source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 10244

Last change on this file since 10244 was 10243, checked in by Henrik Bettermann, 12 years ago

Add local BursaryOfficer? role.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 15.1 KB
Line 
1## $Id: permissions.py 10243 2013-05-28 17:29:05Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
35
36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
39    grok.name('waeup.Anonymous')
40
41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
45
46class ViewAcademicsPermission(grok.Permission):
47    grok.name('waeup.viewAcademics')
48
49class ManageAcademicsPermission(grok.Permission):
50    grok.name('waeup.manageAcademics')
51
52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
57
58class ShowStudents(grok.Permission):
59    grok.name('waeup.showStudents')
60
61class EditUser(grok.Permission):
62    grok.name('waeup.editUser')
63
64class ManageDataCenter(grok.Permission):
65    grok.name('waeup.manageDataCenter')
66
67class ImportData(grok.Permission):
68    grok.name('waeup.importData')
69
70class ExportData(grok.Permission):
71    grok.name('waeup.exportData')
72
73class ManagePortalConfiguration(grok.Permission):
74    grok.name('waeup.managePortalConfiguration')
75
76class ManageACBatches(grok.Permission):
77    grok.name('waeup.manageACBatches')
78
79# Local Roles
80class ApplicationsManager(grok.Role):
81    grok.name('waeup.local.ApplicationsManager')
82    grok.title(u'Applications Manager')
83    grok.permissions('waeup.viewAcademics')
84
85class DepartmentManager(grok.Role):
86    grok.name('waeup.local.DepartmentManager')
87    grok.title(u'Department Manager')
88    grok.permissions('waeup.manageAcademics','waeup.showStudents')
89
90class BursaryOfficer(grok.Role):
91    grok.name('waeup.local.BursaryOfficer')
92    grok.title(u'Bursary Officer')
93    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
94
95class ClearanceOfficer(grok.Role):
96    """The clearance officer role is meant for the
97    assignment of dynamic roles only.
98    """
99    grok.name('waeup.local.ClearanceOfficer')
100    grok.title(u'Clearance Officer')
101    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
102
103class UGClearanceOfficer(grok.Role):
104    """The clearance officer role is meant for the
105    assignment of dynamic roles only.
106    """
107    grok.name('waeup.local.UGClearanceOfficer')
108    grok.title(u'UG Clearance Officer')
109    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
110
111class PGClearanceOfficer(grok.Role):
112    """The clearance officer role is meant for the
113    assignment of dynamic roles only.
114    """
115    grok.name('waeup.local.PGClearanceOfficer')
116    grok.title(u'PG Clearance Officer')
117    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
118
119class CourseAdviser100(grok.Role):
120    """The 100 level course adviser role is meant for the
121    assignment of dynamic roles only.
122    """
123    grok.name('waeup.local.CourseAdviser100')
124    grok.title(u'Course Adviser 100L')
125    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
126
127class CourseAdviser200(grok.Role):
128    """The course 200 level adviser role is meant for the
129    assignment of dynamic roles only.
130    """
131    grok.name('waeup.local.CourseAdviser200')
132    grok.title(u'Course Adviser 200L')
133    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
134
135class CourseAdviser300(grok.Role):
136    """The 300 level course adviser role is meant for the
137    assignment of dynamic roles only.
138    """
139    grok.name('waeup.local.CourseAdviser300')
140    grok.title(u'Course Adviser 300L')
141    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
142
143class CourseAdviser400(grok.Role):
144    """The 400 level course adviser role is meant for the
145    assignment of dynamic roles only.
146    """
147    grok.name('waeup.local.CourseAdviser400')
148    grok.title(u'Course Adviser 400L')
149    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
150
151class CourseAdviser500(grok.Role):
152    """The 500 level course adviser role is meant for the
153    assignment of dynamic roles only.
154    """
155    grok.name('waeup.local.CourseAdviser500')
156    grok.title(u'Course Adviser 500L')
157    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
158
159class CourseAdviser600(grok.Role):
160    """The 600 level course adviser role is meant for the
161    assignment of dynamic roles only.
162    """
163    grok.name('waeup.local.CourseAdviser600')
164    grok.title(u'Course Adviser 600L')
165    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
166
167class CourseAdviser700(grok.Role):
168    """The 700 level course adviser role is meant for the
169    assignment of dynamic roles only.
170    """
171    grok.name('waeup.local.CourseAdviser700')
172    grok.title(u'Course Adviser 700L')
173    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
174
175class CourseAdviser800(grok.Role):
176    """The 800 level course adviser role is meant for the
177    assignment of dynamic roles only.
