Changeset 12847
- Timestamp:
- 3 Apr 2015, 17:45:48 (10 years ago)
- Location:
- main/waeup.kofa/trunk
- Files:
-
- 5 edited
Legend:
- Unmodified
- Added
- Removed
-
main/waeup.kofa/trunk/docs/source/userdocs/security.rst
r12844 r12847 13 13 =========== 14 14 15 The whole set of permission s and roles are described in the :py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here we describe only a subset of permission classes which are essential for the security settings configuration.15 The whole set of permission and role classes are described in the :py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here we describe only a subset of permission classes which are essential for the security settings configuration. 16 16 17 17 General Permissions … … 130 130 Many global roles do only bundle one or two permissions. The objective behind is to share responsibilities and distribute tasks. 131 131 132 Global roles are being assigned via the user manage form page. 133 132 134 Global General Roles 133 135 -------------------- … … 171 173 -------------------------------- 172 174 175 Global Application Section Roles are assigned portal-wide (globally) but do actually only allocate permissions in the Application Section. 176 173 177 .. autoclass:: waeup.kofa.applicants.permissions.ApplicantRole() 174 178 :noindex: … … 183 187 ---------------------------- 184 188 189 Global Student Section Roles are assigned portal-wide (globally) but do actually only allocate permissions in the Student Section. 190 185 191 .. autoclass:: waeup.kofa.students.permissions.StudentRole() 186 192 :noindex: … … 201 207 :noindex: 202 208 203 Local Roles 204 =========== 205 206 Dynamic Roles 207 ============= 209 Local Roles and Dynamic Role Assignment 210 ======================================= 211 212 In contrast to global roles, which are assigned portal-wide, local role permissions are gained for a specific context. 213 214 Some local roles serve a second purpose. At first glance it appears strange that some of these 'odd' roles do not give more permissions than the user already has due to other roles. Their real purpose is to delegate permissions to the students or application section. If a user has for example the LocalStudentsManager role described below at department level, s/he automatically gets the StudentsManager role for those students studying in this department. We call this a **dynamic role**. In contrast to static global or local roles, dynamic roles are not stored in the database, they are dynamically assigned. 215 216 Local roles are assigned either automatically by the system during user object setup or manually through the web interface. The automatically assigned local roles are: 217 218 .. autoclass:: waeup.kofa.permissions.Owner() 219 :noindex: 220 221 .. autoclass:: waeup.kofa.applicants.permissions.ApplicationOwner() 222 :noindex: 223 224 .. autoclass:: waeup.kofa.students.permissions.StudentRecordOwner() 225 :noindex: 226 227 All other local roles must be assigned manually via context manage form pages. 228 229 .. autoclass:: waeup.kofa.permissions.ApplicationManager() 230 :noindex: 231 232 .. autoclass:: waeup.kofa.permissions.DepartmentOfficer() 233 :noindex: 234 235 .. autoclass:: waeup.kofa.permissions.DepartmentManager() 236 :noindex: 237 238 .. autoclass:: waeup.kofa.permissions.Lecturer() 239 :noindex: 240 241 The following local roles do also delegate permissions to the student section. In other words, dynamic roles are assigned. 242 243 .. autoclass:: waeup.kofa.permissions.ClearanceOfficer() 244 :noindex: 245 246 .. autoclass:: waeup.kofa.permissions.LocalStudentsManager() 247 :noindex: 248 249 .. autoclass:: waeup.kofa.permissions.LocalWorkflowManager() 250 :noindex: 251 252 .. autoclass:: waeup.kofa.permissions.UGClearanceOfficer() 253 :noindex: 254 255 .. autoclass:: waeup.kofa.permissions.PGClearanceOfficer() 256 :noindex: 257 258 .. autoclass:: waeup.kofa.permissions.CourseAdviser100() 259 :noindex: -
main/waeup.kofa/trunk/src/waeup/kofa/applicants/permissions.py
