source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 12000

Last change on this file since 12000 was 11862, checked in by Henrik Bettermann, 10 years ago

Add permission, page and button to mass-clear all students in a department.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 18.0 KB
Line 
1## $Id: permissions.py 11862 2014-10-21 07:07:04Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
35
36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
39    grok.name('waeup.Anonymous')
40
41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
45
46class ViewAcademicsPermission(grok.Permission):
47    grok.name('waeup.viewAcademics')
48
49class ManageAcademicsPermission(grok.Permission):
50    grok.name('waeup.manageAcademics')
51
52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
57
58class ShowStudents(grok.Permission):
59    grok.name('waeup.showStudents')
60
61class ClearAllStudents(grok.Permission):
62    grok.name('waeup.clearAllStudents')
63
64class EditScores(grok.Permission):
65    grok.name('waeup.editScores')
66
67class EditUser(grok.Permission):
68    grok.name('waeup.editUser')
69
70class ManageDataCenter(grok.Permission):
71    grok.name('waeup.manageDataCenter')
72
73class ImportData(grok.Permission):
74    grok.name('waeup.importData')
75
76class ExportData(grok.Permission):
77    grok.name('waeup.exportData')
78
79class ExportPaymentsOverview(grok.Permission):
80    grok.name('waeup.exportPaymentsOverview')
81
82class ExportBursaryData(grok.Permission):
83    grok.name('waeup.exportBursaryData')
84
85class ViewTranscript(grok.Permission):
86    grok.name('waeup.viewTranscript')
87
88class ManagePortalConfiguration(grok.Permission):
89    grok.name('waeup.managePortalConfiguration')
90
91class ManageACBatches(grok.Permission):
92    grok.name('waeup.manageACBatches')
93
94class PutBiometricDataPermission(grok.Permission):
95    """Permission to upload/change biometric data.
96    """
97    grok.name('waeup.putBiometricData')
98
99class GetBiometricDataPermission(grok.Permission):
100    """Permission to read biometric data.
101    """
102    grok.name('waeup.getBiometricData')
103
104
105# Local Roles
106class ApplicationsManager(grok.Role):
107    grok.name('waeup.local.ApplicationsManager')
108    grok.title(u'Applications Manager')
109    grok.permissions('waeup.viewAcademics')
110
111class DepartmentManager(grok.Role):
112    grok.name('waeup.local.DepartmentManager')
113    grok.title(u'Department Manager')
114    grok.permissions('waeup.manageAcademics',
115                     'waeup.showStudents',
116                     'waeup.exportData')
117
118class DepartmentOfficer(grok.Role):
119    grok.name('waeup.local.DepartmentOfficer')
120    grok.title(u'Department Officer')
121    grok.permissions('waeup.showStudents',
122                     'waeup.viewAcademics',
123                     'waeup.exportPaymentsOverview')
124
125class ClearanceOfficer(grok.Role):
126    """The clearance officer role is meant for the
127    assignment of dynamic roles only.
128    """
129    grok.name('waeup.local.ClearanceOfficer')
130    grok.title(u'Clearance Officer')
131    grok.permissions('waeup.showStudents',
132                     'waeup.viewAcademics',
133                     'waeup.exportData',
134                     'waeup.clearAllStudents')
135
136class LocalStudentsManager(grok.Role):
137    """The local students manager role is meant for the
138    assignment of dynamic roles only.
139    """
140    grok.name('waeup.local.LocalStudentsManager')
141    grok.title(u'Students Manager')
142    grok.permissions('waeup.showStudents',
143                     'waeup.viewAcademics',
144                     'waeup.exportData')
145
146class LocalWorkflowManager(grok.Role):
147    """The local workflow manager role is meant for the
148    assignment of dynamic roles only.
149    """
150    grok.name('waeup.local.LocalWorkflowManager')
151    grok.title(u'Student Workflow Manager')
152    grok.permissions('waeup.showStudents',
153                     'waeup.viewAcademics',
154                     'waeup.exportData')
155
156class UGClearanceOfficer(grok.Role):
157    """The clearance officer role is meant for the
158    assignment of dynamic roles only.
