def security (db, ** kw) : roles = \ [ ("Guest", "Allowed to view everything") , ("Logger", "Allowed to add and change measurements") ] classes = \ [ ("device", ["User", "Guest", "Logger"], ["Logger"]) , ("device_group", ["User", "Guest", "Logger"], ["User"]) , ("logstyle", ["User", "Guest", "Logger"], []) , ("measurement", ["User", "Guest", "Logger"], ["Logger"]) , ("sensor", ["User", "Guest", "Logger"], ["Logger"]) , ("transceiver", ["User", "Guest", "Logger"], ["Logger"]) , ("alarm", ["User", "Guest", "Logger"], ["User", "Logger"]) ] prop_perms = \ [ ( "device", "Edit", ["User"] , ( "name", "sint", "mint", "gapint", "rec", "device_group" , "mint_pending", "sint_pending" ) ) , ( "sensor", "Edit", ["User"] , ("almin", "almax", "do_logging" ) ) , ( "transceiver", "Edit", ["User"] , ("name", "tty", "sint", "mint", "mint_pending", "sint_pending") ) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms)
def security (db, ** kw) : roles = \ [ ("Discount" , "Allowed to add/change discounts") , ("Letter" , "Allowed to add/change templates and letters") , ("Product" , "Allowed to add/change product data") ] classes = \ [ ("address", ["User"], ["Contact"]) , ("bank_account", ["User"], ["Contact"]) , ("cust_supp", ["User"], ["Contact"]) , ("customer_group", ["User"], []) , ("customer_status", ["User"], []) , ("customer_type", ["User"], []) , ("discount_group", ["User"], ["Discount"]) , ("dispatch_type", ["User"], []) , ("group_discount", ["User"], ["Discount"]) , ("invoice_dispatch", ["User"], []) , ("letter", ["User"], ["Letter"]) , ("measuring_unit", ["User"], []) , ("overall_discount", ["User"], ["Discount"]) , ("packaging_unit", ["User"], []) , ("pharma_ref", ["User"], []) , ("proceeds_group", ["User"], []) , ("product", ["User"], ["Product"]) , ("product_group", ["User"], ["Product"]) , ("product_status", ["User"], []) , ("sales_conditions", ["User"], []) , ("shelf_life_code", ["User"], []) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, [])
def security(db, **kw): roles = \ [ ("Contact" , "Allowed to add/change address data") ] classes = \ [ ("file", ["User", "Adr_Readonly"], ["User"]) , ("msg", ["User", "Adr_Readonly"], ["User"]) , ("address", ["Contact", "Adr_Readonly", "User"], ["User"]) , ("contact", ["Contact", "Adr_Readonly", "User"], ["Contact"]) , ("weekday", ["Contact", "Adr_Readonly", "User"], []) , ("opening_hours", ["Contact", "Adr_Readonly", "User"], ["User"]) ] prop_perms = \ [ ( "user", "View", ["User"] , ( "activity", "actor", "address", "alternate_addresses" , "creation", "creator", "id", "queries", "realname" , "status", "timezone", "username" ) ) , ( "user", "View", ["Adr_Readonly"] , ( "username", "realname") ) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, prop_perms) schemadef.allow_user_details \ (db, 'User', 'Edit', 'address', 'alternate_addresses') schemadef.allow_user_details \ (db, 'Adr_Readonly', 'Edit', 'address', 'alternate_addresses')
def security (db, ** kw) : roles = \ [ ("Abo" , "Allowed to modify subscriptions") , ("Invoice" , "Allowed to change financial data") , ("Letter" , "Allowed to add/change templates and letters") , ("Product" , "Allowed to create/edit products") ] classes = \ [ ("abo_price" , ["User"], ["Product"]) , ("abo_type" , ["Abo", "Product", "Invoice"], ["Product", "Abo", "Invoice"]) , ("abo" , ["Abo", "Product", "Invoice"], ["Abo"]) , ("address" , ["User"], ["User"]) , ("contact_type" , ["User"], []) , ("currency" , ["User"], ["Product"]) , ("invoice_group" , ["Invoice"], ["Invoice"]) , ("invoice_template" , ["Invoice"], ["Invoice"]) , ("invoice" , ["Invoice"], ["Invoice"]) , ("letter" , ["User"], ["Abo", "Letter"]) , ("query" , ["User"], ["User"]) , ("tmplate" , ["User"], ["Abo", "Invoice", "Letter"]) , ("valid" , ["User"], []) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) : roles = \ [ ("MsgEdit", "Allowed to edit message properties") , ("MsgSync", "Allowed to sync message with ext. tracker") , ("Issue_Admin", "Admin for issue tracker") ] # classname allowed to view # allowed to edit classes = \ [ ("ext_tracker", ["User"], ["Issue_Admin"] ) , ("ext_msg", ["MsgEdit", "MsgSync"], ["MsgSync"] ) , ("ext_tracker_type", ["MsgEdit", "MsgSync", "User"], [] ) , ("ext_tracker_state", ["MsgEdit", "MsgSync", "User"], ["MsgSync", "User"] ) ] prop_perms = [] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) p = db.security.addPermission \ ( name = 'Search' , klass = 'msg' , properties = ("date", "id") ) db.security.addPermissionToRole ('MsgEdit', p) db.security.addPermissionToRole ('MsgSync', p)
def security (db, ** kw) : roles = \ [ ("IT" , "IT-Department" ) , ("ITView" , "View but not change IT data" ) ] # classname allowed to view / edit classes = \ [ ("alias", ["IT", "ITView"], ["IT"]) , ("dns_record_type", ["IT", "ITView"], []) , ("group", ["IT", "ITView"], ["IT"]) , ("ip_subnet", ["IT", "ITView"], ["IT"]) , ("machine", ["IT", "ITView"], ["IT"]) , ("machine_name", ["IT", "ITView"], ["IT"]) , ("network_address", ["IT", "ITView"], ["IT"]) , ("network_interface", ["IT", "ITView"], ["IT"]) , ("operating_system", ["IT", "ITView"], ["IT"]) , ("smb_domain", ["IT", "ITView"], ["IT"]) , ("smb_machine", ["IT", "ITView"], ["IT"]) ] prop_perms = \ [ ( "location", "Edit", ["IT"] , ("domain_part",) ) , ( "org_location", "Edit", ["IT"] , ("smb_domain", "dhcp_server", "domino_dn") ) , ( "organisation", "Edit", ["IT"] , ("domain_part",) ) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms)
def security(db, **kw): roles = \ [ ("Dom-User-Edit-GTT", "Edit/Create users with specific AD domain") ] # classname allowed to view / edit classes = \ [ ("job_log", ["User"], ["Dom-User-Edit-GTT"]) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, ())
def security (db, ** kw) : roles = \ [ ("Issue_Admin", "Admin for issue tracker") ] # classname allowed to view / edit classes = \ [ ("doc_issue_status", ["User"], ["Issue_Admin"]) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, ())
def security(db, **kw): roles = \ [ ("Issue_Admin", "Admin for issue tracker") , ("Nosy", "Allowed on nosy list") ] # classname allowed to view / edit classes = \ [ ("keyword", ["User"], ["Issue_Admin"]) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, ())
