source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 15149

Last change on this file since 15149 was 14992, checked in by Henrik Bettermann, 7 years ago

Allow lecturer role assignment also at department level.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 26.7 KB
Line 
1# $Id: permissions.py 14992 2018-04-26 08:50:56Z henrik $
2#
3# Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4# This program is free software; you can redistribute it and/or modify
5# it under the terms of the GNU General Public License as published by
6# the Free Software Foundation; either version 2 of the License, or
7# (at your option) any later version.
8#
9# This program is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12# GNU General Public License for more details.
13#
14# You should have received a copy of the GNU General Public License
15# along with this program; if not, write to the Free Software
16# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17#
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
24
25class Public(grok.Permission):
26    """The Public or everyone-can-do-this-permission is being applied
27    to views/pages that are used by everyone.
28    """
29    grok.name('waeup.Public')
30
31
32class Anonymous(grok.Permission):
33    """The Anonymous permission is applied to
34    views/pages which are dedicated to anonymous users only.
35    Logged-in users can't access these views.
36    """
37    grok.name('waeup.Anonymous')
38
39
40class Authenticated(grok.Permission):
41    """The Authenticated permission is applied to pages
42    which can only be used by logged-in users and not by anonymous users.
43    """
44    grok.name('waeup.Authenticated')
45
46
47class ViewAcademics(grok.Permission):
48    """The ViewAcademics permission is applied to all
49    views of the Academic Section. Users with this permission can view but
50    not edit content in the Academic Section.
51    """
52    grok.name('waeup.viewAcademics')
53
54
55class ManageAcademics(grok.Permission):
56    """The ManageAcademics permission is applied to all edit/manage
57    pages in the Academic Section. Users who have this permission
58    can change/edit context objects.
59    """
60    grok.name('waeup.manageAcademics')
61
62
63class ManagePortal(grok.Permission):
64    """The ManagePortal permission is used for very few pages
65    (e.g. the DatacenterSettings page). Only PortalManagers have this
66    permission. It is furthermore used to control delete methods of container
67    pages in the Academic Section. The ManageAcademics permission,
68    described above, does enable users to edit content but not to
69    remove sub-containers, like faculties, departments or certificates.
70    Users must have the ManagePortal permission too to remove
71    entire containers.
72    """
73    grok.name('waeup.managePortal')
74
75
76class ManageUsers(grok.Permission):
77    """The ManageUsers permission is a real superuser permission
78    and therefore very 'dangerous'. It allows to add, remove or edit
79    user accounts. Editing a user account includes the option to assign
80    or remove roles. That means that a user with this permission can lock out
81    other users by either removing their account or by removing
82    permissions.
83    """
84    grok.name('waeup.manageUsers')
85
86
87class ShowStudents(grok.Permission):
88    """Users with this permission do not neccessarily see the 'Students' tab
89    but they can search for students at department, certificate or course
90    level. If they additionally have the ExportData permission they can
91    export the data as csv files.
92
93    Bursary or Department Officers don't have the ExportData
94    permission (see Roles section) and are only allowed to export bursary
95    or payments overview data respectively.
96    """
97    grok.name('waeup.showStudents')
98
99
100class ClearAllStudents(grok.Permission):
101    """The ClearAllStudents permission allows to clear all students
102    in a department at one sweep.
103    """
104    grok.name('waeup.clearAllStudents')
105
106
107class EditScores(grok.Permission):
108    """The EditScores permission allows to edit scores in course tickets.
109    """
110    grok.name('waeup.editScores')
111
112
113class TriggerTransition(grok.Permission):
114    """The TriggerTransition permission allows to trigger workflow transitions
115    of student and document objects.
116    """
117    grok.name('waeup.triggerTransition')
118
119
120class EditUser(grok.Permission):
121    """The EditUser permission is required for editing
122    single user accounts.
123    """
124    grok.name('waeup.editUser')
125
126
127class ManageDataCenter(grok.Permission):
128    """The ManageDataCenter permission allows to access all pages
129    in the Data Center and to upload files. It does not automatically
130    allow to process uploaded data files.
131    """
132    grok.name('waeup.manageDataCenter')
133
134
135class ImportData(grok.Permission):
136    """The ImportData permission allows to batch process (import) any kind of
137    portal data except for user data. The User Data processor
138    requires also the ManageUsers permission.
139    """
140    grok.name('waeup.importData')
141
142
143class ExportData(grok.Permission):
144    """The ExportData permission allows to export any kind of portal data.
