def security (db, ** kw) :
roles = \
[ ("Guest", "Allowed to view everything")
, ("Logger", "Allowed to add and change measurements")
]
classes = \
[ ("device", ["User", "Guest", "Logger"], ["Logger"])
, ("device_group", ["User", "Guest", "Logger"], ["User"])
, ("logstyle", ["User", "Guest", "Logger"], [])
, ("measurement", ["User", "Guest", "Logger"], ["Logger"])
, ("sensor", ["User", "Guest", "Logger"], ["Logger"])
, ("transceiver", ["User", "Guest", "Logger"], ["Logger"])
, ("alarm", ["User", "Guest", "Logger"], ["User", "Logger"])
]
prop_perms = \
[ ( "device", "Edit", ["User"]
, ( "name", "sint", "mint", "gapint", "rec", "device_group"
, "mint_pending", "sint_pending"
)
)
, ( "sensor", "Edit", ["User"]
, ("almin", "almax", "do_logging"
)
)
, ( "transceiver", "Edit", ["User"]
, ("name", "tty", "sint", "mint", "mint_pending", "sint_pending")
)
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
def security (db, ** kw) :
roles = \
[ ("Discount" , "Allowed to add/change discounts")
, ("Letter" , "Allowed to add/change templates and letters")
, ("Product" , "Allowed to add/change product data")
]
classes = \
[ ("address", ["User"], ["Contact"])
, ("bank_account", ["User"], ["Contact"])
, ("cust_supp", ["User"], ["Contact"])
, ("customer_group", ["User"], [])
, ("customer_status", ["User"], [])
, ("customer_type", ["User"], [])
, ("discount_group", ["User"], ["Discount"])
, ("dispatch_type", ["User"], [])
, ("group_discount", ["User"], ["Discount"])
, ("invoice_dispatch", ["User"], [])
, ("letter", ["User"], ["Letter"])
, ("measuring_unit", ["User"], [])
, ("overall_discount", ["User"], ["Discount"])
, ("packaging_unit", ["User"], [])
, ("pharma_ref", ["User"], [])
, ("proceeds_group", ["User"], [])
, ("product", ["User"], ["Product"])
, ("product_group", ["User"], ["Product"])
, ("product_status", ["User"], [])
, ("sales_conditions", ["User"], [])
, ("shelf_life_code", ["User"], [])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
def security(db, **kw):
roles = \
[ ("Contact" , "Allowed to add/change address data")
]
classes = \
[ ("file", ["User", "Adr_Readonly"], ["User"])
, ("msg", ["User", "Adr_Readonly"], ["User"])
, ("address", ["Contact", "Adr_Readonly", "User"], ["User"])
, ("contact", ["Contact", "Adr_Readonly", "User"], ["Contact"])
, ("weekday", ["Contact", "Adr_Readonly", "User"], [])
, ("opening_hours", ["Contact", "Adr_Readonly", "User"], ["User"])
]
prop_perms = \
[ ( "user", "View", ["User"]
, ( "activity", "actor", "address", "alternate_addresses"
, "creation", "creator", "id", "queries", "realname"
, "status", "timezone", "username"
)
)
, ( "user", "View", ["Adr_Readonly"]
, ( "username", "realname")
)
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, prop_perms)
schemadef.allow_user_details \
(db, 'User', 'Edit', 'address', 'alternate_addresses')
schemadef.allow_user_details \
(db, 'Adr_Readonly', 'Edit', 'address', 'alternate_addresses')
def security (db, ** kw) :
roles = \
[ ("Abo" , "Allowed to modify subscriptions")
, ("Invoice" , "Allowed to change financial data")
, ("Letter" , "Allowed to add/change templates and letters")
, ("Product" , "Allowed to create/edit products")
]
classes = \
[ ("abo_price" , ["User"], ["Product"])
, ("abo_type" , ["Abo", "Product", "Invoice"],
["Product", "Abo", "Invoice"])
, ("abo" , ["Abo", "Product", "Invoice"],
["Abo"])
, ("address" , ["User"], ["User"])
, ("contact_type" , ["User"], [])
, ("currency" , ["User"], ["Product"])
, ("invoice_group" , ["Invoice"], ["Invoice"])
, ("invoice_template" , ["Invoice"], ["Invoice"])
, ("invoice" , ["Invoice"], ["Invoice"])
, ("letter" , ["User"], ["Abo", "Letter"])
, ("query" , ["User"], ["User"])
, ("tmplate" , ["User"], ["Abo", "Invoice", "Letter"])
, ("valid" , ["User"], [])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) :
roles = \
[ ("MsgEdit", "Allowed to edit message properties")
, ("MsgSync", "Allowed to sync message with ext. tracker")
, ("Issue_Admin", "Admin for issue tracker")
]
# classname allowed to view
# allowed to edit
classes = \
[ ("ext_tracker", ["User"],
["Issue_Admin"]
)
, ("ext_msg", ["MsgEdit", "MsgSync"],
["MsgSync"]
)
, ("ext_tracker_type", ["MsgEdit", "MsgSync", "User"],
[]
)
, ("ext_tracker_state", ["MsgEdit", "MsgSync", "User"],
["MsgSync", "User"]
)
]
prop_perms = []
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
p = db.security.addPermission \
( name = 'Search'
, klass = 'msg'
, properties = ("date", "id")
)
db.security.addPermissionToRole ('MsgEdit', p)
db.security.addPermissionToRole ('MsgSync', p)
def security (db, ** kw) :
roles = \
[ ("IT" , "IT-Department" )
, ("ITView" , "View but not change IT data" )
]
# classname allowed to view / edit
classes = \
[ ("alias", ["IT", "ITView"], ["IT"])
, ("dns_record_type", ["IT", "ITView"], [])
, ("group", ["IT", "ITView"], ["IT"])
, ("ip_subnet", ["IT", "ITView"], ["IT"])
, ("machine", ["IT", "ITView"], ["IT"])
, ("machine_name", ["IT", "ITView"], ["IT"])
, ("network_address", ["IT", "ITView"], ["IT"])
, ("network_interface", ["IT", "ITView"], ["IT"])
, ("operating_system", ["IT", "ITView"], ["IT"])
, ("smb_domain", ["IT", "ITView"], ["IT"])
, ("smb_machine", ["IT", "ITView"], ["IT"])
]
prop_perms = \
[ ( "location", "Edit", ["IT"]
, ("domain_part",)
)
, ( "org_location", "Edit", ["IT"]
, ("smb_domain", "dhcp_server", "domino_dn")
)
, ( "organisation", "Edit", ["IT"]
, ("domain_part",)
)
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
def security(db, **kw):
roles = \
[ ("Dom-User-Edit-GTT", "Edit/Create users with specific AD domain")
]
# classname allowed to view / edit
classes = \
[ ("job_log", ["User"], ["Dom-User-Edit-GTT"])
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, ())
def security (db, ** kw) :
roles = \
[ ("Issue_Admin", "Admin for issue tracker")
]
# classname allowed to view / edit
classes = \
[ ("doc_issue_status", ["User"], ["Issue_Admin"])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, ())
def security(db, **kw):
roles = \
[ ("Issue_Admin", "Admin for issue tracker")
, ("Nosy", "Allowed on nosy list")
]
# classname allowed to view / edit
classes = \
