source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 9855

Last change on this file since 9855 was 9645, checked in by Henrik Bettermann, 12 years ago

Add permission to roles.

Show user id on reports page.

Show reports of all users (to be discussed).

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 13.8 KB
RevLine 
[7193]1## $Id: permissions.py 9645 2012-11-16 10:17:52Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
[3521]18import grok
[6157]19from zope.component import getUtilitiesFor
[6144]20from zope.interface import Interface
[6163]21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
[7811]22from waeup.kofa.interfaces import ILocalRolesAssignable
[3521]23
[4789]24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
[6142]35
[5433]36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
[6142]39    grok.name('waeup.Anonymous')
[4789]40
[7184]41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
[4789]45
[7184]46class ViewAcademicsPermission(grok.Permission):
47    grok.name('waeup.viewAcademics')
48
[8367]49class ManageAcademicsPermission(grok.Permission):
50    grok.name('waeup.manageAcademics')
[4789]51
[8367]52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
[4789]55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
[6142]57
[7205]58class ShowStudents(grok.Permission):
59    grok.name('waeup.showStudents')
60
[7163]61class EditUser(grok.Permission):
62    grok.name('waeup.editUser')
63
[6127]64class ManageDataCenter(grok.Permission):
65    grok.name('waeup.manageDataCenter')
[6142]66
[8367]67class ImportData(grok.Permission):
68    grok.name('waeup.importData')
69
[6907]70class ManagePortalConfiguration(grok.Permission):
71    grok.name('waeup.managePortalConfiguration')
[6155]72
[7181]73class ManageACBatches(grok.Permission):
74    grok.name('waeup.manageACBatches')
75
[6125]76# Local Roles
[7185]77class DepartmentManager(grok.Role):
78    grok.name('waeup.local.DepartmentManager')
79    grok.title(u'Department Manager')
[8367]80    grok.permissions('waeup.manageAcademics','waeup.showStudents')
[6142]81
[6655]82class ClearanceOfficer(grok.Role):
[7168]83    """The clearance officer role is meant for the
84    assignment of dynamic roles only.
85    """
[6655]86    grok.name('waeup.local.ClearanceOfficer')
87    grok.title(u'Clearance Officer')
[7217]88    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
[6655]89
[8962]90class UGClearanceOfficer(grok.Role):
91    """The clearance officer role is meant for the
92    assignment of dynamic roles only.
93    """
94    grok.name('waeup.local.UGClearanceOfficer')
95    grok.title(u'UG Clearance Officer')
96    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
97
98class PGClearanceOfficer(grok.Role):
99    """The clearance officer role is meant for the
100    assignment of dynamic roles only.
101    """
102    grok.name('waeup.local.PGClearanceOfficer')
103    grok.title(u'PG Clearance Officer')
104    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
105
[7334]106class CourseAdviser100(grok.Role):
[7335]107    """The 100 level course adviser role is meant for the
[7168]108    assignment of dynamic roles only.
109    """
[7334]110    grok.name('waeup.local.CourseAdviser100')
111    grok.title(u'Course Adviser 100L')
112    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
[6655]113
[7334]114class CourseAdviser200(grok.Role):
[7335]115    """The course 200 level adviser role is meant for the
[7334]116    assignment of dynamic roles only.
117    """
118    grok.name('waeup.local.CourseAdviser200')
119    grok.title(u'Course Adviser 200L')
120    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
121
122class CourseAdviser300(grok.Role):
[7335]123    """The 300 level course adviser role is meant for the
[7334]124    assignment of dynamic roles only.
125    """
126    grok.name('waeup.local.CourseAdviser300')
127    grok.title(u'Course Adviser 300L')
128    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
129
130class CourseAdviser400(grok.Role):
[7335]131    """The 400 level course adviser role is meant for the
[7334]132    assignment of dynamic roles only.
133    """
134    grok.name('waeup.local.CourseAdviser400')
135    grok.title(u'Course Adviser 400L')
136    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
137
138class CourseAdviser500(grok.Role):
[7335]139    """The 500 level course adviser role is meant for the
[7334]140    assignment of dynamic roles only.
141    """
142    grok.name('waeup.local.CourseAdviser500')
143    grok.title(u'Course Adviser 500L')
144    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
145
146class CourseAdviser600(grok.Role):
[7335]147    """The 600 level course adviser role is meant for the
[7334]148    assignment of dynamic roles only.
149    """
150    grok.name('waeup.local.CourseAdviser600')
151    grok.title(u'Course Adviser 600L')
152    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
153
[9002]154class Lecturer(grok.Role):
155    """The lecturer role is meant for the
