Context navigation

source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 12432

Last change on this file since 12432 was 11862, checked in by Henrik Bettermann, 10 years ago
Add permission, page and button to mass-clear all students in a department.
Property svn:eol-style set to `native` Property svn:keywords set to `Id`
File size: 18.0 KB

Line
1	## $Id: permissions.py 11862 2014-10-21 07:07:04Z henrik $
2	##
3	## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4	## This program is free software; you can redistribute it and/or modify
5	## it under the terms of the GNU General Public License as published by
6	## the Free Software Foundation; either version 2 of the License, or
7	## (at your option) any later version.
8	##
9	## This program is distributed in the hope that it will be useful,
10	## but WITHOUT ANY WARRANTY; without even the implied warranty of
11	## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12	## GNU General Public License for more details.
13	##
14	## You should have received a copy of the GNU General Public License
15	## along with this program; if not, write to the Free Software
16	## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17	##
18	import grok
19	from zope.component import getUtilitiesFor
20	from zope.interface import Interface
21	from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22	from waeup.kofa.interfaces import ILocalRolesAssignable
23
24	class Public(grok.Permission):
25	"""Everyone-can-do-this-permission.
26
27	This permission is meant to be applied to objects/views/pages
28	etc., that should be usable/readable by everyone.
29
30	We need this to be able to tune default permissions more
31	restrictive and open up some dedicated objects like the front
32	page.
33	"""
34	grok.name('waeup.Public')
35
36	class Anonymous(grok.Permission):
37	"""Only-anonymous-can-do-this-permission.
38	"""
39	grok.name('waeup.Anonymous')
40
41	class Authenticated(grok.Permission):
42	"""Only-logged-in-users-can-do-this-permission.
43	"""
44	grok.name('waeup.Authenticated')
45
46	class ViewAcademicsPermission(grok.Permission):
47	grok.name('waeup.viewAcademics')
48
49	class ManageAcademicsPermission(grok.Permission):
50	grok.name('waeup.manageAcademics')
51
52	class ManagePortal(grok.Permission):
53	grok.name('waeup.managePortal')
54
55	class ManageUsers(grok.Permission):
56	grok.name('waeup.manageUsers')
57
58	class ShowStudents(grok.Permission):
59	grok.name('waeup.showStudents')
60
61	class ClearAllStudents(grok.Permission):
62	grok.name('waeup.clearAllStudents')
63
64	class EditScores(grok.Permission):
65	grok.name('waeup.editScores')
66
67	class EditUser(grok.Permission):
68	grok.name('waeup.editUser')
69
70	class ManageDataCenter(grok.Permission):
71	grok.name('waeup.manageDataCenter')
72
73	class ImportData(grok.Permission):
74	grok.name('waeup.importData')
75
76	class ExportData(grok.Permission):
77	grok.name('waeup.exportData')
78
79	class ExportPaymentsOverview(grok.Permission):
80	grok.name('waeup.exportPaymentsOverview')
81
82	class ExportBursaryData(grok.Permission):
83	grok.name('waeup.exportBursaryData')
84
85	class ViewTranscript(grok.Permission):
86	grok.name('waeup.viewTranscript')
87
88	class ManagePortalConfiguration(grok.Permission):
89	grok.name('waeup.managePortalConfiguration')
90
91	class ManageACBatches(grok.Permission):
92	grok.name('waeup.manageACBatches')
93
94	class PutBiometricDataPermission(grok.Permission):
95	"""Permission to upload/change biometric data.
96	"""
97	grok.name('waeup.putBiometricData')
98
99	class GetBiometricDataPermission(grok.Permission):
100	"""Permission to read biometric data.
101	"""
102	grok.name('waeup.getBiometricData')
103
104
105	# Local Roles
106	class ApplicationsManager(grok.Role):
107	grok.name('waeup.local.ApplicationsManager')
108	grok.title(u'Applications Manager')
109	grok.permissions('waeup.viewAcademics')
110
111	class DepartmentManager(grok.Role):
112	grok.name('waeup.local.DepartmentManager')
113	grok.title(u'Department Manager')
114	grok.permissions('waeup.manageAcademics',
115	'waeup.showStudents',
116	'waeup.exportData')
117
118	class DepartmentOfficer(grok.Role):
119	grok.name('waeup.local.DepartmentOfficer')
120	grok.title(u'Department Officer')
121	grok.permissions('waeup.showStudents',
122	'waeup.viewAcademics',
123	'waeup.exportPaymentsOverview')
124
125	class ClearanceOfficer(grok.Role):
126	"""The clearance officer role is meant for the
127	assignment of dynamic roles only.
