def security (db, ** kw) :
roles = \
[ ("Discount" , "Allowed to add/change discounts")
, ("Letter" , "Allowed to add/change templates and letters")
, ("Product" , "Allowed to add/change product data")
]
classes = \
[ ("address", ["User"], ["Contact"])
, ("bank_account", ["User"], ["Contact"])
, ("cust_supp", ["User"], ["Contact"])
, ("customer_group", ["User"], [])
, ("customer_status", ["User"], [])
, ("customer_type", ["User"], [])
, ("discount_group", ["User"], ["Discount"])
, ("dispatch_type", ["User"], [])
, ("group_discount", ["User"], ["Discount"])
, ("invoice_dispatch", ["User"], [])
, ("letter", ["User"], ["Letter"])
, ("measuring_unit", ["User"], [])
, ("overall_discount", ["User"], ["Discount"])
, ("packaging_unit", ["User"], [])
, ("pharma_ref", ["User"], [])
, ("proceeds_group", ["User"], [])
, ("product", ["User"], ["Product"])
, ("product_group", ["User"], ["Product"])
, ("product_status", ["User"], [])
, ("sales_conditions", ["User"], [])
, ("shelf_life_code", ["User"], [])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) :
roles = \
[ ("Guest", "Allowed to view everything")
, ("Logger", "Allowed to add and change measurements")
]
classes = \
[ ("device", ["User", "Guest", "Logger"], ["Logger"])
, ("device_group", ["User", "Guest", "Logger"], ["User"])
, ("logstyle", ["User", "Guest", "Logger"], [])
, ("measurement", ["User", "Guest", "Logger"], ["Logger"])
, ("sensor", ["User", "Guest", "Logger"], ["Logger"])
, ("transceiver", ["User", "Guest", "Logger"], ["Logger"])
, ("alarm", ["User", "Guest", "Logger"], ["User", "Logger"])
]
prop_perms = \
[ ( "device", "Edit", ["User"]
, ( "name", "sint", "mint", "gapint", "rec", "device_group"
, "mint_pending", "sint_pending"
)
)
, ( "sensor", "Edit", ["User"]
, ("almin", "almax", "do_logging"
)
)
, ( "transceiver", "Edit", ["User"]
, ("name", "tty", "sint", "mint", "mint_pending", "sint_pending")
)
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
def security(db, **kw):
roles = \
[ ("Contact" , "Allowed to add/change address data")
]
classes = \
[ ("file", ["User", "Adr_Readonly"], ["User"])
, ("msg", ["User", "Adr_Readonly"], ["User"])
, ("address", ["Contact", "Adr_Readonly", "User"], ["User"])
, ("contact", ["Contact", "Adr_Readonly", "User"], ["Contact"])
, ("weekday", ["Contact", "Adr_Readonly", "User"], [])
, ("opening_hours", ["Contact", "Adr_Readonly", "User"], ["User"])
]
prop_perms = \
[ ( "user", "View", ["User"]
, ( "activity", "actor", "address", "alternate_addresses"
, "creation", "creator", "id", "queries", "realname"
, "status", "timezone", "username"
)
)
, ( "user", "View", ["Adr_Readonly"]
, ( "username", "realname")
)
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, prop_perms)
schemadef.allow_user_details \
(db, 'User', 'Edit', 'address', 'alternate_addresses')
schemadef.allow_user_details \
(db, 'Adr_Readonly', 'Edit', 'address', 'alternate_addresses')
def security (db, ** kw) :
roles = \
[ ("Abo" , "Allowed to modify subscriptions")
, ("Invoice" , "Allowed to change financial data")
, ("Letter" , "Allowed to add/change templates and letters")
, ("Product" , "Allowed to create/edit products")
]
classes = \
[ ("abo_price" , ["User"], ["Product"])
, ("abo_type" , ["Abo", "Product", "Invoice"],
["Product", "Abo", "Invoice"])
, ("abo" , ["Abo", "Product", "Invoice"],
["Abo"])
