source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 10232

Last change on this file since 10232 was 10227, checked in by Henrik Bettermann, 12 years ago

Do not raise exception if local role has been removed in code.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 14.9 KB
Line 
1## $Id: permissions.py 10227 2013-05-25 05:59:03Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
35
36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
39    grok.name('waeup.Anonymous')
40
41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
45
46class ViewAcademicsPermission(grok.Permission):
47    grok.name('waeup.viewAcademics')
48
49class ManageAcademicsPermission(grok.Permission):
50    grok.name('waeup.manageAcademics')
51
52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
57
58class ShowStudents(grok.Permission):
59    grok.name('waeup.showStudents')
60
61class EditUser(grok.Permission):
62    grok.name('waeup.editUser')
63
64class ManageDataCenter(grok.Permission):
65    grok.name('waeup.manageDataCenter')
66
67class ImportData(grok.Permission):
68    grok.name('waeup.importData')
69
70class ExportData(grok.Permission):
71    grok.name('waeup.exportData')
72
73class ManagePortalConfiguration(grok.Permission):
74    grok.name('waeup.managePortalConfiguration')
75
76class ManageACBatches(grok.Permission):
77    grok.name('waeup.manageACBatches')
78
79# Local Roles
80class ApplicationsManager(grok.Role):
81    grok.name('waeup.local.ApplicationsManager')
82    grok.title(u'Applications Manager')
83    grok.permissions('waeup.viewAcademics')
84
85class DepartmentManager(grok.Role):
86    grok.name('waeup.local.DepartmentManager')
87    grok.title(u'Department Manager')
88    grok.permissions('waeup.manageAcademics','waeup.showStudents')
89
90class ClearanceOfficer(grok.Role):
91    """The clearance officer role is meant for the
92    assignment of dynamic roles only.
93    """
94    grok.name('waeup.local.ClearanceOfficer')
95    grok.title(u'Clearance Officer')
96    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
97
98class UGClearanceOfficer(grok.Role):
99    """The clearance officer role is meant for the
100    assignment of dynamic roles only.
101    """
102    grok.name('waeup.local.UGClearanceOfficer')
103    grok.title(u'UG Clearance Officer')
104    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
105
106class PGClearanceOfficer(grok.Role):
107    """The clearance officer role is meant for the
108    assignment of dynamic roles only.
109    """
110    grok.name('waeup.local.PGClearanceOfficer')
111    grok.title(u'PG Clearance Officer')
112    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
113
114class CourseAdviser100(grok.Role):
115    """The 100 level course adviser role is meant for the
116    assignment of dynamic roles only.
117    """
118    grok.name('waeup.local.CourseAdviser100')
119    grok.title(u'Course Adviser 100L')
120    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
121
122class CourseAdviser200(grok.Role):
123    """The course 200 level adviser role is meant for the
124    assignment of dynamic roles only.
125    """
126    grok.name('waeup.local.CourseAdviser200')
127    grok.title(u'Course Adviser 200L')
128    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
129
130class CourseAdviser300(grok.Role):
131    """The 300 level course adviser role is meant for the
132    assignment of dynamic roles only.
133    """
134    grok.name('waeup.local.CourseAdviser300')
135    grok.title(u'Course Adviser 300L')
136    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
137
138class CourseAdviser400(grok.Role):
139    """The 400 level course adviser role is meant for the
140    assignment of dynamic roles only.
141    """
142    grok.name('waeup.local.CourseAdviser400')
143    grok.title(u'Course Adviser 400L')
144    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
145
146class CourseAdviser500(grok.Role):
147    """The 500 level course adviser role is meant for the
148    assignment of dynamic roles only.
149    """
150    grok.name('waeup.local.CourseAdviser500')
151    grok.title(u'Course Adviser 500L')
152    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
153
154class CourseAdviser600(grok.Role):
155    """The 600 level course adviser role is meant for the
156    assignment of dynamic roles only.
157    """
158    grok.name('waeup.local.CourseAdviser600')
159    grok.title(u'Course Adviser 600L')
160    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
161
162class CourseAdviser700(grok.Role):
163    """The 700 level course adviser role is meant for the
164    assignment of dynamic roles only.
165    """
166    grok.name('waeup.local.CourseAdviser700')
167    grok.title(u'Course Adviser 700L')
168    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
169
170class CourseAdviser800(grok.Role):
171    """The 800 level course adviser role is meant for the
172    assignment of dynamic roles only.