128	"""
129	grok.name('waeup.local.ClearanceOfficer')
130	grok.title(u'Clearance Officer')
131	grok.permissions('waeup.showStudents',
132	'waeup.viewAcademics',
133	'waeup.exportData',
134	'waeup.clearAllStudents')
135
136	class LocalStudentsManager(grok.Role):
137	"""The local students manager role is meant for the
138	assignment of dynamic roles only.
139	"""
140	grok.name('waeup.local.LocalStudentsManager')
141	grok.title(u'Students Manager')
142	grok.permissions('waeup.showStudents',
143	'waeup.viewAcademics',
144	'waeup.exportData')
145
146	class LocalWorkflowManager(grok.Role):
147	"""The local workflow manager role is meant for the
148	assignment of dynamic roles only.
149	"""
150	grok.name('waeup.local.LocalWorkflowManager')
151	grok.title(u'Student Workflow Manager')
152	grok.permissions('waeup.showStudents',
153	'waeup.viewAcademics',
154	'waeup.exportData')
155
156	class UGClearanceOfficer(grok.Role):
157	"""The clearance officer role is meant for the
158	assignment of dynamic roles only.
159	"""
160	grok.name('waeup.local.UGClearanceOfficer')
161	grok.title(u'UG Clearance Officer')
162	grok.permissions('waeup.showStudents',
163	'waeup.viewAcademics',
164	'waeup.exportData',
165	'waeup.clearAllStudents')
166
167	class PGClearanceOfficer(grok.Role):
168	"""The clearance officer role is meant for the
169	assignment of dynamic roles only.
170	"""
171	grok.name('waeup.local.PGClearanceOfficer')
172	grok.title(u'PG Clearance Officer')
173	grok.permissions('waeup.showStudents',
174	'waeup.viewAcademics',
175	'waeup.exportData',
176	'waeup.clearAllStudents')
177
178	class CourseAdviser100(grok.Role):
179	"""The 100 level course adviser role is meant for the
180	assignment of dynamic roles only.
181	"""
182	grok.name('waeup.local.CourseAdviser100')
183	grok.title(u'Course Adviser 100L')
184	grok.permissions('waeup.showStudents',
185	'waeup.viewAcademics',
186	'waeup.exportData')
187
188	class CourseAdviser200(grok.Role):
189	"""The course 200 level adviser role is meant for the
190	assignment of dynamic roles only.
191	"""
192	grok.name('waeup.local.CourseAdviser200')
193	grok.title(u'Course Adviser 200L')
194	grok.permissions('waeup.showStudents',
195	'waeup.viewAcademics',
196	'waeup.exportData')
197
198	class CourseAdviser300(grok.Role):
199	"""The 300 level course adviser role is meant for the
200	assignment of dynamic roles only.
201	"""
202	grok.name('waeup.local.CourseAdviser300')
203	grok.title(u'Course Adviser 300L')
204	grok.permissions('waeup.showStudents',
205	'waeup.viewAcademics',
206	'waeup.exportData')
207
208	class CourseAdviser400(grok.Role):
209	"""The 400 level course adviser role is meant for the
210	assignment of dynamic roles only.
211	"""
212	grok.name('waeup.local.CourseAdviser400')
213	grok.title(u'Course Adviser 400L')
214	grok.permissions('waeup.showStudents',
215	'waeup.viewAcademics',
216	'waeup.exportData')
217
218	class CourseAdviser500(grok.Role):
219	"""The 500 level course adviser role is meant for the
220	assignment of dynamic roles only.
221	"""
222	grok.name('waeup.local.CourseAdviser500')
223	grok.title(u'Course Adviser 500L')
224	grok.permissions('waeup.showStudents',
225	'waeup.viewAcademics',
226	'waeup.exportData')
227
228	class CourseAdviser600(grok.Role):
229	"""The 600 level course adviser role is meant for the
230	assignment of dynamic roles only.
231	"""
232	grok.name('waeup.local.CourseAdviser600')
233	grok.title(u'Course Adviser 600L')
234	grok.permissions('waeup.showStudents',
235	'waeup.viewAcademics',
236	'waeup.exportData')
237
238	class CourseAdviser700(grok.Role):
239	"""The 700 level course adviser role is meant for the
240	assignment of dynamic roles only.
241	"""
242	grok.name('waeup.local.CourseAdviser700')
243	grok.title(u'Course Adviser 700L')
244	grok.permissions('waeup.showStudents',
245	'waeup.viewAcademics',
246	'waeup.exportData')
247
248	class CourseAdviser800(grok.Role):
249	"""The 800 level course adviser role is meant for the
250	assignment of dynamic roles only.
251	"""
252	grok.name('waeup.local.CourseAdviser800')
253	grok.title(u'Course Adviser 800L')
254	grok.permissions('waeup.showStudents',
255	'waeup.viewAcademics',
256	'waeup.exportData')
257
258	class Lecturer(grok.Role):
259	"""The lecturer role is meant for the
260	assignment of dynamic roles only.
