source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 12811

Last change on this file since 12811 was 12440, checked in by Henrik Bettermann, 10 years ago

Add permissions to manager roles.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 18.2 KB
Line 
1## $Id: permissions.py 12440 2015-01-11 09:04:51Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
35
36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
39    grok.name('waeup.Anonymous')
40
41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
45
46class ViewAcademicsPermission(grok.Permission):
47    grok.name('waeup.viewAcademics')
48
49class ManageAcademicsPermission(grok.Permission):
50    grok.name('waeup.manageAcademics')
51
52class ManagePortal(grok.Permission):
53    grok.name('waeup.managePortal')
54
55class ManageUsers(grok.Permission):
56    grok.name('waeup.manageUsers')
57
58class ShowStudents(grok.Permission):
59    grok.name('waeup.showStudents')
60
61class ClearAllStudents(grok.Permission):
62    grok.name('waeup.clearAllStudents')
63
64class EditScores(grok.Permission):
65    grok.name('waeup.editScores')
66
67class EditUser(grok.Permission):
68    grok.name('waeup.editUser')
69
70class ManageDataCenter(grok.Permission):
71    grok.name('waeup.manageDataCenter')
72
73class ImportData(grok.Permission):
74    grok.name('waeup.importData')
75
76class ExportData(grok.Permission):
77    grok.name('waeup.exportData')
78
79class ExportPaymentsOverview(grok.Permission):
80    grok.name('waeup.exportPaymentsOverview')
81
82class ExportBursaryData(grok.Permission):
83    grok.name('waeup.exportBursaryData')
84
85class ViewTranscript(grok.Permission):
86    grok.name('waeup.viewTranscript')
87
88class ManagePortalConfiguration(grok.Permission):
89    grok.name('waeup.managePortalConfiguration')
90
91class ManageACBatches(grok.Permission):
92    grok.name('waeup.manageACBatches')
93
94class PutBiometricDataPermission(grok.Permission):
95    """Permission to upload/change biometric data.
96    """
97    grok.name('waeup.putBiometricData')
98
99class GetBiometricDataPermission(grok.Permission):
100    """Permission to read biometric data.
101    """
102    grok.name('waeup.getBiometricData')
103
104
105# Local Roles
106class ApplicationsManager(grok.Role):
107    grok.name('waeup.local.ApplicationsManager')
108    grok.title(u'Applications Manager')
109    grok.permissions('waeup.viewAcademics')
110
111class DepartmentManager(grok.Role):
112    grok.name('waeup.local.DepartmentManager')
113    grok.title(u'Department Manager')
114    grok.permissions('waeup.manageAcademics',
115                     'waeup.showStudents',
116                     'waeup.exportData')
117
118class DepartmentOfficer(grok.Role):
119    grok.name('waeup.local.DepartmentOfficer')
120    grok.title(u'Department Officer')
121    grok.permissions('waeup.showStudents',
122                     'waeup.viewAcademics',
123                     'waeup.exportPaymentsOverview')
124
125class ClearanceOfficer(grok.Role):
126    """The clearance officer role is meant for the
127    assignment of dynamic roles only.
128    """
129    grok.name('waeup.local.ClearanceOfficer')
130    grok.title(u'Clearance Officer')
131    grok.permissions('waeup.showStudents',
132                     'waeup.viewAcademics',
133                     'waeup.exportData',
134                     'waeup.clearAllStudents')
135
136class LocalStudentsManager(grok.Role):
137    """The local students manager role is meant for the
138    assignment of dynamic roles only.
139    """
140    grok.name('waeup.local.LocalStudentsManager')
141    grok.title(u'Students Manager')
142    grok.permissions('waeup.showStudents',
143                     'waeup.viewAcademics',
144                     'waeup.exportData')
145
146class LocalWorkflowManager(grok.Role):
147    """The local workflow manager role is meant for the
148    assignment of dynamic roles only.
149    """
150    grok.name('waeup.local.LocalWorkflowManager')
151    grok.title(u'Student Workflow Manager')
152    grok.permissions('waeup.showStudents',
153                     'waeup.viewAcademics',
154                     'waeup.exportData')
155
156class UGClearanceOfficer(grok.Role):
157    """The clearance officer role is meant for the
158    assignment of dynamic roles only.
