matthias/mayan-edms
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Files
0267c79b07a1a5e811a55dd4028ea099f497aa00
mayan-edms/mayan/apps/permissions/models.py
Roberto Rosario 0267c79b07 Backport test improvements 
Signed-off-by: Roberto Rosario <roberto.rosario.gonzalez@gmail.com>
2019-04-20 02:39:57 -04:00

124 lines
3.8 KiB
Python
Raw Blame History

from __future__ import unicode_literals
import logging
from django.contrib.auth.models import Group
from django.db import models
from django.urls import reverse
from django.utils.encoding import force_text, python_2_unicode_compatible
from django.utils.translation import ugettext_lazy as _
from .classes import Permission
from .managers import RoleManager, StoredPermissionManager
logger = logging.getLogger(__name__)
@python_2_unicode_compatible
class StoredPermission(models.Model):
"""
This model is the counterpart of the permissions.classes.Permission
class. Allows storing a database counterpart of a permission class.
It is used to store the permissions help by a role or in an ACL.
"""
namespace = models.CharField(max_length=64, verbose_name=_('Namespace'))
name = models.CharField(max_length=64, verbose_name=_('Name'))
objects = StoredPermissionManager()
class Meta:
ordering = ('namespace',)
unique_together = ('namespace', 'name')
verbose_name = _('Permission')
verbose_name_plural = _('Permissions')
def __str__(self):
try:
return force_text(self.volatile_permission)
except KeyError:
return self.name
@property
def volatile_permission_id(self):
"""
Return the identifier of the real permission class represented by
this model instance.
"""
return '{}.{}'.format(self.namespace, self.name)
@property
def volatile_permission(self):
"""
Returns the real class of the permission represented by this model
instance.
"""
return Permission.get(
pk=self.volatile_permission_id, proxy_only=True
)
def natural_key(self):
return (self.namespace, self.name)
def user_has_this(self, user):
"""
Helper method to check if an user has been granted this permission.
The check is done sequentially over all of the user's groups and
roles. The check is interrupted at the first positive result.
The check always returns True for superusers or staff users.
"""
if user.is_superuser or user.is_staff:
logger.debug(
'Permission "%s" granted to user "%s" as superuser or staff',
self, user
)
return True
if Role.objects.filter(groups__user=user, permissions=self).exists():
return True
else:
logger.debug(
'Fallthru: Permission "%s" not granted to user "%s"', self, user
)
return False
@python_2_unicode_compatible
class Role(models.Model):
"""
This model represents a Role. Roles are permission units. They are the
only object to which permissions can be granted. They are themselves
containers too, containing Groups, which are organization units. Roles
are the basic method to grant a permission to a group. Permissions granted
to a group using a role, are granted for the entire system.
"""
label = models.CharField(
max_length=64, unique=True, verbose_name=_('Label')
)
permissions = models.ManyToManyField(
related_name='roles', to=StoredPermission,
verbose_name=_('Permissions')
)
groups = models.ManyToManyField(
related_name='roles', to=Group, verbose_name=_('Groups')
)
objects = RoleManager()
class Meta:
ordering = ('label',)
verbose_name = _('Role')
verbose_name_plural = _('Roles')
def __str__(self):
return self.label
def get_absolute_url(self):
return reverse(viewname='permissions:role_list')
def grant(self, permission):
self.permissions.add(permission.stored_permission)
def natural_key(self):
return (self.label,)
natural_key.dependencies = ['auth.Group', 'permissions.StoredPermission']
Reference in New Issue View Git Blame Copy Permalink