diff --git a/apps/acls/__init__.py b/apps/acls/__init__.py index f478d84250..a8554290d6 100644 --- a/apps/acls/__init__.py +++ b/apps/acls/__init__.py @@ -11,18 +11,28 @@ acls_namespace = PermissionNamespace('acls', _(u'Access control lists')) ACLS_EDIT_ACL = Permission.objects.register(acls_namespace, 'acl_edit', _(u'Edit ACLs')) ACLS_VIEW_ACL = Permission.objects.register(acls_namespace, 'acl_view', _(u'View ACLs')) +ACLS_CLASS_EDIT_ACL = Permission.objects.register(acls_namespace, 'acl_edit', _(u'Edit class default ACLs')) +ACLS_CLASS_VIEW_ACL = Permission.objects.register(acls_namespace, 'acl_view', _(u'View class default ACLs')) + + acl_list = {'text': _(u'ACLs'), 'view': 'acl_list', 'famfam': 'lock', 'permissions': [ACLS_VIEW_ACL]} acl_detail = {'text': _(u'edit'), 'view': 'acl_detail', 'args': ['access_object.gid', 'object.gid'], 'famfam': 'lock', 'permissions': [ACLS_VIEW_ACL]} acl_grant = {'text': _(u'grant'), 'view': 'acl_multiple_grant', 'famfam': 'key_add', 'permissions': [ACLS_EDIT_ACL]} acl_revoke = {'text': _(u'revoke'), 'view': 'acl_multiple_revoke', 'famfam': 'key_delete', 'permissions': [ACLS_EDIT_ACL]} acl_setup_valid_classes = {'text': _(u'Default ACLs'), 'view': 'acl_setup_valid_classes', 'icon': 'lock.png'}#, 'permissions': [ACLS_EDIT_ACL]} +acl_class_list = {'text': _(u'List of classes'), 'view': 'acl_setup_valid_classes', 'famfam': 'package'}#, 'permissions': [ACLS_EDIT_ACL]} acl_class_acl_list = {'text': _(u'ACLs for class'), 'view': 'acl_class_acl_list', 'args': 'object.gid', 'famfam': 'lock'}#, 'permissions': [ACLS_VIEW_ACL]} +acl_class_new_holder_for = {'text': _(u'New holder'), 'view': 'acl_class_new_holder_for', 'args': 'object.gid', 'famfam': 'user'}#, 'permissions': [ACLS_VIEW_ACL]} +acl_class_grant = {'text': _(u'grant'), 'view': 'acl_class_multiple_grant', 'famfam': 'key_add', 'permissions': [ACLS_EDIT_ACL]} +acl_class_revoke = {'text': _(u'revoke'), 'view': 'acl_class_multiple_revoke', 'famfam': 'key_delete', 'permissions': [ACLS_EDIT_ACL]} register_links(AccessHolder, [acl_detail]) register_multi_item_links(['acl_detail'], [acl_grant, acl_revoke]) register_setup(acl_setup_valid_classes) -register_links(['acl_setup_valid_classes', 'acl_class_acl_list',], [acl_setup_valid_classes], menu_name='sidebar') +register_links(['acl_setup_valid_classes', 'acl_class_acl_list', 'acl_class_new_holder_for', 'acls_class_acl_detail'], [acl_class_list], menu_name='sidebar') register_links(AccessObjectClass, [acl_class_acl_list]) +register_links(AccessObjectClass, [acl_class_new_holder_for]) +register_multi_item_links(['acls_class_acl_detail'], [acl_class_grant, acl_class_revoke]) diff --git a/apps/acls/urls.py b/apps/acls/urls.py index 13de21e23f..2ee785071e 100644 --- a/apps/acls/urls.py +++ b/apps/acls/urls.py @@ -9,7 +9,13 @@ urlpatterns = patterns('acls.views', url(r'^multiple/grant/$', 'acl_grant', (), 'acl_multiple_grant'), url(r'^multiple/revoke/$', 'acl_revoke', (), 'acl_multiple_revoke'), - url(r'^class/setup/$', 'acl_setup_valid_classes', (), 'acl_setup_valid_classes'), + url(r'^class/$', 'acl_setup_valid_classes', (), 'acl_setup_valid_classes'), #url(r'^class/list_for/(?P[-\w]+)/(?P[-\w]+)/$', 'acl_class_acl_list', (), 'acl_class_acl_list'), + url(r'^class/details/(?P[.\w]+)/holder/(?P[.\w]+)/$', 'acls_class_acl_detail', (), 'acls_class_acl_detail'), url(r'^class/list_for/(?P[.\w]+)/$', 'acl_class_acl_list', (), 'acl_class_acl_list'), + url(r'^class/holder/new/(?P[.