import rules
# Predicates
@rules.predicate
def is_book_author(user, book):
if not book:
return False
return book.author == user
@rules.predicate
def is_boss(user):
return user.is_superuser
is_editor = rules.is_group_member('editors')
# Rules
rules.add_rule('change_book', is_book_author | is_editor)
rules.add_rule('delete_book', is_book_author)
rules.add_rule('create_book', is_boss)
# Permissions
rules.add_perm('testapp.change_book', is_book_author | is_editor)
rules.add_perm('testapp.delete_book', is_book_author)
def review_in_progress(user, obj: Review):
if obj:
if obj.status in [Review.NEW, Review.IN_PROGRESS]:
return True
elif obj.status in [Review.ACCEPTED, Review.DECLINED]:
return False
@rules.predicate
def content_review_in_progress(user, obj: Content):
review = getattr(obj, "review", None)
return review_in_progress(user, review)
is_authenticated = rules.is_authenticated
is_bsb_reviewer = rules.is_group_member("BSB-Reviewer")
is_tuhh_reviewer = rules.is_group_member("TUHH-Reviewer")
def can_assign_reviewer(user, content: Content):
return is_bsb_reviewer(user) or is_tuhh_reviewer(user)
def check_content_for_review(user, content: Content):
if is_bsb_reviewer(user) and isinstance(content, TeachingModule):
return True
elif is_tuhh_reviewer(user) and (isinstance(content, Tool)
or isinstance(content, Trend)):
return True
else:
return False
import rules
is_faculty = rules.is_group_member('faculty')
can_access_media_files = is_faculty | rules.is_superuser
has_faculty_privilege = is_faculty | rules.is_superuser
can_access_unreleased_problems = has_faculty_privilege
@rules.predicate
def can_access_problem(user, problem):
return problem.released or can_access_unreleased_problems(user)
@rules.predicate
def can_view_submit(user, submit):
return has_faculty_privilege(user) or submit.user == user
rules.add_rule('is_faculty', is_faculty)
rules.add_rule('can_access_media_files', can_access_media_files)
rules.add_rule('can_access_unreleased_problems',
can_access_unreleased_problems)
rules.add_rule('can_access_problem', can_access_problem)
rules.add_rule('can_view_submit', can_view_submit)
if project_user is None:
return False
else:
return True
@rules.predicate
def is_own_profile(user, platform_user_object):
if platform_user_object is None:
return False
if user.id == platform_user_object.id:
return True
else:
return False
@rules.predicate
def is_own_vote(user, vote_object):
if vote_object is None:
return False
if user.id == vote_object.user.id:
return True
else:
return False
is_admin = rules.is_group_member('admin')
is_default_user = rules.is_group_member('standard')
can_change_user = is_admin | is_own_profile
def remittance_less_than_usd1500(user, remittance):
return remittance.amount < 150000
@rules.predicate
def remittance_cash_incentive_paid(user, remittance):
return not remittance.check_unpaid_cash_incentive()
@rules.predicate
def is_thirdparty_exchange_house(user, remittance):
return remittance.exchange.name != 'SWIFT'
#is_branch_report_user = rules.is_group_member('branch user')
is_branch_remittance_user = rules.is_group_member(
'Branch Remittance Info Submission User')
is_branch_report_observer_user = rules.is_group_member(
'Branch Report Observer User')
is_booth_remittance_user = rules.is_group_member(
'Booth Remittance Info Submission User')
is_booth_report_observer_user = rules.is_group_member(
'Booth Report Observer User')
is_ho_settlement_user = rules.is_group_member('HO Settlement User')
is_ho_report_user = rules.is_group_member('HO Report Observer User')
can_change_benifciary_of_remittance = rules.is_group_member(
'Change remittance benificiary')
is_api_user = rules.is_group_member('API User')
#is_super = rules.is_superuser(user)
"""@rules.predicate
def is_same_domain_user(user,request):
def can_view_project(user, project):
if not project:
return False
return rules.is_group_member(f'projman-{project.namespace}')(user)
import rules
from rules import is_superuser
# An full admin is also a restricted admin logically speaking, but full admins only belong to the full admin group.
# Therefore, writing is_mygym_restricted_admin to detect whether a full admin is at least a restricted admin won't work!
from flexipages.constants import FLEXIPAGES_EDITOR_GROUP_NAME, FLEXIPAGES_SITE_DESIGNER_GROUP_NAME, FLEXIPAGES_ADMIN_GROUP_NAME
is_cms_admin = rules.is_group_member(FLEXIPAGES_ADMIN_GROUP_NAME)
is_cms_editor = rules.is_group_member(FLEXIPAGES_EDITOR_GROUP_NAME)
is_cms_designer = rules.is_group_member(FLEXIPAGES_SITE_DESIGNER_GROUP_NAME)
