matthias/mayan-edms
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add acl revokation view

Browse Source
This commit is contained in:
Roberto Rosario
2011-12-13 11:45:49 -04:00
parent 418312bc8a
commit 796a8fbdb5
3 changed files with 216 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
apps/acls/__init__.py
View File

@@ -13,6 +13,7 @@ ACLS_VIEW_ACL = Permission.objects.register(acls_namespace, 'acl_view', _(u'View
acl_list = {'text': _(u'ACLs'), 'view': 'acl_list', 'famfam': 'lock', 'permissions': [ACLS_VIEW_ACL]}
acl_detail = {'text': _(u'edit'), 'view': 'acl_detail', 'args': ['access_object.gid', 'object.gid'], 'famfam': 'lock', 'permissions': [ACLS_VIEW_ACL]}
acl_grant = {'text': _(u'grant'), 'view': 'acl_multiple_grant', 'famfam': 'key_add', 'permissions': [ACLS_EDIT_ACL]}
acl_revoke = {'text': _(u'revoke'), 'view': 'acl_multiple_revoke', 'famfam': 'key_delete', 'permissions': [ACLS_EDIT_ACL]}
register_links(AccessHolder, [acl_detail])
register_multi_item_links(['acl_detail'], [acl_grant])#, permission_revoke])
register_multi_item_links(['acl_detail'], [acl_grant, acl_revoke])

12
apps/acls/urls.py
View File

@@ -1,17 +1,11 @@
from django.conf.urls.defaults import patterns, url
urlpatterns = patterns('acls.views',
url(r'^new_holder_for/(?P<app_label>[-\w]+)/(?P<model_name>[-\w]+)/(?P<object_id>\d+)/$', 'acl_new_holder_for', (), 'acl_new_holder_for'),
url(r'^list_for/(?P<app_label>[-\w]+)/(?P<model_name>[-\w]+)/(?P<object_id>\d+)/$', 'acl_list', (), 'acl_list'),
#url(r'^object/(?P<app_label>[-\w]+)/(?P<model_name>[-\w]+)/(?P<object_id>\d+)/holder/(?P<holder_app_label>[-\w]+)/(?P<holder_model_name>[-\w]+)/(?P<holder_id>\d+)/$', 'acl_detail', (), 'acl_detail'),
url(r'^details/(?P<access_object_gid>[.\w]+)/holder/(?P<holder_object_gid>[.\w]+)/$', 'acl_detail', (), 'acl_detail'),
# url(r'^role/list/$', 'role_list', (), 'role_list'),
# url(r'^role/create/$', 'role_create', (), 'role_create'),
# url(r'^role/(?P<role_id>\d+)/permissions/$', 'role_permissions', (), 'role_permissions'),
# url(r'^role/(?P<role_id>\d+)/edit/$', 'role_edit', (), 'role_edit'),
# url(r'^role/(?P<role_id>\d+)/delete/$', 'role_delete', (), 'role_delete'),
# url(r'^role/(?P<role_id>\d+)/members/$', 'role_members', (), 'role_members'),
#
url(r'^multiple/grant/$', 'acl_grant', (), 'acl_multiple_grant'),
# url(r'^permissions/multiple/revoke/$', 'permission_revoke', (), 'permission_multiple_revoke'),
url(r'^multiple/revoke/$', 'acl_revoke', (), 'acl_multiple_revoke'),
)

280
apps/acls/views.py
View File

@@ -1,3 +1,4 @@
import logging
import operator
import itertools
@@ -14,41 +15,36 @@ from django.contrib.auth.models import User, Group
from django.core.exceptions import ObjectDoesNotExist
from django.utils.simplejson import loads
from permissions.api import check_permissions, namespace_titles, get_permission_label, get_permission_namespace_label
from permissions.models import Permission
from permissions.models import Permission, Role
from common.utils import generate_choices_w_labels, encapsulate
from common.widgets import two_state_template
from acls import ACLS_EDIT_ACL, ACLS_VIEW_ACL
from acls.models import AccessEntry, AccessObject, AccessHolder
from acls.widgets import object_w_content_type_icon
from acls.forms import HolderSelectionForm
logger = logging.getLogger(__name__)
def _permission_titles(permission_list):
return u', '.join([get_permission_label(permission) for permission in permission_list])
return u', '.join([unicode(permission) for permission in permission_list])
def acl_list_for(request, obj, extra_context=None):
#check_permissions(request.user, [ACLS_VIEW_ACL])
Permission.objects.check_permissions(request.user, [ACLS_VIEW_ACL])
ct = ContentType.objects.get_for_model(obj)
context = {
#'app_label': ct.app_label,
#'model_name': ct.model,
'object_list': AccessEntry.objects.get_holders_for(obj),
'title': _(u'access control lists for: %s' % obj),
#'multi_select_as_buttons': True,
#'hide_links': True,
'extra_columns': [
#{'name': _(u'holder'), 'attribute': 'label'},
#{'name': _(u'obj'), 'attribute': 'holder_object'},
#{'name': _(u'gid'), 'attribute': 'gid'},
{'name': _(u'holder'), 'attribute': encapsulate(lambda x: object_w_content_type_icon(x.source_object))},