[ ("keyword", ["User"], ["Issue_Admin"])
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, ())
def security (db, ** kw) :
roles = \
[ ("Letter" , "Allowed to add/change templates and letters")
]
classes = \
[ ("tmplate" , ["User"], ["Letter"])
, ("tmplate_status" , ["User"], [])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) :
roles = \
[ ("Contact" , "Allowed to add/change address data")
]
classes = \
[ ("opening_hours" , ["User"], ["Contact"])
, ("weekday" , ["User"], [])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) :
roles = [ ("SupportAdmin", "Customer support department") ]
# classname allowed to view / edit
classes = \
[ ("sup_status", ["User"], [])
, ("sup_prio", ["User"], [])
, ("sup_type", ["User"], [])
, ("sup_warranty", ["User"], [])
, ("sup_execution", ["User"], [])
, ("business_unit", ["User"], [])
, ("product", ["User"], [])
, ("support", ["SupportAdmin"], ["SupportAdmin"])
, ("customer", ["User", "SupportAdmin"], ["SupportAdmin"])
, ("contact", ["User", "SupportAdmin"], ["SupportAdmin"])
, ("mailgroup", ["User", "SupportAdmin"], ["SupportAdmin", "IT"])
, ("sup_classification",
["User", "SupportAdmin"], ["SupportAdmin"])
, ("customer_agreement",
["User", "SupportAdmin"], ["SupportAdmin"])
, ("analysis_result",
["User", "SupportAdmin"], ["SupportAdmin"])
, ("return_type",
["User", "SupportAdmin"], ["SupportAdmin"])
]
if 'adr_type' in db.classes :
classes.append (( "adr_type"
, ["User", "SupportAdmin"]
, ["SupportAdmin"]
))
classes.append (( "adr_type_cat"
, ["User", "SupportAdmin"]
, ["SupportAdmin"]
))
prop_perms = []
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
db.security.addPermissionToRole ('User', 'Create', 'support')
db.security.addPermissionToRole ('SupportAdmin', 'Create', 'support')
schemadef.register_confidentiality_check \
(db, 'User', 'support', ('View',))
exc_props = dict.fromkeys (('first_reply', 'satisfied'))
props = dict (db.support.properties)
for p in exc_props :
del props [p]
schemadef.register_confidentiality_check \
(db, 'User', 'support', ('Edit',), * props.keys ())
schemadef.register_nosy_classes (db, ['support'])
schemadef.add_search_permission (db, 'support', 'User')
def security (db, ** kw) :
roles = \
[ ("Invoice" , "Allowed to change financial data")
]
classes = \
[ ("currency", ["User"], [])
, ("invoice_template", ["Invoice"], ["Invoice"])
, ("payment", ["Invoice"], ["Invoice"])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
def security(db, **kw):
roles = \
[ ("Contact" , "Allowed to add/change address data")
]
classes = \
[ ("contact_type", ["User"], [])
, ("contact", ["User"], ["Contact"])
]
if 'adr_readonly' in db.security.role:
classes[0][1].append('Adr_Readonly')
classes[1][1].append('Adr_Readonly')
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, [])
def security (db, ** kw) :
roles = ( ("Doc_Admin", "Admin for documents (e.g. QM)")
, ("Nosy", "Allowed on nosy list")
)
prop_perms = (("department", "Edit", ("Doc_Admin", ), ("doc_num", )), )
classes = \
( ("doc" , ("User",), ("Doc_Admin", "User"))
, ("artefact" , ("User",), ("Doc_Admin",))
, ("product_type", ("User",), ("Doc_Admin",))
, ("reference" , ("User",), ("Doc_Admin",))
, ("doc_status" , ("User",), ("Doc_Admin",))
)
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
schemadef.register_nosy_classes (db, ['doc'])
def security (db, ** kw) :
roles = \
[ ("Issue_Admin", "Admin for issue tracker")
, ("Nosy", "Allowed on nosy list")
]
# classname allowed to view / edit
classes = \
[ ("issue", ["Issue_Admin"], ["Issue_Admin"])
, ("status", ["User"], ["Issue_Admin"])
, ("prio", ["User"], ["Issue_Admin"])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, ())
schemadef.register_nosy_classes (db, ['issue'])
db.security.addPermissionToRole ('User', 'Create', 'issue')
schemadef.add_search_permission (db, 'issue', 'User')
def security (db, ** kw) :
roles = \
[ ("Type" , "Allowed to add/change type codes")
, ("Adr_Readonly" , "Allowed to read address and contact data")
]
classes = \
[ ("adr_type" , ["User", "Adr_Readonly"], ["Type"])
, ("adr_type_cat" , ["User", "Adr_Readonly"], ["Type"])
, ("valid" , ["User", "Adr_Readonly"], [])
]
if 'address' in db.classes :
classes.append (("address", ["Adr_Readonly"], []))
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
db.security.addPermissionToRole ('Adr_Readonly', 'Web Access')
def security (db, ** kw) :
roles = \
[ ("KPM-Admin", "Admin for KPM multiselect fields")
]
# classname allowed to view / edit
classes = \
[ ("fault_frequency", ["User"], [])
, ("kpm_function", ["User"], ["KPM-Admin"])
, ("kpm_hw_variant", ["User"], ["KPM-Admin"])
, ("kpm_occurrence", ["User"], ["KPM-Admin"])
, ("kpm_release", ["User"], ["KPM-Admin"])
, ("kpm_tag", ["User"], ["KPM-Admin"])
, ("kpm", ["User"], ["User"])
]
prop_perms = []
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
def security (db, ** kw) :
""" See the configuration and customisation document for information
about security setup.
"""
roles = \
[ ("HR", "Human Resources team")
, ("HR-Org-Location", "Human Resources team in this Org-Location")
, ("Controlling", "Controlling")
, ("Office", "Member of Office")
, ("Facility", "Role to edit room assignments")
]
# classname allowed to view / edit
classes = \
[ ("department", ["User"], ["Controlling"])
, ("location", ["User"], ["HR"])
, ("organisation", ["User"], ["HR", "Controlling"])
, ("org_location", ["User"], ["HR"])
, ("room", ["User"], ["HR", "Office", "Facility"])
, ("sex", ["User"], [])
# , ("user", See below -- individual fields)
]
prop_perms = \
[ ( "user", "View", ["Controlling"], ("roles",))
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
# HR should be able to create new users:
db.security.addPermissionToRole ("HR", "Create", "user")
# Retire/Restore permission for room
for perm in 'Retire', 'Restore' :
p = db.security.addPermission \
( name = perm
, klass = 'room'
)
for role in ("HR", "Office", "Facility") :
db.security.addPermissionToRole (role, p)
def security (db, ** kw) :
""" See the configuration and customisation document for information
about security setup.