145    """
146    grok.name('waeup.exportData')
147
148
149class ExportPaymentsOverview(grok.Permission):
150    grok.name('waeup.exportPaymentsOverview')
151
152
153class ExportBursaryData(grok.Permission):
154    grok.name('waeup.exportBursaryData')
155
156
157class ViewTranscript(grok.Permission):
158    grok.name('waeup.viewTranscript')
159
160
161class ManagePortalConfiguration(grok.Permission):
162    """The ManagePortalConfiguration permission allows to
163    edit global and sessional portal configuration data.
164    """
165    grok.name('waeup.managePortalConfiguration')
166
167
168class ManageACBatches(grok.Permission):
169    """The ManageACBatches permission allows to view and
170    manage accesscodes.
171    """
172    grok.name('waeup.manageACBatches')
173
174
175class PutBiometricDataPermission(grok.Permission):
176    """This permission allows to upload/change biometric data.
177    """
178    grok.name('waeup.putBiometricData')
179
180
181class GetBiometricDataPermission(grok.Permission):
182    """This permission allows to read biometric data.
183    """
184    grok.name('waeup.getBiometricData')
185
186
187# Local Roles
188
189class ApplicationsManager(grok.Role):
190    """The local ApplicationsManager role can be assigned at applicants
191    container and at department level. At department level an Applications
192    Manager can manage all applicants which desire to study a programme
193    offered by the department (1st Choice Course of Study).
194
195    At container level (local) Applications Managers gain permissions which
196    allow to manage the container and all applicants inside the container.  At
197    container level the permission set of this local role corresonds with the
198    permission set of the same-named global role.
199    """
200    grok.name('waeup.local.ApplicationsManager')
201    grok.title(u'Applications Manager')
202    grok.permissions('waeup.viewAcademics',
203                     'waeup.manageApplication', 'waeup.viewApplication',
204                     'waeup.payApplicant')
205
206
207class DepartmentOfficer(grok.Role):
208    """The local DepartmentOfficer role can be assigned at faculty or
209    department level. The role allows to list all student data within the
210    faculty/department the local role is assigned.
211    """
212    grok.name('waeup.local.DepartmentOfficer')
213    grok.title(u'Department Officer')
214    grok.permissions('waeup.showStudents',
215                     'waeup.viewAcademics',
216                     'waeup.exportPaymentsOverview')
217
218
219class DepartmentManager(grok.Role):
220    """The local DepartmentManager role can be assigned at faculty or
221    department level. The role allows to edit all data within this container.
222    It does not automatically allow to remove sub-containers.
223
224    Department Managers (Dean of Faculty or Head of Department respectively)
225    can also list student data but not access student pages.
226    """
227    grok.name('waeup.local.DepartmentManager')
228    grok.title(u'Department Manager')
229    grok.permissions('waeup.manageAcademics',
230                     'waeup.showStudents',
231                     'waeup.exportData')
232
233
234class ClearanceOfficer(grok.Role):
235    """The local ClearanceOfficer role can be assigned at faculty or
236    department level. The role allows to list or export all student
237    data within the faculty/department the local role is assigned.
238
239    Clearance Officers can furthermore clear all students or reject clearance
240    of all students in their faculty/department. They get the
241    StudentsClearanceOfficer role for this subset of students.
242    """
243    grok.name('waeup.local.ClearanceOfficer')
244    grok.title(u'Clearance Officer')
245    grok.permissions('waeup.showStudents',
246                     'waeup.viewAcademics',
247                     'waeup.exportData',
248                     'waeup.clearAllStudents')
249
250
251class LocalStudentsManager(grok.Role):
252    """The local LocalStudentsManager role can be assigned at faculty or
253    department level. The role allows to view all data and to view or export
254    all student data within the faculty/department the local role is assigned.
255
256    Local Students Managers can furthermore manage data of students
257    in their faculty/department. They get the StudentsManager role for
258    this subset of students.
259    """
260    grok.name('waeup.local.LocalStudentsManager')
261    grok.title(u'Students Manager')
262    grok.permissions('waeup.showStudents',
263                     'waeup.viewAcademics',
264                     'waeup.exportData')
265
266
267class LocalWorkflowManager(grok.Role):
268    """The local LocalWorkflowManager role can be assigned at faculty level.
269    The role allows to view all data and to list or export
270    all student data within the faculty the local role is assigned.
271
272    Local Workflow Managers can trigger transition of students in their
273    faculty/department. They get the WorkflowManager role for
274    this subset of students.
275    """
276    grok.name('waeup.local.LocalWorkflowManager')
277    grok.title(u'Student Workflow Manager')
278    grok.permissions('waeup.showStudents',
279                     'waeup.viewAcademics',
280                     'waeup.exportData')
281
282
283class UGClearanceOfficer(grok.Role):
284    """UG Clearance Officers are regular Clearance Officers with restricted
285    dynamic permission assignment. They can only access undergraduate
286    students.
287    """
288    grok.name('waeup.local.UGClearanceOfficer')
289    grok.title(u'UG Clearance Officer')
290    grok.permissions('waeup.showStudents',
291                     'waeup.viewAcademics',
292                     'waeup.exportData',
293                     'waeup.clearAllStudents')
294
295
296class PGClearanceOfficer(grok.Role):
297    """PG Clearance Officers are regular Clearance Officers with restricted
298    dynamic permission assignment. They can only access postgraduate
299    students.
300    """
301    grok.name('waeup.local.PGClearanceOfficer')
302    grok.title(u'PG Clearance Officer')
303    grok.permissions('waeup.showStudents',
304                     'waeup.viewAcademics',
305                     'waeup.exportData',
306                     'waeup.clearAllStudents')
307
308
309class CourseAdviser100(grok.Role):
310    """The local CourseAdviser100 role can be assigned at faculty,
311    department or certificate level. The role allows to view all data and
312    to list or export all student data within the faculty, department
313    or certificate the local role is assigned.
314
315    Local Course Advisers can validate or reject course lists of students
316    in ther faculty/department/certificate at level 100.
317    They get the StudentsCourseAdviser role for this subset of students.
318    """
319    grok.name('waeup.local.CourseAdviser100')
320    grok.title(u'Course Adviser 100L')
321    grok.permissions('waeup.showStudents',
322                     'waeup.viewAcademics',
323                     'waeup.exportData')
324
325
326class CourseAdviser200(grok.Role):
327    """Same as CourseAdviser100 but for level 200.
328    """
329    grok.name('waeup.local.CourseAdviser200')
330    grok.title(u'Course Adviser 200L')
331    grok.permissions('waeup.showStudents',
332                     'waeup.viewAcademics',
333                     'waeup.exportData')
334
335
336class CourseAdviser300(grok.Role):
337    """Same as CourseAdviser100 but for level 300.
338    """
339    grok.name('waeup.local.CourseAdviser300')
340    grok.title(u'Course Adviser 300L')
341    grok.permissions('waeup.showStudents',
342                     'waeup.viewAcademics',
343                     'waeup.exportData')
344
345
346class CourseAdviser400(grok.Role):
347    """Same as CourseAdviser100 but for level 400.
348    """
349    grok.name('waeup.local.CourseAdviser400')
350    grok.title(u'Course Adviser 400L')
351    grok.permissions('waeup.showStudents',
352                     'waeup.viewAcademics',
353                     'waeup.exportData')
354
355
356class CourseAdviser500(grok.Role):
357    """Same as CourseAdviser100 but for level 500.
358    """
359    grok.name('waeup.local.CourseAdviser500')
360    grok.title(u'Course Adviser 500L')
361    grok.permissions('waeup.showStudents',
362                     'waeup.viewAcademics',
363                     'waeup.exportData')
364
365
366class CourseAdviser600(grok.Role):
367    """Same as CourseAdviser100 but for level 600.
368    """
369    grok.name('waeup.local.CourseAdviser600')
370    grok.title(u'Course Adviser 600L')
371    grok.permissions('waeup.showStudents',
372                     'waeup.viewAcademics',
373                     'waeup.exportData')
374
375
376class CourseAdviser700(grok.Role):
377    """Same as CourseAdviser100 but for level 700.
378    """
379    grok.name('waeup.local.CourseAdviser700')
380    grok.title(u'Course Adviser 700L')
381    grok.permissions('waeup.showStudents',
382                     'waeup.viewAcademics',
383                     'waeup.exportData')
384
385
386class CourseAdviser800(grok.Role):
387    """Same as CourseAdviser100 but for level 800.
388    """
389    grok.name('waeup.local.CourseAdviser800')
390    grok.title(u'Course Adviser 800L')
391    grok.permissions('waeup.showStudents',
392                     'waeup.viewAcademics',
393                     'waeup.exportData')
394
395
396class Lecturer(grok.Role):
397    """The local Lecturer role can be assigned at course level.
