source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 13766

Last change on this file since 13766 was 13763, checked in by Henrik Bettermann, 9 years ago

Be more precise.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 26.6 KB
RevLine 
[7193]1## $Id: permissions.py 13763 2016-03-07 08:55:58Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
[3521]18import grok
[6157]19from zope.component import getUtilitiesFor
[6144]20from zope.interface import Interface
[6163]21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
[7811]22from waeup.kofa.interfaces import ILocalRolesAssignable
[3521]23
[4789]24class Public(grok.Permission):
[12844]25    """The Public or everyone-can-do-this-permission is being applied
26    to views/pages that are used by everyone.
[4789]27    """
28    grok.name('waeup.Public')
[6142]29
[5433]30class Anonymous(grok.Permission):
[12843]31    """The Anonymous permission is applied to
[12844]32    views/pages which are dedicated to anonymous users only.
33    Logged-in users can't access these views.
[5433]34    """
[6142]35    grok.name('waeup.Anonymous')
[4789]36
[7184]37class Authenticated(grok.Permission):
[12843]38    """The Authenticated permission is applied to pages
[12835]39    which can only be used by logged-in users and not by anonymous users.
[7184]40    """
41    grok.name('waeup.Authenticated')
[4789]42
[12835]43class ViewAcademics(grok.Permission):
[12843]44    """The ViewAcademics permission is applied to all
[12835]45    views of the Academic Section. Users with this permission can view but
46    not edit content in the Academic Section.
47    """
[7184]48    grok.name('waeup.viewAcademics')
49
[12835]50class ManageAcademics(grok.Permission):
[12844]51    """The ManageAcademics permission is applied to all edit/manage
[12835]52    pages in the Academic Section. Users who have this permission
53    can change/edit context objects.
54    """
[8367]55    grok.name('waeup.manageAcademics')
[4789]56
[8367]57class ManagePortal(grok.Permission):
[12843]58    """The ManagePortal permission is used for very few pages
[12844]59    (e.g. the DatacenterSettings page). Only PortalManagers have this
60    permission. It is furthermore used to control delete methods of container
[12843]61    pages in the Academic Section. The ManageAcademics permission,
[12835]62    described above, does enable users to edit content but not to
63    remove sub-containers, like faculties, departments or certificates.
[12843]64    Users must have the ManagePortal permission too to remove
[12835]65    entire containers.
66    """
[8367]67    grok.name('waeup.managePortal')
68
[4789]69class ManageUsers(grok.Permission):
[12843]70    """The ManageUsers permission is a real superuser permission
[12835]71    and therefore very 'dangerous'. It allows to add, remove or edit
72    user accounts. Editing a user account includes the option to assign
73    or remove roles. That means that a user with this permission can lock out
[12844]74    other users by either removing their account or by removing
75    permissions.
[12835]76    """
[4789]77    grok.name('waeup.manageUsers')
[6142]78
[7205]79class ShowStudents(grok.Permission):
[12843]80    """Users with this permission do not neccessarily see the 'Students' tab
81    but they can search for students at department, certificate or course
82    level. If they additionally have the ExportData permission they can
83    export the data as csv files.
[12835]84
[12844]85    Bursary or Department Officers don't have the ExportData
[12835]86    permission (see Roles section) and are only allowed to export bursary
87    or payments overview data respectively.
88    """
[7205]89    grok.name('waeup.showStudents')
90
[11862]91class ClearAllStudents(grok.Permission):
[12843]92    """The ClearAllStudents permission allows to clear all students
[12844]93    in a department at one sweep.
[12835]94    """
[11862]95    grok.name('waeup.clearAllStudents')
96
[10632]97class EditScores(grok.Permission):
[12843]98    """The EditScores permission allows to edit scores in course tickets.
[12835]99    """
[10632]100    grok.name('waeup.editScores')
101
[12843]102class TriggerTransition(grok.Permission):
103    """The TriggerTransition permission allows to trigger workflow transitions
104    of student and document objects.
105    """
106    grok.name('waeup.triggerTransition')
107
[7163]108class EditUser(grok.Permission):
[12843]109    """The EditUser permission is required for editing
[12835]110    single user accounts.
