source: main/waeup.kofa/trunk/src/waeup/kofa/students/dynamicroles.py @ 10874

Last change on this file since 10874 was 10639, checked in by Henrik Bettermann, 11 years ago

Define new local roles (see uniben ticket 900).

Allow the dynamical assignment of multiple local roles.

  • Property svn:keywords set to Id
File size: 5.3 KB
Line 
1## $Id: dynamicroles.py 10639 2013-09-22 08:54:03Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18"""Security policy components for students.
19
20Students need special security policy treatment, as officers with
21local roles for departments and faculties might have additional
22permissions (local roles on depts/faculties) here.
23"""
24import grok
25from zope.securitypolicy.interfaces import IPrincipalRoleManager
26from zope.securitypolicy.principalpermission import (
27    AnnotationPrincipalPermissionManager,)
28from zope.securitypolicy.principalrole import AnnotationPrincipalRoleManager
29from waeup.kofa.students.interfaces import IStudent
30
31class StudentPrincipalRoleManager(AnnotationPrincipalRoleManager,
32                                    grok.Adapter):
33    grok.provides(IPrincipalRoleManager)
34    grok.context(IStudent)
35
36    #: The attribute name to lookup for additional roles
37    extra_attrib = 'certificate'
38    subcontainer = 'studycourse'
39
40    # Role name mapping:
41    # role name to look for in `extra_attrib` and parents
42    # to
43    # role to add in case this role was found
44    rolename_mapping = {
45        'waeup.local.ClearanceOfficer':'waeup.StudentsClearanceOfficer',
46        'waeup.local.LocalStudentsManager': 'waeup.StudentsManager',
47        'waeup.local.LocalWorkflowManager': 'waeup.WorkflowManager',
48        }
49
50    def getRolesForPrincipal(self, principal_id):
51        """Get roles for principal with id `principal_id`.
52
53        See waeup.kofa.applicants.dynamicroles.ApplicantPrincipalRoleManager
54        for further information.
55        """
56        apr_manager = AnnotationPrincipalRoleManager(self._context)
57        result = apr_manager.getRolesForPrincipal(principal_id)
58        if result != []:
59            # If there are local roles defined here, no additional
60            # lookup is done.
61            return result
62        # The principal has no local roles yet. Let's lookup the
63        # connected course, dept, etc.
64        if self.subcontainer:
65            obj = getattr(
66                self._context[self.subcontainer], self.extra_attrib, None)
67            current_level = getattr(
68                self._context[self.subcontainer], 'current_level', 0)
69        else:
70            obj = getattr(self._context, self.extra_attrib, None)
71            current_level = 0
72        # Lookup local roles for connected certificate and all parent
73        # objects. This way we fake 'role inheritance'.
74        while obj is not None:
75            extra_roles = IPrincipalRoleManager(obj).getRolesForPrincipal(
76                principal_id)
77            for role_id, setting in extra_roles:
78                if 'CourseAdviser' in role_id:
79                    # Found a Course Adviser role in external attribute or parent
80                    # thereof. We need a special treatment for Course Advisers.
81                    if str(100*(current_level/100)) in role_id:
82                        # Grant additional role, which allows to validate or reject
83                        # course lists, only if external role corresponds
84                        # with current_level of student.
85                        result.append(
86                            ('waeup.StudentsCourseAdviser', setting))
87                    else:
88                        # Otherwise grant at least view permissions.
89                        result.append(
90                            ('waeup.StudentsOfficer', setting))
91                elif 'UGClearanceOfficer' in role_id:
92                    if not self._context.is_postgrad:
93                        result.append(
94                            ('waeup.StudentsClearanceOfficer', setting))
95                    else:
96                        # Otherwise grant at least view permissions.
97                        result.append(
98                            ('waeup.StudentsOfficer', setting))
99                elif 'PGClearanceOfficer' in role_id:
100                    if self._context.is_postgrad:
101                        result.append(
102                            ('waeup.StudentsClearanceOfficer', setting))
103                    else:
104                        # Otherwise grant at least view permissions.
105                        result.append(
106                            ('waeup.StudentsOfficer', setting))
107                elif role_id in self.rolename_mapping.keys():
108                    # Grant additional role
109                    # permissions (allow, deny or unset)
110                    # according to the rolename mapping above.
111                    result.append(
112                        (self.rolename_mapping[role_id], setting))
113                    # Local roles have been found, no need to climb up further.
114                    obj = None
115            obj = getattr(obj, '__parent__', None)
116        return result
Note: See TracBrowser for help on using the repository browser.