156    assignment of dynamic roles only.
157    """
158    grok.name('waeup.local.Lecturer')
159    grok.title(u'Lecturer')
160    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
161
[7163]162class Owner(grok.Role):
163    grok.name('waeup.local.Owner')
164    grok.title(u'Owner')
165    grok.permissions('waeup.editUser')
166
[7178]167# Site Roles
[7185]168class AcademicsOfficer(grok.Role):
169    grok.name('waeup.AcademicsOfficer')
[7188]170    grok.title(u'Academics Officer (view only)')
[7184]171    grok.permissions('waeup.viewAcademics')
[3521]172
[8367]173class AcademicsManager(grok.Role):
174    grok.name('waeup.AcademicsManager')
175    grok.title(u'Academics Manager')
176    grok.permissions('waeup.viewAcademics',
177                     'waeup.manageAcademics')
178
[7181]179class ACManager(grok.Role):
180    grok.name('waeup.ACManager')
181    grok.title(u'Access Code Manager')
182    grok.permissions('waeup.manageACBatches')
183
[8367]184class DataCenterManager(grok.Role):
185    grok.name('waeup.DataCenterManager')
186    grok.title(u'Datacenter Manager')
187    grok.permissions('waeup.manageDataCenter')
188
189class ImportManager(grok.Role):
190    grok.name('waeup.ImportManager')
191    grok.title(u'Import Manager')
192    grok.permissions('waeup.manageDataCenter',
193                     'waeup.importData')
194
195class UsersManager(grok.Role):
196    grok.name('waeup.UsersManager')
197    grok.title(u'Users Manager')
[9259]198    grok.permissions('waeup.manageUsers',
199                     'waeup.editUser')
[8367]200
[9300]201class WorkflowManager(grok.Role):
202    grok.name('waeup.WorkflowManager')
203    grok.title(u'Workflow Manager')
[9299]204    grok.permissions('waeup.triggerTransition')
205
[4789]206class PortalManager(grok.Role):
207    grok.name('waeup.PortalManager')
[6159]208    grok.title(u'Portal Manager')
[9259]209    grok.permissions('waeup.managePortal',
210                     'waeup.manageUsers',
[8374]211                     'waeup.viewAcademics', 'waeup.manageAcademics',
[8367]212                     'waeup.manageACBatches',
[9259]213                     'waeup.manageDataCenter',
214                     'waeup.importData',
[7184]215                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
216                     'waeup.manageApplication', 'waeup.handleApplication',
[7250]217                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
[8565]218                     'waeup.viewApplicationStatistics',
[7250]219                     'waeup.viewStudent', 'waeup.manageStudent',
220                     'waeup.clearStudent', 'waeup.payStudent',
221                     'waeup.uploadStudentFile', 'waeup.showStudents',
[9273]222                     'waeup.triggerTransition',
[7250]223                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
[9186]224                     'waeup.handleAccommodation',
[7205]225                     'waeup.viewHostels', 'waeup.manageHostels',
[9335]226                     'waeup.editUser',
[9637]227                     'waeup.loginAsStudent',
228                     'waeup.manageReports',
[9645]229                     'waeup.manageJobs',
[7240]230                     )
[4789]231
[9259]232class CCOfficer(grok.Role):
[9303]233    """This is basically a copy of the the PortalManager class. We exclude some
[9262]234    'dangerous' permissions by commenting them out.
[9259]235    """
236    grok.name('waeup.CCOfficer')
237    grok.title(u'Computer Center Officer')
238    grok.permissions(#'waeup.managePortal',
239                     #'waeup.manageUsers',
240                     'waeup.viewAcademics', 'waeup.manageAcademics',
241                     #'waeup.manageACBatches',
242                     'waeup.manageDataCenter',
243                     #'waeup.importData',
244                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
245                     'waeup.manageApplication', 'waeup.handleApplication',
246                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
247                     'waeup.viewApplicationStatistics',
248                     'waeup.viewStudent', 'waeup.manageStudent',
249                     'waeup.clearStudent', 'waeup.payStudent',
250                     'waeup.uploadStudentFile', 'waeup.showStudents',
[9273]251                     #'waeup.triggerTransition',
[9259]252                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
253                     'waeup.handleAccommodation',
254                     'waeup.viewHostels', 'waeup.manageHostels',
[9335]255                     #'waeup.editUser',
[9637]256                     #'waeup.loginAsStudent',
257                     'waeup.manageReports',
[9645]258                     #'waeup.manageJobs',
[9259]259                     )
260
[7186]261def get_all_roles():
[6157]262    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
263    """
264    return getUtilitiesFor(IRole)
265
[7186]266def get_waeup_roles(also_local=False):