111    """
[7163]112    grok.name('waeup.editUser')
113
[6127]114class ManageDataCenter(grok.Permission):
[12843]115    """The ManageDataCenter permission allows to access all pages
[12844]116    in the Data Center and to upload files. It does not automatically
[12847]117    allow to process uploaded data files.
[12835]118    """
[6127]119    grok.name('waeup.manageDataCenter')
[6142]120
[8367]121class ImportData(grok.Permission):
[12843]122    """The ImportData permission allows to batch process (import) any kind of
[12847]123    portal data except for user data. The User Data processor
[12844]124    requires also the ManageUsers permission.
[12835]125    """
[8367]126    grok.name('waeup.importData')
127
[10177]128class ExportData(grok.Permission):
[12844]129    """The ExportData permission allows to export any kind of portal data.
[12835]130    """
[10177]131    grok.name('waeup.exportData')
132
[10279]133class ExportPaymentsOverview(grok.Permission):
134    grok.name('waeup.exportPaymentsOverview')
135
136class ExportBursaryData(grok.Permission):
137    grok.name('waeup.exportBursaryData')
138
[10278]139class ViewTranscript(grok.Permission):
140    grok.name('waeup.viewTranscript')
141
[6907]142class ManagePortalConfiguration(grok.Permission):
[12843]143    """The ManagePortalConfiguration permission allows to
[12835]144    edit global and sessional portal configuration data.
145    """
[6907]146    grok.name('waeup.managePortalConfiguration')
[6155]147
[7181]148class ManageACBatches(grok.Permission):
[12843]149    """The ManageACBatches permission allows to view and
[12835]150    manage accesscodes.
151    """
[7181]152    grok.name('waeup.manageACBatches')
153
[11673]154class PutBiometricDataPermission(grok.Permission):
[12835]155    """This permission allows to upload/change biometric data.
[11673]156    """
157    grok.name('waeup.putBiometricData')
158
[11665]159class GetBiometricDataPermission(grok.Permission):
[12835]160    """This permission allows to read biometric data.
[11665]161    """
162    grok.name('waeup.getBiometricData')
163
164
[6125]165# Local Roles
[12847]166
[10226]167class ApplicationsManager(grok.Role):
[13570]168    """The local ApplicationsManager role can be assigned at applicants
169    container and at department level. At department level an Applications
170    Manager can manage all applicants which desire to study a programme
171    offered by the department (1st Choice Course of Study).
172
173    At container level (local) Applications Managers gain permissions
174    which allow to manage the container and all applicants inside the container.
175    At container level the permission set of this local role corresonds with
176    the permission set of the same-named global role.
[12843]177    """
[10226]178    grok.name('waeup.local.ApplicationsManager')
179    grok.title(u'Applications Manager')
[13570]180    grok.permissions('waeup.viewAcademics',
181                     'waeup.manageApplication', 'waeup.viewApplication',
182                     'waeup.payApplicant')
[10226]183
[7185]184class DepartmentManager(grok.Role):
[12847]185    """The local DepartmentManager role can be assigned at faculty or
186    department level. The role allows to edit all data within this container.
187    It does not automatically allow to remove sub-containers.
188
189    Department Managers (Dean of Faculty or Head of Department respectively)
190    can also list student data but not access student pages.
[12843]191    """
[7185]192    grok.name('waeup.local.DepartmentManager')
193    grok.title(u'Department Manager')
[10248]194    grok.permissions('waeup.manageAcademics',
195                     'waeup.showStudents',
196                     'waeup.exportData')
[6142]197
[10279]198class DepartmentOfficer(grok.Role):
[12847]199    """The local DepartmentOfficer role can be assigned at faculty or
200    department level. The role allows to list all student data within the
201    faculty/department the local role is assigned.
202
203    Department Managers (Dean of Faculty or Head of Department respectively)
204    can also list student data but not access student pages. They can
205    furthermore export payment overviews.
[12843]206    """
[10279]207    grok.name('waeup.local.DepartmentOfficer')
208    grok.title(u'Department Officer')
209    grok.permissions('waeup.showStudents',
210                     'waeup.viewAcademics',
211                     'waeup.exportPaymentsOverview')
212
[6655]213class ClearanceOfficer(grok.Role):
[12847]214    """The local ClearanceOfficer role can be assigned at faculty or
215    department level. The role allows to list or export all student
216    data within the faculty/department the local role is assigned.
217
218    Clearance Officers can furthermore clear all students or reject clearance
219    of all students in their faculty/department. They get the
220    StudentsClearanceOfficer role for this subset of students.
[7168]221    """
[6655]222    grok.name('waeup.local.ClearanceOfficer')
223    grok.title(u'Clearance Officer')
[10248]224    grok.permissions('waeup.showStudents',
225                     'waeup.viewAcademics',
[11862]226                     'waeup.exportData',
227                     'waeup.clearAllStudents')
[6655]228
[10639]229class LocalStudentsManager(grok.Role):
[12847]230    """The local LocalStudentsManager role can be assigned at faculty or
231    department level. The role allows to view all data and to view or export
232    all student data within the faculty/department the local role is assigned.
233
234    Local Students Managers can furthermore manage data of students
235    in their faculty/department. They get the StudentsManager role for
236    this subset of students.
[10639]237    """
238    grok.name('waeup.local.LocalStudentsManager')
239    grok.title(u'Students Manager')
240    grok.permissions('waeup.showStudents',
241                     'waeup.viewAcademics',
242                     'waeup.exportData')
243
244class LocalWorkflowManager(grok.Role):
[12847]245    """The local LocalWorkflowManager role can be assigned at faculty level.
246    The role allows to view all data and to list or export
247    all student data within the faculty the local role is assigned.
248
249    Local Workflow Managers can trigger transition of students in their
250    faculty/department. They get the WorkflowManager role for
251    this subset of students.
[10639]252    """
253    grok.name('waeup.local.LocalWorkflowManager')
254    grok.title(u'Student Workflow Manager')
255    grok.permissions('waeup.showStudents',
256                     'waeup.viewAcademics',
257                     'waeup.exportData')
258
[8962]259class UGClearanceOfficer(grok.Role):
[12847]260    """UG Clearance Officers are regular Clearance Officers with restricted
261    dynamic permission assignment. They can only access undergraduate
262    students.
[8962]263    """
264    grok.name('waeup.local.UGClearanceOfficer')
265    grok.title(u'UG Clearance Officer')
[10248]266    grok.permissions('waeup.showStudents',
267                     'waeup.viewAcademics',
[11862]268                     'waeup.exportData',
269                     'waeup.clearAllStudents')
[8962]270
271class PGClearanceOfficer(grok.Role):
[12847]272    """PG Clearance Officers are regular Clearance Officers with restricted
273    dynamic permission assignment. They can only access postgraduate
274    students.
[8962]275    """
276    grok.name('waeup.local.PGClearanceOfficer')
277    grok.title(u'PG Clearance Officer')
[10248]278    grok.permissions('waeup.showStudents',
279                     'waeup.viewAcademics',
[11862]280                     'waeup.exportData',
281                     'waeup.clearAllStudents')
[8962]282
[7334]283class CourseAdviser100(grok.Role):
[12847]284    """The local CourseAdviser100 role can be assigned at faculty,
285    department or certificate level. The role allows to view all data and
286    to list or export all student data within the faculty, department
287    or certificate the local role is assigned.
288
289    Local Course Advisers can validate or reject course lists of students
290    in ther faculty/department/certificate at level 100.
291    They get the StudentsCourseAdviser role for this subset of students.
[7168]292    """
[7334]293    grok.name('waeup.local.CourseAdviser100')
294    grok.title(u'Course Adviser 100L')
[10248]295    grok.permissions('waeup.showStudents',
296                     'waeup.viewAcademics',
297                     'waeup.exportData')
[6655]298
[7334]299class CourseAdviser200(grok.Role):
[12847]300    """Same as CourseAdviser100 but for level 200.
