source: main/waeup.sirp/trunk/src/waeup/sirp/permissions.py @ 9003

Last change on this file since 9003 was 7335, checked in by Henrik Bettermann, 13 years ago

Make local roles assignable in certificate containers.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 9.3 KB
RevLine 
[7193]1## $Id: permissions.py 7335 2011-12-13 07:30:25Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
[3521]18import grok
[6157]19from zope.component import getUtilitiesFor
[6144]20from zope.interface import Interface
[6163]21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
[6144]22from waeup.sirp.interfaces import ILocalRolesAssignable
[3521]23
[4789]24class Public(grok.Permission):
25    """Everyone-can-do-this-permission.
26
27    This permission is meant to be applied to objects/views/pages
28    etc., that should be usable/readable by everyone.
29
30    We need this to be able to tune default permissions more
31    restrictive and open up some dedicated objects like the front
32    page.
33    """
34    grok.name('waeup.Public')
[6142]35
[5433]36class Anonymous(grok.Permission):
37    """Only-anonymous-can-do-this-permission.
38    """
[6142]39    grok.name('waeup.Anonymous')
[4789]40
[7184]41class Authenticated(grok.Permission):
42    """Only-logged-in-users-can-do-this-permission.
43    """
44    grok.name('waeup.Authenticated')
[4789]45
[7184]46class ViewAcademicsPermission(grok.Permission):
47    grok.name('waeup.viewAcademics')
48
[4789]49class ManageUniversity(grok.Permission):
50    grok.name('waeup.manageUniversity')
51
52class ManageUsers(grok.Permission):
53    grok.name('waeup.manageUsers')
[6142]54
[7205]55class ShowStudents(grok.Permission):
56    grok.name('waeup.showStudents')
57
[7163]58class EditUser(grok.Permission):
59    grok.name('waeup.editUser')
60
[6127]61class ManageDataCenter(grok.Permission):
62    grok.name('waeup.manageDataCenter')
[6142]63
[6907]64class ManagePortalConfiguration(grok.Permission):
65    grok.name('waeup.managePortalConfiguration')
[6155]66
[7181]67class ManageACBatches(grok.Permission):
68    grok.name('waeup.manageACBatches')
69
[6125]70# Local Roles
[7185]71class DepartmentManager(grok.Role):
72    grok.name('waeup.local.DepartmentManager')
73    grok.title(u'Department Manager')
[7205]74    grok.permissions('waeup.manageUniversity','waeup.showStudents')
[6142]75
[6655]76class ClearanceOfficer(grok.Role):
[7168]77    """The clearance officer role is meant for the
78    assignment of dynamic roles only.
79    """
[6655]80    grok.name('waeup.local.ClearanceOfficer')
81    grok.title(u'Clearance Officer')
[7217]82    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
[6655]83
[7334]84class CourseAdviser100(grok.Role):
[7335]85    """The 100 level course adviser role is meant for the
[7168]86    assignment of dynamic roles only.
87    """
[7334]88    grok.name('waeup.local.CourseAdviser100')
89    grok.title(u'Course Adviser 100L')
90    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
[6655]91
[7334]92class CourseAdviser200(grok.Role):
[7335]93    """The course 200 level adviser role is meant for the
[7334]94    assignment of dynamic roles only.
95    """
96    grok.name('waeup.local.CourseAdviser200')
97    grok.title(u'Course Adviser 200L')
98    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
99
100class CourseAdviser300(grok.Role):
[7335]101    """The 300 level course adviser role is meant for the
[7334]102    assignment of dynamic roles only.
103    """
104    grok.name('waeup.local.CourseAdviser300')
105    grok.title(u'Course Adviser 300L')
106    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
107
108class CourseAdviser400(grok.Role):
[7335]109    """The 400 level course adviser role is meant for the
[7334]110    assignment of dynamic roles only.
111    """
112    grok.name('waeup.local.CourseAdviser400')
113    grok.title(u'Course Adviser 400L')
114    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
115
116class CourseAdviser500(grok.Role):
[7335]117    """The 500 level course adviser role is meant for the
[7334]118    assignment of dynamic roles only.
119    """
120    grok.name('waeup.local.CourseAdviser500')
121    grok.title(u'Course Adviser 500L')
122    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
123
124class CourseAdviser600(grok.Role):
[7335]125    """The 600 level course adviser role is meant for the
[7334]126    assignment of dynamic roles only.
