Changeset 12843 for main

Timestamp:

1 Apr 2015, 10:51:35 (10 years ago)

Author:

Henrik Bettermann

Message:

Documentation work in progress.

Remove redundant waeup.viewStudentsTab permission.

Location:

main/waeup.kofa/trunk

Files:

• docs/source/userdocs/security.rst (modified) (4 diffs)
• src/waeup/kofa/permissions.py (modified) (28 diffs)
• src/waeup/kofa/students/permissions.py (modified) (7 diffs)
• src/waeup/kofa/students/viewlets.py (modified) (1 diff)

main/waeup.kofa/trunk/docs/source/userdocs/security.rst

@@ -13 +13 @@
 ===========
 
-The whole set of permissions and roles are described in the :py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here we describe only a subset of permission classes which are crucial to configure the security settings properly.
+The whole set of permissions and roles are described in the :py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here we describe only a subset of permission classes which are essential for the security settings configuration.
 
 General Permissions
 -------------------
 
-.. autoclass:: waeup.kofa.permissions.Public
+.. autoclass:: waeup.kofa.permissions.Public()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.Anonymous
+.. autoclass:: waeup.kofa.permissions.Anonymous()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.Authenticated
+.. autoclass:: waeup.kofa.permissions.Authenticated()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.ManageUsers
+.. autoclass:: waeup.kofa.permissions.ManageUsers()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.EditUser
+.. autoclass:: waeup.kofa.permissions.EditUser()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.ManagePortal
+.. autoclass:: waeup.kofa.permissions.ManagePortal()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.ViewAcademics
+.. autoclass:: waeup.kofa.permissions.ViewAcademics()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.ManageAcademics
+.. autoclass:: waeup.kofa.permissions.ManageAcademics()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.ManagePortalConfiguration
+.. autoclass:: waeup.kofa.permissions.ManagePortalConfiguration()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.ManageDataCenter
+.. autoclass:: waeup.kofa.permissions.ManageDataCenter()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.ExportData
+.. autoclass:: waeup.kofa.permissions.ExportData()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.ImportData
+.. autoclass:: waeup.kofa.permissions.ImportData()
+   :noindex:
+
+.. autoclass:: waeup.kofa.permissions.TriggerTransition()
+   :noindex:
+
+.. autoclass:: waeup.kofa.permissions.ShowStudents()
+   :noindex:
+
+Application Section Permissions
+-------------------------------
+
+.. autoclass:: waeup.kofa.applicants.permissions.ViewApplication()
+   :noindex:
+
+.. autoclass:: waeup.kofa.applicants.permissions.HandleApplication()
+   :noindex:
+
+.. autoclass:: waeup.kofa.applicants.permissions.ManageApplication()
+   :noindex:
+
+.. autoclass:: waeup.kofa.applicants.permissions.PayApplicant()
+   :noindex:
+
+.. autoclass:: waeup.kofa.applicants.permissions.ViewApplicationStatistics()
    :noindex:
 
@@ -57 +81 @@
 ---------------------------
 
-.. autoclass:: waeup.kofa.permissions.ShowStudents
+.. autoclass:: waeup.kofa.students.permissions.ViewStudent()
    :noindex:
 
+.. autoclass:: waeup.kofa.students.permissions.HandleStudent()
+   :noindex:
+
+.. autoclass:: waeup.kofa.students.permissions.ViewStudentsContainer()
+   :noindex:
+
+.. autoclass:: waeup.kofa.students.permissions.ManageStudent()
+   :noindex:
+
+.. autoclass:: waeup.kofa.students.permissions.PayStudent()
+   :noindex:
+
+.. autoclass:: waeup.kofa.students.permissions.HandleAccommodation()
+   :noindex:
+
+.. autoclass:: waeup.kofa.students.permissions.UploadStudentFile()
+   :noindex:
+
+.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
+   :noindex:
+
+.. autoclass:: waeup.kofa.students.permissions.TriggerTransition()
+   :noindex:
+
+.. autoclass:: waeup.kofa.students.permissions.LoginAsStudent()
+   :noindex:
+
+.. autoclass:: waeup.kofa.students.permissions.EditStudyLevel()
+   :noindex:
+
+.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
+   :noindex:
+
+.. autoclass:: waeup.kofa.students.permissions.ValidateStudent()
+   :noindex:
 
 Global Roles
@@ -70 +129 @@
 The highly specialized roles are:
 