159    """
160    grok.name('waeup.local.UGClearanceOfficer')
161    grok.title(u'UG Clearance Officer')
162    grok.permissions('waeup.showStudents',
163                     'waeup.viewAcademics',
164                     'waeup.exportData',
165                     'waeup.clearAllStudents')
166
167class PGClearanceOfficer(grok.Role):
168    """The clearance officer role is meant for the
169    assignment of dynamic roles only.
170    """
171    grok.name('waeup.local.PGClearanceOfficer')
172    grok.title(u'PG Clearance Officer')
173    grok.permissions('waeup.showStudents',
174                     'waeup.viewAcademics',
175                     'waeup.exportData',
176                     'waeup.clearAllStudents')
177
178class CourseAdviser100(grok.Role):
179    """The 100 level course adviser role is meant for the
180    assignment of dynamic roles only.
181    """
182    grok.name('waeup.local.CourseAdviser100')
183    grok.title(u'Course Adviser 100L')
184    grok.permissions('waeup.showStudents',
185                     'waeup.viewAcademics',
186                     'waeup.exportData')
187
188class CourseAdviser200(grok.Role):
189    """The course 200 level adviser role is meant for the
190    assignment of dynamic roles only.
191    """
192    grok.name('waeup.local.CourseAdviser200')
193    grok.title(u'Course Adviser 200L')
194    grok.permissions('waeup.showStudents',
195                     'waeup.viewAcademics',
196                     'waeup.exportData')
197
198class CourseAdviser300(grok.Role):
199    """The 300 level course adviser role is meant for the
200    assignment of dynamic roles only.
201    """
202    grok.name('waeup.local.CourseAdviser300')
203    grok.title(u'Course Adviser 300L')
204    grok.permissions('waeup.showStudents',
205                     'waeup.viewAcademics',
206                     'waeup.exportData')
207
208class CourseAdviser400(grok.Role):
209    """The 400 level course adviser role is meant for the
210    assignment of dynamic roles only.
211    """
212    grok.name('waeup.local.CourseAdviser400')
213    grok.title(u'Course Adviser 400L')
214    grok.permissions('waeup.showStudents',
215                     'waeup.viewAcademics',
216                     'waeup.exportData')
217
218class CourseAdviser500(grok.Role):
219    """The 500 level course adviser role is meant for the
220    assignment of dynamic roles only.
221    """
222    grok.name('waeup.local.CourseAdviser500')
223    grok.title(u'Course Adviser 500L')
224    grok.permissions('waeup.showStudents',
225                     'waeup.viewAcademics',
226                     'waeup.exportData')
227
228class CourseAdviser600(grok.Role):
229    """The 600 level course adviser role is meant for the
230    assignment of dynamic roles only.
231    """
232    grok.name('waeup.local.CourseAdviser600')
233    grok.title(u'Course Adviser 600L')
234    grok.permissions('waeup.showStudents',
235                     'waeup.viewAcademics',
236                     'waeup.exportData')
237
238class CourseAdviser700(grok.Role):
239    """The 700 level course adviser role is meant for the
240    assignment of dynamic roles only.
241    """
242    grok.name('waeup.local.CourseAdviser700')
243    grok.title(u'Course Adviser 700L')
244    grok.permissions('waeup.showStudents',
245                     'waeup.viewAcademics',
246                     'waeup.exportData')
247
248class CourseAdviser800(grok.Role):
249    """The 800 level course adviser role is meant for the
250    assignment of dynamic roles only.
251    """
252    grok.name('waeup.local.CourseAdviser800')
253    grok.title(u'Course Adviser 800L')
254    grok.permissions('waeup.showStudents',
255                     'waeup.viewAcademics',
256                     'waeup.exportData')
257
258class Lecturer(grok.Role):
259    """The lecturer role is meant for the
260    assignment of dynamic roles only.
261    """
262    grok.name('waeup.local.Lecturer')
263    grok.title(u'Lecturer')
264    grok.permissions('waeup.showStudents',
265                     'waeup.editScores',
266                     'waeup.viewAcademics',
267                     'waeup.exportData')
268
269class Owner(grok.Role):
270    grok.name('waeup.local.Owner')
271    grok.title(u'Owner')
272    grok.permissions('waeup.editUser')
273
274# Site Roles
275class AcademicsOfficer(grok.Role):
276    grok.name('waeup.AcademicsOfficer')
277    grok.title(u'Academics Officer (view only)')
278    grok.permissions('waeup.viewAcademics')
279
280class AcademicsManager(grok.Role):
281    grok.name('waeup.AcademicsManager')
282    grok.title(u'Academics Manager')
283    grok.permissions('waeup.viewAcademics',
284                     'waeup.manageAcademics')
285
286class ACManager(grok.Role):
287    grok.name('waeup.ACManager')
288    grok.title(u'Access Code Manager')
289    grok.permissions('waeup.manageACBatches')
290
291class DataCenterManager(grok.Role):
292    grok.name('waeup.DataCenterManager')
293    grok.title(u'Datacenter Manager')
294    grok.permissions('waeup.manageDataCenter')
295
296class ImportManager(grok.Role):
297    grok.name('waeup.ImportManager')
298    grok.title(u'Import Manager')
299    grok.permissions('waeup.manageDataCenter',
300                     'waeup.importData')
301
302class ExportManager(grok.Role):
303    grok.name('waeup.ExportManager')
304    grok.title(u'Export Manager')
305    grok.permissions('waeup.manageDataCenter',
306                     'waeup.exportData')
307
308class BursaryOfficer(grok.Role):
309    grok.name('waeup.BursaryOfficer')
310    grok.title(u'Bursary Officer')
311    grok.permissions('waeup.showStudents',
312                     'waeup.viewAcademics',
313                     'waeup.exportBursaryData')
314
315class UsersManager(grok.Role):
316    grok.name('waeup.UsersManager')
317    grok.title(u'Users Manager')
318    grok.permissions('waeup.manageUsers',
319                     'waeup.editUser')
320
321class WorkflowManager(grok.Role):
322    grok.name('waeup.WorkflowManager')
323    grok.title(u'Workflow Manager')
324    grok.permissions('waeup.triggerTransition')
325
326class PortalManager(grok.Role):
327    grok.name('waeup.PortalManager')
328    grok.title(u'Portal Manager')
329    grok.permissions('waeup.managePortal',
330                     'waeup.manageUsers',
331                     'waeup.viewAcademics', 'waeup.manageAcademics',
332                     'waeup.manageACBatches',
333                     'waeup.manageDataCenter',
334                     'waeup.importData',
335                     'waeup.exportData',
336                     'waeup.viewTranscript',
337                     'waeup.viewDocuments', 'waeup.manageDocuments',
338                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
339                     'waeup.manageApplication', 'waeup.handleApplication',
340                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
341                     'waeup.viewApplicationStatistics',
342                     'waeup.viewStudent', 'waeup.manageStudent',
343                     'waeup.clearStudent', 'waeup.payStudent',
344                     'waeup.uploadStudentFile', 'waeup.showStudents',
345                     'waeup.clearAllStudents',
346                     'waeup.editScores',
347                     'waeup.triggerTransition',
348                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
349                     'waeup.handleAccommodation',
350                     'waeup.viewHostels', 'waeup.manageHostels',
351                     'waeup.editUser',
352                     'waeup.loginAsStudent',
353                     'waeup.manageReports',
354                     'waeup.manageJobs',
355                     )
356
357class CCOfficer(grok.Role):
358    """This is basically a copy of the the PortalManager class. We exclude some
359    'dangerous' permissions by commenting them out.
360    """
361    grok.baseclass()
362    grok.name('waeup.CCOfficer')
363    grok.title(u'Computer Center Officer')
364    grok.permissions(#'waeup.managePortal',
365                     #'waeup.manageUsers',
366                     'waeup.viewAcademics', 'waeup.manageAcademics',
367                     #'waeup.manageACBatches',
368                     'waeup.manageDataCenter',
369                     #'waeup.importData',
370                     'waeup.exportData',
371                     'waeup.viewTranscript',
372                     'waeup.viewDocuments', 'waeup.manageDocuments',
373                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
374                     'waeup.manageApplication', 'waeup.handleApplication',
375                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
376                     'waeup.viewApplicationStatistics',
377                     'waeup.viewStudent', 'waeup.manageStudent',
378                     'waeup.clearStudent', 'waeup.payStudent',
379                     'waeup.uploadStudentFile', 'waeup.showStudents',
380                     'waeup.clearAllStudents',
381                     'waeup.editScores',
382                     #'waeup.triggerTransition',
383                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
384                     'waeup.handleAccommodation',
385                     'waeup.viewHostels', 'waeup.manageHostels',
386                     #'waeup.editUser',
387                     #'waeup.loginAsStudent',
388                     'waeup.manageReports',
389                     #'waeup.manageJobs',
390                     )
391
392def get_all_roles():
393    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
394    """
395    return getUtilitiesFor(IRole)
396
397def get_waeup_roles(also_local=False):
398    """Get all Kofa roles.