, ("address" , ["User"], ["User"])
, ("contact_type" , ["User"], [])
, ("currency" , ["User"], ["Product"])
, ("invoice_group" , ["Invoice"], ["Invoice"])
, ("invoice_template" , ["Invoice"], ["Invoice"])
, ("invoice" , ["Invoice"], ["Invoice"])
, ("letter" , ["User"], ["Abo", "Letter"])
, ("query" , ["User"], ["User"])
, ("tmplate" , ["User"], ["Abo", "Invoice", "Letter"])
, ("valid" , ["User"], [])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) :
roles = \
[ ("MsgEdit", "Allowed to edit message properties")
, ("MsgSync", "Allowed to sync message with ext. tracker")
, ("Issue_Admin", "Admin for issue tracker")
]
# classname allowed to view
# allowed to edit
classes = \
[ ("ext_tracker", ["User"],
["Issue_Admin"]
)
, ("ext_msg", ["MsgEdit", "MsgSync"],
["MsgSync"]
)
, ("ext_tracker_type", ["MsgEdit", "MsgSync", "User"],
[]
)
, ("ext_tracker_state", ["MsgEdit", "MsgSync", "User"],
["MsgSync", "User"]
)
]
prop_perms = []
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
p = db.security.addPermission \
( name = 'Search'
, klass = 'msg'
, properties = ("date", "id")
)
db.security.addPermissionToRole ('MsgEdit', p)
db.security.addPermissionToRole ('MsgSync', p)
def security (db, ** kw) :
roles = \
[ ("IT" , "IT-Department" )
, ("ITView" , "View but not change IT data" )
]
# classname allowed to view / edit
classes = \
[ ("alias", ["IT", "ITView"], ["IT"])
, ("dns_record_type", ["IT", "ITView"], [])
, ("group", ["IT", "ITView"], ["IT"])
, ("ip_subnet", ["IT", "ITView"], ["IT"])
, ("machine", ["IT", "ITView"], ["IT"])
, ("machine_name", ["IT", "ITView"], ["IT"])
, ("network_address", ["IT", "ITView"], ["IT"])
, ("network_interface", ["IT", "ITView"], ["IT"])
, ("operating_system", ["IT", "ITView"], ["IT"])
, ("smb_domain", ["IT", "ITView"], ["IT"])
, ("smb_machine", ["IT", "ITView"], ["IT"])
]
prop_perms = \
[ ( "location", "Edit", ["IT"]
, ("domain_part",)
)
, ( "org_location", "Edit", ["IT"]
, ("smb_domain", "dhcp_server", "domino_dn")
)
, ( "organisation", "Edit", ["IT"]
, ("domain_part",)
)
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
def security(db, **kw):
roles = \
[ ("Dom-User-Edit-GTT", "Edit/Create users with specific AD domain")
]
# classname allowed to view / edit
classes = \
[ ("job_log", ["User"], ["Dom-User-Edit-GTT"])
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, ())
def security (db, ** kw) :
roles = \
[ ("Issue_Admin", "Admin for issue tracker")
]
# classname allowed to view / edit
classes = \
[ ("doc_issue_status", ["User"], ["Issue_Admin"])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, ())
def security(db, **kw):
roles = \
[ ("Issue_Admin", "Admin for issue tracker")
, ("Nosy", "Allowed on nosy list")
]
# classname allowed to view / edit
classes = \
[ ("keyword", ["User"], ["Issue_Admin"])
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, ())
def security (db, ** kw) :
roles = \
[ ("Contact" , "Allowed to add/change address data")
]
classes = \
[ ("opening_hours" , ["User"], ["Contact"])
, ("weekday" , ["User"], [])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) :
roles = \
[ ("Letter" , "Allowed to add/change templates and letters")
]
classes = \
[ ("tmplate" , ["User"], ["Letter"])
, ("tmplate_status" , ["User"], [])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
def security (db, ** kw) :
