source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 11737

Last change on this file since 11737 was 11673, checked in by uli, 10 years ago

Add permission for uploading biometric data.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 17.7 KB
Line 
1## $Id: permissions.py 11673 2014-05-28 11:26:56Z uli $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
35
36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
39    grok.name('waeup.Anonymous')
40
41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
45
46class ViewAcademicsPermission(grok.Permission):
47    grok.name('waeup.viewAcademics')
48
49class ManageAcademicsPermission(grok.Permission):
50    grok.name('waeup.manageAcademics')
51
52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
57
58class ShowStudents(grok.Permission):
59    grok.name('waeup.showStudents')
60
61class EditScores(grok.Permission):
62    grok.name('waeup.editScores')
63
64class EditUser(grok.Permission):
65    grok.name('waeup.editUser')
66
67class ManageDataCenter(grok.Permission):
68    grok.name('waeup.manageDataCenter')
69
70class ImportData(grok.Permission):
71    grok.name('waeup.importData')
72
73class ExportData(grok.Permission):
74    grok.name('waeup.exportData')
75
76class ExportPaymentsOverview(grok.Permission):
77    grok.name('waeup.exportPaymentsOverview')
78
79class ExportBursaryData(grok.Permission):
80    grok.name('waeup.exportBursaryData')
81
82class ViewTranscript(grok.Permission):
83    grok.name('waeup.viewTranscript')
84
85class ManagePortalConfiguration(grok.Permission):
86    grok.name('waeup.managePortalConfiguration')
87
88class ManageACBatches(grok.Permission):
89    grok.name('waeup.manageACBatches')
90
91class PutBiometricDataPermission(grok.Permission):
92    """Permission to upload/change biometric data.
93    """
94    grok.name('waeup.putBiometricData')
95
96class GetBiometricDataPermission(grok.Permission):
97    """Permission to read biometric data.
98    """
99    grok.name('waeup.getBiometricData')
100
101
102# Local Roles
103class ApplicationsManager(grok.Role):
104    grok.name('waeup.local.ApplicationsManager')
105    grok.title(u'Applications Manager')
106    grok.permissions('waeup.viewAcademics')
107
108class DepartmentManager(grok.Role):
109    grok.name('waeup.local.DepartmentManager')
110    grok.title(u'Department Manager')
111    grok.permissions('waeup.manageAcademics',
112                     'waeup.showStudents',
113                     'waeup.exportData')
114
115class DepartmentOfficer(grok.Role):
116    grok.name('waeup.local.DepartmentOfficer')
117    grok.title(u'Department Officer')
118    grok.permissions('waeup.showStudents',
119                     'waeup.viewAcademics',
120                     'waeup.exportPaymentsOverview')
121
122class ClearanceOfficer(grok.Role):
123    """The clearance officer role is meant for the
124    assignment of dynamic roles only.
125    """
126    grok.name('waeup.local.ClearanceOfficer')
127    grok.title(u'Clearance Officer')
128    grok.permissions('waeup.showStudents',
129                     'waeup.viewAcademics',
130                     'waeup.exportData')
131
132class LocalStudentsManager(grok.Role):
133    """The local students manager role is meant for the
134    assignment of dynamic roles only.
135    """
136    grok.name('waeup.local.LocalStudentsManager')
137    grok.title(u'Students Manager')
138    grok.permissions('waeup.showStudents',
139                     'waeup.viewAcademics',
140                     'waeup.exportData')
141
142class LocalWorkflowManager(grok.Role):
143    """The local workflow manager role is meant for the
144    assignment of dynamic roles only.
145    """
146    grok.name('waeup.local.LocalWorkflowManager')
147    grok.title(u'Student Workflow Manager')
148    grok.permissions('waeup.showStudents',
149                     'waeup.viewAcademics',
150                     'waeup.exportData')
151
152class UGClearanceOfficer(grok.Role):
153    """The clearance officer role is meant for the
154    assignment of dynamic roles only.
155    """
156    grok.name('waeup.local.UGClearanceOfficer')
157    grok.title(u'UG Clearance Officer')
158    grok.permissions('waeup.showStudents',
159                     'waeup.viewAcademics',
160                     'waeup.exportData')
161
162class PGClearanceOfficer(grok.Role):
163    """The clearance officer role is meant for the
164    assignment of dynamic roles only.
