def security (db, ** kw) : roles = \ [ ("Discount" , "Allowed to add/change discounts") , ("Letter" , "Allowed to add/change templates and letters") , ("Product" , "Allowed to add/change product data") ] classes = \ [ ("address", ["User"], ["Contact"]) , ("bank_account", ["User"], ["Contact"]) , ("cust_supp", ["User"], ["Contact"]) , ("customer_group", ["User"], []) , ("customer_status", ["User"], []) , ("customer_type", ["User"], []) , ("discount_group", ["User"], ["Discount"]) , ("dispatch_type", ["User"], []) , ("group_discount", ["User"], ["Discount"]) , ("invoice_dispatch", ["User"], []) , ("letter", ["User"], ["Letter"]) , ("measuring_unit", ["User"], []) , ("overall_discount", ["User"], ["Discount"]) , ("packaging_unit", ["User"], []) , ("pharma_ref", ["User"], []) , ("proceeds_group", ["User"], []) , ("product", ["User"], ["Product"]) , ("product_group", ["User"], ["Product"]) , ("product_status", ["User"], []) , ("sales_conditions", ["User"], []) , ("shelf_life_code", ["User"], []) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) : roles = \ [ ("Guest", "Allowed to view everything") , ("Logger", "Allowed to add and change measurements") ] classes = \ [ ("device", ["User", "Guest", "Logger"], ["Logger"]) , ("device_group", ["User", "Guest", "Logger"], ["User"]) , ("logstyle", ["User", "Guest", "Logger"], []) , ("measurement", ["User", "Guest", "Logger"], ["Logger"]) , ("sensor", ["User", "Guest", "Logger"], ["Logger"]) , ("transceiver", ["User", "Guest", "Logger"], ["Logger"]) , ("alarm", ["User", "Guest", "Logger"], ["User", "Logger"]) ] prop_perms = \ [ ( "device", "Edit", ["User"] , ( "name", "sint", "mint", "gapint", "rec", "device_group" , "mint_pending", "sint_pending" ) ) , ( "sensor", "Edit", ["User"] , ("almin", "almax", "do_logging" ) ) , ( "transceiver", "Edit", ["User"] , ("name", "tty", "sint", "mint", "mint_pending", "sint_pending") ) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms)
def security(db, **kw): roles = \ [ ("Contact" , "Allowed to add/change address data") ] classes = \ [ ("file", ["User", "Adr_Readonly"], ["User"]) , ("msg", ["User", "Adr_Readonly"], ["User"]) , ("address", ["Contact", "Adr_Readonly", "User"], ["User"]) , ("contact", ["Contact", "Adr_Readonly", "User"], ["Contact"]) , ("weekday", ["Contact", "Adr_Readonly", "User"], []) , ("opening_hours", ["Contact", "Adr_Readonly", "User"], ["User"]) ] prop_perms = \ [ ( "user", "View", ["User"] , ( "activity", "actor", "address", "alternate_addresses" , "creation", "creator", "id", "queries", "realname" , "status", "timezone", "username" ) ) , ( "user", "View", ["Adr_Readonly"] , ( "username", "realname") ) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, prop_perms) schemadef.allow_user_details \ (db, 'User', 'Edit', 'address', 'alternate_addresses') schemadef.allow_user_details \ (db, 'Adr_Readonly', 'Edit', 'address', 'alternate_addresses')
def security (db, ** kw) : roles = \ [ ("Abo" , "Allowed to modify subscriptions") , ("Invoice" , "Allowed to change financial data") , ("Letter" , "Allowed to add/change templates and letters") , ("Product" , "Allowed to create/edit products") ] classes = \ [ ("abo_price" , ["User"], ["Product"]) , ("abo_type" , ["Abo", "Product", "Invoice"], ["Product", "Abo", "Invoice"]) , ("abo" , ["Abo", "Product", "Invoice"], ["Abo"]) , ("address" , ["User"], ["User"]) , ("contact_type" , ["User"], []) , ("currency" , ["User"], ["Product"]) , ("invoice_group" , ["Invoice"], ["Invoice"]) , ("invoice_template" , ["Invoice"], ["Invoice"]) , ("invoice" , ["Invoice"], ["Invoice"]) , ("letter" , ["User"], ["Abo", "Letter"]) , ("query" , ["User"], ["User"]) , ("tmplate" , ["User"], ["Abo", "Invoice", "Letter"]) , ("valid" , ["User"], []) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) : roles = \ [ ("MsgEdit", "Allowed to edit message properties") , ("MsgSync", "Allowed to sync message with ext. tracker") , ("Issue_Admin", "Admin for issue tracker") ] # classname allowed to view # allowed to edit classes = \ [ ("ext_tracker", ["User"], ["Issue_Admin"] ) , ("ext_msg", ["MsgEdit", "MsgSync"], ["MsgSync"] ) , ("ext_tracker_type", ["MsgEdit", "MsgSync", "User"], [] ) , ("ext_tracker_state", ["MsgEdit", "MsgSync", "User"], ["MsgSync", "User"] ) ] prop_perms = [] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) p = db.security.addPermission \ ( name = 'Search' , klass = 'msg' , properties = ("date", "id") ) db.security.addPermissionToRole ('MsgEdit', p) db.security.addPermissionToRole ('MsgSync', p)