"""
roles = \
[ ("Controlling", "Controlling")
]
# classname allowed to view / edit
classes = \
[ ("organisation", ["User"], ["Controlling"])
]
prop_perms = []
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
def security(db, **kw):
roles = \
[ ("PBX", "Allowed to edit pbx data")
]
classes = \
[ ("sip_device", ["PBX"], ["PBX"])
]
prop_perms = \
[ ("sip_device", "View", ["User"]
, ("name", "id")
)
, ("user", "View", ["PBX", "User"]
, ("sip_device",)
)
, ("user", "Edit", ["PBX"]
, ("sip_device",)
)
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, prop_perms)
def init(db, Ext_Class, String, Link, Multilink, **kw):
class Ext_Issue_Class(Ext_Class):
""" extends the Ext_Class with some attributes
"""
def __init__(self, db, classname, **properties):
self.update_properties \
( title = String (indexme = "yes")
, responsible = Link ("user"
, msg_header_property = 'username'
)
, nosy = Multilink ("user", do_journal = "no")
, messages = Multilink ("msg")
)
Ext_Class.__init__(self, db, classname, **properties)
# end def __init__
# end class Ext_Issue_Class
roles = [("Nosy", "Allowed on nosy list")]
register_roles(db, roles)
return dict(Ext_Issue_Class=Ext_Issue_Class)
def security(db, **kw):
roles = \
[ ("Contact" , "Allowed to add/change address data")
]
classes = \
[ ("file", ["User", "Adr_Readonly"], ["User"])
, ("msg", ["User", "Adr_Readonly"], ["User"])
, ("address", ["Contact", "Adr_Readonly", "User"], ["User"])
, ("contact", ["Contact", "Adr_Readonly", "User"], ["Contact"])
, ("weekday", ["Contact", "Adr_Readonly", "User"], [])
, ("opening_hours", ["Contact", "Adr_Readonly", "User"], ["User"])
]
prop_perms = \
[ ( "user", "View", ["User"]
, ( "activity", "actor", "address", "alternate_addresses"
, "clearance_by", "creation", "creator", "department"
, "firstname", "id", "job_description", "lastname"
, "lunch_duration", "lunch_start", "nickname"
, "pictures", "position", "queries", "realname", "room", "sex"
, "status", "subst_active", "subst_until", "substitute"
, "supervisor", "timezone"
, "title", "username", "home_directory", "login_shell"
, "samba_home_drive", "samba_home_path"
)
)
, ( "user", "View", ["Adr_Readonly"]
, ( "username", "realname")
)
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, prop_perms)
schemadef.allow_user_details \
(db, 'User', 'Edit', 'address', 'alternate_addresses')
schemadef.allow_user_details \
(db, 'Adr_Readonly', 'Edit', 'address', 'alternate_addresses')
def security (db, ** kw) :
roles = \
[ ("IT", "IT-Department")
, ("ITView", "View but not change IT data")
, ("Nosy", "Allowed on nosy list")
, ("Sec-Incident-Responsible", "Responsible for Security-Incident")
, ("Sec-Incident-Nosy", "Nosy-List for Security-Incident")
]
# classname allowed to view / edit
classes = \
[ ("it_category", ["User"], ["IT"])
, ("it_int_prio", [ "IT", "ITView"
, "Sec-Incident-Nosy"
, "Sec-Incident-Responsible"], ["IT"])
, ("it_issue_status", ["User"], [])
, ("it_issue", [ "IT", "ITView"
, "Sec-Incident-Nosy"
, "Sec-Incident-Responsible"], ["IT"])
, ("it_prio", ["User"], [])
, ("it_project", [ "IT", "ITView"
, "Sec-Incident-Nosy"
, "Sec-Incident-Responsible"], ["IT"])
, ("it_project_status", ["User"], [])
, ("it_request_type", ["User"], ["IT"])
]
prop_perms = \
[ ( "file", "Edit", ["IT"]
, ("type", "name")
)
, ( "location", "Edit", ["IT"]
, ("domain_part",)
)
, ( "organisation", "Edit", ["IT"]
, ("domain_part",)
)
, ( "user", "Edit", ["IT"]
, ( "address", "alternate_addresses", "nickname"
, "password", "timezone", "username"
)
)
, ( "user", "View", ["User"]
, ( "activity", "actor", "address", "alternate_addresses"
, "creation", "creator", "id", "queries", "realname"
, "status", "timezone", "username"
)
)
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
def is_responsible (db, userid, itemid) :
"""Determine whether the user is responsible for an issue
"""
return db.it_issue.get (itemid, 'responsible') == userid
# end def is_responsible
def responsible_or_stakeholder (db, userid, itemid) :
"""Determine whether the user is responsible for or the
stakeholder of an issue
"""
return \
( db.it_issue.get (itemid, 'responsible') == userid
or db.it_issue.get (itemid, 'stakeholder') == userid
)
# end def responsible_or_stakeholder
p = db.security.addPermission \
( name = 'Edit'
, klass = 'it_issue'
, check = responsible_or_stakeholder
, description = \
"User is allowed to edit several fields if he is "
"Stakeholder/Responsible for an it_issue"
, properties = ('deadline', 'status', 'title')
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'it_issue'
, check = is_responsible
, description = \
"User is allowed to edit several fields if he is "
"Responsible for an it_issue"
, properties = ('responsible',)
)
db.security.addPermissionToRole ('User', p)
db.security.addPermissionToRole ('User', 'Create', 'it_issue')
schemadef.register_confidentiality_check \
(db, 'User', 'it_issue', ('View',))
schemadef.register_confidentiality_check \
(db, 'User', 'it_issue', ('Edit',), "messages", "files", "nosy")
schemadef.register_confidentiality_check \
(db, 'User', 'it_project', ('View',))
schemadef.register_confidentiality_check \
(db, 'User', 'it_project', ('Edit',), "messages", "files", "nosy")
schemadef.register_nosy_classes (db, ['it_issue', 'it_project'])
schemadef.add_search_permission (db, 'it_issue', 'User')
schemadef.add_search_permission (db, 'it_project', 'User')
def security (db, ** kw) :
roles = \
[ ("Dom-User-Edit-GTT", "Edit/Create users with specific AD domain")
, ("Dom-User-Edit-HR", "Edit users with specific AD domain")
, ("Dom-User-Edit-Office", "Edit users with specific AD domain")
, ("Dom-User-Edit-Facility", "Edit users with specific AD domain")
, ("IT", "IT-Department")
]
schemadef.register_roles (db, roles)
db.security.addPermissionToRole ('Dom-User-Edit-GTT', 'Create', 'user')
# Editable user fields for the Domain-User-Edit roles
user_props = \
[ 'contacts'
, 'csv_delimiter'
, 'entry_date'
, 'firstname'
, 'hide_message_files'
, 'job_description'
, 'lastname'
, 'lunch_duration'
, 'lunch_start'
, 'nickname'
, 'pictures'
, 'position_text'
, 'room'
, 'sex'
, 'status'
, 'subst_active'
, 'substitute'
, 'supervisor'
, 'timezone'
, 'tt_lines'
, 'vie_user'
]
user_props_hr = user_props + \
['clearance_by', 'roles', 'reduced_activity_list']
user_props_gtt = user_props + \
['username', 'sync_foreign_key', 'department_temp']
user_props_office = ['contacts', 'position_text', 'room']
user_props_facility = ['room']
role_perms = \
[ ("Dom-User-Edit-GTT", user_props_gtt)
, ("Dom-User-Edit-HR", user_props_hr)
, ("Dom-User-Edit-Office", user_props_office)
, ("Dom-User-Edit-Facility", user_props_facility)
]
classes = \
[ ( "domain_permission"
, ["IT"]
, ["IT"]
)
]
if 'contract_type' in db.classes :
classes.append \
( ( "contract_type"
, ["Dom-User-Edit-GTT", "Dom-User-Edit-HR"]
, []
)
)
if 'user_contact' in db.classes :
for role, x in role_perms [:3] :
classes.append \
( ( "user_contact"
, []
, [role]
)
)
db.security.addPermissionToRole (role, 'Create', 'user_contact')
prop_perms = []
schemadef.register_class_permissions (db, classes, prop_perms)
fixdoc = schemadef.security_doc_from_docstring
if 'user_dynamic' in db.classes :
def user_dynamic_dom (db, userid, itemid) :
""" May only view/edit records with the correct domain
"""
dyn = db.user_dynamic.getnode (itemid)
user = db.user.getnode (dyn.user)
return check_domain_permission (db, userid, user.ad_domain)
# end def user_dynamic_dom
for role in ("Dom-User-Edit-GTT", "Dom-User-Edit-HR") :
db.security.addPermissionToRole (role, 'Create', 'user_dynamic')
for perm in ('View', 'Edit') :
p = db.security.addPermission \
( name = perm
, klass = 'user_dynamic'
, check = user_dynamic_dom
, description = fixdoc (user_dynamic_dom.__doc__)
)
db.security.addPermissionToRole (role, p)
def domain_access_user (db, userid, itemid) :
""" Users may view/edit user records for ad_domain for which they
are in the domain_permission for the user.
