source: main/waeup.kofa/branches/henrik-transcript-workflow/src/waeup/kofa/permissions.py @ 17269

Last change on this file since 17269 was 15155, checked in by Henrik Bettermann, 6 years ago

Reorganise interfaces.

Transcript processing views and viewlets are now in the context of studycourses. Officers can now validate, sign and release transcripts directly on the transcript page.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 27.5 KB
RevLine 
[14603]1# $Id: permissions.py 15155 2018-09-20 07:04:17Z henrik $
2#
3# Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4# This program is free software; you can redistribute it and/or modify
5# it under the terms of the GNU General Public License as published by
6# the Free Software Foundation; either version 2 of the License, or
7# (at your option) any later version.
8#
9# This program is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12# GNU General Public License for more details.
13#
14# You should have received a copy of the GNU General Public License
15# along with this program; if not, write to the Free Software
16# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17#
[3521]18import grok
[6157]19from zope.component import getUtilitiesFor
[6144]20from zope.interface import Interface
[6163]21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
[7811]22from waeup.kofa.interfaces import ILocalRolesAssignable
[3521]23
[14603]24
[4789]25class Public(grok.Permission):
[12844]26    """The Public or everyone-can-do-this-permission is being applied
27    to views/pages that are used by everyone.
[4789]28    """
29    grok.name('waeup.Public')
[6142]30
[14603]31
[5433]32class Anonymous(grok.Permission):
[12843]33    """The Anonymous permission is applied to
[12844]34    views/pages which are dedicated to anonymous users only.
35    Logged-in users can't access these views.
[5433]36    """
[6142]37    grok.name('waeup.Anonymous')
[4789]38
[14603]39
[7184]40class Authenticated(grok.Permission):
[12843]41    """The Authenticated permission is applied to pages
[12835]42    which can only be used by logged-in users and not by anonymous users.
[7184]43    """
44    grok.name('waeup.Authenticated')
[4789]45
[14603]46
[12835]47class ViewAcademics(grok.Permission):
[12843]48    """The ViewAcademics permission is applied to all
[12835]49    views of the Academic Section. Users with this permission can view but
50    not edit content in the Academic Section.
51    """
[7184]52    grok.name('waeup.viewAcademics')
53
[14603]54
[12835]55class ManageAcademics(grok.Permission):
[12844]56    """The ManageAcademics permission is applied to all edit/manage
[12835]57    pages in the Academic Section. Users who have this permission
58    can change/edit context objects.
59    """
[8367]60    grok.name('waeup.manageAcademics')
[4789]61
[14603]62
[8367]63class ManagePortal(grok.Permission):
[12843]64    """The ManagePortal permission is used for very few pages
[14603]65    (e.g. the DatacenterSettings page). Only PortalManagers have this
[12844]66    permission. It is furthermore used to control delete methods of container
[12843]67    pages in the Academic Section. The ManageAcademics permission,
[12835]68    described above, does enable users to edit content but not to
69    remove sub-containers, like faculties, departments or certificates.
[12843]70    Users must have the ManagePortal permission too to remove
[12835]71    entire containers.
72    """
[8367]73    grok.name('waeup.managePortal')
74
[14603]75
[4789]76class ManageUsers(grok.Permission):
[12843]77    """The ManageUsers permission is a real superuser permission
[12835]78    and therefore very 'dangerous'. It allows to add, remove or edit
79    user accounts. Editing a user account includes the option to assign
80    or remove roles. That means that a user with this permission can lock out
[14603]81    other users by either removing their account or by removing
[12844]82    permissions.
[12835]83    """
[4789]84    grok.name('waeup.manageUsers')
[6142]85
[14603]86
[7205]87class ShowStudents(grok.Permission):
[12843]88    """Users with this permission do not neccessarily see the 'Students' tab
89    but they can search for students at department, certificate or course
90    level. If they additionally have the ExportData permission they can
91    export the data as csv files.
[12835]92
[12844]93    Bursary or Department Officers don't have the ExportData
[12835]94    permission (see Roles section) and are only allowed to export bursary
95    or payments overview data respectively.
