diff --git a/apps/acls/__init__.py b/apps/acls/__init__.py index 283a75c662..6753b2779b 100644 --- a/apps/acls/__init__.py +++ b/apps/acls/__init__.py @@ -13,6 +13,7 @@ ACLS_VIEW_ACL = Permission.objects.register(acls_namespace, 'acl_view', _(u'View acl_list = {'text': _(u'ACLs'), 'view': 'acl_list', 'famfam': 'lock', 'permissions': [ACLS_VIEW_ACL]} acl_detail = {'text': _(u'edit'), 'view': 'acl_detail', 'args': ['access_object.gid', 'object.gid'], 'famfam': 'lock', 'permissions': [ACLS_VIEW_ACL]} acl_grant = {'text': _(u'grant'), 'view': 'acl_multiple_grant', 'famfam': 'key_add', 'permissions': [ACLS_EDIT_ACL]} +acl_revoke = {'text': _(u'revoke'), 'view': 'acl_multiple_revoke', 'famfam': 'key_delete', 'permissions': [ACLS_EDIT_ACL]} register_links(AccessHolder, [acl_detail]) -register_multi_item_links(['acl_detail'], [acl_grant])#, permission_revoke]) +register_multi_item_links(['acl_detail'], [acl_grant, acl_revoke]) diff --git a/apps/acls/urls.py b/apps/acls/urls.py index 1570140c5e..2f70970766 100644 --- a/apps/acls/urls.py +++ b/apps/acls/urls.py @@ -1,17 +1,11 @@ from django.conf.urls.defaults import patterns, url urlpatterns = patterns('acls.views', + url(r'^new_holder_for/(?P[-\w]+)/(?P[-\w]+)/(?P\d+)/$', 'acl_new_holder_for', (), 'acl_new_holder_for'), url(r'^list_for/(?P[-\w]+)/(?P[-\w]+)/(?P\d+)/$', 'acl_list', (), 'acl_list'), #url(r'^object/(?P[-\w]+)/(?P[-\w]+)/(?P\d+)/holder/(?P[-\w]+)/(?P[-\w]+)/(?P\d+)/$', 'acl_detail', (), 'acl_detail'), url(r'^details/(?P[.\w]+)/holder/(?P[.\w]+)/$', 'acl_detail', (), 'acl_detail'), - -# url(r'^role/list/$', 'role_list', (), 'role_list'), -# url(r'^role/create/$', 'role_create', (), 'role_create'), -# url(r'^role/(?P\d+)/permissions/$', 'role_permissions', (), 'role_permissions'), -# url(r'^role/(?P\d+)/edit/$', 'role_edit', (), 'role_edit'), -# url(r'^role/(?P\d+)/delete/$', 'role_delete', (), 'role_delete'), -# url(r'^role/(?P\d+)/members/$', 'role_members', (), 'role_members'), -# + url(r'^multiple/grant/$', 'acl_grant', (), 'acl_multiple_grant'), -# url(r'^permissions/multiple/revoke/$', 'permission_revoke', (), 'permission_multiple_revoke'), + url(r'^multiple/revoke/$', 'acl_revoke', (), 'acl_multiple_revoke'), ) diff --git a/apps/acls/views.py b/apps/acls/views.py index eab8f25f73..6bad2858c7 100644 --- a/apps/acls/views.py +++ b/apps/acls/views.py @@ -1,3 +1,4 @@ +import logging import operator import itertools @@ -14,41 +15,36 @@ from django.contrib.auth.models import User, Group from django.core.exceptions import ObjectDoesNotExist from django.utils.simplejson import loads -from permissions.api import check_permissions, namespace_titles, get_permission_label, get_permission_namespace_label -from permissions.models import Permission +from permissions.models import Permission, Role from common.utils import generate_choices_w_labels, encapsulate from common.widgets import two_state_template from acls import ACLS_EDIT_ACL, ACLS_VIEW_ACL from acls.models import AccessEntry, AccessObject, AccessHolder from acls.widgets import object_w_content_type_icon +from acls.forms import HolderSelectionForm + +logger = logging.getLogger(__name__) def _permission_titles(permission_list): - return u', '.join([get_permission_label(permission) for permission in permission_list]) + return u', '.join([unicode(permission) for permission in permission_list]) def acl_list_for(request, obj, extra_context=None): - #check_permissions(request.user, [ACLS_VIEW_ACL]) + Permission.objects.check_permissions(request.user, [ACLS_VIEW_ACL]) ct = ContentType.objects.get_for_model(obj) context = { - #'app_label': ct.app_label, - #'model_name': ct.model, 'object_list': AccessEntry.objects.get_holders_for(obj), 'title': _(u'access control lists for: %s' % obj), #'multi_select_as_buttons': True, #'hide_links': True, 'extra_columns': [ - #{'name': _(u'holder'), 'attribute': 'label'}, - #{'name': _(u'obj'), 'attribute': 'holder_object'}, - #{'name': _(u'gid'), 'attribute': 'gid'}, {'name': _(u'holder'), 'attribute': encapsulate(lambda x: object_w_content_type_icon(x.source_object))}, - {'name': _(u'permissions'), 'attribute': encapsulate(lambda x: _permission_titles(AccessEntry.objects.get_permissions_for_holder(obj, x.source_object)))}, - #{'name': _(u'arguments'), 'attribute': 'arguments'} + {'name': _(u'permissions'), 'attribute': encapsulate(lambda x: _permission_titles(AccessEntry.objects.get_holder_permissions_for(obj, x.source_object)))}, ], - #'hide_link': True, 'hide_object': True, 'access_object': AccessObject.encapsulate(obj) } @@ -67,7 +63,7 @@ def acl_list(request, app_label, model_name, object_id): def acl_detail(request, access_object_gid, holder_object_gid): - #check_permissions(request.user, [ACLS_VIEW_ACL, ACLS_EDIT_ACL]) + Permission.objects.check_permissions(request.user, [ACLS_VIEW_ACL, ACLS_EDIT_ACL]) try: holder = AccessHolder.get(gid=holder_object_gid) @@ -75,7 +71,7 @@ def acl_detail(request, access_object_gid, holder_object_gid): except ObjectDoesNotExist: raise Http404 - permission_list = list(set(AccessEntry.objects.get_permissions_for_holder(access_object.source_object, request.user))) + permission_list = list(access_object.get_class_permissions()) #TODO : get all globally assigned permission, new function get_permissions_for_holder (roles aware) subtemplates_list = [ { @@ -84,8 +80,8 @@ def acl_detail(request, access_object_gid, holder_object_gid): 'title': _(u'permissions held by: %s for %s' % (holder, access_object)), 'object_list': permission_list, 'extra_columns': [ - {'name': _(u'namespace'), 'attribute': encapsulate(lambda x: get_permission_namespace_label(x))}, - {'name': _(u'name'), 'attribute': encapsulate(lambda x: get_permission_label(x))}, + {'name': _(u'namespace'), 'attribute': 'namespace'}, + {'name': _(u'label'), 'attribute': 'label'}, { 'name':_(u'has permission'), 'attribute': encapsulate(lambda x: two_state_template(AccessEntry.objects.has_accesses(x, holder.source_object, access_object.source_object))) @@ -98,7 +94,6 @@ def acl_detail(request, access_object_gid, holder_object_gid): ] return render_to_response('generic_detail.html', { - #'form': form, 'object': access_object.obj, 'subtemplates_list': subtemplates_list, 'multi_select_as_buttons': True, @@ -106,15 +101,12 @@ def acl_detail(request, access_object_gid, holder_object_gid): 'permission_pk': lambda x: x.pk, 'holder_gid': lambda x: holder.gid, 'object_gid': lambda x: access_object.gid, - #'requester_id': lambda x: role.pk, - #'requester_app_label': lambda x: ContentType.objects.get_for_model(role).app_label, - #'requester_model': lambda x: ContentType.objects.get_for_model(role).model, }, }, context_instance=RequestContext(request)) def acl_grant(request): - check_permissions(request.user, [ACLS_EDIT_ACL]) + Permission.objects.check_permissions(request.user, [ACLS_EDIT_ACL]) items_property_list = loads(request.GET.get('items_property_list', [])) post_action_redirect = None @@ -122,8 +114,15 @@ def acl_grant(request): previous = request.POST.get('previous', request.GET.get('previous', request.META.get('HTTP_REFERER', None))) items = {} + title_suffix = [] + navigation_object = None + navigation_object_count = 0 + for item_properties in items_property_list: - permission = get_object_or_404(Permission, pk=item_properties['permission_pk']) + try: + permission = Permission.objects.get({'pk': item_properties['permission_pk']}) + except Permission.DoesNotExist: + raise Http404 try: requester = AccessHolder.get(gid=item_properties['holder_gid']) access_object = AccessObject.get(gid=item_properties['object_gid']) @@ -133,52 +132,36 @@ def acl_grant(request): items.setdefault(requester, {}) items[requester].setdefault(access_object, []) items[requester][access_object].append(permission) + navigation_object = access_object + navigation_object_count += 1 - title_suffix = [] - for requester, access_objects_dict in items.items(): - title_suffix.append(unicode(requester)) - for access_object, permissions in access_objects_dict.items(): - if len(permissions) == 1: - permissions_label = _(u'permission') - else: - permissions_label = _(u'permissions') - - title_suffix.append(permission for permission in permissions) - - - title_suffix.append(unicode(access_object)) - #title_suffix.append(_(u'the permissions')) + for requester, obj_ps in items.items(): + for obj, ps in obj_ps.items(): + title_suffix.append(_(u' and ').join([u'"%s"' % unicode(p) for p in ps])) + title_suffix.append(_(u' for %s') % obj) + title_suffix.append(_(u' to %s') % requester) - - #items = access_objects[access_object] - #sorted_items = sorted(items, key=operator.itemgetter('requester')) - - # Group items by requester - #groups = itertools.groupby(sorted_items, key=operator.itemgetter('requester')) - #grouped_items = [(grouper, [permission['permission'] for permission in group_data]) for grouper, group_data in groups] - - #title_suffix - # Warning: trial and error black magic ahead - #title_suffix.append(_(u' and ').join([_(u'%s to %s') % (', '.join(['"%s"' % unicode(ps) for ps in p]), unicode(r)) for r, p in grouped_items])) - - #if len(grouped_items) == 1 and len(grouped_items[0][1]) == 1: - # permissions_label = _(u'permission') - #else: - # permissions_label = _(u'permissions') - #title_suffix.append(_(t - - print title_suffix - #title_suffix = _(u' and ').join(title_suffix) - permissions_label = _(u'permissions') + if len(items_property_list) == 1: + title_prefix = _(u'Are you sure you wish to grant the permission %(title_suffix)s?') + else: + title_prefix = _(u'Are you sure you wish to grant the permissions %(title_suffix)s?') if request.method == 'POST': - for item in items: - if item['permission'].grant_to(item['requester']): - messages.success(request, _(u'Permission "%(permission)s" granted to: %(requester)s.') % { - 'permission': item['permission'], 'requester': item['requester']}) - else: - messages.warning(request, _(u'%(requester)s, already had the permission "%(permission)s" granted.') % { - 'requester': item['requester'], 'permission': item['permission']}) + for requester, object_permissions in items.items(): + for obj, permissions in object_permissions.items(): + for permission in permissions: + if AccessEntry.objects.grant(permission, requester.source_object, obj.source_object): + messages.success(request, _(u'Permission "%(permission)s" granted to %(requester)s for %(object)s.') % { + 'permission': permission, + 'requester': requester, + 'object': obj + }) + else: + messages.warning(request, _(u'%(requester)s, already had the permission "%(permission)s" granted for %(object)s.') % { + 'requester': requester, + 'permission': permission, + 'object': obj, + }) return HttpResponseRedirect(next) @@ -189,13 +172,172 @@ def acl_grant(request): 'form_icon': u'key_add.png', } - context['title'] = _(u'Are you sure you wish to grant the %(permissions_label)s %(title_suffix)s?') % { - 'permissions_label': permissions_label, - 'title_suffix': title_suffix, + context['title'] = title_prefix % { + 'title_suffix': u''.join(title_suffix), } - if len(grouped_items) == 1: - context['object'] = grouped_items[0][0] + logger.debug('navigation_object_count: %d' % navigation_object_count) + logger.debug('navigation_object: %s' % navigation_object) + if navigation_object_count == 1: + context['object'] = navigation_object.source_object return render_to_response('generic_confirm.html', context, context_instance=RequestContext(request)) + + +def acl_revoke(request): + Permission.objects.check_permissions(request.user, [ACLS_EDIT_ACL]) + items_property_list = loads(request.GET.get('items_property_list', [])) + post_action_redirect = None + + next = request.POST.get('next', request.GET.get('next', request.META.get('HTTP_REFERER', None))) + previous = request.POST.get('previous', request.GET.get('previous', request.META.get('HTTP_REFERER', None))) + + items = {} + title_suffix = [] + navigation_object = None + navigation_object_count = 0 + + for item_properties in items_property_list: + try: + permission = Permission.objects.get({'pk': item_properties['permission_pk']}) + except Permission.DoesNotExist: + raise Http404 + try: + requester = AccessHolder.get(gid=item_properties['holder_gid']) + access_object = AccessObject.get(gid=item_properties['object_gid']) + except ObjectDoesNotExist: + raise Http404 + + items.setdefault(requester, {}) + items[requester].setdefault(access_object, []) + items[requester][access_object].append(permission) + navigation_object = access_object + navigation_object_count += 1 + + for requester, obj_ps in items.items(): + for obj, ps in