Context navigation

source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 11665

Last change on this file since 11665 was 11665, checked in by uli, 10 years ago
Add a permission for getting biometric data.
Property svn:eol-style set to `native` Property svn:keywords set to `Id`
File size: 17.6 KB

Rev	Line
[7193]	1	## $Id: permissions.py 11665 2014-05-26 13:22:20Z uli $
	2	##
	3	## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
	4	## This program is free software; you can redistribute it and/or modify
	5	## it under the terms of the GNU General Public License as published by
	6	## the Free Software Foundation; either version 2 of the License, or
	7	## (at your option) any later version.
	8	##
	9	## This program is distributed in the hope that it will be useful,
	10	## but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	## GNU General Public License for more details.
	13	##
	14	## You should have received a copy of the GNU General Public License
	15	## along with this program; if not, write to the Free Software
	16	## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	17	##
[3521]	18	import grok
[6157]	19	from zope.component import getUtilitiesFor
[6144]	20	from zope.interface import Interface
[6163]	21	from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
[7811]	22	from waeup.kofa.interfaces import ILocalRolesAssignable
[3521]	23
[4789]	24	class Public(grok.Permission):
	25	"""Everyone-can-do-this-permission.
	26
	27	This permission is meant to be applied to objects/views/pages
	28	etc., that should be usable/readable by everyone.
	29
	30	We need this to be able to tune default permissions more
	31	restrictive and open up some dedicated objects like the front
	32	page.
	33	"""
	34	grok.name('waeup.Public')
[6142]	35
[5433]	36	class Anonymous(grok.Permission):
	37	"""Only-anonymous-can-do-this-permission.
	38	"""
[6142]	39	grok.name('waeup.Anonymous')
[4789]	40
[7184]	41	class Authenticated(grok.Permission):
	42	"""Only-logged-in-users-can-do-this-permission.
	43	"""
	44	grok.name('waeup.Authenticated')
[4789]	45
[7184]	46	class ViewAcademicsPermission(grok.Permission):
	47	grok.name('waeup.viewAcademics')
	48
[8367]	49	class ManageAcademicsPermission(grok.Permission):
	50	grok.name('waeup.manageAcademics')
[4789]	51
[8367]	52	class ManagePortal(grok.Permission):
	53	grok.name('waeup.managePortal')
	54
[4789]	55	class ManageUsers(grok.Permission):
	56	grok.name('waeup.manageUsers')
[6142]	57
[7205]	58	class ShowStudents(grok.Permission):
	59	grok.name('waeup.showStudents')
	60
[10632]	61	class EditScores(grok.Permission):
	62	grok.name('waeup.editScores')
	63
[7163]	64	class EditUser(grok.Permission):
	65	grok.name('waeup.editUser')
	66
[6127]	67	class ManageDataCenter(grok.Permission):
	68	grok.name('waeup.manageDataCenter')
[6142]	69
[8367]	70	class ImportData(grok.Permission):
	71	grok.name('waeup.importData')
	72
[10177]	73	class ExportData(grok.Permission):
	74	grok.name('waeup.exportData')
	75
[10279]	76	class ExportPaymentsOverview(grok.Permission):
	77	grok.name('waeup.exportPaymentsOverview')
	78
	79	class ExportBursaryData(grok.Permission):
	80	grok.name('waeup.exportBursaryData')
	81
[10278]	82	class ViewTranscript(grok.Permission):
	83	grok.name('waeup.viewTranscript')
	84
[6907]	85	class ManagePortalConfiguration(grok.Permission):
	86	grok.name('waeup.managePortalConfiguration')
[6155]	87
[7181]	88	class ManageACBatches(grok.Permission):
	89	grok.name('waeup.manageACBatches')
	90
[11665]	91	class GetBiometricDataPermission(grok.Permission):
	92	"""Permission to read biometric data.
