source: main/waeup.kofa/branches/henrik-regista/src/waeup/ikoba/permissions.py @ 11949

Last change on this file since 11949 was 11949, checked in by Henrik Bettermann, 10 years ago

Change of name.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 10.2 KB
Line 
1## $Id: permissions.py 11949 2014-11-13 14:40:27Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.ikoba.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
35
36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
39    grok.name('waeup.Anonymous')
40
41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
45
46class ViewProductsPermission(grok.Permission):
47    grok.name('waeup.viewProducts')
48
49class ManageProductsPermission(grok.Permission):
50    grok.name('waeup.manageProducts')
51
52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
57
58class EditUser(grok.Permission):
59    grok.name('waeup.editUser')
60
61class ManageDataCenter(grok.Permission):
62    grok.name('waeup.manageDataCenter')
63
64class ImportData(grok.Permission):
65    grok.name('waeup.importData')
66
67class ExportData(grok.Permission):
68    grok.name('waeup.exportData')
69
70class ExportPaymentsOverview(grok.Permission):
71    grok.name('waeup.exportPaymentsOverview')
72
73class ExportBursaryData(grok.Permission):
74    grok.name('waeup.exportBursaryData')
75
76class ViewTranscript(grok.Permission):
77    grok.name('waeup.viewTranscript')
78
79class ManagePortalConfiguration(grok.Permission):
80    grok.name('waeup.managePortalConfiguration')
81
82class ManageACBatches(grok.Permission):
83    grok.name('waeup.manageACBatches')
84
85class PutBiometricDataPermission(grok.Permission):
86    """Permission to upload/change biometric data.
87    """
88    grok.name('waeup.putBiometricData')
89
90class GetBiometricDataPermission(grok.Permission):
91    """Permission to read biometric data.
92    """
93    grok.name('waeup.getBiometricData')
94
95
96# Local Roles
97
98class Owner(grok.Role):
99    grok.name('waeup.local.Owner')
100    grok.title(u'Owner')
101    grok.permissions('waeup.editUser')
102
103# Site Roles
104class ProductsOfficer(grok.Role):
105    grok.name('waeup.ProductsOfficer')
106    grok.title(u'Products Officer (view only)')
107    grok.permissions('waeup.viewProducts')
108
109class ProductssManager(grok.Role):
110    grok.name('waeup.ProductsManager')
111    grok.title(u'Products Manager')
112    grok.permissions('waeup.viewProducts',
113                     'waeup.manageProducts')
114
115class DataCenterManager(grok.Role):
116    grok.name('waeup.DataCenterManager')
117    grok.title(u'Datacenter Manager')
118    grok.permissions('waeup.manageDataCenter')
119
120class ImportManager(grok.Role):
121    grok.name('waeup.ImportManager')
122    grok.title(u'Import Manager')
123    grok.permissions('waeup.manageDataCenter',
124                     'waeup.importData')
125
126class ExportManager(grok.Role):
127    grok.name('waeup.ExportManager')
128    grok.title(u'Export Manager')
129    grok.permissions('waeup.manageDataCenter',
130                     'waeup.exportData')
131
132class UsersManager(grok.Role):
133    grok.name('waeup.UsersManager')
134    grok.title(u'Users Manager')
135    grok.permissions('waeup.manageUsers',
136                     'waeup.editUser')
137
138class WorkflowManager(grok.Role):
139    grok.name('waeup.WorkflowManager')
140    grok.title(u'Workflow Manager')
141    grok.permissions('waeup.triggerTransition')
142
143class PortalManager(grok.Role):
144    grok.name('waeup.PortalManager')
145    grok.title(u'Portal Manager')
146    grok.permissions('waeup.managePortal',
147                     'waeup.manageUsers',
148                     'waeup.viewProducts', 'waeup.manageProducts',
149                     'waeup.manageACBatches',
150                     'waeup.manageDataCenter',
151                     'waeup.importData',
152                     'waeup.exportData',
153                     'waeup.viewTranscript',
154                     'waeup.managePortalConfiguration',
155                     'waeup.editUser',
156                     'waeup.manageReports',
157                     'waeup.manageJobs',
158                     )
159
160class CCOfficer(grok.Role):
161    """This is basically a copy of the the PortalManager class. We exclude some
162    'dangerous' permissions by commenting them out.
