def get_admin_role(self, instance, name, slug, ou=None, operation=ADMIN_OP,
                   update_name=False, update_slug=False, permissions=(),
                   self_administered=False):
    """Get or create the role of the managers of this object instance.

    A permission for ``operation`` targeting ``instance`` is fetched or
    created, the role mirroring that permission is obtained through
    ``self.get_mirror_role``, and the role is then linked to that
    permission, to every entry of ``permissions`` and, when
    ``self_administered`` is true, to the permission returned by
    ``add_self_administration()``.

    The synchronisation is additive only: permissions already attached to
    the role but absent from the requested set are left in place, so a
    later call with a narrower set (or with ``self_administered=False``)
    does not revoke anything.
    """
    # Scope the permission to the explicit OU, else to the instance's own
    # OU, else to "no OU".
    resolved_ou = ou or getattr(instance, 'ou', None)
    if resolved_ou:
        ou = resolved_ou
        scope = {'ou': ou}
    else:
        scope = {'ou__isnull': True}

    # find an operation matching the template
    operation_obj = get_operation(operation)
    permission_model = rbac_utils.get_permission_model()
    admin_perm, _ = permission_model.objects.get_or_create(
        operation=operation_obj,
        target_ct=ContentType.objects.get_for_model(instance),
        target_id=instance.pk,
        **scope)

    admin_role = self.get_mirror_role(
        admin_perm, name, slug,
        ou=ou,
        update_name=update_name,
        update_slug=update_slug)

    wanted = set(permissions)
    wanted.add(admin_perm)
    if self_administered:
        wanted.add(admin_role.add_self_administration())

    # Links are only written when the attached set differs from the wanted
    # one; get_or_create adds the missing links and never deletes extras.
    if set(admin_role.permissions.all()) != wanted:
        link_model = admin_role.permissions.through
        for wanted_perm in wanted:
            link_model.objects.get_or_create(role=admin_role, permission=wanted_perm)
    return admin_role
def has_self_administration(self, op=CHANGE_OP):
    """Tell whether this role holds the ``op`` permission targeting itself.

    Returns True when the permission for ``op`` (``CHANGE_OP`` by default)
    whose target is this very object is among ``self.permissions``.
    """
    permission_model = rbac_utils.get_permission_model()
    operation_obj = rbac_utils.get_operation(op)
    # NOTE(review): get_or_create means this read-style check inserts the
    # permission row when it does not exist yet, so it writes to the
    # database even when the answer is False.
    own_perm, _ = permission_model.objects.get_or_create(
        operation=operation_obj,
        target_ct=ContentType.objects.get_for_model(self),
        target_id=self.pk)
    attached = self.permissions.filter(pk=own_perm.pk)
    return attached.exists()
def get_search_ou_perm(ou=None):
    """Get or create the ``SEARCH_OP`` permission on one OU or on the OU model.

    With a truthy ``ou`` the permission targets that object.  Otherwise it
    targets the ContentType row of the OU model, i.e. the model as a whole
    rather than one instance.  In both cases the permission itself is looked
    up with ``ou__isnull=True``, so it is never scoped to an OU.
    """
    if ou:
        target = ou
    else:
        # No specific OU: the target is the ContentType describing the OU
        # model, whose own content type is that of ContentType.
        target = ContentType.objects.get_for_model(rbac_utils.get_ou_model())

    permission_model = rbac_utils.get_permission_model()
    search_perm, _ = permission_model.objects.get_or_create(
        operation=rbac_utils.get_operation(SEARCH_OP),
        target_ct=ContentType.objects.get_for_model(target),
        target_id=target.pk,
        ou__isnull=True)
    return search_perm
def add_self_administration(self, op=CHANGE_OP):
    """Add permission to role so that it is self-administered.

    Fetches or creates the permission for ``op`` (``CHANGE_OP`` by default)
    targeting this object, attaches it to ``self.permissions`` and returns
    it.
    """
    # NOTE(review): presumably this lets holders of the role modify the
    # role itself (its membership included); confirm against the
    # permission checks before enabling it on a privileged role.
    permission_model = rbac_utils.get_permission_model()
    own_perm, _ = permission_model.objects.get_or_create(
        operation=rbac_utils.get_operation(op),
        target_ct=ContentType.objects.get_for_model(self),
        target_id=self.pk)
    self.permissions.add(own_perm)
    return own_perm
def add_self_administration(self, op=CHANGE_OP):
    """Add permission to role so that it is self-administered.

    Fetches or creates the permission for ``op`` (``CHANGE_OP`` by default)
    targeting this object, links it to the role through the
    ``permissions`` through-model and returns it.
    """
    # NOTE(review): presumably this lets holders of the role modify the
    # role itself (its membership included); confirm against the
    # permission checks before enabling it on a privileged role.
    permission_model = rbac_utils.get_permission_model()
    own_perm, _ = permission_model.objects.get_or_create(
        operation=rbac_utils.get_operation(op),
        target_ct=ContentType.objects.get_for_model(self),
        target_id=self.pk)
    # The link row is written with get_or_create on the through model, so
    # an already existing link is reused rather than duplicated.
    link_model = self.permissions.through
    link_model.objects.get_or_create(role=self, permission=own_perm)
    return own_perm
def get_view_user_perm(ou=None):
    """Get or create the ``VIEW_OP`` permission on the user model.

    The target is the ContentType row of the user model, i.e. the model as
    a whole rather than one user.  With ``ou=None`` the permission is not
    tied to any OU; otherwise it is scoped to ``ou``.
    """
    user_model = get_user_model()
    permission_model = rbac_utils.get_permission_model()
    # Both keys are always passed: ou__isnull states whether a scope is
    # expected and ou carries the scope (or None).
    scope = {'ou__isnull': ou is None, 'ou': ou}
    user_perm, _ = permission_model.objects.get_or_create(
        operation=rbac_utils.get_operation(VIEW_OP),
        target_ct=ContentType.objects.get_for_model(ContentType),
        target_id=ContentType.objects.get_for_model(user_model).pk,
        **scope)
    return user_perm
def create_default_permissions(app_config, verbosity=2, interactive=True,
                               using=DEFAULT_DB_ALIAS, **kwargs):
    """Look up the account-management operations under the default language.

    Does nothing when the router refuses migrations of the OU model on the
    ``using`` database.  Otherwise ``get_operation`` is called for the
    change-password, reset-password, activate and change-email operations
    while ``settings.LANGUAGE_CODE`` is the active translation.
    """
    # NOTE(review): the signature looks like a post_migrate receiver and
    # get_operation presumably creates missing operations; confirm both
    # where this function is connected.
    from .models import CHANGE_PASSWORD_OP, RESET_PASSWORD_OP, ACTIVATE_OP, CHANGE_EMAIL_OP

    migration_allowed = router.allow_migrate(using, get_ou_model())
    if migration_allowed:
        with override(settings.LANGUAGE_CODE):
            for operation_tpl in (CHANGE_PASSWORD_OP, RESET_PASSWORD_OP,
                                  ACTIVATE_OP, CHANGE_EMAIL_OP):
                get_operation(operation_tpl)