Changeset 12900 for main

Timestamp:

3 May 2015, 06:49:12 (9 years ago)

Author:

Henrik Bettermann

Message:

Add ReportsOfficer? role. The RO is allowed to view and remove only his/her reports.

Location:

main/waeup.kofa/trunk

Files:

• CHANGES.txt (modified) (1 diff)
• docs/source/userdocs/security.rst (modified) (2 diffs)
• src/waeup/kofa/browser/reports.py (modified) (4 diffs)
• src/waeup/kofa/browser/tests/test_permissions.py (modified) (5 diffs)
• src/waeup/kofa/browser/viewlets.py (modified) (1 diff)
• src/waeup/kofa/permissions.py (modified) (2 diffs)
• src/waeup/kofa/permissions.txt (modified) (2 diffs)
• src/waeup/kofa/reports.py (modified) (1 diff)
• src/waeup/kofa/students/reports/level_report.py (modified) (1 diff)
• src/waeup/kofa/students/reports/student_statistics.py (modified) (1 diff)

main/waeup.kofa/trunk/CHANGES.txt

@@ -18 +18 @@
   in accordance with other exporter names.
 
-* Add `ReportsManager` role.
+* Add `ReportsOfficer` and `ReportsManager` roles with corresponding
+  permissions.
 
 * Do not automatically allow import managers to import user data.

main/waeup.kofa/trunk/docs/source/userdocs/security.rst

@@ -79 +79 @@
    :noindex:
 
+.. autoclass:: waeup.kofa.reports.HandleReports()
+   :noindex:
+
 .. autoclass:: waeup.kofa.reports.ManageReports()
    :noindex:
@@ -175 +178 @@
 
 .. autoclass:: waeup.kofa.permissions.WorkflowManager()
+   :noindex:
+
+.. autoclass:: waeup.kofa.reports.ReportsOfficer()
    :noindex:
 

main/waeup.kofa/trunk/src/waeup/kofa/browser/reports.py

@@ -21 +21 @@
 from zope.component import getUtility, queryUtility
 from zope.location.location import located
+from zope.security import checkPermission
 from waeup.kofa.interfaces import IJobManager, IKofaUtils
 from waeup.kofa.interfaces import MessageFactory as _
 from waeup.kofa.browser.layout import KofaPage
-from waeup.kofa.reports import IReportsContainer, IReportGenerator
-from waeup.kofa.reports import get_generators
+from waeup.kofa.utils.helpers import get_current_principal
+from waeup.kofa.reports import (
+    IReportsContainer, IReportGenerator, get_generators)
 
 
@@ -36 +38 @@
     grok.name('index')
     grok.context(IReportsContainer)
-    grok.require('waeup.manageReports')
+    grok.require('waeup.handleReports')
     label = _('Reports')
 
@@ -54 +56 @@
             grok.getSite().logger.info(
                 '%s - report %s discarded' % (ob_class, job_id))
-        self.entries = self._generate_entries(user_id=None)
+        if not checkPermission('waeup.manageReports', self.context):
+            user = get_current_principal()
+            self.entries = self._generate_entries(user_id=user.id)
+        else:
+            self.entries = self._generate_entries(user_id=None)
         if job_id and DOWNLOAD:
             self.redirect(self._report_url(job_id))
@@ -114 +120 @@
     grok.name('create')
     grok.context(IReportsContainer)
-    grok.require('waeup.manageReports')
+    grok.require('waeup.handleReports')
     label = _('Create report')
 

main/waeup.kofa/trunk/src/waeup/kofa/browser/tests/test_permissions.py

@@ -26 +26 @@
 import shutil
 import tempfile
+from zc.async.testing import wait_for_result
 from zope.app.testing.functional import HTTPCaller as http
-from zope.component import createObject
+from zope.securitypolicy.interfaces import IPrincipalRoleManager
+from zope.component import createObject, getUtility
 from zope.component.hooks import setSite, clearSite
 from zope.security.interfaces import Unauthorized
 from zope.testbrowser.testing import Browser
+from waeup.kofa.interfaces import IJobManager
 from waeup.kofa.app import University
 from waeup.kofa.testing import (
     FunctionalLayer, FunctionalTestCase, get_all_loggers, remove_new_loggers,
     remove_logger)
+from waeup.kofa.tests.test_async import FunctionalAsyncTestCase
+
+
 
 manager_pages = [
@@ -63 +69 @@
     ]
 