{'name': _(u'permissions'), 'attribute': encapsulate(lambda x: _permission_titles(AccessEntry.objects.get_permissions_for_holder(obj, x.source_object)))},
#{'name': _(u'arguments'), 'attribute': 'arguments'}
{'name': _(u'permissions'), 'attribute': encapsulate(lambda x: _permission_titles(AccessEntry.objects.get_holder_permissions_for(obj, x.source_object)))},
],
#'hide_link': True,
'hide_object': True,
'access_object': AccessObject.encapsulate(obj)
}
@@ -67,7 +63,7 @@ def acl_list(request, app_label, model_name, object_id):
def acl_detail(request, access_object_gid, holder_object_gid):
#check_permissions(request.user, [ACLS_VIEW_ACL, ACLS_EDIT_ACL])
Permission.objects.check_permissions(request.user, [ACLS_VIEW_ACL, ACLS_EDIT_ACL])
try:
holder = AccessHolder.get(gid=holder_object_gid)
@@ -75,7 +71,7 @@ def acl_detail(request, access_object_gid, holder_object_gid):
except ObjectDoesNotExist:
raise Http404
permission_list = list(set(AccessEntry.objects.get_permissions_for_holder(access_object.source_object, request.user)))
permission_list = list(access_object.get_class_permissions())
#TODO : get all globally assigned permission, new function get_permissions_for_holder (roles aware)
subtemplates_list = [
{
@@ -84,8 +80,8 @@ def acl_detail(request, access_object_gid, holder_object_gid):
'title': _(u'permissions held by: %s for %s' % (holder, access_object)),
'object_list': permission_list,
'extra_columns': [
{'name': _(u'namespace'), 'attribute': encapsulate(lambda x: get_permission_namespace_label(x))},
{'name': _(u'name'), 'attribute': encapsulate(lambda x: get_permission_label(x))},
{'name': _(u'namespace'), 'attribute': 'namespace'},
{'name': _(u'label'), 'attribute': 'label'},
{
'name':_(u'has permission'),
'attribute': encapsulate(lambda x: two_state_template(AccessEntry.objects.has_accesses(x, holder.source_object, access_object.source_object)))
@@ -98,7 +94,6 @@ def acl_detail(request, access_object_gid, holder_object_gid):
]
return render_to_response('generic_detail.html', {
#'form': form,
'object': access_object.obj,
'subtemplates_list': subtemplates_list,
'multi_select_as_buttons': True,
@@ -106,15 +101,12 @@ def acl_detail(request, access_object_gid, holder_object_gid):
'permission_pk': lambda x: x.pk,
'holder_gid': lambda x: holder.gid,
'object_gid': lambda x: access_object.gid,
#'requester_id': lambda x: role.pk,
#'requester_app_label': lambda x: ContentType.objects.get_for_model(role).app_label,
#'requester_model': lambda x: ContentType.objects.get_for_model(role).model,
},
}, context_instance=RequestContext(request))
def acl_grant(request):
check_permissions(request.user, [ACLS_EDIT_ACL])
Permission.objects.check_permissions(request.user, [ACLS_EDIT_ACL])
items_property_list = loads(request.GET.get('items_property_list', []))
post_action_redirect = None
@@ -122,8 +114,15 @@ def acl_grant(request):
previous = request.POST.get('previous', request.GET.get('previous', request.META.get('HTTP_REFERER', None)))
items = {}
title_suffix = []
navigation_object = None
navigation_object_count = 0
for item_properties in items_property_list:
permission = get_object_or_404(Permission, pk=item_properties['permission_pk'])
try:
permission = Permission.objects.get({'pk': item_properties['permission_pk']})
except Permission.DoesNotExist:
raise Http404
try:
requester = AccessHolder.get(gid=item_properties['holder_gid'])
access_object = AccessObject.get(gid=item_properties['object_gid'])
@@ -133,52 +132,36 @@ def acl_grant(request):
items.setdefault(requester, {})
items[requester].setdefault(access_object, [])
items[requester][access_object].append(permission)
navigation_object = access_object
navigation_object_count += 1
title_suffix = []
for requester, access_objects_dict in items.items():
title_suffix.append(unicode(requester))
for access_object, permissions in access_objects_dict.items():
if len(permissions) == 1:
permissions_label = _(u'permission')
else:
permissions_label = _(u'permissions')
title_suffix.append(permission for permission in permissions)
title_suffix.append(unicode(access_object))
#title_suffix.append(_(u'the permissions'))
for requester, obj_ps in items.items():
for obj, ps in obj_ps.items():
title_suffix.append(_(u' and ').join([u'"%s"' % unicode(p) for p in ps]))