96    """
[7205]97    grok.name('waeup.showStudents')
98
[14603]99
[11862]100class ClearAllStudents(grok.Permission):
[12843]101    """The ClearAllStudents permission allows to clear all students
[12844]102    in a department at one sweep.
[12835]103    """
[11862]104    grok.name('waeup.clearAllStudents')
105
[14603]106
[10632]107class EditScores(grok.Permission):
[12843]108    """The EditScores permission allows to edit scores in course tickets.
[12835]109    """
[10632]110    grok.name('waeup.editScores')
111
[14603]112
[12843]113class TriggerTransition(grok.Permission):
114    """The TriggerTransition permission allows to trigger workflow transitions
115    of student and document objects.
116    """
117    grok.name('waeup.triggerTransition')
118
[14603]119
[7163]120class EditUser(grok.Permission):
[12843]121    """The EditUser permission is required for editing
[12835]122    single user accounts.
123    """
[7163]124    grok.name('waeup.editUser')
125
[14603]126
[6127]127class ManageDataCenter(grok.Permission):
[12843]128    """The ManageDataCenter permission allows to access all pages
[12844]129    in the Data Center and to upload files. It does not automatically
[12847]130    allow to process uploaded data files.
[12835]131    """
[6127]132    grok.name('waeup.manageDataCenter')
[6142]133
[14603]134
[8367]135class ImportData(grok.Permission):
[14603]136    """The ImportData permission allows to batch process (import) any kind of
[12847]137    portal data except for user data. The User Data processor
[12844]138    requires also the ManageUsers permission.
[12835]139    """
[8367]140    grok.name('waeup.importData')
141
[14603]142
[10177]143class ExportData(grok.Permission):
[12844]144    """The ExportData permission allows to export any kind of portal data.
[12835]145    """
[10177]146    grok.name('waeup.exportData')
147
[14603]148
[10279]149class ExportPaymentsOverview(grok.Permission):
150    grok.name('waeup.exportPaymentsOverview')
151
[14603]152
[10279]153class ExportBursaryData(grok.Permission):
154    grok.name('waeup.exportBursaryData')
155
[14603]156
[6907]157class ManagePortalConfiguration(grok.Permission):
[12843]158    """The ManagePortalConfiguration permission allows to
[12835]159    edit global and sessional portal configuration data.
160    """
[6907]161    grok.name('waeup.managePortalConfiguration')
[6155]162
[14603]163
[7181]164class ManageACBatches(grok.Permission):
[12843]165    """The ManageACBatches permission allows to view and
[12835]166    manage accesscodes.
167    """
[7181]168    grok.name('waeup.manageACBatches')
169
[14603]170
[11673]171class PutBiometricDataPermission(grok.Permission):
[12835]172    """This permission allows to upload/change biometric data.
[11673]173    """
174    grok.name('waeup.putBiometricData')
175
[14603]176
[11665]177class GetBiometricDataPermission(grok.Permission):
[12835]178    """This permission allows to read biometric data.
[11665]179    """
180    grok.name('waeup.getBiometricData')
181
182
[6125]183# Local Roles
[12847]184
[10226]185class ApplicationsManager(grok.Role):
[13570]186    """The local ApplicationsManager role can be assigned at applicants
[14603]187    container and at department level. At department level an Applications
188    Manager can manage all applicants which desire to study a programme
[13570]189    offered by the department (1st Choice Course of Study).
190
[14603]191    At container level (local) Applications Managers gain permissions which
192    allow to manage the container and all applicants inside the container.  At
193    container level the permission set of this local role corresonds with the
194    permission set of the same-named global role.
[12843]195    """
[10226]196    grok.name('waeup.local.ApplicationsManager')
197    grok.title(u'Applications Manager')
[13570]198    grok.permissions('waeup.viewAcademics',
199                     'waeup.manageApplication', 'waeup.viewApplication',
200                     'waeup.payApplicant')
[10226]201
[14603]202
[14992]203class DepartmentOfficer(grok.Role):
204    """The local DepartmentOfficer role can be assigned at faculty or
205    department level. The role allows to list all student data within the
206    faculty/department the local role is assigned.
