source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 10435

Last change on this file since 10435 was 10346, checked in by Henrik Bettermann, 12 years ago

CCOfficer is a baseclass and only necessary in custom packages.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 16.8 KB
Line 
1## $Id: permissions.py 10346 2013-06-22 16:40:42Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
35
36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
39    grok.name('waeup.Anonymous')
40
41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
45
46class ViewAcademicsPermission(grok.Permission):
47    grok.name('waeup.viewAcademics')
48
49class ManageAcademicsPermission(grok.Permission):
50    grok.name('waeup.manageAcademics')
51
52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
57
58class ShowStudents(grok.Permission):
59    grok.name('waeup.showStudents')
60
61class EditUser(grok.Permission):
62    grok.name('waeup.editUser')
63
64class ManageDataCenter(grok.Permission):
65    grok.name('waeup.manageDataCenter')
66
67class ImportData(grok.Permission):
68    grok.name('waeup.importData')
69
70class ExportData(grok.Permission):
71    grok.name('waeup.exportData')
72
73class ExportPaymentsOverview(grok.Permission):
74    grok.name('waeup.exportPaymentsOverview')
75
76class ExportBursaryData(grok.Permission):
77    grok.name('waeup.exportBursaryData')
78
79class ViewTranscript(grok.Permission):
80    grok.name('waeup.viewTranscript')
81
82class ManagePortalConfiguration(grok.Permission):
83    grok.name('waeup.managePortalConfiguration')
84
85class ManageACBatches(grok.Permission):
86    grok.name('waeup.manageACBatches')
87
88# Local Roles
89class ApplicationsManager(grok.Role):
90    grok.name('waeup.local.ApplicationsManager')
91    grok.title(u'Applications Manager')
92    grok.permissions('waeup.viewAcademics')
93
94class DepartmentManager(grok.Role):
95    grok.name('waeup.local.DepartmentManager')
96    grok.title(u'Department Manager')
97    grok.permissions('waeup.manageAcademics',
98                     'waeup.showStudents',
99                     'waeup.exportData')
100
101class DepartmentOfficer(grok.Role):
102    grok.name('waeup.local.DepartmentOfficer')
103    grok.title(u'Department Officer')
104    grok.permissions('waeup.showStudents',
105                     'waeup.viewAcademics',
106                     'waeup.exportPaymentsOverview')
107
108class ClearanceOfficer(grok.Role):
109    """The clearance officer role is meant for the
110    assignment of dynamic roles only.
111    """
112    grok.name('waeup.local.ClearanceOfficer')
113    grok.title(u'Clearance Officer')
114    grok.permissions('waeup.showStudents',
115                     'waeup.viewAcademics',
116                     'waeup.exportData')
117
118class UGClearanceOfficer(grok.Role):
119    """The clearance officer role is meant for the
120    assignment of dynamic roles only.
121    """
122    grok.name('waeup.local.UGClearanceOfficer')
123    grok.title(u'UG Clearance Officer')
124    grok.permissions('waeup.showStudents',
125                     'waeup.viewAcademics',
126                     'waeup.exportData')
127
128class PGClearanceOfficer(grok.Role):
129    """The clearance officer role is meant for the
130    assignment of dynamic roles only.
131    """
132    grok.name('waeup.local.PGClearanceOfficer')
133    grok.title(u'PG Clearance Officer')
134    grok.permissions('waeup.showStudents',
135                     'waeup.viewAcademics',
136                     'waeup.exportData')
137
138class CourseAdviser100(grok.Role):
139    """The 100 level course adviser role is meant for the
140    assignment of dynamic roles only.
141    """
142    grok.name('waeup.local.CourseAdviser100')
143    grok.title(u'Course Adviser 100L')
144    grok.permissions('waeup.showStudents',
145                     'waeup.viewAcademics',
146                     'waeup.exportData')
147
148class CourseAdviser200(grok.Role):
149    """The course 200 level adviser role is meant for the
150    assignment of dynamic roles only.
