
Last change on this file since 10278 was 10278, checked in by Henrik Bettermann, 11 years ago

Add permission and role for transcript officers.

1## $Id: permissions.py 10278 2013-06-05 14:23:04Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
class Public(grok.Permission):
    """Everyone-can-do-this-permission (id ``waeup.Public``).

    This permission is meant to be applied to objects/views/pages
    etc., that should be usable/readable by everyone.

    We need this to be able to tune default permissions more
    restrictive and open up some dedicated objects like the front
    page.
    """
    grok.name('waeup.Public')
35
class Anonymous(grok.Permission):
    """Only-anonymous-can-do-this-permission (id ``waeup.Anonymous``).

    Not granted by any role declared in this module.
    """
    grok.name('waeup.Anonymous')
40
class Authenticated(grok.Permission):
    """Only-logged-in-users-can-do-this-permission (id ``waeup.Authenticated``).

    Not granted by any role declared in this module.
    """
    grok.name('waeup.Authenticated')
45
class ViewAcademicsPermission(grok.Permission):
    """Permission ``waeup.viewAcademics``.

    The most widely granted permission in this module: every officer,
    adviser and manager role below except the data-center, users and
    workflow roles carries it.
    """
    grok.name('waeup.viewAcademics')
48
class ManageAcademicsPermission(grok.Permission):
    """Permission ``waeup.manageAcademics``.

    Granted to DepartmentManager (local), AcademicsManager,
    PortalManager and CCOfficer.
    """
    grok.name('waeup.manageAcademics')
51
class ManagePortal(grok.Permission):
    """Permission ``waeup.managePortal``.

    Granted to PortalManager only; CCOfficer deliberately leaves it out.
    """
    grok.name('waeup.managePortal')
54
class ManageUsers(grok.Permission):
    """Permission ``waeup.manageUsers``.

    Granted to UsersManager and PortalManager; CCOfficer deliberately
    leaves it out.
    """
    grok.name('waeup.manageUsers')
57
class ShowStudents(grok.Permission):
    """Permission ``waeup.showStudents``.

    Granted to the clearance officer, course adviser, lecturer,
    department manager, bursary, transcript and portal roles below.
    """
    grok.name('waeup.showStudents')
60
class EditUser(grok.Permission):
    """Permission ``waeup.editUser``.

    Granted to the local Owner role (a user editing itself),
    UsersManager and PortalManager; CCOfficer deliberately leaves it out.
    """
    grok.name('waeup.editUser')
63
class ManageDataCenter(grok.Permission):
    """Permission ``waeup.manageDataCenter``.

    Granted to DataCenterManager, ImportManager, ExportManager,
    PortalManager and CCOfficer.
    """
    grok.name('waeup.manageDataCenter')
66
class ImportData(grok.Permission):
    """Permission ``waeup.importData``.

    Granted to ImportManager and PortalManager; CCOfficer deliberately
    leaves it out (imports write into the portal).
    """
    grok.name('waeup.importData')
69
class ExportData(grok.Permission):
    """Permission ``waeup.exportData``.

    Granted to most local roles (department manager, clearance
    officers, course advisers, lecturer) and to ExportManager,
    PortalManager and CCOfficer.
    """
    grok.name('waeup.exportData')
72
class ViewTranscript(grok.Permission):
    """Permission ``waeup.viewTranscript``.

    Granted to TranscriptOfficer, PortalManager and CCOfficer.
    """
    grok.name('waeup.viewTranscript')
75
class ManagePortalConfiguration(grok.Permission):
    """Permission ``waeup.managePortalConfiguration``.

    Granted to PortalManager and CCOfficer.
    """
    grok.name('waeup.managePortalConfiguration')
78
class ManageACBatches(grok.Permission):
    """Permission ``waeup.manageACBatches`` (access code batches).

    Granted to ACManager and PortalManager; CCOfficer deliberately
    leaves it out.
    """
    grok.name('waeup.manageACBatches')
81
82# Local Roles
class ApplicationsManager(grok.Role):
    """Local role ``waeup.local.ApplicationsManager``.

    Grants ``waeup.viewAcademics`` only on the object it is assigned to.
    """
    grok.name('waeup.local.ApplicationsManager')
    grok.title(u'Applications Manager')
    grok.permissions('waeup.viewAcademics')
87
class DepartmentManager(grok.Role):
    """Local role ``waeup.local.DepartmentManager``.

    Grants management of academics plus student listing and data
    export on the object it is assigned to.
    """
    grok.name('waeup.local.DepartmentManager')
    grok.title(u'Department Manager')
    grok.permissions('waeup.manageAcademics',
                     'waeup.showStudents',
                     'waeup.exportData')
94
class ClearanceOfficer(grok.Role):
    """The clearance officer role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.ClearanceOfficer``; grants the same
    read/export set as the UG/PG variants and the course adviser roles.
    """
    grok.name('waeup.local.ClearanceOfficer')
    grok.title(u'Clearance Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
104
class UGClearanceOfficer(grok.Role):
    """The undergraduate clearance officer role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.UGClearanceOfficer``; same permission set
    as ClearanceOfficer.
    """
    grok.name('waeup.local.UGClearanceOfficer')
    grok.title(u'UG Clearance Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
114
class PGClearanceOfficer(grok.Role):
    """The postgraduate clearance officer role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.PGClearanceOfficer``; same permission set
    as ClearanceOfficer.
    """
    grok.name('waeup.local.PGClearanceOfficer')
    grok.title(u'PG Clearance Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
124
class CourseAdviser100(grok.Role):
    """The 100 level course adviser role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.CourseAdviser100``. All CourseAdviserNNN
    roles in this module grant the same three permissions.
    """
    grok.name('waeup.local.CourseAdviser100')
    grok.title(u'Course Adviser 100L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
134
class CourseAdviser200(grok.Role):
    """The 200 level course adviser role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.CourseAdviser200``.
    """
    grok.name('waeup.local.CourseAdviser200')
    grok.title(u'Course Adviser 200L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
144
class CourseAdviser300(grok.Role):
    """The 300 level course adviser role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.CourseAdviser300``.
    """
    grok.name('waeup.local.CourseAdviser300')
    grok.title(u'Course Adviser 300L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
154
class CourseAdviser400(grok.Role):
    """The 400 level course adviser role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.CourseAdviser400``.
    """
    grok.name('waeup.local.CourseAdviser400')
    grok.title(u'Course Adviser 400L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
164
class CourseAdviser500(grok.Role):
    """The 500 level course adviser role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.CourseAdviser500``.
    """
    grok.name('waeup.local.CourseAdviser500')
    grok.title(u'Course Adviser 500L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
174
class CourseAdviser600(grok.Role):
    """The 600 level course adviser role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.CourseAdviser600``.
    """
    grok.name('waeup.local.CourseAdviser600')
    grok.title(u'Course Adviser 600L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
184
class CourseAdviser700(grok.Role):
    """The 700 level course adviser role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.CourseAdviser700``.
    """
    grok.name('waeup.local.CourseAdviser700')
    grok.title(u'Course Adviser 700L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
194
class CourseAdviser800(grok.Role):
    """The 800 level course adviser role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.CourseAdviser800``.
    """
    grok.name('waeup.local.CourseAdviser800')
    grok.title(u'Course Adviser 800L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
204
class Lecturer(grok.Role):
    """The lecturer role is meant for the
    assignment of dynamic roles only.

    Local role ``waeup.local.Lecturer``; same read/export permission
    set as the clearance officer and course adviser roles.
    """
    grok.name('waeup.local.Lecturer')
    grok.title(u'Lecturer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
214
class Owner(grok.Role):
    """Local role ``waeup.local.Owner``.

    Grants ``waeup.editUser`` only on the object it is assigned to
    (presumably the principal's own user object -- confirm against
    the code that assigns it).
    """
    grok.name('waeup.local.Owner')
    grok.title(u'Owner')
    grok.permissions('waeup.editUser')
219
220# Site Roles
class AcademicsOfficer(grok.Role):
    """Site role ``waeup.AcademicsOfficer``: read-only academics access."""
    grok.name('waeup.AcademicsOfficer')
    grok.title(u'Academics Officer (view only)')
    grok.permissions('waeup.viewAcademics')
225
class AcademicsManager(grok.Role):
    """Site role ``waeup.AcademicsManager``: view and manage academics."""
    grok.name('waeup.AcademicsManager')
    grok.title(u'Academics Manager')
    grok.permissions('waeup.viewAcademics',
                     'waeup.manageAcademics')
231
class ACManager(grok.Role):
    """Site role ``waeup.ACManager``: manage access code batches only."""
    grok.name('waeup.ACManager')
    grok.title(u'Access Code Manager')
    grok.permissions('waeup.manageACBatches')
236
class DataCenterManager(grok.Role):
    """Site role ``waeup.DataCenterManager``.

    Manages the data center but, unlike ImportManager and
    ExportManager, gets neither ``waeup.importData`` nor
    ``waeup.exportData``.
    """
    grok.name('waeup.DataCenterManager')
    grok.title(u'Datacenter Manager')
    grok.permissions('waeup.manageDataCenter')
241
class ImportManager(grok.Role):
    """Site role ``waeup.ImportManager``: data center plus data import."""
    grok.name('waeup.ImportManager')
    grok.title(u'Import Manager')
    grok.permissions('waeup.manageDataCenter',
                     'waeup.importData')
247
class ExportManager(grok.Role):
    """Site role ``waeup.ExportManager``: data center plus data export."""
    grok.name('waeup.ExportManager')
    grok.title(u'Export Manager')
    grok.permissions('waeup.manageDataCenter',
                     'waeup.exportData')
253
class BursaryOfficer(grok.Role):
    """Site role ``waeup.BursaryOfficer``: list students, view academics.

    Note that it does not grant ``waeup.exportData``, unlike the
    local clearance/adviser roles.
    """
    grok.name('waeup.BursaryOfficer')
    grok.title(u'Bursary Officer')
    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
258
class TranscriptOfficer(grok.Role):
    """Site role ``waeup.TranscriptOfficer``.

    Read-only: student listing, academics, transcripts and single
    student views. ``waeup.viewStudent`` is not declared in this
    module; it is expected to be registered by another Kofa package.
    """
    grok.name('waeup.TranscriptOfficer')
    grok.title(u'Transcript Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.viewTranscript',
                     'waeup.viewStudent')
266
class UsersManager(grok.Role):
    """Site role ``waeup.UsersManager``: manage and edit user accounts."""
    grok.name('waeup.UsersManager')
    grok.title(u'Users Manager')
    grok.permissions('waeup.manageUsers',
                     'waeup.editUser')
272
class WorkflowManager(grok.Role):
    """Site role ``waeup.WorkflowManager``.

    ``waeup.triggerTransition`` is not declared in this module; it is
    expected to be registered by another Kofa package.
    """
    grok.name('waeup.WorkflowManager')
    grok.title(u'Workflow Manager')
    grok.permissions('waeup.triggerTransition')
277
class PortalManager(grok.Role):
    """Site role ``waeup.PortalManager``: the broadest role in the portal.

    Bundles every permission declared in this module plus the
    applicant, student, hostel, report and job permissions registered
    elsewhere in Kofa. It includes account-affecting permissions
    (``waeup.manageUsers``, ``waeup.editUser``, ``waeup.loginAsStudent``),
    so it should be granted to as few principals as possible.
    CCOfficer below is the reduced variant of this list.
    """
    grok.name('waeup.PortalManager')
    grok.title(u'Portal Manager')
    grok.permissions('waeup.managePortal',
                     'waeup.manageUsers',
                     'waeup.viewAcademics', 'waeup.manageAcademics',
                     'waeup.manageACBatches',
                     'waeup.manageDataCenter',
                     'waeup.importData',
                     'waeup.exportData',
                     'waeup.viewTranscript',
                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
                     'waeup.manageApplication', 'waeup.handleApplication',
                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
                     'waeup.viewApplicationStatistics',
                     'waeup.viewStudent', 'waeup.manageStudent',
                     'waeup.clearStudent', 'waeup.payStudent',
                     'waeup.uploadStudentFile', 'waeup.showStudents',
                     'waeup.triggerTransition',
                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
                     'waeup.handleAccommodation',
                     'waeup.viewHostels', 'waeup.manageHostels',
                     'waeup.editUser',
                     'waeup.loginAsStudent',
                     'waeup.manageReports',
                     'waeup.manageJobs',
                     )
305
class CCOfficer(grok.Role):
    """This is basically a copy of the the PortalManager class. We exclude some
    'dangerous' permissions by commenting them out.

    Site role ``waeup.CCOfficer``. Because the list is a manual copy,
    it does not track PortalManager automatically: a permission added
    to PortalManager is *not* granted here until it is added to this
    list as well, and the commented-out entries below are the only
    record of what was excluded on purpose. Review both lists together
    whenever either changes.
    """
    grok.name('waeup.CCOfficer')
    grok.title(u'Computer Center Officer')
    grok.permissions(#'waeup.managePortal',
                     #'waeup.manageUsers',
                     'waeup.viewAcademics', 'waeup.manageAcademics',
                     #'waeup.manageACBatches',
                     'waeup.manageDataCenter',
                     #'waeup.importData',
                     'waeup.exportData',
                     'waeup.viewTranscript',
                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
                     'waeup.manageApplication', 'waeup.handleApplication',
                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
                     'waeup.viewApplicationStatistics',
                     'waeup.viewStudent', 'waeup.manageStudent',
                     'waeup.clearStudent', 'waeup.payStudent',
                     'waeup.uploadStudentFile', 'waeup.showStudents',
                     #'waeup.triggerTransition',
                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
                     'waeup.handleAccommodation',
                     'waeup.viewHostels', 'waeup.manageHostels',
                     #'waeup.editUser',
                     #'waeup.loginAsStudent',
                     'waeup.manageReports',
                     #'waeup.manageJobs',
                     )
336
def get_all_roles():
    """Return all registered roles as ``(<ROLE-NAME>, <ROLE>)`` pairs.

    This is a thin wrapper around ``getUtilitiesFor(IRole)`` and returns
    whatever that call produces (an iterable of name/role pairs).
    """
    registered_roles = getUtilitiesFor(IRole)
    return registered_roles
341
def get_waeup_roles(also_local=False):
    """Get all Kofa roles.

    Kofa roles are ordinary roles whose id by convention starts with
    a ``waeup.`` prefix.

    If `also_local` is ``True`` (``False`` by default), also local
    roles are returned. Local Kofa roles are such whose id starts
    with ``waeup.local.`` prefix (this is also a convention).

    Returns a generator of the found roles.
    """
    kofa_prefix = 'waeup.'
    local_prefix = 'waeup.local.'
    for role_id, role in get_all_roles():
        is_kofa_role = role_id.startswith(kofa_prefix)
        is_local_role = role_id.startswith(local_prefix)
        # Non-Kofa roles are always skipped; local roles only when the
        # caller did not ask for them.
        if is_kofa_role and (also_local or not is_local_role):
            yield role
362
def get_waeup_role_names():
    """Get the ids of all Kofa roles.

    See :func:`get_waeup_roles` for what a 'KofaRole' is.

    This function returns a sorted list of Kofa role names (site
    roles only, since `get_waeup_roles` is called without
    ``also_local``).
    """
    role_ids = (role.id for role in get_waeup_roles())
    return sorted(role_ids)
371
class LocalRolesAssignable(grok.Adapter):
    """Default implementation for `ILocalRolesAssignable`.

    This adapter returns a list of dictionaries for objects for which
    we want to know the roles assignable to them locally.

    The returned dicts contain a ``name`` and a ``title`` entry which
    give a role (``name``) and a description, for which kind of users
    the permission is meant to be used (``title``).

    Having this adapter registered we make sure, that for each normal
    object we get a valid `ILocalRolesAssignable` adapter.

    Objects that want to offer certain local roles, can do so by
    setting a (preferably class-) attribute ``local_roles`` to a list
    of role ids.

    You can also define different adapters for different contexts to
    have different role lookup mechanisms become available. But in
    normal cases it should be sufficient to use this basic adapter.
    """
    grok.context(Interface)
    grok.provides(ILocalRolesAssignable)

    # Fallback used when the context has no ``local_roles`` attribute.
    # ``__init__`` always rebinds ``self._roles`` on the instance, so
    # this class-level list is never mutated.
    _roles = []

    def __init__(self, context):
        self.context = context
        wanted_ids = getattr(context, 'local_roles', self._roles)
        # Keep only the registered roles the context asked for, as
        # ``(id, role)`` pairs. Unknown ids are silently ignored.
        self._roles = [
            (role_id, role) for role_id, role in get_all_roles()
            if role_id in wanted_ids]

    def __call__(self):
        """Get a list of dictionaries containing ``names`` (the roles to
        assign) and ``titles`` (some description of the type of user
        to assign each role to), sorted by role name.
        """
        entries = []
        for role_id, role in self._roles:
            entries.append(dict(
                name=role_id,
                title=role.title,
                description=role.description))
        entries.sort(key=lambda entry: entry['name'])
        return entries
415
def get_all_users():
    """Yield one dict per user in the site's ``users`` container.

    Each dict has a ``name`` entry (the id under which the user is
    stored) and a ``val`` entry (the user object itself). Users are
    yielded ordered by their ``title`` attribute.
    """
    users_container = grok.getSite()['users']
    by_title = sorted(
        users_container.items(), key=lambda entry: entry[1].title)
    for user_id, user in by_title:
        yield {'name': user_id, 'val': user}
422
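def get_users_with_local_roles(context):
    """Get a list of dicts representing the local roles set for `context`.

    Each dict returns `user_name`, `user_title`, `local_role`,
    `local_role_title`, and `setting` for each entry in the local
    roles map of the `context` object.

    Yields nothing if `context` cannot be adapted to
    `IPrincipalRoleMap`.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No map, no roles. A bare ``return`` ends the generator; the
        # former ``raise StopIteration`` inside a generator body becomes
        # a RuntimeError under PEP 479 (Python 3.7+).
        return
    # Role id -> role utility, looked up once instead of rebuilding the
    # whole dict for every map entry.
    roles_by_id = dict(get_all_roles())
    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
        user = grok.getSite()['users'].get(user_name, None)
        # Fall back to the raw principal id when no user object exists
        # for it (presumably an account that has since been removed but
        # still holds a role grant -- worth surfacing rather than hiding).
        user_title = getattr(user, 'title', user_name)
        local_role_title = getattr(
            roles_by_id.get(local_role, None), 'title', None)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   local_role=local_role,
                   local_role_title=local_role_title,
                   setting=setting)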
445
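def get_users_with_role(role, context):
    """Get a list of dicts representing the users who have been granted
    a role for `context`.

    Each dict contains `user_name`, `user_title`, `user_email` and
    `setting` for every principal listed for `role` in the local roles
    map of `context`. Yields nothing if `context` cannot be adapted to
    `IPrincipalRoleMap`.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No map, no roles. A bare ``return`` ends the generator; the
        # former ``raise StopIteration`` inside a generator body becomes
        # a RuntimeError under PEP 479 (Python 3.7+).
        return
    for user_name, setting in role_map.getPrincipalsForRole(role):
        user = grok.getSite()['users'].get(user_name, None)
        # Principal ids without a matching user object are still
        # reported, with the id standing in for the title.
        user_title = getattr(user, 'title', user_name)
        user_email = getattr(user, 'email', None)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   user_email=user_email,
                   setting=setting)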