165    """
166    grok.name('waeup.local.PGClearanceOfficer')
167    grok.title(u'PG Clearance Officer')
168    grok.permissions('waeup.showStudents',
169                     'waeup.viewAcademics',
170                     'waeup.exportData')
171
172class CourseAdviser100(grok.Role):
173    """The 100 level course adviser role is meant for the
174    assignment of dynamic roles only.
175    """
176    grok.name('waeup.local.CourseAdviser100')
177    grok.title(u'Course Adviser 100L')
178    grok.permissions('waeup.showStudents',
179                     'waeup.viewAcademics',
180                     'waeup.exportData')
181
182class CourseAdviser200(grok.Role):
183    """The course 200 level adviser role is meant for the
184    assignment of dynamic roles only.
185    """
186    grok.name('waeup.local.CourseAdviser200')
187    grok.title(u'Course Adviser 200L')
188    grok.permissions('waeup.showStudents',
189                     'waeup.viewAcademics',
190                     'waeup.exportData')
191
192class CourseAdviser300(grok.Role):
193    """The 300 level course adviser role is meant for the
194    assignment of dynamic roles only.
195    """
196    grok.name('waeup.local.CourseAdviser300')
197    grok.title(u'Course Adviser 300L')
198    grok.permissions('waeup.showStudents',
199                     'waeup.viewAcademics',
200                     'waeup.exportData')
201
202class CourseAdviser400(grok.Role):
203    """The 400 level course adviser role is meant for the
204    assignment of dynamic roles only.
205    """
206    grok.name('waeup.local.CourseAdviser400')
207    grok.title(u'Course Adviser 400L')
208    grok.permissions('waeup.showStudents',
209                     'waeup.viewAcademics',
210                     'waeup.exportData')
211
212class CourseAdviser500(grok.Role):
213    """The 500 level course adviser role is meant for the
214    assignment of dynamic roles only.
215    """
216    grok.name('waeup.local.CourseAdviser500')
217    grok.title(u'Course Adviser 500L')
218    grok.permissions('waeup.showStudents',
219                     'waeup.viewAcademics',
220                     'waeup.exportData')
221
222class CourseAdviser600(grok.Role):
223    """The 600 level course adviser role is meant for the
224    assignment of dynamic roles only.
225    """
226    grok.name('waeup.local.CourseAdviser600')
227    grok.title(u'Course Adviser 600L')
228    grok.permissions('waeup.showStudents',
229                     'waeup.viewAcademics',
230                     'waeup.exportData')
231
232class CourseAdviser700(grok.Role):
233    """The 700 level course adviser role is meant for the
234    assignment of dynamic roles only.
235    """
236    grok.name('waeup.local.CourseAdviser700')
237    grok.title(u'Course Adviser 700L')
238    grok.permissions('waeup.showStudents',
239                     'waeup.viewAcademics',
240                     'waeup.exportData')
241
242class CourseAdviser800(grok.Role):
243    """The 800 level course adviser role is meant for the
244    assignment of dynamic roles only.
245    """
246    grok.name('waeup.local.CourseAdviser800')
247    grok.title(u'Course Adviser 800L')
248    grok.permissions('waeup.showStudents',
249                     'waeup.viewAcademics',
250                     'waeup.exportData')
251
252class Lecturer(grok.Role):
253    """The lecturer role is meant for the
254    assignment of dynamic roles only.