[7334]301    """
302    grok.name('waeup.local.CourseAdviser200')
303    grok.title(u'Course Adviser 200L')
[10248]304    grok.permissions('waeup.showStudents',
305                     'waeup.viewAcademics',
306                     'waeup.exportData')
[7334]307
308class CourseAdviser300(grok.Role):
[12847]309    """Same as CourseAdviser100 but for level 300.
[7334]310    """
311    grok.name('waeup.local.CourseAdviser300')
312    grok.title(u'Course Adviser 300L')
[10248]313    grok.permissions('waeup.showStudents',
314                     'waeup.viewAcademics',
315                     'waeup.exportData')
[7334]316
317class CourseAdviser400(grok.Role):
[12847]318    """Same as CourseAdviser100 but for level 400.
[7334]319    """
320    grok.name('waeup.local.CourseAdviser400')
321    grok.title(u'Course Adviser 400L')
[10248]322    grok.permissions('waeup.showStudents',
323                     'waeup.viewAcademics',
324                     'waeup.exportData')
[7334]325
326class CourseAdviser500(grok.Role):
[12847]327    """Same as CourseAdviser100 but for level 500.
[7334]328    """
329    grok.name('waeup.local.CourseAdviser500')
330    grok.title(u'Course Adviser 500L')
[10248]331    grok.permissions('waeup.showStudents',
332                     'waeup.viewAcademics',
333                     'waeup.exportData')
[7334]334
335class CourseAdviser600(grok.Role):
[12847]336    """Same as CourseAdviser100 but for level 600.
[7334]337    """
338    grok.name('waeup.local.CourseAdviser600')
339    grok.title(u'Course Adviser 600L')
[10248]340    grok.permissions('waeup.showStudents',
341                     'waeup.viewAcademics',
342                     'waeup.exportData')
[7334]343
[10064]344class CourseAdviser700(grok.Role):
[12847]345    """Same as CourseAdviser100 but for level 700.
[10064]346    """
347    grok.name('waeup.local.CourseAdviser700')
348    grok.title(u'Course Adviser 700L')
[10248]349    grok.permissions('waeup.showStudents',
350                     'waeup.viewAcademics',
351                     'waeup.exportData')
[10064]352
353class CourseAdviser800(grok.Role):
[12847]354    """Same as CourseAdviser100 but for level 800.
[10064]355    """
356    grok.name('waeup.local.CourseAdviser800')
357    grok.title(u'Course Adviser 800L')
[10248]358    grok.permissions('waeup.showStudents',
359                     'waeup.viewAcademics',
360                     'waeup.exportData')
[10064]361
[9002]362class Lecturer(grok.Role):
[12847]363    """The local Lecturer role can be assigned at course level.
[13763]364    The role allows to export student
[13046]365    data within the course the local role is assigned. Lecturers can't access
[12847]366    student data directly but they can edit the scores in course tickets.
[9002]367    """
368    grok.name('waeup.local.Lecturer')
369    grok.title(u'Lecturer')
[10248]370    grok.permissions('waeup.showStudents',
[10632]371                     'waeup.editScores',
[10248]372                     'waeup.viewAcademics',
373                     'waeup.exportData')
[9002]374
[7163]375class Owner(grok.Role):
[12847]376    """Each user 'owns' her/his user object and gains permission to edit
377    some of the user attributes.
378    """
[7163]379    grok.name('waeup.local.Owner')
380    grok.title(u'Owner')
381    grok.permissions('waeup.editUser')
382
[7178]383# Site Roles
[12847]384
[7185]385class AcademicsOfficer(grok.Role):
[12844]386    """An Academics Officer can view but not edit data in the
[12862]387    academic section.
[12843]388
389    This is the default role which is automatically assigned to all
390    officers of the portal. A user with this role can access all display pages
391    at faculty, department, course, certificate and certificate course level.
392    """
[7185]393    grok.name('waeup.AcademicsOfficer')
[7188]394    grok.title(u'Academics Officer (view only)')
[7184]395    grok.permissions('waeup.viewAcademics')
[3521]396
[8367]397class AcademicsManager(grok.Role):
[12843]398    """An Academics Manager can view and edit all data in the
[12862]399    scademic section, i.e. access all manage pages
[12843]400    at faculty, department, course, certificate and certificate course level.