r10226 r12847 24 24 25 25 class HandleApplication(grok.Permission): 26 """The HandleApplication permission is reserved for applicants. 27 Applicants 'handle' their data. Officers 'manage' the data. 28 """ 26 29 grok.name('waeup.handleApplication') 27 30 28 31 class ViewApplication(grok.Permission): 32 """The ViewApplication permission allows to view application records. 33 """ 29 34 grok.name('waeup.viewApplication') 30 35 … … 36 41 37 42 class ManageApplication(grok.Permission): 43 """The ManageApplication permission allows to edit the data. This 44 permission is reserved for officers and portal managers. 45 """ 38 46 grok.name('waeup.manageApplication') 39 47 40 48 class ViewApplicationStatistics(grok.Permission): 49 """The ViewApplicationStatistics permission allows to perform statistical 50 evaluations. Only portal managers have this permission. 51 """ 41 52 grok.name('waeup.viewApplicationStatistics') 42 53 43 54 class PayApplicant(grok.Permission): 55 """The PayApplicant permission allows to add an online payment ticket. 56 """ 44 57 grok.name('waeup.payApplicant') 45 58 46 59 # Local role 60 47 61 class ApplicationOwner(grok.Role): 62 """An applicant 'owns' her/his application record and 63 gains permissions to handle the record, upload a passport picture or 64 add payment tickets. 65 """ 48 66 grok.name('waeup.local.ApplicationOwner') 49 67 grok.title(u'Application Owner') 50 grok.permissions('waeup.handleApplication', 'waeup.viewApplication', 68 grok.permissions('waeup.handleApplication', 69 'waeup.viewApplication', 51 70 'waeup.payApplicant') 52 71 53 # Site role 72 # Site roles 54 73 55 74 class ApplicantRole(grok.Role): 75 """This role is dedicated to applicants only. It defines the permissions 76 an applicant gains portal-wide. 77 """ 56 78 grok.name('waeup.Applicant') 57 79 grok.permissions('waeup.viewAcademics', 'waeup.viewMyApplicationDataTab', … … 59 81 60 82 class ApplicationsOfficer(grok.Role): 83 """The Applications Officer is allowed to view all application records. 84 """ 61 85 grok.name('waeup.ApplicationsOfficer') 62 86 grok.title(u'Applications Officer (view only)') … … 64 88 65 89 class ApplicationsManager(grok.Role): 90 """The Applications Officer is allowed to edit all application records. 91 The role allows also to add payment tickets. 92 """ 66 93 grok.name('waeup.ApplicationsManager') 67 94 grok.title(u'Applications Manager') -
main/waeup.kofa/trunk/src/waeup/kofa/permissions.py
r12844 r12847 115 115 """The ManageDataCenter permission allows to access all pages 116 116 in the Data Center and to upload files. It does not automatically 117 allow to process uploaded data .117 allow to process uploaded data files. 118 118 """ 119 119 grok.name('waeup.manageDataCenter') … … 121 121 class ImportData(grok.Permission): 122 122 """The ImportData permission allows to batch process (import) any kind of 123 portal data except for user data. Th isUser Data processor123 portal data except for user data. The User Data processor 124 124 requires also the ManageUsers permission. 125 125 """ … … 164 164 165 165 # Local Roles 166 166 167 class ApplicationsManager(grok.Role): 167 """ 168 """The local ApplicationsManager role can be assigned at department level. 169 Local Applications Managers do not gain further permissions. This role is 170 meant for the assignment of dynamic roles only, see below. 168 171 """ 169 172 grok.name('waeup.local.ApplicationsManager') … … 172 175 173 176 class DepartmentManager(grok.Role): 174 """ 177 """The local DepartmentManager role can be assigned at faculty or 178 department level. The role allows to edit all data within this container. 179 It does not automatically allow to remove sub-containers. 180 181 Department Managers (Dean of Faculty or Head of Department respectively) 182 can also list student data but not access student pages. 175 183 """ 176 184 grok.name('waeup.local.DepartmentManager') … … 181 189 182 190 class DepartmentOfficer(grok.Role): 183 """ 191 """The local DepartmentOfficer role can be assigned at faculty or 192 department level. The role allows to list all student data within the 193 faculty/department the local role is assigned. 194 195 Department Managers (Dean of Faculty or Head of Department respectively) 196 can also list student data but not access student pages. They can 197 furthermore export payment overviews. 184 198 """ 185 199 grok.name('waeup.local.DepartmentOfficer') … … 190 204 191 205 class ClearanceOfficer(grok.Role): 192 """The clearance officer role is meant for the 193 assignment of dynamic roles only. 206 """The local ClearanceOfficer role can be assigned at faculty or 207 department level. The role allows to list or export all student 208 data within the faculty/department the local role is assigned. 209 210 Clearance Officers can furthermore clear all students or reject clearance 211 of all students in their faculty/department. They get the 212 StudentsClearanceOfficer role for this subset of students. 