source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 10064

Last change on this file since 10064 was 10064, checked in by Henrik Bettermann, 11 years ago

Add more local course adviser roles.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 14.4 KB
Line 
1## $Id: permissions.py 10064 2013-04-06 04:53:30Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
35
36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
39    grok.name('waeup.Anonymous')
40
41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
45
46class ViewAcademicsPermission(grok.Permission):
47    grok.name('waeup.viewAcademics')
48
49class ManageAcademicsPermission(grok.Permission):
50    grok.name('waeup.manageAcademics')
51
52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
57
58class ShowStudents(grok.Permission):
59    grok.name('waeup.showStudents')
60
61class EditUser(grok.Permission):
62    grok.name('waeup.editUser')
63
64class ManageDataCenter(grok.Permission):
65    grok.name('waeup.manageDataCenter')
66
67class ImportData(grok.Permission):
68    grok.name('waeup.importData')
69
70class ManagePortalConfiguration(grok.Permission):
71    grok.name('waeup.managePortalConfiguration')
72
73class ManageACBatches(grok.Permission):
74    grok.name('waeup.manageACBatches')
75
76# Local Roles
77class DepartmentManager(grok.Role):
78    grok.name('waeup.local.DepartmentManager')
79    grok.title(u'Department Manager')
80    grok.permissions('waeup.manageAcademics','waeup.showStudents')
81
82class ClearanceOfficer(grok.Role):
83    """The clearance officer role is meant for the
84    assignment of dynamic roles only.
85    """
86    grok.name('waeup.local.ClearanceOfficer')
87    grok.title(u'Clearance Officer')
88    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
89
90class UGClearanceOfficer(grok.Role):
91    """The clearance officer role is meant for the
92    assignment of dynamic roles only.
93    """
94    grok.name('waeup.local.UGClearanceOfficer')
95    grok.title(u'UG Clearance Officer')
96    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
97
98class PGClearanceOfficer(grok.Role):
99    """The clearance officer role is meant for the
100    assignment of dynamic roles only.
101    """
102    grok.name('waeup.local.PGClearanceOfficer')
103    grok.title(u'PG Clearance Officer')
104    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
105
106class CourseAdviser100(grok.Role):
107    """The 100 level course adviser role is meant for the
108    assignment of dynamic roles only.
109    """
110    grok.name('waeup.local.CourseAdviser100')
111    grok.title(u'Course Adviser 100L')
112    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
113
114class CourseAdviser200(grok.Role):
115    """The course 200 level adviser role is meant for the
116    assignment of dynamic roles only.
117    """
118    grok.name('waeup.local.CourseAdviser200')
119    grok.title(u'Course Adviser 200L')
120    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
121
122class CourseAdviser300(grok.Role):
123    """The 300 level course adviser role is meant for the
124    assignment of dynamic roles only.
125    """
126    grok.name('waeup.local.CourseAdviser300')
127    grok.title(u'Course Adviser 300L')
128    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
129
130class CourseAdviser400(grok.Role):
131    """The 400 level course adviser role is meant for the
132    assignment of dynamic roles only.
133    """
134    grok.name('waeup.local.CourseAdviser400')
135    grok.title(u'Course Adviser 400L')
136    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
137
138class CourseAdviser500(grok.Role):
139    """The 500 level course adviser role is meant for the
140    assignment of dynamic roles only.
141    """
142    grok.name('waeup.local.CourseAdviser500')
143    grok.title(u'Course Adviser 500L')
144    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
145
146class CourseAdviser600(grok.Role):
147    """The 600 level course adviser role is meant for the
148    assignment of dynamic roles only.
149    """
150    grok.name('waeup.local.CourseAdviser600')
151    grok.title(u'Course Adviser 600L')
152    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
153
154class CourseAdviser700(grok.Role):
155    """The 700 level course adviser role is meant for the
156    assignment of dynamic roles only.
157    """
158    grok.name('waeup.local.CourseAdviser700')
159    grok.title(u'Course Adviser 700L')
160    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
161
162class CourseAdviser800(grok.Role):
163    """The 800 level course adviser role is meant for the
164    assignment of dynamic roles only.