-.. autoclass:: waeup.kofa.permissions.AcademicsOfficer
+.. autoclass:: waeup.kofa.permissions.AcademicsOfficer()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.AcademicsManager
+.. autoclass:: waeup.kofa.permissions.AcademicsManager()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.DataCenterManager
+.. autoclass:: waeup.kofa.permissions.DataCenterManager()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.ImportManager
+.. autoclass:: waeup.kofa.permissions.ImportManager()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.ExportManager
+.. autoclass:: waeup.kofa.permissions.ExportManager()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.ACManager
+.. autoclass:: waeup.kofa.permissions.ACManager()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.UsersManager
+.. autoclass:: waeup.kofa.permissions.UsersManager()
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.WorkflowManager
+.. autoclass:: waeup.kofa.permissions.WorkflowManager()
    :noindex:
 
@@ -99 +158 @@
    :noindex:
 
-.. autoclass:: waeup.kofa.permissions.CCOfficer
+.. autoclass:: waeup.kofa.permissions.CCOfficer()
    :noindex:
 

main/waeup.kofa/trunk/src/waeup/kofa/permissions.py

@@ -29 +29 @@
 
 class Anonymous(grok.Permission):
-    """The waeup.Anonymous permission is applied to
+    """The Anonymous permission is applied to
     views/pages which are dedicated to anonymous users only. Logged-in users
     can't access these views.
@@ -36 +36 @@
 
 class Authenticated(grok.Permission):
-    """The waeup.Authenticated permission is applied to pages
+    """The Authenticated permission is applied to pages
     which can only be used by logged-in users and not by anonymous users.
     """
@@ -42 +42 @@
 
 class ViewAcademics(grok.Permission):
-    """The waeup.viewAcademics permission is applied to all
+    """The ViewAcademics permission is applied to all
     views of the Academic Section. Users with this permission can view but
     not edit content in the Academic Section.
@@ -49 +49 @@
 
 class ManageAcademics(grok.Permission):
-    """The waeup.manageAcademics permission is applied to all edit
+    """The ManageAcademics permission is applied to all edit
     pages in the Academic Section. Users who have this permission
     can change/edit context objects.
@@ -56 +56 @@
 
 class ManagePortal(grok.Permission):
-    """The waeup.managePortal permission is used for very few pages
+    """The ManagePortal permission is used for very few pages
     (e.g. the DatacenterSettings page) and is dedicated to portal managers.
     It is furthermore used to control delete methods of container
-    pages in the Academic Section. The waeup.manageAcademics permission,
+    pages in the Academic Section. The ManageAcademics permission,
     described above, does enable users to edit content but not to
     remove sub-containers, like faculties, departments or certificates.
-    Users must have the waeup.managePorta permission too to remove
+    Users must have the ManagePortal permission too to remove
     entire containers.
     """
@@ -68 +68 @@
 
 class ManageUsers(grok.Permission):
-    """The waeup.manageUsers permission is a real superuser permission
+    """The ManageUsers permission is a real superuser permission
     and therefore very 'dangerous'. It allows to add, remove or edit
     user accounts. Editing a user account includes the option to assign
@@ -78 +78 @@
 
 class ShowStudents(grok.Permission):
-    """Users with this permission can see the 'Students' tab and
-    search and browse all students. If they also have the waeup.exportData
-    permission they can export all student data too.
-
-    Bursary or Department Officers don't have the general waeup.exportData
+    """Users with this permission do not neccessarily see the 'Students' tab
+    but they can search for students at department, certificate or course
+    level. If they additionally have the ExportData permission they can
+    export the data as csv files.
+
+    Bursary or Department Officers don't have the general ExportData
     permission (see Roles section) and are only allowed to export bursary
     or payments overview data respectively.
@@ -89 +90 @@
 
 class ClearAllStudents(grok.Permission):
-    """The waeup.clearAllStudents permission allows to clear all students
+    """The ClearAllStudents permission allows to clear all students
     in a department.
     """
@@ -95 +96 @@
 
 class EditScores(grok.Permission):
-    """The waeup.editScores permission allows to edit scores in course tickets.
+    """The EditScores permission allows to edit scores in course tickets.
     """
     grok.name('waeup.editScores')
 
+class TriggerTransition(grok.Permission):
+    """The TriggerTransition permission allows to trigger workflow transitions
+    of student and document objects.
+    """
+    grok.name('waeup.triggerTransition')
+
 class EditUser(grok.Permission):
-    """The waeup.editUser permission is required for editing
+    """The EditUser permission is required for editing
     single user accounts.
     """
@@ -106 +113 @@
 
 class ManageDataCenter(grok.Permission):
-    """The waeup.manageDataCenter permission allows to access all pages
+    """The ManageDataCenter permission allows to access all pages
     in the data center. It does not automatically allow to process data.
     """
@@ -112 +119 @@
 
 class ImportData(grok.Permission):
-    """The waeup.importData permission allows to import any kind of portal
-    data.
+    """The ImportData permission allows to batch process (import) any kind of 
+    portal data except for user data. This processor requires the ManageUsers
+    permission too.
     """
     grok.name('waeup.importData')
 