"""
u = db.user.getnode (itemid)
return check_domain_permission (db, userid, u.ad_domain)
# end def domain_access_user
for role, props in role_perms :
for perm in 'Edit', 'View' :
p = db.security.addPermission \
( name = perm
, klass = 'user'
, check = domain_access_user
, description = fixdoc (domain_access_user.__doc__)
, properties = props
)
db.security.addPermissionToRole (role, p)
def domain_view_user_dynamic (db, userid, itemid) :
""" Users may view user_dynamic records for ad_domain for which
they are in the domain_permission for the user
"""
ud = db.user_dynamic.getnode (itemid)
u = db.user.getnode (ud.user)
return check_domain_permission (db, userid, u.ad_domain)
# end def domain_view_user_dynamic
p = db.security.addPermission \
( name = 'View'
, klass = 'user_dynamic'
, check = domain_view_user_dynamic
, description = fixdoc (domain_view_user_dynamic.__doc__)
)
db.security.addPermissionToRole ('Dom-User-Edit-GTT', p)
db.security.addPermissionToRole ('Dom-User-Edit-HR', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'user_dynamic'
)
db.security.addPermissionToRole ('Dom-User-Edit-GTT', p)
db.security.addPermissionToRole ('Dom-User-Edit-HR', p)
def security (db, ** kw) :
roles = \
[ ("Project", "Project Office")
, ("Project_View", "May view project data")
, ("Controlling", "Controlling")
, ("Procurement", "Purchasing/Procurement")
]
# classname
# allowed to view / edit
# For daily_record, time_record, additional restrictions apply
classes = \
[ ( "time_project_status"
, ["User"]
, ["Project"]
)
, ( "time_project"
, ["Project_View", "Project", "Controlling"]
, []
)
, ( "sap_cc"
, ["User"]
, []
)
]
prop_perms = \
[ ( "time_project", "Edit", ["Project"]
, ( "cost_center", "deputy", "description", "department", "name"
, "nosy", "organisation", "responsible", "status"
)
)
, ( "time_project", "Edit", ["Procurement"]
, ( "purchasing_agents"
, "deputy_gets_mail"
)
)
, ( "sap_cc", "Edit", ["Procurement"]
, ( "purchasing_agents"
, "deputy_gets_mail"
)
)
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
fixdoc = schemadef.security_doc_from_docstring
p = db.security.addPermission \
( name = 'View'
, klass = 'time_project'
, check = sum_common.time_project_viewable
, description = fixdoc (sum_common.time_project_viewable.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'View'
, klass = 'time_project'
)
db.security.addPermissionToRole ('Procurement', p)
p = db.security.addPermission \
( name = 'View'
, klass = 'sap_cc'
)
db.security.addPermissionToRole ('Procurement', p)
db.security.addPermissionToRole ('Project', 'Create', 'time_project')
def security(db, **kw):
roles = \
[ ("Readonly-User" , "User with less access")
]
classes = \
[ ("area", ["Readonly-User"], [])
, ("doc_issue_status", ["Readonly-User"], [])
, ("keyword", ["Readonly-User"], [])
, ("kind", ["Readonly-User"], [])
, ("msg_keyword", ["Readonly-User"], [])
, ("severity", ["Readonly-User"], [])
, ("status", ["Readonly-User"], [])
, ("status_transition", ["Readonly-User"], [])
, ("ext_tracker_state", ["Readonly-User"], [])
, ("safety_level", ["Readonly-User"], [])
, ("test_level", ["Readonly-User"], [])
]
if 'fault_frequency' in db.classes:
classes.append \
(("fault_frequency", ["Readonly-User"], []))
if 'kpm' in db.classes:
classes.append \
(("kpm", ["Readonly-User"], []))
if 'kpm_function' in db.classes:
classes.append \
(("kpm_function", ["Readonly-User"], []))
if 'kpm_hw_variant' in db.classes:
classes.append \
(("kpm_hw_variant", ["Readonly-User"], []))
if 'kpm_occurrence' in db.classes:
classes.append \
(("kpm_occurrence", ["Readonly-User"], []))
if 'kpm_release' in db.classes:
classes.append \
(("kpm_release", ["Readonly-User"], []))
if 'kpm_tag' in db.classes:
classes.append \
(("kpm_tag", ["Readonly-User"], []))
if 'ext_tracker_type' in db.classes:
classes.append \
(("ext_tracker_type", ["Readonly-User"], []))
prop_perms = \
[ ( "user", "View", ["Readonly-User"]
, ("username", "nickname", "status")
)
, ( "category", "View", ["Readonly-User"]
, ("name", "id")
)
, ( "user_status", "View", ["Readonly-User"]
, ("name", )
)
]
linkperms = \
[ ("file", ["Readonly-User"], ['View'], linkclass_iter (db, "file"))
, ("msg", ["Readonly-User"], ['View'], linkclass_iter (db, "msg"))
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, prop_perms)
core.register_linkperms(db, linkperms)
# don't allow Readonly-User for some issue attributes
exceptions = dict.fromkeys \
(('external_company', 'confidential'))
issue_props = [
p for p in db.issue.getprops().iterkeys() if p not in exceptions
]
if 'external_users' in db.issue.properties:
def ro_user_access(db, userid, itemid):
""" Read-only users are allowed to view issue
if they are on the list of allowed external users or
there is a transitive permission via containers.
"""
issue = db.issue.getnode(itemid)
while True:
if issue.external_users and userid in issue.external_users:
return True
if not issue.part_of:
break
issue = db.issue.getnode(issue.part_of)
return False
# end def ext_user_access
p = db.security.addPermission \
( name = 'View'
, klass = 'issue'
, check = ro_user_access
, description = schemadef.security_doc_from_docstring
(ro_user_access.__doc__)
, properties = issue_props
)
db.security.addPermissionToRole('Readonly-User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'user'
, check = schemadef.own_user_record
, description = "Users are allowed to edit some of their details"
, properties = ("timezone", "csv_delimiter", "hide_message_files")
)
db.security.addPermissionToRole('Readonly-User', p)
p = db.security.addPermission \
( name = 'View'
, klass = 'user'
, check = schemadef.own_user_record
, description = "Users are allowed to view some of their details"
, properties =
( "username", "realname", "firstname", "lastname"
, "creation", "creator", "activity", "actor"
)
)
db.security.addPermissionToRole('Readonly-User', p)
p = db.security.getPermission('Search', 'file')
db.security.addPermissionToRole('Readonly-User', p)
p = db.security.getPermission('View', 'file', check=core.view_file)
db.security.addPermissionToRole('Readonly-User', p)
p = db.security.getPermission('Search', 'issue')
db.security.addPermissionToRole('Readonly-User', p)
# need search permission on username + id if we want to search for
# user Link/Multilink properties on issue (e.g. responsible, nosy, ..)
p = db.security.addPermission \
( name = 'Search'
, klass = 'user'
, properties = ("username", "nickname", "id")
)
db.security.addPermissionToRole('Readonly-User', p)
# Need search-permission on ext_tracker_state
p = db.security.addPermission \
( name = 'Search'
, klass = 'ext_tracker_state'
, properties = ("issue", "id")
)
db.security.addPermissionToRole('Readonly-User', p)
p = db.security.getPermission('View', 'ext_tracker')
db.security.addPermissionToRole('Readonly-User', p)
p = db.security.getPermission('Search', 'msg')
db.security.addPermissionToRole('Readonly-User', p)
db.security.addPermissionToRole('Readonly-User', 'Web Access')
db.security.addPermissionToRole('Readonly-User', 'Email Access')
def security (db, ** kw) :
""" See the configuration and customisation document for information
about security setup.