194 213 """ 195 214 grok.name('waeup.local.ClearanceOfficer') … … 201 220 202 221 class LocalStudentsManager(grok.Role): 203 """The local students manager role is meant for the 204 assignment of dynamic roles only. 222 """The local LocalStudentsManager role can be assigned at faculty or 223 department level. The role allows to view all data and to view or export 224 all student data within the faculty/department the local role is assigned. 225 226 Local Students Managers can furthermore manage data of students 227 in their faculty/department. They get the StudentsManager role for 228 this subset of students. 205 229 """ 206 230 grok.name('waeup.local.LocalStudentsManager') … … 211 235 212 236 class LocalWorkflowManager(grok.Role): 213 """The local workflow manager role is meant for the 214 assignment of dynamic roles only. 237 """The local LocalWorkflowManager role can be assigned at faculty level. 238 The role allows to view all data and to list or export 239 all student data within the faculty the local role is assigned. 240 241 Local Workflow Managers can trigger transition of students in their 242 faculty/department. They get the WorkflowManager role for 243 this subset of students. 215 244 """ 216 245 grok.name('waeup.local.LocalWorkflowManager') … … 221 250 222 251 class UGClearanceOfficer(grok.Role): 223 """The clearance officer role is meant for the 224 assignment of dynamic roles only. 252 """UG Clearance Officers are regular Clearance Officers with restricted 253 dynamic permission assignment. They can only access undergraduate 254 students. 225 255 """ 226 256 grok.name('waeup.local.UGClearanceOfficer') … … 232 262 233 263 class PGClearanceOfficer(grok.Role): 234 """The clearance officer role is meant for the 235 assignment of dynamic roles only. 264 """PG Clearance Officers are regular Clearance Officers with restricted 265 dynamic permission assignment. They can only access postgraduate 266 students. 236 267 """ 237 268 grok.name('waeup.local.PGClearanceOfficer') … … 243 274 244 275 class CourseAdviser100(grok.Role): 245 """The 100 level course adviser role is meant for the 246 assignment of dynamic roles only. 276 """The local CourseAdviser100 role can be assigned at faculty, 277 department or certificate level. The role allows to view all data and 278 to list or export all student data within the faculty, department 279 or certificate the local role is assigned. 280 281 Local Course Advisers can validate or reject course lists of students 282 in ther faculty/department/certificate at level 100. 283 They get the StudentsCourseAdviser role for this subset of students. 247 284 """ 248 285 grok.name('waeup.local.CourseAdviser100') … … 253 290 254 291 class CourseAdviser200(grok.Role): 255 """The course 200 level adviser role is meant for the 256 assignment of dynamic roles only. 292 """Same as CourseAdviser100 but for level 200. 257 293 """ 258 294 grok.name('waeup.local.CourseAdviser200') … … 263 299 264 300 class CourseAdviser300(grok.Role): 265 """The 300 level course adviser role is meant for the 266 assignment of dynamic roles only. 301 """Same as CourseAdviser100 but for level 300. 267 302 """ 268 303 grok.name('waeup.local.CourseAdviser300') … … 273 308 274 309 class CourseAdviser400(grok.Role): 275 """The 400 level course adviser role is meant for the 276 assignment of dynamic roles only. 310 """Same as CourseAdviser100 but for level 400. 277 311 """ 278 312 grok.name('waeup.local.CourseAdviser400') … … 283 317 284 318 class CourseAdviser500(grok.Role): 285 """The 500 level course adviser role is meant for the 286 assignment of dynamic roles only. 319 """Same as CourseAdviser100 but for level 500. 287 320 """ 288 321 grok.name('waeup.local.CourseAdviser500') … … 293 326 294 327 class CourseAdviser600(grok.Role): 295 """The 600 level course adviser role is meant for the 296 assignment of dynamic roles only. 328 """Same as CourseAdviser100 but for level 600. 297 329 """ 298 330 grok.name('waeup.local.CourseAdviser600') … … 303 335 304 336 class CourseAdviser700(grok.Role): 305 """The 700 level course adviser role is meant for the 306 assignment of dynamic roles only. 337 """Same as CourseAdviser100 but for level 700. 307 338 """ 308 339 grok.name('waeup.local.CourseAdviser700') … … 313 344 314 345 class CourseAdviser800(grok.Role): 315 """The 800 level course adviser role is meant for the 316 assignment of dynamic roles only. 346 """Same as CourseAdviser100 but for level 800. 