source: main/waeup.kofa/trunk/src/waeup/kofa/permissions.py @ 8970

Last change on this file since 8970 was 8962, checked in by Henrik Bettermann, 12 years ago

Add local roles UGClearanceOfficer and PGClearanceOfficer.

1## $Id: permissions.py 8962 2012-07-10 05:37:41Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.kofa.interfaces import ILocalRolesAssignable
23
class Public(grok.Permission):
    """Permission for things everybody may use or read.

    Apply it to objects, views and pages that have to be reachable by
    every visitor. It exists so that the default permissions can be
    made more restrictive while a few dedicated objects, such as the
    front page, are opened up explicitly.

    Whatever is protected by this permission is world-readable by
    design, so it should be required only where that is intended.
    """
    grok.name('waeup.Public')
35
class Anonymous(grok.Permission):
    """Permission meant for anonymous (not logged-in) visitors only.

    Registered under the id ``waeup.Anonymous``.
    """
    # NOTE(review): no role in this module grants this permission;
    # presumably it is granted in the site configuration -- confirm.
    grok.name('waeup.Anonymous')
40
class Authenticated(grok.Permission):
    """Permission meant for logged-in users only.

    Registered under the id ``waeup.Authenticated``.
    """
    # NOTE(review): no role in this module grants this permission;
    # presumably it is granted in the site configuration -- confirm.
    grok.name('waeup.Authenticated')
45
class ViewAcademicsPermission(grok.Permission):
    """Permission registered under the id ``waeup.viewAcademics``.

    In this module it is part of the clearance officer and course
    adviser local roles and of the site roles ``AcademicsOfficer``,
    ``AcademicsManager`` and ``PortalManager``.
    """
    grok.name('waeup.viewAcademics')
48
class ManageAcademicsPermission(grok.Permission):
    """Permission registered under the id ``waeup.manageAcademics``.

    In this module it is part of the local role ``DepartmentManager``
    and of the site roles ``AcademicsManager`` and ``PortalManager``.
    """
    grok.name('waeup.manageAcademics')
51
class ManagePortal(grok.Permission):
    """Permission registered under the id ``waeup.managePortal``.

    In this module only the site role ``PortalManager`` contains it.
    """
    grok.name('waeup.managePortal')
54
class ManageUsers(grok.Permission):
    """Permission registered under the id ``waeup.manageUsers``.

    In this module it is part of the site roles ``UsersManager`` and
    ``PortalManager``.
    """
    grok.name('waeup.manageUsers')
57
class ShowStudents(grok.Permission):
    """Permission registered under the id ``waeup.showStudents``.

    In this module it is part of the local roles ``DepartmentManager``,
    the clearance officer and course adviser roles, and of the site
    role ``PortalManager``.
    """
    grok.name('waeup.showStudents')
60
class EditUser(grok.Permission):
    """Permission registered under the id ``waeup.editUser``.

    In this module it is part of the local role ``Owner`` and of the
    site role ``PortalManager``.
    """
    grok.name('waeup.editUser')
63
class ManageDataCenter(grok.Permission):
    """Permission registered under the id ``waeup.manageDataCenter``.

    In this module it is part of the site roles ``DataCenterManager``,
    ``ImportManager`` and ``PortalManager``.
    """
    grok.name('waeup.manageDataCenter')
66
class ImportData(grok.Permission):
    """Permission registered under the id ``waeup.importData``.

    In this module it is part of the site roles ``ImportManager`` and
    ``PortalManager``; ``DataCenterManager`` does not contain it.
    """
    grok.name('waeup.importData')
69
class ManagePortalConfiguration(grok.Permission):
    """Permission registered under the id
    ``waeup.managePortalConfiguration``.

    In this module only the site role ``PortalManager`` contains it.
    """
    grok.name('waeup.managePortalConfiguration')
72
class ManageACBatches(grok.Permission):
    """Permission registered under the id ``waeup.manageACBatches``.

    In this module it is part of the site roles ``ACManager`` (titled
    'Access Code Manager') and ``PortalManager``.
    """
    grok.name('waeup.manageACBatches')
75
76# Local Roles
class DepartmentManager(grok.Role):
    """Local role bundling ``waeup.manageAcademics`` and
    ``waeup.showStudents``.

    The ``waeup.local.`` prefix of the id marks it as a local role.
    ``waeup.viewAcademics`` is not part of this role.
    """
    # NOTE(review): on which objects this role is offered depends on
    # their ``local_roles`` attribute, which is not set in this module.
    grok.name('waeup.local.DepartmentManager')
    grok.title(u'Department Manager')
    grok.permissions(
        'waeup.manageAcademics',
        'waeup.showStudents',
        )
81
class ClearanceOfficer(grok.Role):
    """Local clearance officer role, meant for the assignment of
    dynamic roles only.

    The role itself carries read access only:
    ``waeup.showStudents`` and ``waeup.viewAcademics``.
    """
    grok.name('waeup.local.ClearanceOfficer')
    grok.title(u'Clearance Officer')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        )
89
class UGClearanceOfficer(grok.Role):
    """Local UG clearance officer role, meant for the assignment of
    dynamic roles only.

    It carries the same two permissions as ``ClearanceOfficer``:
    ``waeup.showStudents`` and ``waeup.viewAcademics``.
    """
    grok.name('waeup.local.UGClearanceOfficer')
    grok.title(u'UG Clearance Officer')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        )
97
class PGClearanceOfficer(grok.Role):
    """Local PG clearance officer role, meant for the assignment of
    dynamic roles only.

    It carries the same two permissions as ``ClearanceOfficer``:
    ``waeup.showStudents`` and ``waeup.viewAcademics``.
    """
    grok.name('waeup.local.PGClearanceOfficer')
    grok.title(u'PG Clearance Officer')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        )
105
class CourseAdviser100(grok.Role):
    """Local role for 100 level course advisers, meant for the
    assignment of dynamic roles only.

    Carries ``waeup.showStudents`` and ``waeup.viewAcademics``.
    """
    grok.name('waeup.local.CourseAdviser100')
    grok.title(u'Course Adviser 100L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        )
113
class CourseAdviser200(grok.Role):
    """Local role for 200 level course advisers, meant for the
    assignment of dynamic roles only.

    Carries ``waeup.showStudents`` and ``waeup.viewAcademics``.
    """
    grok.name('waeup.local.CourseAdviser200')
    grok.title(u'Course Adviser 200L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        )
121
class CourseAdviser300(grok.Role):
    """Local role for 300 level course advisers, meant for the
    assignment of dynamic roles only.

    Carries ``waeup.showStudents`` and ``waeup.viewAcademics``.
    """
    grok.name('waeup.local.CourseAdviser300')
    grok.title(u'Course Adviser 300L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        )
129
class CourseAdviser400(grok.Role):
    """Local role for 400 level course advisers, meant for the
    assignment of dynamic roles only.

    Carries ``waeup.showStudents`` and ``waeup.viewAcademics``.
    """
    grok.name('waeup.local.CourseAdviser400')
    grok.title(u'Course Adviser 400L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        )
137
class CourseAdviser500(grok.Role):
    """Local role for 500 level course advisers, meant for the
    assignment of dynamic roles only.

    Carries ``waeup.showStudents`` and ``waeup.viewAcademics``.
    """
    grok.name('waeup.local.CourseAdviser500')
    grok.title(u'Course Adviser 500L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        )
145
class CourseAdviser600(grok.Role):
    """Local role for 600 level course advisers, meant for the
    assignment of dynamic roles only.

    Carries ``waeup.showStudents`` and ``waeup.viewAcademics``.
    """
    grok.name('waeup.local.CourseAdviser600')
    grok.title(u'Course Adviser 600L')
    grok.permissions(
        'waeup.showStudents',
        'waeup.viewAcademics',
        )
153
class Owner(grok.Role):
    """Local role carrying the single permission ``waeup.editUser``."""
    # NOTE(review): presumably assigned on a user's own account object
    # so that the holder can edit it -- confirm where it is assigned.
    grok.name('waeup.local.Owner')
    grok.title(u'Owner')
    grok.permissions(
        'waeup.editUser',
        )
158
159# Site Roles
class AcademicsOfficer(grok.Role):
    """Site role with view-only access to the academics section.

    Carries ``waeup.viewAcademics`` and nothing else.
    """
    grok.name('waeup.AcademicsOfficer')
    grok.title(u'Academics Officer (view only)')
    grok.permissions(
        'waeup.viewAcademics',
        )
164
class AcademicsManager(grok.Role):
    """Site role carrying ``waeup.viewAcademics`` and
    ``waeup.manageAcademics``.
    """
    grok.name('waeup.AcademicsManager')
    grok.title(u'Academics Manager')
    grok.permissions(
        'waeup.viewAcademics',
        'waeup.manageAcademics',
        )
170
class ACManager(grok.Role):
    """Site role for access code managers.

    Carries ``waeup.manageACBatches`` and nothing else.
    """
    grok.name('waeup.ACManager')
    grok.title(u'Access Code Manager')
    grok.permissions(
        'waeup.manageACBatches',
        )
175
class DataCenterManager(grok.Role):
    """Site role carrying ``waeup.manageDataCenter``.

    ``waeup.importData`` is not included; the ``ImportManager`` role
    carries both.
    """
    grok.name('waeup.DataCenterManager')
    grok.title(u'Datacenter Manager')
    grok.permissions(
        'waeup.manageDataCenter',
        )
180
class ImportManager(grok.Role):
    """Site role carrying ``waeup.manageDataCenter`` and
    ``waeup.importData``.
    """
    grok.name('waeup.ImportManager')
    grok.title(u'Import Manager')
    grok.permissions(
        'waeup.manageDataCenter',
        'waeup.importData',
        )
186
class UsersManager(grok.Role):
    """Site role carrying ``waeup.manageUsers`` and nothing else."""
    grok.name('waeup.UsersManager')
    grok.title(u'Users Manager')
    grok.permissions(
        'waeup.manageUsers',
        )
191
class PortalManager(grok.Role):
    """Site role that bundles the management permissions of the portal.

    The grant is an explicit list: a permission that is not named
    below is not part of this role. Because the role combines user,
    data, configuration, applicant, student and hostel management, it
    is the broadest role defined in this module and should be assigned
    with corresponding care.
    """
    # NOTE(review): the applicant, student and hostel permission ids
    # below are not defined in this module; presumably they are
    # registered by other packages of the portal -- confirm.
    grok.name('waeup.PortalManager')
    grok.title(u'Portal Manager')
    grok.permissions(
        # portal, users, academics, access codes, data center
        'waeup.managePortal',
        'waeup.manageUsers',
        'waeup.viewAcademics',
        'waeup.manageAcademics',
        'waeup.manageACBatches',
        'waeup.manageDataCenter',
        'waeup.importData',
        'waeup.managePortalConfiguration',
        # applicants
        'waeup.viewApplication',
        'waeup.manageApplication',
        'waeup.handleApplication',
        'waeup.viewApplicantsTab',
        'waeup.payApplicant',
        'waeup.viewApplicationStatistics',
        # students
        'waeup.viewStudent',
        'waeup.manageStudent',
        'waeup.clearStudent',
        'waeup.payStudent',
        'waeup.uploadStudentFile',
        'waeup.showStudents',
        'waeup.viewStudentsContainer',
        'waeup.viewStudentsTab',
        # hostels
        'waeup.viewHostels',
        'waeup.manageHostels',
        # user accounts
        'waeup.editUser',
        )
210
def get_all_roles():
    """Return ``(<ROLE-NAME>, <ROLE>)`` pairs for all registered roles.

    The result is whatever ``getUtilitiesFor(IRole)`` returns. Other
    functions in this module only iterate over it or pass it to
    ``dict()``, so callers should not rely on it being a real list.
    """
    registered_roles = getUtilitiesFor(IRole)
    return registered_roles
215
def get_waeup_roles(also_local=False):
    """Yield all Kofa roles.

    Kofa roles are ordinary roles whose id by convention starts with
    the prefix ``waeup.``. Local Kofa roles are those whose id starts
    with ``waeup.local.`` (also a convention); they are yielded only
    if `also_local` is true, which it is not by default.

    The distinction is made on the registered name alone. A role
    meant to be local but named without the ``waeup.local.`` prefix
    is therefore reported as a site role.

    Returns a generator of the found roles.
    """
    for name, item in get_all_roles():
        is_kofa_role = name.startswith('waeup.')
        is_local_role = name.startswith('waeup.local.')
        # Non-Kofa roles are always skipped, local ones unless requested.
        if is_kofa_role and (also_local or not is_local_role):
            yield item
236
def get_waeup_role_names():
    """Return the sorted ids of all Kofa site roles.

    See :func:`get_waeup_roles` for what a Kofa role is. That function
    is called with its default arguments, so local roles (ids starting
    with ``waeup.local.``) are not part of the result.
    """
    role_ids = sorted(role.id for role in get_waeup_roles())
    return role_ids
245
class LocalRolesAssignable(grok.Adapter):
    """Default implementation for `ILocalRolesAssignable`.

    Calling the adapter returns a list of dictionaries describing the
    roles that can be assigned locally to the adapted object.

    Because the adapter is registered for `Interface`, every normal
    object gets a valid `ILocalRolesAssignable` adapter.

    Objects that want to offer certain local roles can do so by
    setting a (preferably class-) attribute ``local_roles`` to a list
    of role ids. Objects without that attribute offer no roles. Ids
    for which no role is registered are dropped silently.

    The adapter only reports which roles are offered. It performs no
    permission check itself, so the code that actually assigns a role
    has to be protected on its own.

    You can also define different adapters for different contexts to
    have different role lookup mechanisms become available. But in
    normal cases it should be sufficient to use this basic adapter.
    """
    grok.context(Interface)
    grok.provides(ILocalRolesAssignable)

    # Fallback for contexts without a ``local_roles`` attribute. It is
    # never mutated; ``__init__`` rebinds the name on the instance.
    _roles = []

    def __init__(self, context):
        """Collect the registered roles named in ``context.local_roles``."""
        self.context = context
        offered_ids = getattr(context, 'local_roles', self._roles)
        matching = []
        for name, role in get_all_roles():
            if name in offered_ids:
                matching.append((name, role))
        self._roles = matching

    def __call__(self):
        """Return the assignable roles as a list of dictionaries.

        Each dictionary has the keys ``name`` (the id of the role to
        assign), ``title`` and ``description`` (both taken from the
        role). The list is sorted by ``name``.
        """
        entries = []
        for name, role in self._roles:
            entries.append(dict(
                name=name,
                title=role.title,
                description=role.description))
        entries.sort(key=lambda entry: entry['name'])
        return entries
289
def get_all_users():
    """Yield one dictionary per entry of the site's ``users`` container.

    Each dictionary has the keys ``name`` (the container key) and
    ``val`` (the stored object). Entries come sorted by the ``title``
    attribute of the stored objects.
    """
    # NOTE(review): ``val`` is the complete stored object, presumably
    # the user account. Callers decide which of its attributes they
    # expose -- confirm that none of them renders it wholesale.
    accounts = grok.getSite()['users'].items()
    for key, val in sorted(accounts, key=lambda pair: pair[1].title):
        yield dict(name=key, val=val)
296
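def get_users_with_local_roles(context):
    """Yield dicts representing the local roles set for `context`.

    Each dict contains `user_name`, `user_title`, `local_role`,
    `local_role_title`, and `setting` for one entry in the local
    roles map of the `context` object. Nothing is yielded if no
    `IPrincipalRoleMap` can be obtained for `context`.

    `setting` is passed through unchanged from the role map. Every
    entry of the map is reported, so consumers have to look at
    `setting` and must not read the mere presence of an entry as a
    grant.

    If no user is stored under `user_name`, the name itself serves as
    `user_title`. Likewise, if no role is registered under
    `local_role`, the id itself serves as `local_role_title`, so that
    a stale entry stays visible instead of breaking the whole listing.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # No map, no roles. A plain ``return`` ends the generator;
        # ``raise StopIteration`` inside a generator is turned into a
        # RuntimeError on Python versions that implement PEP 479.
        return
    # Build the id -> role lookup once, not once per entry.
    registered_roles = dict(get_all_roles())
    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
        user = grok.getSite()['users'].get(user_name, None)
        user_title = getattr(user, 'title', user_name)
        role = registered_roles.get(local_role)
        local_role_title = getattr(role, 'title', local_role)
        yield dict(user_name=user_name,
                   user_title=user_title,
                   local_role=local_role,
                   local_role_title=local_role_title,
                   setting=setting)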