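def security(db, **kw):
    """ Register the "External" role and the permissions it carries.

        External users get:

        - View on a fixed set of lookup classes (area, keyword, status,
          ...) plus the optional fault_frequency / kpm_* /
          ext_tracker_type classes when the schema defines them
          (kpm is the only one that additionally gets Edit);
        - View on a few properties of user, category and user_status;
        - link permissions on file and msg;
        - conditional View/Edit on issue, granted either because the
          user's external_company is in the issue's external_company
          list, or because the user is on the issue's external_users
          list (searched upwards along part_of);
        - self-service Edit/View on parts of their own user record;
        - Create/Search/View on file, issue, msg and query as listed
          below, plus Web and Email access.

        ``db`` is the tracker database.  ``kw`` is accepted for
        interface compatibility with the other security hooks and is
        not used here.
    """
    roles = \
        [ ("External"      , "External user with less access")
        ]

    #     classname            roles allowed to View   / Edit
    classes = \
        [ ("area",              ["External"],    [])
        , ("doc_issue_status",  ["External"],    [])
        , ("keyword",           ["External"],    [])
        , ("kind",              ["External"],    [])
        , ("msg_keyword",       ["External"],    [])
        , ("severity",          ["External"],    [])
        , ("status",            ["External"],    [])
        , ("status_transition", ["External"],    [])
        , ("ext_tracker_state", ["External"],    [])
        , ("safety_level",      ["External"],    [])
        , ("test_level",        ["External"],    [])
        ]
    # Optional classes: only registered when the schema defines them.
    # Note that kpm is the only class External may also Edit.
    optional_classes = \
        [ ("fault_frequency",   ["External"],    [])
        , ("kpm",               ["External"],    ["External"])
        , ("kpm_function",      ["External"],    [])
        , ("kpm_hw_variant",    ["External"],    [])
        , ("kpm_occurrence",    ["External"],    [])
        , ("kpm_release",       ["External"],    [])
        , ("kpm_tag",           ["External"],    [])
        , ("ext_tracker_type",  ["External"],    [])
        ]
    for spec in optional_classes:
        if spec[0] in db.classes:
            classes.append(spec)

    # Property-restricted View: External sees only these properties of
    # other users / categories / user states.
    prop_perms = \
        [ ( "user",        "View", ["External"]
          , ("username", "nickname", "status")
          )
        , ( "category",    "View", ["External"]
          , ("name", "id")
          )
        , ( "user_status", "View", ["External"]
          , ("name", )
          )
        ]
    linkperms = \
        [ ("file", ["External"], ['View'], linkclass_iter (db, "file"))
        , ("msg",  ["External"], ['View'], linkclass_iter (db, "msg"))
        ]

    schemadef.register_roles(db, roles)
    schemadef.register_class_permissions(db, classes, prop_perms)
    core.register_linkperms(db, linkperms)

    # Issue properties the conditional permissions below must never
    # expose to External users.  external_users is added back only for
    # the ext_user_access permission (see below).
    exceptions = frozenset \
        (('external_company', 'confidential', 'external_users', 'inherit_ext'))
    # Iterate the props dict directly: works on Python 2 and 3 alike.
    issue_props = [p for p in db.issue.getprops() if p not in exceptions]

    if 'external_company' in db.issue.properties:

        def ext_company_access(db, userid, itemid):
            """ Users are allowed to access issue
                if their external company has access
            """
            ec  = db.user.get(userid, 'external_company')
            ecs = db.issue.get(itemid, 'external_company')
            # A user without an external_company never matches, an issue
            # without one grants nothing.
            return bool(ec and ecs and ec in ecs)

        # end def ext_company_access

        for perm in ('View', 'Edit'):
            p = db.security.addPermission \
                ( name        = perm
                , klass       = 'issue'
                , check       = ext_company_access
                , description = schemadef.security_doc_from_docstring
                    (ext_company_access.__doc__)
                # hand each permission its own copy: the Permission keeps
                # a reference to the list it is given
                , properties  = list(issue_props)
                )
            db.security.addPermissionToRole('External', p)

    if 'external_users' in db.issue.properties:
        # Listed external users may additionally see external_users
        # itself.  Build a separate list rather than appending to
        # issue_props: the company-based permissions above were created
        # from that same list object, and mutating it afterwards could
        # widen them as well (depending on whether the roundup version
        # snapshots the properties list at construction).
        ext_user_props = issue_props + ['external_users']

        def ext_user_access(db, userid, itemid):
            """ External users are allowed to access issue
                if they are on the list of allowed external users or
                there is a transitive permission via containers.
            """
            seen = set()
            current = itemid
            # Walk up the part_of chain.  A cycle in part_of would
            # otherwise spin forever inside a permission check, so refuse
            # to revisit an issue id.
            while current not in seen:
                seen.add(current)
                issue = db.issue.getnode(current)
                if issue.external_users and userid in issue.external_users:
                    return True
                if not issue.part_of:
                    break
                # check parent permissions for non-container or if the
                # container defines inherit_ext
                if issue.composed_of and not issue.inherit_ext:
                    break
                current = issue.part_of
            return False

        # end def ext_user_access

        for perm in ('View', 'Edit'):
            p = db.security.addPermission \
                ( name        = perm
                , klass       = 'issue'
                , check       = ext_user_access
                , description = schemadef.security_doc_from_docstring
                    (ext_user_access.__doc__)
                , properties  = ext_user_props
                )
            db.security.addPermissionToRole('External', p)

    # Policy: being on the nosy list *never* grants External any rights.
    # The block is kept (disabled) so the decision stays visible; if it is
    # ever enabled, note that issue_props does not include external_users.
    if False:

        def is_on_nosy(db, userid, itemid):
            "User is allowed to access issue if on nosy list"
            item = db.issue.getnode(itemid)
            return userid in item.nosy

        # end def is_on_nosy

        for perm in ('View', 'Edit'):
            p = db.security.addPermission \
                ( name        = perm
                , klass       = 'issue'
                , check       = is_on_nosy
                , description = schemadef.security_doc_from_docstring
                    (is_on_nosy.__doc__)
                , properties  = issue_props
                )
            db.security.addPermissionToRole('External', p)

    # Self-service on the own user record: a small Edit set (including
    # password) and a small View set.
    p = db.security.addPermission \
        ( name        = 'Edit'
        , klass       = 'user'
        , check       = schemadef.own_user_record
        , description = "Users are allowed to edit some of their details"
        , properties  = ( "password", "timezone", "csv_delimiter"
                        , "hide_message_files"
                        )
        )
    db.security.addPermissionToRole('External', p)
    p = db.security.addPermission \
        ( name        = 'View'
        , klass       = 'user'
        , check       = schemadef.own_user_record
        , description = "Users are allowed to view some of their details"
        , properties  =
            ( "username", "realname", "firstname", "lastname"
            , "creation", "creator", "activity", "actor"
            )
        )
    db.security.addPermissionToRole('External', p)

    # file: create, search, and view subject to core.view_file
    p = db.security.getPermission('Create', 'file')
    db.security.addPermissionToRole('External', p)
    p = db.security.getPermission('Search', 'file')
    db.security.addPermissionToRole('External', p)
    p = db.security.getPermission('View', 'file', check=core.view_file)
    db.security.addPermissionToRole('External', p)

    # issue: create and search (View/Edit are the conditional ones above)
    p = db.security.getPermission('Create', 'issue')
    db.security.addPermissionToRole('External', p)
    p = db.security.getPermission('Search', 'issue')
    db.security.addPermissionToRole('External', p)
    # need search permission on username + id if we want to search for
    # user Link/Multilink properties on issue (e.g. responsible, nosy, ..)
    p = db.security.addPermission \
        ( name        = 'Search'
        , klass       = 'user'
        , properties  = ("username", "nickname", "id")
        )
    db.security.addPermissionToRole('External', p)
    # Need search-permission on ext_tracker_state
    p = db.security.addPermission \
        ( name        = 'Search'
        , klass       = 'ext_tracker_state'
        , properties  = ("issue", "id")
        )
    db.security.addPermissionToRole('External', p)

    p = db.security.getPermission('View', 'ext_tracker')
    db.security.addPermissionToRole('External', p)

    p = db.security.getPermission('Create', 'msg')
    db.security.addPermissionToRole('External', p)
    p = db.security.getPermission('Search', 'msg')
    db.security.addPermissionToRole('External', p)

    # query: full lifecycle on the user's own queries (core.edit_query /
    # core.view_query decide ownership)
    p = db.security.getPermission('Create', 'query')
    db.security.addPermissionToRole('External', p)
    p = db.security.getPermission('Edit', 'query', check=core.edit_query)
    db.security.addPermissionToRole('External', p)
    p = db.security.getPermission('Retire', 'query', check=core.edit_query)
    db.security.addPermissionToRole('External', p)
    p = db.security.getPermission('Search', 'query')
    db.security.addPermissionToRole('External', p)
    p = db.security.getPermission('View', 'query', check=core.view_query)
    db.security.addPermissionToRole('External', p)

    db.security.addPermissionToRole('External', 'Web Access')
    db.security.addPermissionToRole('External', 'Email Access')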
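def security(db, **kw):
    """ Register the "Readonly-User" role and the permissions it carries.

        Readonly users get:

        - View on a fixed set of lookup classes (area, keyword, status,
          ...) plus the optional fault_frequency / kpm_* /
          ext_tracker_type classes when the schema defines them;
        - View on a few properties of user, category and user_status;
        - link permissions on file and msg;
        - conditional View (never Edit) on issue when the user is on the
          issue's external_users list, searched upwards along part_of;
        - self-service Edit/View on parts of their own user record
          (no password edit);
        - Search on file, issue, msg and the user/ext_tracker_state
          lookups needed for issue searches, View on file and
          ext_tracker, plus Web and Email access.

        ``db`` is the tracker database.  ``kw`` is accepted for
        interface compatibility with the other security hooks and is
        not used here.
    """
    roles = \
        [ ("Readonly-User"      , "User with less access")
        ]

    #     classname            roles allowed to View        / Edit
    classes = \
        [ ("area",              ["Readonly-User"],    [])
        , ("doc_issue_status",  ["Readonly-User"],    [])
        , ("keyword",           ["Readonly-User"],    [])
        , ("kind",              ["Readonly-User"],    [])
        , ("msg_keyword",       ["Readonly-User"],    [])
        , ("severity",          ["Readonly-User"],    [])
        , ("status",            ["Readonly-User"],    [])
        , ("status_transition", ["Readonly-User"],    [])
        , ("ext_tracker_state", ["Readonly-User"],    [])
        , ("safety_level",      ["Readonly-User"],    [])
        , ("test_level",        ["Readonly-User"],    [])
        ]
    # Optional classes: only registered when the schema defines them.
    optional_classes = \
        [ ("fault_frequency",   ["Readonly-User"],    [])
        , ("kpm",               ["Readonly-User"],    [])
        , ("kpm_function",      ["Readonly-User"],    [])
        , ("kpm_hw_variant",    ["Readonly-User"],    [])
        , ("kpm_occurrence",    ["Readonly-User"],    [])
        , ("kpm_release",       ["Readonly-User"],    [])
        , ("kpm_tag",           ["Readonly-User"],    [])
        , ("ext_tracker_type",  ["Readonly-User"],    [])
        ]
    for spec in optional_classes:
        if spec[0] in db.classes:
            classes.append(spec)

    # Property-restricted View on other users / categories / user states.
    prop_perms = \
        [ ( "user",        "View", ["Readonly-User"]
          , ("username", "nickname", "status")
          )
        , ( "category",    "View", ["Readonly-User"]
          , ("name", "id")
          )
        , ( "user_status", "View", ["Readonly-User"]
          , ("name", )
          )
        ]
    linkperms = \
        [ ("file", ["Readonly-User"], ['View'], linkclass_iter (db, "file"))
        , ("msg",  ["Readonly-User"], ['View'], linkclass_iter (db, "msg"))
        ]

    schemadef.register_roles(db, roles)
    schemadef.register_class_permissions(db, classes, prop_perms)
    core.register_linkperms(db, linkperms)

    # Issue properties the conditional View below must never expose.
    # external_users itself is *not* excluded: a listed readonly user may
    # see who else is listed.
    exceptions = frozenset(('external_company', 'confidential'))
    # Iterate the props dict directly: works on Python 2 and 3 alike.
    issue_props = [p for p in db.issue.getprops() if p not in exceptions]

    if 'external_users' in db.issue.properties:

        def ro_user_access(db, userid, itemid):
            """ Read-only users are allowed to view issue
                if they are on the list of allowed external users or
                there is a transitive permission via containers.
            """
            seen = set()
            current = itemid
            # Walk up the part_of chain unconditionally (this check does
            # not consult composed_of / inherit_ext).  A cycle in part_of
            # would otherwise spin forever inside a permission check, so
            # refuse to revisit an issue id.
            while current not in seen:
                seen.add(current)
                issue = db.issue.getnode(current)
                if issue.external_users and userid in issue.external_users:
                    return True
                if not issue.part_of:
                    break
                current = issue.part_of
            return False

        # end def ro_user_access

        p = db.security.addPermission \
            ( name        = 'View'
            , klass       = 'issue'
            , check       = ro_user_access
            , description = schemadef.security_doc_from_docstring
                (ro_user_access.__doc__)
            , properties  = issue_props
            )
        db.security.addPermissionToRole('Readonly-User', p)

    # Self-service on the own user record.  Deliberately no "password"
    # in the Edit set for this role.
    p = db.security.addPermission \
        ( name        = 'Edit'
        , klass       = 'user'
        , check       = schemadef.own_user_record
        , description = "Users are allowed to edit some of their details"
        , properties  = ("timezone", "csv_delimiter", "hide_message_files")
        )
    db.security.addPermissionToRole('Readonly-User', p)
    p = db.security.addPermission \
        ( name        = 'View'
        , klass       = 'user'
        , check       = schemadef.own_user_record
        , description = "Users are allowed to view some of their details"
        , properties  =
            ( "username", "realname", "firstname", "lastname"
            , "creation", "creator", "activity", "actor"
            )
        )
    db.security.addPermissionToRole('Readonly-User', p)

    # file: search, and view subject to core.view_file (no Create)
    p = db.security.getPermission('Search', 'file')
    db.security.addPermissionToRole('Readonly-User', p)
    p = db.security.getPermission('View', 'file', check=core.view_file)
    db.security.addPermissionToRole('Readonly-User', p)

    # issue: search only (View is the conditional one above, no Create)
    p = db.security.getPermission('Search', 'issue')
    db.security.addPermissionToRole('Readonly-User', p)
    # need search permission on username + id if we want to search for
    # user Link/Multilink properties on issue (e.g. responsible, nosy, ..)
    p = db.security.addPermission \
        ( name        = 'Search'
        , klass       = 'user'
        , properties  = ("username", "nickname", "id")
        )
    db.security.addPermissionToRole('Readonly-User', p)
    # Need search-permission on ext_tracker_state
    p = db.security.addPermission \
        ( name        = 'Search'
        , klass       = 'ext_tracker_state'
        , properties  = ("issue", "id")
        )
    db.security.addPermissionToRole('Readonly-User', p)

    p = db.security.getPermission('View', 'ext_tracker')
    db.security.addPermissionToRole('Readonly-User', p)

    # msg: search only (View comes via the link permissions above)
    p = db.security.getPermission('Search', 'msg')
    db.security.addPermissionToRole('Readonly-User', p)

    db.security.addPermissionToRole('Readonly-User', 'Web Access')
    db.security.addPermissionToRole('Readonly-User', 'Email Access')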
def security (db, ** kw) :
    """ Permission setup for the regular "User" role.

        See the configuration and customisation document for the overall
        security model.  This hook gives regular users: View on
        user_status; Create on file and msg; View on their own messages
        and files (plus the link permissions on file/msg); Search on
        file, msg and query; Create/View/Edit/Retire on their own
        queries; and access to the web, email, REST and XML-RPC
        interfaces.

        ``db`` is the tracker database.  ``kw`` is accepted for
        interface compatibility with the other security hooks and is
        not used here.
    """

    # Query access is handled separately further down, hence no roles
    # for it here.
    #     classname        allowed to view   /  edit
    classes = \
        [ ("user_status", ["User"],  [])
        , ("query",       [],        [])
        ]

    link_specs = \
        [ ("file", ['User'],      ['View', 'Edit'], linkclass_iter (db, "file"))
        , ("file", ['IT'],        ['View', 'Edit'], linkclass_iter (db, "file"))
        , ("msg",  ['User'],              ['View'], linkclass_iter (db, "msg"))
        , ("msg",  ['Issue_Admin', 'IT'], ['Edit'], linkclass_iter (db, "msg"))
        ]

    schemadef.register_class_permissions (db, classes, [])
    # Regular users may create attachments and messages.
    for cls in ('file', 'msg'):
        db.security.addPermissionToRole ('User', 'Create', cls)

    def view_msg(db, userid, itemid):
        """ The creator of a message may view it. """
        return db.msg.get(itemid, 'creator') == userid
    # end def view_msg

    def grant(**spec):
        """ Register a permission from ``spec`` and give it to User. """
        perm = db.security.addPermission(**spec)
        db.security.addPermissionToRole('User', perm)
    # end def grant

    grant \
        ( name        = 'View'
        , klass       = 'msg'
        , check       = view_msg
        , description = "User is allowed to view their own messages"
        )
    grant \
        ( name        = 'Search'
        , klass       = 'msg'
        , description = "User is allowed to search for their own messages"
        )
    grant \
        ( name        = 'View'
        , klass       = 'file'
        , check       = view_file
        , description = "User is allowed to view their own files"
        )

    register_linkperms (db, link_specs)
    grant \
        ( name        = 'Search'
        , klass       = 'file'
        , description = "User is allowed to search for their own files"
        )


    ### Query permissions ###

    # Ownership checks (view_query / edit_query) decide which queries a
    # user may see, change or retire; creating and searching are
    # unconditional.
    query_perms = \
        [ dict ( name        = 'Search'
               , klass       = 'query'
               , description = "User is allowed to search for their queries"
               )
        , dict ( name        = 'View'
               , klass       = 'query'
               , check       = view_query
               , description = schemadef.security_doc_from_docstring
                   (view_query.__doc__)
               )
        , dict ( name        = 'Edit'
               , klass       = 'query'
               , check       = edit_query
               , description = "User is allowed to edit their queries"
               )
        , dict ( name        = 'Retire'
               , klass       = 'query'
               , check       = edit_query
               , description = "User is allowed to retire their queries"
               )
        , dict ( name        = 'Create'
               , klass       = 'query'
               , description = "User is allowed to create queries"
               )
        ]
    for spec in query_perms:
        grant(**spec)

    # and give the regular users access to the web and email interface
    # as well as to the programmatic (REST / XML-RPC) ones
    for access in ('Web Access', 'Email Access', 'Rest Access', 'Xmlrpc Access'):
        db.security.addPermissionToRole ('User', access)