source: main/waeup.sirp/trunk/src/waeup/sirp/applicants/securitypolicy.py @ 7124

##
## securitypolicy.py
## Login : <uli@pu.smp.net>
## Started on  Mon Nov 14 09:37:10 2011 Uli Fouquet
## $Id$
## 
## Copyright (C) 2011 Uli Fouquet
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
## 
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
## 
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
##
"""Security policy components for applicants.

Applicants need special security policy treatment, as officers with
local roles for departments and faculties might have additional
permissions (local roles on depts/faculties) here.
"""
import grok
from zope.securitypolicy.interfaces import (
    IPrincipalRoleManager, IPrincipalPermissionManager,)
from zope.securitypolicy.principalrole import AnnotationPrincipalRoleManager
from zope.securitypolicy.principalpermission import (
    AnnotationPrincipalPermissionManager,)
from zope.securitypolicy.securitymap import AnnotationSecurityMap
from zope.securitypolicy.settings import Allow, Deny, Unset
from waeup.sirp.applicants.interfaces import IApplicant

# All components in here have the same context: Applicant instances
grok.context(IApplicant)

class ApplicantSecurityMap(AnnotationSecurityMap):
    pass

class ApplicantPrincipalRoleManager(AnnotationPrincipalRoleManager,
                                    grok.Adapter):
    grok.provides(IPrincipalRoleManager)

    def getRolesForPrincipal(self, principal_id):
        """Get roles for principal with id `principal_id`.

        Different to the default implementation, this method also
        takes into account local roles set on any department connected
        to the context applicant.

        If the given principal has 'waeup.local.ClearanceOfficer'
        permissions set on the connected department, it additionally
        gets 'waeup.ApplicationsOfficer' role for the context
        applicant.

        Some advantages of this approach:

        - we don't have to store extra local roles for clearance
          officers in ZODB for each applicant

        - when local roles on a department change, we don't have to
          update thousands of applicants; the local role is assigned
          dynamically.

        Disadvantage:

        - More expensive role lookups when a clearance officer wants
          to see an applicant form.
        """
        result = super(ApplicantPrincipalRoleManager, self
                     ).getRolesForPrincipal(principal_id)
        if result != []:
            # If there are local roles defined here, no additional
            # lookup is done.
            return result
        # The principal has no local roles yet. Let's lookup the
        # connected dept.
        course = getattr(self._context, 'course1', None)
        dept = getattr(
            getattr(course, '__parent__', None),
            '__parent__', None)
        if dept is None:
            # No deptartment, no extra roles.
            return result
        dept_roles = IPrincipalRoleManager(dept).getRolesForPrincipal(
            principal_id)
        # 'Grant' 'waeup.ApplicationsOfficer' permissions (allow, deny
        # or unset) for the passed in principal id if it has clearance
        # officer role on the connected department.
        for role_id, setting in dept_roles:
            if role_id == 'waeup.local.ClearanceOfficer':
                result.append(
                    ('waeup.ApplicationsOfficer', setting))
        return result