207    """
208    grok.name('waeup.local.DepartmentOfficer')
209    grok.title(u'Department Officer')
210    grok.permissions('waeup.showStudents',
211                     'waeup.viewAcademics',
212                     'waeup.exportPaymentsOverview')
213
214
[7185]215class DepartmentManager(grok.Role):
[12847]216    """The local DepartmentManager role can be assigned at faculty or
217    department level. The role allows to edit all data within this container.
218    It does not automatically allow to remove sub-containers.
219
220    Department Managers (Dean of Faculty or Head of Department respectively)
221    can also list student data but not access student pages.
[12843]222    """
[7185]223    grok.name('waeup.local.DepartmentManager')
224    grok.title(u'Department Manager')
[10248]225    grok.permissions('waeup.manageAcademics',
226                     'waeup.showStudents',
227                     'waeup.exportData')
[6142]228
[14603]229
[6655]230class ClearanceOfficer(grok.Role):
[12847]231    """The local ClearanceOfficer role can be assigned at faculty or
232    department level. The role allows to list or export all student
233    data within the faculty/department the local role is assigned.
234
235    Clearance Officers can furthermore clear all students or reject clearance
236    of all students in their faculty/department. They get the
237    StudentsClearanceOfficer role for this subset of students.
[7168]238    """
[6655]239    grok.name('waeup.local.ClearanceOfficer')
240    grok.title(u'Clearance Officer')
[10248]241    grok.permissions('waeup.showStudents',
242                     'waeup.viewAcademics',
[11862]243                     'waeup.exportData',
244                     'waeup.clearAllStudents')
[6655]245
[14603]246
[10639]247class LocalStudentsManager(grok.Role):
[12847]248    """The local LocalStudentsManager role can be assigned at faculty or
249    department level. The role allows to view all data and to view or export
250    all student data within the faculty/department the local role is assigned.
251
252    Local Students Managers can furthermore manage data of students
253    in their faculty/department. They get the StudentsManager role for
254    this subset of students.
[10639]255    """
256    grok.name('waeup.local.LocalStudentsManager')
257    grok.title(u'Students Manager')
258    grok.permissions('waeup.showStudents',
259                     'waeup.viewAcademics',
260                     'waeup.exportData')
261
[14603]262
[10639]263class LocalWorkflowManager(grok.Role):
[12847]264    """The local LocalWorkflowManager role can be assigned at faculty level.
265    The role allows to view all data and to list or export
266    all student data within the faculty the local role is assigned.
267
268    Local Workflow Managers can trigger transition of students in their
269    faculty/department. They get the WorkflowManager role for
270    this subset of students.
[10639]271    """
272    grok.name('waeup.local.LocalWorkflowManager')
273    grok.title(u'Student Workflow Manager')
274    grok.permissions('waeup.showStudents',
275                     'waeup.viewAcademics',
276                     'waeup.exportData')
277
[14603]278
[8962]279class UGClearanceOfficer(grok.Role):
[12847]280    """UG Clearance Officers are regular Clearance Officers with restricted
281    dynamic permission assignment. They can only access undergraduate
282    students.
[8962]283    """
284    grok.name('waeup.local.UGClearanceOfficer')
285    grok.title(u'UG Clearance Officer')
[10248]286    grok.permissions('waeup.showStudents',
287                     'waeup.viewAcademics',
[11862]288                     'waeup.exportData',
289                     'waeup.clearAllStudents')
[8962]290
[14603]291
[8962]292class PGClearanceOfficer(grok.Role):
[12847]293    """PG Clearance Officers are regular Clearance Officers with restricted
294    dynamic permission assignment. They can only access postgraduate
295    students.