	93	"""
	94	grok.name('waeup.getBiometricData')
	95
	96
[6125]	97	# Local Roles
[10226]	98	class ApplicationsManager(grok.Role):
	99	grok.name('waeup.local.ApplicationsManager')
	100	grok.title(u'Applications Manager')
	101	grok.permissions('waeup.viewAcademics')
	102
[7185]	103	class DepartmentManager(grok.Role):
	104	grok.name('waeup.local.DepartmentManager')
	105	grok.title(u'Department Manager')
[10248]	106	grok.permissions('waeup.manageAcademics',
	107	'waeup.showStudents',
	108	'waeup.exportData')
[6142]	109
[10279]	110	class DepartmentOfficer(grok.Role):
	111	grok.name('waeup.local.DepartmentOfficer')
	112	grok.title(u'Department Officer')
	113	grok.permissions('waeup.showStudents',
	114	'waeup.viewAcademics',
	115	'waeup.exportPaymentsOverview')
	116
[6655]	117	class ClearanceOfficer(grok.Role):
[7168]	118	"""The clearance officer role is meant for the
	119	assignment of dynamic roles only.
	120	"""
[6655]	121	grok.name('waeup.local.ClearanceOfficer')
	122	grok.title(u'Clearance Officer')
[10248]	123	grok.permissions('waeup.showStudents',
	124	'waeup.viewAcademics',
	125	'waeup.exportData')
[6655]	126
[10639]	127	class LocalStudentsManager(grok.Role):
	128	"""The local students manager role is meant for the
	129	assignment of dynamic roles only.
	130	"""
	131	grok.name('waeup.local.LocalStudentsManager')
	132	grok.title(u'Students Manager')
	133	grok.permissions('waeup.showStudents',
	134	'waeup.viewAcademics',
	135	'waeup.exportData')
	136
	137	class LocalWorkflowManager(grok.Role):
	138	"""The local workflow manager role is meant for the
	139	assignment of dynamic roles only.
	140	"""
	141	grok.name('waeup.local.LocalWorkflowManager')
	142	grok.title(u'Student Workflow Manager')
	143	grok.permissions('waeup.showStudents',
	144	'waeup.viewAcademics',
	145	'waeup.exportData')
	146
[8962]	147	class UGClearanceOfficer(grok.Role):
	148	"""The clearance officer role is meant for the
	149	assignment of dynamic roles only.
	150	"""
	151	grok.name('waeup.local.UGClearanceOfficer')
	152	grok.title(u'UG Clearance Officer')
[10248]	153	grok.permissions('waeup.showStudents',
	154	'waeup.viewAcademics',
	155	'waeup.exportData')
[8962]	156
	157	class PGClearanceOfficer(grok.Role):
	158	"""The clearance officer role is meant for the
	159	assignment of dynamic roles only.
	160	"""
	161	grok.name('waeup.local.PGClearanceOfficer')
	162	grok.title(u'PG Clearance Officer')
[10248]	163	grok.permissions('waeup.showStudents',
	164	'waeup.viewAcademics',
	165	'waeup.exportData')
[8962]	166
[7334]	167	class CourseAdviser100(grok.Role):
[7335]	168	"""The 100 level course adviser role is meant for the
[7168]	169	assignment of dynamic roles only.
	170	"""
[7334]	171	grok.name('waeup.local.CourseAdviser100')
	172	grok.title(u'Course Adviser 100L')
[10248]	173	grok.permissions('waeup.showStudents',
	174	'waeup.viewAcademics',
	175	'waeup.exportData')
[6655]	176
[7334]	177	class CourseAdviser200(grok.Role):
[7335]	178	"""The course 200 level adviser role is meant for the
[7334]	179	assignment of dynamic roles only.
	180	"""
	181	grok.name('waeup.local.CourseAdviser200')
	182	grok.title(u'Course Adviser 200L')
[10248]	183	grok.permissions('waeup.showStudents',
	184	'waeup.viewAcademics',
	185	'waeup.exportData')
[7334]	186
	187	class CourseAdviser300(grok.Role):
[7335]	188	"""The 300 level course adviser role is meant for the
[7334]	189	assignment of dynamic roles only.
	190	"""
	191	grok.name('waeup.local.CourseAdviser300')
	192	grok.title(u'Course Adviser 300L')
[10248]	193	grok.permissions('waeup.showStudents',
	194	'waeup.viewAcademics',
	195	'waeup.exportData')
[7334]	196
	197	class CourseAdviser400(grok.Role):
[7335]	198	"""The 400 level course adviser role is meant for the
[7334]	199	assignment of dynamic roles only.
	200	"""
	201	grok.name('waeup.local.CourseAdviser400')
	202	grok.title(u'Course Adviser 400L')
[10248]	203	grok.permissions('waeup.showStudents',
	204	'waeup.viewAcademics',
	205	'waeup.exportData')
[7334]	206
	207	class CourseAdviser500(grok.Role):
[7335]	208	"""The 500 level course adviser role is meant for the
[7334]	209	assignment of dynamic roles only.