\w]+)/$', 'acl_class_new_holder_for', (), 'acl_class_new_holder_for'), + + url(r'^class/multiple/grant/$', 'acl_class_multiple_grant', (), 'acl_class_multiple_grant'), + url(r'^class/multiple/revoke/$', 'acl_class_multiple_revoke', (), 'acl_class_multiple_revoke'), + ) diff --git a/apps/acls/views.py b/apps/acls/views.py index b3ff2cbcae..25d737b86b 100644 --- a/apps/acls/views.py +++ b/apps/acls/views.py @@ -77,7 +77,7 @@ def acl_detail(request, access_object_gid, holder_object_gid): { 'name': u'generic_list_subtemplate.html', 'context': { - 'title': _(u'permissions held by: %s for %s' % (holder, access_object)), + 'title': _(u'permissions available to: %s for %s' % (holder, access_object)), 'object_list': permission_list, 'extra_columns': [ {'name': _(u'namespace'), 'attribute': 'namespace'}, @@ -293,15 +293,16 @@ def acl_new_holder_for(request, obj, extra_context=None): context_instance=RequestContext(request)) +# Setup views def acl_setup_valid_classes(request): #Permission.objects.check_permissions(request.user, [ACLS_VIEW_ACL]) - logger.debug('DefaultAccessEntry.get_classes(): %s' % DefaultAccessEntry.get_classes()) context = { #'object_list': [AccessObjectClass.encapsulate(cls) for cls in DefaultAccessEntry.get_classes()], 'object_list': DefaultAccessEntry.get_classes(), - 'title': _(u'default access control lists'), + #'title': _(u'default access control lists'), + 'title': _(u'classes'), #'hide_links': True, 'extra_columns': [ {'name': _(u'class'), 'attribute': encapsulate(lambda x: object_w_content_type_icon(x.source_object))}, @@ -319,7 +320,7 @@ def acl_class_acl_list(request, access_object_class_gid): access_object_class = AccessObjectClass.get(gid=access_object_class_gid) context = { 'object_list': DefaultAccessEntry.objects.get_holders_for(access_object_class.source_object), - 'title': _(u'default access control lists for: %s' % access_object_class.source_object._meta.verbose_name_plural), + 'title': _(u'default access control lists for class: %s') % access_object_class, #'multi_select_as_buttons': True, #'hide_links': True, #'extra_columns': [ @@ -328,8 +329,240 @@ def acl_class_acl_list(request, access_object_class_gid): # ], #'hide_object': True, #'access_object': AccessObject.encapsulate(ct) + 'object': access_object_class, } return render_to_response('generic_list.html', context, context_instance=RequestContext(request)) + +def acls_class_acl_detail(request, access_object_class_gid, holder_object_gid): + #Permission.objects.check_permissions(request.user, [ACLS_VIEW_ACL, ACLS_EDIT_ACL]) + + try: + holder = AccessHolder.get(gid=holder_object_gid) + access_object_class = AccessObjectClass.get(gid=access_object_class_gid) + except ObjectDoesNotExist: + raise Http404 + + permission_list = list(access_object_class.get_class_permissions()) + #TODO : get all globally assigned permission, new function get_permissions_for_holder (roles aware) + subtemplates_list = [ + { + 'name': u'generic_list_subtemplate.html', + 'context': { + 'title': _(u'permissions available to: %s for class %s' % (holder, access_object_class)), + 'object_list': permission_list, + 'extra_columns': [ + {'name': _(u'namespace'), 'attribute': 'namespace'}, + {'name': _(u'label'), 'attribute': 'label'}, + { + 'name':_(u'has permission'), + 'attribute': encapsulate(lambda x: two_state_template(DefaultAccessEntry.objects.has_accesses(x, holder.source_object, access_object_class.source_object))) + }, + ], + #'hide_link': True, + 'hide_object': True, + } + }, + ] + + return