-class PermissionTest(FunctionalTestCase):
+class PermissionTest(FunctionalAsyncTestCase, FunctionalTestCase):
     """Here we try to request all pages and check, whether they are
     accessible.
@@ -92 +98 @@
         dept.certificates.addCertificate(cert)
         cert.addCertCourse(course)
+        self.app = app
 
         self.browser = Browser()
@@ -110 +117 @@
         except Unauthorized:
             return False
+        return
+
+    def wait_for_report_job_completed(self, number):
+        # helper function waiting until the current export job is completed
+        manager = getUtility(IJobManager)
+        job_id = self.app['reports'].running_report_jobs[number][0]
+        job = manager.get(job_id)
+        wait_for_result(job)
+        return job_id
+
+    def stored_in_reports(self, job_id):
+        # tell whether job_id is stored in reports's running jobs list
+        for entry in list(self.app['reports'].running_report_jobs):
+            if entry[0] == job_id:
+                return True
+        return False
+
+    def trigger_report_creation(self, session):
+        self.browser.open('http://localhost/app/reports')
+        self.assertEqual(self.browser.headers['Status'], '200 Ok')
+        self.browser.getLink("Create new report").click()
+        self.browser.getControl(name="generator").value = ['student_stats']
+        self.browser.getControl("Configure").click()
+        self.browser.getControl(name="breakdown").value = ['depcode']
+        self.browser.getControl(name="mode").value = ['All']
+        self.browser.getControl(name="session").value = [session]
+        self.browser.getControl("Create").click()
         return
 
@@ -122 +156 @@
             self.fail('Path %s cannot be accessed by anonymous.' % path)
         return
+
+    def testReportsPermissions(self):
+        # Create reports officer
+        self.app['users'].addUser('mrofficer', 'mrofficer')
+        self.app['users']['mrofficer'].email = 'mrofficer@foo.ng'
+        self.app['users']['mrofficer'].title = 'Otto Report'
+        prmglobal = IPrincipalRoleManager(self.app)
+        prmglobal.assignRoleToPrincipal('waeup.ReportsOfficer', 'mrofficer')
+        # Create reports manager
+        self.app['users'].addUser('mrmanager', 'mrmanager')
+        self.app['users']['mrmanager'].email = 'mrmanager@foo.ng'
+        self.app['users']['mrmanager'].title = 'Manfred Report'
+        prmglobal.assignRoleToPrincipal('waeup.ReportsManager', 'mrmanager')
+        # The reports officer creates a report which the reports manager
+        # can see.
+        self.browser.open('http://localhost/app/login')
+        self.browser.getControl(name="form.login").value = 'mrofficer'
+        self.browser.getControl(name="form.password").value = 'mrofficer'
+        self.browser.getControl("Login").click()
+        self.trigger_report_creation('2004')
+        job_id = self.wait_for_report_job_completed(0)
+        self.browser.open('http://localhost/app/reports')
+        self.assertTrue(
+            'Student Statistics (depcode, 2004, All, 0)'
+            in self.browser.contents)
+        self.browser.open('http://localhost/app/logout')
+        # The reports manager creates a report which the reports officer
+        # can't see.
+        self.browser.open('http://localhost/app/login')
+        self.browser.getControl(name="form.login").value = 'mrmanager'
+        self.browser.getControl(name="form.password").value = 'mrmanager'
+        self.browser.getControl("Login").click()
+        self.trigger_report_creation('2005')
+        job_id = self.wait_for_report_job_completed(1)
+        self.browser.open('http://localhost/app/reports')
+        # Manager can see both reports.
+        self.assertTrue(
+            'Student Statistics (depcode, 2004, All, 0)'
+            in self.browser.contents)
+        self.assertTrue(
+            'Student Statistics (depcode, 2005, All, 0)'
+            in self.browser.contents)
+        self.browser.open('http://localhost/app/logout')
+        self.browser.open('http://localhost/app/login')
+        self.browser.getControl(name="form.login").value = 'mrofficer'
+        self.browser.getControl(name="form.password").value = 'mrofficer'
+        self.browser.getControl("Login").click()
+        self.browser.open('http://localhost/app/reports')
+        # Officer can only see his report.
+        self.assertTrue(
+            'Student Statistics (depcode, 2004, All, 0)'
+            in self.browser.contents)
+        self.assertFalse(
+            'Student Statistics (depcode, 2005, All, 0)'
+            in self.browser.contents)
+        return