151    """
152    grok.name('waeup.local.CourseAdviser200')
153    grok.title(u'Course Adviser 200L')
154    grok.permissions('waeup.showStudents',
155                     'waeup.viewAcademics',
156                     'waeup.exportData')
157
158class CourseAdviser300(grok.Role):
159    """The 300 level course adviser role is meant for the
160    assignment of dynamic roles only.
161    """
162    grok.name('waeup.local.CourseAdviser300')
163    grok.title(u'Course Adviser 300L')
164    grok.permissions('waeup.showStudents',
165                     'waeup.viewAcademics',
166                     'waeup.exportData')
167
168class CourseAdviser400(grok.Role):
169    """The 400 level course adviser role is meant for the
170    assignment of dynamic roles only.
171    """
172    grok.name('waeup.local.CourseAdviser400')
173    grok.title(u'Course Adviser 400L')
174    grok.permissions('waeup.showStudents',
175                     'waeup.viewAcademics',
176                     'waeup.exportData')
177
178class CourseAdviser500(grok.Role):
179    """The 500 level course adviser role is meant for the
180    assignment of dynamic roles only.
181    """
182    grok.name('waeup.local.CourseAdviser500')
183    grok.title(u'Course Adviser 500L')
184    grok.permissions('waeup.showStudents',
185                     'waeup.viewAcademics',
186                     'waeup.exportData')
187
188class CourseAdviser600(grok.Role):
189    """The 600 level course adviser role is meant for the
190    assignment of dynamic roles only.
191    """
192    grok.name('waeup.local.CourseAdviser600')
193    grok.title(u'Course Adviser 600L')
194    grok.permissions('waeup.showStudents',
195                     'waeup.viewAcademics',
196                     'waeup.exportData')
197
198class CourseAdviser700(grok.Role):
199    """The 700 level course adviser role is meant for the
200    assignment of dynamic roles only.
201    """
202    grok.name('waeup.local.CourseAdviser700')
203    grok.title(u'Course Adviser 700L')
204    grok.permissions('waeup.showStudents',
205                     'waeup.viewAcademics',
206                     'waeup.exportData')
207
208class CourseAdviser800(grok.Role):
209    """The 800 level course adviser role is meant for the
210    assignment of dynamic roles only.
211    """
212    grok.name('waeup.local.CourseAdviser800')
213    grok.title(u'Course Adviser 800L')
214    grok.permissions('waeup.showStudents',
215                     'waeup.viewAcademics',
216                     'waeup.exportData')
217
218class Lecturer(grok.Role):
219    """The lecturer role is meant for the
220    assignment of dynamic roles only.
221    """
222    grok.name('waeup.local.Lecturer')
223    grok.title(u'Lecturer')
224    grok.permissions('waeup.showStudents',
225                     'waeup.viewAcademics',
226                     'waeup.exportData')
227
228class Owner(grok.Role):
229    grok.name('waeup.local.Owner')
230    grok.title(u'Owner')
231    grok.permissions('waeup.editUser')
232
233# Site Roles
234class AcademicsOfficer(grok.Role):
235    grok.name('waeup.AcademicsOfficer')
236    grok.title(u'Academics Officer (view only)')
237    grok.permissions('waeup.viewAcademics')
238
239class AcademicsManager(grok.Role):
240    grok.name('waeup.AcademicsManager')
241    grok.title(u'Academics Manager')
242    grok.permissions('waeup.viewAcademics',
243                     'waeup.manageAcademics')
244
245class ACManager(grok.Role):
246    grok.name('waeup.ACManager')
247    grok.title(u'Access Code Manager')
248    grok.permissions('waeup.manageACBatches')
249
250class DataCenterManager(grok.Role):
251    grok.name('waeup.DataCenterManager')
252    grok.title(u'Datacenter Manager')
253    grok.permissions('waeup.manageDataCenter')
254
255class ImportManager(grok.Role):
256    grok.name('waeup.ImportManager')
257    grok.title(u'Import Manager')
258    grok.permissions('waeup.manageDataCenter',
259                     'waeup.importData')
260
261class ExportManager(grok.Role):
262    grok.name('waeup.ExportManager')
263    grok.title(u'Export Manager')
264    grok.permissions('waeup.manageDataCenter',
265                     'waeup.exportData')
266
267class BursaryOfficer(grok.Role):
268    grok.name('waeup.BursaryOfficer')