def security (db, ** kw) : roles = \ [ ("IT" , "IT-Department" ) , ("ITView" , "View but not change IT data" ) ] # classname allowed to view / edit classes = \ [ ("alias", ["IT", "ITView"], ["IT"]) , ("dns_record_type", ["IT", "ITView"], []) , ("group", ["IT", "ITView"], ["IT"]) , ("ip_subnet", ["IT", "ITView"], ["IT"]) , ("machine", ["IT", "ITView"], ["IT"]) , ("machine_name", ["IT", "ITView"], ["IT"]) , ("network_address", ["IT", "ITView"], ["IT"]) , ("network_interface", ["IT", "ITView"], ["IT"]) , ("operating_system", ["IT", "ITView"], ["IT"]) , ("smb_domain", ["IT", "ITView"], ["IT"]) , ("smb_machine", ["IT", "ITView"], ["IT"]) ] prop_perms = \ [ ( "location", "Edit", ["IT"] , ("domain_part",) ) , ( "org_location", "Edit", ["IT"] , ("smb_domain", "dhcp_server", "domino_dn") ) , ( "organisation", "Edit", ["IT"] , ("domain_part",) ) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms)
def security(db, **kw): roles = \ [ ("Dom-User-Edit-GTT", "Edit/Create users with specific AD domain") ] # classname allowed to view / edit classes = \ [ ("job_log", ["User"], ["Dom-User-Edit-GTT"]) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, ())
def security (db, ** kw) : roles = \ [ ("Issue_Admin", "Admin for issue tracker") ] # classname allowed to view / edit classes = \ [ ("doc_issue_status", ["User"], ["Issue_Admin"]) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, ())
def security(db, **kw): roles = \ [ ("Issue_Admin", "Admin for issue tracker") , ("Nosy", "Allowed on nosy list") ] # classname allowed to view / edit classes = \ [ ("keyword", ["User"], ["Issue_Admin"]) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, ())
def security (db, ** kw) : roles = \ [ ("Contact" , "Allowed to add/change address data") ] classes = \ [ ("opening_hours" , ["User"], ["Contact"]) , ("weekday" , ["User"], []) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) : roles = \ [ ("Letter" , "Allowed to add/change templates and letters") ] classes = \ [ ("tmplate" , ["User"], ["Letter"]) , ("tmplate_status" , ["User"], []) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) : roles = [ ("SupportAdmin", "Customer support department") ] # classname allowed to view / edit classes = \ [ ("sup_status", ["User"], []) , ("sup_prio", ["User"], []) , ("sup_type", ["User"], []) , ("sup_warranty", ["User"], []) , ("sup_execution", ["User"], []) , ("business_unit", ["User"], []) , ("product", ["User"], []) , ("support", ["SupportAdmin"], ["SupportAdmin"]) , ("customer", ["User", "SupportAdmin"], ["SupportAdmin"]) , ("contact", ["User", "SupportAdmin"], ["SupportAdmin"]) , ("mailgroup", ["User", "SupportAdmin"], ["SupportAdmin", "IT"]) , ("sup_classification", ["User", "SupportAdmin"], ["SupportAdmin"]) , ("customer_agreement", ["User", "SupportAdmin"], ["SupportAdmin"]) , ("analysis_result", ["User", "SupportAdmin"], ["SupportAdmin"]) , ("return_type", ["User", "SupportAdmin"], ["SupportAdmin"]) ] if 'adr_type' in db.classes : classes.append (( "adr_type" , ["User", "SupportAdmin"] , ["SupportAdmin"] )) classes.append (( "adr_type_cat" , ["User", "SupportAdmin"] , ["SupportAdmin"] )) prop_perms = [] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) db.security.addPermissionToRole ('User', 'Create', 'support') db.security.addPermissionToRole ('SupportAdmin', 'Create', 'support') schemadef.register_confidentiality_check \ (db, 'User', 'support', ('View',)) exc_props = dict.fromkeys (('first_reply', 'satisfied')) props = dict (db.support.properties) for p in exc_props : del props [p] schemadef.register_confidentiality_check \ (db, 'User', 'support', ('Edit',), * props.keys ()) schemadef.register_nosy_classes (db, ['support']) schemadef.add_search_permission (db, 'support', 'User')