	210	"""
	211	grok.name('waeup.local.CourseAdviser500')
	212	grok.title(u'Course Adviser 500L')
[10248]	213	grok.permissions('waeup.showStudents',
	214	'waeup.viewAcademics',
	215	'waeup.exportData')
[7334]	216
	217	class CourseAdviser600(grok.Role):
[7335]	218	"""The 600 level course adviser role is meant for the
[7334]	219	assignment of dynamic roles only.
	220	"""
	221	grok.name('waeup.local.CourseAdviser600')
	222	grok.title(u'Course Adviser 600L')
[10248]	223	grok.permissions('waeup.showStudents',
	224	'waeup.viewAcademics',
	225	'waeup.exportData')
[7334]	226
[10064]	227	class CourseAdviser700(grok.Role):
	228	"""The 700 level course adviser role is meant for the
	229	assignment of dynamic roles only.
	230	"""
	231	grok.name('waeup.local.CourseAdviser700')
	232	grok.title(u'Course Adviser 700L')
[10248]	233	grok.permissions('waeup.showStudents',
	234	'waeup.viewAcademics',
	235	'waeup.exportData')
[10064]	236
	237	class CourseAdviser800(grok.Role):
	238	"""The 800 level course adviser role is meant for the
	239	assignment of dynamic roles only.
	240	"""
	241	grok.name('waeup.local.CourseAdviser800')
	242	grok.title(u'Course Adviser 800L')
[10248]	243	grok.permissions('waeup.showStudents',
	244	'waeup.viewAcademics',
	245	'waeup.exportData')
[10064]	246
[9002]	247	class Lecturer(grok.Role):
	248	"""The lecturer role is meant for the
	249	assignment of dynamic roles only.
	250	"""
	251	grok.name('waeup.local.Lecturer')
	252	grok.title(u'Lecturer')
[10248]	253	grok.permissions('waeup.showStudents',
[10632]	254	'waeup.editScores',
[10248]	255	'waeup.viewAcademics',
	256	'waeup.exportData')
[9002]	257
[7163]	258	class Owner(grok.Role):
	259	grok.name('waeup.local.Owner')
	260	grok.title(u'Owner')
	261	grok.permissions('waeup.editUser')
	262
[7178]	263	# Site Roles
[7185]	264	class AcademicsOfficer(grok.Role):
	265	grok.name('waeup.AcademicsOfficer')
[7188]	266	grok.title(u'Academics Officer (view only)')
[7184]	267	grok.permissions('waeup.viewAcademics')
[3521]	268
[8367]	269	class AcademicsManager(grok.Role):
	270	grok.name('waeup.AcademicsManager')
	271	grok.title(u'Academics Manager')
	272	grok.permissions('waeup.viewAcademics',
	273	'waeup.manageAcademics')
	274
[7181]	275	class ACManager(grok.Role):
	276	grok.name('waeup.ACManager')
	277	grok.title(u'Access Code Manager')
	278	grok.permissions('waeup.manageACBatches')
	279
[8367]	280	class DataCenterManager(grok.Role):
	281	grok.name('waeup.DataCenterManager')
	282	grok.title(u'Datacenter Manager')
	283	grok.permissions('waeup.manageDataCenter')
	284
	285	class ImportManager(grok.Role):
	286	grok.name('waeup.ImportManager')
	287	grok.title(u'Import Manager')
	288	grok.permissions('waeup.manageDataCenter',
	289	'waeup.importData')
	290
[10177]	291	class ExportManager(grok.Role):
	292	grok.name('waeup.ExportManager')
	293	grok.title(u'Export Manager')
	294	grok.permissions('waeup.manageDataCenter',
	295	'waeup.exportData')
	296
[10246]	297	class BursaryOfficer(grok.Role):
	298	grok.name('waeup.BursaryOfficer')
	299	grok.title(u'Bursary Officer')
[10279]	300	grok.permissions('waeup.showStudents',
	301	'waeup.viewAcademics',
	302	'waeup.exportBursaryData')
[10246]	303
[8367]	304	class UsersManager(grok.Role):
	305	grok.name('waeup.UsersManager')
	306	grok.title(u'Users Manager')
[9259]	307	grok.permissions('waeup.manageUsers',