roles = [ ("SupportAdmin", "Customer support department") ]
# classname allowed to view / edit
classes = \
[ ("sup_status", ["User"], [])
, ("sup_prio", ["User"], [])
, ("sup_type", ["User"], [])
, ("sup_warranty", ["User"], [])
, ("sup_execution", ["User"], [])
, ("business_unit", ["User"], [])
, ("product", ["User"], [])
, ("support", ["SupportAdmin"], ["SupportAdmin"])
, ("customer", ["User", "SupportAdmin"], ["SupportAdmin"])
, ("contact", ["User", "SupportAdmin"], ["SupportAdmin"])
, ("mailgroup", ["User", "SupportAdmin"], ["SupportAdmin", "IT"])
, ("sup_classification",
["User", "SupportAdmin"], ["SupportAdmin"])
, ("customer_agreement",
["User", "SupportAdmin"], ["SupportAdmin"])
, ("analysis_result",
["User", "SupportAdmin"], ["SupportAdmin"])
, ("return_type",
["User", "SupportAdmin"], ["SupportAdmin"])
]
if 'adr_type' in db.classes :
classes.append (( "adr_type"
, ["User", "SupportAdmin"]
, ["SupportAdmin"]
))
classes.append (( "adr_type_cat"
, ["User", "SupportAdmin"]
, ["SupportAdmin"]
))
prop_perms = []
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
db.security.addPermissionToRole ('User', 'Create', 'support')
db.security.addPermissionToRole ('SupportAdmin', 'Create', 'support')
schemadef.register_confidentiality_check \
(db, 'User', 'support', ('View',))
exc_props = dict.fromkeys (('first_reply', 'satisfied'))
props = dict (db.support.properties)
for p in exc_props :
del props [p]
schemadef.register_confidentiality_check \
(db, 'User', 'support', ('Edit',), * props.keys ())
schemadef.register_nosy_classes (db, ['support'])
schemadef.add_search_permission (db, 'support', 'User')
def security (db, ** kw) :
roles = \
[ ("Invoice" , "Allowed to change financial data")
]
classes = \
[ ("currency", ["User"], [])
, ("invoice_template", ["Invoice"], ["Invoice"])
, ("payment", ["Invoice"], ["Invoice"])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
def security(db, **kw):
roles = \
[ ("Contact" , "Allowed to add/change address data")
]
classes = \
[ ("contact_type", ["User"], [])
, ("contact", ["User"], ["Contact"])
]
if 'adr_readonly' in db.security.role:
classes[0][1].append('Adr_Readonly')
classes[1][1].append('Adr_Readonly')
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, [])
def security(db, **kw):
classes = \
[ ("substance", ["User"], ["User"])
, ("ingredient_used_by_substance", ["User"], ["User"])
, ("rc_product_type", ["User"], ["User"])
, ("rc_application", ["User"], ["User"])
, ("rc_substrate", ["User"], ["User"])
, ("rc_suitability", ["User"], ["User"])
, ("rc_brand", ["User"], ["User"])
, ("rc_capability", ["User"], ["User"])
, ("rc_product", ["User"], [])
]
schemadef.register_class_permissions(db, classes, [])
# Allow creation but not modification
db.security.addPermissionToRole('User', 'Create', 'rc_product')
def security (db, ** kw) :
roles = ( ("Doc_Admin", "Admin for documents (e.g. QM)")
, ("Nosy", "Allowed on nosy list")
)
prop_perms = (("department", "Edit", ("Doc_Admin", ), ("doc_num", )), )
classes = \
( ("doc" , ("User",), ("Doc_Admin", "User"))
, ("artefact" , ("User",), ("Doc_Admin",))
, ("product_type", ("User",), ("Doc_Admin",))
, ("reference" , ("User",), ("Doc_Admin",))
, ("doc_status" , ("User",), ("Doc_Admin",))
)
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
schemadef.register_nosy_classes (db, ['doc'])
def security (db, ** kw) :
