source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 10632

Last change on this file since 10632 was 10632, checked in by Henrik Bettermann, 11 years ago

Add permission for score editing.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 16.7 KB
1## $Id: permissions.py 10632 2013-09-21 06:05:36Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
class Public(grok.Permission):
    """Everyone-can-do-this-permission.

    This permission is meant to be applied to objects/views/pages
    etc., that should be usable/readable by everyone.

    We need this so that the default permissions can be made more
    restrictive while some dedicated objects, like the front page,
    stay open.
    """
    # Anything protected with this id is meant to be reachable without a
    # login, so it should stay limited to content that is safe to expose.
    # No role in this module lists 'waeup.Public'; the grant itself is
    # presumably configured elsewhere -- TODO confirm.
    grok.name('waeup.Public')
35
class Anonymous(grok.Permission):
    """Only-anonymous-can-do-this-permission.
    """
    # No role in this module lists 'waeup.Anonymous'; presumably it is
    # granted to the unauthenticated principal elsewhere -- TODO confirm.
    grok.name('waeup.Anonymous')
40
class Authenticated(grok.Permission):
    """Only-logged-in-users-can-do-this-permission.
    """
    # No role in this module lists 'waeup.Authenticated'; presumably it is
    # granted to every logged-in principal elsewhere -- TODO confirm.
    grok.name('waeup.Authenticated')
45
# Declares the permission id 'waeup.viewAcademics'. In this module it is
# listed by most local roles and by the AcademicsOfficer, AcademicsManager,
# BursaryOfficer, PortalManager and CCOfficer site roles.
class ViewAcademicsPermission(grok.Permission):
    grok.name('waeup.viewAcademics')
48
# Declares the permission id 'waeup.manageAcademics'. In this module it is
# listed by the local DepartmentManager role and by the AcademicsManager,
# PortalManager and CCOfficer site roles.
class ManageAcademicsPermission(grok.Permission):
    grok.name('waeup.manageAcademics')
51
# Declares the permission id 'waeup.managePortal'. PortalManager is the only
# role in this module that lists it; CCOfficer has it commented out.
class ManagePortal(grok.Permission):
    grok.name('waeup.managePortal')
54
# Declares the permission id 'waeup.manageUsers'. Listed in this module by
# UsersManager and PortalManager; CCOfficer has it commented out.
class ManageUsers(grok.Permission):
    grok.name('waeup.manageUsers')
57
# Declares the permission id 'waeup.showStudents'. In this module every
# local role except ApplicationsManager and Owner lists it, as do the
# BursaryOfficer, PortalManager and CCOfficer site roles.
class ShowStudents(grok.Permission):
    grok.name('waeup.showStudents')
60
# Declares the permission id 'waeup.editScores'. Listed in this module by
# the local Lecturer role and by PortalManager and CCOfficer.
# NOTE(review): score editing changes academic records, so every role that
# lists this id deserves a deliberate review when the role tables change.
class EditScores(grok.Permission):
    grok.name('waeup.editScores')
63
# Declares the permission id 'waeup.editUser'. Listed in this module by the
# local Owner role and by UsersManager and PortalManager; CCOfficer has it
# commented out.
class EditUser(grok.Permission):
    grok.name('waeup.editUser')
66
# Declares the permission id 'waeup.manageDataCenter'. Listed in this module
# by DataCenterManager, ImportManager, ExportManager, PortalManager and
# CCOfficer.
class ManageDataCenter(grok.Permission):
    grok.name('waeup.manageDataCenter')
69
# Declares the permission id 'waeup.importData'. Listed in this module by
# ImportManager and PortalManager; CCOfficer has it commented out.
class ImportData(grok.Permission):
    grok.name('waeup.importData')
72
# Declares the permission id 'waeup.exportData'. It is the most widely
# listed export permission in this module: DepartmentManager, the clearance
# officer roles, the course adviser roles and Lecturer (all local), plus
# ExportManager, PortalManager and CCOfficer.
# NOTE(review): what a holder can actually export is decided by the views
# that require this id, which are not in this module -- confirm the scope
# for the local roles.
class ExportData(grok.Permission):
    grok.name('waeup.exportData')
75
# Declares the permission id 'waeup.exportPaymentsOverview'. The local
# DepartmentOfficer role is the only role in this module that lists it;
# PortalManager does not.
class ExportPaymentsOverview(grok.Permission):
    grok.name('waeup.exportPaymentsOverview')
78
# Declares the permission id 'waeup.exportBursaryData'. BursaryOfficer is
# the only role in this module that lists it; PortalManager does not.
class ExportBursaryData(grok.Permission):
    grok.name('waeup.exportBursaryData')
81
# Declares the permission id 'waeup.viewTranscript'. Listed in this module
# by PortalManager and CCOfficer only.
class ViewTranscript(grok.Permission):
    grok.name('waeup.viewTranscript')
84
# Declares the permission id 'waeup.managePortalConfiguration'. Listed in
# this module by PortalManager and CCOfficer only.
class ManagePortalConfiguration(grok.Permission):
    grok.name('waeup.managePortalConfiguration')
87
# Declares the permission id 'waeup.manageACBatches'. Listed in this module
# by ACManager (titled 'Access Code Manager') and PortalManager; CCOfficer
# has it commented out.
class ManageACBatches(grok.Permission):
    grok.name('waeup.manageACBatches')
90
91# Local Roles
# Local role (id starts with 'waeup.local.'), so get_waeup_roles() skips it
# unless called with also_local=True.
# NOTE(review): despite the title, the only permission listed here is
# 'waeup.viewAcademics'; any application-related rights would have to come
# from elsewhere -- confirm.
class ApplicationsManager(grok.Role):
    grok.name('waeup.local.ApplicationsManager')
    grok.title(u'Applications Manager')
    grok.permissions('waeup.viewAcademics')
96
# Local role combining academics management, the student listing and data
# export. It is the only local role in this module that lists
# 'waeup.manageAcademics'.
class DepartmentManager(grok.Role):
    grok.name('waeup.local.DepartmentManager')
    grok.title(u'Department Manager')
    grok.permissions('waeup.manageAcademics',
                     'waeup.showStudents',
                     'waeup.exportData')
103
# Local role with read access to academics and the student listing. It is
# the only role in this module that lists 'waeup.exportPaymentsOverview',
# and it does not list the general 'waeup.exportData'.
class DepartmentOfficer(grok.Role):
    grok.name('waeup.local.DepartmentOfficer')
    grok.title(u'Department Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportPaymentsOverview')
110
class ClearanceOfficer(grok.Role):
    """The clearance officer role is meant for the
    assignment of dynamic roles only.
    """
    # Same permission set as UGClearanceOfficer and PGClearanceOfficer in
    # this module; the three roles differ only in id and title.
    grok.name('waeup.local.ClearanceOfficer')
    grok.title(u'Clearance Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
120
class UGClearanceOfficer(grok.Role):
    """The UG clearance officer role is meant for the
    assignment of dynamic roles only.
    """
    # Same permission set as ClearanceOfficer and PGClearanceOfficer in this
    # module; the three roles differ only in id and title.
    grok.name('waeup.local.UGClearanceOfficer')
    grok.title(u'UG Clearance Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
130
class PGClearanceOfficer(grok.Role):
    """The PG clearance officer role is meant for the
    assignment of dynamic roles only.
    """
    # Same permission set as ClearanceOfficer and UGClearanceOfficer in this
    # module; the three roles differ only in id and title.
    grok.name('waeup.local.PGClearanceOfficer')
    grok.title(u'PG Clearance Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
140
class CourseAdviser100(grok.Role):
    """The 100 level course adviser role is meant for the
    assignment of dynamic roles only.
    """
    # All CourseAdviserNNN roles in this module list the same three
    # permissions; they differ only in id and title.
    grok.name('waeup.local.CourseAdviser100')
    grok.title(u'Course Adviser 100L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
150
class CourseAdviser200(grok.Role):
    """The 200 level course adviser role is meant for the
    assignment of dynamic roles only.
    """
    # All CourseAdviserNNN roles in this module list the same three
    # permissions; they differ only in id and title.
    grok.name('waeup.local.CourseAdviser200')
    grok.title(u'Course Adviser 200L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
160
class CourseAdviser300(grok.Role):
    """The 300 level course adviser role is meant for the
    assignment of dynamic roles only.
    """
    # All CourseAdviserNNN roles in this module list the same three
    # permissions; they differ only in id and title.
    grok.name('waeup.local.CourseAdviser300')
    grok.title(u'Course Adviser 300L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
170
class CourseAdviser400(grok.Role):
    """The 400 level course adviser role is meant for the
    assignment of dynamic roles only.
    """
    # All CourseAdviserNNN roles in this module list the same three
    # permissions; they differ only in id and title.
    grok.name('waeup.local.CourseAdviser400')
    grok.title(u'Course Adviser 400L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
180
class CourseAdviser500(grok.Role):
    """The 500 level course adviser role is meant for the
    assignment of dynamic roles only.
    """
    # All CourseAdviserNNN roles in this module list the same three
    # permissions; they differ only in id and title.
    grok.name('waeup.local.CourseAdviser500')
    grok.title(u'Course Adviser 500L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
190
class CourseAdviser600(grok.Role):
    """The 600 level course adviser role is meant for the
    assignment of dynamic roles only.
    """
    # All CourseAdviserNNN roles in this module list the same three
    # permissions; they differ only in id and title.
    grok.name('waeup.local.CourseAdviser600')
    grok.title(u'Course Adviser 600L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
200
class CourseAdviser700(grok.Role):
    """The 700 level course adviser role is meant for the
    assignment of dynamic roles only.
    """
    # All CourseAdviserNNN roles in this module list the same three
    # permissions; they differ only in id and title.
    grok.name('waeup.local.CourseAdviser700')
    grok.title(u'Course Adviser 700L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
210
class CourseAdviser800(grok.Role):
    """The 800 level course adviser role is meant for the
    assignment of dynamic roles only.
    """
    # All CourseAdviserNNN roles in this module list the same three
    # permissions; they differ only in id and title.
    grok.name('waeup.local.CourseAdviser800')
    grok.title(u'Course Adviser 800L')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportData')
220
class Lecturer(grok.Role):
    """The lecturer role is meant for the
    assignment of dynamic roles only.
    """
    # The only local role in this module that lists 'waeup.editScores'.
    # NOTE(review): because this is a local role, which scores a lecturer
    # can edit depends on the object the role is assigned on -- confirm that
    # the assignment is made per course rather than on a wider container.
    grok.name('waeup.local.Lecturer')
    grok.title(u'Lecturer')
    grok.permissions('waeup.showStudents',
                     'waeup.editScores',
                     'waeup.viewAcademics',
                     'waeup.exportData')
231
# Local role whose only permission is 'waeup.editUser'.
# NOTE(review): presumably assigned on a user object so that the user can
# edit that one record -- confirm where the role is granted.
class Owner(grok.Role):
    grok.name('waeup.local.Owner')
    grok.title(u'Owner')
    grok.permissions('waeup.editUser')
236
237# Site Roles
# Site role: the id starts with 'waeup.' but not 'waeup.local.', so
# get_waeup_roles() returns it by default. Lists the view permission only.
class AcademicsOfficer(grok.Role):
    grok.name('waeup.AcademicsOfficer')
    grok.title(u'Academics Officer (view only)')
    grok.permissions('waeup.viewAcademics')
242
# Site role listing both the view and the manage permission for academics.
class AcademicsManager(grok.Role):
    grok.name('waeup.AcademicsManager')
    grok.title(u'Academics Manager')
    grok.permissions('waeup.viewAcademics',
                     'waeup.manageAcademics')
248
# Site role whose only permission is 'waeup.manageACBatches'.
class ACManager(grok.Role):
    grok.name('waeup.ACManager')
    grok.title(u'Access Code Manager')
    grok.permissions('waeup.manageACBatches')
253
# Site role whose only permission is 'waeup.manageDataCenter'; it lists
# neither 'waeup.importData' nor 'waeup.exportData'.
class DataCenterManager(grok.Role):
    grok.name('waeup.DataCenterManager')
    grok.title(u'Datacenter Manager')
    grok.permissions('waeup.manageDataCenter')
258
# Site role listing 'waeup.manageDataCenter' plus 'waeup.importData', but
# not 'waeup.exportData'.
class ImportManager(grok.Role):
    grok.name('waeup.ImportManager')
    grok.title(u'Import Manager')
    grok.permissions('waeup.manageDataCenter',
                     'waeup.importData')
264
# Site role listing 'waeup.manageDataCenter' plus 'waeup.exportData', but
# not 'waeup.importData'.
class ExportManager(grok.Role):
    grok.name('waeup.ExportManager')
    grok.title(u'Export Manager')
    grok.permissions('waeup.manageDataCenter',
                     'waeup.exportData')
270
# Site role with read access to academics and the student listing. It is
# the only role in this module that lists 'waeup.exportBursaryData', and it
# does not list the general 'waeup.exportData'.
class BursaryOfficer(grok.Role):
    grok.name('waeup.BursaryOfficer')
    grok.title(u'Bursary Officer')
    grok.permissions('waeup.showStudents',
                     'waeup.viewAcademics',
                     'waeup.exportBursaryData')
277
# Site role for account administration: lists 'waeup.manageUsers' and
# 'waeup.editUser'.
class UsersManager(grok.Role):
    grok.name('waeup.UsersManager')
    grok.title(u'Users Manager')
    grok.permissions('waeup.manageUsers',
                     'waeup.editUser')
283
# Site role whose only permission is 'waeup.triggerTransition'.
# NOTE(review): no grok.Permission with that id is declared in this module;
# presumably another package declares it -- confirm that it is registered,
# otherwise this role grants nothing.
class WorkflowManager(grok.Role):
    grok.name('waeup.WorkflowManager')
    grok.title(u'Workflow Manager')
    grok.permissions('waeup.triggerTransition')
288
# Broadest role in this module. Besides the permissions declared above it
# lists many ids that are not declared here (for example the
# 'waeup.*Application*', 'waeup.*Student*', hostel, report and job ids);
# presumably they are declared in other packages -- TODO confirm.
# NOTE(review): the list includes 'waeup.manageUsers', 'waeup.editUser' and
# 'waeup.loginAsStudent', so a holder can administer accounts and act as a
# student. It does NOT list 'waeup.exportPaymentsOverview' or
# 'waeup.exportBursaryData'.
# CCOfficer below carries a hand-maintained copy of this list, so any
# permission added here needs a matching decision there.
class PortalManager(grok.Role):
    grok.name('waeup.PortalManager')
    grok.title(u'Portal Manager')
    grok.permissions('waeup.managePortal',
                     'waeup.manageUsers',
                     'waeup.viewAcademics', 'waeup.manageAcademics',
                     'waeup.manageACBatches',
                     'waeup.manageDataCenter',
                     'waeup.importData',
                     'waeup.exportData',
                     'waeup.viewTranscript',
                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
                     'waeup.manageApplication', 'waeup.handleApplication',
                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
                     'waeup.viewApplicationStatistics',
                     'waeup.viewStudent', 'waeup.manageStudent',
                     'waeup.clearStudent', 'waeup.payStudent',
                     'waeup.uploadStudentFile', 'waeup.showStudents',
                     'waeup.editScores',
                     'waeup.triggerTransition',
                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
                     'waeup.handleAccommodation',
                     'waeup.viewHostels', 'waeup.manageHostels',
                     'waeup.editUser',
                     'waeup.loginAsStudent',
                     'waeup.manageReports',
                     'waeup.manageJobs',
                     )
317
class CCOfficer(grok.Role):
    """This is basically a copy of the PortalManager class. We exclude some
    'dangerous' permissions by commenting them out.
    """
    # grok.baseclass() marks this class as a base class, so it is not
    # registered as a role by itself; presumably deployment-specific packages
    # subclass it -- TODO confirm.
    # NOTE(review): the exclusions are kept by hand. A permission added to
    # PortalManager is only withheld here if someone also edits this list,
    # so the two lists should be compared whenever either one changes.
    # Still listed after the exclusions: 'waeup.managePortalConfiguration',
    # 'waeup.manageDataCenter', 'waeup.exportData', 'waeup.manageStudent'
    # and 'waeup.editScores'.
    grok.baseclass()
    grok.name('waeup.CCOfficer')
    grok.title(u'Computer Center Officer')
    grok.permissions(#'waeup.managePortal',
                     #'waeup.manageUsers',
                     'waeup.viewAcademics', 'waeup.manageAcademics',
                     #'waeup.manageACBatches',
                     'waeup.manageDataCenter',
                     #'waeup.importData',
                     'waeup.exportData',
                     'waeup.viewTranscript',
                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
                     'waeup.manageApplication', 'waeup.handleApplication',
                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
                     'waeup.viewApplicationStatistics',
                     'waeup.viewStudent', 'waeup.manageStudent',
                     'waeup.clearStudent', 'waeup.payStudent',
                     'waeup.uploadStudentFile', 'waeup.showStudents',
                     'waeup.editScores',
                     #'waeup.triggerTransition',
                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
                     'waeup.handleAccommodation',
                     'waeup.viewHostels', 'waeup.manageHostels',
                     #'waeup.editUser',
                     #'waeup.loginAsStudent',
                     'waeup.manageReports',
                     #'waeup.manageJobs',
                     )
350
def get_all_roles():
    """Return every registered ``IRole`` utility as ``<ROLE-NAME>, <ROLE>`` pairs.

    The result is exactly what ``getUtilitiesFor(IRole)`` hands back; no
    filtering by prefix is applied at this level.
    """
    registered_roles = getUtilitiesFor(IRole)
    return registered_roles
355
def get_waeup_roles(also_local=False):
    """Yield all Kofa roles.

    A role counts as a Kofa role when its id starts with ``waeup.``; a
    local Kofa role is one whose id starts with ``waeup.local.``. Both
    prefixes are naming conventions only, so any registered role that
    uses them is picked up here.

    Local roles are left out unless `also_local` is ``True``
    (``False`` by default).

    Returns a generator of the found roles.
    """
    kofa_prefix = 'waeup.'
    local_prefix = 'waeup.local.'
    for role_id, role in get_all_roles():
        is_kofa = role_id.startswith(kofa_prefix)
        is_local = role_id.startswith(local_prefix)
        # Keep Kofa roles; keep local ones only on request.
        if is_kofa and (also_local or not is_local):
            yield role
376
def get_waeup_role_names():
    """Return the sorted ids of all non-local Kofa roles.

    See :func:`get_waeup_roles` for what counts as a Kofa role. That
    function is called with its default arguments, so ids starting with
    ``waeup.local.`` are not part of the result.
    """
    role_ids = [role.id for role in get_waeup_roles()]
    role_ids.sort()
    return role_ids
385
class LocalRolesAssignable(grok.Adapter):
    """Default implementation for `ILocalRolesAssignable`.

    Adapts any object (the context is plain ``Interface``) and tells
    which roles may be assigned locally on it, so that every normal
    object gets a valid `ILocalRolesAssignable` adapter.

    The role ids offered are read from the ``local_roles`` attribute of
    the adapted object (preferably a class attribute holding a list of
    role ids). Objects without that attribute offer no local roles.

    Calling the adapter returns a list of dicts with ``name``,
    ``title`` and ``description`` entries, one per offered role.

    Other adapters can be registered for specific contexts when a
    different role lookup is needed; in normal cases this basic adapter
    should be sufficient.
    """
    grok.context(Interface)
    grok.provides(ILocalRolesAssignable)

    # Fallback when the context defines no ``local_roles``.
    _roles = []

    def __init__(self, context):
        self.context = context
        wanted_ids = getattr(context, 'local_roles', self._roles)
        # Only ids that match a registered role survive; unknown ids in
        # ``local_roles`` are silently dropped.
        matching = []
        for role_id, role in get_all_roles():
            if role_id in wanted_ids:
                matching.append((role_id, role))
        self._roles = matching

    def __call__(self):
        """Return the offered roles as a list of dicts sorted by ``name``.

        Each dict holds ``name`` (the role id), ``title`` and
        ``description`` of one role.
        """
        entries = []
        for role_id, role in self._roles:
            entries.append({
                'name': role_id,
                'title': role.title,
                'description': role.description,
            })
        entries.sort(key=lambda entry: entry['name'])
        return entries
429
def get_all_users():
    """Yield one dict per entry of the site's ``users`` container.

    Entries are ordered by the ``title`` of the stored object. Each
    dict has the container key under ``name`` and the stored object
    itself under ``val``.

    NOTE(review): no permission check happens here and the full user
    objects are handed out; presumably the calling views are protected
    -- confirm.
    """
    user_container = grok.getSite()['users']
    by_title = sorted(user_container.items(), key=lambda entry: entry[1].title)
    for user_id, user in by_title:
        yield {'name': user_id, 'val': user}
436
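def get_users_with_local_roles(context):
    """Yield dicts representing the local roles set for `context`.

    Each dict holds `user_name`, `user_title`, `local_role`,
    `local_role_title`, and `setting` for one entry in the local
    roles map of the `context` object.

    Nothing is yielded when `context` cannot be adapted to
    ``IPrincipalRoleMap``.

    A principal that is not found in the site's ``users`` container is
    still reported, with its id used as `user_title`. A role id that
    is not registered gets ``None`` as `local_role_title`.

    `setting` is passed through unchanged from the role map, so callers
    should inspect it rather than treat every entry as a grant.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No map, no roles. A plain ``return`` ends the generator;
        # ``raise StopIteration`` inside a generator is turned into a
        # RuntimeError under PEP 479 (the default from Python 3.7).
        return
    # Build the id -> role lookup once instead of once per entry.
    roles_by_id = dict(get_all_roles())
    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
        user = grok.getSite()['users'].get(user_name, None)
        user_title = getattr(user, 'title', user_name)
        local_role_title = getattr(
            roles_by_id.get(local_role, None), 'title', None)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   local_role=local_role,
                   local_role_title=local_role_title,
                   setting=setting)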
459
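def get_users_with_role(role, context):
    """Yield dicts representing the users who have an entry for `role`
    in the local roles map of `context`.

    Each dict holds `user_name`, `user_title`, `user_email` and
    `setting`. Nothing is yielded when `context` cannot be adapted to
    ``IPrincipalRoleMap``.

    A principal that is not found in the site's ``users`` container is
    still reported, with its id as `user_title` and ``None`` as
    `user_email`.

    `setting` is passed through unchanged from the role map. The map
    can record a denial as well as a grant, so callers must check
    `setting` before treating an entry as "has the role".
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No map, no roles. A plain ``return`` ends the generator;
        # ``raise StopIteration`` inside a generator is turned into a
        # RuntimeError under PEP 479 (the default from Python 3.7).
        return
    for user_name, setting in role_map.getPrincipalsForRole(role):
        user = grok.getSite()['users'].get(user_name, None)
        user_title = getattr(user, 'title', user_name)
        user_email = getattr(user, 'email', None)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   user_email=user_email,
                   setting=setting)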