def security (db, ** kw) : roles = \ [ ("Letter" , "Allowed to add/change templates and letters") ] classes = \ [ ("tmplate" , ["User"], ["Letter"]) , ("tmplate_status" , ["User"], []) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) : roles = \ [ ("Contact" , "Allowed to add/change address data") ] classes = \ [ ("opening_hours" , ["User"], ["Contact"]) , ("weekday" , ["User"], []) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) : roles = [ ("SupportAdmin", "Customer support department") ] # classname allowed to view / edit classes = \ [ ("sup_status", ["User"], []) , ("sup_prio", ["User"], []) , ("sup_type", ["User"], []) , ("sup_warranty", ["User"], []) , ("sup_execution", ["User"], []) , ("business_unit", ["User"], []) , ("product", ["User"], []) , ("support", ["SupportAdmin"], ["SupportAdmin"]) , ("customer", ["User", "SupportAdmin"], ["SupportAdmin"]) , ("contact", ["User", "SupportAdmin"], ["SupportAdmin"]) , ("mailgroup", ["User", "SupportAdmin"], ["SupportAdmin", "IT"]) , ("sup_classification", ["User", "SupportAdmin"], ["SupportAdmin"]) , ("customer_agreement", ["User", "SupportAdmin"], ["SupportAdmin"]) , ("analysis_result", ["User", "SupportAdmin"], ["SupportAdmin"]) , ("return_type", ["User", "SupportAdmin"], ["SupportAdmin"]) ] if 'adr_type' in db.classes : classes.append (( "adr_type" , ["User", "SupportAdmin"] , ["SupportAdmin"] )) classes.append (( "adr_type_cat" , ["User", "SupportAdmin"] , ["SupportAdmin"] )) prop_perms = [] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) db.security.addPermissionToRole ('User', 'Create', 'support') db.security.addPermissionToRole ('SupportAdmin', 'Create', 'support') schemadef.register_confidentiality_check \ (db, 'User', 'support', ('View',)) exc_props = dict.fromkeys (('first_reply', 'satisfied')) props = dict (db.support.properties) for p in exc_props : del props [p] schemadef.register_confidentiality_check \ (db, 'User', 'support', ('Edit',), * props.keys ()) schemadef.register_nosy_classes (db, ['support']) schemadef.add_search_permission (db, 'support', 'User')
def security (db, ** kw) : roles = \ [ ("Invoice" , "Allowed to change financial data") ] classes = \ [ ("currency", ["User"], []) , ("invoice_template", ["Invoice"], ["Invoice"]) , ("payment", ["Invoice"], ["Invoice"]) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, [])
def security(db, **kw): roles = \ [ ("Contact" , "Allowed to add/change address data") ] classes = \ [ ("contact_type", ["User"], []) , ("contact", ["User"], ["Contact"]) ] if 'adr_readonly' in db.security.role: classes[0][1].append('Adr_Readonly') classes[1][1].append('Adr_Readonly') schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, [])
def security (db, ** kw) : roles = ( ("Doc_Admin", "Admin for documents (e.g. QM)") , ("Nosy", "Allowed on nosy list") ) prop_perms = (("department", "Edit", ("Doc_Admin", ), ("doc_num", )), ) classes = \ ( ("doc" , ("User",), ("Doc_Admin", "User")) , ("artefact" , ("User",), ("Doc_Admin",)) , ("product_type", ("User",), ("Doc_Admin",)) , ("reference" , ("User",), ("Doc_Admin",)) , ("doc_status" , ("User",), ("Doc_Admin",)) ) schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) schemadef.register_nosy_classes (db, ['doc'])
def security (db, ** kw) : roles = \ [ ("Issue_Admin", "Admin for issue tracker") , ("Nosy", "Allowed on nosy list") ] # classname allowed to view / edit classes = \ [ ("issue", ["Issue_Admin"], ["Issue_Admin"]) , ("status", ["User"], ["Issue_Admin"]) , ("prio", ["User"], ["Issue_Admin"]) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, ()) schemadef.register_nosy_classes (db, ['issue']) db.security.addPermissionToRole ('User', 'Create', 'issue') schemadef.add_search_permission (db, 'issue', 'User')
def security (db, ** kw) : roles = \ [ ("Type" , "Allowed to add/change type codes") , ("Adr_Readonly" , "Allowed to read address and contact data") ] classes = \ [ ("adr_type" , ["User", "Adr_Readonly"], ["Type"]) , ("adr_type_cat" , ["User", "Adr_Readonly"], ["Type"]) , ("valid" , ["User", "Adr_Readonly"], []) ] if 'address' in db.classes : classes.append (("address", ["Adr_Readonly"], [])) schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, []) db.security.addPermissionToRole ('Adr_Readonly', 'Web Access')
def security (db, ** kw) : roles = \ [ ("KPM-Admin", "Admin for KPM multiselect fields") ] # classname allowed to view / edit classes = \ [ ("fault_frequency", ["User"], []) , ("kpm_function", ["User"], ["KPM-Admin"]) , ("kpm_hw_variant", ["User"], ["KPM-Admin"]) , ("kpm_occurrence", ["User"], ["KPM-Admin"]) , ("kpm_release", ["User"], ["KPM-Admin"]) , ("kpm_tag", ["User"], ["KPM-Admin"]) , ("kpm", ["User"], ["User"]) ] prop_perms = [] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms)
def security (db, ** kw) : """ See the configuration and customisation document for information about security setup. """ roles = \ [ ("HR", "Human Resources team") , ("HR-Org-Location", "Human Resources team in this Org-Location") , ("Controlling", "Controlling") , ("Office", "Member of Office") , ("Facility", "Role to edit room assignments") ] # classname allowed to view / edit classes = \ [ ("department", ["User"], ["Controlling"]) , ("location", ["User"], ["HR"]) , ("organisation", ["User"], ["HR", "Controlling"]) , ("org_location", ["User"], ["HR"]) , ("room", ["User"], ["HR", "Office", "Facility"]) , ("sex", ["User"], []) # , ("user", See below -- individual fields) ] prop_perms = \ [ ( "user", "View", ["Controlling"], ("roles",)) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) # HR should be able to create new users: db.security.addPermissionToRole ("HR", "Create", "user") # Retire/Restore permission for room for perm in 'Retire', 'Restore' : p = db.security.addPermission \ ( name = perm , klass = 'room' ) for role in ("HR", "Office", "Facility") : db.security.addPermissionToRole (role, p)
def security (db, ** kw) : """ See the configuration and customisation document for information about security setup. """ roles = \ [ ("Controlling", "Controlling") ] # classname allowed to view / edit classes = \ [ ("organisation", ["User"], ["Controlling"]) ] prop_perms = [] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms)
def security(db, **kw): roles = \ [ ("PBX", "Allowed to edit pbx data") ] classes = \ [ ("sip_device", ["PBX"], ["PBX"]) ] prop_perms = \ [ ("sip_device", "View", ["User"] , ("name", "id") ) , ("user", "View", ["PBX", "User"] , ("sip_device",) ) , ("user", "Edit", ["PBX"] , ("sip_device",) ) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, prop_perms)
def init(db, Ext_Class, String, Link, Multilink, **kw): class Ext_Issue_Class(Ext_Class): """ extends the Ext_Class with some attributes """ def __init__(self, db, classname, **properties): self.update_properties \ ( title = String (indexme = "yes") , responsible = Link ("user" , msg_header_property = 'username' ) , nosy = Multilink ("user", do_journal = "no") , messages = Multilink ("msg") ) Ext_Class.__init__(self, db, classname, **properties) # end def __init__ # end class Ext_Issue_Class roles = [("Nosy", "Allowed on nosy list")] register_roles(db, roles) return dict(Ext_Issue_Class=Ext_Issue_Class)
def security(db, **kw): roles = \ [ ("Contact" , "Allowed to add/change address data") ] classes = \ [ ("file", ["User", "Adr_Readonly"], ["User"]) , ("msg", ["User", "Adr_Readonly"], ["User"]) , ("address", ["Contact", "Adr_Readonly", "User"], ["User"]) , ("contact", ["Contact", "Adr_Readonly", "User"], ["Contact"]) , ("weekday", ["Contact", "Adr_Readonly", "User"], []) , ("opening_hours", ["Contact", "Adr_Readonly", "User"], ["User"]) ] prop_perms = \ [ ( "user", "View", ["User"] , ( "activity", "actor", "address", "alternate_addresses" , "clearance_by", "creation", "creator", "department" , "firstname", "id", "job_description", "lastname" , "lunch_duration", "lunch_start", "nickname" , "pictures", "position", "queries", "realname", "room", "sex" , "status", "subst_active", "subst_until", "substitute" , "supervisor", "timezone" , "title", "username", "home_directory", "login_shell" , "samba_home_drive", "samba_home_path" ) ) , ( "user", "View", ["Adr_Readonly"] , ( "username", "realname") ) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, prop_perms) schemadef.allow_user_details \ (db, 'User', 'Edit', 'address', 'alternate_addresses') schemadef.allow_user_details \ (db, 'Adr_Readonly', 'Edit', 'address', 'alternate_addresses')
