source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 15888

Last change on this file since 15888 was 15539, checked in by Henrik Bettermann, 5 years ago

Add permission to BursaryOfficer? role.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 28.2 KB
Line 
1# $Id: permissions.py 15539 2019-08-07 06:03:35Z henrik $
2#
3# Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4# This program is free software; you can redistribute it and/or modify
5# it under the terms of the GNU General Public License as published by
6# the Free Software Foundation; either version 2 of the License, or
7# (at your option) any later version.
8#
9# This program is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12# GNU General Public License for more details.
13#
14# You should have received a copy of the GNU General Public License
15# along with this program; if not, write to the Free Software
16# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17#
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
24
25class Public(grok.Permission):
26    """The Public or everyone-can-do-this-permission is being applied
27    to views/pages that are used by everyone.
28    """
29    grok.name('waeup.Public')
30
31
32class Anonymous(grok.Permission):
33    """The Anonymous permission is applied to
34    views/pages which are dedicated to anonymous users only.
35    Logged-in users can't access these views.
36    """
37    grok.name('waeup.Anonymous')
38
39
40class Authenticated(grok.Permission):
41    """The Authenticated permission is applied to pages
42    which can only be used by logged-in users and not by anonymous users.
43    """
44    grok.name('waeup.Authenticated')
45
46
47class ViewAcademics(grok.Permission):
48    """The ViewAcademics permission is applied to all
49    views of the Academic Section. Users with this permission can view but
50    not edit content in the Academic Section.
51    """
52    grok.name('waeup.viewAcademics')
53
54
55class ManageAcademics(grok.Permission):
56    """The ManageAcademics permission is applied to all edit/manage
57    pages in the Academic Section. Users who have this permission
58    can change/edit context objects.
59    """
60    grok.name('waeup.manageAcademics')
61
62
63class ManagePortal(grok.Permission):
64    """The ManagePortal permission is used for very few pages
65    (e.g. the DatacenterSettings page). Only PortalManagers have this
66    permission. It is furthermore used to control delete methods of container
67    pages in the Academic Section. The ManageAcademics permission,
68    described above, does enable users to edit content but not to
69    remove sub-containers, like faculties, departments or certificates.
70    Users must have the ManagePortal permission too to remove
71    entire containers.
72    """
73    grok.name('waeup.managePortal')
74
75
76class ManageUsers(grok.Permission):
77    """The ManageUsers permission is a real superuser permission
78    and therefore very 'dangerous'. It allows to add, remove or edit
79    user accounts. Editing a user account includes the option to assign
80    or remove roles. That means that a user with this permission can lock out
81    other users by either removing their account or by removing
82    permissions.
83    """
84    grok.name('waeup.manageUsers')
85
86
87class ShowStudents(grok.Permission):
88    """Users with this permission do not neccessarily see the 'Students' tab
89    but they can search for students at department, certificate or course
90    level. If they additionally have the ExportData permission they can
91    export the data as csv files.
92
93    Bursary or Department Officers don't have the ExportData
94    permission (see Roles section) and are only allowed to export bursary
95    or payments overview data respectively.
96    """
97    grok.name('waeup.showStudents')
98
99
100class ClearAllStudents(grok.Permission):
101    """The ClearAllStudents permission allows to clear all students
102    in a department at one sweep.
103    """
104    grok.name('waeup.clearAllStudents')
105
106
107class EditScores(grok.Permission):
108    """The EditScores permission allows to edit scores in course tickets.
109    """
110    grok.name('waeup.editScores')
111
112
113class TriggerTransition(grok.Permission):
114    """The TriggerTransition permission allows to trigger workflow transitions
115    of student and document objects.
116    """
117    grok.name('waeup.triggerTransition')
118
119
120class EditUser(grok.Permission):
121    """The EditUser permission is required for editing
122    single user accounts.
123    """
124    grok.name('waeup.editUser')
125
126
127class ManageDataCenter(grok.Permission):
128    """The ManageDataCenter permission allows to access all pages
129    in the Data Center and to upload files. It does not automatically
130    allow to process uploaded data files.