261	"""
262	grok.name('waeup.local.Lecturer')
263	grok.title(u'Lecturer')
264	grok.permissions('waeup.showStudents',
265	'waeup.editScores',
266	'waeup.viewAcademics',
267	'waeup.exportData')
268
269	class Owner(grok.Role):
270	grok.name('waeup.local.Owner')
271	grok.title(u'Owner')
272	grok.permissions('waeup.editUser')
273
274	# Site Roles
275	class AcademicsOfficer(grok.Role):
276	grok.name('waeup.AcademicsOfficer')
277	grok.title(u'Academics Officer (view only)')
278	grok.permissions('waeup.viewAcademics')
279
280	class AcademicsManager(grok.Role):
281	grok.name('waeup.AcademicsManager')
282	grok.title(u'Academics Manager')
283	grok.permissions('waeup.viewAcademics',
284	'waeup.manageAcademics')
285
286	class ACManager(grok.Role):
287	grok.name('waeup.ACManager')
288	grok.title(u'Access Code Manager')
289	grok.permissions('waeup.manageACBatches')
290
291	class DataCenterManager(grok.Role):
292	grok.name('waeup.DataCenterManager')
293	grok.title(u'Datacenter Manager')
294	grok.permissions('waeup.manageDataCenter')
295
296	class ImportManager(grok.Role):
297	grok.name('waeup.ImportManager')
298	grok.title(u'Import Manager')
299	grok.permissions('waeup.manageDataCenter',
300	'waeup.importData')
301
302	class ExportManager(grok.Role):
303	grok.name('waeup.ExportManager')
304	grok.title(u'Export Manager')
305	grok.permissions('waeup.manageDataCenter',
306	'waeup.exportData')
307
308	class BursaryOfficer(grok.Role):
309	grok.name('waeup.BursaryOfficer')
310	grok.title(u'Bursary Officer')
311	grok.permissions('waeup.showStudents',
312	'waeup.viewAcademics',
313	'waeup.exportBursaryData')
314
315	class UsersManager(grok.Role):
316	grok.name('waeup.UsersManager')
317	grok.title(u'Users Manager')
318	grok.permissions('waeup.manageUsers',
319	'waeup.editUser')
320
321	class WorkflowManager(grok.Role):
322	grok.name('waeup.WorkflowManager')
323	grok.title(u'Workflow Manager')
324	grok.permissions('waeup.triggerTransition')
325
326	class PortalManager(grok.Role):
327	grok.name('waeup.PortalManager')
328	grok.title(u'Portal Manager')
329	grok.permissions('waeup.managePortal',
330	'waeup.manageUsers',
331	'waeup.viewAcademics', 'waeup.manageAcademics',
332	'waeup.manageACBatches',
333	'waeup.manageDataCenter',
334	'waeup.importData',
335	'waeup.exportData',
336	'waeup.viewTranscript',
337	'waeup.managePortalConfiguration', 'waeup.viewApplication',
338	'waeup.manageApplication', 'waeup.handleApplication',
339	'waeup.viewApplicantsTab', 'waeup.payApplicant',
340	'waeup.viewApplicationStatistics',
341	'waeup.viewStudent', 'waeup.manageStudent',
342	'waeup.clearStudent', 'waeup.payStudent',
343	'waeup.uploadStudentFile', 'waeup.showStudents',
344	'waeup.clearAllStudents',
345	'waeup.editScores',
346	'waeup.triggerTransition',
347	'waeup.viewStudentsContainer','waeup.viewStudentsTab',
348	'waeup.handleAccommodation',
349	'waeup.viewHostels', 'waeup.manageHostels',
350	'waeup.editUser',
351	'waeup.loginAsStudent',
352	'waeup.manageReports',
353	'waeup.manageJobs',
354	)
355
356	class CCOfficer(grok.Role):
357	"""This is basically a copy of the the PortalManager class. We exclude some
358	'dangerous' permissions by commenting them out.
359	"""
360	grok.baseclass()
361	grok.name('waeup.CCOfficer')
362	grok.title(u'Computer Center Officer')
363	grok.permissions(#'waeup.managePortal',
364	#'waeup.manageUsers',
365	'waeup.viewAcademics', 'waeup.manageAcademics',
366	#'waeup.manageACBatches',
367	'waeup.manageDataCenter',
368	#'waeup.importData',
369	'waeup.exportData',
370	'waeup.viewTranscript',
371	'waeup.managePortalConfiguration', 'waeup.viewApplication',
372	'waeup.manageApplication', 'waeup.handleApplication',
373	'waeup.viewApplicantsTab', 'waeup.payApplicant',
374	'waeup.viewApplicationStatistics',
375	'waeup.viewStudent', 'waeup.manageStudent',
376	'waeup.clearStudent', 'waeup.payStudent',
377	'waeup.uploadStudentFile', 'waeup.showStudents',
378	'waeup.clearAllStudents',
379	'waeup.editScores',
380	#'waeup.triggerTransition',
381	'waeup.viewStudentsContainer','waeup.viewStudentsTab',
382	'waeup.handleAccommodation',
383	'waeup.viewHostels', 'waeup.manageHostels',
384	#'waeup.editUser',
385	#'waeup.loginAsStudent',
386	'waeup.manageReports',
387	#'waeup.manageJobs',
388	)
389
390	def get_all_roles():
391	"""Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
392	"""
393	return getUtilitiesFor(IRole)
394
395	def get_waeup_roles(also_local=False):
396	"""Get all Kofa roles.