	308	'waeup.editUser')
[8367]	309
[9300]	310	class WorkflowManager(grok.Role):
	311	grok.name('waeup.WorkflowManager')
	312	grok.title(u'Workflow Manager')
[9299]	313	grok.permissions('waeup.triggerTransition')
	314
[4789]	315	class PortalManager(grok.Role):
	316	grok.name('waeup.PortalManager')
[6159]	317	grok.title(u'Portal Manager')
[9259]	318	grok.permissions('waeup.managePortal',
	319	'waeup.manageUsers',
[8374]	320	'waeup.viewAcademics', 'waeup.manageAcademics',
[8367]	321	'waeup.manageACBatches',
[9259]	322	'waeup.manageDataCenter',
	323	'waeup.importData',
[10177]	324	'waeup.exportData',
[10278]	325	'waeup.viewTranscript',
[7184]	326	'waeup.managePortalConfiguration', 'waeup.viewApplication',
	327	'waeup.manageApplication', 'waeup.handleApplication',
[7250]	328	'waeup.viewApplicantsTab', 'waeup.payApplicant',
[8565]	329	'waeup.viewApplicationStatistics',
[7250]	330	'waeup.viewStudent', 'waeup.manageStudent',
	331	'waeup.clearStudent', 'waeup.payStudent',
	332	'waeup.uploadStudentFile', 'waeup.showStudents',
[10632]	333	'waeup.editScores',
[9273]	334	'waeup.triggerTransition',
[7250]	335	'waeup.viewStudentsContainer','waeup.viewStudentsTab',
[9186]	336	'waeup.handleAccommodation',
[7205]	337	'waeup.viewHostels', 'waeup.manageHostels',
[9335]	338	'waeup.editUser',
[9637]	339	'waeup.loginAsStudent',
	340	'waeup.manageReports',
[9645]	341	'waeup.manageJobs',
[7240]	342	)
[4789]	343
[9259]	344	class CCOfficer(grok.Role):
[9303]	345	"""This is basically a copy of the the PortalManager class. We exclude some
[9262]	346	'dangerous' permissions by commenting them out.
[9259]	347	"""
[10346]	348	grok.baseclass()
[9259]	349	grok.name('waeup.CCOfficer')
	350	grok.title(u'Computer Center Officer')
	351	grok.permissions(#'waeup.managePortal',
	352	#'waeup.manageUsers',
	353	'waeup.viewAcademics', 'waeup.manageAcademics',
	354	#'waeup.manageACBatches',
	355	'waeup.manageDataCenter',
	356	#'waeup.importData',
[10243]	357	'waeup.exportData',
[10278]	358	'waeup.viewTranscript',
[9259]	359	'waeup.managePortalConfiguration', 'waeup.viewApplication',
	360	'waeup.manageApplication', 'waeup.handleApplication',
	361	'waeup.viewApplicantsTab', 'waeup.payApplicant',
	362	'waeup.viewApplicationStatistics',
	363	'waeup.viewStudent', 'waeup.manageStudent',
	364	'waeup.clearStudent', 'waeup.payStudent',
	365	'waeup.uploadStudentFile', 'waeup.showStudents',
[10632]	366	'waeup.editScores',
[9273]	367	#'waeup.triggerTransition',
[9259]	368	'waeup.viewStudentsContainer','waeup.viewStudentsTab',
	369	'waeup.handleAccommodation',
	370	'waeup.viewHostels', 'waeup.manageHostels',
[9335]	371	#'waeup.editUser',
[9637]	372	#'waeup.loginAsStudent',
	373	'waeup.manageReports',
[9645]	374	#'waeup.manageJobs',
[9259]	375	)
	376
[7186]	377	def get_all_roles():
[6157]	378	"""Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
	379	"""
	380	return getUtilitiesFor(IRole)
	381
[7186]	382	def get_waeup_roles(also_local=False):
[7819]	383	"""Get all Kofa roles.
[6157]	384
[7819]	385	Kofa roles are ordinary roles whose id by convention starts with
[6157]	386	a ``waeup.`` prefix.
	387
	388	If `also_local` is ``True`` (``False`` by default), also local
[7819]	389	roles are returned. Local Kofa roles are such whose id starts
[6157]	390	with ``waeup.local.`` prefix (this is also a convention).