[8962]296    """
297    grok.name('waeup.local.PGClearanceOfficer')
298    grok.title(u'PG Clearance Officer')
[10248]299    grok.permissions('waeup.showStudents',
300                     'waeup.viewAcademics',
[11862]301                     'waeup.exportData',
302                     'waeup.clearAllStudents')
[8962]303
[14603]304
[7334]305class CourseAdviser100(grok.Role):
[12847]306    """The local CourseAdviser100 role can be assigned at faculty,
[14603]307    department or certificate level. The role allows to view all data and
308    to list or export all student data within the faculty, department
[12847]309    or certificate the local role is assigned.
310
311    Local Course Advisers can validate or reject course lists of students
312    in ther faculty/department/certificate at level 100.
313    They get the StudentsCourseAdviser role for this subset of students.
[7168]314    """
[7334]315    grok.name('waeup.local.CourseAdviser100')
316    grok.title(u'Course Adviser 100L')
[10248]317    grok.permissions('waeup.showStudents',
318                     'waeup.viewAcademics',
319                     'waeup.exportData')
[6655]320
[14603]321
[7334]322class CourseAdviser200(grok.Role):
[12847]323    """Same as CourseAdviser100 but for level 200.
[7334]324    """
325    grok.name('waeup.local.CourseAdviser200')
326    grok.title(u'Course Adviser 200L')
[10248]327    grok.permissions('waeup.showStudents',
328                     'waeup.viewAcademics',
329                     'waeup.exportData')
[7334]330
[14603]331
[7334]332class CourseAdviser300(grok.Role):
[12847]333    """Same as CourseAdviser100 but for level 300.
[7334]334    """
335    grok.name('waeup.local.CourseAdviser300')
336    grok.title(u'Course Adviser 300L')
[10248]337    grok.permissions('waeup.showStudents',
338                     'waeup.viewAcademics',
339                     'waeup.exportData')
[7334]340
[14603]341
[7334]342class CourseAdviser400(grok.Role):
[12847]343    """Same as CourseAdviser100 but for level 400.
[7334]344    """
345    grok.name('waeup.local.CourseAdviser400')
346    grok.title(u'Course Adviser 400L')
[10248]347    grok.permissions('waeup.showStudents',
348                     'waeup.viewAcademics',
349                     'waeup.exportData')
[7334]350
[14603]351
[7334]352class CourseAdviser500(grok.Role):
[12847]353    """Same as CourseAdviser100 but for level 500.
[7334]354    """
355    grok.name('waeup.local.CourseAdviser500')
356    grok.title(u'Course Adviser 500L')
[10248]357    grok.permissions('waeup.showStudents',
358                     'waeup.viewAcademics',
359                     'waeup.exportData')
[7334]360
[14603]361
[7334]362class CourseAdviser600(grok.Role):
[12847]363    """Same as CourseAdviser100 but for level 600.
[7334]364    """
365    grok.name('waeup.local.CourseAdviser600')
366    grok.title(u'Course Adviser 600L')
[10248]367    grok.permissions('waeup.showStudents',
368                     'waeup.viewAcademics',
369                     'waeup.exportData')
[7334]370
[14603]371
[10064]372class CourseAdviser700(grok.Role):
[12847]373    """Same as CourseAdviser100 but for level 700.
[10064]374    """
375    grok.name('waeup.local.CourseAdviser700')
376    grok.title(u'Course Adviser 700L')
[10248]377    grok.permissions('waeup.showStudents',
378                     'waeup.viewAcademics',
379                     'waeup.exportData')
[10064]380
[14603]381
[10064]382class CourseAdviser800(grok.Role):
[12847]383    """Same as CourseAdviser100 but for level 800.
[10064]384    """
385    grok.name('waeup.local.CourseAdviser800')
386    grok.title(u'Course Adviser 800L')
[10248]387    grok.permissions('waeup.showStudents',
388                     'waeup.viewAcademics',
389                     'waeup.exportData')
[10064]390
[14603]391
[15134]392class LocalTranscriptOfficer(grok.Role):
[15152]393    """The LocalTranscriptOfficer role can be assigned at faculty
394    level. The role allows to view, to validate and to
[15155]395    release student transcripts at faculty level.