397
398	Kofa roles are ordinary roles whose id by convention starts with
399	a ``waeup.`` prefix.
400
401	If `also_local` is ``True`` (``False`` by default), also local
402	roles are returned. Local Kofa roles are such whose id starts
403	with ``waeup.local.`` prefix (this is also a convention).
404
405	Returns a generator of the found roles.
406	"""
407	for name, item in get_all_roles():
408	if not name.startswith('waeup.'):
409	# Ignore non-Kofa roles...
410	continue
411	if not also_local and name.startswith('waeup.local.'):
412	# Ignore local roles...
413	continue
414	yield item
415
416	def get_waeup_role_names():
417	"""Get the ids of all Kofa roles.
418
419	See :func:`get_waeup_roles` for what a 'KofaRole' is.
420
421	This function returns a sorted list of Kofa role names.
422	"""
423	return sorted([x.id for x in get_waeup_roles()])
424
425	class LocalRolesAssignable(grok.Adapter):
426	"""Default implementation for `ILocalRolesAssignable`.
427
428	This adapter returns a list for dictionaries for objects for which
429	we want to know the roles assignable to them locally.
430
431	The returned dicts contain a ``name`` and a ``title`` entry which
432	give a role (``name``) and a description, for which kind of users
433	the permission is meant to be used (``title``).
434
435	Having this adapter registered we make sure, that for each normal
436	object we get a valid `ILocalRolesAssignable` adapter.
437
438	Objects that want to offer certain local roles, can do so by
439	setting a (preferably class-) attribute to a list of role ids.
440
441	You can also define different adapters for different contexts to
442	have different role lookup mechanisms become available. But in
443	normal cases it should be sufficient to use this basic adapter.
444	"""
445	grok.context(Interface)
446	grok.provides(ILocalRolesAssignable)
447
448	_roles = []
449
450	def __init__(self, context):
451	self.context = context
452	role_ids = getattr(context, 'local_roles', self._roles)
453	self._roles = [(name, role) for name, role in get_all_roles()
454	if name in role_ids]
455	return
456
457	def __call__(self):
458	"""Get a list of dictionaries containing ``names`` (the roles to
459	assign) and ``titles`` (some description of the type of user
460	to assign each role to).
461	"""
462	list_of_dict = [dict(
463	name=name,
464	title=role.title,
465	description=role.description)
466	for name, role in self._roles]
467	return sorted(list_of_dict, key=lambda x: x['name'])
468
469	def get_all_users():
470	"""Get a list of dictionaries.
471	"""
472	users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
473	for key, val in users:
474	yield(dict(name=key, val=val))
475
476	def get_users_with_local_roles(context):
477	"""Get a list of dicts representing the local roles set for `context`.
478
479	Each dict returns `user_name`, `user_title`, `local_role`,
480	`local_role_title`, and `setting` for each entry in the local
481	roles map of the `context` object.
482	"""
483	try:
484	role_map = IPrincipalRoleMap(context)
485	except TypeError:
486	# no map no roles.
487	raise StopIteration
488	for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
489	user = grok.getSite()['users'].get(user_name,None)
490	user_title = getattr(user, 'title', user_name)
491	local_role_title = getattr(
492	dict(get_all_roles()).get(local_role, None), 'title', None)
493	yield dict(user_name = user_name,
494	user_title = user_title,
495	local_role = local_role,
496	local_role_title = local_role_title,
497	setting = setting)
498
499	def get_users_with_role(role, context):
500	"""Get a list of dicts representing the usres who have been granted
501	a role for `context`.
502	"""
503	try:
504	role_map = IPrincipalRoleMap(context)
505	except TypeError:
506	# no map no roles.
507	raise StopIteration
508	for user_name, setting in role_map.getPrincipalsForRole(role):
509	user = grok.getSite()['users'].get(user_name,None)
510	user_title = getattr(user, 'title', user_name)
511	user_email = getattr(user, 'email', None)
512	yield dict(user_name = user_name,
513	user_title = user_title,
514	user_email = user_email,
515	setting = setting)

Note: See TracBrowser for help on using the repository browser.

Download in other formats: