
242    normal cases it should be sufficient to use this basic adapter.
243    """
244    grok.context(Interface)
245    grok.provides(ILocalRolesAssignable)
246
247    _roles = []
248
249    def __init__(self, context):
250        self.context = context
251        role_ids = getattr(context, 'local_roles', self._roles)
252        self._roles = [(name, role) for name, role in get_all_roles()
253                       if name in role_ids]
254        return
255
256    def __call__(self):
257        """Get a list of dictionaries containing ``names`` (the roles to
258        assign) and ``titles`` (some description of the type of user
259        to assign each role to).
260        """
261        list_of_dict = [dict(
262                name=name,
263                title=role.title,
264                description=role.description)
265                for name, role in self._roles]
266        return sorted(list_of_dict, key=lambda x: x['name'])
267
268def get_all_users():
269    """Get a list of dictionaries.
270    """
271    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
272    for key, val in users:
273        yield(dict(name=key, val=val))
274
275def get_users_with_local_roles(context):
276    """Get a list of dicts representing the local roles set for `context`.
277
278    Each dict returns `user_name`, `user_title`, `local_role`,
279    `local_role_title`, and `setting` for each entry in the local
280    roles map of the `context` object.
281    """
282    try:
283        role_map = IPrincipalRoleMap(context)
284    except TypeError:
285        # no map no roles.
286        raise StopIteration
287    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
288        user = grok.getSite()['users'].get(user_name,None)
289        user_title = getattr(user, 'title', user_name)
290        local_role_title = getattr(
291            dict(get_all_roles()).get(local_role, None), 'title', None)
292        yield dict(user_name = user_name,
293                   user_title = user_title,
294                   local_role = local_role,
295                   local_role_title = local_role_title,
296                   setting = setting)
297
298def get_users_with_role(role, context):
299    """Get a list of dicts representing the usres who have been granted
300    a role for `context`.
301    """
302    try:
303        role_map = IPrincipalRoleMap(context)
304    except TypeError:
305        # no map no roles.
306        raise StopIteration
307    for user_name, setting in role_map.getPrincipalsForRole(role):
308        user = grok.getSite()['users'].get(user_name,None)
309        user_title = getattr(user, 'title', user_name)
310        user_email = getattr(user, 'email', None)
311        yield dict(user_name = user_name,
312                   user_title = user_title,
313                   user_email = user_email,
314                   setting = setting)
Note: See TracBrowser for help on using the repository browser.