def security (db, ** kw) : roles = \ [ ("Invoice" , "Allowed to change financial data") ] classes = \ [ ("currency", ["User"], []) , ("invoice_template", ["Invoice"], ["Invoice"]) , ("payment", ["Invoice"], ["Invoice"]) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, [])
def security(db, **kw): roles = \ [ ("Contact" , "Allowed to add/change address data") ] classes = \ [ ("contact_type", ["User"], []) , ("contact", ["User"], ["Contact"]) ] if 'adr_readonly' in db.security.role: classes[0][1].append('Adr_Readonly') classes[1][1].append('Adr_Readonly') schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, [])
def security(db, **kw): classes = \ [ ("substance", ["User"], ["User"]) , ("ingredient_used_by_substance", ["User"], ["User"]) , ("rc_product_type", ["User"], ["User"]) , ("rc_application", ["User"], ["User"]) , ("rc_substrate", ["User"], ["User"]) , ("rc_suitability", ["User"], ["User"]) , ("rc_brand", ["User"], ["User"]) , ("rc_capability", ["User"], ["User"]) , ("rc_product", ["User"], []) ] schemadef.register_class_permissions(db, classes, []) # Allow creation but not modification db.security.addPermissionToRole('User', 'Create', 'rc_product')
def security (db, ** kw) : roles = ( ("Doc_Admin", "Admin for documents (e.g. QM)") , ("Nosy", "Allowed on nosy list") ) prop_perms = (("department", "Edit", ("Doc_Admin", ), ("doc_num", )), ) classes = \ ( ("doc" , ("User",), ("Doc_Admin", "User")) , ("artefact" , ("User",), ("Doc_Admin",)) , ("product_type", ("User",), ("Doc_Admin",)) , ("reference" , ("User",), ("Doc_Admin",)) , ("doc_status" , ("User",), ("Doc_Admin",)) ) schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) schemadef.register_nosy_classes (db, ['doc'])
def security (db, ** kw) : roles = \ [ ("Type" , "Allowed to add/change type codes") , ("Adr_Readonly" , "Allowed to read address and contact data") ] classes = \ [ ("adr_type" , ["User", "Adr_Readonly"], ["Type"]) , ("adr_type_cat" , ["User", "Adr_Readonly"], ["Type"]) , ("valid" , ["User", "Adr_Readonly"], []) ] if 'address' in db.classes : classes.append (("address", ["Adr_Readonly"], [])) schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, []) db.security.addPermissionToRole ('Adr_Readonly', 'Web Access')
def security (db, ** kw) : roles = \ [ ("Issue_Admin", "Admin for issue tracker") , ("Nosy", "Allowed on nosy list") ] # classname allowed to view / edit classes = \ [ ("issue", ["Issue_Admin"], ["Issue_Admin"]) , ("status", ["User"], ["Issue_Admin"]) , ("prio", ["User"], ["Issue_Admin"]) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, ()) schemadef.register_nosy_classes (db, ['issue']) db.security.addPermissionToRole ('User', 'Create', 'issue') schemadef.add_search_permission (db, 'issue', 'User')
def security (db, ** kw) : roles = \ [ ("KPM-Admin", "Admin for KPM multiselect fields") ] # classname allowed to view / edit classes = \ [ ("fault_frequency", ["User"], []) , ("kpm_function", ["User"], ["KPM-Admin"]) , ("kpm_hw_variant", ["User"], ["KPM-Admin"]) , ("kpm_occurrence", ["User"], ["KPM-Admin"]) , ("kpm_release", ["User"], ["KPM-Admin"]) , ("kpm_tag", ["User"], ["KPM-Admin"]) , ("kpm", ["User"], ["User"]) ] prop_perms = [] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms)
def security (db, ** kw) : """ See the configuration and customisation document for information about security setup. """ roles = \ [ ("Controlling", "Controlling") ] # classname allowed to view / edit classes = \ [ ("organisation", ["User"], ["Controlling"]) ] prop_perms = [] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms)