178    """
179    grok.name('waeup.local.CourseAdviser800')
180    grok.title(u'Course Adviser 800L')
181    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
182
183class Lecturer(grok.Role):
184    """The lecturer role is meant for the
185    assignment of dynamic roles only.
186    """
187    grok.name('waeup.local.Lecturer')
188    grok.title(u'Lecturer')
189    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
190
191class Owner(grok.Role):
192    grok.name('waeup.local.Owner')
193    grok.title(u'Owner')
194    grok.permissions('waeup.editUser')
195
196# Site Roles
197class AcademicsOfficer(grok.Role):
198    grok.name('waeup.AcademicsOfficer')
199    grok.title(u'Academics Officer (view only)')
200    grok.permissions('waeup.viewAcademics')
201
202class AcademicsManager(grok.Role):
203    grok.name('waeup.AcademicsManager')
204    grok.title(u'Academics Manager')
205    grok.permissions('waeup.viewAcademics',
206                     'waeup.manageAcademics')
207
208class ACManager(grok.Role):
209    grok.name('waeup.ACManager')
210    grok.title(u'Access Code Manager')
211    grok.permissions('waeup.manageACBatches')
212
213class DataCenterManager(grok.Role):
214    grok.name('waeup.DataCenterManager')
215    grok.title(u'Datacenter Manager')
216    grok.permissions('waeup.manageDataCenter')
217
218class ImportManager(grok.Role):
219    grok.name('waeup.ImportManager')
220    grok.title(u'Import Manager')
221    grok.permissions('waeup.manageDataCenter',
222                     'waeup.importData')
223
224class ExportManager(grok.Role):
225    grok.name('waeup.ExportManager')
226    grok.title(u'Export Manager')
227    grok.permissions('waeup.manageDataCenter',
228                     'waeup.exportData')
229
230class UsersManager(grok.Role):
231    grok.name('waeup.UsersManager')
232    grok.title(u'Users Manager')
233    grok.permissions('waeup.manageUsers',
234                     'waeup.editUser')
235
236class WorkflowManager(grok.Role):
237    grok.name('waeup.WorkflowManager')
238    grok.title(u'Workflow Manager')
239    grok.permissions('waeup.triggerTransition')
240
241class PortalManager(grok.Role):
242    grok.name('waeup.PortalManager')
243    grok.title(u'Portal Manager')
244    grok.permissions('waeup.managePortal',
245                     'waeup.manageUsers',
246                     'waeup.viewAcademics', 'waeup.manageAcademics',
247                     'waeup.manageACBatches',
248                     'waeup.manageDataCenter',
249                     'waeup.importData',
250                     'waeup.exportData',
251                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
252                     'waeup.manageApplication', 'waeup.handleApplication',
253                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
254                     'waeup.viewApplicationStatistics',
255                     'waeup.viewStudent', 'waeup.manageStudent',
256                     'waeup.clearStudent', 'waeup.payStudent',
257                     'waeup.uploadStudentFile', 'waeup.showStudents',
258                     'waeup.triggerTransition',
259                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
260                     'waeup.handleAccommodation',
261                     'waeup.viewHostels', 'waeup.manageHostels',
262                     'waeup.editUser',
263                     'waeup.loginAsStudent',
264                     'waeup.manageReports',
265                     'waeup.manageJobs',
266                     )
267
268class CCOfficer(grok.Role):
269    """This is basically a copy of the the PortalManager class. We exclude some
270    'dangerous' permissions by commenting them out.
271    """
272    grok.name('waeup.CCOfficer')
273    grok.title(u'Computer Center Officer')
274    grok.permissions(#'waeup.managePortal',
275                     #'waeup.manageUsers',
276                     'waeup.viewAcademics', 'waeup.manageAcademics',
277                     #'waeup.manageACBatches',
278                     'waeup.manageDataCenter',
279                     #'waeup.importData',
280                     'waeup.exportData',
281                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
282                     'waeup.manageApplication', 'waeup.handleApplication',
283                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
284                     'waeup.viewApplicationStatistics',
285                     'waeup.viewStudent', 'waeup.manageStudent',
286                     'waeup.clearStudent', 'waeup.payStudent',
287                     'waeup.uploadStudentFile', 'waeup.showStudents',
288                     #'waeup.triggerTransition',
289                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
290                     'waeup.handleAccommodation',
291                     'waeup.viewHostels', 'waeup.manageHostels',
292                     #'waeup.editUser',
293                     #'waeup.loginAsStudent',
294                     'waeup.manageReports',
295                     #'waeup.manageJobs',
296                     )
297
298def get_all_roles():
299    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
300    """
301    return getUtilitiesFor(IRole)
302
303def get_waeup_roles(also_local=False):
304    """Get all Kofa roles.