roles = \
[ ("Type" , "Allowed to add/change type codes")
, ("Adr_Readonly" , "Allowed to read address and contact data")
]
classes = \
[ ("adr_type" , ["User", "Adr_Readonly"], ["Type"])
, ("adr_type_cat" , ["User", "Adr_Readonly"], ["Type"])
, ("valid" , ["User", "Adr_Readonly"], [])
]
if 'address' in db.classes :
classes.append (("address", ["Adr_Readonly"], []))
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, [])
db.security.addPermissionToRole ('Adr_Readonly', 'Web Access')
def security (db, ** kw) :
roles = \
[ ("Issue_Admin", "Admin for issue tracker")
, ("Nosy", "Allowed on nosy list")
]
# classname allowed to view / edit
classes = \
[ ("issue", ["Issue_Admin"], ["Issue_Admin"])
, ("status", ["User"], ["Issue_Admin"])
, ("prio", ["User"], ["Issue_Admin"])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, ())
schemadef.register_nosy_classes (db, ['issue'])
db.security.addPermissionToRole ('User', 'Create', 'issue')
schemadef.add_search_permission (db, 'issue', 'User')
def security (db, ** kw) :
roles = \
[ ("KPM-Admin", "Admin for KPM multiselect fields")
]
# classname allowed to view / edit
classes = \
[ ("fault_frequency", ["User"], [])
, ("kpm_function", ["User"], ["KPM-Admin"])
, ("kpm_hw_variant", ["User"], ["KPM-Admin"])
, ("kpm_occurrence", ["User"], ["KPM-Admin"])
, ("kpm_release", ["User"], ["KPM-Admin"])
, ("kpm_tag", ["User"], ["KPM-Admin"])
, ("kpm", ["User"], ["User"])
]
prop_perms = []
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
def security (db, ** kw) :
""" See the configuration and customisation document for information
about security setup.
"""
roles = \
[ ("Controlling", "Controlling")
]
# classname allowed to view / edit
classes = \
[ ("organisation", ["User"], ["Controlling"])
]
prop_perms = []
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
def security (db, ** kw) :
""" See the configuration and customisation document for information
about security setup.
"""
roles = \
[ ("HR", "Human Resources team")
, ("HR-Org-Location", "Human Resources team in this Org-Location")
, ("Controlling", "Controlling")
, ("Office", "Member of Office")
, ("Facility", "Role to edit room assignments")
]
# classname allowed to view / edit
classes = \
[ ("department", ["User"], ["Controlling"])
, ("location", ["User"], ["HR"])
, ("organisation", ["User"], ["HR", "Controlling"])
, ("org_location", ["User"], ["HR"])
, ("room", ["User"], ["HR", "Office", "Facility"])
, ("sex", ["User"], [])
# , ("user", See below -- individual fields)
]
prop_perms = \
[ ( "user", "View", ["Controlling"], ("roles",))
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
# HR should be able to create new users:
db.security.addPermissionToRole ("HR", "Create", "user")
# Retire/Restore permission for room
for perm in 'Retire', 'Restore' :
p = db.security.addPermission \
( name = perm
, klass = 'room'
)
for role in ("HR", "Office", "Facility") :
db.security.addPermissionToRole (role, p)
def security (db, ** kw) :
classes = \
[ ("ham_call", ["User"], ["User"])
, ("ham_mode", ["User"], ["User"])
, ("ham_band", ["User"], ["User"])
, ("qsl_type", ["User"], ["User"])
, ("qsl_status", ["User"], ["User"])
, ("antenna", ["User"], ["User"])
, ("continent", ["User"], ["User"])
, ("dxcc_entity", ["User"], ["User"])
, ("qsl", ["User"], ["User"])
, ("qso", ["User"], ["User"])