def security (db, ** kw) : """ See the configuration and customisation document for information about security setup. """ roles = \ [ ("HR", "Human Resources team") , ("HR-Org-Location", "Human Resources team in this Org-Location") , ("Controlling", "Controlling") , ("Office", "Member of Office") , ("Facility", "Role to edit room assignments") ] # classname allowed to view / edit classes = \ [ ("department", ["User"], ["Controlling"]) , ("location", ["User"], ["HR"]) , ("organisation", ["User"], ["HR", "Controlling"]) , ("org_location", ["User"], ["HR"]) , ("room", ["User"], ["HR", "Office", "Facility"]) , ("sex", ["User"], []) # , ("user", See below -- individual fields) ] prop_perms = \ [ ( "user", "View", ["Controlling"], ("roles",)) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) # HR should be able to create new users: db.security.addPermissionToRole ("HR", "Create", "user") # Retire/Restore permission for room for perm in 'Retire', 'Restore' : p = db.security.addPermission \ ( name = perm , klass = 'room' ) for role in ("HR", "Office", "Facility") : db.security.addPermissionToRole (role, p)
def security (db, ** kw) : classes = \ [ ("ham_call", ["User"], ["User"]) , ("ham_mode", ["User"], ["User"]) , ("ham_band", ["User"], ["User"]) , ("qsl_type", ["User"], ["User"]) , ("qsl_status", ["User"], ["User"]) , ("antenna", ["User"], ["User"]) , ("continent", ["User"], ["User"]) , ("dxcc_entity", ["User"], ["User"]) , ("qsl", ["User"], ["User"]) , ("qso", ["User"], ["User"]) , ("user", ["User"], ["Admin"]) ] prop_perms = \ [ ( "user", "View", ["User"], ("call",)) ] schemadef.register_class_permissions (db, classes, prop_perms)
def security(db, **kw): roles = \ [ ("PBX", "Allowed to edit pbx data") ] classes = \ [ ("sip_device", ["PBX"], ["PBX"]) ] prop_perms = \ [ ("sip_device", "View", ["User"] , ("name", "id") ) , ("user", "View", ["PBX", "User"] , ("sip_device",) ) , ("user", "Edit", ["PBX"] , ("sip_device",) ) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, prop_perms)
def security(db, **kw): roles = \ [ ("Contact" , "Allowed to add/change address data") ] classes = \ [ ("file", ["User", "Adr_Readonly"], ["User"]) , ("msg", ["User", "Adr_Readonly"], ["User"]) , ("address", ["Contact", "Adr_Readonly", "User"], ["User"]) , ("contact", ["Contact", "Adr_Readonly", "User"], ["Contact"]) , ("weekday", ["Contact", "Adr_Readonly", "User"], []) , ("opening_hours", ["Contact", "Adr_Readonly", "User"], ["User"]) ] prop_perms = \ [ ( "user", "View", ["User"] , ( "activity", "actor", "address", "alternate_addresses" , "clearance_by", "creation", "creator", "department" , "firstname", "id", "job_description", "lastname" , "lunch_duration", "lunch_start", "nickname" , "pictures", "position", "queries", "realname", "room", "sex" , "status", "subst_active", "subst_until", "substitute" , "supervisor", "timezone" , "title", "username", "home_directory", "login_shell" , "samba_home_drive", "samba_home_path" ) ) , ( "user", "View", ["Adr_Readonly"] , ( "username", "realname") ) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, prop_perms) schemadef.allow_user_details \ (db, 'User', 'Edit', 'address', 'alternate_addresses') schemadef.allow_user_details \ (db, 'Adr_Readonly', 'Edit', 'address', 'alternate_addresses')
, "clearance_by", "creation", "creator", "department" , "firstname", "job_description", "lastname" , "id", "lunch_duration", "lunch_start", "nickname" , "pictures", "position", "queries", "realname", "room", "sex" , "status", "subst_active", "substitute", "supervisor", "timezone" , "title", "username", "home_directory", "login_shell" , "samba_home_drive", "samba_home_path", "tt_lines" ) ) ] # For PGP-Processing we need a role schemadef.register_roles \ ( db , [ ('PGP', 'Roles that require PGP') , ('IT', 'IT: edit some permissions') ] ) schemadef.register_class_permissions(db, classes, prop_perms) schemadef.allow_user_details(db, 'User', 'Edit') # the following is further checked in an auditor: db.security.addPermissionToRole('User', 'Create', 'time_wp') # editing of roles: for r in "HR", : db.security.addPermissionToRole(r, 'Web Roles') # oh, g'wan, let anonymous access the web interface too # NOT really !!! db.security.addPermissionToRole('Anonymous', 'Web Access')