396    Local Transcript Officers get the TranscriptOfficer role
397    for this subset of students.
[15134]398    """
399    grok.name('waeup.local.TranscriptOfficer')
400    grok.title(u'Transcript Officer')
[15155]401    grok.permissions('waeup.viewAcademics',)
[15134]402
403
404class LocalTranscriptSignee(grok.Role):
[15152]405    """The LocalTranscriptSignee role can be assigned at faculty
[15155]406    level. The role allows to view and to sign student transcripts
407    at faculty level. Local Transcript Signees  get the TranscriptSignee role
408    for this subset of students.
[15134]409    """
410    grok.name('waeup.local.TranscriptSignee')
411    grok.title(u'Transcript Signee')
[15155]412    grok.permissions('waeup.viewAcademics',)
[15134]413
414
[9002]415class Lecturer(grok.Role):
[12847]416    """The local Lecturer role can be assigned at course level.
[13894]417    The role allows to export some student
[13046]418    data within the course the local role is assigned. Lecturers can't access
[12847]419    student data directly but they can edit the scores in course tickets.
[9002]420    """
421    grok.name('waeup.local.Lecturer')
422    grok.title(u'Lecturer')
[13894]423    grok.permissions('waeup.editScores',
[10248]424                     'waeup.viewAcademics',
425                     'waeup.exportData')
[9002]426
[14603]427
[7163]428class Owner(grok.Role):
[12847]429    """Each user 'owns' her/his user object and gains permission to edit
430    some of the user attributes.
431    """
[7163]432    grok.name('waeup.local.Owner')
433    grok.title(u'Owner')
434    grok.permissions('waeup.editUser')
435
[14603]436
[7178]437# Site Roles
[7185]438class AcademicsOfficer(grok.Role):
[12844]439    """An Academics Officer can view but not edit data in the
[12862]440    academic section.
[12843]441
442    This is the default role which is automatically assigned to all
443    officers of the portal. A user with this role can access all display pages
444    at faculty, department, course, certificate and certificate course level.
445    """
[7185]446    grok.name('waeup.AcademicsOfficer')
[7188]447    grok.title(u'Academics Officer (view only)')
[7184]448    grok.permissions('waeup.viewAcademics')
[3521]449
[14603]450
[8367]451class AcademicsManager(grok.Role):
[12843]452    """An Academics Manager can view and edit all data in the
[12862]453    scademic section, i.e. access all manage pages
[12843]454    at faculty, department, course, certificate and certificate course level.
455    """
[8367]456    grok.name('waeup.AcademicsManager')
457    grok.title(u'Academics Manager')
[12835]458    title = u'Academics Manager'
[8367]459    grok.permissions('waeup.viewAcademics',
460                     'waeup.manageAcademics')
461
[14603]462
[7181]463class ACManager(grok.Role):
[12843]464    """This is the role for Access Code Managers.
[12847]465    An AC Manager can view and manage the Accesscodes Section, see
[12844]466    ManageACBatches permission above.
[12843]467    """
[7181]468    grok.name('waeup.ACManager')
469    grok.title(u'Access Code Manager')
470    grok.permissions('waeup.manageACBatches')
471
[14603]472
[8367]473class DataCenterManager(grok.Role):
[12843]474    """This single-permission role is dedicated to those users
475    who are charged with batch processing of portal data.
[12847]476    A Data Center Manager can access all pages in the Data Center,
[12844]477    see ManageDataCenter permission above.
[12843]478    """
[8367]479    grok.name('waeup.DataCenterManager')
480    grok.title(u'Datacenter Manager')
481    grok.permissions('waeup.manageDataCenter')
482
[14603]483
[8367]484class ImportManager(grok.Role):
[12847]485    """An Import Manager is a Data Center Manager who is also allowed
[14603]486    to batch process (import) data. All batch processors (importers) are
[12843]487    available except for the User Processor. This processor requires the
[12847]488    Users Manager role too. The ImportManager role includes the
[12844]489    DataCenterManager role but not vice versa.
