source: main/waeup.sirp/trunk/src/waeup/sirp/permissions.py @ 7220

Last change on this file since 7220 was 7217, checked in by Henrik Bettermann, 13 years ago

Add permission waeup.viewAcademics to local ClearanceOfficer? role so that clearance officers can browse their own department, even if the AcademicsOfficer? site role has been removed. This is necessary, otherwise clearance officers can't find the list of their students.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 7.7 KB
Line 
1## $Id: permissions.py 7217 2011-11-26 21:37:34Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18import grok
19from zope.component import getUtilitiesFor
20from zope.interface import Interface
21from zope.securitypolicy.interfaces import IRole, IPrincipalRoleMap
22from waeup.sirp.interfaces import ILocalRolesAssignable
23from waeup.sirp.utils.helpers import get_user_account
24
25class Public(grok.Permission):
26    """Everyone-can-do-this-permission.
27
28    This permission is meant to be applied to objects/views/pages
29    etc., that should be usable/readable by everyone.
30
31    We need this to be able to tune default permissions more
32    restrictive and open up some dedicated objects like the front
33    page.
34    """
35    grok.name('waeup.Public')
36
37class Anonymous(grok.Permission):
38    """Only-anonymous-can-do-this-permission.
39    """
40    grok.name('waeup.Anonymous')
41
42class Authenticated(grok.Permission):
43    """Only-logged-in-users-can-do-this-permission.
44    """
45    grok.name('waeup.Authenticated')
46
47class ViewAcademicsPermission(grok.Permission):
48    grok.name('waeup.viewAcademics')
49
50class ManageUniversity(grok.Permission):
51    grok.name('waeup.manageUniversity')
52
53class ManageUsers(grok.Permission):
54    grok.name('waeup.manageUsers')
55
56class ShowStudents(grok.Permission):
57    grok.name('waeup.showStudents')
58
59class EditUser(grok.Permission):
60    grok.name('waeup.editUser')
61
62class ManageDataCenter(grok.Permission):
63    grok.name('waeup.manageDataCenter')
64
65class ManagePortalConfiguration(grok.Permission):
66    grok.name('waeup.managePortalConfiguration')
67
68class ManageACBatches(grok.Permission):
69    grok.name('waeup.manageACBatches')
70
71# Local Roles
72class DepartmentManager(grok.Role):
73    grok.name('waeup.local.DepartmentManager')
74    grok.title(u'Department Manager')
75    grok.permissions('waeup.manageUniversity','waeup.showStudents')
76
77class ClearanceOfficer(grok.Role):
78    """The clearance officer role is meant for the
79    assignment of dynamic roles only.
80    """
81    grok.name('waeup.local.ClearanceOfficer')
82    grok.title(u'Clearance Officer')
83    grok.permissions('waeup.showStudents', 'waeup.viewAcademics')
84
85class CourseAdviser(grok.Role):
86    """The course adviser role is meant for the
87    assignment of dynamic roles only.
88    """
89    grok.name('waeup.local.CourseAdviser')
90    grok.title(u'Course Adviser')
91    grok.permissions('waeup.showStudents')
92
93class Owner(grok.Role):
94    grok.name('waeup.local.Owner')
95    grok.title(u'Owner')
96    grok.permissions('waeup.editUser')
97
98# Site Roles
99class AcademicsOfficer(grok.Role):
100    grok.name('waeup.AcademicsOfficer')
101    grok.title(u'Academics Officer (view only)')
102    grok.permissions('waeup.viewAcademics')
103
104class ACManager(grok.Role):
105    grok.name('waeup.ACManager')
106    grok.title(u'Access Code Manager')
107    grok.permissions('waeup.manageACBatches')
108
109class PortalManager(grok.Role):
110    grok.name('waeup.PortalManager')
111    grok.title(u'Portal Manager')
112    grok.permissions('waeup.manageUniversity', 'waeup.manageUsers',
113                     'waeup.viewAcademics', 'waeup.manageACBatches',
114                     'waeup.manageDataCenter','waeup.managePortalSettings',
115                     'waeup.managePortalConfiguration', 'waeup.viewApplication',
116                     'waeup.manageApplication', 'waeup.handleApplication',
117                     'waeup.viewStudent', 'waeup.manageStudent', 'clearStudent',
118                     'waeup.uploadStudentFile', 'waeup.viewStudents',
119                     'waeup.viewHostels', 'waeup.manageHostels',
120                     'waeup.showStudents')
121
122def get_all_roles():
123    """Return a list of tuples ``<ROLE-NAME>, <ROLE>``.
