source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 10259

Last change on this file since 10259 was 10248, checked in by Henrik Bettermann, 12 years ago

Bursary Officers are only allowed to export bursary data at all levels in academics.

1## $Id: permissions.py 10248 2013-05-29 06:46:54Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
class Public(grok.Permission):
    """Everyone-can-do-this-permission (id ``waeup.Public``).

    This permission is meant to be applied to objects/views/pages
    etc., that should be usable/readable by everyone.

    We need this to be able to tune default permissions more
    restrictive and open up some dedicated objects like the front
    page.

    Security note: by its own definition anything guarded with this
    permission is reachable without logging in.  Treat each use of
    ``waeup.Public`` as a deliberate decision to publish, never as a
    convenient default.  No role in this module grants it explicitly;
    how it is handed to the anonymous principal is not visible here.
    """
    grok.name('waeup.Public')
35
class Anonymous(grok.Permission):
    """Only-anonymous-can-do-this-permission (id ``waeup.Anonymous``).

    Intended for views that only make sense for principals who are
    *not* logged in.  No role defined in this module grants it; the
    "anonymous only" behaviour is presumably wired up where the
    anonymous principal is configured -- confirm there before relying
    on it.
    """
    grok.name('waeup.Anonymous')
40
class Authenticated(grok.Permission):
    """Only-logged-in-users-can-do-this-permission (id
    ``waeup.Authenticated``).

    No role defined in this module grants it; it is presumably granted
    to every authenticated principal by the security policy set up
    elsewhere -- confirm there.  It says nothing about *which* user is
    logged in, so it must not be used to protect per-user data.
    """
    grok.name('waeup.Authenticated')
45
class ViewAcademicsPermission(grok.Permission):
    """Permission ``waeup.viewAcademics``: read access to the academics
    section (what exactly it protects is decided by the views that
    check it, in other modules).

    In this module it is the most widely granted permission: every
    local role except `DepartmentManager` and `Owner`, plus the
    `AcademicsOfficer`, `AcademicsManager`, `BursaryOfficer`,
    `PortalManager` and `CCOfficer` site roles.
    """
    grok.name('waeup.viewAcademics')
48
class ManageAcademicsPermission(grok.Permission):
    """Permission ``waeup.manageAcademics``: write access to the
    academics section.

    Granted in this module by the `DepartmentManager` local role and
    by the `AcademicsManager`, `PortalManager` and `CCOfficer` site
    roles.  `DepartmentManager` is the only local role carrying a
    *manage* permission.
    """
    grok.name('waeup.manageAcademics')
51
class ManagePortal(grok.Permission):
    """Permission ``waeup.managePortal``: portal-wide administration.

    Granted only by `PortalManager`; it is one of the permissions
    deliberately withheld from `CCOfficer`.  Keep it that way -- any
    role holding it is effectively an administrator.
    """
    grok.name('waeup.managePortal')
54
class ManageUsers(grok.Permission):
    """Permission ``waeup.manageUsers``: management of user accounts.

    Granted by `UsersManager` and `PortalManager`, withheld from
    `CCOfficer`.  Whoever can manage accounts can presumably also hand
    out roles (including `PortalManager`), so in reach this permission
    is equivalent to full administration -- grant the roles that carry
    it as sparingly as `PortalManager` itself.
    """
    grok.name('waeup.manageUsers')
57
class ShowStudents(grok.Permission):
    """Permission ``waeup.showStudents``: listing/viewing of students.

    Granted by every local role except `ApplicationsManager` and
    `Owner`, and by the `BursaryOfficer`, `PortalManager` and
    `CCOfficer` site roles.  Note that each local role holding it also
    holds ``waeup.exportData`` (see `ExportData`).
    """
    grok.name('waeup.showStudents')
60
class EditUser(grok.Permission):
    """Permission ``waeup.editUser``: editing of a user account.

    Granted by the `Owner` local role (so a principal can edit the
    account object the role is set on) and by the `UsersManager` and
    `PortalManager` site roles; withheld from `CCOfficer`.
    """
    grok.name('waeup.editUser')
63
class ManageDataCenter(grok.Permission):
    """Permission ``waeup.manageDataCenter``: access to the data center
    (the import/export area).

    Granted by `DataCenterManager`, `ImportManager`, `ExportManager`,
    `PortalManager` and `CCOfficer`.  On its own it grants neither
    ``waeup.importData`` nor ``waeup.exportData``; those are separate
    permissions.
    """
    grok.name('waeup.manageDataCenter')
66
class ImportData(grok.Permission):
    """Permission ``waeup.importData``: running data imports.

    Imports write into the portal, so this is a high-impact permission.
    Granted only by `ImportManager` and `PortalManager`; deliberately
    withheld from `CCOfficer`.
    """
    grok.name('waeup.importData')
69
class ExportData(grok.Permission):
    """Permission ``waeup.exportData``: running data exports.

    This is the broadest data-egress permission in the module: every
    local role that holds ``waeup.showStudents`` (`DepartmentManager`,
    the clearance officer roles, all course adviser roles, `Lecturer`)
    also holds this one, as do the `ExportManager`, `PortalManager`
    and `CCOfficer` site roles.  `BursaryOfficer` is the exception --
    it can show students but is *not* granted this permission.
    """
    grok.name('waeup.exportData')
72
class ManagePortalConfiguration(grok.Permission):
    """Permission ``waeup.managePortalConfiguration``: editing the
    portal configuration.

    Granted by `PortalManager` and -- unlike ``waeup.managePortal`` --
    also by `CCOfficer`.
    """
    grok.name('waeup.managePortalConfiguration')
75
class ManageACBatches(grok.Permission):
    """Permission ``waeup.manageACBatches``: management of access code
    batches.

    Granted only by `ACManager` and `PortalManager`; withheld from
    `CCOfficer`.
    """
    grok.name('waeup.manageACBatches')
78
# Local Roles -- ids carry the ``waeup.local.`` prefix (see get_waeup_roles)
# and are granted per object through its IPrincipalRoleMap (see
# get_users_with_local_roles), not site-wide.
class ApplicationsManager(grok.Role):
    """Local role ``waeup.local.ApplicationsManager``.

    Grants only ``waeup.viewAcademics`` here.  Despite its name it
    carries none of the application permissions
    (``waeup.manageApplication`` etc. appear in this module only in
    `PortalManager` and `CCOfficer`); if application-management rights
    are expected from this role they must come from somewhere not
    visible in this module -- confirm before relying on it.
    """
    grok.name('waeup.local.ApplicationsManager')
    grok.title(u'Applications Manager')
    grok.permissions('waeup.viewAcademics')
84
class DepartmentManager(grok.Role):
    """Local role ``waeup.local.DepartmentManager``.

    Grants ``waeup.manageAcademics`` (the only *manage* permission on a
    local role in this module), ``waeup.showStudents`` and
    ``waeup.exportData``.  Presumably assigned on a department object,
    scoping these rights to that department -- confirm against the
    academics package.
    """
    grok.name('waeup.local.DepartmentManager')
    grok.title(u'Department Manager')
    grok.permissions('waeup.manageAcademics',
                     'waeup.showStudents',
                     'waeup.exportData')
91
class ClearanceOfficer(grok.Role):
    """Local role ``waeup.local.ClearanceOfficer``.

    The clearance officer role is meant for the assignment of dynamic
    roles only (i.e. assigned by code rather than offered for manual
    assignment -- the mechanism is not visible in this module).

    Grants ``waeup.showStudents``, ``waeup.viewAcademics`` and
    ``waeup.exportData``: view and export, no manage permission.
    """
    grok.name('waeup.local.ClearanceOfficer')
    grok.title(u'Clearance Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
101
class UGClearanceOfficer(grok.Role):
    """Local role ``waeup.local.UGClearanceOfficer`` (undergraduate
    clearance).

    Meant for the assignment of dynamic roles only.  Permission set is
    identical to `ClearanceOfficer`: ``waeup.showStudents``,
    ``waeup.viewAcademics`` and ``waeup.exportData``; the UG/PG split
    only matters to whatever code assigns the role.
    """
    grok.name('waeup.local.UGClearanceOfficer')
    grok.title(u'UG Clearance Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
111
class PGClearanceOfficer(grok.Role):
    """Local role ``waeup.local.PGClearanceOfficer`` (postgraduate
    clearance).

    Meant for the assignment of dynamic roles only.  Permission set is
    identical to `ClearanceOfficer`: ``waeup.showStudents``,
    ``waeup.viewAcademics`` and ``waeup.exportData``; the UG/PG split
    only matters to whatever code assigns the role.
    """
    grok.name('waeup.local.PGClearanceOfficer')
    grok.title(u'PG Clearance Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
121
class CourseAdviser100(grok.Role):
    """Local role ``waeup.local.CourseAdviser100`` (100 level).

    The 100 level course adviser role is meant for the assignment of
    dynamic roles only.  All `CourseAdviser*` roles share one
    permission set -- ``waeup.showStudents``, ``waeup.viewAcademics``,
    ``waeup.exportData`` -- and differ only in the level their
    assigning code targets.
    """
    grok.name('waeup.local.CourseAdviser100')
    grok.title(u'Course Adviser 100L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
131
class CourseAdviser200(grok.Role):
    """Local role ``waeup.local.CourseAdviser200`` (200 level).

    Meant for the assignment of dynamic roles only.  Same permission
    set as every other `CourseAdviser*` role: ``waeup.showStudents``,
    ``waeup.viewAcademics``, ``waeup.exportData``.
    """
    grok.name('waeup.local.CourseAdviser200')
    grok.title(u'Course Adviser 200L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
141
class CourseAdviser300(grok.Role):
    """Local role ``waeup.local.CourseAdviser300`` (300 level).

    Meant for the assignment of dynamic roles only.  Same permission
    set as every other `CourseAdviser*` role: ``waeup.showStudents``,
    ``waeup.viewAcademics``, ``waeup.exportData``.
    """
    grok.name('waeup.local.CourseAdviser300')
    grok.title(u'Course Adviser 300L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
151
class CourseAdviser400(grok.Role):
    """Local role ``waeup.local.CourseAdviser400`` (400 level).

    Meant for the assignment of dynamic roles only.  Same permission
    set as every other `CourseAdviser*` role: ``waeup.showStudents``,
    ``waeup.viewAcademics``, ``waeup.exportData``.
    """
    grok.name('waeup.local.CourseAdviser400')
    grok.title(u'Course Adviser 400L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
161
class CourseAdviser500(grok.Role):
    """Local role ``waeup.local.CourseAdviser500`` (500 level).

    Meant for the assignment of dynamic roles only.  Same permission
    set as every other `CourseAdviser*` role: ``waeup.showStudents``,
    ``waeup.viewAcademics``, ``waeup.exportData``.
    """
    grok.name('waeup.local.CourseAdviser500')
    grok.title(u'Course Adviser 500L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
171
class CourseAdviser600(grok.Role):
    """Local role ``waeup.local.CourseAdviser600`` (600 level).

    Meant for the assignment of dynamic roles only.  Same permission
    set as every other `CourseAdviser*` role: ``waeup.showStudents``,
    ``waeup.viewAcademics``, ``waeup.exportData``.
    """
    grok.name('waeup.local.CourseAdviser600')
    grok.title(u'Course Adviser 600L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
181
class CourseAdviser700(grok.Role):
    """Local role ``waeup.local.CourseAdviser700`` (700 level).

    Meant for the assignment of dynamic roles only.  Same permission
    set as every other `CourseAdviser*` role: ``waeup.showStudents``,
    ``waeup.viewAcademics``, ``waeup.exportData``.
    """
    grok.name('waeup.local.CourseAdviser700')
    grok.title(u'Course Adviser 700L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
191
class CourseAdviser800(grok.Role):
    """Local role ``waeup.local.CourseAdviser800`` (800 level).

    Meant for the assignment of dynamic roles only.  Same permission
    set as every other `CourseAdviser*` role: ``waeup.showStudents``,
    ``waeup.viewAcademics``, ``waeup.exportData``.
    """
    grok.name('waeup.local.CourseAdviser800')
    grok.title(u'Course Adviser 800L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
201
class Lecturer(grok.Role):
    """Local role ``waeup.local.Lecturer``.

    The lecturer role is meant for the assignment of dynamic roles
    only.  Grants ``waeup.showStudents``, ``waeup.viewAcademics`` and
    ``waeup.exportData`` -- note that a lecturer can therefore export
    data, not just view it, wherever this role is set.
    """
    grok.name('waeup.local.Lecturer')
    grok.title(u'Lecturer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
211
class Owner(grok.Role):
    """Local role ``waeup.local.Owner``.

    Grants only ``waeup.editUser``.  Presumably set on a user's own
    account object so that the user can edit it -- confirm where the
    role is assigned; it must never be set on the users container
    itself, which would extend the edit right to every account.
    """
    grok.name('waeup.local.Owner')
    grok.title(u'Owner')
    grok.permissions('waeup.editUser')
216
# Site Roles -- ids carry the plain ``waeup.`` prefix; these are the roles
# returned by get_waeup_role_names() and are granted portal-wide, not per object.
class AcademicsOfficer(grok.Role):
    """Site role ``waeup.AcademicsOfficer``: read-only access to the
    academics section (``waeup.viewAcademics`` only).
    """
    grok.name('waeup.AcademicsOfficer')
    grok.title(u'Academics Officer (view only)')
    grok.permissions('waeup.viewAcademics')
222
class AcademicsManager(grok.Role):
    """Site role ``waeup.AcademicsManager``: read and write access to
    the academics section (``waeup.viewAcademics`` and
    ``waeup.manageAcademics``).  Unlike the `DepartmentManager` local
    role this applies portal-wide.
    """
    grok.name('waeup.AcademicsManager')
    grok.title(u'Academics Manager')
    grok.permissions('waeup.viewAcademics',
                     'waeup.manageAcademics')
228
class ACManager(grok.Role):
    """Site role ``waeup.ACManager``: management of access code batches
    (``waeup.manageACBatches`` only).  Besides `PortalManager` this is
    the only role that can touch access codes.
    """
    grok.name('waeup.ACManager')
    grok.title(u'Access Code Manager')
    grok.permissions('waeup.manageACBatches')
233
class DataCenterManager(grok.Role):
    """Site role ``waeup.DataCenterManager``: access to the data center
    (``waeup.manageDataCenter``) without the right to import or export
    data; see `ImportManager` and `ExportManager` for those.
    """
    grok.name('waeup.DataCenterManager')
    grok.title(u'Datacenter Manager')
    grok.permissions('waeup.manageDataCenter')
238
class ImportManager(grok.Role):
    """Site role ``waeup.ImportManager``: data center access plus the
    right to run imports (``waeup.manageDataCenter``,
    ``waeup.importData``).

    Imports write into the portal, so this role should be handed out
    as carefully as a manage role; note that `CCOfficer` deliberately
    does not get ``waeup.importData``.
    """
    grok.name('waeup.ImportManager')
    grok.title(u'Import Manager')
    grok.permissions('waeup.manageDataCenter',
                     'waeup.importData')
244
class ExportManager(grok.Role):
    """Site role ``waeup.ExportManager``: data center access plus the
    right to run exports (``waeup.manageDataCenter``,
    ``waeup.exportData``).  Exports are a bulk data-egress path;
    account for this role in any data-protection review.
    """
    grok.name('waeup.ExportManager')
    grok.title(u'Export Manager')
    grok.permissions('waeup.manageDataCenter',
                     'waeup.exportData')
250
class BursaryOfficer(grok.Role):
    """Site role ``waeup.BursaryOfficer``: ``waeup.showStudents`` and
    ``waeup.viewAcademics`` only.

    Note that this role does *not* carry ``waeup.exportData``, even
    though every local role with ``waeup.showStudents`` does.  The
    commit that last touched this file states that bursary officers
    may export bursary data at all academic levels; that export right
    must therefore be granted by a permission not defined in this
    module -- confirm in the exporter code before widening this role.
    """
    grok.name('waeup.BursaryOfficer')
    grok.title(u'Bursary Officer')
    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
255
class UsersManager(grok.Role):
    """Site role ``waeup.UsersManager``: ``waeup.manageUsers`` and
    ``waeup.editUser``.

    A principal who can manage accounts can presumably also assign
    roles, including `PortalManager`; treat this role as equivalent to
    administration when deciding who gets it.
    """
    grok.name('waeup.UsersManager')
    grok.title(u'Users Manager')
    grok.permissions('waeup.manageUsers',
                     'waeup.editUser')
261
class WorkflowManager(grok.Role):
    """Site role ``waeup.WorkflowManager``: ``waeup.triggerTransition``.

    The permission is not defined in this module (it is presumably
    declared with the workflow code elsewhere in the package).  Being
    able to trigger workflow transitions means being able to move
    records through states regardless of the usual checks, which is
    why `CCOfficer` deliberately does not get it.
    """
    grok.name('waeup.WorkflowManager')
    grok.title(u'Workflow Manager')
    grok.permissions('waeup.triggerTransition')
266
class PortalManager(grok.Role):
    """Site role ``waeup.PortalManager``: the widest permission set in
    this module.

    The list contains every permission defined here plus a number of
    application/student/hostel/report/job permissions that are
    declared in other modules of the package.  It is the reference
    list that `CCOfficer` is copied from; the entries withheld from
    `CCOfficer` are ``waeup.managePortal``, ``waeup.manageUsers``,
    ``waeup.manageACBatches``, ``waeup.importData``,
    ``waeup.triggerTransition``, ``waeup.editUser``,
    ``waeup.loginAsStudent`` (presumably impersonation of a student
    account) and ``waeup.manageJobs``.

    Grant this role to as few accounts as possible, and when adding a
    permission here decide explicitly whether `CCOfficer` gets it too.
    """
    grok.name('waeup.PortalManager')
    grok.title(u'Portal Manager')
    grok.permissions('waeup.managePortal',
                     'waeup.manageUsers',
                     'waeup.viewAcademics', 'waeup.manageAcademics',
                     'waeup.manageACBatches',
                     'waeup.manageDataCenter',
                     'waeup.importData',
                     'waeup.exportData',
                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
                     'waeup.manageApplication', 'waeup.handleApplication',
                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
                     'waeup.viewApplicationStatistics',
                     'waeup.viewStudent', 'waeup.manageStudent',
                     'waeup.clearStudent', 'waeup.payStudent',
                     'waeup.uploadStudentFile', 'waeup.showStudents',
                     'waeup.triggerTransition',
                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
                     'waeup.handleAccommodation',
                     'waeup.viewHostels', 'waeup.manageHostels',
                     'waeup.editUser',
                     'waeup.loginAsStudent',  # withheld from CCOfficer
                     'waeup.manageReports',
                     'waeup.manageJobs',
                     )
293
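class CCOfficer(grok.Role):
    """Site role ``waeup.CCOfficer`` for computer center staff.

    This is a hand-maintained copy of the `PortalManager` permission
    list with the most sensitive permissions left out.  Deliberately
    NOT granted (in the order they appear in `PortalManager`):

    - ``waeup.managePortal``
    - ``waeup.manageUsers``
    - ``waeup.manageACBatches``
    - ``waeup.importData``
    - ``waeup.triggerTransition``
    - ``waeup.editUser``
    - ``waeup.loginAsStudent``
    - ``waeup.manageJobs``

    Everything else `PortalManager` grants is granted here too,
    including high-impact permissions such as
    ``waeup.managePortalConfiguration``, ``waeup.manageDataCenter``,
    ``waeup.exportData``, ``waeup.manageAcademics`` and
    ``waeup.manageStudent``.

    Because this list is a copy and not derived from `PortalManager`,
    a permission added to `PortalManager` is silently *not* granted
    here; conversely nothing stops a sensitive permission from being
    added here by mistake.  Review both classes together whenever
    either changes.  (The exclusions used to be kept as commented-out
    entries inside the permission list; they are listed above instead
    so that the granted set can be read without mentally filtering
    comments.)
    """
    grok.name('waeup.CCOfficer')
    grok.title(u'Computer Center Officer')
    grok.permissions('waeup.viewAcademics', 'waeup.manageAcademics',
                     'waeup.manageDataCenter',
                     'waeup.exportData',
                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
                     'waeup.manageApplication', 'waeup.handleApplication',
                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
                     'waeup.viewApplicationStatistics',
                     'waeup.viewStudent', 'waeup.manageStudent',
                     'waeup.clearStudent', 'waeup.payStudent',
                     'waeup.uploadStudentFile', 'waeup.showStudents',
                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
                     'waeup.handleAccommodation',
                     'waeup.viewHostels', 'waeup.manageHostels',
                     'waeup.manageReports',
                     )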
323
def get_all_roles():
    """Return an iterable of ``(<ROLE-NAME>, <ROLE>)`` pairs for every
    registered `IRole` utility, Kofa or not.

    This is exactly what `getUtilitiesFor(IRole)` returns, which is
    not necessarily a list: wrap it in ``list()`` or ``dict()`` if you
    need to iterate more than once (`get_users_with_local_roles` does
    ``dict(get_all_roles())`` for lookups by id).
    """
    return getUtilitiesFor(IRole)
328
def get_waeup_roles(also_local=False):
    """Yield every registered Kofa role.

    A role counts as a Kofa role when its id starts with ``waeup.``
    (a naming convention, nothing more).  Local roles are the subset
    whose id starts with ``waeup.local.``; they are skipped unless
    `also_local` is ``True`` (``False`` by default).

    Any other `IRole` utility (e.g. roles registered by other Zope
    packages) is ignored.

    Returns a generator of role objects -- not ``(id, role)`` pairs.
    """
    kofa_prefix = 'waeup.'
    local_prefix = 'waeup.local.'
    for role_id, role in get_all_roles():
        if not role_id.startswith(kofa_prefix):
            # Not a Kofa role at all.
            continue
        if role_id.startswith(local_prefix) and not also_local:
            # Local roles are only wanted on request.
            continue
        yield role
349
def get_waeup_role_names():
    """Return the ids of all Kofa *site* roles as a sorted list.

    See :func:`get_waeup_roles` for what a Kofa role is.  Local roles
    are excluded because `get_waeup_roles` is called with its default
    ``also_local=False``, so no ``waeup.local.`` id appears here.
    """
    role_ids = [role.id for role in get_waeup_roles()]
    role_ids.sort()
    return role_ids
358
class LocalRolesAssignable(grok.Adapter):
    """Default implementation for `ILocalRolesAssignable`.

    Adapting an object to `ILocalRolesAssignable` and calling the
    adapter yields a list of dicts describing the roles that may be
    assigned locally on that object.  Each dict carries ``name`` (the
    role id), ``title`` and ``description`` of the role.

    An object offers local roles by exposing a ``local_roles``
    attribute (a class attribute is enough) holding the role ids it
    wants to offer.  Only ids that are actually registered as `IRole`
    utilities are returned: an unknown id in ``local_roles`` is
    silently dropped, never offered.  Objects without the attribute
    offer nothing.

    The adapter is registered for `Interface`, so every object gets a
    working `ILocalRolesAssignable`; a more specific adapter can be
    registered for contexts that need a different lookup.
    """
    grok.context(Interface)
    grok.provides(ILocalRolesAssignable)

    # Fallback used when the context has no ``local_roles`` attribute.
    _roles = []

    def __init__(self, context):
        self.context = context
        offered = getattr(context, 'local_roles', self._roles)
        # Intersect the offered ids with the registered roles.
        self._roles = [
            (role_id, role)
            for role_id, role in get_all_roles()
            if role_id in offered]
        return

    def __call__(self):
        """Return the assignable roles as a list of dicts with the keys
        ``name`` (role id), ``title`` and ``description``, ordered by
        ``name``.
        """
        entries = []
        for role_id, role in self._roles:
            entries.append(dict(
                name=role_id,
                title=role.title,
                description=role.description))
        entries.sort(key=lambda entry: entry['name'])
        return entries
402
def get_all_users():
    """Yield one ``dict(name=<user id>, val=<account object>)`` per
    account in the site's ``users`` container, ordered by the
    account's ``title`` attribute.
    """
    accounts = grok.getSite()['users'].items()
    by_title = sorted(accounts, key=lambda entry: entry[1].title)
    for user_id, account in by_title:
        yield dict(name=user_id, val=account)
409
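def get_users_with_local_roles(context):
    """Yield one dict per entry in the local role map of `context`.

    Each dict has the keys ``user_name``, ``user_title``,
    ``local_role``, ``local_role_title`` and ``setting`` for one
    (role, principal, setting) triple reported by
    ``IPrincipalRoleMap(context).getPrincipalsAndRoles()``.

    ``user_title`` falls back to the principal id when no account with
    that id exists in the site's ``users`` container (the assignment
    is still reported, so stale entries remain visible);
    ``local_role_title`` is ``None`` when the role id is not a
    registered role.

    Yields nothing when `context` cannot be adapted to
    `IPrincipalRoleMap`.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No adapter means no local roles.  A bare ``return`` ends the
        # generator in both Python 2 and 3; the former
        # ``raise StopIteration`` turns into a RuntimeError inside a
        # generator from Python 3.7 on (PEP 479).
        return
    # Resolve both lookup tables once, not once per entry as before
    # (``dict(get_all_roles())`` was rebuilt on every iteration).
    users = grok.getSite()['users']
    roles_by_id = dict(get_all_roles())
    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
        user = users.get(user_name, None)
        user_title = getattr(user, 'title', user_name)
        local_role_title = getattr(
            roles_by_id.get(local_role, None), 'title', None)
        yield dict(user_name = user_name,
                   user_title = user_title,
                   local_role = local_role,
                   local_role_title = local_role_title,
                   setting = setting)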
432
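def get_users_with_role(role, context):
    """Yield one dict per principal that has `role` set in the local
    role map of `context`.

    Each dict has the keys ``user_name``, ``user_title``,
    ``user_email`` and ``setting`` for one (principal, setting) pair
    reported by ``IPrincipalRoleMap(context).getPrincipalsForRole(role)``.

    ``user_title`` falls back to the principal id and ``user_email``
    to ``None`` when no account with that id exists in the site's
    ``users`` container.  Note that the result exposes account e-mail
    addresses; callers rendering it must be protected accordingly.

    Yields nothing when `context` cannot be adapted to
    `IPrincipalRoleMap`.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No adapter means no local roles.  A bare ``return`` ends the
        # generator in both Python 2 and 3; the former
        # ``raise StopIteration`` turns into a RuntimeError inside a
        # generator from Python 3.7 on (PEP 479).
        return
    # Look the users container up once rather than per entry.
    users = grok.getSite()['users']
    for user_name, setting in role_map.getPrincipalsForRole(role):
        user = users.get(user_name, None)
        user_title = getattr(user, 'title', user_name)
        user_email = getattr(user, 'email', None)
        yield dict(user_name = user_name,
                   user_title = user_title,
                   user_email = user_email,
                   setting = setting)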