"""
roles = \
[ ("Board", "Approvals over certain limits")
, ("Nosy", "Nosy list")
, ("Finance", "Finance-related approvals")
, ("HR", "Approvals for staff/subcontracting")
, ("HR-Approval", "Approvals for HR-related issues")
, ("IT-Approval", "Approve IT-Related PRs")
, ("Procurement", "Procurement department")
, ("Procurement-Admin", "Procurement administration")
, ("Procure-Approval", "Procurement approvals")
, ("Quality", "Approvals for Safety issues")
, ("Subcontract", "Approvals for staff/subcontracting")
, ("PR-View", "See all Purchase Requests")
, ("Measurement-Approval", "Responsible for Measurement-Equipment")
, ("Training-Approval", "Approvals for Training")
, ("Subcontract-Org", "Approvals for Subcontracting")
, ("CISO", "Editing of Security Tables")
]
# classname allowed to view / edit
classes = \
[ ("department", ["User"], [])
, ("infosec_level", ["User"], ["Procurement-Admin"])
, ("location", ["User"], [])
, ("organisation", ["User"], [])
, ("org_location", ["User"], [])
, ("part_of_budget", ["User"], [])
, ("pr_approval_config", ["Procurement"], ["Procurement-Admin"])
, ("pr_approval_order", ["Procurement"], ["Procurement-Admin"])
, ("pr_approval", ["Procurement","PR-View"], [])
, ("pr_approval_status", ["User"], [])
, ("pr_currency", ["User"], ["Procurement-Admin"])
, ("pr_status", ["User"], [])
, ("pr_supplier", ["User"], ["Procurement-Admin"])
, ("pr_rating_category", ["User"], ["Procurement-Admin"])
, ("pr_supplier_rating", ["User"], ["Procurement-Admin"])
, ("purchase_type", ["User"], ["Procurement-Admin"])
, ("terms_conditions", ["User"], [])
, ("time_project", ["User"], [])
, ("user", ["Procurement-Admin"], [])
, ("purchase_request", ["PR-View"], [])
, ("pr_offer_item", ["PR-View"], [])
, ("internal_order", ["User"], [])
, ("pr_ext_resource", ["User"], [])
, ("security_req_group", ["User"], ["Procurement-Admin", "CISO"])
, ("product_group", ["User"], ["Procurement-Admin"])
, ("pg_category", ["User"], ["Procurement-Admin"])
, ("supplier_risk_category", ["User"], [])
, ("purchase_risk_type", ["User"], [])
, ("pr_supplier_risk", ["User"], ["Procurement-Admin", "CISO"])
, ("payment_type", ["User"], [])
, ("purchase_security_risk", ["User"], [])
]
prop_perms = \
[ ( "user", "Edit", ["Procurement-Admin"]
, ("roles", "password", "substitute", "subst_until", "clearance_by")
)
, ( "user", "View", ["User"]
, ("username", "id", "realname", "status")
)
, ( "user", "Edit", ["Procurement-Admin"]
, ("want_no_messages",)
)
# Allow anybody to edit purchase_request but do not allow change
# (in reactor): This is used for ordering actions in the web
# interface via links (!)
, ( "pr_approval", "Edit", ["User"]
, ("purchase_request", "date")
)
, ( "purchase_request", "Edit", ["Procurement", "Procurement-Admin"]
, ("renew_until",)
)
, ( "time_project", "Edit", ["Procurement"]
, ("deputy_gets_mail",)
)
, ( "sap_cc", "Edit", ["Procurement"]
, ("deputy_gets_mail",)
)
, ( "pr_approval_order", "View", ["User"]
, ("role", "id")
)
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
# Retire/Restore permission for pr_approval_order
for n in 'Retire', 'Restore' :
p = db.security.addPermission \
( name = n
, klass = 'pr_approval_order'
)
db.security.addPermissionToRole ('Procurement-Admin', p)
tp_properties = \
( 'name', 'description', 'responsible', 'deputy', 'organisation'
, 'status', 'id'
, 'creation', 'creator', 'activity', 'actor'
)
# Search permission
p = db.security.addPermission \
( name = 'Search'
, klass = 'time_project'
, properties = tp_properties
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'user'
)
db.security.addPermissionToRole ('Procurement-Admin', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'purchase_request'
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'pr_approval'
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'pr_offer_item'
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'pr_approval_order'
)
db.security.addPermissionToRole ('User', p)
db.security.addPermissionToRole ('User', 'Create', 'pr_offer_item')
db.security.addPermissionToRole ('User', 'Create', 'purchase_request')
fixdoc = schemadef.security_doc_from_docstring
def pr_pt_role (db, userid, itemid) :
""" Users are allowed if they have one of the view roles
of the purchase type or one of the (forced) approval roles.
"""
if not itemid or itemid < 1 :
return False
pr = db.purchase_request.getnode (itemid)
if not pr.purchase_type :
return False
pt = db.purchase_type.getnode (pr.purchase_type)
roles = set (pt.pr_view_roles)
roles.update (pt.pr_roles)
roles.update (pt.pr_forced_roles)
for r in roles :
if prlib.has_pr_role (db, userid, r) :
return True
return False
# end def pr_pt_role
p = db.security.addPermission \
( name = 'View'
, klass = 'purchase_request'
, check = pr_pt_role
, description = fixdoc (pr_pt_role.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = pr_pt_role
, description = fixdoc (pr_pt_role.__doc__)
, properties =
( 'sap_reference', 'terms_conditions', 'frame_purchase'
, 'frame_purchase_end', 'nosy', 'messages', 'purchasing_agents'
, 'internal_order', 'special_approval', 'payment_type'
)
)
db.security.addPermissionToRole ('User', p)
def pt_role_offer_item (db, userid, itemid) :
""" Users are allowed to view if they have one of the view roles
of the purchase type
"""
pr = get_pr_from_offer_item (db, itemid)
if pr is None :
return False
return pr_pt_role (db, userid, pr.id)
# end def pt_role_offer_item
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_offer_item'
, check = pt_role_offer_item
, description = fixdoc (pt_role_offer_item.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_offer_item'
, check = pt_role_offer_item
, description = fixdoc (pt_role_offer_item.__doc__)
, properties =
( 'add_to_las'
, 'supplier'
, 'pr_supplier'
, 'is_asset'
, 'payment_type'
, 'internal_order'
)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_offer_item'
, properties =
( 'add_to_las'
,
)
)
db.security.addPermissionToRole ('CISO', p)
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_offer_item'
, properties =
( 'add_to_las'
, 'supplier'
, 'pr_supplier'
, 'creation'
, 'creator'
, 'activity'
, 'actor'
)
)
db.security.addPermissionToRole ('CISO', p)
def view_role_approval (db, userid, itemid) :
""" Users are allowed to view if they have one of the view roles
of the purchase type
"""
sp = db.pr_approval.getnode (itemid)
pr = db.purchase_request.getnode (sp.purchase_request)
if pr is None :
return False
return pr_pt_role (db, userid, pr.id)
# end def view_role_approval
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_approval'
, check = view_role_approval
, description = fixdoc (view_role_approval.__doc__)
)
db.security.addPermissionToRole ('User', p)
def approver_non_finance (db, userid, itemid) :
""" Approvers are allowed if not finance and PR not yet approved
by finance.