title_suffix.append(_(u' for %s') % obj)
title_suffix.append(_(u' to %s') % requester)
#items = access_objects[access_object]
#sorted_items = sorted(items, key=operator.itemgetter('requester'))
# Group items by requester
#groups = itertools.groupby(sorted_items, key=operator.itemgetter('requester'))
#grouped_items = [(grouper, [permission['permission'] for permission in group_data]) for grouper, group_data in groups]
#title_suffix
# Warning: trial and error black magic ahead
#title_suffix.append(_(u' and ').join([_(u'%s to %s') % (', '.join(['"%s"' % unicode(ps) for ps in p]), unicode(r)) for r, p in grouped_items]))
#if len(grouped_items) == 1 and len(grouped_items[0][1]) == 1:
# permissions_label = _(u'permission')
#else:
# permissions_label = _(u'permissions')
#title_suffix.append(_(t
print title_suffix
#title_suffix = _(u' and ').join(title_suffix)
permissions_label = _(u'permissions')
if len(items_property_list) == 1:
title_prefix = _(u'Are you sure you wish to grant the permission %(title_suffix)s?')
else:
title_prefix = _(u'Are you sure you wish to grant the permissions %(title_suffix)s?')
if request.method == 'POST':
for item in items:
if item['permission'].grant_to(item['requester']):
messages.success(request, _(u'Permission "%(permission)s" granted to: %(requester)s.') % {
'permission': item['permission'], 'requester': item['requester']})
else:
messages.warning(request, _(u'%(requester)s, already had the permission "%(permission)s" granted.') % {
'requester': item['requester'], 'permission': item['permission']})
for requester, object_permissions in items.items():
for obj, permissions in object_permissions.items():
for permission in permissions:
if AccessEntry.objects.grant(permission, requester.source_object, obj.source_object):
messages.success(request, _(u'Permission "%(permission)s" granted to %(requester)s for %(object)s.') % {
'permission': permission,
'requester': requester,
'object': obj
})
else:
messages.warning(request, _(u'%(requester)s, already had the permission "%(permission)s" granted for %(object)s.') % {
'requester': requester,
'permission': permission,
'object': obj,
})
return HttpResponseRedirect(next)
@@ -189,13 +172,172 @@ def acl_grant(request):
'form_icon': u'key_add.png',
}
context['title'] = _(u'Are you sure you wish to grant the %(permissions_label)s %(title_suffix)s?') % {
'permissions_label': permissions_label,
'title_suffix': title_suffix,
context['title'] = title_prefix % {
'title_suffix': u''.join(title_suffix),
}
if len(grouped_items) == 1:
context['object'] = grouped_items[0][0]
logger.debug('navigation_object_count: %d' % navigation_object_count)
logger.debug('navigation_object: %s' % navigation_object)
if navigation_object_count == 1:
context['object'] = navigation_object.source_object
return render_to_response('generic_confirm.html', context,
context_instance=RequestContext(request))
def acl_revoke(request):
Permission.objects.check_permissions(request.user, [ACLS_EDIT_ACL])
items_property_list = loads(request.GET.get('items_property_list', []))
post_action_redirect = None
next = request.POST.get('next', request.GET.get('next', request.META.get('HTTP_REFERER', None)))
previous = request.POST.get('previous', request.GET.get('previous', request.META.get('HTTP_REFERER', None)))
items = {}
title_suffix = []
navigation_object = None
navigation_object_count = 0
for item_properties in items_property_list:
try:
permission = Permission.objects.get({'pk': item_properties['permission_pk']})
except Permission.DoesNotExist:
raise Http404
try:
requester = AccessHolder.get(gid=item_properties['holder_gid'])
access_object = AccessObject.get(gid=item_properties['object_gid'])
except ObjectDoesNotExist:
raise Http404
items.setdefault(requester, {})
items[requester].setdefault(access_object, [])
items[requester][access_object].append(permission)
navigation_object = access_object
navigation_object_count += 1
for requester, obj_ps in items.items():
for obj, ps in obj_ps.items():
title_suffix.append(_(u' and ').join([u'"%s"' % unicode(p) for p in ps]))
title_suffix.append(_(u' for %s') % obj)
title_suffix.append(_(u' from %s') % requester)
if len(items_property_list) == 1:
title_prefix = _(u'Are you sure you wish to revoke the permission %(title_suffix)s?')