	391
	392	Returns a generator of the found roles.
	393	"""
[7186]	394	for name, item in get_all_roles():
[6157]	395	if not name.startswith('waeup.'):
[7819]	396	# Ignore non-Kofa roles...
[4789]	397	continue
[6157]	398	if not also_local and name.startswith('waeup.local.'):
	399	# Ignore local roles...
[6045]	400	continue
[6157]	401	yield item
[4789]	402
[7186]	403	def get_waeup_role_names():
[7819]	404	"""Get the ids of all Kofa roles.
[6157]	405
[7819]	406	See :func:`get_waeup_roles` for what a 'KofaRole' is.
[6157]	407
[7819]	408	This function returns a sorted list of Kofa role names.
[6157]	409	"""
[7186]	410	return sorted([x.id for x in get_waeup_roles()])
[6157]	411
[6144]	412	class LocalRolesAssignable(grok.Adapter):
	413	"""Default implementation for `ILocalRolesAssignable`.
	414
	415	This adapter returns a list for dictionaries for objects for which
	416	we want to know the roles assignable to them locally.
	417
	418	The returned dicts contain a ``name`` and a ``title`` entry which
	419	give a role (``name``) and a description, for which kind of users
	420	the permission is meant to be used (``title``).
	421
	422	Having this adapter registered we make sure, that for each normal
	423	object we get a valid `ILocalRolesAssignable` adapter.
	424
	425	Objects that want to offer certain local roles, can do so by
[6162]	426	setting a (preferably class-) attribute to a list of role ids.
[6144]	427
	428	You can also define different adapters for different contexts to
	429	have different role lookup mechanisms become available. But in
	430	normal cases it should be sufficient to use this basic adapter.
	431	"""
	432	grok.context(Interface)
	433	grok.provides(ILocalRolesAssignable)
	434
	435	_roles = []
	436
	437	def __init__(self, context):
	438	self.context = context
[6162]	439	role_ids = getattr(context, 'local_roles', self._roles)
[7186]	440	self._roles = [(name, role) for name, role in get_all_roles()
[6162]	441	if name in role_ids]
[6144]	442	return
	443
	444	def __call__(self):
	445	"""Get a list of dictionaries containing ``names`` (the roles to
	446	assign) and ``titles`` (some description of the type of user
	447	to assign each role to).
	448	"""
[7334]	449	list_of_dict = [dict(
[6162]	450	name=name,
	451	title=role.title,
[6163]	452	description=role.description)
[7334]	453	for name, role in self._roles]
	454	return sorted(list_of_dict, key=lambda x: x['name'])
[6144]	455
[8774]	456	def get_all_users():
	457	"""Get a list of dictionaries.
	458	"""
	459	users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
	460	for key, val in users:
	461	yield(dict(name=key, val=val))
	462
[6163]	463	def get_users_with_local_roles(context):
	464	"""Get a list of dicts representing the local roles set for `context`.
	465
	466	Each dict returns `user_name`, `user_title`, `local_role`,
	467	`local_role_title`, and `setting` for each entry in the local
	468	roles map of the `context` object.
	469	"""
[6202]	470	try:
	471	role_map = IPrincipalRoleMap(context)
	472	except TypeError:
	473	# no map no roles.
	474	raise StopIteration
[6163]	475	for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
	476	user = grok.getSite()['users'].get(user_name,None)
[7213]	477	user_title = getattr(user, 'title', user_name)
[10227]	478	local_role_title = getattr(
	479	dict(get_all_roles()).get(local_role, None), 'title', None)
[6163]	480	yield dict(user_name = user_name,
	481	user_title = user_title,
	482	local_role = local_role,
	483	local_role_title = local_role_title,
[9309]	484	setting = setting)
	485
	486	def get_users_with_role(role, context):
	487	"""Get a list of dicts representing the usres who have been granted
	488	a role for `context`.
	489	"""
	490	try:
	491	role_map = IPrincipalRoleMap(context)
	492	except TypeError:
	493	# no map no roles.
	494	raise StopIteration
	495	for user_name, setting in role_map.getPrincipalsForRole(role):
	496	user = grok.getSite()['users'].get(user_name,None)
	497	user_title = getattr(user, 'title', user_name)
	498	user_email = getattr(user, 'email', None)
	499	yield dict(user_name = user_name,
	500	user_title = user_title,
	501	user_email = user_email,
	502	setting = setting)

Note: See TracBrowser for help on using the repository browser.

Download in other formats: