def get_subordinate_groups(user, site):
    """
    Return the queryset of Groups that are subordinate to ``user`` on ``site``.

    Group counterpart of get_subordinate_users. Three cases:

    * ``user`` has no global or page permissions (NoPermissionsException):
      only groups created by ``user`` whose page permission record has no
      page attached.
    * ``user`` is at ROOT_USER_LEVEL: every Group.
    * otherwise: groups holding a page permission on a page whose id is
      returned by ``get_change_permissions_id_list(user, site,
      check_global=False)`` and whose depth is >= the user's level, plus
      the groups from the first case.

    NOTE(review): groups that ``user`` is a member of are not filtered out
    of this result; confirm that is intended.
    """
    # Imported at call time, as in the original (presumably to avoid a
    # circular import -- confirm).
    from cms.utils.page_permissions import get_change_permissions_id_list

    # Groups created by this user that are not bound to any page.
    created_unattached = (
        Q(pageusergroup__created_by=user)
        & Q(pagepermission__page__isnull=True)
    )

    try:
        level = get_user_permission_level(user, site)
    except NoPermissionsException:
        # No permissions means an empty page allow-list, so only the
        # user's own unattached groups can match.
        return Group.objects.filter(created_unattached).distinct()

    if level == ROOT_USER_LEVEL:
        return Group.objects.all()

    allowed_page_ids = get_change_permissions_id_list(user, site, check_global=False)
    on_subordinate_page = (
        Q(pagepermission__page__id__in=allowed_page_ids)
        & Q(pagepermission__page__depth__gte=level)
    )
    return Group.objects.distinct().filter(on_subordinate_page | created_unattached)
def get_subordinate_users(user, site):
    """
    Return the queryset of users that are subordinate to ``user`` on ``site``.

    The result covers users holding page permissions at the same or a lower
    level than ``user``, plus users created by ``user`` that are not
    assigned to any page (they are kept so that they do not get lost and
    stay visible to their creator). A user with global permissions or a
    superuser (ROOT_USER_LEVEL) sees every user.

    According to the original docstring this is used by
    PagePermissionInlineAdminForm to limit the users offered in the
    permission combobox.

    Example (principals per page node):

    * level 0: A, W
    * level 1: ``user`` on one branch; B, GroupE on the other
    * level 2, below ``user``: C, X on one page; D, Y, W on another
    * Z was created by ``user`` but is not assigned to any page

    W was created by ``user`` but is also assigned at a higher level, and
    the original docstring leaves W out of the result, which it gives as
    [user, C, X, D, Y, Z].
    NOTE(review): the queries below exclude ``user.pk`` and every user
    sharing a group with ``user``, so ``user`` itself is not returned.
    """
    # Imported at call time, as in the original (presumably to avoid a
    # circular import -- confirm).
    from cms.utils.page_permissions import get_change_permissions_id_list

    def _without_self(candidates):
        # Drop the requesting user and anyone in a group containing them.
        return candidates.exclude(pk=user.pk).exclude(groups__user__pk=user.pk)

    # Users created by this user that are not bound to any page.
    created_unattached = (
        Q(pageuser__created_by=user)
        & Q(pagepermission__page=None)
    )

    try:
        level = get_user_permission_level(user, site)
    except NoPermissionsException:
        # No global or page permissions: only staff users created by this
        # user whose page permission record has no page attached.
        fallback = get_user_model().objects.distinct().filter(
            Q(is_staff=True) & created_unattached
        )
        return _without_self(fallback)

    if level == ROOT_USER_LEVEL:
        return get_user_model().objects.all()

    allowed_page_ids = get_change_permissions_id_list(user, site, check_global=False)
    on_subordinate_page = (
        Q(pagepermission__page__id__in=allowed_page_ids)
        & Q(pagepermission__page__depth__gte=level)
    )
    # ``&`` binds tighter than ``|``, so in the original expression
    # is_staff constrains only the page-based branch; the parentheses here
    # make that grouping explicit without changing it.
    # NOTE(review): the no-permission fallback above requires is_staff for
    # created users, this branch does not -- confirm which is intended.
    scope = (Q(is_staff=True) & on_subordinate_page) | created_unattached
    return _without_self(get_user_model().objects.distinct().filter(scope))
def subordinate_to_user(self, user, site):
    """Return the page permission objects that ``user`` may manage on ``site``.