401    """
[8367]402    grok.name('waeup.AcademicsManager')
403    grok.title(u'Academics Manager')
[12835]404    title = u'Academics Manager'
[8367]405    grok.permissions('waeup.viewAcademics',
406                     'waeup.manageAcademics')
407
[7181]408class ACManager(grok.Role):
[12843]409    """This is the role for Access Code Managers.
[12847]410    An AC Manager can view and manage the Accesscodes Section, see
[12844]411    ManageACBatches permission above.
[12843]412    """
[7181]413    grok.name('waeup.ACManager')
414    grok.title(u'Access Code Manager')
415    grok.permissions('waeup.manageACBatches')
416
[8367]417class DataCenterManager(grok.Role):
[12843]418    """This single-permission role is dedicated to those users
419    who are charged with batch processing of portal data.
[12847]420    A Data Center Manager can access all pages in the Data Center,
[12844]421    see ManageDataCenter permission above.
[12843]422    """
[8367]423    grok.name('waeup.DataCenterManager')
424    grok.title(u'Datacenter Manager')
425    grok.permissions('waeup.manageDataCenter')
426
427class ImportManager(grok.Role):
[12847]428    """An Import Manager is a Data Center Manager who is also allowed
[12843]429    to batch process (import) data. All batch processors (importers) are
430    available except for the User Processor. This processor requires the
[12847]431    Users Manager role too. The ImportManager role includes the
[12844]432    DataCenterManager role but not vice versa.
[12843]433    """
[8367]434    grok.name('waeup.ImportManager')
435    grok.title(u'Import Manager')
436    grok.permissions('waeup.manageDataCenter',
437                     'waeup.importData')
438
[10177]439class ExportManager(grok.Role):
[12847]440    """An Export Manager is a Data Center Manager who is also allowed
[12843]441    to export all kind of portal data. The ExportManager role includes the
[12844]442    DataCenterManager role but not vice versa.
[12843]443    """
[10177]444    grok.name('waeup.ExportManager')
445    grok.title(u'Export Manager')
446    grok.permissions('waeup.manageDataCenter',
447                     'waeup.exportData')
448
[10246]449class BursaryOfficer(grok.Role):
[12847]450    """Bursary Officers can export bursary data. They can't access the
[12844]451    Data Center but see student data export buttons in the Academic Section.
[12843]452    """
[10246]453    grok.name('waeup.BursaryOfficer')
454    grok.title(u'Bursary Officer')
[10279]455    grok.permissions('waeup.showStudents',
456                     'waeup.viewAcademics',
457                     'waeup.exportBursaryData')
[10246]458
[8367]459class UsersManager(grok.Role):
[12847]460    """A Users Manager can add, remove or edit
[12844]461    user accounts, see ManageUsers permission for further information.
462    Be very careful with this role.
[12843]463    """
[8367]464    grok.name('waeup.UsersManager')
465    grok.title(u'Users Manager')
[9259]466    grok.permissions('waeup.manageUsers',
467                     'waeup.editUser')
[8367]468
[9300]469class WorkflowManager(grok.Role):
[12847]470    """The Workflow Manager can trigger workflow transitions
[12844]471    of student and document objects, see TriggerTransition permission
472    for further information.
[12843]473    """
[9300]474    grok.name('waeup.WorkflowManager')
475    grok.title(u'Workflow Manager')
[9299]476    grok.permissions('waeup.triggerTransition')
477
[4789]478class PortalManager(grok.Role):
[12847]479    """The PortalManager role is the maximum set of Kofa permissions
[12835]480    which are needed to manage the entire portal. This set must not
[12844]481    be customized. It is recommended to assign this role only
482    to a few certified Kofa administrators.