131    """
132    grok.name('waeup.manageDataCenter')
133
134
135class ImportData(grok.Permission):
136    """The ImportData permission allows to batch process (import) any kind of
137    portal data except for user data. The User Data processor
138    requires also the ManageUsers permission.
139    """
140    grok.name('waeup.importData')
141
142
143class ExportData(grok.Permission):
144    """The ExportData permission allows to export any kind of portal data.
145    """
146    grok.name('waeup.exportData')
147
148
149class ExportPaymentsOverview(grok.Permission):
150    """Department Officers don't have the general exportData
151    permission and are only allowed to export payments overviews.
152    The ExportPaymentsOverview permission is only used to filter the
153    respective exporters in the ExportJobContainerJobConfig view.
154    """
155    grok.name('waeup.exportPaymentsOverview')
156
157
158class ExportBursaryData(grok.Permission):
159    """Bursary Officers don't have the general exportData
160    permission and are only allowed to export bursary data.
161    The ExportBursaryData permission is only used to filter the
162    respective exporter in the ExportJobContainerJobConfig view.
163    """
164    grok.name('waeup.exportBursaryData')
165
166
167class ManagePortalConfiguration(grok.Permission):
168    """The ManagePortalConfiguration permission allows to
169    edit global and sessional portal configuration data.
170    """
171    grok.name('waeup.managePortalConfiguration')
172
173
174class ManageACBatches(grok.Permission):
175    """The ManageACBatches permission allows to view and
176    manage accesscodes.
177    """
178    grok.name('waeup.manageACBatches')
179
180
181class PutBiometricDataPermission(grok.Permission):
182    """This permission allows to upload/change biometric data.
183    """
184    grok.name('waeup.putBiometricData')
185
186
187class GetBiometricDataPermission(grok.Permission):
188    """This permission allows to read biometric data.
189    """
190    grok.name('waeup.getBiometricData')
191
192
193# Local Roles
194
195class ApplicationsManager(grok.Role):
196    """The local ApplicationsManager role can be assigned at applicants
197    container and at department level. At department level an Applications
198    Manager can manage all applicants which desire to study a programme
199    offered by the department (1st Choice Course of Study).
200
201    At container level (local) Applications Managers gain permissions which
202    allow to manage the container and all applicants inside the container.  At
203    container level the permission set of this local role corresonds with the
204    permission set of the same-named global role.
205    """
206    grok.name('waeup.local.ApplicationsManager')
207    grok.title(u'Applications Manager')
208    grok.permissions('waeup.viewAcademics',
209                     'waeup.manageApplication', 'waeup.viewApplication',
210                     'waeup.payApplicant')
211
212
213class DepartmentOfficer(grok.Role):
214    """The local DepartmentOfficer role can be assigned at faculty or
215    department level. The role allows to list all student data within the
216    faculty/department the local role is assigned. And it allows to export
217    payment data overviews.
218    """
219    grok.name('waeup.local.DepartmentOfficer')
220    grok.title(u'Department Officer')
221    grok.permissions('waeup.showStudents',
222                     'waeup.viewAcademics',
223                     'waeup.exportPaymentsOverview')
224
225
226class DepartmentManager(grok.Role):
227    """The local DepartmentManager role can be assigned at faculty or
228    department level. The role allows to edit all data within this container.
229    It does not automatically allow to remove sub-containers.
230
231    Department Managers (Dean of Faculty or Head of Department respectively)
232    can also list student data but not access student pages.
233    """
234    grok.name('waeup.local.DepartmentManager')
235    grok.title(u'Department Manager')
236    grok.permissions('waeup.manageAcademics',
237                     'waeup.showStudents',
238                     'waeup.exportData')
239
240
241class ClearanceOfficer(grok.Role):
242    """The local ClearanceOfficer role can be assigned at faculty or
243    department level. The role allows to list or export all student
244    data within the faculty/department the local role is assigned.