398    The role allows to export some student
399    data within the course the local role is assigned. Lecturers can't access
400    student data directly but they can edit the scores in course tickets.
401    """
402    grok.name('waeup.local.Lecturer')
403    grok.title(u'Lecturer')
404    grok.permissions('waeup.editScores',
405                     'waeup.viewAcademics',
406                     'waeup.exportData')
407
408
409class Owner(grok.Role):
410    """Each user 'owns' her/his user object and gains permission to edit
411    some of the user attributes.
412    """
413    grok.name('waeup.local.Owner')
414    grok.title(u'Owner')
415    grok.permissions('waeup.editUser')
416
417
418# Site Roles
419class AcademicsOfficer(grok.Role):
420    """An Academics Officer can view but not edit data in the
421    academic section.
422
423    This is the default role which is automatically assigned to all
424    officers of the portal. A user with this role can access all display pages
425    at faculty, department, course, certificate and certificate course level.
426    """
427    grok.name('waeup.AcademicsOfficer')
428    grok.title(u'Academics Officer (view only)')
429    grok.permissions('waeup.viewAcademics')
430
431
432class AcademicsManager(grok.Role):
433    """An Academics Manager can view and edit all data in the
434    scademic section, i.e. access all manage pages
435    at faculty, department, course, certificate and certificate course level.
436    """
437    grok.name('waeup.AcademicsManager')
438    grok.title(u'Academics Manager')
439    title = u'Academics Manager'
440    grok.permissions('waeup.viewAcademics',
441                     'waeup.manageAcademics')
442
443
444class ACManager(grok.Role):
445    """This is the role for Access Code Managers.
446    An AC Manager can view and manage the Accesscodes Section, see
447    ManageACBatches permission above.
448    """
449    grok.name('waeup.ACManager')
450    grok.title(u'Access Code Manager')
451    grok.permissions('waeup.manageACBatches')
452
453
454class DataCenterManager(grok.Role):
455    """This single-permission role is dedicated to those users
456    who are charged with batch processing of portal data.
457    A Data Center Manager can access all pages in the Data Center,
458    see ManageDataCenter permission above.
459    """
460    grok.name('waeup.DataCenterManager')
461    grok.title(u'Datacenter Manager')
462    grok.permissions('waeup.manageDataCenter')
463
464
465class ImportManager(grok.Role):
466    """An Import Manager is a Data Center Manager who is also allowed
467    to batch process (import) data. All batch processors (importers) are
468    available except for the User Processor. This processor requires the
469    Users Manager role too. The ImportManager role includes the
470    DataCenterManager role but not vice versa.
471    """
472    grok.name('waeup.ImportManager')
473    grok.title(u'Import Manager')
474    grok.permissions('waeup.manageDataCenter',
475                     'waeup.importData')
476
477
478class ExportManager(grok.Role):
479    """An Export Manager is a Data Center Manager who is also allowed
480    to export all kind of portal data. The ExportManager role includes the
481    DataCenterManager role but not vice versa.
482    """
483    grok.name('waeup.ExportManager')
484    grok.title(u'Export Manager')
485    grok.permissions('waeup.manageDataCenter',
486                     'waeup.exportData',
487                     'waeup.showStudents')
488
489
490class BursaryOfficer(grok.Role):
491    """Bursary Officers can export bursary data. They can't access the
492    Data Center but see student data export buttons in the Academic Section.
493    """
494    grok.name('waeup.BursaryOfficer')
495    grok.title(u'Bursary Officer')
496    grok.permissions('waeup.showStudents',
497                     'waeup.viewAcademics',
498                     'waeup.exportBursaryData')
499
500
501class UsersManager(grok.Role):
502    """A Users Manager can add, remove or edit
503    user accounts, see ManageUsers permission for further information.
504    Be very careful with this role.
505    """
506    grok.name('waeup.UsersManager')
507    grok.title(u'Users Manager')
508    grok.permissions('waeup.manageUsers',
509                     'waeup.editUser')
510
511
512class WorkflowManager(grok.Role):
513    """The Workflow Manager can trigger workflow transitions
514    of student and document objects, see TriggerTransition permission
515    for further information.