255    """
256    grok.name('waeup.local.Lecturer')
257    grok.title(u'Lecturer')
258    grok.permissions('waeup.showStudents',
259                     'waeup.editScores',
260                     'waeup.viewAcademics',
261                     'waeup.exportData')
262
263class Owner(grok.Role):
264    grok.name('waeup.local.Owner')
265    grok.title(u'Owner')
266    grok.permissions('waeup.editUser')
267
268# Site Roles
269class AcademicsOfficer(grok.Role):
270    grok.name('waeup.AcademicsOfficer')
271    grok.title(u'Academics Officer (view only)')
272    grok.permissions('waeup.viewAcademics')
273
274class AcademicsManager(grok.Role):
275    grok.name('waeup.AcademicsManager')
276    grok.title(u'Academics Manager')
277    grok.permissions('waeup.viewAcademics',
278                     'waeup.manageAcademics')
279
280class ACManager(grok.Role):
281    grok.name('waeup.ACManager')
282    grok.title(u'Access Code Manager')
283    grok.permissions('waeup.manageACBatches')
284
285class DataCenterManager(grok.Role):
286    grok.name('waeup.DataCenterManager')
287    grok.title(u'Datacenter Manager')
288    grok.permissions('waeup.manageDataCenter')
289
290class ImportManager(grok.Role):
291    grok.name('waeup.ImportManager')
292    grok.title(u'Import Manager')
293    grok.permissions('waeup.manageDataCenter',
294                     'waeup.importData')
295
296class ExportManager(grok.Role):
297    grok.name('waeup.ExportManager')
298    grok.title(u'Export Manager')
299    grok.permissions('waeup.manageDataCenter',
300                     'waeup.exportData')
301
302class BursaryOfficer(grok.Role):
303    grok.name('waeup.BursaryOfficer')
304    grok.title(u'Bursary Officer')
305    grok.permissions('waeup.showStudents',
306                     'waeup.viewAcademics',
307                     'waeup.exportBursaryData')
308
309class UsersManager(grok.Role):
310    grok.name('waeup.UsersManager')
311    grok.title(u'Users Manager')
312    grok.permissions('waeup.manageUsers',
313                     'waeup.editUser')
314
315class WorkflowManager(grok.Role):
316    grok.name('waeup.WorkflowManager')
317    grok.title(u'Workflow Manager')
318    grok.permissions('waeup.triggerTransition')
319
320class PortalManager(grok.Role):
321    grok.name('waeup.PortalManager')
322    grok.title(u'Portal Manager')
323    grok.permissions('waeup.managePortal',
324                     'waeup.manageUsers',
325                     'waeup.viewAcademics', 'waeup.manageAcademics',
326                     'waeup.manageACBatches',
327                     'waeup.manageDataCenter',
328                     'waeup.importData',
329                     'waeup.exportData',
330                     'waeup.viewTranscript',
331                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
332                     'waeup.manageApplication', 'waeup.handleApplication',
333                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
334                     'waeup.viewApplicationStatistics',
335                     'waeup.viewStudent', 'waeup.manageStudent',
336                     'waeup.clearStudent', 'waeup.payStudent',
337                     'waeup.uploadStudentFile', 'waeup.showStudents',
338                     'waeup.editScores',
339                     'waeup.triggerTransition',
340                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
341                     'waeup.handleAccommodation',
342                     'waeup.viewHostels', 'waeup.manageHostels',
343                     'waeup.editUser',
344                     'waeup.loginAsStudent',
345                     'waeup.manageReports',
346                     'waeup.manageJobs',
347                     )
348
349class CCOfficer(grok.Role):
350    """This is basically a copy of the the PortalManager class. We exclude some
351    'dangerous' permissions by commenting them out.
352    """
353    grok.baseclass()
354    grok.name('waeup.CCOfficer')
355    grok.title(u'Computer Center Officer')
356    grok.permissions(#'waeup.managePortal',
357                     #'waeup.manageUsers',
358                     'waeup.viewAcademics', 'waeup.manageAcademics',
359                     #'waeup.manageACBatches',
360                     'waeup.manageDataCenter',
361                     #'waeup.importData',
362                     'waeup.exportData',
363                     'waeup.viewTranscript',
364                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
365                     'waeup.manageApplication', 'waeup.handleApplication',
366                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
367                     'waeup.viewApplicationStatistics',
368                     'waeup.viewStudent', 'waeup.manageStudent',
369                     'waeup.clearStudent', 'waeup.payStudent',
370                     'waeup.uploadStudentFile', 'waeup.showStudents',
371                     'waeup.editScores',
372                     #'waeup.triggerTransition',
373                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
374                     'waeup.handleAccommodation',
375                     'waeup.viewHostels', 'waeup.manageHostels',
376                     #'waeup.editUser',
377                     #'waeup.loginAsStudent',
378                     'waeup.manageReports',
379                     #'waeup.manageJobs',
380                     )
381
382def get_all_roles():
383    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
384    """
385    return getUtilitiesFor(IRole)
386
387def get_waeup_roles(also_local=False):
388    """Get all Kofa roles.