173    """
174    grok.name('waeup.local.CourseAdviser800')
175    grok.title(u'Course Adviser 800L')
176    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
177
178class Lecturer(grok.Role):
179    """The lecturer role is meant for the
180    assignment of dynamic roles only.
181    """
182    grok.name('waeup.local.Lecturer')
183    grok.title(u'Lecturer')
184    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
185
186class Owner(grok.Role):
187    grok.name('waeup.local.Owner')
188    grok.title(u'Owner')
189    grok.permissions('waeup.editUser')
190
191# Site Roles
192class AcademicsOfficer(grok.Role):
193    grok.name('waeup.AcademicsOfficer')
194    grok.title(u'Academics Officer (view only)')
195    grok.permissions('waeup.viewAcademics')
196
197class AcademicsManager(grok.Role):
198    grok.name('waeup.AcademicsManager')
199    grok.title(u'Academics Manager')
200    grok.permissions('waeup.viewAcademics',
201                     'waeup.manageAcademics')
202
203class ACManager(grok.Role):
204    grok.name('waeup.ACManager')
205    grok.title(u'Access Code Manager')
206    grok.permissions('waeup.manageACBatches')
207
208class DataCenterManager(grok.Role):
209    grok.name('waeup.DataCenterManager')
210    grok.title(u'Datacenter Manager')
211    grok.permissions('waeup.manageDataCenter')
212
213class ImportManager(grok.Role):
214    grok.name('waeup.ImportManager')
215    grok.title(u'Import Manager')
216    grok.permissions('waeup.manageDataCenter',
217                     'waeup.importData')
218
219class ExportManager(grok.Role):
220    grok.name('waeup.ExportManager')
221    grok.title(u'Export Manager')
222    grok.permissions('waeup.manageDataCenter',
223                     'waeup.exportData')
224
225class UsersManager(grok.Role):
226    grok.name('waeup.UsersManager')
227    grok.title(u'Users Manager')
228    grok.permissions('waeup.manageUsers',
229                     'waeup.editUser')
230
231class WorkflowManager(grok.Role):
232    grok.name('waeup.WorkflowManager')
233    grok.title(u'Workflow Manager')
234    grok.permissions('waeup.triggerTransition')
235
236class PortalManager(grok.Role):
237    grok.name('waeup.PortalManager')
238    grok.title(u'Portal Manager')
239    grok.permissions('waeup.managePortal',
240                     'waeup.manageUsers',
241                     'waeup.viewAcademics', 'waeup.manageAcademics',
242                     'waeup.manageACBatches',
243                     'waeup.manageDataCenter',
244                     'waeup.importData',
245                     'waeup.exportData',
246                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
247                     'waeup.manageApplication', 'waeup.handleApplication',
248                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
249                     'waeup.viewApplicationStatistics',
250                     'waeup.viewStudent', 'waeup.manageStudent',
251                     'waeup.clearStudent', 'waeup.payStudent',
252                     'waeup.uploadStudentFile', 'waeup.showStudents',
253                     'waeup.triggerTransition',
254                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
255                     'waeup.handleAccommodation',
256                     'waeup.viewHostels', 'waeup.manageHostels',
257                     'waeup.editUser',
258                     'waeup.loginAsStudent',
259                     'waeup.manageReports',
260                     'waeup.manageJobs',
261                     )
262
263class CCOfficer(grok.Role):
264    """This is basically a copy of the the PortalManager class. We exclude some
265    'dangerous' permissions by commenting them out.
266    """
267    grok.name('waeup.CCOfficer')
268    grok.title(u'Computer Center Officer')
269    grok.permissions(#'waeup.managePortal',
270                     #'waeup.manageUsers',
271                     'waeup.viewAcademics', 'waeup.manageAcademics',
272                     #'waeup.manageACBatches',
273                     'waeup.manageDataCenter',
274                     #'waeup.importData',
275                     #'waeup.exportData',
276                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
277                     'waeup.manageApplication', 'waeup.handleApplication',
278                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
279                     'waeup.viewApplicationStatistics',
280                     'waeup.viewStudent', 'waeup.manageStudent',
281                     'waeup.clearStudent', 'waeup.payStudent',
282                     'waeup.uploadStudentFile', 'waeup.showStudents',
283                     #'waeup.triggerTransition',
284                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
285                     'waeup.handleAccommodation',
286                     'waeup.viewHostels', 'waeup.manageHostels',
287                     #'waeup.editUser',
288                     #'waeup.loginAsStudent',
289                     'waeup.manageReports',
290                     #'waeup.manageJobs',
291                     )
292
293def get_all_roles():
294    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
295    """
296    return getUtilitiesFor(IRole)
297
298def get_waeup_roles(also_local=False):
299    """Get all Kofa roles.
