source: main/waeup.sirp/trunk/src/waeup/sirp/permissions.py @ 7318

## $Id: permissions.py 7250 2011-12-02 12:46:36Z henrik $
##
## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
##
import grok
from zope.component import getUtilitiesFor
from zope.interface import Interface
from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
from waeup.sirp.interfaces import ILocalRolesAssignable

class Public(grok.Permission):
    """Everyone-can-do-this-permission.

    This permission is meant to be applied to objects/views/pages
    etc., that should be usable/readable by everyone.

    We need this to be able to tune default permissions more
    restrictive and open up some dedicated objects like the front
    page.
    """
    grok.name('waeup.Public')

class Anonymous(grok.Permission):
    """Only-anonymous-can-do-this-permission.
    """
    grok.name('waeup.Anonymous')

class Authenticated(grok.Permission):
    """Only-logged-in-users-can-do-this-permission.
    """
    grok.name('waeup.Authenticated')

class ViewAcademicsPermission(grok.Permission):
    grok.name('waeup.viewAcademics')

class ManageUniversity(grok.Permission):
    grok.name('waeup.manageUniversity')

class ManageUsers(grok.Permission):
    grok.name('waeup.manageUsers')

class ShowStudents(grok.Permission):
    grok.name('waeup.showStudents')

class EditUser(grok.Permission):
    grok.name('waeup.editUser')

class ManageDataCenter(grok.Permission):
    grok.name('waeup.manageDataCenter')

class ManagePortalConfiguration(grok.Permission):
    grok.name('waeup.managePortalConfiguration')

class ManageACBatches(grok.Permission):
    grok.name('waeup.manageACBatches')

# Local Roles
class DepartmentManager(grok.Role):
    grok.name('waeup.local.DepartmentManager')
    grok.title(u'Department Manager')
    grok.permissions('waeup.manageUniversity','waeup.showStudents')

class ClearanceOfficer(grok.Role):
    """The clearance officer role is meant for the
    assignment of dynamic roles only.
    """
    grok.name('waeup.local.ClearanceOfficer')
    grok.title(u'Clearance Officer')
    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')

class CourseAdviser(grok.Role):
    """The course adviser role is meant for the
    assignment of dynamic roles only.
    """
    grok.name('waeup.local.CourseAdviser')
    grok.title(u'Course Adviser')
    grok.permissions('waeup.showStudents')

class Owner(grok.Role):
    grok.name('waeup.local.Owner')
    grok.title(u'Owner')
    grok.permissions('waeup.editUser')

# Site Roles
class AcademicsOfficer(grok.Role):
    grok.name('waeup.AcademicsOfficer')
    grok.title(u'Academics Officer (view only)')
    grok.permissions('waeup.viewAcademics')

class ACManager(grok.Role):
    grok.name('waeup.ACManager')
    grok.title(u'Access Code Manager')
    grok.permissions('waeup.manageACBatches')

class PortalManager(grok.Role):
    grok.name('waeup.PortalManager')
    grok.title(u'Portal Manager')
    grok.permissions('waeup.manageUniversity', 'waeup.manageUsers',
                     'waeup.viewAcademics', 'waeup.manageACBatches',
                     'waeup.manageDataCenter','waeup.managePortalSettings',
                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
                     'waeup.manageApplication', 'waeup.handleApplication',
                     'waeup.viewApplicantsTab', 'waeup.payApplicant',
                     'waeup.viewStudent', 'waeup.manageStudent',
                     'waeup.clearStudent', 'waeup.payStudent',
                     'waeup.uploadStudentFile', 'waeup.showStudents',
                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
                     'waeup.viewHostels', 'waeup.manageHostels',
                     )

def get_all_roles():
    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
    """
    return getUtilitiesFor(IRole)

def get_waeup_roles(also_local=False):
    """Get all WAeUP roles.

    WAeUP roles are ordinary roles whose id by convention starts with
    a ``waeup.`` prefix.

    If `also_local` is ``True`` (``False`` by default), also local
    roles are returned. Local WAeUP roles are such whose id starts
    with ``waeup.local.`` prefix (this is also a convention).

    Returns a generator of the found roles.
    """
    for name, item in get_all_roles():
        if not name.startswith('waeup.'):
            # Ignore non-WAeUP roles...
            continue
        if not also_local and name.startswith('waeup.local.'):
            # Ignore local roles...
            continue
        yield item

def get_waeup_role_names():
    """Get the ids of all WAeUP roles.

    See :func:`get_waeup_roles` for what a 'WAeUPRole' is.

    This function returns a sorted list of WAeUP role names.
    """
    return sorted([x.id for x in get_waeup_roles()])

class LocalRolesAssignable(grok.Adapter):
    """Default implementation for `ILocalRolesAssignable`.

    This adapter returns a list for dictionaries for objects for which
    we want to know the roles assignable to them locally.

    The returned dicts contain a ``name`` and a ``title`` entry which
    give a role (``name``) and a description, for which kind of users
    the permission is meant to be used (``title``).

    Having this adapter registered we make sure, that for each normal
    object we get a valid `ILocalRolesAssignable` adapter.

    Objects that want to offer certain local roles, can do so by
    setting a (preferably class-) attribute to a list of role ids.

    You can also define different adapters for different contexts to
    have different role lookup mechanisms become available. But in
    normal cases it should be sufficient to use this basic adapter.
    """
    grok.context(Interface)
    grok.provides(ILocalRolesAssignable)

    _roles = []

    def __init__(self, context):
        self.context = context
        role_ids = getattr(context, 'local_roles', self._roles)
        self._roles = [(name, role) for name, role in get_all_roles()
                       if name in role_ids]
        return

    def __call__(self):
        """Get a list of dictionaries containing ``names`` (the roles to
        assign) and ``titles`` (some description of the type of user
        to assign each role to).
        """
        return [
            dict(
                name=name,
                title=role.title,
                description=role.description)
            for name, role in self._roles]

def get_users_with_local_roles(context):
    """Get a list of dicts representing the local roles set for `context`.

    Each dict returns `user_name`, `user_title`, `local_role`,
    `local_role_title`, and `setting` for each entry in the local
    roles map of the `context` object.
    """
    try:
        role_map = IPrincipalRoleMap(context)
    except TypeError:
        # no map no roles.
        raise StopIteration
    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
        user = grok.getSite()['users'].get(user_name,None)
        user_title = getattr(user, 'title', user_name)
        local_role_title = dict(get_all_roles())[local_role].title
        yield dict(user_name = user_name,
                   user_title = user_title,
                   local_role = local_role,
                   local_role_title = local_role_title,
                   setting = setting)