else:
title_prefix = _(u'Are you sure you wish to revoke the permissions %(title_suffix)s?')
if request.method == 'POST':
for requester, object_permissions in items.items():
for obj, permissions in object_permissions.items():
for permission in permissions:
if AccessEntry.objects.revoke(permission, requester.source_object, obj.source_object):
messages.success(request, _(u'Permission "%(permission)s" revoked of %(requester)s for %(object)s.') % {
'permission': permission,
'requester': requester,
'object': obj
})
else:
messages.warning(request, _(u'%(requester)s, didn\'t had the permission "%(permission)s" for %(object)s.') % {
'requester': requester,
'permission': permission,
'object': obj,
})
return HttpResponseRedirect(next)
context = {
'delete_view': True,
'previous': previous,
'next': next,
'form_icon': u'key_delete.png',
}
context['title'] = title_prefix % {
'title_suffix': u''.join(title_suffix),
}
logger.debug('navigation_object_count: %d' % navigation_object_count)
logger.debug('navigation_object: %s' % navigation_object)
if navigation_object_count == 1:
context['object'] = navigation_object.source_object
return render_to_response('generic_confirm.html', context,
context_instance=RequestContext(request))
'''
def get_role_members(role):
user_ct = ContentType.objects.get(model='user')
group_ct = ContentType.objects.get(model='group')
return [member.member_object for member in role.rolemember_set.filter(member_type__in=[user_ct, group_ct])]
def get_non_role_members(role):
#non members = all users - members - staff - super users
staff_users = User.objects.filter(is_staff=True)
super_users = User.objects.filter(is_superuser=True)
users = set(User.objects.exclude(pk__in=[member.pk for member in get_role_members(role)])) - set(staff_users) - set(super_users)
groups = set(Group.objects.exclude(pk__in=[member.pk for member in get_role_members(role)]))
return list(users | groups)
def add_role_member(role, selection):
model, pk = selection.split(u',')
ct = ContentType.objects.get(model=model)
new_member, created = RoleMember.objects.get_or_create(role=role, member_type=ct, member_id=pk)
if not created:
raise Exception
def remove_role_member(role, selection):
model, pk = selection.split(u',')
ct = ContentType.objects.get(model=model)
member = RoleMember.objects.get(role=role, member_type=ct, member_id=pk)
member.delete()
def role_members(request, role_id):
check_permissions(request.user, [PERMISSION_ROLE_EDIT])
role = get_object_or_404(Role, pk=role_id)
return assign_remove(
request,
left_list=lambda: generate_choices_w_labels(get_non_role_members(role)),
right_list=lambda: generate_choices_w_labels(get_role_members(role)),
add_method=lambda x: add_role_member(role, x),
remove_method=lambda x: remove_role_member(role, x),
left_list_title=_(u'non members of role: %s') % role,
right_list_title=_(u'members of role: %s') % role,
extra_context={
'object': role,
'object_name': _(u'role'),
}
)
'''
def acl_new_holder_for(request, obj, extra_context=None):
Permission.objects.check_permissions(request.user, [ACLS_EDIT_ACL])
if request.method == 'POST':
form = HolderSelectionForm(request.POST)
if form.is_valid():
try:
access_object = AccessObject.encapsulate(obj)
access_holder = AccessHolder.get(form.cleaned_data['holder_gid'])
return HttpResponseRedirect(reverse('acl_detail', args=[access_object.gid, access_holder.gid]))
except ObjectDoesNotExist:
raise Http404
else:
form = HolderSelectionForm()
context = {
'form': form,
'title': _(u'add new holder for: %s') % obj,
}
if extra_context:
context.update(extra_context)
return render_to_response('generic_form.html', context,
context_instance=RequestContext(request))