269    grok.title(u'Bursary Officer')
270    grok.permissions('waeup.showStudents',
271                     'waeup.viewAcademics',
272                     'waeup.exportBursaryData')
273
274class TranscriptOfficer(grok.Role):
275    grok.name('waeup.TranscriptOfficer')
276    grok.title(u'Transcript Officer')
277    grok.permissions('waeup.showStudents',
278                     'waeup.viewAcademics',
279                     'waeup.viewTranscript',
280                     'waeup.viewStudent')
281
282class UsersManager(grok.Role):
283    grok.name('waeup.UsersManager')
284    grok.title(u'Users Manager')
285    grok.permissions('waeup.manageUsers',
286                     'waeup.editUser')
287
288class WorkflowManager(grok.Role):
289    grok.name('waeup.WorkflowManager')
290    grok.title(u'Workflow Manager')
291    grok.permissions('waeup.triggerTransition')
292
293class PortalManager(grok.Role):
294    grok.name('waeup.PortalManager')
295    grok.title(u'Portal Manager')
296    grok.permissions('waeup.managePortal',
297                     'waeup.manageUsers',
298                     'waeup.viewAcademics', 'waeup.manageAcademics',
299                     'waeup.manageACBatches',
300                     'waeup.manageDataCenter',
301                     'waeup.importData',
302                     'waeup.exportData',
303                     'waeup.viewTranscript',
304                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
305                     'waeup.manageApplication', 'waeup.handleApplication',
306                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
307                     'waeup.viewApplicationStatistics',
308                     'waeup.viewStudent', 'waeup.manageStudent',
309                     'waeup.clearStudent', 'waeup.payStudent',
310                     'waeup.uploadStudentFile', 'waeup.showStudents',
311                     'waeup.triggerTransition',
312                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
313                     'waeup.handleAccommodation',
314                     'waeup.viewHostels', 'waeup.manageHostels',
315                     'waeup.editUser',
316                     'waeup.loginAsStudent',
317                     'waeup.manageReports',
318                     'waeup.manageJobs',
319                     )
320
321class CCOfficer(grok.Role):
322    """This is basically a copy of the the PortalManager class. We exclude some
323    'dangerous' permissions by commenting them out.
324    """
325    grok.baseclass()
326    grok.name('waeup.CCOfficer')
327    grok.title(u'Computer Center Officer')
328    grok.permissions(#'waeup.managePortal',
329                     #'waeup.manageUsers',
330                     'waeup.viewAcademics', 'waeup.manageAcademics',
331                     #'waeup.manageACBatches',
332                     'waeup.manageDataCenter',
333                     #'waeup.importData',
334                     'waeup.exportData',
335                     'waeup.viewTranscript',
336                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
337                     'waeup.manageApplication', 'waeup.handleApplication',
338                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
339                     'waeup.viewApplicationStatistics',
340                     'waeup.viewStudent', 'waeup.manageStudent',
341                     'waeup.clearStudent', 'waeup.payStudent',
342                     'waeup.uploadStudentFile', 'waeup.showStudents',
343                     #'waeup.triggerTransition',
344                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
345                     'waeup.handleAccommodation',
346                     'waeup.viewHostels', 'waeup.manageHostels',
347                     #'waeup.editUser',
348                     #'waeup.loginAsStudent',
349                     'waeup.manageReports',
350                     #'waeup.manageJobs',
351                     )
352
353def get_all_roles():
354    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
355    """
356    return getUtilitiesFor(IRole)
357
358def get_waeup_roles(also_local=False):
359    """Get all Kofa roles.
360
361    Kofa roles are ordinary roles whose id by convention starts with
362    a ``waeup.`` prefix.
