source: main/waeup.sirp/trunk/src/waeup/sirp/students/dynamicroles.py @ 7220

Last change on this file since 7220 was 7220, checked in by Henrik Bettermann, 13 years ago

Use rolename_mapping dictionary instead of external_rolenames and additional_rolename.
  • Property svn:keywords set to Id
File size: 5.1 KB
Line 
1## $Id: dynamicroles.py 7220 2011-11-26 22:19:41Z henrik $
2##
3## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4## This program is free software; you can redistribute it and/or modify
5## it under the terms of the GNU General Public License as published by
6## the Free Software Foundation; either version 2 of the License, or
7## (at your option) any later version.
8##
9## This program is distributed in the hope that it will be useful,
10## but WITHOUT ANY WARRANTY; without even the implied warranty of
11## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12## GNU General Public License for more details.
13##
14## You should have received a copy of the GNU General Public License
15## along with this program; if not, write to the Free Software
16## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17##
18"""Security policy components for students.
19
20Students need special security policy treatment, as officers with
21local roles for departments and faculties might have additional
22permissions (local roles on depts/faculties) here.
23"""
24import grok
25from zope.securitypolicy.interfaces import (
26    IPrincipalRoleManager, IPrincipalPermissionManager,)
27from zope.securitypolicy.principalrole import AnnotationPrincipalRoleManager
28from zope.securitypolicy.principalpermission import (
29    AnnotationPrincipalPermissionManager,)
30from zope.securitypolicy.settings import Allow, Deny, Unset
31from waeup.sirp.students.interfaces import IStudent
32
33# All components in here have the same context: Student instances
34grok.context(IStudent)
35
36class StudentPrincipalRoleManager(AnnotationPrincipalRoleManager,
37                                    grok.Adapter):
38    grok.provides(IPrincipalRoleManager)
39
40    #: The attribute name to lookup for additional roles
41    extra_attrib = 'certificate'
42    subcontainer = 'studycourse'
43
44    # Role name mapping:
45    # role name to look for in `extra_attrib` and parents
46    # to
47    # role to add in case this role was found
48    rolename_mapping = {
49        'waeup.local.ClearanceOfficer':'waeup.StudentsClearanceOfficer',
50        'waeup.local.CourseAdviser100':'waeup.StudentsCourseAdviser100',
51        'waeup.local.CourseAdviser200':'waeup.StudentsCourseAdviser200',
52        'waeup.local.CourseAdviser300':'waeup.StudentsCourseAdviser300',
53        'waeup.local.CourseAdviser400':'waeup.StudentsCourseAdviser400',
54        'waeup.local.CourseAdviser500':'waeup.StudentsCourseAdviser500',
55        'waeup.local.CourseAdviser600':'waeup.StudentsCourseAdviser600'
56        }
57
58    def getRolesForPrincipal(self, principal_id):
59        """Get roles for principal with id `principal_id`.
60
61        Different to the default implementation, this method also
62        takes into account local roles set on any department connected
63        to the context student.
64
65        If the given principal has at least one of the
66        `external_rolenames` roles granted for the external object, it
67        additionally gets `additional_rolename` role for the context
68        student.
69
70        For the additional roles the `extra_attrib` and all its parent
71        objects are looked up, because 'role inheritance' does not
72        work on that basic level of permission handling.
73
74        Some advantages of this approach:
75
76        - we don't have to store extra local roles for clearance
77          officers in ZODB for each student
78
79        - when local roles on a department change, we don't have to
80          update thousands of students; the local role is assigned
81          dynamically.
82
83        Disadvantage:
84
85        - More expensive role lookups when a clearance officer wants
86          to see an student form.
87
88        This implementation is designed to be usable also for other
89        contexts than students. You can inherit from it and set
90        different role names to lookup/set easily via the static class
91        attributes.
92        """
93        apr_manager = AnnotationPrincipalRoleManager(self._context)
94        result = apr_manager.getRolesForPrincipal(principal_id)
95        if result != []:
96            # If there are local roles defined here, no additional
97            # lookup is done.
98            return result
99        # The principal has no local roles yet. Let's lookup the
100        # connected course, dept, etc.
101        if self.subcontainer:
102            obj = getattr(
103                self._context[self.subcontainer], self.extra_attrib, None)
104        else:
105            obj = getattr(self._context, self.extra_attrib, None)
106        # lookup local roles for connected course and all parent
107        # objects. This way we fake 'role inheritance'.
108        while obj is not None:
109            extra_roles = IPrincipalRoleManager(obj).getRolesForPrincipal(
110                principal_id)
111            for role_id, setting in extra_roles:
112                if role_id in self.rolename_mapping.keys():
113                    # Found role in external attribute or parent
114                    # thereof. 'Grant' additional role
115                    # permissions (allow, deny or unset) for the
116                    # passed in principal id.
117                    result.append(
118                        (self.rolename_mapping[role_id], setting))
119                    return result
120            obj = getattr(obj, '__parent__', None)
121        return result
Note: See TracBrowser for help on using the repository browser.