516    """
517    grok.name('waeup.WorkflowManager')
518    grok.title(u'Workflow Manager')
519    grok.permissions('waeup.triggerTransition')
520
521
522class FingerprintReaderDeviceRole(grok.Role):
523    """Fingerprint Reader Devices.
524
525    Fingerprint readers are remote devices that can store and retrieve
526    fingerprint data.
527    """
528    grok.name('waeup.FingerprintDevice')
529    grok.title(u'Fingerprint Reader')
530    grok.permissions(
531        'waeup.getBiometricData',
532        'waeup.putBiometricData',
533    )
534
535
536class PortalManager(grok.Role):
537    """The PortalManager role is the maximum set of Kofa permissions
538    which are needed to manage the entire portal. This set must not
539    be customized. It is recommended to assign this role only
540    to a few certified Kofa administrators.
541    A less dangerous manager role is the CCOfficer role described below.
542    For the most tasks the CCOfficer role is sufficient.
543    """
544    grok.name('waeup.PortalManager')
545    grok.title(u'Portal Manager')
546    grok.permissions('waeup.managePortal',
547                     'waeup.manageUsers',
548                     'waeup.viewAcademics', 'waeup.manageAcademics',
549                     'waeup.manageACBatches',
550                     'waeup.manageDataCenter',
551                     'waeup.importData',
552                     'waeup.exportData',
553                     'waeup.viewTranscript',
554                     'waeup.viewDocuments', 'waeup.manageDocuments',
555                     'waeup.managePortalConfiguration',
556                     'waeup.viewApplication',
557                     'waeup.manageApplication', 'waeup.handleApplication',
558                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
559                     'waeup.viewApplicationStatistics',
560                     'waeup.viewStudent', 'waeup.manageStudent',
561                     'waeup.clearStudent', 'waeup.payStudent',
562                     'waeup.clearStudentFinancially',  # not used in base pkg
563                     'waeup.uploadStudentFile', 'waeup.showStudents',
564                     'waeup.clearAllStudents',
565                     'waeup.createStudents',
566                     'waeup.editScores',
567                     'waeup.triggerTransition',
568                     'waeup.validateStudent',
569                     'waeup.viewStudentsContainer',
570                     'waeup.handleAccommodation',
571                     'waeup.viewHostels', 'waeup.manageHostels',
572                     'waeup.editUser',
573                     'waeup.loginAsStudent',
574                     'waeup.handleReports',
575                     'waeup.manageReports',
576                     'waeup.manageJobs',
577                     )
578
579
580class CCOfficer(grok.Role):
581    """The role of the Computer Center Officer is basically a copy
582    of the the PortalManager role. Some 'dangerous' permissions are excluded
583    by commenting them out (see source code). If officers need to gain more
584    access rights than defined in this role, do not hastily switch to the
585    PortalManager role but add further manager roles instead. Additional
586    roles could be: UsersManager, ACManager, ImportManager, WorkflowManager
587    or StudentImpersonator.
588
589    CCOfficer is a base class which means that this role is subject to
590    customization. It is not used in the ``waeup.kofa`` base package.
591    """
592    grok.baseclass()
593    grok.name('waeup.CCOfficer')
594    grok.title(u'Computer Center Officer')
595    grok.permissions(
596        # 'waeup.managePortal',
597        # 'waeup.manageUsers',
598        'waeup.viewAcademics',
599        'waeup.manageAcademics',
600        # 'waeup.manageACBatches',
601        'waeup.manageDataCenter',
602        # 'waeup.importData',
603        'waeup.exportData',
604        'waeup.viewTranscript',
605        'waeup.viewDocuments', 'waeup.manageDocuments',
606        'waeup.managePortalConfiguration', 'waeup.viewApplication',
607        'waeup.manageApplication', 'waeup.handleApplication',
608        'waeup.viewApplicantsTab', 'waeup.payApplicant',
609        'waeup.viewApplicationStatistics',
610        'waeup.viewStudent', 'waeup.manageStudent',
611        'waeup.clearStudent', 'waeup.payStudent',
612        'waeup.uploadStudentFile', 'waeup.showStudents',
613        'waeup.clearAllStudents',
614        # 'waeup.createStudents',
615        'waeup.editScores',
616        # 'waeup.triggerTransition',
617        'waeup.validateStudent',
618        'waeup.viewStudentsContainer',
619        'waeup.handleAccommodation',
620        'waeup.viewHostels', 'waeup.manageHostels',
621        # 'waeup.editUser',
622        # 'waeup.loginAsStudent',
623        'waeup.handleReports',
624        'waeup.manageReports',
625        # 'waeup.manageJobs',
626        )
627
628
629def get_all_roles():
630    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
631    """
632    return getUtilitiesFor(IRole)
633
634
635def get_waeup_roles(also_local=False):
636    """Get all Kofa roles.