483    A less dangerous manager role is the CCOfficer role described below.
484    For the most tasks the CCOfficer role is sufficient.
[12835]485    """
[4789]486    grok.name('waeup.PortalManager')
[6159]487    grok.title(u'Portal Manager')
[9259]488    grok.permissions('waeup.managePortal',
489                     'waeup.manageUsers',
[8374]490                     'waeup.viewAcademics', 'waeup.manageAcademics',
[8367]491                     'waeup.manageACBatches',
[9259]492                     'waeup.manageDataCenter',
493                     'waeup.importData',
[10177]494                     'waeup.exportData',
[10278]495                     'waeup.viewTranscript',
[12440]496                     'waeup.viewDocuments', 'waeup.manageDocuments',
[7184]497                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
498                     'waeup.manageApplication', 'waeup.handleApplication',
[7250]499                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
[8565]500                     'waeup.viewApplicationStatistics',
[7250]501                     'waeup.viewStudent', 'waeup.manageStudent',
502                     'waeup.clearStudent', 'waeup.payStudent',
[13622]503                     'waeup.clearStudentFinancially',  # not used in base package
[7250]504                     'waeup.uploadStudentFile', 'waeup.showStudents',
[11862]505                     'waeup.clearAllStudents',
[10632]506                     'waeup.editScores',
[9273]507                     'waeup.triggerTransition',
[12843]508                     'waeup.viewStudentsContainer',
[9186]509                     'waeup.handleAccommodation',
[7205]510                     'waeup.viewHostels', 'waeup.manageHostels',
[9335]511                     'waeup.editUser',
[9637]512                     'waeup.loginAsStudent',
[12900]513                     'waeup.handleReports',
[9637]514                     'waeup.manageReports',
[9645]515                     'waeup.manageJobs',
[7240]516                     )
[4789]517
[9259]518class CCOfficer(grok.Role):
[12843]519    """The role of the Computer Center Officer is basically a copy
[12835]520    of the the PortalManager role. Some 'dangerous' permissions are excluded
521    by commenting them out (see source code). If officers need to gain more
522    access rights than defined in this role, do not hastily switch to the
[12843]523    PortalManager role but add further manager roles instead. Additional
[12835]524    roles could be: UsersManager, ACManager, ImportManager, WorkflowManager
525    or StudentImpersonator.
[12843]526
[12844]527    CCOfficer is a base class which means that this role is subject to
528    customization. It is not used in the ``waeup.kofa`` base package.
[9259]529    """
[10346]530    grok.baseclass()
[9259]531    grok.name('waeup.CCOfficer')
532    grok.title(u'Computer Center Officer')
533    grok.permissions(#'waeup.managePortal',
534                     #'waeup.manageUsers',
535                     'waeup.viewAcademics', 'waeup.manageAcademics',
536                     #'waeup.manageACBatches',
537                     'waeup.manageDataCenter',
538                     #'waeup.importData',
[10243]539                     'waeup.exportData',
[10278]540                     'waeup.viewTranscript',
[12440]541                     'waeup.viewDocuments', 'waeup.manageDocuments',
[9259]542                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
543                     'waeup.manageApplication', 'waeup.handleApplication',
544                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
545                     'waeup.viewApplicationStatistics',
546                     'waeup.viewStudent', 'waeup.manageStudent',
547                     'waeup.clearStudent', 'waeup.payStudent',
548                     'waeup.uploadStudentFile', 'waeup.showStudents',
[11862]549                     'waeup.clearAllStudents',
[10632]550                     'waeup.editScores',
[9273]551                     #'waeup.triggerTransition',
[12843]552                     'waeup.viewStudentsContainer',
[9259]553                     'waeup.handleAccommodation',
554                     'waeup.viewHostels', 'waeup.manageHostels',
[9335]555                     #'waeup.editUser',
[9637]556                     #'waeup.loginAsStudent',
[12900]557                     'waeup.handleReports',
[9637]558                     'waeup.manageReports',
[9645]559                     #'waeup.manageJobs',
[9259]560                     )
561
[7186]562def get_all_roles():
[6157]563    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
564    """
565    return getUtilitiesFor(IRole)
566
[7186]567def get_waeup_roles(also_local=False):
[7819]568    """Get all Kofa roles.
[6157]569
[7819]570    Kofa roles are ordinary roles whose id by convention starts with
[6157]571    a ``waeup.`` prefix.
572
573    If `also_local` is ``True`` (``False`` by default), also local
[7819]574    roles are returned. Local Kofa roles are such whose id starts
[6157]575    with ``waeup.local.`` prefix (this is also a convention).