def security (db, ** kw) : roles = \ [ ("IT", "IT-Department") , ("ITView", "View but not change IT data") , ("Nosy", "Allowed on nosy list") , ("Sec-Incident-Responsible", "Responsible for Security-Incident") , ("Sec-Incident-Nosy", "Nosy-List for Security-Incident") ] # classname allowed to view / edit classes = \ [ ("it_category", ["User"], ["IT"]) , ("it_int_prio", [ "IT", "ITView" , "Sec-Incident-Nosy" , "Sec-Incident-Responsible"], ["IT"]) , ("it_issue_status", ["User"], []) , ("it_issue", [ "IT", "ITView" , "Sec-Incident-Nosy" , "Sec-Incident-Responsible"], ["IT"]) , ("it_prio", ["User"], []) , ("it_project", [ "IT", "ITView" , "Sec-Incident-Nosy" , "Sec-Incident-Responsible"], ["IT"]) , ("it_project_status", ["User"], []) , ("it_request_type", ["User"], ["IT"]) ] prop_perms = \ [ ( "file", "Edit", ["IT"] , ("type", "name") ) , ( "location", "Edit", ["IT"] , ("domain_part",) ) , ( "organisation", "Edit", ["IT"] , ("domain_part",) ) , ( "user", "Edit", ["IT"] , ( "address", "alternate_addresses", "nickname" , "password", "timezone", "username" ) ) , ( "user", "View", ["User"] , ( "activity", "actor", "address", "alternate_addresses" , "creation", "creator", "id", "queries", "realname" , "status", "timezone", "username" ) ) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) def is_responsible (db, userid, itemid) : """Determine whether the user is responsible for an issue """ return db.it_issue.get (itemid, 'responsible') == userid # end def is_responsible def responsible_or_stakeholder (db, userid, itemid) : """Determine whether the user is responsible for or the stakeholder of an issue """ return \ ( db.it_issue.get (itemid, 'responsible') == userid or db.it_issue.get (itemid, 'stakeholder') == userid ) # end def responsible_or_stakeholder p = db.security.addPermission \ ( name = 'Edit' , klass = 'it_issue' , check = responsible_or_stakeholder , description = \ "User is allowed to edit several fields if he is " "Stakeholder/Responsible for an it_issue" , properties = ('deadline', 'status', 'title') ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'it_issue' , check = is_responsible , description = \ "User is allowed to edit several fields if he is " "Responsible for an it_issue" , properties = ('responsible',) ) db.security.addPermissionToRole ('User', p) db.security.addPermissionToRole ('User', 'Create', 'it_issue') schemadef.register_confidentiality_check \ (db, 'User', 'it_issue', ('View',)) schemadef.register_confidentiality_check \ (db, 'User', 'it_issue', ('Edit',), "messages", "files", "nosy") schemadef.register_confidentiality_check \ (db, 'User', 'it_project', ('View',)) schemadef.register_confidentiality_check \ (db, 'User', 'it_project', ('Edit',), "messages", "files", "nosy") schemadef.register_nosy_classes (db, ['it_issue', 'it_project']) schemadef.add_search_permission (db, 'it_issue', 'User') schemadef.add_search_permission (db, 'it_project', 'User')
def security (db, ** kw) : roles = \ [ ("Dom-User-Edit-GTT", "Edit/Create users with specific AD domain") , ("Dom-User-Edit-HR", "Edit users with specific AD domain") , ("Dom-User-Edit-Office", "Edit users with specific AD domain") , ("Dom-User-Edit-Facility", "Edit users with specific AD domain") , ("IT", "IT-Department") ] schemadef.register_roles (db, roles) db.security.addPermissionToRole ('Dom-User-Edit-GTT', 'Create', 'user') # Editable user fields for the Domain-User-Edit roles user_props = \ [ 'contacts' , 'csv_delimiter' , 'entry_date' , 'firstname' , 'hide_message_files' , 'job_description' , 'lastname' , 'lunch_duration' , 'lunch_start' , 'nickname' , 'pictures' , 'position_text' , 'room' , 'sex' , 'status' , 'subst_active' , 'substitute' , 'supervisor' , 'timezone' , 'tt_lines' , 'vie_user' ] user_props_hr = user_props + \ ['clearance_by', 'roles', 'reduced_activity_list'] user_props_gtt = user_props + \ ['username', 'sync_foreign_key', 'department_temp'] user_props_office = ['contacts', 'position_text', 'room'] user_props_facility = ['room'] role_perms = \ [ ("Dom-User-Edit-GTT", user_props_gtt) , ("Dom-User-Edit-HR", user_props_hr) , ("Dom-User-Edit-Office", user_props_office) , ("Dom-User-Edit-Facility", user_props_facility) ] classes = \ [ ( "domain_permission" , ["IT"] , ["IT"] ) ] if 'contract_type' in db.classes : classes.append \ ( ( "contract_type" , ["Dom-User-Edit-GTT", "Dom-User-Edit-HR"] , [] ) ) if 'user_contact' in db.classes : for role, x in role_perms [:3] : classes.append \ ( ( "user_contact" , [] , [role] ) ) db.security.addPermissionToRole (role, 'Create', 'user_contact') prop_perms = [] schemadef.register_class_permissions (db, classes, prop_perms) fixdoc = schemadef.security_doc_from_docstring if 'user_dynamic' in db.classes : def user_dynamic_dom (db, userid, itemid) : """ May only view/edit records with the correct domain """ dyn = db.user_dynamic.getnode (itemid) user = db.user.getnode (dyn.user) return check_domain_permission (db, userid, user.ad_domain) # end def user_dynamic_dom for role in ("Dom-User-Edit-GTT", "Dom-User-Edit-HR") : db.security.addPermissionToRole (role, 'Create', 'user_dynamic') for perm in ('View', 'Edit') : p = db.security.addPermission \ ( name = perm , klass = 'user_dynamic' , check = user_dynamic_dom , description = fixdoc (user_dynamic_dom.__doc__) ) db.security.addPermissionToRole (role, p) def domain_access_user (db, userid, itemid) : """ Users may view/edit user records for ad_domain for which they are in the domain_permission for the user. """ u = db.user.getnode (itemid) return check_domain_permission (db, userid, u.ad_domain) # end def domain_access_user for role, props in role_perms : for perm in 'Edit', 'View' : p = db.security.addPermission \ ( name = perm , klass = 'user' , check = domain_access_user , description = fixdoc (domain_access_user.__doc__) , properties = props ) db.security.addPermissionToRole (role, p) def domain_view_user_dynamic (db, userid, itemid) : """ Users may view user_dynamic records for ad_domain for which they are in the domain_permission for the user """ ud = db.user_dynamic.getnode (itemid) u = db.user.getnode (ud.user) return check_domain_permission (db, userid, u.ad_domain) # end def domain_view_user_dynamic p = db.security.addPermission \ ( name = 'View' , klass = 'user_dynamic' , check = domain_view_user_dynamic , description = fixdoc (domain_view_user_dynamic.__doc__) ) db.security.addPermissionToRole ('Dom-User-Edit-GTT', p) db.security.addPermissionToRole ('Dom-User-Edit-HR', p) p = db.security.addPermission \ ( name = 'Search' , klass = 'user_dynamic' ) db.security.addPermissionToRole ('Dom-User-Edit-GTT', p) db.security.addPermissionToRole ('Dom-User-Edit-HR', p)
