source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 10178

Last change on this file since 10178 was 10177, checked in by Henrik Bettermann, 12 years ago

Add exportData permission and role. Permission not yet used.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 14.7 KB
Line 
1## $Id: permissions.py 10177 2013-05-14 03:58:14Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
35
36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
39    grok.name('waeup.Anonymous')
40
41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
45
46class ViewAcademicsPermission(grok.Permission):
47    grok.name('waeup.viewAcademics')
48
49class ManageAcademicsPermission(grok.Permission):
50    grok.name('waeup.manageAcademics')
51
52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
57
58class ShowStudents(grok.Permission):
59    grok.name('waeup.showStudents')
60
61class EditUser(grok.Permission):
62    grok.name('waeup.editUser')
63
64class ManageDataCenter(grok.Permission):
65    grok.name('waeup.manageDataCenter')
66
67class ImportData(grok.Permission):
68    grok.name('waeup.importData')
69
70class ExportData(grok.Permission):
71    grok.name('waeup.exportData')
72
73class ManagePortalConfiguration(grok.Permission):
74    grok.name('waeup.managePortalConfiguration')
75
76class ManageACBatches(grok.Permission):
77    grok.name('waeup.manageACBatches')
78
79# Local Roles
80class DepartmentManager(grok.Role):
81    grok.name('waeup.local.DepartmentManager')
82    grok.title(u'Department Manager')
83    grok.permissions('waeup.manageAcademics','waeup.showStudents')
84
85class ClearanceOfficer(grok.Role):
86    """The clearance officer role is meant for the
87    assignment of dynamic roles only.
88    """
89    grok.name('waeup.local.ClearanceOfficer')
90    grok.title(u'Clearance Officer')
91    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
92
93class UGClearanceOfficer(grok.Role):
94    """The clearance officer role is meant for the
95    assignment of dynamic roles only.
96    """
97    grok.name('waeup.local.UGClearanceOfficer')
98    grok.title(u'UG Clearance Officer')
99    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
100
101class PGClearanceOfficer(grok.Role):
102    """The clearance officer role is meant for the
103    assignment of dynamic roles only.
104    """
105    grok.name('waeup.local.PGClearanceOfficer')
106    grok.title(u'PG Clearance Officer')
107    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
108
109class CourseAdviser100(grok.Role):
110    """The 100 level course adviser role is meant for the
111    assignment of dynamic roles only.
112    """
113    grok.name('waeup.local.CourseAdviser100')
114    grok.title(u'Course Adviser 100L')
115    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
116
117class CourseAdviser200(grok.Role):
118    """The course 200 level adviser role is meant for the
119    assignment of dynamic roles only.
120    """
121    grok.name('waeup.local.CourseAdviser200')
122    grok.title(u'Course Adviser 200L')
123    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
124
125class CourseAdviser300(grok.Role):
126    """The 300 level course adviser role is meant for the
127    assignment of dynamic roles only.
128    """
129    grok.name('waeup.local.CourseAdviser300')
130    grok.title(u'Course Adviser 300L')
131    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
132
133class CourseAdviser400(grok.Role):
134    """The 400 level course adviser role is meant for the
135    assignment of dynamic roles only.
136    """
137    grok.name('waeup.local.CourseAdviser400')
138    grok.title(u'Course Adviser 400L')
139    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
140
141class CourseAdviser500(grok.Role):
142    """The 500 level course adviser role is meant for the
143    assignment of dynamic roles only.
144    """
145    grok.name('waeup.local.CourseAdviser500')
146    grok.title(u'Course Adviser 500L')
147    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
148
149class CourseAdviser600(grok.Role):
150    """The 600 level course adviser role is meant for the
151    assignment of dynamic roles only.
152    """
153    grok.name('waeup.local.CourseAdviser600')
154    grok.title(u'Course Adviser 600L')
155    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
156
157class CourseAdviser700(grok.Role):
158    """The 700 level course adviser role is meant for the
159    assignment of dynamic roles only.
160    """
161    grok.name('waeup.local.CourseAdviser700')
162    grok.title(u'Course Adviser 700L')
163    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
164
165class CourseAdviser800(grok.Role):
166    """The 800 level course adviser role is meant for the
167    assignment of dynamic roles only.