# Special general managers.
# NB: It is required to be able to manage notifications in order to fully manage events (i.e. create and send
# invitation, reminders, schedule, etc.). Therefore, any events manager is can implicitly manage notifications.
can_edit_content = is_superuser or is_cms_admin or is_cms_designer or is_cms_editor,
can_edit_template = is_superuser or is_cms_designer,
can_edit_page = is_superuser or is_cms_admin
# Standard permissions.
rules.add_perm('flexipages.add_page', can_edit_page)
rules.add_perm('flexipages.change_page', can_edit_page)
rules.add_perm('flexipages.delete_page', can_edit_page)
rules.add_perm('flexipages.view_page', can_edit_content)
rules.add_perm('flexipages.add_pageitem', can_edit_content)
rules.add_perm('flexipages.change_pageitem', can_edit_content)
def is_reviewer(self):
# todo: rewrite this as rule
return (self.is_superuser
or rules.is_group_member("BSB-Reviewer")(self)
or rules.is_group_member("TUHH-Reviewer")(self))
def is_reviewer(self):
# todo: rewrite this as rule
return self.is_superuser or rules.is_group_member('BSB-Reviewer')(self) or \
rules.is_group_member('TUHH-Reviewer')(self)
# Check for objects which have a direct flag:
if hasattr(obj, "suppressed"):
return not obj.suppressed
# Normally, suppression is recorded in the 'meta' model attached to
# a 'revision' that collects 'versions' of one or more models that were
# changed under revision tracking.
if not hasattr(obj, "revision"):
return False
if not hasattr(obj.revision, "meta"):
return False
return not getattr(obj.revision.meta, "suppressed", False)
# User group based permissions
is_administrator = rules.is_group_member("Administrators")
is_bureaucrat = rules.is_group_member("Bureaucrats")
is_oversighter = rules.is_group_member("Oversighters")
is_patroller = rules.is_group_member("Patrollers")
is_admin_or_crat = is_bureaucrat | is_administrator
is_admin_or_oversighter = is_oversighter | is_administrator
is_admin_or_patroller = is_patroller | is_administrator
# Convenience permission combinations
is_authed = rules.is_authenticated
is_creator_or_admin = is_authed & (is_creator | is_administrator)
is_creator_or_oversighter = is_authed & (is_creator | is_admin_or_oversighter)
is_obj_user_or_admin = is_authed & (is_obj_user | is_administrator)
is_self_or_admin = is_authed & (is_self | is_administrator)
not_suppressed_or_is_oversighter = is_not_suppressed | is_admin_or_oversighter
# By default we do not show suggestion on the start-project page
PROJECT_SUGGESTIONS = False
# Social share options in project/fundraiser detail
SHARE_OPTIONS = {
'twitter': True,
'facebook': True,
'linkedin': False,
'embedded': False,
'link': False,
'flyer': False
}
SHOW_DONATION_AMOUNTS = True
EXPORTDB_PERMISSION = rules.is_group_member('Staff') | rules.is_superuser
# Salesforce connection settings
SALESFORCE_QUERY_TIMEOUT = 15
REQUESTS_MAX_RETRIES = 0
SF_LAZY_CONNECT = True
SOCIAL_AUTH_FACEBOOK_PROFILE_EXTRA_PARAMS = {
'fields': 'id,name,email,first_name,last_name,link', # needed starting from protocol v2.4
}
SURVEYGIZMO_API_TOKEN = ''
SURVEYGIZMO_API_SECRET = ''
GEOPOSITION_GOOGLE_MAPS_API_KEY = ''
"""Permissions for accessing prize related resources and info
These permissions are kept in memory, they do not need to be stored in the db
"""
import logging
import rules
from profiles import rules as profile_rules
logger = logging.getLogger(__name__)
is_competition_moderator = rules.is_group_member("competition_moderators")
rules.add_perm("prizes", is_competition_moderator)
for perm, predicate in {
"can_list_competitions": profile_rules.is_privileged_user,
"can_list_own_competitions": profile_rules.is_end_user,
"view_sponsor": is_competition_moderator,
"add_sponsor": is_competition_moderator,
"change_sponsor": is_competition_moderator,
"view_competition": is_competition_moderator,
"add_prize": is_competition_moderator,
"change_prize": is_competition_moderator,
"view_prize": is_competition_moderator,
"add_competition": is_competition_moderator,
"change_competition": is_competition_moderator,
import rules
from rules import predicate, is_group_member, is_authenticated
####################################################################################################
# Predicates
is_moderator = is_group_member('moderators')
is_admin = is_group_member('administrators')
is_admin_or_mod = is_admin | is_admin
@predicate
def is_object_public(user, object):
return object.is_public
@predicate
def is_owner(user, object):
return object.owner.pk is user.pk
@predicate
def is_parent_public(user, object):
return object._parent.is_public
@predicate
def is_parent_owner(user, object):
return object._parent.owner.pk is user.pk
if business is None:
return False
return user.municipality_set.filter(pk=business.region.municipality.pk).exists()
@rules.predicate
def is_muni_admin(user):
"""
Is an admin of SOME municipality
"""
logger.debug(f"Predicate {is_muni_admin.__name__}")
return user.is_staff and user.municipality_set.exists()
is_integration_admin = rules.is_group_member("Integration Admins")
is_muni_or_integration_admin = is_integration_admin | is_muni_admin
is_business_muni_or_integration_admin = is_integration_admin | is_business_muni_admin
rules.add_perm("portal", rules.always_allow)
rules.add_perm("portal.view_business", rules.always_allow)