def security (db, ** kw) : roles = \ [ ("Project", "Project Office") , ("Project_View", "May view project data") , ("Controlling", "Controlling") , ("Procurement", "Purchasing/Procurement") ] # classname # allowed to view / edit # For daily_record, time_record, additional restrictions apply classes = \ [ ( "time_project_status" , ["User"] , ["Project"] ) , ( "time_project" , ["Project_View", "Project", "Controlling"] , [] ) , ( "sap_cc" , ["User"] , [] ) ] prop_perms = \ [ ( "time_project", "Edit", ["Project"] , ( "cost_center", "deputy", "description", "department", "name" , "nosy", "organisation", "responsible", "status" ) ) , ( "time_project", "Edit", ["Procurement"] , ( "purchasing_agents" , "deputy_gets_mail" ) ) , ( "sap_cc", "Edit", ["Procurement"] , ( "purchasing_agents" , "deputy_gets_mail" ) ) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) fixdoc = schemadef.security_doc_from_docstring p = db.security.addPermission \ ( name = 'View' , klass = 'time_project' , check = sum_common.time_project_viewable , description = fixdoc (sum_common.time_project_viewable.__doc__) ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'View' , klass = 'time_project' ) db.security.addPermissionToRole ('Procurement', p) p = db.security.addPermission \ ( name = 'View' , klass = 'sap_cc' ) db.security.addPermissionToRole ('Procurement', p) db.security.addPermissionToRole ('Project', 'Create', 'time_project')
def security(db, **kw): roles = \ [ ("Readonly-User" , "User with less access") ] classes = \ [ ("area", ["Readonly-User"], []) , ("doc_issue_status", ["Readonly-User"], []) , ("keyword", ["Readonly-User"], []) , ("kind", ["Readonly-User"], []) , ("msg_keyword", ["Readonly-User"], []) , ("severity", ["Readonly-User"], []) , ("status", ["Readonly-User"], []) , ("status_transition", ["Readonly-User"], []) , ("ext_tracker_state", ["Readonly-User"], []) , ("safety_level", ["Readonly-User"], []) , ("test_level", ["Readonly-User"], []) ] if 'fault_frequency' in db.classes: classes.append \ (("fault_frequency", ["Readonly-User"], [])) if 'kpm' in db.classes: classes.append \ (("kpm", ["Readonly-User"], [])) if 'kpm_function' in db.classes: classes.append \ (("kpm_function", ["Readonly-User"], [])) if 'kpm_hw_variant' in db.classes: classes.append \ (("kpm_hw_variant", ["Readonly-User"], [])) if 'kpm_occurrence' in db.classes: classes.append \ (("kpm_occurrence", ["Readonly-User"], [])) if 'kpm_release' in db.classes: classes.append \ (("kpm_release", ["Readonly-User"], [])) if 'kpm_tag' in db.classes: classes.append \ (("kpm_tag", ["Readonly-User"], [])) if 'ext_tracker_type' in db.classes: classes.append \ (("ext_tracker_type", ["Readonly-User"], [])) prop_perms = \ [ ( "user", "View", ["Readonly-User"] , ("username", "nickname", "status") ) , ( "category", "View", ["Readonly-User"] , ("name", "id") ) , ( "user_status", "View", ["Readonly-User"] , ("name", ) ) ] linkperms = \ [ ("file", ["Readonly-User"], ['View'], linkclass_iter (db, "file")) , ("msg", ["Readonly-User"], ['View'], linkclass_iter (db, "msg")) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, prop_perms) core.register_linkperms(db, linkperms) # don't allow Readonly-User for some issue attributes exceptions = dict.fromkeys \ (('external_company', 'confidential')) issue_props = [ p for p in db.issue.getprops().iterkeys() if p not in exceptions ] if 'external_users' in db.issue.properties: def ro_user_access(db, userid, itemid): """ Read-only users are allowed to view issue if they are on the list of allowed external users or there is a transitive permission via containers. """ issue = db.issue.getnode(itemid) while True: if issue.external_users and userid in issue.external_users: return True if not issue.part_of: break issue = db.issue.getnode(issue.part_of) return False # end def ext_user_access p = db.security.addPermission \ ( name = 'View' , klass = 'issue' , check = ro_user_access , description = schemadef.security_doc_from_docstring (ro_user_access.__doc__) , properties = issue_props ) db.security.addPermissionToRole('Readonly-User', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'user' , check = schemadef.own_user_record , description = "Users are allowed to edit some of their details" , properties = ("timezone", "csv_delimiter", "hide_message_files") ) db.security.addPermissionToRole('Readonly-User', p) p = db.security.addPermission \ ( name = 'View' , klass = 'user' , check = schemadef.own_user_record , description = "Users are allowed to view some of their details" , properties = ( "username", "realname", "firstname", "lastname" , "creation", "creator", "activity", "actor" ) ) db.security.addPermissionToRole('Readonly-User', p) p = db.security.getPermission('Search', 'file') db.security.addPermissionToRole('Readonly-User', p) p = db.security.getPermission('View', 'file', check=core.view_file) db.security.addPermissionToRole('Readonly-User', p) p = db.security.getPermission('Search', 'issue') db.security.addPermissionToRole('Readonly-User', p) # need search permission on username + id if we want to search for # user Link/Multilink properties on issue (e.g. responsible, nosy, ..) p = db.security.addPermission \ ( name = 'Search' , klass = 'user' , properties = ("username", "nickname", "id") ) db.security.addPermissionToRole('Readonly-User', p) # Need search-permission on ext_tracker_state p = db.security.addPermission \ ( name = 'Search' , klass = 'ext_tracker_state' , properties = ("issue", "id") ) db.security.addPermissionToRole('Readonly-User', p) p = db.security.getPermission('View', 'ext_tracker') db.security.addPermissionToRole('Readonly-User', p) p = db.security.getPermission('Search', 'msg') db.security.addPermissionToRole('Readonly-User', p) db.security.addPermissionToRole('Readonly-User', 'Web Access') db.security.addPermissionToRole('Readonly-User', 'Email Access')
def security (db, ** kw) : """ See the configuration and customisation document for information about security setup. """ roles = \ [ ("Board", "Approvals over certain limits") , ("Nosy", "Nosy list") , ("Finance", "Finance-related approvals") , ("HR", "Approvals for staff/subcontracting") , ("HR-Approval", "Approvals for HR-related issues") , ("IT-Approval", "Approve IT-Related PRs") , ("Procurement", "Procurement department") , ("Procurement-Admin", "Procurement administration") , ("Procure-Approval", "Procurement approvals") , ("Quality", "Approvals for Safety issues") , ("Subcontract", "Approvals for staff/subcontracting") , ("PR-View", "See all Purchase Requests") , ("Measurement-Approval", "Responsible for Measurement-Equipment") , ("Training-Approval", "Approvals for Training") , ("Subcontract-Org", "Approvals for Subcontracting") , ("CISO", "Editing of Security Tables") ] # classname allowed to view / edit classes = \ [ ("department", ["User"], []) , ("infosec_level", ["User"], ["Procurement-Admin"]) , ("location", ["User"], []) , ("organisation", ["User"], []) , ("org_location", ["User"], []) , ("part_of_budget", ["User"], []) , ("pr_approval_config", ["Procurement"], ["Procurement-Admin"]) , ("pr_approval_order", ["Procurement"], ["Procurement-Admin"]) , ("pr_approval", ["Procurement","PR-View"], []) , ("pr_approval_status", ["User"], []) , ("pr_currency", ["User"], ["Procurement-Admin"]) , ("pr_status", ["User"], []) , ("pr_supplier", ["User"], ["Procurement-Admin"]) , ("pr_rating_category", ["User"], ["Procurement-Admin"]) , ("pr_supplier_rating", ["User"], ["Procurement-Admin"]) , ("purchase_type", ["User"], ["Procurement-Admin"]) , ("terms_conditions", ["User"], []) , ("time_project", ["User"], []) , ("user", ["Procurement-Admin"], []) , ("purchase_request", ["PR-View"], []) , ("pr_offer_item", ["PR-View"], []) , ("internal_order", ["User"], []) , ("pr_ext_resource", ["User"], []) , ("security_req_group", ["User"], ["Procurement-Admin", "CISO"]) , ("product_group", ["User"], ["Procurement-Admin"]) , ("pg_category", ["User"], ["Procurement-Admin"]) , ("supplier_risk_category", ["User"], []) , ("purchase_risk_type", ["User"], []) , ("pr_supplier_risk", ["User"], ["Procurement-Admin", "CISO"]) , ("payment_type", ["User"], []) , ("purchase_security_risk", ["User"], []) ] prop_perms = \ [ ( "user", "Edit", ["Procurement-Admin"] , ("roles", "password", "substitute", "subst_until", "clearance_by") ) , ( "user", "View", ["User"] , ("username", "id", "realname", "status") ) , ( "user", "Edit", ["Procurement-Admin"] , ("want_no_messages",) ) # Allow anybody to edit purchase_request but do not allow change # (in reactor): This is used for ordering actions in the web # interface via links (!) , ( "pr_approval", "Edit", ["User"] , ("purchase_request", "date") ) , ( "purchase_request", "Edit", ["Procurement", "Procurement-Admin"] , ("renew_until",) ) , ( "time_project", "Edit", ["Procurement"] , ("deputy_gets_mail",) ) , ( "sap_cc", "Edit", ["Procurement"] , ("deputy_gets_mail",) ) , ( "pr_approval_order", "View", ["User"] , ("role", "id") ) ] schemadef.register_roles (db, roles) schemadef.register_class_permissions (db, classes, prop_perms) # Retire/Restore permission for pr_approval_order for n in 'Retire', 'Restore' : p = db.security.addPermission \ ( name = n , klass = 'pr_approval_order' ) db.security.addPermissionToRole ('Procurement-Admin', p) tp_properties = \ ( 'name', 'description', 'responsible', 'deputy', 'organisation' , 'status', 'id' , 'creation', 'creator', 'activity', 'actor' ) # Search permission p = db.security.addPermission \ ( name = 'Search' , klass = 'time_project' , properties = tp_properties ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Search' , klass = 'user' ) db.security.addPermissionToRole ('Procurement-Admin', p) p = db.security.addPermission \ ( name = 'Search' , klass = 'purchase_request' ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Search' , klass = 'pr_approval' ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Search' , klass = 'pr_offer_item' ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Search' , klass = 'pr_approval_order' ) db.security.addPermissionToRole ('User', p) db.security.addPermissionToRole ('User', 'Create', 'pr_offer_item') db.security.addPermissionToRole ('User', 'Create', 'purchase_request') fixdoc = schemadef.security_doc_from_docstring def pr_pt_role (db, userid, itemid) : """ Users are allowed if they have one of the view roles of the purchase type or one of the (forced) approval roles. """ if not itemid or itemid < 1 : return False pr = db.purchase_request.getnode (itemid) if not pr.purchase_type : return False pt = db.purchase_type.getnode (pr.purchase_type) roles = set (pt.pr_view_roles) roles.update (pt.pr_roles) roles.update (pt.pr_forced_roles) for r in roles : if prlib.has_pr_role (db, userid, r) : return True return False # end def pr_pt_role p = db.security.addPermission \ ( name = 'View' , klass = 'purchase_request' , check = pr_pt_role , description = fixdoc (pr_pt_role.__doc__) ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = pr_pt_role , description = fixdoc (pr_pt_role.__doc__) , properties = ( 'sap_reference', 'terms_conditions', 'frame_purchase' , 'frame_purchase_end', 'nosy', 'messages', 'purchasing_agents' , 'internal_order', 'special_approval', 'payment_type' ) ) db.security.addPermissionToRole ('User', p) def pt_role_offer_item (db, userid, itemid) : """ Users are allowed to view if they have one of the view roles of the purchase type """ pr = get_pr_from_offer_item (db, itemid) if pr is None : return False return pr_pt_role (db, userid, pr.id) # end def pt_role_offer_item p = db.security.addPermission \ ( name = 'View' , klass = 'pr_offer_item' , check = pt_role_offer_item , description = fixdoc (pt_role_offer_item.__doc__) ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'pr_offer_item' , check = pt_role_offer_item , description = fixdoc (pt_role_offer_item.__doc__) , properties = ( 'add_to_las' , 'supplier' , 'pr_supplier' , 'is_asset' , 'payment_type' , 'internal_order' ) ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'pr_offer_item' , properties = ( 'add_to_las' , ) ) db.security.addPermissionToRole ('CISO', p) p = db.security.addPermission \ ( name = 'View' , klass = 'pr_offer_item' , properties = ( 'add_to_las' , 'supplier' , 'pr_supplier' , 'creation' , 'creator' , 'activity' , 'actor' ) ) db.security.addPermissionToRole ('CISO', p) def view_role_approval (db, userid, itemid) : """ Users are allowed to view if they have one of the view roles of the purchase type """ sp = db.pr_approval.getnode (itemid) pr = db.purchase_request.getnode (sp.purchase_request) if pr is None : return False return pr_pt_role (db, userid, pr.id) # end def view_role_approval p = db.security.addPermission \ ( name = 'View' , klass = 'pr_approval' , check = view_role_approval , description = fixdoc (view_role_approval.__doc__) ) db.security.addPermissionToRole ('User', p) def approver_non_finance (db, userid, itemid) : """ Approvers are allowed if not finance and PR not yet approved by finance. """ if not itemid or itemid < 1 : return False # User may not change if own_pr (db, userid, itemid) : return False # Finance may not change if common.user_has_role (db, userid, 'finance') : return False pr = db.purchase_request.getnode (itemid) st_approving = db.pr_status.lookup ('approving') if pr.status != st_approving : return False un = db.pr_approval_status.lookup ('undecided') ap = db.pr_approval.filter (None, dict (purchase_request = itemid)) for id in ap : a = db.pr_approval.getnode (id) # already signed by finance? finance = db.pr_approval_order.lookup ('finance') if a.status != un and a.role_id == finance : return False return linked_pr (db, userid, itemid) # end def approver_non_finance p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = approver_non_finance , description = fixdoc (approver_non_finance.__doc__) , properties = ( 'continuous_obligation', 'intended_duration', 'contract_term') ) db.security.addPermissionToRole ('User', p) def approver_non_finance_offer (db, userid, itemid) : """ Approvers are allowed if not finance and PR not yet approved by finance. """ pr = get_pr_from_offer_item (db, itemid) if pr is None : return False return approver_non_finance (db, userid, pr.id) # end def approver_non_finance_offer p = db.security.addPermission \ ( name = 'Edit' , klass = 'pr_offer_item' , check = approver_non_finance_offer , description = fixdoc (approver_non_finance_offer.