127    """
128    grok.name('waeup.local.CourseAdviser600')
129    grok.title(u'Course Adviser 600L')
130    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
131
[7163]132class Owner(grok.Role):
133    grok.name('waeup.local.Owner')
134    grok.title(u'Owner')
135    grok.permissions('waeup.editUser')
136
[7178]137# Site Roles
[7185]138class AcademicsOfficer(grok.Role):
139    grok.name('waeup.AcademicsOfficer')
[7188]140    grok.title(u'Academics Officer (view only)')
[7184]141    grok.permissions('waeup.viewAcademics')
[3521]142
[7181]143class ACManager(grok.Role):
144    grok.name('waeup.ACManager')
145    grok.title(u'Access Code Manager')
146    grok.permissions('waeup.manageACBatches')
147
[4789]148class PortalManager(grok.Role):
149    grok.name('waeup.PortalManager')
[6159]150    grok.title(u'Portal Manager')
[4789]151    grok.permissions('waeup.manageUniversity', 'waeup.manageUsers',
[7184]152                     'waeup.viewAcademics', 'waeup.manageACBatches',
[6198]153                     'waeup.manageDataCenter','waeup.managePortalSettings',
[7184]154                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
155                     'waeup.manageApplication', 'waeup.handleApplication',
[7250]156                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
157                     'waeup.viewStudent', 'waeup.manageStudent',
158                     'waeup.clearStudent', 'waeup.payStudent',
159                     'waeup.uploadStudentFile', 'waeup.showStudents',
160                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
[7205]161                     'waeup.viewHostels', 'waeup.manageHostels',
[7240]162                     )
[4789]163
[7186]164def get_all_roles():
[6157]165    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
166    """
167    return getUtilitiesFor(IRole)
168
[7186]169def get_waeup_roles(also_local=False):
[7321]170    """Get all SIRP roles.
[6157]171
[7321]172    SIRP roles are ordinary roles whose id by convention starts with
[6157]173    a ``waeup.`` prefix.
174
175    If `also_local` is ``True`` (``False`` by default), also local
[7321]176    roles are returned. Local SIRP roles are such whose id starts
[6157]177    with ``waeup.local.`` prefix (this is also a convention).
178
179    Returns a generator of the found roles.
180    """
[7186]181    for name, item in get_all_roles():
[6157]182        if not name.startswith('waeup.'):
[7321]183            # Ignore non-SIRP roles...
[4789]184            continue
[6157]185        if not also_local and name.startswith('waeup.local.'):
186            # Ignore local roles...
[6045]187            continue
[6157]188        yield item
[4789]189
[7186]190def get_waeup_role_names():
[7321]191    """Get the ids of all SIRP roles.
[6157]192
[7321]193    See :func:`get_waeup_roles` for what a 'SIRPRole' is.
[6157]194
[7321]195    This function returns a sorted list of SIRP role names.
[6157]196    """
[7186]197    return sorted([x.id for x in get_waeup_roles()])
[6157]198
[6144]199class LocalRolesAssignable(grok.Adapter):
200    """Default implementation for `ILocalRolesAssignable`.
201
202    This adapter returns a list for dictionaries for objects for which
203    we want to know the roles assignable to them locally.
204
205    The returned dicts contain a ``name`` and a ``title`` entry which
206    give a role (``name``) and a description, for which kind of users
207    the permission is meant to be used (``title``).
208
209    Having this adapter registered we make sure, that for each normal
210    object we get a valid `ILocalRolesAssignable` adapter.
211
212    Objects that want to offer certain local roles, can do so by
[6162]213    setting a (preferably class-) attribute to a list of role ids.
[6144]214
215    You can also define different adapters for different contexts to
216    have different role lookup mechanisms become available. But in
217    normal cases it should be sufficient to use this basic adapter.
218    """
219    grok.context(Interface)
220    grok.provides(ILocalRolesAssignable)
221
222    _roles = []
223
224    def __init__(self, context):
225        self.context = context
[6162]226        role_ids = getattr(context, 'local_roles', self._roles)
[7186]227        self._roles = [(name, role) for name, role in get_all_roles()
[6162]228                       if name in role_ids]
[6144]229        return
230
231    def __call__(self):
232        """Get a list of dictionaries containing ``names`` (the roles to
233        assign) and ``titles`` (some description of the type of user
234        to assign each role to).
235        """
[7334]236        list_of_dict = [dict(
[6162]237                name=name,
238                title=role.title,
[6163]239                description=role.description)
[7334]240                for name, role in self._roles]
241        return sorted(list_of_dict, key=lambda x: x['name'])
[6144]242
[6163]243def get_users_with_local_roles(context):
244    """Get a list of dicts representing the local roles set for `context`.
245
246    Each dict returns `user_name`, `user_title`, `local_role`,
247    `local_role_title`, and `setting` for each entry in the local
248    roles map of the `context` object.
249    """
[6202]250    try:
251        role_map = IPrincipalRoleMap(context)
252    except TypeError:
253        # no map no roles.
254        raise StopIteration
[6163]255    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
256        user = grok.getSite()['users'].get(user_name,None)
[7213]257        user_title = getattr(user, 'title', user_name)
[7186]258        local_role_title = dict(get_all_roles())[local_role].title
[6163]259        yield dict(user_name = user_name,
260                   user_title = user_title,
261                   local_role = local_role,
262                   local_role_title = local_role_title,
263                   setting = setting)
Note: See TracBrowser for help on using the repository browser.