# This rule can't restrict addition of business to the munis the user can
# admin so we rely on that being enforced in the ModelAdmin.
rules.add_perm("portal.add_business", is_muni_or_integration_admin)
rules.add_perm("portal.change_business", is_business_muni_or_integration_admin)
rules.add_perm("portal.delete_business", is_business_muni_or_integration_admin)
rules.add_perm("portal.add_businessmembership", is_business_muni_or_integration_admin)
rules.add_perm(
"portal.change_businessmembership", is_business_muni_or_integration_admin
)
rules.add_perm("portal.view_businessmembership", rules.always_allow)
import rules
# Predicates
@rules.predicate
def is_book_author(user, book):
if not book:
return False
return book.author == user
@rules.predicate
def is_boss(user):
return user.is_superuser
is_editor = rules.is_group_member("editors")
# Rules
rules.add_rule("change_book", is_book_author | is_editor)
rules.add_rule("delete_book", is_book_author)
rules.add_rule("create_book", is_boss)
# Permissions
rules.add_perm("testapp.change_book", is_book_author | is_editor)
rules.add_perm("testapp.delete_book", is_book_author)
import rules
logger = logging.getLogger(__name__)
@rules.predicate
def is_owner(user, obj):
return obj.owner == user
@rules.predicate
def is_profile_owner(user, profile_obj):
return user.profile == profile_obj if user.is_authenticated else False
@rules.predicate
def has_profile(user):
return bool(user.profile) if user.is_authenticated else False
is_end_user = rules.is_group_member("end_users")
is_privileged_user = rules.is_group_member("privileged_users")
for perm, predicate in {
"can_list_users": is_privileged_user,
"can_create_profile": ~has_profile,
"can_view_profile": has_profile,
"can_edit_profile": has_profile & is_profile_owner,
}.items():
rules.add_perm("profiles.{}".format(perm), predicate)
def review_in_progress(user, obj: Review):
if obj:
if obj.status in [Review.NEW, Review.IN_PROGRESS]:
return True
elif obj.status in [Review.ACCEPTED, Review.DECLINED]:
return False
@rules.predicate
def content_review_in_progress(user, obj: Content):
review = getattr(obj, 'review', None)
return review_in_progress(user, review)
is_authenticated = rules.is_authenticated
is_bsb_reviewer = rules.is_group_member('BSB-Reviewer')
is_tuhh_reviewer = rules.is_group_member('TUHH-Reviewer')
def can_assign_reviewer(user, content: Content):
return is_bsb_reviewer(user) or is_tuhh_reviewer(user)
def check_content_for_review(user, content: Content):
if is_bsb_reviewer(user) and isinstance(content, TeachingModule):
return True
elif is_tuhh_reviewer(user) and (isinstance(content, Tool)
or isinstance(content, Trend)):
return True
else:
return False
from __future__ import absolute_import
import rules
@rules.predicate
def is_author(user, authored_object):
print("Testing {} for authorship of {}".format(user, authored_object))
if authored_object is None:
return None
return user.pk == authored_object.author.pk
is_manager = rules.is_group_member('manager')
is_editor = rules.is_group_member('editor') | is_manager
is_author_group = rules.is_group_member('author') | is_editor
from rules import is_group_member, predicate
# BASIC ACCESS RULES
@predicate
def is_author(user, obj=None):
if obj:
return obj.author == user
else:
return False
is_moderator = is_group_member('moderators')
is_editor = is_group_member('editors')
is_owner_or_moderator = is_author | is_editor | is_moderator
is_owner_or_editor = is_author | is_editor
def is_project_admin(user, project):
if not project:
return False
return rules.is_group_member(f'projman-{project.namespace}-admin')(user)
""" Rules for permissions of ADG admins """
import rules
from openedx.adg.lms.applications.constants import ADG_ADMIN_GROUP_NAME
# Create rule for ADG specific admin
is_adg_admin = rules.is_group_member(ADG_ADMIN_GROUP_NAME)
# Show Applications section on home screen
rules.add_perm('applications', rules.is_staff)