[12843]490    """
[8367]491    grok.name('waeup.ImportManager')
492    grok.title(u'Import Manager')
493    grok.permissions('waeup.manageDataCenter',
494                     'waeup.importData')
495
[14603]496
[10177]497class ExportManager(grok.Role):
[12847]498    """An Export Manager is a Data Center Manager who is also allowed
[12843]499    to export all kind of portal data. The ExportManager role includes the
[12844]500    DataCenterManager role but not vice versa.
[12843]501    """
[10177]502    grok.name('waeup.ExportManager')
503    grok.title(u'Export Manager')
504    grok.permissions('waeup.manageDataCenter',
[14734]505                     'waeup.exportData',
506                     'waeup.showStudents')
[10177]507
[14603]508
[10246]509class BursaryOfficer(grok.Role):
[12847]510    """Bursary Officers can export bursary data. They can't access the
[12844]511    Data Center but see student data export buttons in the Academic Section.
[12843]512    """
[10246]513    grok.name('waeup.BursaryOfficer')
514    grok.title(u'Bursary Officer')
[10279]515    grok.permissions('waeup.showStudents',
516                     'waeup.viewAcademics',
517                     'waeup.exportBursaryData')
[10246]518
[14603]519
[8367]520class UsersManager(grok.Role):
[12847]521    """A Users Manager can add, remove or edit
[12844]522    user accounts, see ManageUsers permission for further information.
523    Be very careful with this role.
[12843]524    """
[8367]525    grok.name('waeup.UsersManager')
526    grok.title(u'Users Manager')
[9259]527    grok.permissions('waeup.manageUsers',
528                     'waeup.editUser')
[8367]529
[14603]530
[9300]531class WorkflowManager(grok.Role):
[12847]532    """The Workflow Manager can trigger workflow transitions
[12844]533    of student and document objects, see TriggerTransition permission
534    for further information.
[12843]535    """
[9300]536    grok.name('waeup.WorkflowManager')
537    grok.title(u'Workflow Manager')
[9299]538    grok.permissions('waeup.triggerTransition')
539
[14602]540
541class FingerprintReaderDeviceRole(grok.Role):
542    """Fingerprint Reader Devices.
543
544    Fingerprint readers are remote devices that can store and retrieve
[14634]545    fingerprint data.
[14602]546    """
547    grok.name('waeup.FingerprintDevice')
548    grok.title(u'Fingerprint Reader')
549    grok.permissions(
[14633]550        'waeup.getBiometricData',
551        'waeup.putBiometricData',
552    )
[14602]553
554
[4789]555class PortalManager(grok.Role):
[12847]556    """The PortalManager role is the maximum set of Kofa permissions
[12835]557    which are needed to manage the entire portal. This set must not
[12844]558    be customized. It is recommended to assign this role only
559    to a few certified Kofa administrators.