168    """
169    grok.name('waeup.local.CourseAdviser800')
170    grok.title(u'Course Adviser 800L')
171    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
172
173class Lecturer(grok.Role):
174    """The lecturer role is meant for the
175    assignment of dynamic roles only.
176    """
177    grok.name('waeup.local.Lecturer')
178    grok.title(u'Lecturer')
179    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
180
181class Owner(grok.Role):
182    grok.name('waeup.local.Owner')
183    grok.title(u'Owner')
184    grok.permissions('waeup.editUser')
185
186# Site Roles
187class AcademicsOfficer(grok.Role):
188    grok.name('waeup.AcademicsOfficer')
189    grok.title(u'Academics Officer (view only)')
190    grok.permissions('waeup.viewAcademics')
191
192class AcademicsManager(grok.Role):
193    grok.name('waeup.AcademicsManager')
194    grok.title(u'Academics Manager')
195    grok.permissions('waeup.viewAcademics',
196                     'waeup.manageAcademics')
197
198class ACManager(grok.Role):
199    grok.name('waeup.ACManager')
200    grok.title(u'Access Code Manager')
201    grok.permissions('waeup.manageACBatches')
202
203class DataCenterManager(grok.Role):
204    grok.name('waeup.DataCenterManager')
205    grok.title(u'Datacenter Manager')
206    grok.permissions('waeup.manageDataCenter')
207
208class ImportManager(grok.Role):
209    grok.name('waeup.ImportManager')
210    grok.title(u'Import Manager')
211    grok.permissions('waeup.manageDataCenter',
212                     'waeup.importData')
213
214class ExportManager(grok.Role):
215    grok.name('waeup.ExportManager')
216    grok.title(u'Export Manager')
217    grok.permissions('waeup.manageDataCenter',
218                     'waeup.exportData')
219
220class UsersManager(grok.Role):
221    grok.name('waeup.UsersManager')
222    grok.title(u'Users Manager')
223    grok.permissions('waeup.manageUsers',
224                     'waeup.editUser')
225
226class WorkflowManager(grok.Role):
227    grok.name('waeup.WorkflowManager')
228    grok.title(u'Workflow Manager')
229    grok.permissions('waeup.triggerTransition')
230
231class PortalManager(grok.Role):
232    grok.name('waeup.PortalManager')
233    grok.title(u'Portal Manager')
234    grok.permissions('waeup.managePortal',
235                     'waeup.manageUsers',
236                     'waeup.viewAcademics', 'waeup.manageAcademics',
237                     'waeup.manageACBatches',
238                     'waeup.manageDataCenter',
239                     'waeup.importData',
240                     'waeup.exportData',
241                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
242                     'waeup.manageApplication', 'waeup.handleApplication',
243                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
244                     'waeup.viewApplicationStatistics',
245                     'waeup.viewStudent', 'waeup.manageStudent',
246                     'waeup.clearStudent', 'waeup.payStudent',
247                     'waeup.uploadStudentFile', 'waeup.showStudents',
248                     'waeup.triggerTransition',
249                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
250                     'waeup.handleAccommodation',
251                     'waeup.viewHostels', 'waeup.manageHostels',
252                     'waeup.editUser',
253                     'waeup.loginAsStudent',
254                     'waeup.manageReports',
255                     'waeup.manageJobs',
256                     )
257
258class CCOfficer(grok.Role):
259    """This is basically a copy of the the PortalManager class. We exclude some
260    'dangerous' permissions by commenting them out.
261    """
262    grok.name('waeup.CCOfficer')
263    grok.title(u'Computer Center Officer')
264    grok.permissions(#'waeup.managePortal',
265                     #'waeup.manageUsers',
266                     'waeup.viewAcademics', 'waeup.manageAcademics',
267                     #'waeup.manageACBatches',
268                     'waeup.manageDataCenter',
269                     #'waeup.importData',
270                     #'waeup.exportData',
271                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
272                     'waeup.manageApplication', 'waeup.handleApplication',
273                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
274                     'waeup.viewApplicationStatistics',
275                     'waeup.viewStudent', 'waeup.manageStudent',
276                     'waeup.clearStudent', 'waeup.payStudent',
277                     'waeup.uploadStudentFile', 'waeup.showStudents',
278                     #'waeup.triggerTransition',
279                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
280                     'waeup.handleAccommodation',
281                     'waeup.viewHostels', 'waeup.manageHostels',
282                     #'waeup.editUser',
283                     #'waeup.loginAsStudent',
284                     'waeup.manageReports',
285                     #'waeup.manageJobs',
286                     )
287
288def get_all_roles():
289    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
290    """
291    return getUtilitiesFor(IRole)
292
293def get_waeup_roles(also_local=False):
294    """Get all Kofa roles.