# User Applications
rules.add_perm('applications.view_userapplication', rules.is_staff)
rules.add_perm('applications.change_userapplication', rules.is_staff)
# Education
rules.add_perm('applications.view_education', rules.is_staff)
# Work Experience
rules.add_perm('applications.view_workexperience', rules.is_staff)
# Business Line
rules.add_perm('applications.view_businessline', rules.is_staff)
# References
rules.add_perm('applications.view_reference', rules.is_staff)
('anonymous', 'Anonymous'),
('reward__name', 'Reward'),
('name', 'Name'),
('activity__funding__deadline', 'Activity date'),
('created', 'Donation date'),
('updated', 'Last update'),
),
'resource_class': 'bluebottle.exports.resources.DonationResource',
'title': _('Funding contributions'),
}),
])
}
EXPORTDB_CONFIRM_FORM = 'bluebottle.exports.forms.ExportDBForm'
EXPORTDB_EXPORT_ROOT = os.path.join(MEDIA_ROOT, '%s', 'private', 'exports')
EXPORTDB_PERMISSION = rules.is_group_member('Staff') | rules.is_superuser
EXPORTDB_USE_CELERY = True
EXPORTDB_EXPORT_MEDIA_URL = os.path.join(MEDIA_URL, 'private/exports')
# maximum delta between from/to date for exports
EXPORT_MAX_DAYS = 366 * 3
TOKEN_AUTH_SETTINGS = 'bluebottle.clients.properties'
# FIXME: When caching is made tenant aware, re-enable fluent caching
FLUENT_CONTENTS_CACHE_OUTPUT = False
CACHE_MIDDLEWARE_SECONDS = 0
# Amounts shown in donation modal
DONATION_AMOUNTS = {
if change is not None and change.domain not in user.domains.all():
return False
return True
@rules.predicate
def is_not_domain_admin_of_own_domain(user):
return user.domain not in user.domains.all()
ADMINS = "admins"
DOMAIN_ADMINS = "domainadmins"
ACCOUNT_USERS = "accountusers"
is_admin = rules.Predicate(rules.is_group_member(ADMINS))
is_domain_admin = rules.Predicate(rules.is_group_member(DOMAIN_ADMINS))
is_account_user = rules.Predicate(
rules.is_group_member(ACCOUNT_USERS) | is_domain_admin &
is_not_domain_admin_of_own_domain)
rules.add_perm("djcyradm.is_admin", is_admin)
rules.add_perm("djcyradm.is_domain_admin", is_domain_admin)
rules.add_perm("djcyradm.is_account_user", is_account_user)
rules.add_perm("djcyradm.is_in_djcyradm_group", is_admin |
is_domain_admin | is_account_user)
rules.add_perm('djcyradm.change_mailusers', is_admin & user_is_not_main_admin |
is_domain_admin & is_domain_admin_of_domain)
post_migrate.connect(create_groups, weak=False)
if settings.DJANGO_AUTH_TYPE == 'BASIC':
from .auth_basic import create_user
post_save.connect(create_user, sender=User)
elif settings.DJANGO_AUTH_TYPE == 'LDAP':
import django_auth_ldap.backend
from .auth_ldap import create_user
django_auth_ldap.backend.populate_user.connect(create_user)
# AUTH PREDICATES
has_admin_role = rules.is_group_member(str(AUTH_ROLE.ADMIN))
has_user_role = rules.is_group_member(str(AUTH_ROLE.USER))
has_annotator_role = rules.is_group_member(str(AUTH_ROLE.ANNOTATOR))
has_observer_role = rules.is_group_member(str(AUTH_ROLE.OBSERVER))
@rules.predicate
def is_task_owner(db_user, db_task):
# If owner is None (null) the task can be accessed/changed/deleted
# only by admin. At the moment each task has an owner.
return db_task.owner == db_user
@rules.predicate
def is_task_assignee(db_user, db_task):
return db_task.assignee == db_user
from __future__ import absolute_import
import rules
#from .predicates import *
##@rules.predicate
#def is_company_guest(user,company):
# return user in company.managers.all()
@rules.predicate
def is_authenticated(user):
return user.is_authenticated()
@rules.predicate
def is_editors_group(user):
return user.groups.filter(name='CompanyEditors').exists()
can_change_entry = rules.has_perm('company.views_entry')
is_editors = rules.is_group_member('CompanyEditors')
is_guest = rules.is_group_member('CompanyGuest')
#rules.add_perm('Company', is_editors)
rules.add_perm('company', rules.is_authenticated)
rules.add_perm('company.views_entry', is_editors_group)
#rules.add_perm('Company.change_Company12', is_company_manager) # | is_superuser