# Purpose # Specify the DB-Schema for legalclient # Link this file to schema.py #-- # import sys, os sys.path.insert(0, os.path.join(db.config.HOME, 'lib')) from schemacfg import schemadef # sub-schema definitins to include # Note: order matters, core is always last. schemas = \ ( 'legalclient' , 'core' ) importer = schemadef.Importer(globals(), schemas) del sys.path[0:1] importer.update_security() classes = [("user", ["User"], [])] schemadef.register_class_permissions(db, classes, []) schemadef.allow_user_details(db, 'User', 'Edit') # oh, g'wan, let anonymous access the web interface too # NOT really !!! db.security.addPermissionToRole('Anonymous', 'Web Access')
def security (db, ** kw) : roles = \ [ ("Dom-User-Edit-GTT", "Edit/Create users with specific AD domain") , ("Dom-User-Edit-HR", "Edit users with specific AD domain") , ("Dom-User-Edit-Office", "Edit users with specific AD domain") , ("Dom-User-Edit-Facility", "Edit users with specific AD domain") , ("IT", "IT-Department") ] schemadef.register_roles (db, roles) db.security.addPermissionToRole ('Dom-User-Edit-GTT', 'Create', 'user') # Editable user fields for the Domain-User-Edit roles user_props = \ [ 'contacts' , 'csv_delimiter' , 'entry_date' , 'firstname' , 'hide_message_files' , 'job_description' , 'lastname' , 'lunch_duration' , 'lunch_start' , 'nickname' , 'pictures' , 'position_text' , 'room' , 'sex' , 'status' , 'subst_active' , 'substitute' , 'supervisor' , 'timezone' , 'tt_lines' , 'vie_user' ] user_props_hr = user_props + \ ['clearance_by', 'roles', 'reduced_activity_list'] user_props_gtt = user_props + \ ['username', 'sync_foreign_key', 'department_temp'] user_props_office = ['contacts', 'position_text', 'room'] user_props_facility = ['room'] role_perms = \ [ ("Dom-User-Edit-GTT", user_props_gtt) , ("Dom-User-Edit-HR", user_props_hr) , ("Dom-User-Edit-Office", user_props_office) , ("Dom-User-Edit-Facility", user_props_facility) ] classes = \ [ ( "domain_permission" , ["IT"] , ["IT"] ) ] if 'contract_type' in db.classes : classes.append \ ( ( "contract_type" , ["Dom-User-Edit-GTT", "Dom-User-Edit-HR"] , [] ) ) if 'user_contact' in db.classes : for role, x in role_perms [:3] : classes.append \ ( ( "user_contact" , [] , [role] ) ) db.security.addPermissionToRole (role, 'Create', 'user_contact') prop_perms = [] schemadef.register_class_permissions (db, classes, prop_perms) fixdoc = schemadef.security_doc_from_docstring if 'user_dynamic' in db.classes : def user_dynamic_dom (db, userid, itemid) : """ May only view/edit records with the correct domain """ dyn = db.user_dynamic.getnode (itemid) user = db.user.getnode (dyn.user) return check_domain_permission (db, userid, user.ad_domain) # end def user_dynamic_dom for role in ("Dom-User-Edit-GTT", "Dom-User-Edit-HR") : db.security.addPermissionToRole (role, 'Create', 'user_dynamic') for perm in ('View', 'Edit') : p = db.security.addPermission \ ( name = perm , klass = 'user_dynamic' , check = user_dynamic_dom , description = fixdoc (user_dynamic_dom.__doc__) ) db.security.addPermissionToRole (role, p) def domain_access_user (db, userid, itemid) : """ Users may view/edit user records for ad_domain for which they are in the domain_permission for the user. """ u = db.user.getnode (itemid) return check_domain_permission (db, userid, u.ad_domain) # end def domain_access_user for role, props in role_perms : for perm in 'Edit', 'View' : p = db.security.addPermission \ ( name = perm , klass = 'user' , check = domain_access_user , description = fixdoc (domain_access_user.