389
390    Kofa roles are ordinary roles whose id by convention starts with
391    a ``waeup.`` prefix.
392
393    If `also_local` is ``True`` (``False`` by default), also local
394    roles are returned. Local Kofa roles are such whose id starts
395    with ``waeup.local.`` prefix (this is also a convention).
396
397    Returns a generator of the found roles.
398    """
399    for name, item in get_all_roles():
400        if not name.startswith('waeup.'):
401            # Ignore non-Kofa roles...
402            continue
403        if not also_local and name.startswith('waeup.local.'):
404            # Ignore local roles...
405            continue
406        yield item
407
408def get_waeup_role_names():
409    """Get the ids of all Kofa roles.
410
411    See :func:`get_waeup_roles` for what a 'KofaRole' is.
412
413    This function returns a sorted list of Kofa role names.
414    """
415    return sorted([x.id for x in get_waeup_roles()])
416
417class LocalRolesAssignable(grok.Adapter):
418    """Default implementation for `ILocalRolesAssignable`.
419
420    This adapter returns a list for dictionaries for objects for which
421    we want to know the roles assignable to them locally.
422
423    The returned dicts contain a ``name`` and a ``title`` entry which
424    give a role (``name``) and a description, for which kind of users
425    the permission is meant to be used (``title``).
426
427    Having this adapter registered we make sure, that for each normal
428    object we get a valid `ILocalRolesAssignable` adapter.
429
430    Objects that want to offer certain local roles, can do so by
431    setting a (preferably class-) attribute to a list of role ids.
432
433    You can also define different adapters for different contexts to
434    have different role lookup mechanisms become available. But in
435    normal cases it should be sufficient to use this basic adapter.
436    """
437    grok.context(Interface)
438    grok.provides(ILocalRolesAssignable)
439
440    _roles = []
441
442    def __init__(self, context):
443        self.context = context
444        role_ids = getattr(context, 'local_roles', self._roles)
445        self._roles = [(name, role) for name, role in get_all_roles()
446                       if name in role_ids]
447        return
448
449    def __call__(self):
450        """Get a list of dictionaries containing ``names`` (the roles to
451        assign) and ``titles`` (some description of the type of user
452        to assign each role to).
453        """
454        list_of_dict = [dict(
455                name=name,
456                title=role.title,
457                description=role.description)
458                for name, role in self._roles]
459        return sorted(list_of_dict, key=lambda x: x['name'])
460
461def get_all_users():
462    """Get a list of dictionaries.
463    """
464    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
465    for key, val in users:
466        yield(dict(name=key, val=val))
467
468def get_users_with_local_roles(context):
469    """Get a list of dicts representing the local roles set for `context`.
470
471    Each dict returns `user_name`, `user_title`, `local_role`,
472    `local_role_title`, and `setting` for each entry in the local
473    roles map of the `context` object.
474    """
475    try:
476        role_map = IPrincipalRoleMap(context)
477    except TypeError:
478        # no map no roles.
479        raise StopIteration
480    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
481        user = grok.getSite()['users'].get(user_name,None)
482        user_title = getattr(user, 'title', user_name)
483        local_role_title = getattr(
484            dict(get_all_roles()).get(local_role, None), 'title', None)
485        yield dict(user_name = user_name,
486                   user_title = user_title,
487                   local_role = local_role,
488                   local_role_title = local_role_title,
489                   setting = setting)
490
491def get_users_with_role(role, context):
492    """Get a list of dicts representing the usres who have been granted
493    a role for `context`.
494    """
495    try:
496        role_map = IPrincipalRoleMap(context)
497    except TypeError:
498        # no map no roles.
499        raise StopIteration
500    for user_name, setting in role_map.getPrincipalsForRole(role):
501        user = grok.getSite()['users'].get(user_name,None)
502        user_title = getattr(user, 'title', user_name)
503        user_email = getattr(user, 'email', None)
504        yield dict(user_name = user_name,
505                   user_title = user_title,
506                   user_email = user_email,
507                   setting = setting)
Note: See TracBrowser for help on using the repository browser.