159    """
160    grok.name('waeup.local.UGClearanceOfficer')
161    grok.title(u'UG Clearance Officer')
162    grok.permissions('waeup.showStudents',
163                     'waeup.viewAcademics',
164                     'waeup.exportData',
165                     'waeup.clearAllStudents')
166
167class PGClearanceOfficer(grok.Role):
168    """The clearance officer role is meant for the
169    assignment of dynamic roles only.
170    """
171    grok.name('waeup.local.PGClearanceOfficer')
172    grok.title(u'PG Clearance Officer')
173    grok.permissions('waeup.showStudents',
174                     'waeup.viewAcademics',
175                     'waeup.exportData',
176                     'waeup.clearAllStudents')
177
178class CourseAdviser100(grok.Role):
179    """The 100 level course adviser role is meant for the
180    assignment of dynamic roles only.
181    """
182    grok.name('waeup.local.CourseAdviser100')
183    grok.title(u'Course Adviser 100L')
184    grok.permissions('waeup.showStudents',
185                     'waeup.viewAcademics',
186                     'waeup.exportData')
187
188class CourseAdviser200(grok.Role):
189    """The course 200 level adviser role is meant for the
190    assignment of dynamic roles only.
191    """
192    grok.name('waeup.local.CourseAdviser200')
193    grok.title(u'Course Adviser 200L')
194    grok.permissions('waeup.showStudents',
195                     'waeup.viewAcademics',
196                     'waeup.exportData')
197
198class CourseAdviser300(grok.Role):
199    """The 300 level course adviser role is meant for the
200    assignment of dynamic roles only.
201    """
202    grok.name('waeup.local.CourseAdviser300')
203    grok.title(u'Course Adviser 300L')
204    grok.permissions('waeup.showStudents',
205                     'waeup.viewAcademics',
206                     'waeup.exportData')
207
208class CourseAdviser400(grok.Role):
209    """The 400 level course adviser role is meant for the
210    assignment of dynamic roles only.
211    """
212    grok.name('waeup.local.CourseAdviser400')
213    grok.title(u'Course Adviser 400L')
214    grok.permissions('waeup.showStudents',
215                     'waeup.viewAcademics',
216                     'waeup.exportData')
217
218class CourseAdviser500(grok.Role):
219    """The 500 level course adviser role is meant for the
220    assignment of dynamic roles only.
221    """
222    grok.name('waeup.local.CourseAdviser500')
223    grok.title(u'Course Adviser 500L')
224    grok.permissions('waeup.showStudents',
225                     'waeup.viewAcademics',
226                     'waeup.exportData')
227
228class CourseAdviser600(grok.Role):
229    """The 600 level course adviser role is meant for the
230    assignment of dynamic roles only.
231    """
232    grok.name('waeup.local.CourseAdviser600')
233    grok.title(u'Course Adviser 600L')
234    grok.permissions('waeup.showStudents',
235                     'waeup.viewAcademics',
236                     'waeup.exportData')
237
238class CourseAdviser700(grok.Role):
239    """The 700 level course adviser role is meant for the
240    assignment of dynamic roles only.
241    """
242    grok.name('waeup.local.CourseAdviser700')
243    grok.title(u'Course Adviser 700L')
244    grok.permissions('waeup.showStudents',
245                     'waeup.viewAcademics',
246                     'waeup.exportData')
247
248class CourseAdviser800(grok.Role):
249    """The 800 level course adviser role is meant for the
250    assignment of dynamic roles only.
251    """
252    grok.name('waeup.local.CourseAdviser800')
253    grok.title(u'Course Adviser 800L')
254    grok.permissions('waeup.showStudents',
255                     'waeup.viewAcademics',
256                     'waeup.exportData')
257
258class Lecturer(grok.Role):
259    """The lecturer role is meant for the
260    assignment of dynamic roles only.