__doc__) , properties = ( 'vat',) ) db.security.addPermissionToRole ('User', p) def own_pr (db, userid, itemid) : """ User is allowed permission on their own PRs if either creator or requester or supervisor of requester. """ if not itemid or itemid < 1 : return False pr = db.purchase_request.getnode (itemid) if pr.creator == userid or pr.requester == userid : return True sup = db.user.get (pr.requester, 'supervisor') if sup and sup == userid : return True return False # end def own_pr p = db.security.addPermission \ ( name = 'View' , klass = 'purchase_request' , check = own_pr , description = fixdoc (own_pr.__doc__) ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = own_pr , description = fixdoc (own_pr.__doc__) , properties = ('messages', 'nosy', 'files', 'renew_until') ) db.security.addPermissionToRole ('User', p) def open_or_approving (db, userid, itemid) : st_open = db.pr_status.lookup ('open') st_approving = db.pr_status.lookup ('approving') pr = db.purchase_request.getnode (itemid) if pr.status in (st_open, st_approving) : return True return False # end def open_or_approving def cancel_own_pr (db, userid, itemid) : """ User is allowed to cancel their own PR. """ if not own_pr (db, userid, itemid) : return False return open_or_approving (db, userid, itemid) # end def cancel_own_pr p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = cancel_own_pr , description = fixdoc (cancel_own_pr.__doc__) , properties = ('status', 'messages', 'nosy') ) db.security.addPermissionToRole ('User', p) def edit_pr_justification (db, userid, itemid) : """ User is allowed to edit PR Justification if the PR has appropriate status and the user is creator or owner of the PR or has one of the view roles. """ st_open = db.pr_status.lookup ('open') st_approving = db.pr_status.lookup ('approving') st_rejected = db.pr_status.lookup ('rejected') st_approved = db.pr_status.lookup ('approved') stati = (st_open, st_approving, st_rejected, st_approved) pr = db.purchase_request.getnode (itemid) if pr.status not in stati : return False if own_pr (db, userid, itemid) : return True if pr_pt_role (db, userid, itemid) : return True return False # end def edit_pr_justification p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = edit_pr_justification , description = fixdoc (edit_pr_justification.__doc__) , properties = ('pr_justification',) ) db.security.addPermissionToRole ('User', p) def cancel_open_pr (db, userid, itemid) : """ User is allowed to cancel a PR if it is open """ st_open = db.pr_status.lookup ('open') pr = db.purchase_request.getnode (itemid) if pr.status == st_open : return True return False # end def cancel_own_pr p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = cancel_open_pr , description = fixdoc (cancel_open_pr.__doc__) , properties = ('status', 'messages') ) db.security.addPermissionToRole ('Procurement-Admin', p) def approving_or_approved (db, userid, itemid) : """ User is allowed to reject PR in state approving or approved """ st_approving = db.pr_status.lookup ('approving') st_approved = db.pr_status.lookup ('approved') pr = db.purchase_request.getnode (itemid) if pr.status in (st_approving, st_approved) : return True return False # end def approving_or_approved p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = approving_or_approved , description = fixdoc (approving_or_approved.__doc__) , properties = ('status', 'messages') ) for r in prlib.reject_roles : db.security.addPermissionToRole (r, p) def reopen_rejected_pr (db, userid, itemid) : """ User is allowed to reopen their own rejected PR. """ if not own_pr (db, userid, itemid) : return False st_rejected = db.pr_status.lookup ('rejected') pr = db.purchase_request.getnode (itemid) if pr.status == st_rejected : return True return False # end def reopen_rejected_pr p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = reopen_rejected_pr , description = fixdoc (reopen_rejected_pr.__doc__) , properties = ('status', 'messages', 'nosy') ) db.security.addPermissionToRole ('User', p) def own_pr_and_open_or_rej (db, userid, itemid) : """ User is allowed to edit their own PRs (creator or requester or supervisor of requester) while PR is open or rejected. """ if not own_pr (db, userid, itemid) : return False open = db.pr_status.lookup ('open') rej = db.pr_status.lookup ('rejected') pr = db.purchase_request.getnode (itemid) if pr.status == open or pr.status == rej : return True return False # end def own_pr_and_open_or_rej p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = own_pr_and_open_or_rej , description = fixdoc (own_pr_and_open_or_rej.__doc__) ) db.security.addPermissionToRole ('User', p) def linked_pr (db, userid, itemid) : """ Users are allowed if an approval from them is linked to the PR. """ if not itemid or itemid < 1 : return False pr = db.purchase_request.getnode (itemid) ap = db.pr_approval.filter (None, dict (purchase_request = itemid)) for id in ap : a = db.pr_approval.getnode (id) # User or deputy or delegated? if userid in common.approval_by (db, a.user) : return True if userid in common.approval_by (db, a.deputy) : return True if a.role_id and prlib.has_pr_role (db, userid, a.role_id) : return True return False # end def linked_pr p = db.security.addPermission \ ( name = 'View' , klass = 'purchase_request' , check = linked_pr , description = fixdoc (linked_pr.__doc__) ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = linked_pr , description = fixdoc (linked_pr.__doc__) , properties = ('messages', 'nosy', 'files') ) db.security.addPermissionToRole ('User', p) def pending_approval (db, userid, itemid) : """ Users are allowed to edit message if a pending approval from them is linked to the PR. """ if not linked_pr (db, userid, itemid) : return False if open_or_approving (db, userid, itemid) : return True # Also allow for reject because message is tried to attach twice # We allow this only for some time (5 min after last change) st_reject = db.pr_status.lookup ('rejected') pr = db.purchase_request.getnode (itemid) if pr.status != st_reject : return False now = date.Date ('.') if pr.activity + date.Interval ('00:05:00') > now : return True return False # end def pending_approval p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = pending_approval , description = fixdoc (pending_approval.__doc__) , properties = ('messages', 'nosy', 'files') ) db.security.addPermissionToRole ('User', p) def linked_to_pr (db, userid, itemid) : """ Users are allowed to view if approval is linked to viewable PR. """ if not itemid or itemid < 1 : return False ap = db.pr_approval.getnode (itemid) pr = ap.purchase_request if own_pr (db, userid, pr) : return True if linked_pr (db, userid, pr) : return True return False # end def linked_to_pr p = db.security.addPermission \ ( name = 'View' , klass = 'pr_approval' , check = linked_to_pr , description = fixdoc (linked_to_pr.