245
246    Clearance Officers can furthermore clear all students or reject clearance
247    of all students in their faculty/department. They get the
248    StudentsClearanceOfficer role for this subset of students.
249    """
250    grok.name('waeup.local.ClearanceOfficer')
251    grok.title(u'Clearance Officer')
252    grok.permissions('waeup.showStudents',
253                     'waeup.viewAcademics',
254                     'waeup.exportData',
255                     'waeup.clearAllStudents')
256
257
258class LocalStudentsManager(grok.Role):
259    """The local LocalStudentsManager role can be assigned at faculty or
260    department level. The role allows to view all data and to view or export
261    all student data within the faculty/department the local role is assigned.
262
263    Local Students Managers can furthermore manage data of students
264    in their faculty/department. They get the StudentsManager role for
265    this subset of students.
266    """
267    grok.name('waeup.local.LocalStudentsManager')
268    grok.title(u'Students Manager')
269    grok.permissions('waeup.showStudents',
270                     'waeup.viewAcademics',
271                     'waeup.exportData')
272
273
274class LocalWorkflowManager(grok.Role):
275    """The local LocalWorkflowManager role can be assigned at faculty level.
276    The role allows to view all data and to list or export
277    all student data within the faculty the local role is assigned.
278
279    Local Workflow Managers can trigger transition of students in their
280    faculty/department. They get the WorkflowManager role for
281    this subset of students.
282    """
283    grok.name('waeup.local.LocalWorkflowManager')
284    grok.title(u'Student Workflow Manager')
285    grok.permissions('waeup.showStudents',
286                     'waeup.viewAcademics',
287                     'waeup.exportData')
288
289
290class UGClearanceOfficer(grok.Role):
291    """UG Clearance Officers are regular Clearance Officers with restricted
292    dynamic permission assignment. They can only access undergraduate
293    students.
294    """
295    grok.name('waeup.local.UGClearanceOfficer')
296    grok.title(u'UG Clearance Officer')
297    grok.permissions('waeup.showStudents',
298                     'waeup.viewAcademics',
299                     'waeup.exportData',
300                     'waeup.clearAllStudents')
301
302
303class PGClearanceOfficer(grok.Role):
304    """PG Clearance Officers are regular Clearance Officers with restricted
305    dynamic permission assignment. They can only access postgraduate
306    students.
307    """
308    grok.name('waeup.local.PGClearanceOfficer')
309    grok.title(u'PG Clearance Officer')
310    grok.permissions('waeup.showStudents',
311                     'waeup.viewAcademics',
312                     'waeup.exportData',
313                     'waeup.clearAllStudents')
314
315
316class CourseAdviser100(grok.Role):
317    """The local CourseAdviser100 role can be assigned at faculty,
318    department or certificate level. The role allows to view all data and
319    to list or export all student data within the faculty, department
320    or certificate the local role is assigned.
321
322    Local Course Advisers can validate or reject course lists of students
323    in ther faculty/department/certificate at level 100.
324    They get the StudentsCourseAdviser role for this subset of students.
325    """
326    grok.name('waeup.local.CourseAdviser100')
327    grok.title(u'Course Adviser 100L')
328    grok.permissions('waeup.showStudents',
329                     'waeup.viewAcademics',
330                     'waeup.exportData')
331
332
333class CourseAdviser200(grok.Role):
334    """Same as CourseAdviser100 but for level 200.
335    """
336    grok.name('waeup.local.CourseAdviser200')
337    grok.title(u'Course Adviser 200L')
338    grok.permissions('waeup.showStudents',
339                     'waeup.viewAcademics',
340                     'waeup.exportData')
341
342
343class CourseAdviser300(grok.Role):
344    """Same as CourseAdviser100 but for level 300.
345    """
346    grok.name('waeup.local.CourseAdviser300')
347    grok.title(u'Course Adviser 300L')
348    grok.permissions('waeup.showStudents',
349                     'waeup.viewAcademics',
350                     'waeup.exportData')
351
352
353class CourseAdviser400(grok.Role):
354    """Same as CourseAdviser100 but for level 400.