305
306    Kofa roles are ordinary roles whose id by convention starts with
307    a ``waeup.`` prefix.
308
309    If `also_local` is ``True`` (``False`` by default), also local
310    roles are returned. Local Kofa roles are such whose id starts
311    with ``waeup.local.`` prefix (this is also a convention).
312
313    Returns a generator of the found roles.
314    """
315    for name, item in get_all_roles():
316        if not name.startswith('waeup.'):
317            # Ignore non-Kofa roles...
318            continue
319        if not also_local and name.startswith('waeup.local.'):
320            # Ignore local roles...
321            continue
322        yield item
323
324def get_waeup_role_names():
325    """Get the ids of all Kofa roles.
326
327    See :func:`get_waeup_roles` for what a 'KofaRole' is.
328
329    This function returns a sorted list of Kofa role names.
330    """
331    return sorted([x.id for x in get_waeup_roles()])
332
333class LocalRolesAssignable(grok.Adapter):
334    """Default implementation for `ILocalRolesAssignable`.
335
336    This adapter returns a list for dictionaries for objects for which
337    we want to know the roles assignable to them locally.
338
339    The returned dicts contain a ``name`` and a ``title`` entry which
340    give a role (``name``) and a description, for which kind of users
341    the permission is meant to be used (``title``).
342
343    Having this adapter registered we make sure, that for each normal
344    object we get a valid `ILocalRolesAssignable` adapter.
345
346    Objects that want to offer certain local roles, can do so by
347    setting a (preferably class-) attribute to a list of role ids.
348
349    You can also define different adapters for different contexts to
350    have different role lookup mechanisms become available. But in
351    normal cases it should be sufficient to use this basic adapter.
352    """
353    grok.context(Interface)
354    grok.provides(ILocalRolesAssignable)
355
356    _roles = []
357
358    def __init__(self, context):
359        self.context = context
360        role_ids = getattr(context, 'local_roles', self._roles)
361        self._roles = [(name, role) for name, role in get_all_roles()
362                       if name in role_ids]
363        return
364
365    def __call__(self):
366        """Get a list of dictionaries containing ``names`` (the roles to
367        assign) and ``titles`` (some description of the type of user
368        to assign each role to).
369        """
370        list_of_dict = [dict(
371                name=name,
372                title=role.title,
373                description=role.description)
374                for name, role in self._roles]
375        return sorted(list_of_dict, key=lambda x: x['name'])
376
377def get_all_users():
378    """Get a list of dictionaries.
379    """
380    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
381    for key, val in users:
382        yield(dict(name=key, val=val))
383
384def get_users_with_local_roles(context):
385    """Get a list of dicts representing the local roles set for `context`.
386
387    Each dict returns `user_name`, `user_title`, `local_role`,
388    `local_role_title`, and `setting` for each entry in the local
389    roles map of the `context` object.
390    """
391    try:
392        role_map = IPrincipalRoleMap(context)
393    except TypeError:
394        # no map no roles.
395        raise StopIteration
396    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
397        user = grok.getSite()['users'].get(user_name,None)
398        user_title = getattr(user, 'title', user_name)
399        local_role_title = getattr(
400            dict(get_all_roles()).get(local_role, None), 'title', None)
401        yield dict(user_name = user_name,
402                   user_title = user_title,
403                   local_role = local_role,
404                   local_role_title = local_role_title,
405                   setting = setting)
406
407def get_users_with_role(role, context):
408    """Get a list of dicts representing the usres who have been granted
409    a role for `context`.
410    """
411    try:
412        role_map = IPrincipalRoleMap(context)
413    except TypeError:
414        # no map no roles.
415        raise StopIteration
416    for user_name, setting in role_map.getPrincipalsForRole(role):
417        user = grok.getSite()['users'].get(user_name,None)
418        user_title = getattr(user, 'title', user_name)
419        user_email = getattr(user, 'email', None)
420        yield dict(user_name = user_name,
421                   user_title = user_title,
422                   user_email = user_email,
423                   setting = setting)
Note: See TracBrowser for help on using the repository browser.