__doc__) ) db.security.addPermissionToRole ('User', p) def approval_undecided (db, userid, itemid) : """ User is allowed to change status of undecided approval if they are the owner/deputy or have appropriate role. In addition this is allowed if they have a delegated approval or are an active substitute. We also allow pr.status to be 'rejected': This cannot change the outcome (once approved or rejected the pr.status cannot change) but allows for race condition when someone has several approvals in a single mask and one of that approvals changed the PR to rejected before the others were processed. """ if not itemid or itemid < 1 : return False ap = db.pr_approval.getnode (itemid) pr = db.purchase_request.getnode (ap.purchase_request) und = db.pr_approval_status.lookup ('undecided') st_open = db.pr_status.lookup ('open') st_approving = db.pr_status.lookup ('approving') st_reject = db.pr_status.lookup ('rejected') if ( ap.status == und and ( userid in common.approval_by (db, ap.user) or userid in common.approval_by (db, ap.deputy) or (ap.role_id and prlib.has_pr_role (db, userid, ap.role_id)) ) and pr.status in (st_open, st_approving, st_reject) ) : return True return False # end def approval_undecided p = db.security.addPermission \ ( name = 'Edit' , klass = 'pr_approval' , check = approval_undecided , description = fixdoc (approval_undecided.__doc__) , properties = ('status', 'msg') ) db.security.addPermissionToRole ('User', p) def get_pr_from_offer_item (db, itemid) : prs = db.purchase_request.filter (None, dict (offer_items = itemid)) if len (prs) == 0 : return None assert len (prs) == 1 return db.purchase_request.getnode (prs [0]) # end def get_pr_from_offer_item def linked_from_pr (db, userid, itemid) : """ Users are allowed to view if offer is linked from PR. """ if not itemid or itemid < 1 : return True off = db.pr_offer_item.getnode (itemid) pr = get_pr_from_offer_item (db, itemid) if pr is None : return False if own_pr (db, userid, pr.id) : return True if linked_pr (db, userid, pr.id) : return True return False # end def linked_from_pr p = db.security.addPermission \ ( name = 'View' , klass = 'pr_offer_item' , check = linked_from_pr , description = fixdoc (linked_from_pr.__doc__) ) db.security.addPermissionToRole ('User', p) def add_to_las_false (db, userid, itemid) : """ Allow setting add_to_las from 'None' for orphanes offer items. """ if itemid is None : return False oi = db.pr_offer_item.getnode (itemid) pr = get_pr_from_offer_item (db, itemid) if pr is not None : return False if oi.add_to_las is None : return True return False # end def add_to_las_false p = db.security.addPermission \ ( name = 'Edit' , klass = 'pr_offer_item' , check = add_to_las_false , description = fixdoc (add_to_las_false.__doc__) , properties = ('add_to_las',) ) db.security.addPermissionToRole ('User', p) def linked_and_editable (db, userid, itemid) : """ Users are allowed to edit if offer is linked from PR and PR is editable. """ if not itemid or itemid < 1 : return True if not linked_from_pr (db, userid, itemid) : return False pr = get_pr_from_offer_item (db, itemid) if pr is None : return False return own_pr_and_open_or_rej (db, userid, pr.id) # end def linked_and_editable p = db.security.addPermission \ ( name = 'Edit' , klass = 'pr_offer_item' , check = linked_and_editable , description = fixdoc (linked_and_editable.__doc__) ) db.security.addPermissionToRole ('User', p) def approved_or_ordered (db, userid, itemid) : """ User with view role is allowed editing if status is 'approved' or 'ordered' """ if not pr_pt_role (db, userid, itemid) : return False pr = db.purchase_request.getnode (itemid) stati = [] for n in ('approved', 'ordered') : try : st = db.pr_status.lookup (n) stati.append (st) except KeyError : pass if pr.status in stati : return True return False # end def approved_or_ordered p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = approved_or_ordered , description = fixdoc (approved_or_ordered.__doc__) , properties = ('status', 'messages', 'files', 'nosy') ) db.security.addPermissionToRole ('User', p) schemadef.register_nosy_classes (db, ['purchase_request']) def user_on_nosy (db, userid, itemid) : """ User is allowed if on the nosy list """ pr = db.purchase_request.getnode (itemid) if userid in pr.nosy : return True # end def user_on_nosy p = db.security.addPermission \ ( name = 'View' , klass = 'purchase_request' , check = user_on_nosy , description = fixdoc (user_on_nosy.__doc__) ) db.security.addPermissionToRole ('User', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = user_on_nosy , description = fixdoc (user_on_nosy.__doc__) , properties = ('messages', 'files', 'nosy') ) db.security.addPermissionToRole ('User', p) def user_on_nosy_approval (db, userid, itemid) : """ User is allowed if on the nosy list of the PR """ ap = db.pr_approval.getnode (itemid) return user_on_nosy (db, userid, ap.purchase_request) # end def user_on_nosy p = db.security.addPermission \ ( name = 'View' , klass = 'pr_approval' , check = user_on_nosy_approval , description = fixdoc (user_on_nosy_approval.__doc__) ) db.security.addPermissionToRole ('User', p) def user_on_nosy_offer (db, userid, itemid) : """ User is allowed if on the nosy list of the PR """ if not itemid or itemid < 1 : return True prs = db.purchase_request.filter (None, dict (offer_items = itemid)) assert len (prs) <= 1 if prs : return user_on_nosy (db, userid, prs [0]) return False # end def user_on_nosy p = db.security.addPermission \ ( name = 'View' , klass = 'pr_offer_item' , check = user_on_nosy_offer , description = fixdoc (user_on_nosy_offer.__doc__) ) db.security.addPermissionToRole ('User', p) def view_pr_risks (db, userid, itemid) : """ User is allowed to view special risks if the PR has appropriate status and the user is creator or owner of the PR or has one of the view roles. """ st_open = db.pr_status.lookup ('open') pr = db.purchase_request.getnode (itemid) if pr.status == st_open : return False if own_pr (db, userid, itemid) : return True if pr_pt_role (db, userid, itemid) : return True return False # end def view_pr_risks p = db.security.addPermission \ ( name = 'View' , klass = 'purchase_request' , check = view_pr_risks , description = fixdoc (view_pr_risks.__doc__) , properties = ('pr_risks',) ) db.security.addPermissionToRole ('User', p) def edit_pr_risks (db, userid, itemid) : """ User is allowed to edit special risks if the PR has appropriate status. """ st_open = db.pr_status.lookup ('open') pr = db.purchase_request.getnode (itemid) if pr.status == st_open : return False return True # end def edit_pr_risks p = db.security.addPermission \ ( name = 'Edit' , klass = 'purchase_request' , check = edit_pr_risks , description = fixdoc (edit_pr_risks.__doc__) , properties = ('pr_risks',) ) db.security.addPermissionToRole ('Procurement', p) p = db.security.addPermission \ ( name = 'View' , klass = 'user' , check = schemadef.own_user_record , description = "Users are allowed to view some of their details" , properties = ('supervisor', 'clearance_by', 'want_no_messages') ) db.security.addPermissionToRole ('User', p)