, ("user", ["User"], ["Admin"])
]
prop_perms = \
[ ( "user", "View", ["User"], ("call",))
]
schemadef.register_class_permissions (db, classes, prop_perms)
def security(db, **kw):
roles = \
[ ("PBX", "Allowed to edit pbx data")
]
classes = \
[ ("sip_device", ["PBX"], ["PBX"])
]
prop_perms = \
[ ("sip_device", "View", ["User"]
, ("name", "id")
)
, ("user", "View", ["PBX", "User"]
, ("sip_device",)
)
, ("user", "Edit", ["PBX"]
, ("sip_device",)
)
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, prop_perms)
def security(db, **kw):
roles = \
[ ("Contact" , "Allowed to add/change address data")
]
classes = \
[ ("file", ["User", "Adr_Readonly"], ["User"])
, ("msg", ["User", "Adr_Readonly"], ["User"])
, ("address", ["Contact", "Adr_Readonly", "User"], ["User"])
, ("contact", ["Contact", "Adr_Readonly", "User"], ["Contact"])
, ("weekday", ["Contact", "Adr_Readonly", "User"], [])
, ("opening_hours", ["Contact", "Adr_Readonly", "User"], ["User"])
]
prop_perms = \
[ ( "user", "View", ["User"]
, ( "activity", "actor", "address", "alternate_addresses"
, "clearance_by", "creation", "creator", "department"
, "firstname", "id", "job_description", "lastname"
, "lunch_duration", "lunch_start", "nickname"
, "pictures", "position", "queries", "realname", "room", "sex"
, "status", "subst_active", "subst_until", "substitute"
, "supervisor", "timezone"
, "title", "username", "home_directory", "login_shell"
, "samba_home_drive", "samba_home_path"
)
)
, ( "user", "View", ["Adr_Readonly"]
, ( "username", "realname")
)
]
schemadef.register_roles(db, roles)
schemadef.register_class_permissions(db, classes, prop_perms)
schemadef.allow_user_details \
(db, 'User', 'Edit', 'address', 'alternate_addresses')
schemadef.allow_user_details \
(db, 'Adr_Readonly', 'Edit', 'address', 'alternate_addresses')
, "clearance_by", "creation", "creator", "department"
, "firstname", "job_description", "lastname"
, "id", "lunch_duration", "lunch_start", "nickname"
, "pictures", "position", "queries", "realname", "room", "sex"
, "status", "subst_active", "substitute", "supervisor", "timezone"
, "title", "username", "home_directory", "login_shell"
, "samba_home_drive", "samba_home_path", "tt_lines"
)
)
]
# For PGP-Processing we need a role
schemadef.register_roles \
( db
, [ ('PGP', 'Roles that require PGP')
, ('IT', 'IT: edit some permissions')
]
)
schemadef.register_class_permissions(db, classes, prop_perms)
schemadef.allow_user_details(db, 'User', 'Edit')
# the following is further checked in an auditor:
db.security.addPermissionToRole('User', 'Create', 'time_wp')
# editing of roles:
for r in "HR", :
db.security.addPermissionToRole(r, 'Web Roles')
# oh, g'wan, let anonymous access the web interface too
# NOT really !!!
db.security.addPermissionToRole('Anonymous', 'Web Access')
# Purpose
# Specify the DB-Schema for legalclient
# Link this file to schema.py
#--
#
import sys, os
sys.path.insert(0, os.path.join(db.config.HOME, 'lib'))
from schemacfg import schemadef
# sub-schema definitins to include
# Note: order matters, core is always last.
schemas = \
( 'legalclient'
, 'core'
)
importer = schemadef.Importer(globals(), schemas)
del sys.path[0:1]
importer.update_security()
classes = [("user", ["User"], [])]
schemadef.register_class_permissions(db, classes, [])
schemadef.allow_user_details(db, 'User', 'Edit')