355    """
356    grok.name('waeup.local.CourseAdviser400')
357    grok.title(u'Course Adviser 400L')
358    grok.permissions('waeup.showStudents',
359                     'waeup.viewAcademics',
360                     'waeup.exportData')
361
362
363class CourseAdviser500(grok.Role):
364    """Same as CourseAdviser100 but for level 500.
365    """
366    grok.name('waeup.local.CourseAdviser500')
367    grok.title(u'Course Adviser 500L')
368    grok.permissions('waeup.showStudents',
369                     'waeup.viewAcademics',
370                     'waeup.exportData')
371
372
373class CourseAdviser600(grok.Role):
374    """Same as CourseAdviser100 but for level 600.
375    """
376    grok.name('waeup.local.CourseAdviser600')
377    grok.title(u'Course Adviser 600L')
378    grok.permissions('waeup.showStudents',
379                     'waeup.viewAcademics',
380                     'waeup.exportData')
381
382
383class CourseAdviser700(grok.Role):
384    """Same as CourseAdviser100 but for level 700.
385    """
386    grok.name('waeup.local.CourseAdviser700')
387    grok.title(u'Course Adviser 700L')
388    grok.permissions('waeup.showStudents',
389                     'waeup.viewAcademics',
390                     'waeup.exportData')
391
392
393class CourseAdviser800(grok.Role):
394    """Same as CourseAdviser100 but for level 800.
395    """
396    grok.name('waeup.local.CourseAdviser800')
397    grok.title(u'Course Adviser 800L')
398    grok.permissions('waeup.showStudents',
399                     'waeup.viewAcademics',
400                     'waeup.exportData')
401
402
403class LocalTranscriptOfficer(grok.Role):
404    """The LocalTranscriptOfficer role can be assigned at faculty
405    level. The role allows to view, to validate and to
406    release student transcripts at faculty level.
407    Local Transcript Officers get the TranscriptOfficer role
408    for this subset of students.
409    """
410    grok.name('waeup.local.TranscriptOfficer')
411    grok.title(u'Transcript Officer')
412    grok.permissions('waeup.viewAcademics',)
413
414
415class LocalTranscriptSignee(grok.Role):
416    """The LocalTranscriptSignee role can be assigned at faculty
417    level. The role allows to view and to sign student transcripts
418    at faculty level. Local Transcript Signees  get the TranscriptSignee role
419    for this subset of students.
420    """
421    grok.name('waeup.local.TranscriptSignee')
422    grok.title(u'Transcript Signee')
423    grok.permissions('waeup.viewAcademics',)
424
425
426class Lecturer(grok.Role):
427    """The local Lecturer role can be assigned at course level.
428    The role allows to export some student
429    data within the course the local role is assigned. Lecturers can't access
430    student data directly but they can edit the scores in course tickets.
431    """
432    grok.name('waeup.local.Lecturer')
433    grok.title(u'Lecturer')
434    grok.permissions('waeup.editScores',
435                     'waeup.showStudents',
436                     'waeup.viewAcademics',
437                     'waeup.exportData')
438
439
440class Owner(grok.Role):
441    """Each user 'owns' her/his user object and gains permission to edit
442    some of the user attributes.
443    """
444    grok.name('waeup.local.Owner')
445    grok.title(u'Owner')
446    grok.permissions('waeup.editUser')
447
448
449# Site Roles
450class AcademicsOfficer(grok.Role):
451    """An Academics Officer can view but not edit data in the
452    academic section.
453
454    This is the default role which is automatically assigned to all
455    officers of the portal. A user with this role can access all display pages
456    at faculty, department, course, certificate and certificate course level.
457    """
458    grok.name('waeup.AcademicsOfficer')
459    grok.title(u'Academics Officer (view only)')
460    grok.permissions('waeup.viewAcademics')
461
462
463class AcademicsManager(grok.Role):
464    """An Academics Manager can view and edit all data in the
465    scademic section, i.e. access all manage pages
466    at faculty, department, course, certificate and certificate course level.