 class ExportData(grok.Permission):
-    """The waeup.exportData permission allows to export any kind of portal
+    """The ExportData permission allows to export any kind of portal
     data.
     """
@@ -133 +141 @@
 
 class ManagePortalConfiguration(grok.Permission):
-    """The waeup.managePortalConfiguration permission allows to
+    """The ManagePortalConfiguration permission allows to
     edit global and sessional portal configuration data.
     """
@@ -139 +147 @@
 
 class ManageACBatches(grok.Permission):
-    """The waeup.manageACBatches permission allows to view and
+    """The ManageACBatches permission allows to view and
     manage accesscodes.
     """
@@ -157 +165 @@
 # Local Roles
 class ApplicationsManager(grok.Role):
+    """
+    """
     grok.name('waeup.local.ApplicationsManager')
     grok.title(u'Applications Manager')
@@ -162 +172 @@
 
 class DepartmentManager(grok.Role):
+    """
+    """
     grok.name('waeup.local.DepartmentManager')
     grok.title(u'Department Manager')
@@ -169 +181 @@
 
 class DepartmentOfficer(grok.Role):
+    """
+    """
     grok.name('waeup.local.DepartmentOfficer')
     grok.title(u'Department Officer')
@@ -326 +340 @@
 # Site Roles
 class AcademicsOfficer(grok.Role):
+    """An Academics Officer can  can view but not edit data in the
+    Academics Section. 
+
+    This is the default role which is automatically assigned to all
+    officers of the portal. A user with this role can access all display pages
+    at faculty, department, course, certificate and certificate course level.
+    """
     grok.name('waeup.AcademicsOfficer')
     grok.title(u'Academics Officer (view only)')
@@ -331 +352 @@
 
 class AcademicsManager(grok.Role):
+    """An Academics Manager can view and edit all data in the
+    Academics section. A user with this role can access all manage pages
+    at faculty, department, course, certificate and certificate course level.
+    """
     grok.name('waeup.AcademicsManager')
     grok.title(u'Academics Manager')
@@ -338 +363 @@
 
 class ACManager(grok.Role):
+    """This is the role for Access Code Managers.
+    An ACManager can view and manage the Accesscodes Section.
+    """
     grok.name('waeup.ACManager')
     grok.title(u'Access Code Manager')
@@ -343 +371 @@
 
 class DataCenterManager(grok.Role):
+    """This single-permission role is dedicated to those users
+    who are charged with batch processing of portal data.
+    A DataCenterManager manager can access all pages in the Data Center
+    (see ManageDataCenter permission above).
+    """
     grok.name('waeup.DataCenterManager')
     grok.title(u'Datacenter Manager')
@@ -348 +381 @@
 
 class ImportManager(grok.Role):
+    """An ImportManager is a DataCenterManager who is also allowed
+    to batch process (import) data. All batch processors (importers) are 
+    available except for the User Processor. This processor requires the
+    UsersManager role too. The ImportManager role includes the
+    DataCenterManager role.
+    """
     grok.name('waeup.ImportManager')
     grok.title(u'Import Manager')
@@ -354 +393 @@
 
 class ExportManager(grok.Role):
+    """An ExportManager is a DataCenterManager who is also allowed
+    to export all kind of portal data. The ExportManager role includes the
+    DataCenterManager role.
+    """
     grok.name('waeup.ExportManager')
     grok.title(u'Export Manager')
@@ -360 +403 @@
 
 class BursaryOfficer(grok.Role):
+    """BursaryOfficers can export bursary data. They can't access the
+    Data Center but see export buttons in the Academic Section.
+    """
     grok.name('waeup.BursaryOfficer')
     grok.title(u'Bursary Officer')
@@ -367 +413 @@
 
 class UsersManager(grok.Role):
+    """See ManageUsers permission.
+    """
     grok.name('waeup.UsersManager')
     grok.title(u'Users Manager')
@@ -373 +421 @@
 
 class WorkflowManager(grok.Role):
+    """See TriggerTransition permission.
+    """
     grok.name('waeup.WorkflowManager')
     grok.title(u'Workflow Manager')
@@ -406 +456 @@
                      'waeup.editScores',
                      'waeup.triggerTransition',
-                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
+                     'waeup.viewStudentsContainer',
                      'waeup.handleAccommodation',
                      'waeup.viewHostels', 'waeup.manageHostels',
@@ -416 +466 @@
 
