Example #1
 def get_admin_role(self, instance, name, slug, ou=None, operation=ADMIN_OP,
                    update_name=False, update_slug=False, permissions=(),
                    self_administered=False):
     '''Get or create the role administering ``instance``.

     A permission for ``operation`` on ``instance`` is fetched or created,
     then the role mirroring that permission is obtained through
     ``get_mirror_role``.  The role is given that permission, every entry
     of ``permissions`` and, when ``self_administered`` is true, the
     permission returned by ``add_self_administration()``.

     The permission is scoped to ``ou`` if given, else to ``instance.ou``
     when it is set; otherwise only permissions with a null ``ou`` match.

     Synchronisation is additive: missing role/permission links are
     created, but permissions already attached to the role and absent
     from the expected set are left in place.
     '''
     scope = {}
     effective_ou = ou or getattr(instance, 'ou', None)
     if effective_ou:
         ou = scope['ou'] = effective_ou
     else:
         # no organizational unit at all: match only unscoped permissions
         scope['ou__isnull'] = True

     # resolve the operation template into an operation object
     operation_obj = get_operation(operation)
     permission_model = rbac_utils.get_permission_model()
     instance_ct = ContentType.objects.get_for_model(instance)
     admin_perm, _ = permission_model.objects.get_or_create(
         operation=operation_obj,
         target_ct=instance_ct,
         target_id=instance.pk,
         **scope)

     role = self.get_mirror_role(
         admin_perm, name, slug,
         ou=ou,
         update_name=update_name,
         update_slug=update_slug)

     expected = set(permissions)
     expected.add(admin_perm)
     if self_administered:
         expected.add(role.add_self_administration())

     if set(role.permissions.all()) == expected:
         return role

     # NOTE(review): links are only ever added here; a permission that was
     # granted earlier and is no longer expected is not revoked.
     link_manager = role.permissions.through.objects
     for wanted in expected:
         link_manager.get_or_create(role=role, permission=wanted)
     return role
Example #2
 def has_self_administration(self, op=CHANGE_OP):
     '''Tell whether this role holds the ``op`` permission on itself.

     The permission targeting this role (its content type and primary
     key) for operation ``op`` is looked up with ``get_or_create``, so
     calling this check inserts the permission row when it does not
     exist yet.  The result is true only if that permission is among
     ``self.permissions``.
     '''
     permission_model = rbac_utils.get_permission_model()
     operation = rbac_utils.get_operation(op)
     own_ct = ContentType.objects.get_for_model(self)
     # NOTE(review): the lookup does not constrain ``ou``; confirm the
     # permission model guarantees a single match for these three fields.
     own_perm, _ = permission_model.objects.get_or_create(
         operation=operation,
         target_ct=own_ct,
         target_id=self.pk)
     held = self.permissions.filter(pk=own_perm.pk)
     return held.exists()
Example #3
def get_search_ou_perm(ou=None):
    '''Return the search permission for ``ou`` or for the whole OU model.

    With a truthy ``ou`` the permission targets that object directly.
    Otherwise it targets the ``ContentType`` row of the OU model returned
    by ``rbac_utils.get_ou_model()``.  In both cases the permission
    itself is looked up with a null ``ou`` and created when missing.
    '''
    if ou:
        target_ct = ContentType.objects.get_for_model(ou)
        target_id = ou.pk
    else:
        # no specific OU: point at the content type entry of the OU model
        ou_model = rbac_utils.get_ou_model()
        target_ct = ContentType.objects.get_for_model(ContentType)
        target_id = ContentType.objects.get_for_model(ou_model).pk

    permission_model = rbac_utils.get_permission_model()
    search_perm, _ = permission_model.objects.get_or_create(
        operation=rbac_utils.get_operation(SEARCH_OP),
        target_ct=target_ct,
        target_id=target_id,
        ou__isnull=True)
    return search_perm
Example #4
 def add_self_administration(self, op=CHANGE_OP):
     '''Grant this role the ``op`` permission on itself and return it.

     The permission targeting this role (its content type and primary
     key) for operation ``op`` is fetched or created, then added to
     ``self.permissions``.
     '''
     permission_model = rbac_utils.get_permission_model()
     operation = rbac_utils.get_operation(op)
     own_ct = ContentType.objects.get_for_model(self)
     own_perm, _ = permission_model.objects.get_or_create(
         operation=operation,
         target_ct=own_ct,
         target_id=self.pk)
     self.permissions.add(own_perm)
     return own_perm
Example #5
 def add_self_administration(self, op=CHANGE_OP):
     '''Grant this role the ``op`` permission on itself and return it.

     The permission targeting this role (its content type and primary
     key) for operation ``op`` is fetched or created.  The role is then
     linked to it through the ``permissions`` intermediate model, using
     ``get_or_create`` so an existing link is reused.
     '''
     permission_model = rbac_utils.get_permission_model()
     operation = rbac_utils.get_operation(op)
     own_ct = ContentType.objects.get_for_model(self)
     own_perm, _ = permission_model.objects.get_or_create(
         operation=operation,
         target_ct=own_ct,
         target_id=self.pk)
     link_manager = self.permissions.through.objects
     link_manager.get_or_create(role=self, permission=own_perm)
     return own_perm
Example #6
def get_view_user_perm(ou=None):
    '''Return the view permission on the user model, scoped to ``ou``.

    The permission targets the ``ContentType`` row of the user model
    rather than a single user.  When ``ou`` is ``None`` the lookup asks
    for a null ``ou``; otherwise it asks for that ``ou``.  The permission
    is created when no match exists.
    '''
    user_model = get_user_model()
    permission_model = rbac_utils.get_permission_model()
    unscoped = ou is None
    perm, _ = permission_model.objects.get_or_create(
        operation=rbac_utils.get_operation(VIEW_OP),
        target_ct=ContentType.objects.get_for_model(ContentType),
        target_id=ContentType.objects.get_for_model(user_model).pk,
        ou__isnull=unscoped,
        ou=ou)
    return perm
def create_default_permissions(app_config,
                               verbosity=2,
                               interactive=True,
                               using=DEFAULT_DB_ALIAS,
                               **kwargs):
    '''Make sure the account-management operations exist.

    Nothing is done when the router does not allow migrating the OU
    model on database ``using``.  Otherwise ``get_operation`` is called
    for the change-password, reset-password, activate and change-email
    operation templates, with translations overridden to
    ``settings.LANGUAGE_CODE`` for the duration of the calls.
    '''
    from .models import CHANGE_PASSWORD_OP, RESET_PASSWORD_OP, ACTIVATE_OP, CHANGE_EMAIL_OP

    if not router.allow_migrate(using, get_ou_model()):
        return

    default_operations = (
        CHANGE_PASSWORD_OP,
        RESET_PASSWORD_OP,
        ACTIVATE_OP,
        CHANGE_EMAIL_OP,
    )
    with override(settings.LANGUAGE_CODE):
        for operation_template in default_operations:
            get_operation(operation_template)