source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 17868

Last change on this file since 17868 was 17860, checked in by Henrik Bettermann, 5 months ago

Extend roles.

[14603]1# $Id: permissions.py 17860 2024-07-27 06:15:39Z henrik $
2#
3# Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4# This program is free software; you can redistribute it and/or modify
5# it under the terms of the GNU General Public License as published by
6# the Free Software Foundation; either version 2 of the License, or
7# (at your option) any later version.
8#
9# This program is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12# GNU General Public License for more details.
13#
14# You should have received a copy of the GNU General Public License
15# along with this program; if not, write to the Free Software
16# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17#
[3521]18import grok
[6157]19from zope.component import getUtilitiesFor
[6144]20from zope.interface import Interface
[6163]21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
[7811]22from waeup.kofa.interfaces import ILocalRolesAssignable
[3521]23
[14603]24
class Public(grok.Permission):
    """Permission for views/pages that are used by everyone.

    This is the everyone-can-do-this permission.
    """
    grok.name('waeup.Public')
[6142]30
[14603]31
class Anonymous(grok.Permission):
    """Permission for views/pages dedicated to anonymous users only.

    Logged-in users can't access views protected by this permission.
    """
    grok.name('waeup.Anonymous')
[4789]38
[14603]39
class Authenticated(grok.Permission):
    """Permission for pages which can only be used by logged-in users.

    Anonymous users can't use pages protected by this permission.
    """
    grok.name('waeup.Authenticated')
[4789]45
[14603]46
class ViewAcademics(grok.Permission):
    """Permission applied to all views of the Academic Section.

    Users with this permission can view but not edit content in the
    Academic Section.
    """
    grok.name('waeup.viewAcademics')
53
[14603]54
class ManageAcademics(grok.Permission):
    """Permission applied to all edit/manage pages in the Academic Section.

    Users who have this permission can change/edit context objects.
    """
    grok.name('waeup.manageAcademics')
[4789]61
[14603]62
class ManagePortal(grok.Permission):
    """Permission used for very few pages (e.g. the DatacenterSettings page).

    Only PortalManagers have this permission. It is furthermore used to
    control the delete methods of container pages in the Academic Section:
    the ManageAcademics permission enables users to edit content but not
    to remove sub-containers, like faculties, departments or certificates.
    To remove entire containers users must have the ManagePortal
    permission too.
    """
    grok.name('waeup.managePortal')
74
[14603]75
class ManageUsers(grok.Permission):
    """A real superuser permission and therefore very 'dangerous'.

    It allows to add, remove or edit user accounts. Editing a user
    account includes the option to assign or remove roles. That means
    that a user with this permission can lock out other users by either
    removing their account or by removing permissions.

    NOTE(review): since assigning roles is part of editing an account,
    holders can presumably also grant further roles to accounts,
    including their own; confirm whether the user management views
    restrict which roles may be assigned.
    """
    grok.name('waeup.manageUsers')
[6142]85
[14603]86
class ShowStudents(grok.Permission):
    """Permission to search for students in the Academic Section.

    Users with this permission do not necessarily see the 'Students' tab
    but they can search for students at department, certificate or course
    level. If they additionally have the ExportData permission they can
    export the data as csv files.

    Bursary or Department Officers don't have the ExportData permission
    (see Roles section) and are only allowed to export bursary or
    payments overview data respectively.
    """
    grok.name('waeup.showStudents')
98
[14603]99
class ClearAllStudents(grok.Permission):
    """Permission to clear all students in a department at one sweep.
    """
    grok.name('waeup.clearAllStudents')
105
[14603]106
class EditScores(grok.Permission):
    """Permission to edit scores in course tickets.
    """
    grok.name('waeup.editScores')
111
[14603]112
class TriggerTransition(grok.Permission):
    """Permission to trigger workflow transitions of student and
    document objects.
    """
    grok.name('waeup.triggerTransition')
118
[14603]119
class EditUser(grok.Permission):
    """Permission required for editing single user accounts.
    """
    grok.name('waeup.editUser')
125
[14603]126
class ManageDataCenter(grok.Permission):
    """Permission to access all pages in the Data Center and to upload
    files.

    It does not automatically allow to process uploaded data files.
    """
    grok.name('waeup.manageDataCenter')
[6142]133
[14603]134
class ImportData(grok.Permission):
    """Permission to batch process (import) any kind of portal data
    except for user data.

    The User Data processor also requires the ManageUsers permission.
    """
    grok.name('waeup.importData')
141
[14603]142
class ExportData(grok.Permission):
    """Permission to export any kind of portal data.
    """
    grok.name('waeup.exportData')
147
[14603]148
class ExportPaymentsOverview(grok.Permission):
    """Permission to export payments overviews.

    Department Officers don't have the general exportData permission and
    are only allowed to export payments overviews. This permission is
    only used to filter the respective exporters in the
    ExportJobContainerJobConfig view.
    """
    grok.name('waeup.exportPaymentsOverview')
156
[14603]157
class ExportBursaryData(grok.Permission):
    """Permission to export bursary data.

    Bursary Officers don't have the general exportData permission and
    are only allowed to export bursary data. This permission is only
    used to filter the respective exporter in the
    ExportJobContainerJobConfig view.
    """
    grok.name('waeup.exportBursaryData')
165
[14603]166
class ManagePortalConfiguration(grok.Permission):
    """Permission to edit global and sessional portal configuration data.
    """
    grok.name('waeup.managePortalConfiguration')
[6155]172
[14603]173
class ManageACBatches(grok.Permission):
    """Permission to view and manage accesscodes.
    """
    grok.name('waeup.manageACBatches')
179
[14603]180
class PutBiometricDataPermission(grok.Permission):
    """Permission to upload/change biometric data.
    """
    grok.name('waeup.putBiometricData')
185
[14603]186
class GetBiometricDataPermission(grok.Permission):
    """Permission to read biometric data.
    """
    grok.name('waeup.getBiometricData')
191
192
[6125]193# Local Roles
[12847]194
class ApplicationsManager(grok.Role):
    """Local role assignable at applicants container and at department
    level.

    At department level an Applications Manager can manage all applicants
    which desire to study a programme offered by the department
    (1st Choice Course of Study).

    At container level (local) Applications Managers gain permissions
    which allow to manage the container and all applicants inside the
    container. At container level the permission set of this local role
    corresponds with the permission set of the same-named global role.
    """
    grok.name('waeup.local.ApplicationsManager')
    grok.title(u'Applications Manager')
    grok.permissions(
        'waeup.viewAcademics',
        'waeup.manageApplication',
        'waeup.viewApplication',
        'waeup.payApplicant',
    )
[10226]211
[14603]212
class DepartmentOfficer(grok.Role):
    """Local role assignable at faculty or department level.

    The role allows to list all student data within the
    faculty/department the local role is assigned to. It also allows to
    export payment data overviews.
    """
    grok.name('waeup.local.DepartmentOfficer')
    grok.title(u'Department Officer')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportPaymentsOverview',
    )
224
225
class DepartmentManager(grok.Role):
    """Local role assignable at faculty or department level.

    The role allows to edit all data within this container. It does not
    automatically allow to remove sub-containers.

    Department Managers (Dean of Faculty or Head of Department
    respectively) can also list student data but not access student
    pages.
    """
    grok.name('waeup.local.DepartmentManager')
    grok.title(u'Department Manager')
    grok.permissions(
        'waeup.manageAcademics',
        'waeup.showStudents',
        'waeup.exportData',
    )
[6142]239
[14603]240
class ClearanceOfficer(grok.Role):
    """Local role assignable at faculty or department level.

    The role allows to list or export all student data within the
    faculty/department the local role is assigned to.

    Clearance Officers can furthermore clear all students or reject
    clearance of all students in their faculty/department. They get the
    StudentsClearanceOfficer role for this subset of students.
    """
    grok.name('waeup.local.ClearanceOfficer')
    grok.title(u'Clearance Officer')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
        'waeup.clearAllStudents',
    )
[6655]256
[14603]257
class LocalStudentsManager(grok.Role):
    """Local role assignable at faculty or department level.

    The role allows to view all data and to view or export all student
    data within the faculty/department the local role is assigned to.

    Local Students Managers can furthermore manage data of students in
    their faculty/department. They get the StudentsManager role for this
    subset of students.
    """
    grok.name('waeup.local.LocalStudentsManager')
    grok.title(u'Students Manager')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
272
[14603]273
class LocalWorkflowManager(grok.Role):
    """Local role assignable at faculty level.

    The role allows to view all data and to list or export all student
    data within the faculty the local role is assigned to.

    Local Workflow Managers can trigger transition of students in their
    faculty/department. They get the WorkflowManager role for this
    subset of students.
    """
    grok.name('waeup.local.LocalWorkflowManager')
    grok.title(u'Student Workflow Manager')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
288
class LocalReportsOfficer(grok.Role):
    """Local ReportsOfficer role, assignable at department level.

    The role allows to view all data and to list or export all student
    data within the department the local role is assigned to.

    The LocalReportsOfficer requires the assignment of the global
    ReportsOfficer role to access the reports section. If set, it
    reduces the number of available report generators and selectable
    certificates. Local Reports Officers can create only reports for
    their department.
    """
    grok.name('waeup.local.ReportsOfficer')
    grok.title(u'Student Reports Officer')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
304
class UGClearanceOfficer(grok.Role):
    """Clearance Officer restricted to undergraduate students.

    UG Clearance Officers are regular Clearance Officers with restricted
    dynamic permission assignment. They can only access undergraduate
    students.
    """
    grok.name('waeup.local.UGClearanceOfficer')
    grok.title(u'UG Clearance Officer')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
        'waeup.clearAllStudents',
    )
[8962]316
[14603]317
class PGClearanceOfficer(grok.Role):
    """Clearance Officer restricted to postgraduate students.

    PG Clearance Officers are regular Clearance Officers with restricted
    dynamic permission assignment. They can only access postgraduate
    students.
    """
    grok.name('waeup.local.PGClearanceOfficer')
    grok.title(u'PG Clearance Officer')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
        'waeup.clearAllStudents',
    )
[8962]329
[14603]330
class CourseAdviser100(grok.Role):
    """Local role assignable at faculty, department or certificate level.

    The role allows to view all data and to list or export all student
    data within the faculty, department or certificate the local role is
    assigned to.

    Local Course Advisers can validate or reject course lists of
    students in their faculty/department/certificate at level 100.
    They get the StudentsCourseAdviser role for this subset of students.
    """
    grok.name('waeup.local.CourseAdviser100')
    grok.title(u'Course Adviser 100L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[6655]346
[14603]347
class CourseAdviser200(grok.Role):
    """Level 200 counterpart of CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser200')
    grok.title(u'Course Adviser 200L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[7334]356
[14603]357
class CourseAdviser300(grok.Role):
    """Level 300 counterpart of CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser300')
    grok.title(u'Course Adviser 300L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[7334]366
[14603]367
class CourseAdviser400(grok.Role):
    """Level 400 counterpart of CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser400')
    grok.title(u'Course Adviser 400L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[7334]376
[14603]377
class CourseAdviser500(grok.Role):
    """Level 500 counterpart of CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser500')
    grok.title(u'Course Adviser 500L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[7334]386
[14603]387
class CourseAdviser600(grok.Role):
    """Level 600 counterpart of CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser600')
    grok.title(u'Course Adviser 600L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[7334]396
[14603]397
class CourseAdviser700(grok.Role):
    """Level 700 counterpart of CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser700')
    grok.title(u'Course Adviser 700L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[10064]406
[14603]407
class CourseAdviser800(grok.Role):
    """Level 800 counterpart of CourseAdviser100.
    """
    grok.name('waeup.local.CourseAdviser800')
    grok.title(u'Course Adviser 800L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[10064]416
[14603]417
class LocalTranscriptOfficer(grok.Role):
    """Local role assignable at faculty level.

    The role allows to view, to validate and to release student
    transcripts at faculty level. Local Transcript Officers get the
    TranscriptOfficer role for this subset of students.
    """
    grok.name('waeup.local.TranscriptOfficer')
    grok.title(u'Transcript Officer')
    # The role itself only carries the view permission for the
    # Academic Section.
    grok.permissions('waeup.viewAcademics')
428
429
class LocalTranscriptSignee(grok.Role):
    """Local role assignable at faculty level.

    The role allows to view and to sign student transcripts at faculty
    level. Local Transcript Signees get the TranscriptSignee role for
    this subset of students.
    """
    grok.name('waeup.local.TranscriptSignee')
    grok.title(u'Transcript Signee')
    # The role itself only carries the view permission for the
    # Academic Section.
    grok.permissions('waeup.viewAcademics')
439
440
class Lecturer(grok.Role):
    """Local role assignable at course level.

    The role allows to export some student data within the course the
    local role is assigned to. Lecturers can't access student data
    directly but they can edit the scores in course tickets.
    """
    grok.name('waeup.local.Lecturer')
    grok.title(u'Lecturer')
    # NOTE(review): 'waeup.exportData' is described in this module as
    # allowing export of any kind of portal data, while the docstring
    # speaks of 'some student data' only; confirm how the export views
    # narrow this down for lecturers.
    grok.permissions(
        'waeup.editScores',
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportData',
    )
[9002]453
[14603]454
class Owner(grok.Role):
    """Local role of a user on her/his own user object.

    Each user 'owns' her/his user object and gains permission to edit
    some of the user attributes.
    """
    grok.name('waeup.local.Owner')
    grok.title(u'Owner')
    grok.permissions('waeup.editUser')
462
[14603]463
[7178]464# Site Roles
class AcademicsOfficer(grok.Role):
    """View-only role for the academic section.

    An Academics Officer can view but not edit data in the academic
    section.

    This is the default role which is automatically assigned to all
    officers of the portal. A user with this role can access all display
    pages at faculty, department, course, certificate and certificate
    course level.
    """
    grok.name('waeup.AcademicsOfficer')
    grok.title(u'Academics Officer (view only)')
    grok.permissions('waeup.viewAcademics')
[3521]476
[14603]477
class AcademicsManager(grok.Role):
    """Role to view and edit all data in the academic section.

    An Academics Manager can access all manage pages at faculty,
    department, course, certificate and certificate course level.
    """
    grok.name('waeup.AcademicsManager')
    grok.title(u'Academics Manager')
    # Plain class attribute set in addition to the grok.title directive.
    # NOTE(review): looks redundant; confirm nothing reads it before
    # removing it.
    title = u'Academics Manager'
    grok.permissions(
        'waeup.viewAcademics',
        'waeup.manageAcademics',
    )
488
[14603]489
class ACManager(grok.Role):
    """Role for Access Code Managers.

    An AC Manager can view and manage the Accesscodes Section, see the
    ManageACBatches permission.
    """
    grok.name('waeup.ACManager')
    grok.title(u'Access Code Manager')
    grok.permissions('waeup.manageACBatches')
498
[14603]499
class DataCenterManager(grok.Role):
    """Single-permission role for users charged with batch processing of
    portal data.

    A Data Center Manager can access all pages in the Data Center, see
    the ManageDataCenter permission.
    """
    grok.name('waeup.DataCenterManager')
    grok.title(u'Datacenter Manager')
    grok.permissions('waeup.manageDataCenter')
509
[14603]510
class ImportManager(grok.Role):
    """A Data Center Manager who is also allowed to batch process
    (import) data.

    All batch processors (importers) are available except for the User
    Processor. This processor requires the Users Manager role too. The
    ImportManager role includes the DataCenterManager role but not vice
    versa.
    """
    grok.name('waeup.ImportManager')
    grok.title(u'Import Manager')
    grok.permissions(
        'waeup.manageDataCenter',
        'waeup.importData',
    )
522
[14603]523
class ExportManager(grok.Role):
    """A Data Center Manager who is also allowed to export all kind of
    portal data.

    The ExportManager role includes the DataCenterManager role but not
    vice versa. The permission set also contains 'waeup.showStudents'.
    """
    grok.name('waeup.ExportManager')
    grok.title(u'Export Manager')
    grok.permissions(
        'waeup.manageDataCenter',
        'waeup.exportData',
        'waeup.showStudents',
    )
[10177]534
[14603]535
class BursaryOfficer(grok.Role):
    """Role to export bursary and payments data.

    Bursary Officers can't access the Data Center but see student data
    export buttons in the Academic Section. Meanwhile they can also view
    the application section and export application data.
    """
    grok.name('waeup.BursaryOfficer')
    grok.title(u'Bursary Officer')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        'waeup.exportBursaryData',
        'waeup.exportPaymentsOverview',
        'waeup.viewApplicantsTab',
        'waeup.viewApplication',
        'waeup.exportApplication',
    )
[10246]551
[14603]552
class UsersManager(grok.Role):
    """Role to add, remove or edit user accounts.

    See the ManageUsers permission for further information; editing a
    user account includes assigning or removing roles.
    Be very careful with this role.
    """
    grok.name('waeup.UsersManager')
    grok.title(u'Users Manager')
    grok.permissions(
        'waeup.manageUsers',
        'waeup.editUser',
    )
[8367]562
[14603]563
class WorkflowManager(grok.Role):
    """Role to trigger workflow transitions of student and document
    objects.

    See the TriggerTransition permission for further information.
    """
    grok.name('waeup.WorkflowManager')
    grok.title(u'Workflow Manager')
    grok.permissions('waeup.triggerTransition')
572
[14602]573
class FingerprintReaderDeviceRole(grok.Role):
    """Role for Fingerprint Reader Devices.

    Fingerprint readers are remote devices that can store and retrieve
    fingerprint data. The role therefore carries both the read and the
    upload/change permission for biometric data.
    """
    grok.name('waeup.FingerprintDevice')
    grok.title(u'Fingerprint Reader')
    # NOTE(review): which records a device principal can reach with
    # these two permissions is not decided here; confirm the scope where
    # the role is assigned.
    grok.permissions('waeup.getBiometricData', 'waeup.putBiometricData')
[14602]586
587
class PortalManager(grok.Role):
    """The maximum set of Kofa permissions needed to manage the entire
    portal.

    This set must not be customized. It is recommended to assign this
    role only to a few certified Kofa administrators.
    A less dangerous manager role is the CCOfficer role defined in this
    module. For most tasks the CCOfficer role is sufficient.
    """
    grok.name('waeup.PortalManager')
    grok.title(u'Portal Manager')
    # CCOfficer keeps a hand-maintained copy of this list with some
    # entries commented out; a permission added here needs an explicit
    # decision for CCOfficer as well.
    grok.permissions(
        'waeup.managePortal',
        'waeup.manageUsers',
        'waeup.viewAcademics',
        'waeup.manageAcademics',
        'waeup.manageACBatches',
        'waeup.manageDataCenter',
        'waeup.importData',
        'waeup.exportData',
        'waeup.viewTranscript',
        'waeup.downloadTranscript',
        'waeup.processTranscript',
        'waeup.viewDocuments',
        'waeup.manageDocuments',
        'waeup.managePortalConfiguration',
        'waeup.viewApplication',
        'waeup.manageApplication',
        'waeup.handleApplication',
        'waeup.viewApplicantsTab',
        'waeup.payApplicant',
        'waeup.viewApplicationStatistics',
        'waeup.viewStudent',
        'waeup.manageStudent',
        'waeup.clearStudent',
        'waeup.payStudent',
        'waeup.clearStudentFinancially',  # not used in base pkg
        'waeup.uploadStudentFile',
        'waeup.showStudents',
        'waeup.clearAllStudents',
        'waeup.createStudents',
        'waeup.editScores',
        'waeup.triggerTransition',
        'waeup.validateStudent',
        'waeup.viewStudentsContainer',
        'waeup.handleAccommodation',
        'waeup.viewHostels',
        'waeup.manageHostels',
        'waeup.editUser',
        'waeup.loginAsStudent',
        'waeup.handleReports',
        'waeup.manageReports',
        'waeup.manageJobs',
        'waeup.exportApplication',
    )
[4789]633
[14603]634
class CCOfficer(grok.Role):
    """Role of the Computer Center Officer.

    The role is basically a copy of the PortalManager role. Some
    'dangerous' permissions are excluded by commenting them out (see
    source code). If officers need to gain more access rights than
    defined in this role, do not hastily switch to the PortalManager
    role but add further manager roles instead. Additional roles could
    be: UsersManager, ACManager, ImportManager, WorkflowManager or
    StudentImpersonator.

    CCOfficer is a base class which means that this role is subject to
    customization. It is not used in the ``waeup.kofa`` base package.
    """
    grok.baseclass()
    grok.name('waeup.CCOfficer')
    grok.title(u'Computer Center Officer')
    # Entries that are commented out are the PortalManager permissions
    # deliberately withheld from this role; keep them as markers.
    # NOTE(review): 'waeup.clearStudentFinancially' is part of
    # PortalManager but is neither listed nor commented out here;
    # confirm that the omission is intended.
    grok.permissions(
        # 'waeup.managePortal',
        # 'waeup.manageUsers',
        'waeup.viewAcademics',
        'waeup.manageAcademics',
        # 'waeup.manageACBatches',
        'waeup.manageDataCenter',
        # 'waeup.importData',
        'waeup.exportData',
        'waeup.viewTranscript',
        'waeup.downloadTranscript',
        'waeup.processTranscript',
        'waeup.viewDocuments',
        'waeup.manageDocuments',
        'waeup.managePortalConfiguration',
        'waeup.viewApplication',
        'waeup.manageApplication',
        'waeup.handleApplication',
        'waeup.viewApplicantsTab',
        'waeup.payApplicant',
        'waeup.viewApplicationStatistics',
        'waeup.viewStudent',
        'waeup.manageStudent',
        'waeup.clearStudent',
        'waeup.payStudent',
        'waeup.uploadStudentFile',
        'waeup.showStudents',
        'waeup.clearAllStudents',
        # 'waeup.createStudents',
        'waeup.editScores',
        # 'waeup.triggerTransition',
        'waeup.validateStudent',
        'waeup.viewStudentsContainer',
        'waeup.handleAccommodation',
        'waeup.viewHostels',
        'waeup.manageHostels',
        # 'waeup.editUser',
        # 'waeup.loginAsStudent',
        'waeup.handleReports',
        'waeup.manageReports',
        # 'waeup.manageJobs',
        'waeup.exportApplication',
    )
[9259]685
[14603]686
def get_all_roles():
    """Return the registered roles as ``<ROLE-NAME>, <ROLE>`` pairs.

    The result is whatever ``getUtilitiesFor(IRole)`` returns; callers
    in this module only iterate over it or pass it to ``dict()``.
    """
    return getUtilitiesFor(IRole)
691
[14603]692
def get_waeup_roles(also_local=False):
    """Yield all Kofa roles.

    Kofa roles are ordinary roles whose id by convention starts with
    a ``waeup.`` prefix. Local Kofa roles are those whose id starts with
    a ``waeup.local.`` prefix (this is also a convention); they are only
    included if `also_local` is ``True`` (``False`` by default).

    The selection relies on the name prefix alone: every registered role
    whose name starts with ``waeup.`` is returned.

    Returns a generator of the found roles.
    """
    for role_name, role in get_all_roles():
        is_kofa_role = role_name.startswith('waeup.')
        is_local_role = role_name.startswith('waeup.local.')
        if is_kofa_role and (also_local or not is_local_role):
            yield role
[4789]713
[14603]714
def get_waeup_role_names():
    """Return a sorted list of the ids of all Kofa roles.

    See :func:`get_waeup_roles` for what a 'KofaRole' is. Local roles
    are not included because `get_waeup_roles` is called with its
    defaults.
    """
    role_ids = [role.id for role in get_waeup_roles()]
    role_ids.sort()
    return role_ids
[6157]723
[14603]724
class LocalRolesAssignable(grok.Adapter):
    """Default implementation for `ILocalRolesAssignable`.

    Calling this adapter returns a list of dictionaries describing the
    roles that can be assigned locally to the adapted object.

    Each dict contains a ``name``, a ``title`` and a ``description``
    entry: the role (``name``), for which kind of users the role is
    meant to be used (``title``) and the description of the role.

    Having this adapter registered for `Interface` we make sure that for
    each normal object we get a valid `ILocalRolesAssignable` adapter.

    Objects that want to offer certain local roles can do so by setting
    a (preferably class-) attribute ``local_roles`` to a list of role
    ids. Objects without that attribute offer no local roles.

    You can also define different adapters for different contexts to
    have different role lookup mechanisms become available. But in
    normal cases it should be sufficient to use this basic adapter.
    """
    grok.context(Interface)
    grok.provides(ILocalRolesAssignable)

    # Fallback used when the context defines no ``local_roles``.
    _roles = []

    def __init__(self, context):
        self.context = context
        wanted_ids = getattr(context, 'local_roles', self._roles)
        # Only roles that are actually registered are kept; ids without
        # a registered role are dropped silently.
        assignable = []
        for role_name, role in get_all_roles():
            if role_name in wanted_ids:
                assignable.append((role_name, role))
        self._roles = assignable

    def __call__(self):
        """Get a list of dictionaries, sorted by ``name``.

        Each dict contains ``name`` (the role to assign), ``title``
        (some description of the type of user to assign the role to)
        and ``description``.
        """
        entries = []
        for role_name, role in self._roles:
            entries.append(dict(
                name=role_name,
                title=role.title,
                description=role.description))
        entries.sort(key=lambda entry: entry['name'])
        return entries
[6144]768
[14603]769
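def get_users_with_local_roles(context):
    """Yield dicts representing the local roles set for `context`.

    For each entry in the local roles map of the `context` object a dict
    with the keys `user`, `user_name`, `user_title`, `public_name`,
    `local_role`, `local_role_title` and `setting` is yielded.

    Entries are yielded even if `user_name` is not found in the site's
    ``users`` container. In that case `user` is ``None`` and
    `user_title` and `public_name` fall back to `user_name`, so local
    role assignments for accounts that no longer exist still show up.

    Nothing is yielded if no role map is available for `context`.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No map, no roles. A plain ``return`` ends the generator; the
        # former ``raise StopIteration`` is turned into a RuntimeError
        # inside generators by newer Python versions (PEP 479).
        return
    # The registered roles do not depend on the entry, look them up once.
    roles_by_name = dict(get_all_roles())
    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
        user = grok.getSite()['users'].get(user_name, None)
        user_title = getattr(user, 'title', user_name)
        public_name = getattr(user, 'public_name', None)
        if not public_name:
            public_name = user_title
        local_role_title = getattr(
            roles_by_name.get(local_role, None), 'title', None)
        yield dict(user=user,
                   user_name=user_name,
                   user_title=user_title,
                   public_name=public_name,
                   local_role=local_role,
                   local_role_title=local_role_title,
                   setting=setting,
                   )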
[9309]798
[14603]799
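def get_users_with_role(role, context):
    """Yield dicts representing the users who have been granted
    `role` for `context`.

    Each dict contains the keys `user_name`, `user_title`, `user_email`
    and `setting`. Entries are yielded even if `user_name` is not found
    in the site's ``users`` container; `user_title` then falls back to
    `user_name` and `user_email` is ``None``.

    Nothing is yielded if no role map is available for `context`.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No map, no roles. A plain ``return`` ends the generator; the
        # former ``raise StopIteration`` is turned into a RuntimeError
        # inside generators by newer Python versions (PEP 479).
        return
    for user_name, setting in role_map.getPrincipalsForRole(role):
        user = grok.getSite()['users'].get(user_name, None)
        user_title = getattr(user, 'title', user_name)
        user_email = getattr(user, 'email', None)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   user_email=user_email,
                   setting=setting)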