def test_copy_permissions_to_batches_unhydrated_project(self): # Verify that Project.copy_permissions_to_batches() works with # a Project model instance that is only "hydrated" with the # 'id' field. Behavior related to this Issue: # # https://github.com/hltcoe/turkle/issues/136 project = Project.objects.create( custom_permissions=True, login_required=True, ) group = Group.objects.create(name='testgroup') assign_perm('can_work_on', group, project) batch = Batch.objects.create( custom_permissions=False, login_required=False, project=project, ) self.assertFalse('can_work_on_batch' in get_group_perms(group, batch)) unhydrated_project = Project.objects.only('id', 'custom_permissions', 'login_required')\ .get(id=project.id) unhydrated_project.copy_permissions_to_batches() batch.refresh_from_db() self.assertTrue(batch.custom_permissions) self.assertTrue(batch.login_required) self.assertTrue('can_work_on_batch' in get_group_perms(group, batch))
def test_direct_perms_only(self): admin = User.objects.create(username='******', is_superuser=True) self.user1.groups.add(self.group1) self.user2.groups.add(self.group1) assign_perm("change_contenttype", self.user1, self.obj1) assign_perm("delete_contenttype", admin, self.obj1) assign_perm("delete_contenttype", self.group1, self.obj1) expected = set([self.user1, self.user2, admin]) result = get_users_with_perms(self.obj1, with_superusers=False, with_group_users=True) self.assertEqual(set(result), expected) self.assertEqual(set(get_user_perms(self.user1, self.obj1)), set(['change_contenttype'])) self.assertEqual(set(get_user_perms(self.user2, self.obj1)), set([])) self.assertEqual(set(get_user_perms(admin, self.obj1)), set(['delete_contenttype'])) result = get_users_with_perms(self.obj1, with_superusers=False, with_group_users=False) expected = set([self.user1, admin]) self.assertEqual(set(result), expected) self.assertEqual(set(get_group_perms(self.user1, self.obj1)), set(['delete_contenttype'])) self.assertEqual(set(get_group_perms(self.user2, self.obj1)), set(['delete_contenttype'])) self.assertEqual(set(get_group_perms(self.group1, self.obj1)), set(['delete_contenttype'])) self.assertEqual(set(get_group_perms(self.group2, self.obj1)), set([])) self.assertEqual(set(get_group_perms(admin, self.obj1)), set([])) self.assertEqual(set(get_perms(admin, self.obj1)), set(['add_contenttype', 'change_contenttype', 'delete_contenttype'])) self.assertEqual(set(get_perms(self.user1, self.obj1)), set(['change_contenttype', 'delete_contenttype'])) self.assertEqual(set(get_perms(self.user2, self.obj1)), set(['delete_contenttype'])) self.assertEqual(set(get_perms(self.group1, self.obj1)), set(['delete_contenttype'])) self.assertEqual(set(get_perms(self.group2, self.obj1)), set([]))
def get(self, request): nodegroup_ids = JSONDeserializer().deserialize( request.GET.get('nodegroupIds')) identityId = request.GET.get('identityId') identityType = request.GET.get('identityType') ret = [] if identityType == 'group': identity = Group.objects.get(pk=identityId) for nodegroup_id in nodegroup_ids: nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id) perms = [{ 'codename': codename, 'name': self.get_perm_name(codename).name } for codename in get_group_perms(identity, nodegroup)] ret.append({'perms': perms, 'nodegroup_id': nodegroup_id}) else: identity = User.objects.get(pk=identityId) for nodegroup_id in nodegroup_ids: nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id) perms = [{ 'codename': codename, 'name': self.get_perm_name(codename).name } for codename in get_user_perms(identity, nodegroup)] # only get the group perms ("defaults") if no user defined object settings have been saved if len(perms) == 0: perms = [{ 'codename': codename, 'name': self.get_perm_name(codename).name } for codename in set(get_group_perms(identity, nodegroup)) ] ret.append({'perms': perms, 'nodegroup_id': nodegroup_id}) return JSONResponse(ret)
def update__permissions_read(sender, instance, action, **kwargs): if instance.read_groups.all(): if action == 'pre_remove': for group in instance.read_groups.all(): if 'view_expressionstudy' in get_group_perms(group, instance): remove_perm('view_expressionstudy', group, instance) if action == 'post_add': for group in instance.read_groups.all(): if 'view_project' not in get_group_perms(group, instance): assign_perm('view_expressionstudy', group, instance)
def update__permissions_write(sender, instance, action, **kwargs): if instance.edit_groups.all(): if action == 'pre_remove': for group in instance.edit_groups.all(): if 'change_project' in get_group_perms(group, instance): remove_perm('change_expressionstudy', group, instance) if action == 'post_add': for group in instance.edit_groups.all(): if 'change_expressionstudy' not in get_group_perms(group, instance): assign_perm('change_expressionstudy', group, instance)
def perform_create(self, serializer): task_template = serializer.validated_data['template'] if ('view_tasktemplate' in get_group_perms(self.request.user, task_template) or self.request.user.groups.filter(name='admin').exists()): if ('change_tasktemplate' in get_group_perms(self.request.user, task_template) or self.request.user.groups.filter(name='admin').exists()): instance = serializer.save() self.clone_group_permissions(instance.template, instance) else: raise PermissionDenied('You do not have permission to create this') else: raise NotFound()
def test_algorithm_groups_permissions_are_assigned(): alg = AlgorithmFactory() editors_perms = get_group_perms(alg.editors_group, alg) assert "view_algorithm" in editors_perms assert "change_algorithm" in editors_perms assert "execute_algorithm" in editors_perms users_perms = get_group_perms(alg.users_group, alg) assert "view_algorithm" in users_perms assert "change_algorithm" not in users_perms assert "execute_algorithm" in users_perms
def get(self, request): if self.action == 'get_permission_manager_data': identities = [] for group in Group.objects.all(): identities.append({ 'name': group.name, 'type': 'group', 'id': group.pk, 'default_permissions': group.permissions.all() }) for user in User.objects.filter(is_superuser=False): groups = [] default_perms = [] for group in user.groups.all(): groups.append(group.name) default_perms = default_perms + list(group.permissions.all()) identities.append({'name': user.email or user.username, 'groups': ', '.join(groups), 'type': 'user', 'id': user.pk, 'default_permissions': set(default_perms)}) content_type = ContentType.objects.get_for_model(models.NodeGroup) nodegroup_permissions = Permission.objects.filter(content_type=content_type) ret = {'identities': identities, 'permissions': nodegroup_permissions} return JSONResponse(ret) nodegroup_ids = JSONDeserializer().deserialize(request.GET.get('nodegroupIds')) identityId = request.GET.get('identityId') identityType = request.GET.get('identityType') ret = [] if identityType == 'group': identity = Group.objects.get(pk=identityId) for nodegroup_id in nodegroup_ids: nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id) perms = [{'codename': codename, 'name': self.get_perm_name( codename).name} for codename in get_group_perms(identity, nodegroup)] ret.append({'perms': perms, 'nodegroup_id': nodegroup_id}) else: identity = User.objects.get(pk=identityId) for nodegroup_id in nodegroup_ids: nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id) perms = [{'codename': codename, 'name': self.get_perm_name( codename).name} for codename in get_user_perms(identity, nodegroup)] # only get the group perms ("defaults") if no user defined object settings have been saved if len(perms) == 0: perms = [{'codename': codename, 'name': self.get_perm_name( codename).name} for codename in set(get_group_perms(identity, nodegroup))] ret.append({'perms': perms, 'nodegroup_id': nodegroup_id}) return JSONResponse(ret)
def test_assign_permissions(times, user, service): available_permissions = [item[0] for item in Service._meta.permissions] # assign_permissions expects a Group and a Service exist with the same name. group = GroupFactory(name=service.name) user.groups.add(group) for permission in available_permissions: assert not user.has_perm(permission, service) assert permission not in get_group_perms(group, service) for i in range(times): assign_permissions([group]) for permission in available_permissions: assert user.has_perm(permission, service) assert permission in get_group_perms(group, service)
def test_group_create_with_permissions(self, django_app, groups, manager): response = django_app.get(reverse("core:group_add"), user=manager) form = response.form group_name = "Testgroup" form["name"] = group_name form["users"].force_value([manager.id]) form["can_view_past_event"] = True form["is_planning_group"] = True form["publish_event_for_group"].select_multiple(texts=["Volunteers"]) form["is_hr_group"] = True form["is_management_group"] = True response = form.submit() assert response.status_code == 302 group = Group.objects.get(name=group_name) assert set(group.user_set.all()) == {manager} assert group.permissions.filter(codename="view_past_event").exists() assert group.permissions.filter(codename="add_event").exists() assert "publish_event_for_group" in get_group_perms( group, Group.objects.get(name="Volunteers")) assert group.permissions.filter(codename="add_userprofile").exists() assert group.permissions.filter(codename="change_userprofile").exists() assert group.permissions.filter(codename="delete_userprofile").exists() assert group.permissions.filter(codename="view_userprofile").exists() assert group.permissions.filter(codename="add_group").exists() assert group.permissions.filter(codename="change_group").exists() assert group.permissions.filter(codename="delete_group").exists() assert group.permissions.filter(codename="view_group").exists()
def get_user_permissions(self, nodegroup=None): """ get's a list of object level permissions allowed for a all users returns an object of the form: .. code-block:: python { 'local': {'codename': permssion codename, 'name': permission name} # A list of object level permissions 'default': {'codename': permssion codename, 'name': permission name} # A list of group based object level permissions or model level permissions } Keyword Arguments: nodegroup -- the NodeGroup object instance to use to check for permissions on that particular object """ ret = [] for user in User.objects.all(): perms = { 'local': [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in get_user_perms(user, nodegroup)], 'default': set() } for group in user.groups.all(): codenames = set(get_group_perms(group, nodegroup)) if len(codenames) == 0: codenames = set([item.codename for item in group.permissions.all()]) perms['default'].update(codenames) perms['default'] = [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in perms['default']] if len(perms['default']) > 0: ret.append({'username': user.email or user.username, 'email': user.email, 'perms': perms, 'type': 'user', 'id': user.pk}) return ret
def obj_perms_manage_group_view(self, request, object_pk, group_id): """ Manages selected groups' permissions for current object. """ if not self.has_change_permission(request, None): post_url = reverse('admin:index', current_app=self.admin_site.name) return redirect(post_url) group = get_object_or_404(Group, id=group_id) obj = get_object_or_404(self.get_queryset(request), pk=object_pk) form_class = self.get_obj_perms_manage_group_form(request) form = form_class(group, obj, request.POST or None) if request.method == 'POST' and form.is_valid(): form.save_obj_perms() msg = gettext("Permissions saved.") messages.success(request, msg) info = ( self.admin_site.name, self.model._meta.app_label, self.model._meta.model_name, ) url = reverse('%s:%s_%s_permissions_manage_group' % info, args=[obj.pk, group.id]) return redirect(url) context = self.get_obj_perms_base_context(request, obj) context['group_obj'] = group context['group_perms'] = get_group_perms(group, obj) context['form'] = form request.current_app = self.admin_site.name return render(request, self.get_obj_perms_manage_group_template(), context)
def get_permissions(self, user): # Overrides guardian mixin - doesn't return view_preprint perms, and # returns readable perms instead of literal perms if isinstance(user, AnonymousUser): return [] perms = ['read_preprint', 'write_preprint', 'admin_preprint'] user_perms = sorted(set(get_group_perms(user, self)).intersection(perms), key=perms.index) return [perm.split('_')[0] for perm in user_perms]
def get_permission_to_node(self, node): """ Returns the permission this OSF group has to the given node :param node: Node object """ perms = get_group_perms(self.member_group, node) return reduce_permissions(perms) if perms else None
def test_copy_project_permissions_no_custom_permissions(self): project = Project.objects.create( custom_permissions=False, login_required=False, ) group = Group.objects.create(name='testgroup') assign_perm('can_work_on', group, project) batch = Batch.objects.create( custom_permissions=True, login_required=True, project=project, ) self.assertFalse('can_work_on_batch' in get_group_perms(group, batch)) batch.copy_project_permissions() self.assertFalse(batch.custom_permissions) self.assertFalse(batch.login_required) self.assertFalse('can_work_on_batch' in get_group_perms(group, batch))
def get_perms(self, identity, type, obj, perms): if type == "user": identity_perms = get_user_perms(identity, obj) else: identity_perms = get_group_perms(identity, obj) res = [] for perm in identity_perms: res += list(filter(lambda x: (x["codename"] == perm), perms)) return res
def perform_create(self, serializer): # Ensure the user has the correct permissions on the Project # to add a product to it. project = serializer.validated_data['project'] if 'view_project' in get_group_perms(self.request.user, project): instance = serializer.save(created_by=self.request.user) self.clone_group_permissions(instance.project, instance) else: raise ValidationError('You do not have permission to create this')
def get(self, request): if self.action == "get_permission_manager_data": identities = [] for group in Group.objects.all(): identities.append({"name": group.name, "type": "group", "id": group.pk, "default_permissions": group.permissions.all()}) for user in User.objects.filter(is_superuser=False): groups = [] default_perms = [] for group in user.groups.all(): groups.append(group.name) default_perms = default_perms + list(group.permissions.all()) identities.append( { "name": user.email or user.username, "groups": ", ".join(groups), "type": "user", "id": user.pk, "default_permissions": set(default_perms), } ) content_type = ContentType.objects.get_for_model(models.NodeGroup) nodegroup_permissions = Permission.objects.filter(content_type=content_type) ret = {"identities": identities, "permissions": nodegroup_permissions} return JSONResponse(ret) nodegroup_ids = JSONDeserializer().deserialize(request.GET.get("nodegroupIds")) identityId = request.GET.get("identityId") identityType = request.GET.get("identityType") ret = [] if identityType == "group": identity = Group.objects.get(pk=identityId) for nodegroup_id in nodegroup_ids: nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id) perms = [ {"codename": codename, "name": self.get_perm_name(codename).name} for codename in get_group_perms(identity, nodegroup) ] ret.append({"perms": perms, "nodegroup_id": nodegroup_id}) else: identity = User.objects.get(pk=identityId) for nodegroup_id in nodegroup_ids: nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id) perms = [ {"codename": codename, "name": self.get_perm_name(codename).name} for codename in get_user_perms(identity, nodegroup) ] # only get the group perms ("defaults") if no user defined object settings have been saved if len(perms) == 0: perms = [ {"codename": codename, "name": self.get_perm_name(codename).name} for codename in set(get_group_perms(identity, nodegroup)) ] ret.append({"perms": perms, "nodegroup_id": nodegroup_id}) return JSONResponse(ret)
def perform_create(self, serializer): # Ensure that only workflows that the user has permissions # for are able to be used. # TODO: Check for permissions on product statuses? workflow = serializer.validated_data['workflow'] if 'view_workflow' in get_group_perms(self.request.user, workflow): instance = serializer.save(started_by=self.request.user) # Inherit workflow group permissions self.clone_group_permissions(instance.workflow, instance) else: raise ValidationError('You do not have permission to create this')
def perform_create(self, serializer): # Ensure the user has the correct permissions on the Project # to add a product to it. project = serializer.validated_data['project'] if ('change_project' in get_group_perms(self.request.user, project) or self.request.user.groups.filter(name='admin').exists()): instance = serializer.save(created_by=self.request.user) self.clone_group_permissions(instance.project, instance) else: raise ValidationError('You do not have permission to create this') plugins = [p(instance) for p in ProductPluginProvider.plugins] for p in plugins: p.create()
def test_copy_permissions_to_batches_no_custom_permissions(self): project = Project.objects.create( custom_permissions=False, login_required=False, ) group = Group.objects.create(name='testgroup') assign_perm('can_work_on', group, project) batch = Batch.objects.create( custom_permissions=True, login_required=True, project=project, ) self.assertFalse('can_work_on_batch' in get_group_perms(group, batch)) project.copy_permissions_to_batches() batch.refresh_from_db() self.assertFalse(batch.custom_permissions) self.assertFalse(batch.login_required) # Custom permissions are not copied from Project to Batch if # project.custom_permissions is False self.assertFalse('can_work_on_batch' in get_group_perms(group, batch))
def has_permission(self, user, permission): """Returns whether the user has the given permission to the OSFGroup :param user: Auth object :param role: member/manange permission :return Boolean """ if not user or user.is_anonymous: return False # Using get_group_perms to get permissions that are inferred through # group membership - not inherited from superuser status return '{}_{}'.format(permission, 'group') in get_group_perms(user, self)
def copy_project_permissions(self): """Copy 'permission' settings from associated Project to this Batch Copies: - `custom_permissions` flag - `login_required` flag - group-level access permissions """ self.custom_permissions = self.project.custom_permissions self.login_required = self.project.login_required if self.custom_permissions: for group in get_groups_with_perms(self.project): if 'can_work_on' in get_group_perms(group, self.project): assign_perm('can_work_on_batch', group, self)
def assign_tmpl_perms(request, perms, groups, tmpl_inst): user = request.user biz = tmpl_inst.business if user.has_perm('manage_business', biz): # 先删除所有有当前要授权权限的分组的权限 perm_groups = get_groups_with_perms(tmpl_inst) for group in perm_groups: perm_list = get_group_perms(group, tmpl_inst) for perm in perm_list: if perm in perms: remove_perm(perm, group, tmpl_inst) # 给当前有权限的分组授权 for perm, group in itertools.product(perms, groups): assign_perm(perm, group, tmpl_inst) else: return HttpResponseForbidden()
def get_user_permissions(self, nodegroup=None): """ get's a list of object level permissions allowed for a all users returns an object of the form: .. code-block:: python { 'local': {'codename': permssion codename, 'name': permission name} # A list of object level permissions 'default': {'codename': permssion codename, 'name': permission name} # A list of group based object level permissions or model level permissions } Keyword Arguments: nodegroup -- the NodeGroup object instance to use to check for permissions on that particular object """ ret = [] for user in User.objects.all(): perms = { 'local': [{ 'codename': codename, 'name': self.get_perm_name(codename).name } for codename in get_user_perms(user, nodegroup)], 'default': set() } for group in user.groups.all(): codenames = set(get_group_perms(group, nodegroup)) if len(codenames) == 0: codenames = set( [item.codename for item in group.permissions.all()]) perms['default'].update(codenames) perms['default'] = [{ 'codename': codename, 'name': self.get_perm_name(codename).name } for codename in perms['default']] if len(perms['default']) > 0: ret.append({ 'username': user.email or user.username, 'email': user.email, 'perms': perms, 'type': 'user', 'id': user.pk }) return ret
def copy_permissions_to_batches(self): """Copy permissions from this Project to all associated Batches Copies: - `custom_permissions` flag - `login_required` flag - group-level access permissions """ self.batch_set.update( custom_permissions=self.custom_permissions, login_required=self.login_required, ) if self.custom_permissions: for group in get_groups_with_perms(self): if 'can_work_on' in get_group_perms(group, self): batches = self.batch_set.all() GroupObjectPermission.objects.bulk_assign_perm( 'can_work_on_batch', group, batches)
def no_save_subscription_if_dont_have_permissions(sender, instance, **kwargs): """ Stop saving individual or group subscription if user or group don't have permissions to subscribe to the alarm :param sender: Subscription """ user = instance.user if instance.user else None group = instance.group if instance.group else None if user: if 'can_subscribe' not in get_user_perms(user, instance.alarm): raise ValidationError( "User don't have permissions to subscribe to this alarm") elif group: if 'can_subscribe' not in get_group_perms(group, instance.alarm): raise ValidationError( "Group don't have permissions to subscribe to this alarm") else: raise ValidationError("BAD REQUEST. Check your selections.")