637
638    Kofa roles are ordinary roles whose id by convention starts with
639    a ``waeup.`` prefix.
640
641    If `also_local` is ``True`` (``False`` by default), also local
642    roles are returned. Local Kofa roles are such whose id starts
643    with ``waeup.local.`` prefix (this is also a convention).
644
645    Returns a generator of the found roles.
646    """
647    for name, item in get_all_roles():
648        if not name.startswith('waeup.'):
649            # Ignore non-Kofa roles...
650            continue
651        if not also_local and name.startswith('waeup.local.'):
652            # Ignore local roles...
653            continue
654        yield item
655
656
657def get_waeup_role_names():
658    """Get the ids of all Kofa roles.
659
660    See :func:`get_waeup_roles` for what a 'KofaRole' is.
661
662    This function returns a sorted list of Kofa role names.
663    """
664    return sorted([x.id for x in get_waeup_roles()])
665
666
667class LocalRolesAssignable(grok.Adapter):
668    """Default implementation for `ILocalRolesAssignable`.
669
670    This adapter returns a list for dictionaries for objects for which
671    we want to know the roles assignable to them locally.
672
673    The returned dicts contain a ``name`` and a ``title`` entry which
674    give a role (``name``) and a description, for which kind of users
675    the permission is meant to be used (``title``).
676
677    Having this adapter registered we make sure, that for each normal
678    object we get a valid `ILocalRolesAssignable` adapter.
679
680    Objects that want to offer certain local roles, can do so by
681    setting a (preferably class-) attribute to a list of role ids.
682
683    You can also define different adapters for different contexts to
684    have different role lookup mechanisms become available. But in
685    normal cases it should be sufficient to use this basic adapter.
686    """
687    grok.context(Interface)
688    grok.provides(ILocalRolesAssignable)
689
690    _roles = []
691
692    def __init__(self, context):
693        self.context = context
694        role_ids = getattr(context, 'local_roles', self._roles)
695        self._roles = [(name, role) for name, role in get_all_roles()
696                       if name in role_ids]
697        return
698
699    def __call__(self):
700        """Get a list of dictionaries containing ``names`` (the roles to
701        assign) and ``titles`` (some description of the type of user
702        to assign each role to).
703        """
704        list_of_dict = [dict(
705                name=name,
706                title=role.title,
707                description=role.description)
708                for name, role in self._roles]
709        return sorted(list_of_dict, key=lambda x: x['name'])
710
711
712def get_all_users():
713    """Get a list of dictionaries.
714    """
715    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
716    for key, val in users:
717        yield(dict(name=key, val=val))
718
719
720def get_users_with_local_roles(context):
721    """Get a list of dicts representing the local roles set for `context`.
722
723    Each dict returns `user_name`, `user_title`, `local_role`,
724    `local_role_title`, and `setting` for each entry in the local
725    roles map of the `context` object.
726    """
727    try:
728        role_map = IPrincipalRoleMap(context)
729    except TypeError:
730        # no map no roles.
731        raise StopIteration
732    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
733        user = grok.getSite()['users'].get(user_name, None)
734        user_title = getattr(user, 'title', user_name)
735        local_role_title = getattr(
736            dict(get_all_roles()).get(local_role, None), 'title', None)
737        yield dict(user_name=user_name,
738                   user_title=user_title,
739                   local_role=local_role,
740                   local_role_title=local_role_title,
741                   setting=setting)
742
743
744def get_users_with_role(role, context):
745    """Get a list of dicts representing the usres who have been granted
746    a role for `context`.
747    """
748    try:
749        role_map = IPrincipalRoleMap(context)
750    except TypeError:
751        # no map no roles.
752        raise StopIteration
753    for user_name, setting in role_map.getPrincipalsForRole(role):
754        user = grok.getSite()['users'].get(user_name, None)
755        user_title = getattr(user, 'title', user_name)
756        user_email = getattr(user, 'email', None)
757        yield dict(user_name=user_name,
758                   user_title=user_title,
759                   user_email=user_email,
760                   setting=setting)
Note: See TracBrowser for help on using the repository browser.