165    """
166    grok.name('waeup.local.CourseAdviser800')
167    grok.title(u'Course Adviser 800L')
168    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
169
170class Lecturer(grok.Role):
171    """The lecturer role is meant for the
172    assignment of dynamic roles only.
173    """
174    grok.name('waeup.local.Lecturer')
175    grok.title(u'Lecturer')
176    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
177
178class Owner(grok.Role):
179    grok.name('waeup.local.Owner')
180    grok.title(u'Owner')
181    grok.permissions('waeup.editUser')
182
183# Site Roles
184class AcademicsOfficer(grok.Role):
185    grok.name('waeup.AcademicsOfficer')
186    grok.title(u'Academics Officer (view only)')
187    grok.permissions('waeup.viewAcademics')
188
189class AcademicsManager(grok.Role):
190    grok.name('waeup.AcademicsManager')
191    grok.title(u'Academics Manager')
192    grok.permissions('waeup.viewAcademics',
193                     'waeup.manageAcademics')
194
195class ACManager(grok.Role):
196    grok.name('waeup.ACManager')
197    grok.title(u'Access Code Manager')
198    grok.permissions('waeup.manageACBatches')
199
200class DataCenterManager(grok.Role):
201    grok.name('waeup.DataCenterManager')
202    grok.title(u'Datacenter Manager')
203    grok.permissions('waeup.manageDataCenter')
204
205class ImportManager(grok.Role):
206    grok.name('waeup.ImportManager')
207    grok.title(u'Import Manager')
208    grok.permissions('waeup.manageDataCenter',
209                     'waeup.importData')
210
211class UsersManager(grok.Role):
212    grok.name('waeup.UsersManager')
213    grok.title(u'Users Manager')
214    grok.permissions('waeup.manageUsers',
215                     'waeup.editUser')
216
217class WorkflowManager(grok.Role):
218    grok.name('waeup.WorkflowManager')
219    grok.title(u'Workflow Manager')
220    grok.permissions('waeup.triggerTransition')
221
222class PortalManager(grok.Role):
223    grok.name('waeup.PortalManager')
224    grok.title(u'Portal Manager')
225    grok.permissions('waeup.managePortal',
226                     'waeup.manageUsers',
227                     'waeup.viewAcademics', 'waeup.manageAcademics',
228                     'waeup.manageACBatches',
229                     'waeup.manageDataCenter',
230                     'waeup.importData',
231                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
232                     'waeup.manageApplication', 'waeup.handleApplication',
233                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
234                     'waeup.viewApplicationStatistics',
235                     'waeup.viewStudent', 'waeup.manageStudent',
236                     'waeup.clearStudent', 'waeup.payStudent',
237                     'waeup.uploadStudentFile', 'waeup.showStudents',
238                     'waeup.triggerTransition',
239                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
240                     'waeup.handleAccommodation',
241                     'waeup.viewHostels', 'waeup.manageHostels',
242                     'waeup.editUser',
243                     'waeup.loginAsStudent',
244                     'waeup.manageReports',
245                     'waeup.manageJobs',
246                     )
247
248class CCOfficer(grok.Role):
249    """This is basically a copy of the the PortalManager class. We exclude some
250    'dangerous' permissions by commenting them out.
251    """
252    grok.name('waeup.CCOfficer')
253    grok.title(u'Computer Center Officer')
254    grok.permissions(#'waeup.managePortal',
255                     #'waeup.manageUsers',
256                     'waeup.viewAcademics', 'waeup.manageAcademics',
257                     #'waeup.manageACBatches',
258                     'waeup.manageDataCenter',
259                     #'waeup.importData',
260                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
261                     'waeup.manageApplication', 'waeup.handleApplication',
262                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
263                     'waeup.viewApplicationStatistics',
264                     'waeup.viewStudent', 'waeup.manageStudent',
265                     'waeup.clearStudent', 'waeup.payStudent',
266                     'waeup.uploadStudentFile', 'waeup.showStudents',
267                     #'waeup.triggerTransition',
268                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
269                     'waeup.handleAccommodation',
270                     'waeup.viewHostels', 'waeup.manageHostels',
271                     #'waeup.editUser',
272                     #'waeup.loginAsStudent',
273                     'waeup.manageReports',
274                     #'waeup.manageJobs',
275                     )
276
277def get_all_roles():
278    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
279    """
280    return getUtilitiesFor(IRole)
281
282def get_waeup_roles(also_local=False):
283    """Get all Kofa roles.