399
400    Kofa roles are ordinary roles whose id by convention starts with
401    a ``waeup.`` prefix.
402
403    If `also_local` is ``True`` (``False`` by default), also local
404    roles are returned. Local Kofa roles are such whose id starts
405    with ``waeup.local.`` prefix (this is also a convention).
406
407    Returns a generator of the found roles.
408    """
409    for name, item in get_all_roles():
410        if not name.startswith('waeup.'):
411            # Ignore non-Kofa roles...
412            continue
413        if not also_local and name.startswith('waeup.local.'):
414            # Ignore local roles...
415            continue
416        yield item
417
418def get_waeup_role_names():
419    """Get the ids of all Kofa roles.
420
421    See :func:`get_waeup_roles` for what a 'KofaRole' is.
422
423    This function returns a sorted list of Kofa role names.
424    """
425    return sorted([x.id for x in get_waeup_roles()])
426
427class LocalRolesAssignable(grok.Adapter):
428    """Default implementation for `ILocalRolesAssignable`.
429
430    This adapter returns a list for dictionaries for objects for which
431    we want to know the roles assignable to them locally.
432
433    The returned dicts contain a ``name`` and a ``title`` entry which
434    give a role (``name``) and a description, for which kind of users
435    the permission is meant to be used (``title``).
436
437    Having this adapter registered we make sure, that for each normal
438    object we get a valid `ILocalRolesAssignable` adapter.
439
440    Objects that want to offer certain local roles, can do so by
441    setting a (preferably class-) attribute to a list of role ids.
442
443    You can also define different adapters for different contexts to
444    have different role lookup mechanisms become available. But in
445    normal cases it should be sufficient to use this basic adapter.
446    """
447    grok.context(Interface)
448    grok.provides(ILocalRolesAssignable)
449
450    _roles = []
451
452    def __init__(self, context):
453        self.context = context
454        role_ids = getattr(context, 'local_roles', self._roles)
455        self._roles = [(name, role) for name, role in get_all_roles()
456                       if name in role_ids]
457        return
458
459    def __call__(self):
460        """Get a list of dictionaries containing ``names`` (the roles to
461        assign) and ``titles`` (some description of the type of user
462        to assign each role to).
463        """
464        list_of_dict = [dict(
465                name=name,
466                title=role.title,
467                description=role.description)
468                for name, role in self._roles]
469        return sorted(list_of_dict, key=lambda x: x['name'])
470
471def get_all_users():
472    """Get a list of dictionaries.
473    """
474    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
475    for key, val in users:
476        yield(dict(name=key, val=val))
477
478def get_users_with_local_roles(context):
479    """Get a list of dicts representing the local roles set for `context`.
480
481    Each dict returns `user_name`, `user_title`, `local_role`,
482    `local_role_title`, and `setting` for each entry in the local
483    roles map of the `context` object.
484    """
485    try:
486        role_map = IPrincipalRoleMap(context)
487    except TypeError:
488        # no map no roles.
489        raise StopIteration
490    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
491        user = grok.getSite()['users'].get(user_name,None)
492        user_title = getattr(user, 'title', user_name)
493        local_role_title = getattr(
494            dict(get_all_roles()).get(local_role, None), 'title', None)
495        yield dict(user_name = user_name,
496                   user_title = user_title,
497                   local_role = local_role,
498                   local_role_title = local_role_title,
499                   setting = setting)
500
501def get_users_with_role(role, context):
502    """Get a list of dicts representing the usres who have been granted
503    a role for `context`.
504    """
505    try:
506        role_map = IPrincipalRoleMap(context)
507    except TypeError:
508        # no map no roles.
509        raise StopIteration
510    for user_name, setting in role_map.getPrincipalsForRole(role):
511        user = grok.getSite()['users'].get(user_name,None)
512        user_title = getattr(user, 'title', user_name)
513        user_email = getattr(user, 'email', None)
514        yield dict(user_name = user_name,
515                   user_title = user_title,
516                   user_email = user_email,
517                   setting = setting)
Note: See TracBrowser for help on using the repository browser.