main/waeup.kofa/trunk/src/waeup/kofa/browser/viewlets.py

@@ -344 +344 @@
     """
     grok.order(4)
-    grok.require('waeup.manageReports')
+    grok.require('waeup.handleReports')
 
     link = u'reports'

main/waeup.kofa/trunk/src/waeup/kofa/permissions.py

@@ -502 +502 @@
                      'waeup.editUser',
                      'waeup.loginAsStudent',
+                     'waeup.handleReports',
                      'waeup.manageReports',
                      'waeup.manageJobs',
@@ -545 +546 @@
                      #'waeup.editUser',
                      #'waeup.loginAsStudent',
+                     'waeup.handleReports',
                      'waeup.manageReports',
                      #'waeup.manageJobs',

main/waeup.kofa/trunk/src/waeup/kofa/permissions.txt

@@ -39 +39 @@
     >>> from waeup.kofa.permissions import get_waeup_roles
     >>> len(list(get_waeup_roles()))
-    25
+    26
 
     >>> len(list(get_waeup_roles(also_local=True)))
-    46
+    47
 
 
@@ -68 +68 @@
      u'waeup.PortalManager',
      u'waeup.ReportsManager',
+     u'waeup.ReportsOfficer',
      u'waeup.Student',
      u'waeup.StudentImpersonator',

main/waeup.kofa/trunk/src/waeup/kofa/reports.py

@@ -139 +139 @@
     """
 
+class HandleReports(grok.Permission):
+    """The HandleReports permission allows to add any kind of report
+    and to view and remove own reports, i.e. reports which were created by
+    the logged-in user.
+    """
+    grok.name('waeup.handleReports')
+
 class ManageReports(grok.Permission):
-    """The ManageReports permission allows to view, add and remove reports.
+    """The ManageReports permission allows to view, add and remove also
+    the reports of other users. It requires the permission to handle reports.
     """
     grok.name('waeup.manageReports')
 
+class ReportsOfficer(grok.Role):
+    """The Reports Officer has the permission to to view, add and remove
+    **own** reports.
+    """
+    grok.name('waeup.ReportsOfficer')
+    grok.title(u'Reports Officer')
+    grok.permissions('waeup.handleReports')
+
 class ReportsManager(grok.Role):
-    """The ReportsManager has the permission to manage reports.
+    """The Reports Manager has the permission to to view, add and remove
+    **all** reports.
     """
     grok.name('waeup.ReportsManager')
     grok.title(u'Reports Manager')
-    grok.permissions('waeup.manageReports')
+    grok.permissions('waeup.handleReports', 'waeup.manageReports')
 
 def get_generators():

main/waeup.kofa/trunk/src/waeup/kofa/students/reports/level_report.py

@@ -225 +225 @@
     grok.context(LevelReportGenerator)
     grok.name('index.html')
-    grok.require('waeup.manageReports')
+    grok.require('waeup.handleReports')
 
     label = _('Create level report')

main/waeup.kofa/trunk/src/waeup/kofa/students/reports/student_statistics.py

@@ -215 +215 @@
     grok.context(StudentStatisticsReportGenerator)
     grok.name('index.html')
-    grok.require('waeup.manageReports')
+    grok.require('waeup.handleReports')
 
     label = _('Create student statistics report')