467    """
468    grok.name('waeup.AcademicsManager')
469    grok.title(u'Academics Manager')
470    title = u'Academics Manager'
471    grok.permissions('waeup.viewAcademics',
472                     'waeup.manageAcademics')
473
474
475class ACManager(grok.Role):
476    """This is the role for Access Code Managers.
477    An AC Manager can view and manage the Accesscodes Section, see
478    ManageACBatches permission above.
479    """
480    grok.name('waeup.ACManager')
481    grok.title(u'Access Code Manager')
482    grok.permissions('waeup.manageACBatches')
483
484
485class DataCenterManager(grok.Role):
486    """This single-permission role is dedicated to those users
487    who are charged with batch processing of portal data.
488    A Data Center Manager can access all pages in the Data Center,
489    see ManageDataCenter permission above.
490    """
491    grok.name('waeup.DataCenterManager')
492    grok.title(u'Datacenter Manager')
493    grok.permissions('waeup.manageDataCenter')
494
495
496class ImportManager(grok.Role):
497    """An Import Manager is a Data Center Manager who is also allowed
498    to batch process (import) data. All batch processors (importers) are
499    available except for the User Processor. This processor requires the
500    Users Manager role too. The ImportManager role includes the
501    DataCenterManager role but not vice versa.
502    """
503    grok.name('waeup.ImportManager')
504    grok.title(u'Import Manager')
505    grok.permissions('waeup.manageDataCenter',
506                     'waeup.importData')
507
508
509class ExportManager(grok.Role):
510    """An Export Manager is a Data Center Manager who is also allowed
511    to export all kind of portal data. The ExportManager role includes the
512    DataCenterManager role but not vice versa.
513    """
514    grok.name('waeup.ExportManager')
515    grok.title(u'Export Manager')
516    grok.permissions('waeup.manageDataCenter',
517                     'waeup.exportData',
518                     'waeup.showStudents')
519
520
521class BursaryOfficer(grok.Role):
522    """Bursary Officers can export bursary and payments data. They can't 
523    access the Data Center but see student data export buttons in the
524    Academic Section.
525    """
526    grok.name('waeup.BursaryOfficer')
527    grok.title(u'Bursary Officer')
528    grok.permissions('waeup.showStudents',
529                     'waeup.viewAcademics',
530                     'waeup.exportBursaryData',
531                     'waeup.exportPaymentsOverview',
532                     'waeup.viewApplicantsTab')
533
534
535class UsersManager(grok.Role):
536    """A Users Manager can add, remove or edit
537    user accounts, see ManageUsers permission for further information.
538    Be very careful with this role.
539    """
540    grok.name('waeup.UsersManager')
541    grok.title(u'Users Manager')
542    grok.permissions('waeup.manageUsers',
543                     'waeup.editUser')
544
545
546class WorkflowManager(grok.Role):
547    """The Workflow Manager can trigger workflow transitions
548    of student and document objects, see TriggerTransition permission
549    for further information.
550    """
551    grok.name('waeup.WorkflowManager')
552    grok.title(u'Workflow Manager')
553    grok.permissions('waeup.triggerTransition')
554
555
556class FingerprintReaderDeviceRole(grok.Role):
557    """Fingerprint Reader Devices.
558
559    Fingerprint readers are remote devices that can store and retrieve
560    fingerprint data.
561    """
562    grok.name('waeup.FingerprintDevice')
563    grok.title(u'Fingerprint Reader')
564    grok.permissions(
565        'waeup.getBiometricData',
566        'waeup.putBiometricData',
567    )
568
569
570class PortalManager(grok.Role):
571    """The PortalManager role is the maximum set of Kofa permissions
572    which are needed to manage the entire portal. This set must not
573    be customized. It is recommended to assign this role only
574    to a few certified Kofa administrators.