560    A less dangerous manager role is the CCOfficer role described below.
561    For the most tasks the CCOfficer role is sufficient.
[12835]562    """
[4789]563    grok.name('waeup.PortalManager')
[6159]564    grok.title(u'Portal Manager')
[9259]565    grok.permissions('waeup.managePortal',
566                     'waeup.manageUsers',
[8374]567                     'waeup.viewAcademics', 'waeup.manageAcademics',
[8367]568                     'waeup.manageACBatches',
[9259]569                     'waeup.manageDataCenter',
570                     'waeup.importData',
[10177]571                     'waeup.exportData',
[10278]572                     'waeup.viewTranscript',
[15134]573                     'waeup.processTranscript',
[12440]574                     'waeup.viewDocuments', 'waeup.manageDocuments',
[14603]575                     'waeup.managePortalConfiguration',
576                     'waeup.viewApplication',
[7184]577                     'waeup.manageApplication', 'waeup.handleApplication',
[7250]578                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
[8565]579                     'waeup.viewApplicationStatistics',
[7250]580                     'waeup.viewStudent', 'waeup.manageStudent',
581                     'waeup.clearStudent', 'waeup.payStudent',
[14603]582                     'waeup.clearStudentFinancially',  # not used in base pkg
[7250]583                     'waeup.uploadStudentFile', 'waeup.showStudents',
[14949]584                     'waeup.clearAllStudents',
585                     'waeup.createStudents',
[10632]586                     'waeup.editScores',
[9273]587                     'waeup.triggerTransition',
[14166]588                     'waeup.validateStudent',
[12843]589                     'waeup.viewStudentsContainer',
[9186]590                     'waeup.handleAccommodation',
[7205]591                     'waeup.viewHostels', 'waeup.manageHostels',
[9335]592                     'waeup.editUser',
[9637]593                     'waeup.loginAsStudent',
[12900]594                     'waeup.handleReports',
[9637]595                     'waeup.manageReports',
[9645]596                     'waeup.manageJobs',
[7240]597                     )
[4789]598
[14603]599
[9259]600class CCOfficer(grok.Role):
[12843]601    """The role of the Computer Center Officer is basically a copy
[12835]602    of the the PortalManager role. Some 'dangerous' permissions are excluded
603    by commenting them out (see source code). If officers need to gain more
604    access rights than defined in this role, do not hastily switch to the
[12843]605    PortalManager role but add further manager roles instead. Additional
[12835]606    roles could be: UsersManager, ACManager, ImportManager, WorkflowManager
607    or StudentImpersonator.
[12843]608
[12844]609    CCOfficer is a base class which means that this role is subject to
610    customization. It is not used in the ``waeup.kofa`` base package.
[9259]611    """
[10346]612    grok.baseclass()
[9259]613    grok.name('waeup.CCOfficer')
614    grok.title(u'Computer Center Officer')
[14603]615    grok.permissions(
616        # 'waeup.managePortal',
617        # 'waeup.manageUsers',
618        'waeup.viewAcademics',
619        'waeup.manageAcademics',
620        # 'waeup.manageACBatches',
621        'waeup.manageDataCenter',
622        # 'waeup.importData',
623        'waeup.exportData',
624        'waeup.viewTranscript',
[15134]625        'waeup.processTranscript',
[14603]626        'waeup.viewDocuments', 'waeup.manageDocuments',
627        'waeup.managePortalConfiguration', 'waeup.viewApplication',
628        'waeup.manageApplication', 'waeup.handleApplication',
629        'waeup.viewApplicantsTab', 'waeup.payApplicant',
630        'waeup.viewApplicationStatistics',
631        'waeup.viewStudent', 'waeup.manageStudent',
632        'waeup.clearStudent', 'waeup.payStudent',
633        'waeup.uploadStudentFile', 'waeup.showStudents',
[14949]634        'waeup.clearAllStudents',
635        # 'waeup.createStudents',
[14603]636        'waeup.editScores',
637        # 'waeup.triggerTransition',
638        'waeup.validateStudent',
639        'waeup.viewStudentsContainer',
640        'waeup.handleAccommodation',
641        'waeup.viewHostels', 'waeup.manageHostels',
642        # 'waeup.editUser',
643        # 'waeup.loginAsStudent',
644        'waeup.handleReports',
645        'waeup.manageReports',
646        # 'waeup.manageJobs',
647        )
[9259]648
[14603]649
[7186]650def get_all_roles():
[6157]651    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
652    """
653    return getUtilitiesFor(IRole)
654
[14603]655
[7186]656def get_waeup_roles(also_local=False):
[7819]657    """Get all Kofa roles.
[6157]658
[7819]659    Kofa roles are ordinary roles whose id by convention starts with
[6157]660    a ``waeup.`` prefix.
661
662    If `also_local` is ``True`` (``False`` by default), also local
[7819]663    roles are returned. Local Kofa roles are such whose id starts
[6157]664    with ``waeup.local.`` prefix (this is also a convention).
665
666    Returns a generator of the found roles.
667    """
[7186]668    for name, item in get_all_roles():
[6157]669        if not name.startswith('waeup.'):
[7819]670            # Ignore non-Kofa roles...