317 347 """ 318 348 grok.name('waeup.local.CourseAdviser800') … … 323 353 324 354 class Lecturer(grok.Role): 325 """The lecturer role is meant for the 326 assignment of dynamic roles only. 355 """The local Lecturer role can be assigned at course level. 356 The role allows to view all data and to list or export all student 357 ata within course the local role is assigned. Lecturers can't access 358 student data directly but they can edit the scores in course tickets. 327 359 """ 328 360 grok.name('waeup.local.Lecturer') … … 334 366 335 367 class Owner(grok.Role): 368 """Each user 'owns' her/his user object and gains permission to edit 369 some of the user attributes. 370 """ 336 371 grok.name('waeup.local.Owner') 337 372 grok.title(u'Owner') … … 339 374 340 375 # Site Roles 376 341 377 class AcademicsOfficer(grok.Role): 342 378 """An Academics Officer can view but not edit data in the … … 364 400 class ACManager(grok.Role): 365 401 """This is the role for Access Code Managers. 366 An AC Manager can view and manage the Accesscodes Section, see402 An AC Manager can view and manage the Accesscodes Section, see 367 403 ManageACBatches permission above. 368 404 """ … … 374 410 """This single-permission role is dedicated to those users 375 411 who are charged with batch processing of portal data. 376 A Data CenterManager manager can access all pages in the Data Center,412 A Data Center Manager can access all pages in the Data Center, 377 413 see ManageDataCenter permission above. 378 414 """ … … 382 418 383 419 class ImportManager(grok.Role): 384 """An Import Manager is a DataCenterManager who is also allowed420 """An Import Manager is a Data Center Manager who is also allowed 385 421 to batch process (import) data. All batch processors (importers) are 386 422 available except for the User Processor. This processor requires the 387 Users Manager role too. The ImportManager role includes the423 Users Manager role too. The ImportManager role includes the 388 424 DataCenterManager role but not vice versa. 389 425 """ … … 394 430 395 431 class ExportManager(grok.Role): 396 """An Export Manager is a DataCenterManager who is also allowed432 """An Export Manager is a Data Center Manager who is also allowed 397 433 to export all kind of portal data. The ExportManager role includes the 398 434 DataCenterManager role but not vice versa. … … 404 440 405 441 class BursaryOfficer(grok.Role): 406 """Bursary Officers can export bursary data. They can't access the442 """Bursary Officers can export bursary data. They can't access the 407 443 Data Center but see student data export buttons in the Academic Section. 408 444 """ … … 414 450 415 451 class UsersManager(grok.Role): 416 """A Users Manager can add, remove or edit452 """A Users Manager can add, remove or edit 417 453 user accounts, see ManageUsers permission for further information. 418 454 Be very careful with this role. … … 424 460 425 461 class WorkflowManager(grok.Role): 426 """The Workflow Manager can trigger workflow transitions462 """The Workflow Manager can trigger workflow transitions 427 463 of student and document objects, see TriggerTransition permission 428 464 for further information. … … 433 469 434 470 class PortalManager(grok.Role): 435 """The portal manager role is the maximum set of Kofa permissions471 """The PortalManager role is the maximum set of Kofa permissions 436 472 which are needed to manage the entire portal. This set must not 437 473 be customized. It is recommended to assign this role only -
main/waeup.kofa/trunk/src/waeup/kofa/students/permissions.py
r12843 r12847 24 24 25 25 class HandleStudent(grok.Permission): 26 """ 27 The HandleStudent permission is reserved for students. 28 Students 'handle' their data. Officers 'manage' the data. 29 """ 26 30 grok.name('waeup.handleStudent') 27 31 28 32 class ViewStudent(grok.Permission): 33 """ 34 The ViewStudent permission allows to view all student data. 35 """ 29 36 grok.name('waeup.viewStudent') 30 37 … … 33 40 34 41 class ViewStudentsContainer(grok.Permission): 42 """The ViewStudentsContainer permission allows to view the students root 43 container page. 44 """ 35 45 grok.name('waeup.viewStudentsContainer') 36 46 37 47 class PayStudent(grok.Permission): 48 """The PayStudent permission allows to add an online payment ticket and to 49 manage tickets. 50 """ 38 51 grok.name('waeup.payStudent') 39 52 40 53 class HandleAccommodation(grok.Permission): 54 """The HandleAccommodation allows to manage bed tickets. 