163    """
164    grok.baseclass()
165    grok.name('waeup.CCOfficer')
166    grok.title(u'Computer Center Officer')
167    grok.permissions(#'waeup.managePortal',
168                     #'waeup.manageUsers',
169                     'waeup.viewProducts', 'waeup.manageProducts',
170                     #'waeup.manageACBatches',
171                     'waeup.manageDataCenter',
172                     #'waeup.importData',
173                     'waeup.exportData',
174                     'waeup.viewTranscript',
175                     'waeup.managePortalConfiguration',
176                     #'waeup.editUser',
177                     'waeup.manageReports',
178                     #'waeup.manageJobs',
179                     )
180
181def get_all_roles():
182    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
183    """
184    return getUtilitiesFor(IRole)
185
186def get_waeup_roles(also_local=False):
187    """Get all Ikoba roles.
188
189    Ikoba roles are ordinary roles whose id by convention starts with
190    a ``waeup.`` prefix.
191
192    If `also_local` is ``True`` (``False`` by default), also local
193    roles are returned. Local Ikoba roles are such whose id starts
194    with ``waeup.local.`` prefix (this is also a convention).
195
196    Returns a generator of the found roles.
197    """
198    for name, item in get_all_roles():
199        if not name.startswith('waeup.'):
200            # Ignore non-Ikoba roles...
201            continue
202        if not also_local and name.startswith('waeup.local.'):
203            # Ignore local roles...
204            continue
205        yield item
206
207def get_waeup_role_names():
208    """Get the ids of all Ikoba roles.
209
210    See :func:`get_waeup_roles` for what a 'IkobaRole' is.
211
212    This function returns a sorted list of Ikoba role names.
213    """
214    return sorted([x.id for x in get_waeup_roles()])
215
216class LocalRolesAssignable(grok.Adapter):
217    """Default implementation for `ILocalRolesAssignable`.
218
219    This adapter returns a list for dictionaries for objects for which
220    we want to know the roles assignable to them locally.
221
222    The returned dicts contain a ``name`` and a ``title`` entry which
223    give a role (``name``) and a description, for which kind of users
224    the permission is meant to be used (``title``).
225
226    Having this adapter registered we make sure, that for each normal
227    object we get a valid `ILocalRolesAssignable` adapter.
228
229    Objects that want to offer certain local roles, can do so by
230    setting a (preferably class-) attribute to a list of role ids.
231
232    You can also define different adapters for different contexts to
233    have different role lookup mechanisms become available. But in
234    normal cases it should be sufficient to use this basic adapter.
235    """
236    grok.context(Interface)
237    grok.provides(ILocalRolesAssignable)
238
239    _roles = []
240
241    def __init__(self, context):
242        self.context = context
243        role_ids = getattr(context, 'local_roles', self._roles)
244        self._roles = [(name, role) for name, role in get_all_roles()
245                       if name in role_ids]
246        return
247
248    def __call__(self):
249        """Get a list of dictionaries containing ``names`` (the roles to
250        assign) and ``titles`` (some description of the type of user
251        to assign each role to).
252        """
253        list_of_dict = [dict(
254                name=name,
255                title=role.title,
256                description=role.description)
257                for name, role in self._roles]
258        return sorted(list_of_dict, key=lambda x: x['name'])
259
260def get_all_users():
261    """Get a list of dictionaries.
262    """
263    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
264    for key, val in users:
265        yield(dict(name=key, val=val))
266
267def get_users_with_local_roles(context):
268    """Get a list of dicts representing the local roles set for `context`.
269
270    Each dict returns `user_name`, `user_title`, `local_role`,
271    `local_role_title`, and `setting` for each entry in the local
272    roles map of the `context` object.
273    """
274    try:
275        role_map = IPrincipalRoleMap(context)
276    except TypeError:
277        # no map no roles.
278        raise StopIteration
279    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
280        user = grok.getSite()['users'].get(user_name,None)
281        user_title = getattr(user, 'title', user_name)
282        local_role_title = getattr(
283            dict(get_all_roles()).get(local_role, None), 'title', None)
284        yield dict(user_name = user_name,
285                   user_title = user_title,
286                   local_role = local_role,
287                   local_role_title = local_role_title,
288                   setting = setting)
289
290def get_users_with_role(role, context):
291    """Get a list of dicts representing the usres who have been granted
292    a role for `context`.
293    """
294    try:
295        role_map = IPrincipalRoleMap(context)
296    except TypeError:
297        # no map no roles.
298        raise StopIteration
299    for user_name, setting in role_map.getPrincipalsForRole(role):
300        user = grok.getSite()['users'].get(user_name,None)
301        user_title = getattr(user, 'title', user_name)
302        user_email = getattr(user, 'email', None)
303        yield dict(user_name = user_name,
304                   user_title = user_title,
305                   user_email = user_email,
306                   setting = setting)
Note: See TracBrowser for help on using the repository browser.