"""
if not itemid or itemid < 1 :
return False
# User may not change
if own_pr (db, userid, itemid) :
return False
# Finance may not change
if common.user_has_role (db, userid, 'finance') :
return False
pr = db.purchase_request.getnode (itemid)
st_approving = db.pr_status.lookup ('approving')
if pr.status != st_approving :
return False
un = db.pr_approval_status.lookup ('undecided')
ap = db.pr_approval.filter (None, dict (purchase_request = itemid))
for id in ap :
a = db.pr_approval.getnode (id)
# already signed by finance?
finance = db.pr_approval_order.lookup ('finance')
if a.status != un and a.role_id == finance :
return False
return linked_pr (db, userid, itemid)
# end def approver_non_finance
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = approver_non_finance
, description = fixdoc (approver_non_finance.__doc__)
, properties =
( 'continuous_obligation', 'intended_duration', 'contract_term')
)
db.security.addPermissionToRole ('User', p)
def approver_non_finance_offer (db, userid, itemid) :
""" Approvers are allowed if not finance and PR not yet approved
by finance.
"""
pr = get_pr_from_offer_item (db, itemid)
if pr is None :
return False
return approver_non_finance (db, userid, pr.id)
# end def approver_non_finance_offer
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_offer_item'
, check = approver_non_finance_offer
, description = fixdoc (approver_non_finance_offer.__doc__)
, properties = ( 'vat',)
)
db.security.addPermissionToRole ('User', p)
def own_pr (db, userid, itemid) :
""" User is allowed permission on their own PRs if either creator or
requester or supervisor of requester.
"""
if not itemid or itemid < 1 :
return False
pr = db.purchase_request.getnode (itemid)
if pr.creator == userid or pr.requester == userid :
return True
sup = db.user.get (pr.requester, 'supervisor')
if sup and sup == userid :
return True
return False
# end def own_pr
p = db.security.addPermission \
( name = 'View'
, klass = 'purchase_request'
, check = own_pr
, description = fixdoc (own_pr.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = own_pr
, description = fixdoc (own_pr.__doc__)
, properties = ('messages', 'nosy', 'files', 'renew_until')
)
db.security.addPermissionToRole ('User', p)
def open_or_approving (db, userid, itemid) :
st_open = db.pr_status.lookup ('open')
st_approving = db.pr_status.lookup ('approving')
pr = db.purchase_request.getnode (itemid)
if pr.status in (st_open, st_approving) :
return True
return False
# end def open_or_approving
def cancel_own_pr (db, userid, itemid) :
""" User is allowed to cancel their own PR.
"""
if not own_pr (db, userid, itemid) :
return False
return open_or_approving (db, userid, itemid)
# end def cancel_own_pr
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = cancel_own_pr
, description = fixdoc (cancel_own_pr.__doc__)
, properties = ('status', 'messages', 'nosy')
)
db.security.addPermissionToRole ('User', p)
def edit_pr_justification (db, userid, itemid) :
""" User is allowed to edit PR Justification
if the PR has appropriate status
and the user is creator or owner of the PR or has one of the
view roles.
"""
st_open = db.pr_status.lookup ('open')
st_approving = db.pr_status.lookup ('approving')
st_rejected = db.pr_status.lookup ('rejected')
st_approved = db.pr_status.lookup ('approved')
stati = (st_open, st_approving, st_rejected, st_approved)
pr = db.purchase_request.getnode (itemid)
if pr.status not in stati :
return False
if own_pr (db, userid, itemid) :
return True
if pr_pt_role (db, userid, itemid) :
return True
return False
# end def edit_pr_justification
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = edit_pr_justification
, description = fixdoc (edit_pr_justification.__doc__)
, properties = ('pr_justification',)
)
db.security.addPermissionToRole ('User', p)
def cancel_open_pr (db, userid, itemid) :
""" User is allowed to cancel a PR if it is open
"""
st_open = db.pr_status.lookup ('open')
pr = db.purchase_request.getnode (itemid)
if pr.status == st_open :
return True
return False
# end def cancel_own_pr
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = cancel_open_pr
, description = fixdoc (cancel_open_pr.__doc__)
, properties = ('status', 'messages')
)
db.security.addPermissionToRole ('Procurement-Admin', p)
def approving_or_approved (db, userid, itemid) :
""" User is allowed to reject PR in state approving or approved
"""
st_approving = db.pr_status.lookup ('approving')
st_approved = db.pr_status.lookup ('approved')
pr = db.purchase_request.getnode (itemid)
if pr.status in (st_approving, st_approved) :
return True
return False
# end def approving_or_approved
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = approving_or_approved
, description = fixdoc (approving_or_approved.__doc__)
, properties = ('status', 'messages')
)
for r in prlib.reject_roles :
db.security.addPermissionToRole (r, p)
def reopen_rejected_pr (db, userid, itemid) :
""" User is allowed to reopen their own rejected PR.
"""
if not own_pr (db, userid, itemid) :
return False
st_rejected = db.pr_status.lookup ('rejected')
pr = db.purchase_request.getnode (itemid)
if pr.status == st_rejected :
return True
return False
# end def reopen_rejected_pr
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = reopen_rejected_pr
, description = fixdoc (reopen_rejected_pr.__doc__)
, properties = ('status', 'messages', 'nosy')
)
db.security.addPermissionToRole ('User', p)
def own_pr_and_open_or_rej (db, userid, itemid) :
""" User is allowed to edit their own PRs (creator or requester
or supervisor of requester) while PR is open or rejected.
"""
if not own_pr (db, userid, itemid) :
return False
open = db.pr_status.lookup ('open')
rej = db.pr_status.lookup ('rejected')
pr = db.purchase_request.getnode (itemid)
if pr.status == open or pr.status == rej :
return True
return False
# end def own_pr_and_open_or_rej
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = own_pr_and_open_or_rej
, description = fixdoc (own_pr_and_open_or_rej.__doc__)
)
db.security.addPermissionToRole ('User', p)
def linked_pr (db, userid, itemid) :
""" Users are allowed if an approval from them is
linked to the PR.
"""
if not itemid or itemid < 1 :
return False
pr = db.purchase_request.getnode (itemid)
ap = db.pr_approval.filter (None, dict (purchase_request = itemid))
for id in ap :
a = db.pr_approval.getnode (id)
# User or deputy or delegated?
if userid in common.approval_by (db, a.user) :
return True
if userid in common.approval_by (db, a.deputy) :
return True
if a.role_id and prlib.has_pr_role (db, userid, a.role_id) :
return True
return False
# end def linked_pr
p = db.security.addPermission \
( name = 'View'
, klass = 'purchase_request'
, check = linked_pr
, description = fixdoc (linked_pr.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = linked_pr
, description = fixdoc (linked_pr.__doc__)
, properties = ('messages', 'nosy', 'files')
)
db.security.addPermissionToRole ('User', p)
def pending_approval (db, userid, itemid) :
""" Users are allowed to edit message if a pending
approval from them is linked to the PR.