55 """ 41 56 grok.name('waeup.handleAccommodation') 42 57 43 58 class UploadStudentFile(grok.Permission): 59 """The UploadStudentFile permissions allows to upload the passport picture. 60 The respective page additionally checks the state of the student. 61 """ 44 62 grok.name('waeup.uploadStudentFile') 45 63 46 64 class ManageStudent(grok.Permission): 65 """The ManageStudent permission allows to edit the data. 66 This permission is meant for clearance officers. 67 """ 47 68 grok.name('waeup.manageStudent') 48 69 49 70 class ClearStudent(grok.Permission): 71 """The ClearStudent permission is needed to clear students 72 or to reject clearance. This permission is meant for course advisers. 73 """ 50 74 grok.name('waeup.clearStudent') 51 75 52 76 class ValidateStudent(grok.Permission): 77 """The ValidateStudent permission is needed to validate or reject 78 course lists. This permission is not needed if users 79 already have the TriggerTransition permission. 80 """ 53 81 grok.name('waeup.validateStudent') 54 82 55 83 class EditStudyLevel(grok.Permission): 84 """The EditStudyLevel permission is needed for editing course lists. 85 Students and course advisers do have this permission. 86 """ 56 87 grok.name('waeup.editStudyLevel') 57 88 58 89 class LoginAsStudent(grok.Permission): 90 """The LoginAsStudent is needed to set temporary student passwords 91 and login as (impersonate) students. 92 """ 59 93 grok.name('waeup.loginAsStudent') 60 94 61 95 # Local role 62 96 class StudentRecordOwner(grok.Role): 97 """A student 'owns' her/his student object and subobjects and 98 gains permissions to handle all data, upload a passport picture, 99 add payment tickets, create and edit course lists and handle accommodation. 100 """ 63 101 grok.name('waeup.local.StudentRecordOwner') 64 102 grok.title(u'Student Record Owner') … … 72 110 # Site Roles 73 111 class StudentRole(grok.Role): 112 """This role is dedicated to students only. 113 It defines the permissions a student gains portal-wide. 114 """ 74 115 grok.name('waeup.Student') 75 116 grok.title(u'Student (do not assign)') … … 79 120 80 121 class StudentsOfficer(grok.Role): 122 """The Students Officer is allowed to view all student data. 123 """ 81 124 grok.name('waeup.StudentsOfficer') 82 125 grok.title(u'Students Officer (view only)') … … 85 128 86 129 class StudentsManager(grok.Role): 130 """The Students Officer is allowed to edit all student data, to 131 create payment tickets, to handle bed tickets and to upload passport 132 pictures. 133 """ 87 134 grok.name('waeup.StudentsManager') 88 135 grok.title(u'Students Manager') … … 104 151 105 152 class StudentsClearanceOfficer(grok.Role): 153 """The global StudentsClearanceOfficer role enables users to view all 154 student data, to clear students and to reject clearance portal-wide. 155 Usually, this role is not assigned manually. 156 We are using the correspondent local role instead which assigns the 157 StudentsClearanceOfficer role dynamically. 158 """ 106 159 grok.name('waeup.StudentsClearanceOfficer') 107 160 grok.title(u'Clearance Officer (all students)') … … 110 163 111 164 class StudentsCourseAdviser(grok.Role): 165 """The global StudentsCourseAdviser role enables users to view all 166 student data, to edit, validate or reject course lists portal-wide. 167 Usually, this role is not assigned manually. 168 We are using the correspondent local role instead which assigns the 169 StudentsCourseAdviser role dynamically. 170 """ 112 171 grok.name('waeup.StudentsCourseAdviser') 113 172 grok.title(u'Course Adviser (all students)') … … 117 176 118 177 class StudentImpersonator(grok.Role): 178 """The Student Impersonator gains the LoginAsStudent permission, 179 nothing else, see description above. 180 """ 119 181 grok.name('waeup.StudentImpersonator') 120 182 grok.title(u'Student Impersonator') -
main/waeup.kofa/trunk/src/waeup/kofa/students/tests/test_browser.py
r12632 r12847 688 688 self.assertEqual(self.browser.headers['Content-Type'], 689 689 'application/pdf') 690 # We want to see the signature fields. 691 IWorkflowState(self.student).setState('cleared') 692 self.browser.open(self.student_path + '/clearance_slip.pdf') 693 self.assertEqual(self.browser.headers['Status'], '200 Ok') 694 self.assertEqual(self.browser.headers['Content-Type'], 695 'application/pdf') 696 path = os.path.join(samples_dir(), 'clearance_slip.pdf') 697 open(path, 'wb').write(self.browser.contents) 698 print "Sample PDF clearance_slip.pdf written to %s" % path 690 699 691 700 def test_manage_course_lists(self):
Note: See TracChangeset for help on using the changeset viewer.