source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 14915

Last change on this file since 14915 was 14734, checked in by Henrik Bettermann, 7 years ago

Add waeup.showStudents permission to ExportManager role.

[14603]1# $Id: permissions.py 14734 2017-07-30 07:54:13Z henrik $
2#
3# Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4# This program is free software; you can redistribute it and/or modify
5# it under the terms of the GNU General Public License as published by
6# the Free Software Foundation; either version 2 of the License, or
7# (at your option) any later version.
8#
9# This program is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12# GNU General Public License for more details.
13#
14# You should have received a copy of the GNU General Public License
15# along with this program; if not, write to the Free Software
16# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17#
[3521]18import grok
[6157]19from zope.component import getUtilitiesFor
[6144]20from zope.interface import Interface
[6163]21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
[7811]22from waeup.kofa.interfaces import ILocalRolesAssignable
[3521]23
[14603]24
class Public(grok.Permission):
    """The Public permission (the everyone-can-do-this permission) is
    applied to views/pages that are meant to be used by everyone.
    """
    # NOTE(review): anything guarded by this permission is reachable by
    # every visitor, so it should only protect views that are safe to
    # expose without a login.
    grok.name('waeup.Public')
[6142]30
[14603]31
class Anonymous(grok.Permission):
    """The Anonymous permission guards views/pages that are dedicated
    to anonymous users only. Users who are logged in can't access
    these views.
    """
    grok.name('waeup.Anonymous')
[4789]38
[14603]39
class Authenticated(grok.Permission):
    """The Authenticated permission guards pages that may only be used
    by logged-in users; anonymous users are kept out.
    """
    grok.name('waeup.Authenticated')
[4789]45
[14603]46
class ViewAcademics(grok.Permission):
    """The ViewAcademics permission guards all views of the Academic
    Section. It is read-only: holders can view content in the Academic
    Section but cannot edit it.
    """
    grok.name('waeup.viewAcademics')
53
[14603]54
class ManageAcademics(grok.Permission):
    """The ManageAcademics permission guards all edit/manage pages in
    the Academic Section. Holders can change/edit context objects.
    """
    grok.name('waeup.manageAcademics')
[4789]61
[14603]62
class ManagePortal(grok.Permission):
    """The ManagePortal permission guards very few pages (e.g. the
    DatacenterSettings page). Only PortalManagers have this permission.

    It also controls the delete methods of container pages in the
    Academic Section. The ManageAcademics permission lets users edit
    content, but it does not let them remove sub-containers such as
    faculties, departments or certificates. Removing entire containers
    requires the ManagePortal permission in addition.
    """
    grok.name('waeup.managePortal')
74
[14603]75
class ManageUsers(grok.Permission):
    """The ManageUsers permission is a real superuser permission and
    therefore very 'dangerous'. It allows to add, remove or edit user
    accounts. Editing a user account includes the option to assign or
    remove roles, so a holder can lock out other users either by
    removing their account or by removing their permissions.
    """
    # NOTE(review): because editing an account includes assigning roles,
    # a holder can presumably also hand out additional roles. Treat a
    # grant of this permission accordingly and review role changes made
    # by its holders.
    grok.name('waeup.manageUsers')
[6142]85
[14603]86
class ShowStudents(grok.Permission):
    """Users with this permission do not necessarily see the 'Students'
    tab, but they can search for students at department, certificate or
    course level. If they hold the ExportData permission as well, they
    can export the data as csv files.

    Bursary or Department Officers don't have the ExportData permission
    (see Roles section); they are only allowed to export bursary or
    payments overview data respectively.
    """
    grok.name('waeup.showStudents')
98
[14603]99
class ClearAllStudents(grok.Permission):
    """The ClearAllStudents permission allows to clear all students of
    a department in one sweep.
    """
    grok.name('waeup.clearAllStudents')
105
[14603]106
class EditScores(grok.Permission):
    """The EditScores permission allows to edit the scores stored in
    course tickets.
    """
    grok.name('waeup.editScores')
111
[14603]112
class TriggerTransition(grok.Permission):
    """The TriggerTransition permission allows to trigger workflow
    transitions of student objects and of document objects.
    """
    grok.name('waeup.triggerTransition')
118
[14603]119
class EditUser(grok.Permission):
    """The EditUser permission is required to edit a single user
    account.
    """
    grok.name('waeup.editUser')
125
[14603]126
class ManageDataCenter(grok.Permission):
    """The ManageDataCenter permission allows to access all pages in
    the Data Center and to upload files. On its own it does not allow
    to process the uploaded data files.
    """
    grok.name('waeup.manageDataCenter')
[6142]133
[14603]134
class ImportData(grok.Permission):
    """The ImportData permission allows to batch process (import) any
    kind of portal data, with the exception of user data: the User Data
    processor additionally requires the ManageUsers permission.
    """
    grok.name('waeup.importData')
141
[14603]142
class ExportData(grok.Permission):
    """The ExportData permission allows to export any kind of portal
    data.
    """
    # NOTE(review): this is the bulk-export permission. Several local
    # roles in this module carry it, so the effective scope depends on
    # where the role is assigned. Confirm the export views honour that.
    grok.name('waeup.exportData')
147
[14603]148
class ExportPaymentsOverview(grok.Permission):
    """Permission registered as ``waeup.exportPaymentsOverview``.

    In this module it is granted to the local DepartmentOfficer role,
    whose docstring says its holders can export payment overviews.
    """
    grok.name('waeup.exportPaymentsOverview')
151
[14603]152
class ExportBursaryData(grok.Permission):
    """Permission registered as ``waeup.exportBursaryData``.

    In this module it is granted to the BursaryOfficer role, whose
    docstring says Bursary Officers can export bursary data.
    """
    grok.name('waeup.exportBursaryData')
155
[14603]156
class ViewTranscript(grok.Permission):
    """Permission registered as ``waeup.viewTranscript``.

    In this module it is listed only in the PortalManager and CCOfficer
    permission sets.
    """
    # NOTE(review): presumably guards viewing of student transcripts;
    # confirm against the views that require it.
    grok.name('waeup.viewTranscript')
159
[14603]160
class ManagePortalConfiguration(grok.Permission):
    """The ManagePortalConfiguration permission allows to edit the
    global and the sessional portal configuration data.
    """
    grok.name('waeup.managePortalConfiguration')
[6155]166
[14603]167
class ManageACBatches(grok.Permission):
    """The ManageACBatches permission allows to view and to manage
    accesscodes.
    """
    grok.name('waeup.manageACBatches')
173
[14603]174
class PutBiometricDataPermission(grok.Permission):
    """This permission allows to upload/change biometric data.

    In this module it is granted to FingerprintReaderDeviceRole only.
    """
    grok.name('waeup.putBiometricData')
179
[14603]180
class GetBiometricDataPermission(grok.Permission):
    """This permission allows to read biometric data.

    In this module it is granted to FingerprintReaderDeviceRole only.
    """
    grok.name('waeup.getBiometricData')
185
186
[6125]187# Local Roles
[12847]188
class ApplicationsManager(grok.Role):
    """The local ApplicationsManager role can be assigned at applicants
    container level and at department level.

    At department level an Applications Manager can manage all
    applicants who desire to study a programme offered by the department
    (1st Choice Course of Study).

    At container level (local) Applications Managers gain permissions
    which allow to manage the container and all applicants inside it.
    At container level the permission set of this local role
    corresponds with the permission set of the same-named global role.
    """
    grok.name('waeup.local.ApplicationsManager')
    grok.title(u'Applications Manager')
    grok.permissions(
        'waeup.viewAcademics',
        'waeup.manageApplication',
        'waeup.viewApplication',
        'waeup.payApplicant',
    )
[10226]205
[14603]206
class DepartmentManager(grok.Role):
    """The local DepartmentManager role can be assigned at faculty or
    department level. It allows to edit all data within this container,
    but it does not automatically allow to remove sub-containers.

    Department Managers (Dean of Faculty or Head of Department
    respectively) can also list student data but not access student
    pages.
    """
    grok.name('waeup.local.DepartmentManager')
    grok.title(u'Department Manager')
    grok.permissions(
        'waeup.manageAcademics',
        'waeup.showStudents',
        'waeup.exportData',
    )
[6142]220
[14603]221
class DepartmentOfficer(grok.Role):
    """The local DepartmentOfficer role can be assigned at faculty or
    department level. It allows to list all student data within the
    faculty/department the local role is assigned.

    Like Department Managers (Dean of Faculty or Head of Department
    respectively), Department Officers can list student data but not
    access student pages. They can furthermore export payment
    overviews.
    """
    grok.name('waeup.local.DepartmentOfficer')
    grok.title(u'Department Officer')
    # No 'waeup.exportData' here: exports are limited to the payments
    # overview permission.
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportPaymentsOverview',
    )
236
[14603]237
class ClearanceOfficer(grok.Role):
    """The local ClearanceOfficer role can be assigned at faculty or
    department level. It allows to list or export all student data
    within the faculty/department the local role is assigned.

    Clearance Officers can furthermore clear all students, or reject
    clearance of all students, in their faculty/department. They get
    the StudentsClearanceOfficer role for this subset of students.
    """
    grok.name('waeup.local.ClearanceOfficer')
    grok.title(u'Clearance Officer')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
        'waeup.clearAllStudents',
    )
[6655]253
[14603]254
class LocalStudentsManager(grok.Role):
    """The local LocalStudentsManager role can be assigned at faculty or
    department level. It allows to view all data and to view or export
    all student data within the faculty/department the local role is
    assigned.

    Local Students Managers can furthermore manage data of students in
    their faculty/department. They get the StudentsManager role for
    this subset of students.
    """
    grok.name('waeup.local.LocalStudentsManager')
    grok.title(u'Students Manager')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
269
[14603]270
class LocalWorkflowManager(grok.Role):
    """The local LocalWorkflowManager role can be assigned at faculty
    level. It allows to view all data and to list or export all student
    data within the faculty the local role is assigned.

    Local Workflow Managers can trigger transition of students in their
    faculty/department. They get the WorkflowManager role for this
    subset of students.
    """
    grok.name('waeup.local.LocalWorkflowManager')
    grok.title(u'Student Workflow Manager')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
285
[14603]286
class UGClearanceOfficer(grok.Role):
    """UG Clearance Officers are regular Clearance Officers with
    restricted dynamic permission assignment: they can only access
    undergraduate students.
    """
    grok.name('waeup.local.UGClearanceOfficer')
    grok.title(u'UG Clearance Officer')
    # Same static permission set as ClearanceOfficer. The restriction to
    # undergraduates is not expressed in this list.
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
        'waeup.clearAllStudents',
    )
[8962]298
[14603]299
class PGClearanceOfficer(grok.Role):
    """PG Clearance Officers are regular Clearance Officers with
    restricted dynamic permission assignment: they can only access
    postgraduate students.
    """
    grok.name('waeup.local.PGClearanceOfficer')
    grok.title(u'PG Clearance Officer')
    # Same static permission set as ClearanceOfficer. The restriction to
    # postgraduates is not expressed in this list.
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
        'waeup.clearAllStudents',
    )
[8962]311
[14603]312
class CourseAdviser100(grok.Role):
    """The local CourseAdviser100 role can be assigned at faculty,
    department or certificate level. It allows to view all data and to
    list or export all student data within the faculty, department or
    certificate the local role is assigned.

    Local Course Advisers can validate or reject course lists of
    students in their faculty/department/certificate at level 100.
    They get the StudentsCourseAdviser role for this subset of students.
    """
    grok.name('waeup.local.CourseAdviser100')
    grok.title(u'Course Adviser 100L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[6655]328
[14603]329
class CourseAdviser200(grok.Role):
    """Local course adviser role for level 200; otherwise the same as
    CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser200')
    grok.title(u'Course Adviser 200L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[7334]338
[14603]339
class CourseAdviser300(grok.Role):
    """Local course adviser role for level 300; otherwise the same as
    CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser300')
    grok.title(u'Course Adviser 300L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[7334]348
[14603]349
class CourseAdviser400(grok.Role):
    """Local course adviser role for level 400; otherwise the same as
    CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser400')
    grok.title(u'Course Adviser 400L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[7334]358
[14603]359
class CourseAdviser500(grok.Role):
    """Local course adviser role for level 500; otherwise the same as
    CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser500')
    grok.title(u'Course Adviser 500L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[7334]368
[14603]369
class CourseAdviser600(grok.Role):
    """Local course adviser role for level 600; otherwise the same as
    CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser600')
    grok.title(u'Course Adviser 600L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[7334]378
[14603]379
class CourseAdviser700(grok.Role):
    """Local course adviser role for level 700; otherwise the same as
    CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser700')
    grok.title(u'Course Adviser 700L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[10064]388
[14603]389
class CourseAdviser800(grok.Role):
    """Local course adviser role for level 800; otherwise the same as
    CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser800')
    grok.title(u'Course Adviser 800L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[10064]398
[14603]399
class Lecturer(grok.Role):
    """The local Lecturer role can be assigned at course level. It
    allows to export some student data within the course the local role
    is assigned. Lecturers can't access student data directly, but they
    can edit the scores in course tickets.
    """
    grok.name('waeup.local.Lecturer')
    grok.title(u'Lecturer')
    # NOTE(review): 'waeup.exportData' is documented on the ExportData
    # permission as allowing export of any kind of portal data. Here it
    # is granted through a local role at course level, so it presumably
    # applies within that course only. Confirm the export views enforce
    # that scope.
    grok.permissions(
        'waeup.editScores',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[9002]411
[14603]412
class Owner(grok.Role):
    """Every user 'owns' her/his own user object and thereby gains the
    permission to edit some of the user attributes.
    """
    grok.name('waeup.local.Owner')
    grok.title(u'Owner')
    grok.permissions(
        'waeup.editUser',
    )
420
[14603]421
[7178]422# Site Roles
class AcademicsOfficer(grok.Role):
    """An Academics Officer can view but not edit data in the academic
    section.

    This is the default role, automatically assigned to all officers of
    the portal. A user with this role can access all display pages at
    faculty, department, course, certificate and certificate course
    level.
    """
    grok.name('waeup.AcademicsOfficer')
    grok.title(u'Academics Officer (view only)')
    grok.permissions(
        'waeup.viewAcademics',
    )
[3521]434
[14603]435
class AcademicsManager(grok.Role):
    """An Academics Manager can view and edit all data in the academic
    section, i.e. access all manage pages at faculty, department,
    course, certificate and certificate course level.
    """
    grok.name('waeup.AcademicsManager')
    grok.title(u'Academics Manager')
    # Plain class attribute carrying the same text as grok.title() above.
    title = u'Academics Manager'
    grok.permissions(
        'waeup.viewAcademics',
        'waeup.manageAcademics',
    )
446
[14603]447
class ACManager(grok.Role):
    """This is the role for Access Code Managers. An AC Manager can
    view and manage the Accesscodes Section, see ManageACBatches
    permission above.
    """
    grok.name('waeup.ACManager')
    grok.title(u'Access Code Manager')
    grok.permissions(
        'waeup.manageACBatches',
    )
456
[14603]457
class DataCenterManager(grok.Role):
    """This single-permission role is dedicated to those users who are
    charged with batch processing of portal data. A Data Center Manager
    can access all pages in the Data Center, see ManageDataCenter
    permission above.
    """
    grok.name('waeup.DataCenterManager')
    grok.title(u'Datacenter Manager')
    grok.permissions(
        'waeup.manageDataCenter',
    )
467
[14603]468
class ImportManager(grok.Role):
    """An Import Manager is a Data Center Manager who is also allowed
    to batch process (import) data. All batch processors (importers)
    are available except for the User Processor, which requires the
    Users Manager role too. The ImportManager role includes the
    DataCenterManager role but not vice versa.
    """
    grok.name('waeup.ImportManager')
    grok.title(u'Import Manager')
    grok.permissions(
        'waeup.manageDataCenter',
        'waeup.importData',
    )
480
[14603]481
class ExportManager(grok.Role):
    """An Export Manager is a Data Center Manager who is also allowed
    to export all kind of portal data. The ExportManager role includes
    the DataCenterManager role but not vice versa.
    """
    grok.name('waeup.ExportManager')
    grok.title(u'Export Manager')
    grok.permissions(
        'waeup.manageDataCenter',
        'waeup.exportData',
        'waeup.showStudents',
    )
[10177]492
[14603]493
class BursaryOfficer(grok.Role):
    """Bursary Officers can export bursary data. They can't access the
    Data Center, but they do see student data export buttons in the
    Academic Section.
    """
    grok.name('waeup.BursaryOfficer')
    grok.title(u'Bursary Officer')
    # No 'waeup.exportData' here: exports are limited to the bursary
    # data permission.
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportBursaryData',
    )
[10246]503
[14603]504
class UsersManager(grok.Role):
    """A Users Manager can add, remove or edit user accounts, see
    ManageUsers permission for further information. Be very careful
    with this role.
    """
    grok.name('waeup.UsersManager')
    grok.title(u'Users Manager')
    grok.permissions(
        'waeup.manageUsers',
        'waeup.editUser',
    )
[8367]514
[14603]515
class WorkflowManager(grok.Role):
    """The Workflow Manager can trigger workflow transitions of student
    and document objects, see TriggerTransition permission for further
    information.
    """
    grok.name('waeup.WorkflowManager')
    grok.title(u'Workflow Manager')
    grok.permissions(
        'waeup.triggerTransition',
    )
524
[14602]525
class FingerprintReaderDeviceRole(grok.Role):
    """Role for Fingerprint Reader Devices.

    Fingerprint readers are remote devices that can store and retrieve
    fingerprint data.
    """
    grok.name('waeup.FingerprintDevice')
    grok.title(u'Fingerprint Reader')
    # This role is the only one in this module that carries the two
    # biometric permissions. It grants both read and write access.
    grok.permissions('waeup.getBiometricData', 'waeup.putBiometricData')
[14602]538
539
class PortalManager(grok.Role):
    """The PortalManager role carries the maximum set of Kofa
    permissions needed to manage the entire portal. This set must not
    be customized. It is recommended to assign this role only to a few
    certified Kofa administrators.

    A less dangerous manager role is the CCOfficer role described
    below. For most tasks the CCOfficer role is sufficient.
    """
    grok.name('waeup.PortalManager')
    grok.title(u'Portal Manager')
    # The CCOfficer role in this module comments out managePortal,
    # manageUsers, manageACBatches, importData, triggerTransition,
    # editUser, loginAsStudent and manageJobs from this set.
    grok.permissions(
        'waeup.managePortal',
        'waeup.manageUsers',
        'waeup.viewAcademics',
        'waeup.manageAcademics',
        'waeup.manageACBatches',
        'waeup.manageDataCenter',
        'waeup.importData',
        'waeup.exportData',
        'waeup.viewTranscript',
        'waeup.viewDocuments',
        'waeup.manageDocuments',
        'waeup.managePortalConfiguration',
        'waeup.viewApplication',
        'waeup.manageApplication',
        'waeup.handleApplication',
        'waeup.viewApplicantsTab',
        'waeup.payApplicant',
        'waeup.viewApplicationStatistics',
        'waeup.viewStudent',
        'waeup.manageStudent',
        'waeup.clearStudent',
        'waeup.payStudent',
        'waeup.clearStudentFinancially',  # not used in base pkg
        'waeup.uploadStudentFile',
        'waeup.showStudents',
        'waeup.clearAllStudents',
        'waeup.editScores',
        'waeup.triggerTransition',
        'waeup.validateStudent',
        'waeup.viewStudentsContainer',
        'waeup.handleAccommodation',
        'waeup.viewHostels',
        'waeup.manageHostels',
        'waeup.editUser',
        'waeup.loginAsStudent',
        'waeup.handleReports',
        'waeup.manageReports',
        'waeup.manageJobs',
    )
[4789]581
[14603]582
class CCOfficer(grok.Role):
    """The role of the Computer Center Officer is basically a copy of
    the PortalManager role. Some 'dangerous' permissions are excluded
    by commenting them out (see source code). If officers need more
    access rights than defined in this role, do not hastily switch to
    the PortalManager role but add further manager roles instead.
    Additional roles could be: UsersManager, ACManager, ImportManager,
    WorkflowManager or StudentImpersonator.

    CCOfficer is a base class, which means that this role is subject to
    customization. It is not used in the ``waeup.kofa`` base package.
    """
    grok.baseclass()
    grok.name('waeup.CCOfficer')
    grok.title(u'Computer Center Officer')
    # Commented-out entries are the PortalManager permissions left out
    # on purpose. 'waeup.clearStudentFinancially' from PortalManager does
    # not appear here at all, neither listed nor commented out.
    grok.permissions(
        # 'waeup.managePortal',
        # 'waeup.manageUsers',
        'waeup.viewAcademics',
        'waeup.manageAcademics',
        # 'waeup.manageACBatches',
        'waeup.manageDataCenter',
        # 'waeup.importData',
        'waeup.exportData',
        'waeup.viewTranscript',
        'waeup.viewDocuments',
        'waeup.manageDocuments',
        'waeup.managePortalConfiguration',
        'waeup.viewApplication',
        'waeup.manageApplication',
        'waeup.handleApplication',
        'waeup.viewApplicantsTab',
        'waeup.payApplicant',
        'waeup.viewApplicationStatistics',
        'waeup.viewStudent',
        'waeup.manageStudent',
        'waeup.clearStudent',
        'waeup.payStudent',
        'waeup.uploadStudentFile',
        'waeup.showStudents',
        'waeup.clearAllStudents',
        'waeup.editScores',
        # 'waeup.triggerTransition',
        'waeup.validateStudent',
        'waeup.viewStudentsContainer',
        'waeup.handleAccommodation',
        'waeup.viewHostels',
        'waeup.manageHostels',
        # 'waeup.editUser',
        # 'waeup.loginAsStudent',
        'waeup.handleReports',
        'waeup.manageReports',
        # 'waeup.manageJobs',
    )
[9259]629
[14603]630
def get_all_roles():
    """Return ``<ROLE-NAME>, <ROLE>`` pairs for every registered role.

    The pairs are whatever ``getUtilitiesFor(IRole)`` returns, i.e. all
    utilities registered for the ``IRole`` interface.
    """
    registered_roles = getUtilitiesFor(IRole)
    return registered_roles
635
[14603]636
def get_waeup_roles(also_local=False):
    """Get all Kofa roles.

    Kofa roles are ordinary roles whose id, by convention, starts with
    a ``waeup.`` prefix.

    Local Kofa roles are those whose id starts with the ``waeup.local.``
    prefix (also a convention). They are only included when
    `also_local` is ``True``; the default is ``False``.

    Returns a generator of the found roles.
    """
    for role_name, role in get_all_roles():
        is_kofa_role = role_name.startswith('waeup.')
        is_local_role = role_name.startswith('waeup.local.')
        # Keep Kofa roles only; local ones only on request.
        if is_kofa_role and (also_local or not is_local_role):
            yield role
[4789]657
[14603]658
def get_waeup_role_names():
    """Get the ids of all Kofa roles.

    See :func:`get_waeup_roles` for what a 'KofaRole' is. Local roles
    are not included because that function is called with its default
    arguments.

    Returns a sorted list of Kofa role names.
    """
    role_ids = [role.id for role in get_waeup_roles()]
    role_ids.sort()
    return role_ids
[6157]667
[14603]668
class LocalRolesAssignable(grok.Adapter):
    """Default implementation for `ILocalRolesAssignable`.

    This adapter returns a list of dictionaries for objects for which
    we want to know the roles assignable to them locally.

    Each returned dict contains a ``name`` and a ``title`` entry which
    give a role (``name``) and a description of the kind of users the
    permission is meant for (``title``).

    Registering this adapter for `Interface` makes sure that each
    normal object gets a valid `ILocalRolesAssignable` adapter.

    Objects that want to offer certain local roles can do so by setting
    a (preferably class-) attribute ``local_roles`` to a list of role
    ids.

    You can also define different adapters for different contexts to
    make different role lookup mechanisms available. In normal cases it
    should be sufficient to use this basic adapter.
    """
    # NOTE(review): this adapter only lists candidate roles. Nothing
    # here checks whether the current principal may assign them, so that
    # check presumably has to happen in the calling view.
    grok.context(Interface)
    grok.provides(ILocalRolesAssignable)

    # Class-level fallback used when the context offers no local roles.
    _roles = []

    def __init__(self, context):
        """Collect the registered roles whose name is offered by
        `context` through its ``local_roles`` attribute.
        """
        self.context = context
        offered_ids = getattr(context, 'local_roles', self._roles)
        matching = []
        for role_name, role in get_all_roles():
            if role_name in offered_ids:
                matching.append((role_name, role))
        # Rebinds the attribute on the instance; the class-level list is
        # left untouched.
        self._roles = matching

    def __call__(self):
        """Get a list of dictionaries containing ``names`` (the roles to
        assign) and ``titles`` (some description of the type of user
        to assign each role to), sorted by role name.
        """
        entries = []
        for role_name, role in self._roles:
            entries.append(dict(
                name=role_name,
                title=role.title,
                description=role.description))
        entries.sort(key=lambda entry: entry['name'])
        return entries
[6144]712
[14603]713
def get_all_users():
    """Yield one dictionary per user account of the current site.

    The accounts are taken from the ``users`` container of the site
    and are ordered by their ``title``. Each dict holds the container
    key as ``name`` and the account object as ``val``.
    """
    accounts = grok.getSite()['users'].items()
    for user_id, account in sorted(accounts, key=lambda pair: pair[1].title):
        yield dict(name=user_id, val=account)
720
[14603]721
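def get_users_with_local_roles(context):
    """Yield dicts representing the local roles set for `context`.

    Each dict holds `user_name`, `user_title`, `local_role`,
    `local_role_title`, and `setting` for one entry in the local
    roles map of the `context` object.

    If `context` cannot be adapted to ``IPrincipalRoleMap``, nothing is
    yielded.

    `setting` is passed through unchanged. In zope.securitypolicy a
    role map entry may be a denial as well as a grant, so callers
    should inspect it rather than treat every entry as a granted role.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No map, no roles. A plain ``return`` ends the generator;
        # ``raise StopIteration`` inside a generator is turned into a
        # RuntimeError by Python 3.7+ (PEP 479).
        return
    # Build the name -> role lookup once instead of once per entry.
    roles_by_name = dict(get_all_roles())
    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
        user = grok.getSite()['users'].get(user_name, None)
        # Fall back to the bare id when the account no longer exists.
        user_title = getattr(user, 'title', user_name)
        local_role_title = getattr(
            roles_by_name.get(local_role, None), 'title', None)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   local_role=local_role,
                   local_role_title=local_role_title,
                   setting=setting)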
[9309]744
[14603]745
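def get_users_with_role(role, context):
    """Yield dicts representing the users who have an entry for `role`
    in the local roles map of `context`.

    Each dict holds `user_name`, `user_title`, `user_email` and
    `setting`. If `context` cannot be adapted to ``IPrincipalRoleMap``,
    nothing is yielded.

    `setting` is passed through unchanged. In zope.securitypolicy a
    role map entry may be a denial as well as a grant, so callers
    should inspect it rather than treat every entry as a granted role.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No map, no roles. A plain ``return`` ends the generator;
        # ``raise StopIteration`` inside a generator is turned into a
        # RuntimeError by Python 3.7+ (PEP 479).
        return
    for user_name, setting in role_map.getPrincipalsForRole(role):
        user = grok.getSite()['users'].get(user_name, None)
        # Fall back to the bare id / no email when the account no longer
        # exists in the users container.
        user_title = getattr(user, 'title', user_name)
        user_email = getattr(user, 'email', None)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   user_email=user_email,
                   setting=setting)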