"""
if not linked_pr (db, userid, itemid) :
return False
if open_or_approving (db, userid, itemid) :
return True
# Also allow for reject because message is tried to attach twice
# We allow this only for some time (5 min after last change)
st_reject = db.pr_status.lookup ('rejected')
pr = db.purchase_request.getnode (itemid)
if pr.status != st_reject :
return False
now = date.Date ('.')
if pr.activity + date.Interval ('00:05:00') > now :
return True
return False
# end def pending_approval
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = pending_approval
, description = fixdoc (pending_approval.__doc__)
, properties = ('messages', 'nosy', 'files')
)
db.security.addPermissionToRole ('User', p)
def linked_to_pr (db, userid, itemid) :
""" Users are allowed to view if approval is linked to viewable PR.
"""
if not itemid or itemid < 1 :
return False
ap = db.pr_approval.getnode (itemid)
pr = ap.purchase_request
if own_pr (db, userid, pr) :
return True
if linked_pr (db, userid, pr) :
return True
return False
# end def linked_to_pr
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_approval'
, check = linked_to_pr
, description = fixdoc (linked_to_pr.__doc__)
)
db.security.addPermissionToRole ('User', p)
def approval_undecided (db, userid, itemid) :
""" User is allowed to change status of undecided approval if
they are the owner/deputy or have appropriate role.
In addition this is allowed if they have a delegated
approval or are an active substitute.
We also allow pr.status to be 'rejected': This cannot change
the outcome (once approved or rejected the pr.status cannot
change) but allows for race condition when someone has
several approvals in a single mask and one of that approvals
changed the PR to rejected before the others were processed.
"""
if not itemid or itemid < 1 :
return False
ap = db.pr_approval.getnode (itemid)
pr = db.purchase_request.getnode (ap.purchase_request)
und = db.pr_approval_status.lookup ('undecided')
st_open = db.pr_status.lookup ('open')
st_approving = db.pr_status.lookup ('approving')
st_reject = db.pr_status.lookup ('rejected')
if ( ap.status == und
and ( userid in common.approval_by (db, ap.user)
or userid in common.approval_by (db, ap.deputy)
or (ap.role_id and prlib.has_pr_role (db, userid, ap.role_id))
)
and pr.status in (st_open, st_approving, st_reject)
) :
return True
return False
# end def approval_undecided
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_approval'
, check = approval_undecided
, description = fixdoc (approval_undecided.__doc__)
, properties = ('status', 'msg')
)
db.security.addPermissionToRole ('User', p)
def get_pr_from_offer_item (db, itemid) :
prs = db.purchase_request.filter (None, dict (offer_items = itemid))
if len (prs) == 0 :
return None
assert len (prs) == 1
return db.purchase_request.getnode (prs [0])
# end def get_pr_from_offer_item
def linked_from_pr (db, userid, itemid) :
""" Users are allowed to view if offer is linked from PR.
"""
if not itemid or itemid < 1 :
return True
off = db.pr_offer_item.getnode (itemid)
pr = get_pr_from_offer_item (db, itemid)
if pr is None :
return False
if own_pr (db, userid, pr.id) :
return True
if linked_pr (db, userid, pr.id) :
return True
return False
# end def linked_from_pr
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_offer_item'
, check = linked_from_pr
, description = fixdoc (linked_from_pr.__doc__)
)
db.security.addPermissionToRole ('User', p)
def add_to_las_false (db, userid, itemid) :
""" Allow setting add_to_las from 'None' for orphanes offer items.
"""
if itemid is None :
return False
oi = db.pr_offer_item.getnode (itemid)
pr = get_pr_from_offer_item (db, itemid)
if pr is not None :
return False
if oi.add_to_las is None :
return True
return False
# end def add_to_las_false
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_offer_item'
, check = add_to_las_false
, description = fixdoc (add_to_las_false.__doc__)
, properties = ('add_to_las',)
)
db.security.addPermissionToRole ('User', p)
def linked_and_editable (db, userid, itemid) :
""" Users are allowed to edit if offer is linked from PR and PR
is editable.
"""
if not itemid or itemid < 1 :
return True
if not linked_from_pr (db, userid, itemid) :
return False
pr = get_pr_from_offer_item (db, itemid)
if pr is None :
return False
return own_pr_and_open_or_rej (db, userid, pr.id)
# end def linked_and_editable
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_offer_item'
, check = linked_and_editable
, description = fixdoc (linked_and_editable.__doc__)
)
db.security.addPermissionToRole ('User', p)
def approved_or_ordered (db, userid, itemid) :
""" User with view role is allowed editing if status
is 'approved' or 'ordered'
"""
if not pr_pt_role (db, userid, itemid) :
return False
pr = db.purchase_request.getnode (itemid)
stati = []
for n in ('approved', 'ordered') :
try :
st = db.pr_status.lookup (n)
stati.append (st)
except KeyError :
pass
if pr.status in stati :
return True
return False
# end def approved_or_ordered
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = approved_or_ordered
, description = fixdoc (approved_or_ordered.__doc__)
, properties = ('status', 'messages', 'files', 'nosy')
)
db.security.addPermissionToRole ('User', p)
schemadef.register_nosy_classes (db, ['purchase_request'])
def user_on_nosy (db, userid, itemid) :
""" User is allowed if on the nosy list
"""
pr = db.purchase_request.getnode (itemid)
if userid in pr.nosy :
return True
# end def user_on_nosy
p = db.security.addPermission \
( name = 'View'
, klass = 'purchase_request'
, check = user_on_nosy
, description = fixdoc (user_on_nosy.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = user_on_nosy
, description = fixdoc (user_on_nosy.__doc__)
, properties = ('messages', 'files', 'nosy')
)
db.security.addPermissionToRole ('User', p)
def user_on_nosy_approval (db, userid, itemid) :
""" User is allowed if on the nosy list of the PR
"""
ap = db.pr_approval.getnode (itemid)
return user_on_nosy (db, userid, ap.purchase_request)
# end def user_on_nosy
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_approval'
, check = user_on_nosy_approval
, description = fixdoc (user_on_nosy_approval.__doc__)
)
db.security.addPermissionToRole ('User', p)
def user_on_nosy_offer (db, userid, itemid) :
""" User is allowed if on the nosy list of the PR
"""
if not itemid or itemid < 1 :
return True
prs = db.purchase_request.filter (None, dict (offer_items = itemid))
assert len (prs) <= 1
if prs :
return user_on_nosy (db, userid, prs [0])
return False
# end def user_on_nosy
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_offer_item'
, check = user_on_nosy_offer
, description = fixdoc (user_on_nosy_offer.__doc__)
)
db.security.addPermissionToRole ('User', p)
def view_pr_risks (db, userid, itemid) :
""" User is allowed to view special risks
if the PR has appropriate status
and the user is creator or owner of the PR or has one of the
view roles.
"""
st_open = db.pr_status.lookup ('open')
pr = db.purchase_request.getnode (itemid)
if pr.status == st_open :
return False
if own_pr (db, userid, itemid) :
return True
if pr_pt_role (db, userid, itemid) :
return True
return False
# end def view_pr_risks
p = db.security.addPermission \
( name = 'View'
, klass = 'purchase_request'
, check = view_pr_risks
, description = fixdoc (view_pr_risks.__doc__)
, properties = ('pr_risks',)
)
db.security.addPermissionToRole ('User', p)
def edit_pr_risks (db, userid, itemid) :
""" User is allowed to edit special risks
if the PR has appropriate status.