284
285    Kofa roles are ordinary roles whose id by convention starts with
286    a ``waeup.`` prefix.
287
288    If `also_local` is ``True`` (``False`` by default), also local
289    roles are returned. Local Kofa roles are such whose id starts
290    with ``waeup.local.`` prefix (this is also a convention).
291
292    Returns a generator of the found roles.
293    """
294    for name, item in get_all_roles():
295        if not name.startswith('waeup.'):
296            # Ignore non-Kofa roles...
297            continue
298        if not also_local and name.startswith('waeup.local.'):
299            # Ignore local roles...
300            continue
301        yield item
302
303def get_waeup_role_names():
304    """Get the ids of all Kofa roles.
305
306    See :func:`get_waeup_roles` for what a 'KofaRole' is.
307
308    This function returns a sorted list of Kofa role names.
309    """
310    return sorted([x.id for x in get_waeup_roles()])
311
312class LocalRolesAssignable(grok.Adapter):
313    """Default implementation for `ILocalRolesAssignable`.
314
315    This adapter returns a list for dictionaries for objects for which
316    we want to know the roles assignable to them locally.
317
318    The returned dicts contain a ``name`` and a ``title`` entry which
319    give a role (``name``) and a description, for which kind of users
320    the permission is meant to be used (``title``).
321
322    Having this adapter registered we make sure, that for each normal
323    object we get a valid `ILocalRolesAssignable` adapter.
324
325    Objects that want to offer certain local roles, can do so by
326    setting a (preferably class-) attribute to a list of role ids.
327
328    You can also define different adapters for different contexts to
329    have different role lookup mechanisms become available. But in
330    normal cases it should be sufficient to use this basic adapter.
331    """
332    grok.context(Interface)
333    grok.provides(ILocalRolesAssignable)
334
335    _roles = []
336
337    def __init__(self, context):
338        self.context = context
339        role_ids = getattr(context, 'local_roles', self._roles)
340        self._roles = [(name, role) for name, role in get_all_roles()
341                       if name in role_ids]
342        return
343
344    def __call__(self):
345        """Get a list of dictionaries containing ``names`` (the roles to
346        assign) and ``titles`` (some description of the type of user
347        to assign each role to).
348        """
349        list_of_dict = [dict(
350                name=name,
351                title=role.title,
352                description=role.description)
353                for name, role in self._roles]
354        return sorted(list_of_dict, key=lambda x: x['name'])
355
356def get_all_users():
357    """Get a list of dictionaries.
358    """
359    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
360    for key, val in users:
361        yield(dict(name=key, val=val))
362
363def get_users_with_local_roles(context):
364    """Get a list of dicts representing the local roles set for `context`.
365
366    Each dict returns `user_name`, `user_title`, `local_role`,
367    `local_role_title`, and `setting` for each entry in the local
368    roles map of the `context` object.
369    """
370    try:
371        role_map = IPrincipalRoleMap(context)
372    except TypeError:
373        # no map no roles.
374        raise StopIteration
375    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
376        user = grok.getSite()['users'].get(user_name,None)
377        user_title = getattr(user, 'title', user_name)
378        local_role_title = dict(get_all_roles())[local_role].title
379        yield dict(user_name = user_name,
380                   user_title = user_title,
381                   local_role = local_role,
382                   local_role_title = local_role_title,
383                   setting = setting)
384
385def get_users_with_role(role, context):
386    """Get a list of dicts representing the usres who have been granted
387    a role for `context`.
388    """
389    try:
390        role_map = IPrincipalRoleMap(context)
391    except TypeError:
392        # no map no roles.
393        raise StopIteration
394    for user_name, setting in role_map.getPrincipalsForRole(role):
395        user = grok.getSite()['users'].get(user_name,None)
396        user_title = getattr(user, 'title', user_name)
397        user_email = getattr(user, 'email', None)
398        yield dict(user_name = user_name,
399                   user_title = user_title,
400                   user_email = user_email,
401                   setting = setting)
Note: See TracBrowser for help on using the repository browser.