__doc__) , properties = props ) db.security.addPermissionToRole (role, p) def domain_view_user_dynamic (db, userid, itemid) : """ Users may view user_dynamic records for ad_domain for which they are in the domain_permission for the user """ ud = db.user_dynamic.getnode (itemid) u = db.user.getnode (ud.user) return check_domain_permission (db, userid, u.ad_domain) # end def domain_view_user_dynamic p = db.security.addPermission \ ( name = 'View' , klass = 'user_dynamic' , check = domain_view_user_dynamic , description = fixdoc (domain_view_user_dynamic.__doc__) ) db.security.addPermissionToRole ('Dom-User-Edit-GTT', p) db.security.addPermissionToRole ('Dom-User-Edit-HR', p) p = db.security.addPermission \ ( name = 'Search' , klass = 'user_dynamic' ) db.security.addPermissionToRole ('Dom-User-Edit-GTT', p) db.security.addPermissionToRole ('Dom-User-Edit-HR', p)
def security (db, ** kw) : roles = \ [ ("Project", "Project Office") , ("Project_View", "May view project data") , ("Controlling", "Controlling") , ("Procurement", "Purchasing/Procurement") ] # classname # allowed to view / edit # For daily_record, time_record, additional restrictions apply classes = \ [ ( "time_project_status" , ["User"] , ["Project"] ) , ( "time_project" , ["Project_View", "Project", "Controlling"] , [] ) , ( "sap_cc" , ["User"] , [] ) ] prop_perms = \ [ ( "time_project", "Edit", ["Project"] , ( "cost_center", "deputy", "description", "department", "name" , "nosy", "organisation", "responsible", "status" ) ) , ( "time_project", "Edit", ["Procurement"] , ( "purchasing_agents" , "deputy_gets_mail" ) ) , ( "sap_cc", "Edit", ["Procurement"] , ( "purchasing_agents" , "deputy_gets_mail" ) ) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) fixdoc = schemadef.security_doc_from_docstring p = db.security.addPermission \ ( name = 'View' , klass = 'time_project' , check = sum_common.time_project_viewable , description = fixdoc (sum_common.time_project_viewable.__doc__) ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'View' , klass = 'time_project' ) db.security.addPermissionToRole ('Procurement', p) p = db.security.addPermission \ ( name = 'View' , klass = 'sap_cc' ) db.security.addPermissionToRole ('Procurement', p) db.security.addPermissionToRole ('Project', 'Create', 'time_project')
def security(db, **kw): # classname allowed to view / edit classes = [("legalclient", ["User"], ["User"])] schemadef.register_class_permissions(db, classes, [])
def security (db, ** kw) : user_roles = ["HR", "Office"] if 'it' in db.security.role : user_roles.append ("IT") classes = \ ( ("uc_type", ("User",), ("HR", "Office")) , ("user_contact", ("HR", "Office"), ()) ) prop_perms = \ [ ( "user", "View", ["User", "HR", "Office"] , ("contacts",) ) ] if 'it' in db.security.role : p = db.security.addPermission \ ( name = 'Create' , klass = 'user_contact' , description = 'Create' ) db.security.addPermissionToRole ('IT', p) schemadef.register_class_permissions (db, classes, prop_perms) p = db.security.addPermission \ ( name = 'Search' , klass = 'user_contact' , description = 'Search' ) db.security.addPermissionToRole ('User', p) def contact_visible (db, userid, itemid) : """User is allowed to view contact if he's the owner of the contact or the contact is marked visible """ if not itemid or itemid < 1 : return False c = db.user_contact.getnode (itemid) if userid == c.user : return True return c.visible # end def contact_visible def contact_visible_editable (db, userid, itemid) : """User is allowed to edit if he's the owner of the contact """ if not itemid or itemid < 1 : return False c = db.user_contact.getnode (itemid) if userid == c.user : return True return False # end def contact_visible_editable fixdoc = schemadef.security_doc_from_docstring p = db.security.addPermission \ ( name = 'View' , klass = 'user_contact' , check = contact_visible , description = fixdoc (contact_visible.__doc__) ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'user_contact' , check = contact_visible_editable , description = fixdoc (contact_visible_editable.__doc__) , properties = ('visible',) ) db.security.addPermissionToRole ('User', p)