# oh, g'wan, let anonymous access the web interface too
# NOT really !!!
db.security.addPermissionToRole('Anonymous', 'Web Access')
def security (db, ** kw) :
roles = \
[ ("Dom-User-Edit-GTT", "Edit/Create users with specific AD domain")
, ("Dom-User-Edit-HR", "Edit users with specific AD domain")
, ("Dom-User-Edit-Office", "Edit users with specific AD domain")
, ("Dom-User-Edit-Facility", "Edit users with specific AD domain")
, ("IT", "IT-Department")
]
schemadef.register_roles (db, roles)
db.security.addPermissionToRole ('Dom-User-Edit-GTT', 'Create', 'user')
# Editable user fields for the Domain-User-Edit roles
user_props = \
[ 'contacts'
, 'csv_delimiter'
, 'entry_date'
, 'firstname'
, 'hide_message_files'
, 'job_description'
, 'lastname'
, 'lunch_duration'
, 'lunch_start'
, 'nickname'
, 'pictures'
, 'position_text'
, 'room'
, 'sex'
, 'status'
, 'subst_active'
, 'substitute'
, 'supervisor'
, 'timezone'
, 'tt_lines'
, 'vie_user'
]
user_props_hr = user_props + \
['clearance_by', 'roles', 'reduced_activity_list']
user_props_gtt = user_props + \
['username', 'sync_foreign_key', 'department_temp']
user_props_office = ['contacts', 'position_text', 'room']
user_props_facility = ['room']
role_perms = \
[ ("Dom-User-Edit-GTT", user_props_gtt)
, ("Dom-User-Edit-HR", user_props_hr)
, ("Dom-User-Edit-Office", user_props_office)
, ("Dom-User-Edit-Facility", user_props_facility)
]
classes = \
[ ( "domain_permission"
, ["IT"]
, ["IT"]
)
]
if 'contract_type' in db.classes :
classes.append \
( ( "contract_type"
, ["Dom-User-Edit-GTT", "Dom-User-Edit-HR"]
, []
)
)
if 'user_contact' in db.classes :
for role, x in role_perms [:3] :
classes.append \
( ( "user_contact"
, []
, [role]
)
)
db.security.addPermissionToRole (role, 'Create', 'user_contact')
prop_perms = []
schemadef.register_class_permissions (db, classes, prop_perms)
fixdoc = schemadef.security_doc_from_docstring
if 'user_dynamic' in db.classes :
def user_dynamic_dom (db, userid, itemid) :
""" May only view/edit records with the correct domain
"""
dyn = db.user_dynamic.getnode (itemid)
user = db.user.getnode (dyn.user)
return check_domain_permission (db, userid, user.ad_domain)
# end def user_dynamic_dom
for role in ("Dom-User-Edit-GTT", "Dom-User-Edit-HR") :
db.security.addPermissionToRole (role, 'Create', 'user_dynamic')
for perm in ('View', 'Edit') :
p = db.security.addPermission \
( name = perm
, klass = 'user_dynamic'
, check = user_dynamic_dom
, description = fixdoc (user_dynamic_dom.__doc__)
)
db.security.addPermissionToRole (role, p)
def domain_access_user (db, userid, itemid) :
""" Users may view/edit user records for ad_domain for which they
are in the domain_permission for the user.