124    """
125    return getUtilitiesFor(IRole)
126
127def get_waeup_roles(also_local=False):
128    """Get all WAeUP roles.
129
130    WAeUP roles are ordinary roles whose id by convention starts with
131    a ``waeup.`` prefix.
132
133    If `also_local` is ``True`` (``False`` by default), also local
134    roles are returned. Local WAeUP roles are such whose id starts
135    with ``waeup.local.`` prefix (this is also a convention).
136
137    Returns a generator of the found roles.
138    """
139    for name, item in get_all_roles():
140        if not name.startswith('waeup.'):
141            # Ignore non-WAeUP roles...
142            continue
143        if not also_local and name.startswith('waeup.local.'):
144            # Ignore local roles...
145            continue
146        yield item
147
148def get_waeup_role_names():
149    """Get the ids of all WAeUP roles.
150
151    See :func:`get_waeup_roles` for what a 'WAeUPRole' is.
152
153    This function returns a sorted list of WAeUP role names.
154    """
155    return sorted([x.id for x in get_waeup_roles()])
156
157class LocalRolesAssignable(grok.Adapter):
158    """Default implementation for `ILocalRolesAssignable`.
159
160    This adapter returns a list for dictionaries for objects for which
161    we want to know the roles assignable to them locally.
162
163    The returned dicts contain a ``name`` and a ``title`` entry which
164    give a role (``name``) and a description, for which kind of users
165    the permission is meant to be used (``title``).
166
167    Having this adapter registered we make sure, that for each normal
168    object we get a valid `ILocalRolesAssignable` adapter.
169
170    Objects that want to offer certain local roles, can do so by
171    setting a (preferably class-) attribute to a list of role ids.
172
173    You can also define different adapters for different contexts to
174    have different role lookup mechanisms become available. But in
175    normal cases it should be sufficient to use this basic adapter.
176    """
177    grok.context(Interface)
178    grok.provides(ILocalRolesAssignable)
179
180    _roles = []
181
182    def __init__(self, context):
183        self.context = context
184        role_ids = getattr(context, 'local_roles', self._roles)
185        self._roles = [(name, role) for name, role in get_all_roles()
186                       if name in role_ids]
187        return
188
189    def __call__(self):
190        """Get a list of dictionaries containing ``names`` (the roles to
191        assign) and ``titles`` (some description of the type of user
192        to assign each role to).
193        """
194        return [
195            dict(
196                name=name,
197                title=role.title,
198                description=role.description)
199            for name, role in self._roles]
200
201def get_users_with_local_roles(context):
202    """Get a list of dicts representing the local roles set for `context`.
203
204    Each dict returns `user_name`, `user_title`, `local_role`,
205    `local_role_title`, and `setting` for each entry in the local
206    roles map of the `context` object.
207    """
208    try:
209        role_map = IPrincipalRoleMap(context)
210    except TypeError:
211        # no map no roles.
212        raise StopIteration
213    for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
214        user = grok.getSite()['users'].get(user_name,None)
215        user_title = getattr(user, 'title', user_name)
216        local_role_title = dict(get_all_roles())[local_role].title
217        yield dict(user_name = user_name,
218                   user_title = user_title,
219                   local_role = local_role,
220                   local_role_title = local_role_title,
221                   setting = setting)
Note: See TracBrowser for help on using the repository browser.