source: main/waeup.sirp/trunk/src/waeup/sirp/permissions.py @ 7193

Last change on this file since 7193 was 7193, checked in by Henrik Bettermann, 13 years ago

More copyright adjustments.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 7.4 KB
Line 
1## $Id: permissions.py 7193 2011-11-25 07:21:29Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.sirp.interfaces import ILocalRolesAssignable
23from waeup.sirp.utils.helpers import get_user_account
24
25class Public(grok.Permission):
26    """Everyone-can-do-this-permission.
27
28    This permission is meant to be applied to objects/views/pages
29    etc., that should be usable/readable by everyone.
30
31    We need this to be able to tune default permissions more
32    restrictive and open up some dedicated objects like the front
33    page.
34    """
35    grok.name('waeup.Public')
36
37class Anonymous(grok.Permission):
38    """Only-anonymous-can-do-this-permission.
39    """
40    grok.name('waeup.Anonymous')
41
42class Authenticated(grok.Permission):
43    """Only-logged-in-users-can-do-this-permission.
44    """
45    grok.name('waeup.Authenticated')
46
47class ViewAcademicsPermission(grok.Permission):
48    grok.name('waeup.viewAcademics')
49
50class ManageUniversity(grok.Permission):
51    grok.name('waeup.manageUniversity')
52
53class ManageUsers(grok.Permission):
54    grok.name('waeup.manageUsers')
55
56class EditUser(grok.Permission):
57    grok.name('waeup.editUser')
58
59class ManageDataCenter(grok.Permission):
60    grok.name('waeup.manageDataCenter')
61
62class ManagePortalConfiguration(grok.Permission):
63    grok.name('waeup.managePortalConfiguration')
64
65class ManageACBatches(grok.Permission):
66    grok.name('waeup.manageACBatches')
67
68# Local Roles
69class DepartmentManager(grok.Role):
70    grok.name('waeup.local.DepartmentManager')
71    grok.title(u'Department Manager')
72    grok.permissions('waeup.manageUniversity')
73
74class ClearanceOfficer(grok.Role):
75    """The clearance officer role is meant for the
76    assignment of dynamic roles only.
77    """
78    grok.name('waeup.local.ClearanceOfficer')
79    grok.title(u'Clearance Officer')
80
81class CourseAdviser(grok.Role):
82    """The course adviser role is meant for the
83    assignment of dynamic roles only.
84    """
85    grok.name('waeup.local.CourseAdviser')
86    grok.title(u'Course Adviser')
87
88class Owner(grok.Role):
89    grok.name('waeup.local.Owner')
90    grok.title(u'Owner')
91    grok.permissions('waeup.editUser')
92
93# Site Roles
94class AcademicsOfficer(grok.Role):
95    grok.name('waeup.AcademicsOfficer')
96    grok.title(u'Academics Officer (view only)')
97    grok.permissions('waeup.viewAcademics')
98
99class ACManager(grok.Role):
100    grok.name('waeup.ACManager')
101    grok.title(u'Access Code Manager')
102    grok.permissions('waeup.manageACBatches')
103
104class PortalManager(grok.Role):
105    grok.name('waeup.PortalManager')
106    grok.title(u'Portal Manager')
107    grok.permissions('waeup.manageUniversity', 'waeup.manageUsers',
108                     'waeup.viewAcademics', 'waeup.manageACBatches',
109                     'waeup.manageDataCenter','waeup.managePortalSettings',
110                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
111                     'waeup.manageApplication', 'waeup.handleApplication',
112                     'waeup.viewStudent', 'waeup.manageStudent', 'clearStudent',
113                     'waeup.uploadStudentFile', 'waeup.viewStudents',
114                     'waeup.viewHostels', 'waeup.manageHostels')
115
116def get_all_roles():
117    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
118    """
119    return getUtilitiesFor(IRole)
120
121def get_waeup_roles(also_local=False):
122    """Get all WAeUP roles.
123
124    WAeUP roles are ordinary roles whose id by convention starts with
125    a ``waeup.`` prefix.
126
127    If `also_local` is ``True`` (``False`` by default), also local
128    roles are returned. Local WAeUP roles are such whose id starts
129    with ``waeup.local.`` prefix (this is also a convention).
130
131    Returns a generator of the found roles.
132    """
133    for name, item in get_all_roles():
134        if not name.startswith('waeup.'):
135            # Ignore non-WAeUP roles...
136            continue
137        if not also_local and name.startswith('waeup.local.'):
138            # Ignore local roles...
139            continue
140        yield item
141
142def get_waeup_role_names():
143    """Get the ids of all WAeUP roles.
144
145    See :func:`get_waeup_roles` for what a 'WAeUPRole' is.
146
147    This function returns a sorted list of WAeUP role names.
148    """
149    return sorted([x.id for x in get_waeup_roles()])
150
151class LocalRolesAssignable(grok.Adapter):
152    """Default implementation for `ILocalRolesAssignable`.
153
154    This adapter returns a list for dictionaries for objects for which
155    we want to know the roles assignable to them locally.
156
157    The returned dicts contain a ``name`` and a ``title`` entry which
158    give a role (``name``) and a description, for which kind of users
159    the permission is meant to be used (``title``).
160
161    Having this adapter registered we make sure, that for each normal
162    object we get a valid `ILocalRolesAssignable` adapter.
163
164    Objects that want to offer certain local roles, can do so by
165    setting a (preferably class-) attribute to a list of role ids.
166
167    You can also define different adapters for different contexts to
168    have different role lookup mechanisms become available. But in
169    normal cases it should be sufficient to use this basic adapter.
170    """
171    grok.context(Interface)
172    grok.provides(ILocalRolesAssignable)
173
174    _roles = []
175
176    def __init__(self, context):
177        self.context = context
178        role_ids = getattr(context, 'local_roles', self._roles)
179        self._roles = [(name, role) for name, role in get_all_roles()
180                       if name in role_ids]
181        return
182
183    def __call__(self):
184        """Get a list of dictionaries containing ``names`` (the roles to
185        assign) and ``titles`` (some description of the type of user
186        to assign each role to).
187        """
188        return [
189            dict(
190                name=name,
191                title=role.title,
192                description=role.description)
193            for name, role in self._roles]
194
195def get_users_with_local_roles(context):
196    """Get a list of dicts representing the local roles set for `context`.
197
198    Each dict returns `user_name`, `user_title`, `local_role`,
199    `local_role_title`, and `setting` for each entry in the local
200    roles map of the `context` object.
201    """
202    try:
203        role_map = IPrincipalRoleMap(context)
204    except TypeError:
205        # no map no roles.
206        raise StopIteration
207    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
208        user = grok.getSite()['users'].get(user_name,None)
209        user_title = getattr(user, 'description', user_name)
210        local_role_title = dict(get_all_roles())[local_role].title
211        yield dict(user_name = user_name,
212                   user_title = user_title,
213                   local_role = local_role,
214                   local_role_title = local_role_title,
215                   setting = setting)
Note: See TracBrowser for help on using the repository browser.