obj_ps.items(): + title_suffix.append(_(u' and ').join([u'"%s"' % unicode(p) for p in ps])) + title_suffix.append(_(u' for %s') % obj) + title_suffix.append(_(u' from %s') % requester) + + if len(items_property_list) == 1: + title_prefix = _(u'Are you sure you wish to revoke the permission %(title_suffix)s?') + else: + title_prefix = _(u'Are you sure you wish to revoke the permissions %(title_suffix)s?') + + if request.method == 'POST': + for requester, object_permissions in items.items(): + for obj, permissions in object_permissions.items(): + for permission in permissions: + if AccessEntry.objects.revoke(permission, requester.source_object, obj.source_object): + messages.success(request, _(u'Permission "%(permission)s" revoked of %(requester)s for %(object)s.') % { + 'permission': permission, + 'requester': requester, + 'object': obj + }) + else: + messages.warning(request, _(u'%(requester)s, didn\'t had the permission "%(permission)s" for %(object)s.') % { + 'requester': requester, + 'permission': permission, + 'object': obj, + }) + + return HttpResponseRedirect(next) + + context = { + 'delete_view': True, + 'previous': previous, + 'next': next, + 'form_icon': u'key_delete.png', + } + + context['title'] = title_prefix % { + 'title_suffix': u''.join(title_suffix), + } + + logger.debug('navigation_object_count: %d' % navigation_object_count) + logger.debug('navigation_object: %s' % navigation_object) + if navigation_object_count == 1: + context['object'] = navigation_object.source_object + + return render_to_response('generic_confirm.html', context, + context_instance=RequestContext(request)) + +''' +def get_role_members(role): + user_ct = ContentType.objects.get(model='user') + group_ct = ContentType.objects.get(model='group') + return [member.member_object for member in role.rolemember_set.filter(member_type__in=[user_ct, group_ct])] + + +def get_non_role_members(role): + #non members = all users - members - staff - super users + staff_users = User.objects.filter(is_staff=True) + super_users = User.objects.filter(is_superuser=True) + users = set(User.objects.exclude(pk__in=[member.pk for member in get_role_members(role)])) - set(staff_users) - set(super_users) + groups = set(Group.objects.exclude(pk__in=[member.pk for member in get_role_members(role)])) + return list(users | groups) + + +def add_role_member(role, selection): + model, pk = selection.split(u',') + ct = ContentType.objects.get(model=model) + new_member, created = RoleMember.objects.get_or_create(role=role, member_type=ct, member_id=pk) + if not created: + raise Exception + + +def remove_role_member(role, selection): + model, pk = selection.split(u',') + ct = ContentType.objects.get(model=model) + member = RoleMember.objects.get(role=role, member_type=ct, member_id=pk) + member.delete() + +def role_members(request, role_id): + check_permissions(request.user, [PERMISSION_ROLE_EDIT]) + role = get_object_or_404(Role, pk=role_id) + + return assign_remove( + request, + left_list=lambda: generate_choices_w_labels(get_non_role_members(role)), + right_list=lambda: generate_choices_w_labels(get_role_members(role)), + add_method=lambda x: add_role_member(role, x), + remove_method=lambda x: remove_role_member(role, x), + left_list_title=_(u'non members of role: %s') % role, + right_list_title=_(u'members of role: %s') % role, + extra_context={ + 'object': role, + 'object_name': _(u'role'), + } + ) +''' + + +def acl_new_holder_for(request, obj, extra_context=None): + Permission.objects.check_permissions(request.user, [ACLS_EDIT_ACL]) + + if request.method == 'POST': + form = HolderSelectionForm(request.POST) + if form.is_valid(): + try: + access_object = AccessObject.encapsulate(obj) + access_holder = AccessHolder.get(form.cleaned_data['holder_gid']) + + return HttpResponseRedirect(reverse('acl_detail', args=[access_object.gid, access_holder.gid])) + except ObjectDoesNotExist: + raise Http404 + else: + form = HolderSelectionForm() + + context = { + 'form': form, + 'title': _(u'add new holder for: %s') % obj, + } + + if extra_context: + context.update(extra_context) + + return render_to_response('generic_form.html', context, + context_instance=RequestContext(request)) +