[7819]267    """Get all Kofa roles.
[6157]268
[7819]269    Kofa roles are ordinary roles whose id by convention starts with
[6157]270    a ``waeup.`` prefix.
271
272    If `also_local` is ``True`` (``False`` by default), also local
[7819]273    roles are returned. Local Kofa roles are such whose id starts
[6157]274    with ``waeup.local.`` prefix (this is also a convention).
275
276    Returns a generator of the found roles.
277    """
[7186]278    for name, item in get_all_roles():
[6157]279        if not name.startswith('waeup.'):
[7819]280            # Ignore non-Kofa roles...
[4789]281            continue
[6157]282        if not also_local and name.startswith('waeup.local.'):
283            # Ignore local roles...
[6045]284            continue
[6157]285        yield item
[4789]286
[7186]287def get_waeup_role_names():
[7819]288    """Get the ids of all Kofa roles.
[6157]289
[7819]290    See :func:`get_waeup_roles` for what a 'KofaRole' is.
[6157]291
[7819]292    This function returns a sorted list of Kofa role names.
[6157]293    """
[7186]294    return sorted([x.id for x in get_waeup_roles()])
[6157]295
[6144]296class LocalRolesAssignable(grok.Adapter):
297    """Default implementation for `ILocalRolesAssignable`.
298
299    This adapter returns a list for dictionaries for objects for which
300    we want to know the roles assignable to them locally.
301
302    The returned dicts contain a ``name`` and a ``title`` entry which
303    give a role (``name``) and a description, for which kind of users
304    the permission is meant to be used (``title``).
305
306    Having this adapter registered we make sure, that for each normal
307    object we get a valid `ILocalRolesAssignable` adapter.
308
309    Objects that want to offer certain local roles, can do so by
[6162]310    setting a (preferably class-) attribute to a list of role ids.
[6144]311
312    You can also define different adapters for different contexts to
313    have different role lookup mechanisms become available. But in
314    normal cases it should be sufficient to use this basic adapter.
315    """
316    grok.context(Interface)
317    grok.provides(ILocalRolesAssignable)
318
319    _roles = []
320
321    def __init__(self, context):
322        self.context = context
[6162]323        role_ids = getattr(context, 'local_roles', self._roles)
[7186]324        self._roles = [(name, role) for name, role in get_all_roles()
[6162]325                       if name in role_ids]
[6144]326        return
327
328    def __call__(self):
329        """Get a list of dictionaries containing ``names`` (the roles to
330        assign) and ``titles`` (some description of the type of user
331        to assign each role to).
332        """
[7334]333        list_of_dict = [dict(
[6162]334                name=name,
335                title=role.title,
[6163]336                description=role.description)
[7334]337                for name, role in self._roles]
338        return sorted(list_of_dict, key=lambda x: x['name'])
[6144]339
[8774]340def get_all_users():
341    """Get a list of dictionaries.
342    """
343    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
344    for key, val in users:
345        yield(dict(name=key, val=val))
346
[6163]347def get_users_with_local_roles(context):
348    """Get a list of dicts representing the local roles set for `context`.
349
350    Each dict returns `user_name`, `user_title`, `local_role`,
351    `local_role_title`, and `setting` for each entry in the local
352    roles map of the `context` object.
353    """
[6202]354    try:
355        role_map = IPrincipalRoleMap(context)
356    except TypeError:
357        # no map no roles.
358        raise StopIteration
[6163]359    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
360        user = grok.getSite()['users'].get(user_name,None)
[7213]361        user_title = getattr(user, 'title', user_name)
[7186]362        local_role_title = dict(get_all_roles())[local_role].title
[6163]363        yield dict(user_name = user_name,
364                   user_title = user_title,
365                   local_role = local_role,
366                   local_role_title = local_role_title,
[9309]367                   setting = setting)
368
369def get_users_with_role(role, context):
370    """Get a list of dicts representing the usres who have been granted
371    a role for `context`.
372    """
373    try:
374        role_map = IPrincipalRoleMap(context)
375    except TypeError:
376        # no map no roles.
377        raise StopIteration
378    for user_name, setting in role_map.getPrincipalsForRole(role):
379        user = grok.getSite()['users'].get(user_name,None)
380        user_title = getattr(user, 'title', user_name)
381        user_email = getattr(user, 'email', None)
382        yield dict(user_name = user_name,
383                   user_title = user_title,
384                   user_email = user_email,
385                   setting = setting)
Note: See TracBrowser for help on using the repository browser.