363
364    If `also_local` is ``True`` (``False`` by default), also local
365    roles are returned. Local Kofa roles are such whose id starts
366    with ``waeup.local.`` prefix (this is also a convention).
367
368    Returns a generator of the found roles.
369    """
370    for name, item in get_all_roles():
371        if not name.startswith('waeup.'):
372            # Ignore non-Kofa roles...
373            continue
374        if not also_local and name.startswith('waeup.local.'):
375            # Ignore local roles...
376            continue
377        yield item
378
379def get_waeup_role_names():
380    """Get the ids of all Kofa roles.
381
382    See :func:`get_waeup_roles` for what a 'KofaRole' is.
383
384    This function returns a sorted list of Kofa role names.
385    """
386    return sorted([x.id for x in get_waeup_roles()])
387
388class LocalRolesAssignable(grok.Adapter):
389    """Default implementation for `ILocalRolesAssignable`.
390
391    This adapter returns a list for dictionaries for objects for which
392    we want to know the roles assignable to them locally.
393
394    The returned dicts contain a ``name`` and a ``title`` entry which
395    give a role (``name``) and a description, for which kind of users
396    the permission is meant to be used (``title``).
397
398    Having this adapter registered we make sure, that for each normal
399    object we get a valid `ILocalRolesAssignable` adapter.
400
401    Objects that want to offer certain local roles, can do so by
402    setting a (preferably class-) attribute to a list of role ids.
403
404    You can also define different adapters for different contexts to
405    have different role lookup mechanisms become available. But in
406    normal cases it should be sufficient to use this basic adapter.
407    """
408    grok.context(Interface)
409    grok.provides(ILocalRolesAssignable)
410
411    _roles = []
412
413    def __init__(self, context):
414        self.context = context
415        role_ids = getattr(context, 'local_roles', self._roles)
416        self._roles = [(name, role) for name, role in get_all_roles()
417                       if name in role_ids]
418        return
419
420    def __call__(self):
421        """Get a list of dictionaries containing ``names`` (the roles to
422        assign) and ``titles`` (some description of the type of user
423        to assign each role to).
424        """
425        list_of_dict = [dict(
426                name=name,
427                title=role.title,
428                description=role.description)
429                for name, role in self._roles]
430        return sorted(list_of_dict, key=lambda x: x['name'])
431
432def get_all_users():
433    """Get a list of dictionaries.
434    """
435    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
436    for key, val in users:
437        yield(dict(name=key, val=val))
438
439def get_users_with_local_roles(context):
440    """Get a list of dicts representing the local roles set for `context`.
441
442    Each dict returns `user_name`, `user_title`, `local_role`,
443    `local_role_title`, and `setting` for each entry in the local
444    roles map of the `context` object.
445    """
446    try:
447        role_map = IPrincipalRoleMap(context)
448    except TypeError:
449        # no map no roles.
450        raise StopIteration
451    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
452        user = grok.getSite()['users'].get(user_name,None)
453        user_title = getattr(user, 'title', user_name)
454        local_role_title = getattr(
455            dict(get_all_roles()).get(local_role, None), 'title', None)
456        yield dict(user_name = user_name,
457                   user_title = user_title,
458                   local_role = local_role,
459                   local_role_title = local_role_title,
460                   setting = setting)
461
462def get_users_with_role(role, context):
463    """Get a list of dicts representing the usres who have been granted
464    a role for `context`.
465    """
466    try:
467        role_map = IPrincipalRoleMap(context)
468    except TypeError:
469        # no map no roles.
470        raise StopIteration
471    for user_name, setting in role_map.getPrincipalsForRole(role):
472        user = grok.getSite()['users'].get(user_name,None)
473        user_title = getattr(user, 'title', user_name)
474        user_email = getattr(user, 'email', None)
475        yield dict(user_name = user_name,
476                   user_title = user_title,
477                   user_email = user_email,
478                   setting = setting)
Note: See TracBrowser for help on using the repository browser.