575    A less dangerous manager role is the CCOfficer role described below.
576    For the most tasks the CCOfficer role is sufficient.
577    """
578    grok.name('waeup.PortalManager')
579    grok.title(u'Portal Manager')
580    grok.permissions('waeup.managePortal',
581                     'waeup.manageUsers',
582                     'waeup.viewAcademics', 'waeup.manageAcademics',
583                     'waeup.manageACBatches',
584                     'waeup.manageDataCenter',
585                     'waeup.importData',
586                     'waeup.exportData',
587                     'waeup.viewTranscript',
588                     'waeup.processTranscript',
589                     'waeup.viewDocuments', 'waeup.manageDocuments',
590                     'waeup.managePortalConfiguration',
591                     'waeup.viewApplication',
592                     'waeup.manageApplication', 'waeup.handleApplication',
593                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
594                     'waeup.viewApplicationStatistics',
595                     'waeup.viewStudent', 'waeup.manageStudent',
596                     'waeup.clearStudent', 'waeup.payStudent',
597                     'waeup.clearStudentFinancially',  # not used in base pkg
598                     'waeup.uploadStudentFile', 'waeup.showStudents',
599                     'waeup.clearAllStudents',
600                     'waeup.createStudents',
601                     'waeup.editScores',
602                     'waeup.triggerTransition',
603                     'waeup.validateStudent',
604                     'waeup.viewStudentsContainer',
605                     'waeup.handleAccommodation',
606                     'waeup.viewHostels', 'waeup.manageHostels',
607                     'waeup.editUser',
608                     'waeup.loginAsStudent',
609                     'waeup.handleReports',
610                     'waeup.manageReports',
611                     'waeup.manageJobs',
612                     )
613
614
615class CCOfficer(grok.Role):
616    """The role of the Computer Center Officer is basically a copy
617    of the the PortalManager role. Some 'dangerous' permissions are excluded
618    by commenting them out (see source code). If officers need to gain more
619    access rights than defined in this role, do not hastily switch to the
620    PortalManager role but add further manager roles instead. Additional
621    roles could be: UsersManager, ACManager, ImportManager, WorkflowManager
622    or StudentImpersonator.
623
624    CCOfficer is a base class which means that this role is subject to
625    customization. It is not used in the ``waeup.kofa`` base package.
626    """
627    grok.baseclass()
628    grok.name('waeup.CCOfficer')
629    grok.title(u'Computer Center Officer')
630    grok.permissions(
631        # 'waeup.managePortal',
632        # 'waeup.manageUsers',
633        'waeup.viewAcademics',
634        'waeup.manageAcademics',
635        # 'waeup.manageACBatches',
636        'waeup.manageDataCenter',
637        # 'waeup.importData',
638        'waeup.exportData',
639        'waeup.viewTranscript',
640        'waeup.processTranscript',
641        'waeup.viewDocuments', 'waeup.manageDocuments',
642        'waeup.managePortalConfiguration', 'waeup.viewApplication',
643        'waeup.manageApplication', 'waeup.handleApplication',
644        'waeup.viewApplicantsTab', 'waeup.payApplicant',
645        'waeup.viewApplicationStatistics',
646        'waeup.viewStudent', 'waeup.manageStudent',
647        'waeup.clearStudent', 'waeup.payStudent',
648        'waeup.uploadStudentFile', 'waeup.showStudents',
649        'waeup.clearAllStudents',
650        # 'waeup.createStudents',
651        'waeup.editScores',
652        # 'waeup.triggerTransition',
653        'waeup.validateStudent',
654        'waeup.viewStudentsContainer',
655        'waeup.handleAccommodation',
656        'waeup.viewHostels', 'waeup.manageHostels',
657        # 'waeup.editUser',
658        # 'waeup.loginAsStudent',
659        'waeup.handleReports',
660        'waeup.manageReports',
661        # 'waeup.manageJobs',
662        )
663
664
665def get_all_roles():
666    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
667    """
668    return getUtilitiesFor(IRole)
669
670
671def get_waeup_roles(also_local=False):
672    """Get all Kofa roles.
673
674    Kofa roles are ordinary roles whose id by convention starts with
675    a ``waeup.`` prefix.