295
296    Kofa roles are ordinary roles whose id by convention starts with
297    a ``waeup.`` prefix.
298
299    If `also_local` is ``True`` (``False`` by default), also local
300    roles are returned. Local Kofa roles are such whose id starts
301    with ``waeup.local.`` prefix (this is also a convention).
302
303    Returns a generator of the found roles.
304    """
305    for name, item in get_all_roles():
306        if not name.startswith('waeup.'):
307            # Ignore non-Kofa roles...
308            continue
309        if not also_local and name.startswith('waeup.local.'):
310            # Ignore local roles...
311            continue
312        yield item
313
314def get_waeup_role_names():
315    """Get the ids of all Kofa roles.
316
317    See :func:`get_waeup_roles` for what a 'KofaRole' is.
318
319    This function returns a sorted list of Kofa role names.
320    """
321    return sorted([x.id for x in get_waeup_roles()])
322
323class LocalRolesAssignable(grok.Adapter):
324    """Default implementation for `ILocalRolesAssignable`.
325
326    This adapter returns a list for dictionaries for objects for which
327    we want to know the roles assignable to them locally.
328
329    The returned dicts contain a ``name`` and a ``title`` entry which
330    give a role (``name``) and a description, for which kind of users
331    the permission is meant to be used (``title``).
332
333    Having this adapter registered we make sure, that for each normal
334    object we get a valid `ILocalRolesAssignable` adapter.
335
336    Objects that want to offer certain local roles, can do so by
337    setting a (preferably class-) attribute to a list of role ids.
338
339    You can also define different adapters for different contexts to
340    have different role lookup mechanisms become available. But in
341    normal cases it should be sufficient to use this basic adapter.
342    """
343    grok.context(Interface)
344    grok.provides(ILocalRolesAssignable)
345
346    _roles = []
347
348    def __init__(self, context):
349        self.context = context
350        role_ids = getattr(context, 'local_roles', self._roles)
351        self._roles = [(name, role) for name, role in get_all_roles()
352                       if name in role_ids]
353        return
354
355    def __call__(self):
356        """Get a list of dictionaries containing ``names`` (the roles to
357        assign) and ``titles`` (some description of the type of user
358        to assign each role to).
359        """
360        list_of_dict = [dict(
361                name=name,
362                title=role.title,
363                description=role.description)
364                for name, role in self._roles]
365        return sorted(list_of_dict, key=lambda x: x['name'])
366
367def get_all_users():
368    """Get a list of dictionaries.
369    """
370    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
371    for key, val in users:
372        yield(dict(name=key, val=val))
373
374def get_users_with_local_roles(context):
375    """Get a list of dicts representing the local roles set for `context`.
376
377    Each dict returns `user_name`, `user_title`, `local_role`,
378    `local_role_title`, and `setting` for each entry in the local
379    roles map of the `context` object.
380    """
381    try:
382        role_map = IPrincipalRoleMap(context)
383    except TypeError:
384        # no map no roles.
385        raise StopIteration
386    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
387        user = grok.getSite()['users'].get(user_name,None)
388        user_title = getattr(user, 'title', user_name)
389        local_role_title = dict(get_all_roles())[local_role].title
390        yield dict(user_name = user_name,
391                   user_title = user_title,
392                   local_role = local_role,
393                   local_role_title = local_role_title,
394                   setting = setting)
395
396def get_users_with_role(role, context):
397    """Get a list of dicts representing the usres who have been granted
398    a role for `context`.
399    """
400    try:
401        role_map = IPrincipalRoleMap(context)
402    except TypeError:
403        # no map no roles.
404        raise StopIteration
405    for user_name, setting in role_map.getPrincipalsForRole(role):
406        user = grok.getSite()['users'].get(user_name,None)
407        user_title = getattr(user, 'title', user_name)
408        user_email = getattr(user, 'email', None)
409        yield dict(user_name = user_name,
410                   user_title = user_title,
411                   user_email = user_email,
412                   setting = setting)
Note: See TracBrowser for help on using the repository browser.