"""
u = db.user.getnode (itemid)
return check_domain_permission (db, userid, u.ad_domain)
# end def domain_access_user
for role, props in role_perms :
for perm in 'Edit', 'View' :
p = db.security.addPermission \
( name = perm
, klass = 'user'
, check = domain_access_user
, description = fixdoc (domain_access_user.__doc__)
, properties = props
)
db.security.addPermissionToRole (role, p)
def domain_view_user_dynamic (db, userid, itemid) :
""" Users may view user_dynamic records for ad_domain for which
they are in the domain_permission for the user
"""
ud = db.user_dynamic.getnode (itemid)
u = db.user.getnode (ud.user)
return check_domain_permission (db, userid, u.ad_domain)
# end def domain_view_user_dynamic
p = db.security.addPermission \
( name = 'View'
, klass = 'user_dynamic'
, check = domain_view_user_dynamic
, description = fixdoc (domain_view_user_dynamic.__doc__)
)
db.security.addPermissionToRole ('Dom-User-Edit-GTT', p)
db.security.addPermissionToRole ('Dom-User-Edit-HR', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'user_dynamic'
)
db.security.addPermissionToRole ('Dom-User-Edit-GTT', p)
db.security.addPermissionToRole ('Dom-User-Edit-HR', p)
def security (db, ** kw) :
roles = \
[ ("Project", "Project Office")
, ("Project_View", "May view project data")
, ("Controlling", "Controlling")
, ("Procurement", "Purchasing/Procurement")
]
# classname
# allowed to view / edit
# For daily_record, time_record, additional restrictions apply
classes = \
[ ( "time_project_status"
, ["User"]
, ["Project"]
)
, ( "time_project"
, ["Project_View", "Project", "Controlling"]
, []
)
, ( "sap_cc"
, ["User"]
, []
)
]
prop_perms = \
[ ( "time_project", "Edit", ["Project"]
, ( "cost_center", "deputy", "description", "department", "name"
, "nosy", "organisation", "responsible", "status"
)
)
, ( "time_project", "Edit", ["Procurement"]
, ( "purchasing_agents"
, "deputy_gets_mail"
)
)
, ( "sap_cc", "Edit", ["Procurement"]
, ( "purchasing_agents"
, "deputy_gets_mail"
)
)
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
fixdoc = schemadef.security_doc_from_docstring
p = db.security.addPermission \
( name = 'View'
, klass = 'time_project'
, check = sum_common.time_project_viewable
, description = fixdoc (sum_common.time_project_viewable.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'View'
, klass = 'time_project'
)
db.security.addPermissionToRole ('Procurement', p)
p = db.security.addPermission \
( name = 'View'
, klass = 'sap_cc'
)
db.security.addPermissionToRole ('Procurement', p)
db.security.addPermissionToRole ('Project', 'Create', 'time_project')
def security(db, **kw):
# classname allowed to view / edit
classes = [("legalclient", ["User"], ["User"])]
schemadef.register_class_permissions(db, classes, [])
def security (db, ** kw) :
user_roles = ["HR", "Office"]
if 'it' in db.security.role :
user_roles.append ("IT")
classes = \
( ("uc_type", ("User",), ("HR", "Office"))
, ("user_contact", ("HR", "Office"), ())
)
prop_perms = \
[ ( "user", "View", ["User", "HR", "Office"]
, ("contacts",)
)
]
if 'it' in db.security.role :
p = db.security.addPermission \
( name = 'Create'
, klass = 'user_contact'
, description = 'Create'
)
db.security.addPermissionToRole ('IT', p)
schemadef.register_class_permissions (db, classes, prop_perms)
p = db.security.addPermission \
( name = 'Search'
, klass = 'user_contact'
, description = 'Search'
)
db.security.addPermissionToRole ('User', p)
def contact_visible (db, userid, itemid) :
"""User is allowed to view contact if he's the owner of the contact
or the contact is marked visible
"""
if not itemid or itemid < 1 :
return False
c = db.user_contact.getnode (itemid)
if userid == c.user :
return True
return c.visible
# end def contact_visible
def contact_visible_editable (db, userid, itemid) :
"""User is allowed to edit if he's the owner of the contact
"""
if not itemid or itemid < 1 :
return False
c = db.user_contact.getnode (itemid)
if userid == c.user :
return True
return False
# end def contact_visible_editable
fixdoc = schemadef.security_doc_from_docstring
p = db.security.addPermission \
( name = 'View'
, klass = 'user_contact'
, check = contact_visible
, description = fixdoc (contact_visible.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'user_contact'
, check = contact_visible_editable
, description = fixdoc (contact_visible_editable.__doc__)
, properties = ('visible',)
)
db.security.addPermissionToRole ('User', p)