576
577    Returns a generator of the found roles.
578    """
[7186]579    for name, item in get_all_roles():
[6157]580        if not name.startswith('waeup.'):
[7819]581            # Ignore non-Kofa roles...
[4789]582            continue
[6157]583        if not also_local and name.startswith('waeup.local.'):
584            # Ignore local roles...
[6045]585            continue
[6157]586        yield item
[4789]587
[7186]588def get_waeup_role_names():
[7819]589    """Get the ids of all Kofa roles.
[6157]590
[7819]591    See :func:`get_waeup_roles` for what a 'KofaRole' is.
[6157]592
[7819]593    This function returns a sorted list of Kofa role names.
[6157]594    """
[7186]595    return sorted([x.id for x in get_waeup_roles()])
[6157]596
[6144]597class LocalRolesAssignable(grok.Adapter):
598    """Default implementation for `ILocalRolesAssignable`.
599
600    This adapter returns a list for dictionaries for objects for which
601    we want to know the roles assignable to them locally.
602
603    The returned dicts contain a ``name`` and a ``title`` entry which
604    give a role (``name``) and a description, for which kind of users
605    the permission is meant to be used (``title``).
606
607    Having this adapter registered we make sure, that for each normal
608    object we get a valid `ILocalRolesAssignable` adapter.
609
610    Objects that want to offer certain local roles, can do so by
[6162]611    setting a (preferably class-) attribute to a list of role ids.
[6144]612
613    You can also define different adapters for different contexts to
614    have different role lookup mechanisms become available. But in
615    normal cases it should be sufficient to use this basic adapter.
616    """
617    grok.context(Interface)
618    grok.provides(ILocalRolesAssignable)
619
620    _roles = []
621
622    def __init__(self, context):
623        self.context = context
[6162]624        role_ids = getattr(context, 'local_roles', self._roles)
[7186]625        self._roles = [(name, role) for name, role in get_all_roles()
[6162]626                       if name in role_ids]
[6144]627        return
628
629    def __call__(self):
630        """Get a list of dictionaries containing ``names`` (the roles to
631        assign) and ``titles`` (some description of the type of user
632        to assign each role to).
633        """
[7334]634        list_of_dict = [dict(
[6162]635                name=name,
636                title=role.title,
[6163]637                description=role.description)
[7334]638                for name, role in self._roles]
639        return sorted(list_of_dict, key=lambda x: x['name'])
[6144]640
[8774]641def get_all_users():
642    """Get a list of dictionaries.
643    """
644    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
645    for key, val in users:
646        yield(dict(name=key, val=val))
647
[6163]648def get_users_with_local_roles(context):
649    """Get a list of dicts representing the local roles set for `context`.
650
651    Each dict returns `user_name`, `user_title`, `local_role`,
652    `local_role_title`, and `setting` for each entry in the local
653    roles map of the `context` object.
654    """
[6202]655    try:
656        role_map = IPrincipalRoleMap(context)
657    except TypeError:
658        # no map no roles.
659        raise StopIteration
[6163]660    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
661        user = grok.getSite()['users'].get(user_name,None)
[7213]662        user_title = getattr(user, 'title', user_name)
[10227]663        local_role_title = getattr(
664            dict(get_all_roles()).get(local_role, None), 'title', None)
[6163]665        yield dict(user_name = user_name,
666                   user_title = user_title,
667                   local_role = local_role,
668                   local_role_title = local_role_title,
[9309]669                   setting = setting)
670
671def get_users_with_role(role, context):
672    """Get a list of dicts representing the usres who have been granted
673    a role for `context`.
674    """
675    try:
676        role_map = IPrincipalRoleMap(context)
677    except TypeError:
678        # no map no roles.
679        raise StopIteration
680    for user_name, setting in role_map.getPrincipalsForRole(role):
681        user = grok.getSite()['users'].get(user_name,None)
682        user_title = getattr(user, 'title', user_name)
683        user_email = getattr(user, 'email', None)
684        yield dict(user_name = user_name,
685                   user_title = user_title,
686                   user_email = user_email,
687                   setting = setting)
Note: See TracBrowser for help on using the repository browser.