render_to_response('generic_detail.html', { + 'object': access_object_class, + 'subtemplates_list': subtemplates_list, + 'multi_select_as_buttons': True, + 'multi_select_item_properties': { + 'permission_pk': lambda x: x.pk, + 'holder_gid': lambda x: holder.gid, + 'access_object_class_gid': lambda x: access_object_class.gid, + }, + }, context_instance=RequestContext(request)) + + +def acl_class_new_holder_for(request, access_object_class_gid): + #Permission.objects.check_permissions(request.user, [ACLS_EDIT_ACL]) + access_object_class = AccessObjectClass.get(gid=access_object_class_gid) + + if request.method == 'POST': + form = HolderSelectionForm(request.POST) + if form.is_valid(): + try: + #access_object = AccessObject.encapsulate(access_object_class) + access_holder = AccessHolder.get(form.cleaned_data['holder_gid']) + + return HttpResponseRedirect(reverse('acls_class_acl_detail', args=[access_object_class.gid, access_holder.gid])) + except ObjectDoesNotExist: + raise Http404 + else: + form = HolderSelectionForm() + + context = { + 'form': form, + 'title': _(u'add new holder for class: %s') % unicode(access_object_class), + 'object': access_object_class, + 'submit_label': _(u'Select'), + 'submit_icon_famfam': 'tick' + } + + return render_to_response('generic_form.html', context, + context_instance=RequestContext(request)) + + +def acl_class_multiple_grant(request): + #Permission.objects.check_permissions(request.user, [ACLS_EDIT_ACL]) + items_property_list = loads(request.GET.get('items_property_list', [])) + post_action_redirect = None + + next = request.POST.get('next', request.GET.get('next', request.META.get('HTTP_REFERER', None))) + previous = request.POST.get('previous', request.GET.get('previous', request.META.get('HTTP_REFERER', None))) + + items = {} + title_suffix = [] + navigation_object = None + navigation_object_count = 0 + + for item_properties in items_property_list: + try: + permission = Permission.objects.get({'pk': item_properties['permission_pk']}) + except Permission.DoesNotExist: + raise Http404 + try: + requester = AccessHolder.get(gid=item_properties['holder_gid']) + access_object_class = AccessObjectClass.get(gid=item_properties['access_object_class_gid']) + except ObjectDoesNotExist: + raise Http404 + + items.setdefault(requester, {}) + items[requester].setdefault(access_object_class, []) + items[requester][access_object_class].append(permission) + navigation_object = access_object_class + navigation_object_count += 1 + + for requester, obj_ps in items.items(): + for obj, ps in obj_ps.items(): + title_suffix.append(_(u' and ').join([u'"%s"' % unicode(p) for p in ps])) + title_suffix.append(_(u' for %s') % obj) + title_suffix.append(_(u' to %s') % requester) + + if len(items_property_list) == 1: + title_prefix = _(u'Are you sure you wish to grant the permission %(title_suffix)s?') + else: + title_prefix = _(u'Are you sure you wish to grant the permissions %(title_suffix)s?') + + if request.method == 'POST': + for requester, object_permissions in items.items(): + for obj, permissions in object_permissions.items(): + for permission in permissions: + if DefaultAccessEntry.objects.grant(permission, requester.source_object, obj.source_object): + messages.success(request, _(u'Permission "%(permission)s" granted to %(requester)s for %(object)s.') % { + 'permission': permission, + 'requester': requester, + 'object': obj + }) + else: + messages.warning(request, _(u'%(requester)s, already had the permission "%(permission)s" granted for %(object)s.') % { + 'requester': requester, + 'permission': permission, + 'object': obj, + }) + + return HttpResponseRedirect(next) + + context = { + 'delete_view': True, + 'previous': previous, + 'next': next, + 'form_icon': u'key_add.png', + } + + context['title'] = title_prefix % { + 'title_suffix': u''.join(title_suffix), + } + + logger.debug('navigation_object_count: %d' % navigation_object_count) + logger.debug('navigation_object: %s' % navigation_object) + if navigation_object_count == 1: + context['object'] = navigation_object + + return render_to_response('generic_confirm.html', context, + context_instance=RequestContext(request)) + + +def acl_class_multiple_revoke(request): + #Permission.objects.check_permissions(request.user, [ACLS_EDIT_ACL]) + items_property_list = loads(request.GET.get('items_property_list', [])) + post_action_redirect = None + + next = request.POST.get('next', request.GET.get('next', request.META.get('HTTP_REFERER', None))) + previous = request.POST.get('previous', request.GET.get('previous', request.META.get('HTTP_REFERER', None))) + + items = {} + title_suffix = [] + navigation_object = None + navigation_object_count = 0 + + for item_properties in items_property_list: + try: + permission = Permission.objects.get({'pk': item_properties['permission_pk']}) + except Permission.DoesNotExist: + raise Http404 + try: + requester = AccessHolder.get(gid=item_properties['holder_gid']) + access_object_class = AccessObjectClass.get(gid=item_properties['access_object_class_gid']) + except ObjectDoesNotExist: + raise Http404 + + items.setdefault(requester, {}) + items[requester].setdefault(access_object_class, []) + items[requester][access_object_class].append(permission) + navigation_object = access_object_class + navigation_object_count += 1 + + for requester, obj_ps in items.items(): + for obj, ps in obj_ps.items(): + title_suffix.append(_(u' and ').join([u'"%s"' % unicode(p) for p in ps])) + title_suffix.append(_(u' for %s') % obj) + title_suffix.append(_(u' from %s') % requester) + + if len(items_property_list) == 1: + title_prefix = _(u'Are you sure you wish to revoke the permission %(title_suffix)s?') + else: + title_prefix = _(u'Are you sure you wish to revoke the permissions %(title_suffix)s?') + + if request.method == 'POST': + for requester, object_permissions in items.items(): + for obj, permissions in object_permissions.items(): + for permission in permissions: + if DefaultAccessEntry.objects.revoke(permission, requester.source_object, obj.source_object): + messages.success(request, _(u'Permission "%(permission)s" revoked of %(requester)s for %(object)s.') % { + 'permission': permission, + 'requester': requester, + 'object': obj + }) + else: + messages.warning(request, _(u'%(requester)s, didn\'t had the permission "%(permission)s" for %(object)s.') % { + 'requester': requester, + 'permission': permission, + 'object': obj, + }) + + return HttpResponseRedirect(next) + + context = { + 'delete_view': True, + 'previous': previous, + 'next': next, + 'form_icon': u'key_delete.png', + } + + context['title'] = title_prefix % { + 'title_suffix': u''.join(title_suffix), + } + + logger.debug('navigation_object_count: %d' % navigation_object_count) + logger.debug('navigation_object: %s' % navigation_object) + if navigation_object_count == 1: + context['object'] = navigation_object + + return render_to_response('generic_confirm.html', context, + context_instance=RequestContext(request))