) ) , ( "user", "View", ["Controlling"], ("roles",)) , ( "user", "View", ["User"] , ( "activity", "actor", "address", "alternate_addresses" , "clearance_by", "creation", "creator", "department" , "firstname", "job_description", "lastname" , "id", "lunch_duration", "lunch_start", "nickname" , "pictures", "position", "queries", "realname", "room", "sex" , "status", "subst_active", "substitute", "supervisor", "timezone" , "title", "username", "home_directory", "login_shell" , "samba_home_drive", "samba_home_path", "tt_lines" ) ) ] # For PGP-Processing we need a role schemadef.register_roles(db, [('PGP', 'Roles that require PGP')]) schemadef.register_class_permissions(db, classes, prop_perms) schemadef.allow_user_details(db, 'User', 'Edit') # the following is further checked in an auditor: db.security.addPermissionToRole('User', 'Create', 'time_wp') # editing of roles: for r in "HR", "IT": db.security.addPermissionToRole(r, 'Web Roles') # oh, g'wan, let anonymous access the web interface too # NOT really !!! db.security.addPermissionToRole('Anonymous', 'Web Access')
def security(db, **kw): roles = \ [ ("External" , "External user with less access") ] classes = \ [ ("area", ["External"], []) , ("doc_issue_status", ["External"], []) , ("keyword", ["External"], []) , ("kind", ["External"], []) , ("msg_keyword", ["External"], []) , ("severity", ["External"], []) , ("status", ["External"], []) , ("status_transition", ["External"], []) , ("ext_tracker_state", ["External"], []) , ("safety_level", ["External"], []) , ("test_level", ["External"], []) ] if 'fault_frequency' in db.classes: classes.append \ (("fault_frequency", ["External"], [])) if 'kpm' in db.classes: classes.append \ (("kpm", ["External"], ["External"])) if 'kpm_function' in db.classes: classes.append \ (("kpm_function", ["External"], [])) if 'kpm_hw_variant' in db.classes: classes.append \ (("kpm_hw_variant", ["External"], [])) if 'kpm_occurrence' in db.classes: classes.append \ (("kpm_occurrence", ["External"], [])) if 'kpm_release' in db.classes: classes.append \ (("kpm_release", ["External"], [])) if 'kpm_tag' in db.classes: classes.append \ (("kpm_tag", ["External"], [])) if 'ext_tracker_type' in db.classes: classes.append \ (("ext_tracker_type", ["External"], [])) prop_perms = \ [ ( "user", "View", ["External"] , ("username", "nickname", "status") ) , ( "category", "View", ["External"] , ("name", "id") ) , ( "user_status", "View", ["External"] , ("name", ) ) ] linkperms = \ [ ("file", ["External"], ['View'], linkclass_iter (db, "file")) , ("msg", ["External"], ['View'], linkclass_iter (db, "msg")) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, prop_perms) core.register_linkperms(db, linkperms) # don't allow external_company or External for some issue attributes exceptions = dict.fromkeys \ (('external_company', 'confidential', 'external_users', 'inherit_ext')) issue_props = [ p for p in db.issue.getprops().iterkeys() if p not in exceptions ] if 'external_company' in db.issue.properties: def ext_company_access(db, userid, itemid): """ Users are allowed to access issue if their external company has access """ ec = db.user.get(userid, 'external_company') ecs = db.issue.get(itemid, 'external_company') return ecs and ec in ecs # end def ext_company_access for perm in ('View', 'Edit'): p = db.security.addPermission \ ( name = perm , klass = 'issue' , check = ext_company_access , description = schemadef.security_doc_from_docstring (ext_company_access.__doc__) , properties = issue_props ) db.security.addPermissionToRole('External', p) if 'external_users' in db.issue.properties: issue_props.append('external_users') def ext_user_access(db, userid, itemid): """ External users are allowed to access issue if they are on the list of allowed external users or there is a transitive permission via containers. """ issue = db.issue.getnode(itemid) while True: if issue.external_users and userid in issue.external_users: return True if not issue.part_of: break # check parent permissions for non-container or if the # container defines inherit_ext if issue.composed_of and not issue.inherit_ext: break issue = db.issue.getnode(issue.part_of) return False # end def ext_user_access for perm in ('View', 'Edit'): p = db.security.addPermission \ ( name = perm , klass = 'issue' , check = ext_user_access , description = schemadef.security_doc_from_docstring (ext_user_access.__doc__) , properties = issue_props ) db.security.addPermissionToRole('External', p) # Currently *never* allow any rights from being on nosy list if False: def is_on_nosy(db, userid, itemid): "User is allowed to access issue if on nosy list" item = db.issue.getnode(itemid) return userid in item.nosy # end def is_on_nosy for perm in ('View', 'Edit'): p = db.security.addPermission \ ( name = perm , klass = 'issue' , check = is_on_nosy , description = schemadef.security_doc_from_docstring (is_on_nosy.__doc__) , properties = issue_props ) db.security.addPermissionToRole('External', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'user' , check = schemadef.own_user_record , description = "Users are allowed to edit some of their details" , properties = ( "password", "timezone", "csv_delimiter" , "hide_message_files" ) ) db.security.addPermissionToRole('External', p) p = db.security.addPermission \ ( name = 'View' , klass = 'user' , check = schemadef.own_user_record , description = "Users are allowed to view some of their details" , properties = ( "username", "realname", "firstname", "lastname" , "creation", "creator", "activity", "actor" ) ) db.security.addPermissionToRole('External', p) p = db.security.getPermission('Create', 'file') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Search', 'file') db.security.addPermissionToRole('External', p) p = db.security.getPermission('View', 'file', check=core.view_file) db.security.addPermissionToRole('External', p) p = db.security.getPermission('Create', 'issue') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Search', 'issue') db.security.addPermissionToRole('External', p) # need search permission on username + id if we want to search for # user Link/Multilink properties on issue (e.g. responsible, nosy, ..) p = db.security.addPermission \ ( name = 'Search' , klass = 'user' , properties = ("username", "nickname", "id") ) db.security.addPermissionToRole('External', p) # Need search-permission on ext_tracker_state p = db.security.addPermission \ ( name = 'Search' , klass = 'ext_tracker_state' , properties = ("issue", "id") ) db.security.addPermissionToRole('External', p) p = db.security.getPermission('View', 'ext_tracker') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Create', 'msg') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Search', 'msg') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Create', 'query') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Edit', 'query', check=core.edit_query) db.security.addPermissionToRole('External', p) p = db.security.getPermission('Retire', 'query', check=core.edit_query) db.security.addPermissionToRole('External', p) p = db.security.getPermission('Search', 'query') db.security.addPermissionToRole('External', p) p = db.security.getPermission('View', 'query', check=core.view_query) db.security.addPermissionToRole('External', p) db.security.addPermissionToRole('External', 'Web Access') db.security.addPermissionToRole('External', 'Email Access')