    A permission object qualifies when its user/group sits lower in the
    page hierarchy than ``user`` and ``user`` can change permissions there.

    IMPORTANT: objects targeting ``user``, or any group containing
    ``user``, are excluded. A user must not edit their own permissions:
    after removing a permission from themselves they could not add it back.

    Examples from the original docstring (principals per page node):

    * A at the root; ``user`` and B, E one level down; C, X and D, Y below
      ``user``: permission nodes C, X, D, Y are returned.
    * A, Y at the root; ``user`` and B, E, X one level down; C, X and D, Y
      below ``user``: only C and D are described as editable, because X
      and Y also sit at the same level or higher.
    * ``user`` assigned to several page nodes: the results for all of them
      are merged (C, X, D, Y, I, J, but not A, which is higher up).

    The original docstring also states that a permission object holding a
    group is visible only if every group member is lower in the hierarchy.
    NOTE(review): the query below only drops groups that contain ``user``;
    no per-member level check is visible here -- confirm where that rule
    is enforced.

    A superuser, or a user with global can_change_permission, gets every
    object. The result is used in the admin for the page permissions
    inline.
    """
    from cms.utils.permissions import get_user_permission_level
    from cms.utils.page_permissions import get_change_permissions_id_list

    try:
        level = get_user_permission_level(user, site)
    except NoPermissionsException:
        # No global or page permissions at all: nothing is manageable.
        return self.none()

    if level == ROOT_USER_LEVEL:
        return self.all()

    allowed_page_ids = get_change_permissions_id_list(user, site, check_global=False)
    # Restrict to allow-listed pages at the user's depth or deeper, then
    # remove records targeting the user or a group the user belongs to.
    return (
        self.filter(
            page__id__in=allowed_page_ids,
            page__node__depth__gte=level,
        )
        .exclude(user=user)
        .exclude(group__user=user)
    )
def subordinate_to_user(self, user, site):
    """Return the page permission objects that ``user`` may manage on ``site``.

    A permission object qualifies when its user/group sits lower in the
    page hierarchy than ``user`` and ``user`` can change permissions there.

    IMPORTANT: objects targeting ``user``, or any group containing
    ``user``, are excluded. A user must not edit their own permissions:
    after removing a permission from themselves they could not add it back.

    Examples from the original docstring (principals per page node):

    * A at the root; ``user`` and B, E one level down; C, X and D, Y below
      ``user``: permission nodes C, X, D, Y are returned.
    * A, Y at the root; ``user`` and B, E, X one level down; C, X and D, Y
      below ``user``: only C and D are described as editable, because X
      and Y also sit at the same level or higher.
    * ``user`` assigned to several page nodes: the results for all of them
      are merged (C, X, D, Y, I, J, but not A, which is higher up).

    The original docstring also states that a permission object holding a
    group is visible only if every group member is lower in the hierarchy.
    NOTE(review): the query below only drops groups that contain ``user``;
    no per-member level check is visible here -- confirm where that rule
    is enforced.

    A superuser, or a user with global can_change_permission, gets every
    object. The result is used in the admin for the page permissions
    inline.
    """
    from cms.utils.permissions import get_user_permission_level
    from cms.utils.page_permissions import get_change_permissions_id_list

    try:
        level = get_user_permission_level(user, site)
    except NoPermissionsException:
        # No global or page permissions at all: nothing is manageable.
        return self.none()

    if level == ROOT_USER_LEVEL:
        return self.all()

    allowed_page_ids = get_change_permissions_id_list(user, site, check_global=False)
    # Restrict to allow-listed pages at the user's depth or deeper, then
    # remove records targeting the user or a group the user belongs to.
    return (
        self.filter(page__id__in=allowed_page_ids, page__depth__gte=level)
        .exclude(user=user)
        .exclude(group__user=user)
    )