 class CCOfficer(grok.Role):
-    """The Computer Center Officer role is basically a copy
+    """The role of the Computer Center Officer is basically a copy
     of the the PortalManager role. Some 'dangerous' permissions are excluded
     by commenting them out (see source code). If officers need to gain more
     access rights than defined in this role, do not hastily switch to the
-    PortalManager role but add further manager roles instead. These additional
+    PortalManager role but add further manager roles instead. Additional
     roles could be: UsersManager, ACManager, ImportManager, WorkflowManager
     or StudentImpersonator.
+
+    CCOfficer is a base class which means that this role is meant
+    for customization. It is not used in the `waeup.kofa` base package.
     """
     grok.baseclass()
@@ -446 +499 @@
                      'waeup.editScores',
                      #'waeup.triggerTransition',
-                     'waeup.viewStudentsContainer','waeup.viewStudentsTab',
+                     'waeup.viewStudentsContainer',
                      'waeup.handleAccommodation',
                      'waeup.viewHostels', 'waeup.manageHostels',

main/waeup.kofa/trunk/src/waeup/kofa/students/permissions.py

@@ -29 +29 @@
     grok.name('waeup.viewStudent')
 
-class ViewStudentsTab(grok.Permission):
-    grok.name('waeup.viewStudentsTab')
-
 class ViewMyStudentDataTab(grok.Permission):
     grok.name('waeup.viewMyStudentDataTab')
@@ -59 +56 @@
     grok.name('waeup.editStudyLevel')
 
-class TriggerTransition(grok.Permission):
-    grok.name('waeup.triggerTransition')
-
 class LoginAsStudent(grok.Permission):
     grok.name('waeup.loginAsStudent')
@@ -69 +63 @@
     grok.name('waeup.local.StudentRecordOwner')
     grok.title(u'Student Record Owner')
-    grok.permissions('waeup.handleStudent', 'waeup.uploadStudentFile',
-                     'waeup.viewStudent', 'waeup.payStudent',
-                     'waeup.handleAccommodation', 'waeup.editStudyLevel')
+    grok.permissions('waeup.handleStudent',
+                     'waeup.uploadStudentFile',
+                     'waeup.viewStudent',
+                     'waeup.payStudent',
+                     'waeup.handleAccommodation',
+                     'waeup.editStudyLevel')
 
 # Site Roles
@@ -77 +74 @@
     grok.name('waeup.Student')
     grok.title(u'Student (do not assign)')
-    grok.permissions('waeup.viewAcademics', 'waeup.viewMyStudentDataTab',
+    grok.permissions('waeup.viewAcademics',
+                     'waeup.viewMyStudentDataTab',
                      'waeup.Authenticated')
 
@@ -83 +81 @@
     grok.name('waeup.StudentsOfficer')
     grok.title(u'Students Officer (view only)')
-    grok.permissions('waeup.viewStudent','waeup.viewStudents',
-          'waeup.viewStudentsTab', 'waeup.viewStudentsContainer')
+    grok.permissions('waeup.viewStudent',
+                     'waeup.viewStudentsContainer')
 
 class StudentsManager(grok.Role):
     grok.name('waeup.StudentsManager')
     grok.title(u'Students Manager')
-    grok.permissions('waeup.viewStudent', 'waeup.viewStudents',
-                     'waeup.manageStudent', 'waeup.viewStudentsContainer',
-                     'waeup.payStudent', 'waeup.uploadStudentFile',
-                     'waeup.viewStudentsTab', 'waeup.handleAccommodation')
+    grok.permissions('waeup.viewStudent',
+                     'waeup.manageStudent',
+                     'waeup.viewStudentsContainer',
+                     'waeup.payStudent',
+                     'waeup.uploadStudentFile',
+                     'waeup.handleAccommodation')
 
 class TranscriptOfficer(grok.Role):
@@ -100 +100 @@
                      'waeup.viewTranscript',
                      'waeup.viewStudent',
-                     'waeup.viewStudents',
-                     'waeup.viewStudentsTab',
                      'waeup.viewStudentsContainer',
                      )
@@ -108 +106 @@
     grok.name('waeup.StudentsClearanceOfficer')
     grok.title(u'Clearance Officer (all students)')
-    grok.permissions('waeup.clearStudent','waeup.viewStudent')
+    grok.permissions('waeup.clearStudent',
+                     'waeup.viewStudent')
 
 class StudentsCourseAdviser(grok.Role):
     grok.name('waeup.StudentsCourseAdviser')
     grok.title(u'Course Adviser (all students)')
-    grok.permissions('waeup.validateStudent','waeup.viewStudent',
+    grok.permissions('waeup.validateStudent',
+                     'waeup.viewStudent',
                      'waeup.editStudyLevel')
 

main/waeup.kofa/trunk/src/waeup/kofa/students/viewlets.py

@@ -717 +717 @@
     grok.context(IKofaObject)
     grok.order(4)
-    grok.require('waeup.viewStudentsTab')
+    grok.require('waeup.viewStudentsContainer')
     grok.name('studentstab')