676
677    If `also_local` is ``True`` (``False`` by default), also local
678    roles are returned. Local Kofa roles are such whose id starts
679    with ``waeup.local.`` prefix (this is also a convention).
680
681    Returns a generator of the found roles.
682    """
683    for name, item in get_all_roles():
684        if not name.startswith('waeup.'):
685            # Ignore non-Kofa roles...
686            continue
687        if not also_local and name.startswith('waeup.local.'):
688            # Ignore local roles...
689            continue
690        yield item
691
692
693def get_waeup_role_names():
694    """Get the ids of all Kofa roles.
695
696    See :func:`get_waeup_roles` for what a 'KofaRole' is.
697
698    This function returns a sorted list of Kofa role names.
699    """
700    return sorted([x.id for x in get_waeup_roles()])
701
702
703class LocalRolesAssignable(grok.Adapter):
704    """Default implementation for `ILocalRolesAssignable`.
705
706    This adapter returns a list for dictionaries for objects for which
707    we want to know the roles assignable to them locally.
708
709    The returned dicts contain a ``name`` and a ``title`` entry which
710    give a role (``name``) and a description, for which kind of users
711    the permission is meant to be used (``title``).
712
713    Having this adapter registered we make sure, that for each normal
714    object we get a valid `ILocalRolesAssignable` adapter.
715
716    Objects that want to offer certain local roles, can do so by
717    setting a (preferably class-) attribute to a list of role ids.
718
719    You can also define different adapters for different contexts to
720    have different role lookup mechanisms become available. But in
721    normal cases it should be sufficient to use this basic adapter.
722    """
723    grok.context(Interface)
724    grok.provides(ILocalRolesAssignable)
725
726    _roles = []
727
728    def __init__(self, context):
729        self.context = context
730        role_ids = getattr(context, 'local_roles', self._roles)
731        self._roles = [(name, role) for name, role in get_all_roles()
732                       if name in role_ids]
733        return
734
735    def __call__(self):
736        """Get a list of dictionaries containing ``names`` (the roles to
737        assign) and ``titles`` (some description of the type of user
738        to assign each role to).
739        """
740        list_of_dict = [dict(
741                name=name,
742                title=role.title,
743                description=role.description)
744                for name, role in self._roles]
745        return sorted(list_of_dict, key=lambda x: x['name'])
746
747
748def get_all_users():
749    """Get a list of dictionaries.
750    """
751    users = sorted(grok.getSite()['users'].items(), key=lambda x: x[1].title)
752    for key, val in users:
753        yield(dict(name=key, val=val))
754
755
756def get_users_with_local_roles(context):
757    """Get a list of dicts representing the local roles set for `context`.
758
759    Each dict returns `user_name`, `user_title`, `local_role`,
760    `local_role_title`, and `setting` for each entry in the local
761    roles map of the `context` object.
762    """
763    try:
764        role_map = IPrincipalRoleMap(context)
765    except TypeError:
766        # no map no roles.
767        raise StopIteration
768    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
769        user = grok.getSite()['users'].get(user_name, None)
770        user_title = getattr(user, 'title', user_name)
771        local_role_title = getattr(
772            dict(get_all_roles()).get(local_role, None), 'title', None)
773        yield dict(user_name=user_name,
774                   user_title=user_title,
775                   local_role=local_role,
776                   local_role_title=local_role_title,
777                   setting=setting)
778
779
780def get_users_with_role(role, context):
781    """Get a list of dicts representing the usres who have been granted
782    a role for `context`.
783    """
784    try:
785        role_map = IPrincipalRoleMap(context)
786    except TypeError:
787        # no map no roles.
788        raise StopIteration
789    for user_name, setting in role_map.getPrincipalsForRole(role):
790        user = grok.getSite()['users'].get(user_name, None)
791        user_title = getattr(user, 'title', user_name)
792        user_email = getattr(user, 'email', None)
793        yield dict(user_name=user_name,
794                   user_title=user_title,
795                   user_email=user_email,
796                   setting=setting)
Note: See TracBrowser for help on using the repository browser.