"""
st_open = db.pr_status.lookup ('open')
pr = db.purchase_request.getnode (itemid)
if pr.status == st_open :
return False
return True
# end def edit_pr_risks
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = edit_pr_risks
, description = fixdoc (edit_pr_risks.__doc__)
, properties = ('pr_risks',)
)
db.security.addPermissionToRole ('Procurement', p)
p = db.security.addPermission \
( name = 'View'
, klass = 'user'
, check = schemadef.own_user_record
, description = "Users are allowed to view some of their details"
, properties = ('supervisor', 'clearance_by', 'want_no_messages')
)
db.security.addPermissionToRole ('User', p)
)
)
, ( "user", "View", ["Controlling"], ("roles",))
, ( "user", "View", ["User"]
, ( "activity", "actor", "address", "alternate_addresses"
, "clearance_by", "creation", "creator", "department"
, "firstname", "job_description", "lastname"
, "id", "lunch_duration", "lunch_start", "nickname"
, "pictures", "position", "queries", "realname", "room", "sex"
, "status", "subst_active", "substitute", "supervisor", "timezone"
, "title", "username", "home_directory", "login_shell"
, "samba_home_drive", "samba_home_path", "tt_lines"
)
)
]
# For PGP-Processing we need a role
schemadef.register_roles(db, [('PGP', 'Roles that require PGP')])
schemadef.register_class_permissions(db, classes, prop_perms)
schemadef.allow_user_details(db, 'User', 'Edit')
# the following is further checked in an auditor:
db.security.addPermissionToRole('User', 'Create', 'time_wp')
# editing of roles:
for r in "HR", "IT":
db.security.addPermissionToRole(r, 'Web Roles')
# oh, g'wan, let anonymous access the web interface too
# NOT really !!!
db.security.addPermissionToRole('Anonymous', 'Web Access')
def security(db, **kw):
roles = \
[ ("External" , "External user with less access")
]
classes = \
[ ("area", ["External"], [])
, ("doc_issue_status", ["External"], [])
, ("keyword", ["External"], [])
, ("kind", ["External"], [])
, ("msg_keyword", ["External"], [])
, ("severity", ["External"], [])
, ("status", ["External"], [])
, ("status_transition", ["External"], [])
, ("ext_tracker_state", ["External"], [])
, ("safety_level", ["External"], [])
, ("test_level", ["External"], [])
]
if 'fault_frequency' in db.classes:
classes.append \
(("fault_frequency", ["External"], []))
if 'kpm' in db.classes:
classes.append \
(("kpm", ["External"], ["External"]))
if 'kpm_function' in db.classes:
classes.append \
(("kpm_function", ["External"], []))
if 'kpm_hw_variant' in db.classes:
classes.append \
(("kpm_hw_variant", ["External"], []))
if 'kpm_occurrence' in db.classes:
classes.append \
(("kpm_occurrence", ["External"], []))
if 'kpm_release' in db.classes:
classes.append \
(("kpm_release", ["External"], []))
if 'kpm_tag' in db.classes:
classes.append \
(("kpm_tag", ["External"], []))
if 'ext_tracker_type' in db.classes:
classes.append \
(("ext_tracker_type", ["External"], []))
prop_perms = \
[ ( "user", "View", ["External"]
, ("username", "nickname", "status")
)
, ( "category", "View", ["External"]
, ("name", "id")
)
, ( "user_status", "View", ["External"]
, ("name", )
)
]
linkperms = \
[ ("file", ["External"], ['View'], linkclass_iter (db, "file"))
, ("msg", ["External"], ['View'], linkclass_iter (db, "msg"))
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, prop_perms)
core.register_linkperms(db, linkperms)
# don't allow external_company or External for some issue attributes
exceptions = dict.fromkeys \
(('external_company', 'confidential', 'external_users', 'inherit_ext'))
issue_props = [
p for p in db.issue.getprops().iterkeys() if p not in exceptions
]
if 'external_company' in db.issue.properties:
def ext_company_access(db, userid, itemid):
""" Users are allowed to access issue
if their external company has access
"""
ec = db.user.get(userid, 'external_company')
ecs = db.issue.get(itemid, 'external_company')
return ecs and ec in ecs
# end def ext_company_access
for perm in ('View', 'Edit'):
p = db.security.addPermission \
( name = perm
, klass = 'issue'
, check = ext_company_access
, description = schemadef.security_doc_from_docstring
(ext_company_access.__doc__)
, properties = issue_props
)
db.security.addPermissionToRole('External', p)
if 'external_users' in db.issue.properties:
issue_props.append('external_users')
def ext_user_access(db, userid, itemid):
""" External users are allowed to access issue
if they are on the list of allowed external users or
there is a transitive permission via containers.
"""
issue = db.issue.getnode(itemid)
while True:
if issue.external_users and userid in issue.external_users:
return True
if not issue.part_of:
break
# check parent permissions for non-container or if the
# container defines inherit_ext
if issue.composed_of and not issue.inherit_ext:
break
issue = db.issue.getnode(issue.part_of)
return False
# end def ext_user_access
for perm in ('View', 'Edit'):
p = db.security.addPermission \
( name = perm
, klass = 'issue'
, check = ext_user_access
, description = schemadef.security_doc_from_docstring
(ext_user_access.__doc__)
, properties = issue_props
)
db.security.addPermissionToRole('External', p)
# Currently *never* allow any rights from being on nosy list
if False:
def is_on_nosy(db, userid, itemid):
"User is allowed to access issue if on nosy list"
item = db.issue.getnode(itemid)
return userid in item.nosy
# end def is_on_nosy
for perm in ('View', 'Edit'):
p = db.security.addPermission \
( name = perm
, klass = 'issue'
, check = is_on_nosy
, description = schemadef.security_doc_from_docstring
(is_on_nosy.__doc__)
, properties = issue_props
)
db.security.addPermissionToRole('External', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'user'
, check = schemadef.own_user_record
, description = "Users are allowed to edit some of their details"
, properties = ( "password", "timezone", "csv_delimiter"
, "hide_message_files"
)
)
db.security.addPermissionToRole('External', p)
p = db.security.addPermission \
( name = 'View'
, klass = 'user'
, check = schemadef.own_user_record
, description = "Users are allowed to view some of their details"
, properties =
( "username", "realname", "firstname", "lastname"
, "creation", "creator", "activity", "actor"
)
)
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('Create', 'file')
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('Search', 'file')
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('View', 'file', check=core.view_file)
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('Create', 'issue')
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('Search', 'issue')
db.security.addPermissionToRole('External', p)
# need search permission on username + id if we want to search for
# user Link/Multilink properties on issue (e.g. responsible, nosy, ..)
p = db.security.addPermission \
( name = 'Search'
, klass = 'user'
, properties = ("username", "nickname", "id")
)
db.security.addPermissionToRole('External', p)
# Need search-permission on ext_tracker_state
p = db.security.addPermission \
( name = 'Search'
, klass = 'ext_tracker_state'
, properties = ("issue", "id")
)
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('View', 'ext_tracker')
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('Create', 'msg')
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('Search', 'msg')
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('Create', 'query')
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('Edit', 'query', check=core.edit_query)
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('Retire', 'query', check=core.edit_query)
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('Search', 'query')
db.security.addPermissionToRole('External', p)
p = db.security.getPermission('View', 'query', check=core.view_query)
db.security.addPermissionToRole('External', p)
db.security.addPermissionToRole('External', 'Web Access')
db.security.addPermissionToRole('External', 'Email Access')