261    """
262    grok.name('waeup.local.Lecturer')
263    grok.title(u'Lecturer')
264    grok.permissions('waeup.showStudents',
265                     'waeup.editScores',
266                     'waeup.viewAcademics',
267                     'waeup.exportData')
268
269class Owner(grok.Role):
270    grok.name('waeup.local.Owner')
271    grok.title(u'Owner')
272    grok.permissions('waeup.editUser')
273
274# Site Roles
275class AcademicsOfficer(grok.Role):
276    grok.name('waeup.AcademicsOfficer')
277    grok.title(u'Academics Officer (view only)')
278    grok.permissions('waeup.viewAcademics')
279
280class AcademicsManager(grok.Role):
281    grok.name('waeup.AcademicsManager')
282    grok.title(u'Academics Manager')
283    grok.permissions('waeup.viewAcademics',
284                     'waeup.manageAcademics')
285
286class ACManager(grok.Role):
287    grok.name('waeup.ACManager')
288    grok.title(u'Access Code Manager')
289    grok.permissions('waeup.manageACBatches')
290
291class DataCenterManager(grok.Role):
292    grok.name('waeup.DataCenterManager')
293    grok.title(u'Datacenter Manager')
294    grok.permissions('waeup.manageDataCenter')
295
296class ImportManager(grok.Role):
297    grok.name('waeup.ImportManager')
298    grok.title(u'Import Manager')
299    grok.permissions('waeup.manageDataCenter',
300                     'waeup.importData')
301
302class ExportManager(grok.Role):
303    grok.name('waeup.ExportManager')
304    grok.title(u'Export Manager')
305    grok.permissions('waeup.manageDataCenter',
306                     'waeup.exportData')
307
308class BursaryOfficer(grok.Role):
309    grok.name('waeup.BursaryOfficer')
310    grok.title(u'Bursary Officer')
311    grok.permissions('waeup.showStudents',
312                     'waeup.viewAcademics',
313                     'waeup.exportBursaryData')
314
315class UsersManager(grok.Role):
316    grok.name('waeup.UsersManager')
317    grok.title(u'Users Manager')
318    grok.permissions('waeup.manageUsers',
319                     'waeup.editUser')
320
321class WorkflowManager(grok.Role):
322    grok.name('waeup.WorkflowManager')
323    grok.title(u'Workflow Manager')
324    grok.permissions('waeup.triggerTransition')
325
326class PortalManager(grok.Role):
327    grok.name('waeup.PortalManager')
328    grok.title(u'Portal Manager')
329    grok.permissions('waeup.managePortal',
330                     'waeup.manageUsers',
331                     'waeup.viewAcademics', 'waeup.manageAcademics',
332                     'waeup.manageACBatches',
333                     'waeup.manageDataCenter',
334                     'waeup.importData',
335                     'waeup.exportData',
336                     'waeup.viewTranscript',
337                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
338                     'waeup.manageApplication', 'waeup.handleApplication',
339                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
340                     'waeup.viewApplicationStatistics',
341                     'waeup.viewStudent', 'waeup.manageStudent',
342                     'waeup.clearStudent', 'waeup.payStudent',
343                     'waeup.uploadStudentFile', 'waeup.showStudents',
344                     'waeup.clearAllStudents',
345                     'waeup.editScores',
346                     'waeup.triggerTransition',
347                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
348                     'waeup.handleAccommodation',
349                     'waeup.viewHostels', 'waeup.manageHostels',
350                     'waeup.editUser',
351                     'waeup.loginAsStudent',
352                     'waeup.manageReports',
353                     'waeup.manageJobs',
354                     )
355
356class CCOfficer(grok.Role):
357    """This is basically a copy of the the PortalManager class. We exclude some
358    'dangerous' permissions by commenting them out.
359    """
360    grok.baseclass()
361    grok.name('waeup.CCOfficer')
362    grok.title(u'Computer Center Officer')
363    grok.permissions(#'waeup.managePortal',
364                     #'waeup.manageUsers',
365                     'waeup.viewAcademics', 'waeup.manageAcademics',
366                     #'waeup.manageACBatches',
367                     'waeup.manageDataCenter',
368                     #'waeup.importData',
369                     'waeup.exportData',
370                     'waeup.viewTranscript',
371                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
372                     'waeup.manageApplication', 'waeup.handleApplication',
373                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
374                     'waeup.viewApplicationStatistics',
375                     'waeup.viewStudent', 'waeup.manageStudent',
376                     'waeup.clearStudent', 'waeup.payStudent',
377                     'waeup.uploadStudentFile', 'waeup.showStudents',
378                     'waeup.clearAllStudents',
379                     'waeup.editScores',
380                     #'waeup.triggerTransition',
381                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
382                     'waeup.handleAccommodation',
383                     'waeup.viewHostels', 'waeup.manageHostels',
384                     #'waeup.editUser',
385                     #'waeup.loginAsStudent',
386                     'waeup.manageReports',
387                     #'waeup.manageJobs',
388                     )
389
390def get_all_roles():
391    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
392    """
393    return getUtilitiesFor(IRole)
394
395def get_waeup_roles(also_local=False):
396    """Get all Kofa roles.