[4789]671            continue
[6157]672        if not also_local and name.startswith('waeup.local.'):
673            # Ignore local roles...
[6045]674            continue
[6157]675        yield item
[4789]676
[14603]677
[7186]678def get_waeup_role_names():
[7819]679    """Get the ids of all Kofa roles.
[6157]680
[7819]681    See :func:`get_waeup_roles` for what a 'KofaRole' is.
[6157]682
[7819]683    This function returns a sorted list of Kofa role names.
[6157]684    """
[7186]685    return sorted([x.id for x in get_waeup_roles()])
[6157]686
[14603]687
[6144]688class LocalRolesAssignable(grok.Adapter):
689    """Default implementation for `ILocalRolesAssignable`.
690
691    This adapter returns a list for dictionaries for objects for which
692    we want to know the roles assignable to them locally.
693
694    The returned dicts contain a ``name`` and a ``title`` entry which
695    give a role (``name``) and a description, for which kind of users
696    the permission is meant to be used (``title``).
697
698    Having this adapter registered we make sure, that for each normal
699    object we get a valid `ILocalRolesAssignable` adapter.
700
701    Objects that want to offer certain local roles, can do so by
[6162]702    setting a (preferably class-) attribute to a list of role ids.
[6144]703
704    You can also define different adapters for different contexts to
705    have different role lookup mechanisms become available. But in
706    normal cases it should be sufficient to use this basic adapter.
707    """
708    grok.context(Interface)
709    grok.provides(ILocalRolesAssignable)
710
711    _roles = []
712
713    def __init__(self, context):
714        self.context = context
[6162]715        role_ids = getattr(context, 'local_roles', self._roles)
[7186]716        self._roles = [(name, role) for name, role in get_all_roles()
[6162]717                       if name in role_ids]
[6144]718        return
719
720    def __call__(self):
721        """Get a list of dictionaries containing ``names`` (the roles to
722        assign) and ``titles`` (some description of the type of user
723        to assign each role to).
724        """
[7334]725        list_of_dict = [dict(
[6162]726                name=name,
727                title=role.title,
[6163]728                description=role.description)
[7334]729                for name, role in self._roles]
730        return sorted(list_of_dict, key=lambda x: x['name'])
[6144]731
[14603]732
[8774]733def get_all_users():
734    """Get a list of dictionaries.
735    """
736    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
737    for key, val in users:
738        yield(dict(name=key, val=val))
739
[14603]740
[6163]741def get_users_with_local_roles(context):
742    """Get a list of dicts representing the local roles set for `context`.
743
744    Each dict returns `user_name`, `user_title`, `local_role`,
745    `local_role_title`, and `setting` for each entry in the local
746    roles map of the `context` object.
747    """
[6202]748    try:
749        role_map = IPrincipalRoleMap(context)
750    except TypeError:
751        # no map no roles.
752        raise StopIteration
[6163]753    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
[14603]754        user = grok.getSite()['users'].get(user_name, None)
[7213]755        user_title = getattr(user, 'title', user_name)
[10227]756        local_role_title = getattr(
757            dict(get_all_roles()).get(local_role, None), 'title', None)
[14603]758        yield dict(user_name=user_name,
759                   user_title=user_title,
760                   local_role=local_role,
761                   local_role_title=local_role_title,
762                   setting=setting)
[9309]763
[14603]764
[9309]765def get_users_with_role(role, context):
766    """Get a list of dicts representing the usres who have been granted
767    a role for `context`.
768    """
769    try:
770        role_map = IPrincipalRoleMap(context)
771    except TypeError:
772        # no map no roles.
773        raise StopIteration
774    for user_name, setting in role_map.getPrincipalsForRole(role):
[14603]775        user = grok.getSite()['users'].get(user_name, None)
[9309]776        user_title = getattr(user, 'title', user_name)
777        user_email = getattr(user, 'email', None)
[14603]778        yield dict(user_name=user_name,
779                   user_title=user_title,
780                   user_email=user_email,
781                   setting=setting)
Note: See TracBrowser for help on using the repository browser.