300
301    Kofa roles are ordinary roles whose id by convention starts with
302    a ``waeup.`` prefix.
303
304    If `also_local` is ``True`` (``False`` by default), also local
305    roles are returned. Local Kofa roles are such whose id starts
306    with ``waeup.local.`` prefix (this is also a convention).
307
308    Returns a generator of the found roles.
309    """
310    for name, item in get_all_roles():
311        if not name.startswith('waeup.'):
312            # Ignore non-Kofa roles...
313            continue
314        if not also_local and name.startswith('waeup.local.'):
315            # Ignore local roles...
316            continue
317        yield item
318
319def get_waeup_role_names():
320    """Get the ids of all Kofa roles.
321
322    See :func:`get_waeup_roles` for what a 'KofaRole' is.
323
324    This function returns a sorted list of Kofa role names.
325    """
326    return sorted([x.id for x in get_waeup_roles()])
327
328class LocalRolesAssignable(grok.Adapter):
329    """Default implementation for `ILocalRolesAssignable`.
330
331    This adapter returns a list for dictionaries for objects for which
332    we want to know the roles assignable to them locally.
333
334    The returned dicts contain a ``name`` and a ``title`` entry which
335    give a role (``name``) and a description, for which kind of users
336    the permission is meant to be used (``title``).
337
338    Having this adapter registered we make sure, that for each normal
339    object we get a valid `ILocalRolesAssignable` adapter.
340
341    Objects that want to offer certain local roles, can do so by
342    setting a (preferably class-) attribute to a list of role ids.
343
344    You can also define different adapters for different contexts to
345    have different role lookup mechanisms become available. But in
346    normal cases it should be sufficient to use this basic adapter.
347    """
348    grok.context(Interface)
349    grok.provides(ILocalRolesAssignable)
350
351    _roles = []
352
353    def __init__(self, context):
354        self.context = context
355        role_ids = getattr(context, 'local_roles', self._roles)
356        self._roles = [(name, role) for name, role in get_all_roles()
357                       if name in role_ids]
358        return
359
360    def __call__(self):
361        """Get a list of dictionaries containing ``names`` (the roles to
362        assign) and ``titles`` (some description of the type of user
363        to assign each role to).
364        """
365        list_of_dict = [dict(
366                name=name,
367                title=role.title,
368                description=role.description)
369                for name, role in self._roles]
370        return sorted(list_of_dict, key=lambda x: x['name'])
371
372def get_all_users():
373    """Get a list of dictionaries.
374    """
375    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
376    for key, val in users:
377        yield(dict(name=key, val=val))
378
379def get_users_with_local_roles(context):
380    """Get a list of dicts representing the local roles set for `context`.
381
382    Each dict returns `user_name`, `user_title`, `local_role`,
383    `local_role_title`, and `setting` for each entry in the local
384    roles map of the `context` object.
385    """
386    try:
387        role_map = IPrincipalRoleMap(context)
388    except TypeError:
389        # no map no roles.
390        raise StopIteration
391    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
392        user = grok.getSite()['users'].get(user_name,None)
393        user_title = getattr(user, 'title', user_name)
394        local_role_title = getattr(
395            dict(get_all_roles()).get(local_role, None), 'title', None)
396        yield dict(user_name = user_name,
397                   user_title = user_title,
398                   local_role = local_role,
399                   local_role_title = local_role_title,
400                   setting = setting)
401
402def get_users_with_role(role, context):
403    """Get a list of dicts representing the usres who have been granted
404    a role for `context`.
405    """
406    try:
407        role_map = IPrincipalRoleMap(context)
408    except TypeError:
409        # no map no roles.
410        raise StopIteration
411    for user_name, setting in role_map.getPrincipalsForRole(role):
412        user = grok.getSite()['users'].get(user_name,None)
413        user_title = getattr(user, 'title', user_name)
414        user_email = getattr(user, 'email', None)
415        yield dict(user_name = user_name,
416                   user_title = user_title,
417                   user_email = user_email,
418                   setting = setting)
Note: See TracBrowser for help on using the repository browser.