def remove_community_member(community, membership, **kwargs):
    """Revoke the departing member's managed local roles on the community folder.

    Only roles listed in ``VALID_ROLES`` are revoked, so roles granted by
    other means are left untouched.  The folder is reindexed afterwards.
    No-op when the community has no folder.

    Args:
        community: community the member is leaving; its ``folder`` is edited.
        membership: membership record; ``membership.user`` is the principal.
        **kwargs: extra signal arguments, ignored.
    """
    folder = community.folder
    if not folder:
        return
    principal = membership.user
    held = set(security.get_roles(principal, folder, no_group_roles=True))
    # Intersect with VALID_ROLES so we never remove roles not managed by us.
    for managed_role in held.intersection(VALID_ROLES):
        security.ungrant_role(principal, managed_role, folder)
    reindex_tree(folder)
def new_community_member(community, membership, is_new, **kwargs):
    """Align a member's local role on the community folder with the membership.

    A ``Manager`` membership gets the ``Manager`` role; any other membership
    gets ``Writer`` when the community type is ``"participative"`` and
    ``Reader`` otherwise.  Every other managed role (one in ``VALID_ROLES``)
    the user currently holds on the folder is revoked first, and the wanted
    role is granted only if not already held.  No-op without a folder.

    Args:
        community: community joined or updated; its ``folder`` is edited.
        membership: membership record giving ``role`` and ``user``.
        is_new: signal argument, accepted for signature compatibility; unused.
        **kwargs: extra signal arguments, ignored.
    """
    folder = community.folder
    if not folder:
        return
    principal = membership.user
    if membership.role == Manager:
        wanted = Manager
    elif community.type == "participative":
        wanted = Writer
    else:
        wanted = Reader
    # Restrict to VALID_ROLES so we never revoke roles not managed by us.
    held = set(
        security.get_roles(principal, folder, no_group_roles=True)
    ).intersection(VALID_ROLES)
    for stale_role in held - {wanted}:
        security.ungrant_role(principal, stale_role, folder)
    if wanted not in held:
        security.grant_role(principal, wanted, folder)
    reindex_tree(folder)
def new_community_member(community, membership, is_new, **kwargs):
    """Give a (new or updated) member the local role matching its membership.

    Managers receive ``Manager``; everyone else receives ``Writer`` on a
    ``"participative"`` community and ``Reader`` elsewhere.  Other managed
    roles (those in ``VALID_ROLES``) already held by the user on the folder
    are revoked, the wanted role is granted if missing, and the folder tree
    is reindexed.  Nothing happens when the community has no folder.

    Args:
        community: community whose ``folder`` carries the local roles.
        membership: membership record (``role`` and ``user`` are read).
        is_new: signal argument kept for signature compatibility; unused.
        **kwargs: extra signal arguments, ignored.
    """
    folder = community.folder
    if not folder:
        return
    user = membership.user
    default_role = Writer if community.type == "participative" else Reader
    target_role = Manager if membership.role == Manager else default_role
    # Only roles managed by us (VALID_ROLES) are ever revoked here.
    present = {
        r
        for r in security.get_roles(user, folder, no_group_roles=True)
        if r in VALID_ROLES
    }
    stale = present.difference({target_role})
    for r in stale:
        security.ungrant_role(user, r, folder)
    if target_role not in present:
        security.grant_role(user, target_role, folder)
    reindex_tree(folder)
def permissions_update(folder_id):
    """Apply one edit posted from the folder permissions page, then redirect.

    ``request.form["action"]`` selects the edit: toggling security inheritance,
    granting a role to a user or group, or (when the action is absent/unknown)
    revoking a role whose button is posted as
    ``<delete-user-role | delete-group-role> = "<role>:<id>"``.
    ``check_manage_access`` is the authorization gate for every branch; the
    in-branch checks only keep a manager from locking themselves out.

    Args:
        folder_id: id of the folder whose local roles are edited.

    Returns:
        A redirect to the ``.permissions`` view for the folder.

    Raises:
        Whatever ``check_manage_access`` raises for a non-manager.
    """
    folder = repository.get_folder_by_id(folder_id)
    # Authorization gate for everything below.
    check_manage_access(folder)
    has_permission = security.has_permission
    action = request.form.get("action")
    if action in ("activate_inheritance", "deactivate_inheritance"):
        inherit_security = (action == "activate_inheritance")
        # Deactivating inheritance drops any inherited "manager" role, so a
        # *local* one is required first: don't let user shoot himself in the foot
        if not (inherit_security or
                has_permission(g.user, 'manage', folder, inherit=False)):
            flash(
                _('You must have the "manager" local role on this folder in '
                  'order to deactivate inheritance.'),
                'error')
            return redirect(
                url_for(".permissions", folder_id=folder_id,
                        community_id=folder.community.slug))
        security.set_inherit_security(folder, inherit_security)
        db.session.add(folder)
        reindex_tree(folder)
        db.session.commit()
        return redirect(
            url_for(".permissions", folder_id=folder_id,
                    community_id=folder.community.slug))
    elif action == "add-user-role":
        # NOTE(review): ``role`` and ``user`` come straight from the form and
        # are not validated here: ``.get("role")`` is None when the field is
        # absent (AttributeError on ``.lower()``), ``int()`` raises on a
        # non-numeric id, and ``User.query.get`` may return None which is then
        # handed to grant_role.  Nothing restricts ``role`` to the roles the
        # form offers — confirm security.grant_role rejects unknown names, or
        # validate against the allowed-role set before granting.
        role = request.form.get("role").lower()
        user_id = int(request.form.get("user"))
        user = User.query.get(user_id)
        security.grant_role(user, role, folder)
        reindex_tree(folder)
        db.session.commit()
        return redirect(
            url_for(".permissions", folder_id=folder_id,
                    community_id=folder.community.slug))
    elif action == "add-group-role":
        # Same caveats as the add-user-role branch above (unvalidated role and
        # id, possibly-None group).
        role = request.form.get("role").lower()
        group_id = int(request.form.get("group"))
        group = Group.query.get(group_id)
        security.grant_role(group, role, folder)
        reindex_tree(folder)
        db.session.commit()
        return redirect(
            url_for(".permissions", folder_id=folder_id,
                    community_id=folder.community.slug))
    else:
        # The remaining actions are posted as a button named after the action
        # whose value is "<role>:<id>"; the first form field is taken as that
        # button.  NOTE(review): ``items()[0]`` requires a list-returning
        # ``items()`` (Python 2-era MultiDict); on Python 3 it is not
        # subscriptable — confirm the target runtime.  A value without ":"
        # or with a non-numeric id raises ValueError here.
        action, args = request.form.items()[0]
        role, object_id = args.split(":")
        role = role.lower()
        object_id = int(object_id)
        if action == 'delete-user-role':
            # NOTE(review): may be None for an unknown id; ``user.name`` below
            # would then raise.
            user = User.query.get(object_id)
            # remove role in a subtransaction, to prevent manager shoot himself in the
            # foot
            transaction = db.session.begin_nested()
            security.ungrant_role(user, role, folder)
            # Only guard self-removal: after the ungrant, the current user must
            # still be a manager through inheritance or group membership.
            if (user == g.user and role == 'manager' and not has_permission(
                    g.user, 'manage', folder, inherit=True)):
                transaction.rollback()
                flash(
                    _('Cannot remove "manager" local role for yourself: you '
                      'don\'t have "manager" role (either by security inheritance '
                      'or by group membership)'), 'error')
            else:
                reindex_tree(folder)
                transaction.commit()
                flash(
                    _("Role {role} for user {user} removed on folder {folder}"
                      ).format(role=role, user=user.name, folder=folder.name),
                    "success")
        elif action == 'delete-group-role':
            # NOTE(review): may be None for an unknown id; ``group.name`` below
            # would then raise.
            group = Group.query.get(object_id)
            # remove role in a subtransaction, to prevent manager shoot himself in the
            # foot
            transaction = db.session.begin_nested()
            security.ungrant_role(group, role, folder)
            # Guard applies to any group's "manager" role, not only groups the
            # current user belongs to: the user must still manage the folder
            # after the ungrant.
            if (role == 'manager' and not has_permission(
                    g.user, 'manage', folder, inherit=True)):
                transaction.rollback()
                flash(
                    _('Cannot remove "manager" local role for group "{group}": you'
                      ' don\'t have "manager" role by security inheritance or by '
                      'local role').format(group=group.name), 'error')
            else:
                flash(
                    _("Role {role} for group {group} removed on folder {folder}"
                      ).format(role=role, group=group.name, folder=folder.name),
                    "success")
                reindex_tree(folder)
                transaction.commit()
        # Outer commit runs even after a nested rollback (nothing to persist
        # then) and for an unrecognized delete action.
        db.session.commit()
        return redirect(
            url_for(".permissions", folder_id=folder_id,
                    community_id=folder.community.slug))
def ungrant_all_roles_on_folder(self):
    """Revoke every role assignment on this object's folder, if it has one.

    Each ``(principal, role)`` pair returned by
    ``security.get_role_assignements`` is ungranted on the folder.  Nothing
    happens when ``self.folder`` is falsy.
    """
    folder = self.folder
    if not folder:
        return
    for principal, role in security.get_role_assignements(folder):
        security.ungrant_role(principal, role, folder)
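def permissions_update(folder_id):
    """Apply one edit from the folder permissions form and redirect back.

    ``request.form["action"]`` selects the edit:

    * ``activate_inheritance`` / ``deactivate_inheritance`` toggle security
      inheritance on the folder;
    * ``add-user-role`` / ``add-group-role`` grant the ``role`` field to the
      user / group whose id is in the ``user`` / ``group`` field;
    * otherwise the first form field is read as a button
      ``<delete-user-role | delete-group-role> = "<role>:<id>"`` and that
      role is revoked from the user / group.

    ``check_manage_access`` is the authorization gate for every branch; the
    per-branch checks only stop a manager from locking themselves out.
    Malformed input (missing or non-numeric ids, unknown principals, a
    missing role, an unparsable delete button) is reported with a flashed
    error instead of raising, and no role change is made in that case.

    Args:
        folder_id: id of the folder whose local roles are edited.

    Returns:
        A redirect to the ``.permissions`` view of the folder.

    Raises:
        Whatever ``check_manage_access`` raises for a non-manager.
    """
    folder = repository.get_folder_by_id(folder_id)
    # Authorization gate for everything below.
    check_manage_access(folder)
    form = request.form
    action = form.get("action")

    if action in ("activate_inheritance", "deactivate_inheritance"):
        inherit_security = action == "activate_inheritance"
        # Deactivating inheritance drops any inherited "manager" role, so a
        # *local* one is required first: don't let user shoot himself in the
        # foot.
        if not (
            inherit_security
            or security.has_permission(current_user, "manage", folder, inherit=False)
        ):
            flash(
                _(
                    'You must have the "manager" local role on this folder in '
                    "order to deactivate inheritance."
                ),
                "error",
            )
            return _redirect_to_permissions(folder_id, folder)
        security.set_inherit_security(folder, inherit_security)
        db.session.add(folder)
        reindex_tree(folder)
        db.session.commit()
        return _redirect_to_permissions(folder_id, folder)

    if action in ("add-user-role", "add-group-role"):
        role = (form.get("role") or "").lower()
        if action == "add-user-role":
            principal = _principal_from_form(User, form.get("user"))
        else:
            principal = _principal_from_form(Group, form.get("group"))
        # NOTE(review): ``role`` is whatever the client posted; nothing here
        # restricts it to the roles the form offers.  Confirm that
        # security.grant_role rejects unknown role names, or validate against
        # the application's allowed-role set before granting.
        if not role or principal is None:
            flash(_("Invalid role or principal."), "error")
            return _redirect_to_permissions(folder_id, folder)
        security.grant_role(principal, role, folder)
        reindex_tree(folder)
        db.session.commit()
        return _redirect_to_permissions(folder_id, folder)

    # Role removal is posted as a button named after the action whose value is
    # "<role>:<principal id>"; the first form field is taken as that button.
    # next(iter(...)) works for both list- and iterator-returning items().
    try:
        action, args = next(iter(form.items()))
        role, raw_id = args.split(":")
    except (StopIteration, ValueError):
        flash(_("Invalid request."), "error")
        return _redirect_to_permissions(folder_id, folder)
    role = role.lower()
    if action == "delete-user-role":
        _delete_user_role(folder, role, raw_id)
    elif action == "delete-group-role":
        _delete_group_role(folder, role, raw_id)
    # Outer commit runs even after a nested rollback (nothing to persist then)
    # and for an unrecognized delete action, as before.
    db.session.commit()
    return _redirect_to_permissions(folder_id, folder)


def _redirect_to_permissions(folder_id, folder):
    """Redirect back to the permissions page of ``folder``."""
    return redirect(
        url_for(
            ".permissions", folder_id=folder_id, community_id=folder.community.slug
        )
    )


def _principal_from_form(model, raw_id):
    """Load the ``model`` row (User or Group) whose id was posted as ``raw_id``.

    Returns ``None`` when the value is missing, not an integer, or matches no
    row, so callers can reject the request instead of raising.
    """
    try:
        object_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    return model.query.get(object_id)


def _delete_user_role(folder, role, raw_id):
    """Revoke ``role`` from the user with id ``raw_id`` on ``folder``.

    The ungrant runs in a nested transaction so it can be rolled back when the
    current user would strip their own last "manager" role.  Flashes the
    outcome; the caller commits the outer session.
    """
    user = _principal_from_form(User, raw_id)
    if user is None:
        flash(_("Unknown user."), "error")
        return
    # remove role in a subtransaction, to prevent manager shoot himself in the
    # foot
    transaction = db.session.begin_nested()
    security.ungrant_role(user, role, folder)
    # Only self-removal is guarded: after the ungrant the current user must
    # still manage the folder through inheritance or group membership.
    if (
        user == current_user
        and role == "manager"
        and not security.has_permission(current_user, "manage", folder, inherit=True)
    ):
        transaction.rollback()
        flash(
            _(
                'Cannot remove "manager" local role for yourself: you '
                'don\'t have "manager" role (either by security inheritance '
                "or by group membership)"
            ),
            "error",
        )
    else:
        reindex_tree(folder)
        transaction.commit()
        flash(
            _("Role {role} for user {user} removed on folder {folder}").format(
                role=role, user=user.name, folder=folder.name
            ),
            "success",
        )


def _delete_group_role(folder, role, raw_id):
    """Revoke ``role`` from the group with id ``raw_id`` on ``folder``.

    The guard applies to any group's "manager" role, not only groups the
    current user belongs to: the user must still manage the folder after the
    ungrant, otherwise the nested transaction is rolled back.  Flashes the
    outcome; the caller commits the outer session.
    """
    group = _principal_from_form(Group, raw_id)
    if group is None:
        flash(_("Unknown group."), "error")
        return
    # remove role in a subtransaction, to prevent manager shoot himself in the
    # foot
    transaction = db.session.begin_nested()
    security.ungrant_role(group, role, folder)
    if role == "manager" and not security.has_permission(
        current_user, "manage", folder, inherit=True
    ):
        transaction.rollback()
        flash(
            _(
                'Cannot remove "manager" local role for group "{group}": you'
                ' don\'t have "manager" role by security inheritance or by '
                "local role"
            ).format(group=group.name),
            "error",
        )
    else:
        flash(
            _(
                "Role {role} for group {group} removed on folder {folder}"
            ).format(role=role, group=group.name, folder=folder.name),
            "success",
        )
        reindex_tree(folder)
        transaction.commit()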