397
398    Kofa roles are ordinary roles whose id by convention starts with
399    a ``waeup.`` prefix.
400
401    If `also_local` is ``True`` (``False`` by default), also local
402    roles are returned. Local Kofa roles are such whose id starts
403    with ``waeup.local.`` prefix (this is also a convention).
404
405    Returns a generator of the found roles.
406    """
407    for name, item in get_all_roles():
408        if not name.startswith('waeup.'):
409            # Ignore non-Kofa roles...
410            continue
411        if not also_local and name.startswith('waeup.local.'):
412            # Ignore local roles...
413            continue
414        yield item
415
416def get_waeup_role_names():
417    """Get the ids of all Kofa roles.
418
419    See :func:`get_waeup_roles` for what a 'KofaRole' is.
420
421    This function returns a sorted list of Kofa role names.
422    """
423    return sorted([x.id for x in get_waeup_roles()])
424
425class LocalRolesAssignable(grok.Adapter):
426    """Default implementation for `ILocalRolesAssignable`.
427
428    This adapter returns a list for dictionaries for objects for which
429    we want to know the roles assignable to them locally.
430
431    The returned dicts contain a ``name`` and a ``title`` entry which
432    give a role (``name``) and a description, for which kind of users
433    the permission is meant to be used (``title``).
434
435    Having this adapter registered we make sure, that for each normal
436    object we get a valid `ILocalRolesAssignable` adapter.
437
438    Objects that want to offer certain local roles, can do so by
439    setting a (preferably class-) attribute to a list of role ids.
440
441    You can also define different adapters for different contexts to
442    have different role lookup mechanisms become available. But in
443    normal cases it should be sufficient to use this basic adapter.
444    """
445    grok.context(Interface)
446    grok.provides(ILocalRolesAssignable)
447
448    _roles = []
449
450    def __init__(self, context):
451        self.context = context
452        role_ids = getattr(context, 'local_roles', self._roles)
453        self._roles = [(name, role) for name, role in get_all_roles()
454                       if name in role_ids]
455        return
456
457    def __call__(self):
458        """Get a list of dictionaries containing ``names`` (the roles to
459        assign) and ``titles`` (some description of the type of user
460        to assign each role to).
461        """
462        list_of_dict = [dict(
463                name=name,
464                title=role.title,
465                description=role.description)
466                for name, role in self._roles]
467        return sorted(list_of_dict, key=lambda x: x['name'])
468
469def get_all_users():
470    """Get a list of dictionaries.
471    """
472    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
473    for key, val in users:
474        yield(dict(name=key, val=val))
475
476def get_users_with_local_roles(context):
477    """Get a list of dicts representing the local roles set for `context`.
478
479    Each dict returns `user_name`, `user_title`, `local_role`,
480    `local_role_title`, and `setting` for each entry in the local
481    roles map of the `context` object.
482    """
483    try:
484        role_map = IPrincipalRoleMap(context)
485    except TypeError:
486        # no map no roles.
487        raise StopIteration
488    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
489        user = grok.getSite()['users'].get(user_name,None)
490        user_title = getattr(user, 'title', user_name)
491        local_role_title = getattr(
492            dict(get_all_roles()).get(local_role, None), 'title', None)
493        yield dict(user_name = user_name,
494                   user_title = user_title,
495                   local_role = local_role,
496                   local_role_title = local_role_title,
497                   setting = setting)
498
499def get_users_with_role(role, context):
500    """Get a list of dicts representing the usres who have been granted
501    a role for `context`.
502    """
503    try:
504        role_map = IPrincipalRoleMap(context)
505    except TypeError:
506        # no map no roles.
507        raise StopIteration
508    for user_name, setting in role_map.getPrincipalsForRole(role):
509        user = grok.getSite()['users'].get(user_name,None)
510        user_title = getattr(user, 'title', user_name)
511        user_email = getattr(user, 'email', None)
512        yield dict(user_name = user_name,
513                   user_title = user_title,
514                   user_email = user_email,
515                   setting = setting)
Note: See TracBrowser for help on using the repository browser.