def check_resource_instance_permissions(user, resourceid, permission): """ Checks if a user has permission to access a resource instance Arguments: user -- the user to check resourceid -- the id of the resource permission -- the permission codename (e.g. 'view_resourceinstance') for which to check """ result = {} try: resource = ResourceInstance.objects.get(resourceinstanceid=resourceid) result["resource"] = resource all_perms = get_perms(user, resource) if len(all_perms) == 0: # no permissions assigned. permission implied result["permitted"] = "unknown" return result else: user_permissions = get_user_perms(user, resource) if "no_access_to_resourceinstance" in user_permissions: # user is restricted result["permitted"] = False return result elif permission in user_permissions: # user is permitted result["permitted"] = True return result group_permissions = get_group_perms(user, resource) if "no_access_to_resourceinstance" in group_permissions: # group is restricted - no user override result["permitted"] = False return result elif permission in group_permissions: # group is permitted - no user override result["permitted"] = True return result if permission not in all_perms: # neither user nor group explicitly permits or restricts. result["permitted"] = False # restriction implied return result except ObjectDoesNotExist: return None return result
def obj_perms_manage_group_view(self, request, object_pk, group_id): """ Manages selected groups' permissions for current object. """ if not self.has_change_permission(request, None): post_url = reverse('admin:index', current_app=self.admin_site.name) return redirect(post_url) group = get_object_or_404(Group, id=group_id) obj = get_object_or_404(self.get_queryset(request), pk=object_pk) form_class = self.get_obj_perms_manage_group_form(request) form = form_class(group, obj, request.POST or None) if request.method == 'POST' and form.is_valid(): form.save_obj_perms() msg = ugettext("Permissions saved.") messages.success(request, msg) info = ( self.admin_site.name, self.model._meta.app_label, get_model_name(self.model) ) url = reverse( '%s:%s_%s_permissions_manage_group' % info, args=[obj.pk, group.id] ) return redirect(url) context = self.get_obj_perms_base_context(request, obj) context['group_obj'] = group context['group_perms'] = get_group_perms(group, obj) context['form'] = form request.current_app = self.admin_site.name if django.VERSION >= (1, 10): return render(request, self.get_obj_perms_manage_group_template(), context) return render_to_response(self.get_obj_perms_manage_group_template(), context, RequestContext(request))
def test_group_edit(self, django_app, groups, manager): group = manager.groups.first() response = django_app.get(reverse("core:group_edit", kwargs={"pk": group.id}), user=manager) form = response.form group_name = "New name" form["name"] = group_name form["users"].force_value([manager.id]) form["can_view_past_event"] = False form["is_planning_group"] = False form["publish_event_for_group"].select_multiple(texts=["Volunteers"]) response = form.submit() assert response.status_code == 302 group.refresh_from_db() assert group.name == group_name assert set(group.user_set.all()) == {manager} assert not group.permissions.filter( codename="view_past_event").exists() assert not group.permissions.filter(codename="add_event").exists() assert "publish_event_for_group" not in get_group_perms( group, Group.objects.get(name="Volunteers"))
def inner_decorator(request, roles=roles, *args, **kwargs): p = Project.objects.get(pk=kwargs['project_id']) u = request.user has_role = check_user_role(u, p, roles) is_token_authenticated = getattr(request, '_is_token_authenticated', False) # If a request is authenticated through an API token permissions are # required, endpoints that require write/annotate permissions also # need to have the TokenAnnotate permission. This is enforced also # for admin accounts. if is_token_authenticated and not contains_read_roles(roles) and \ settings.REQUIRE_EXTRA_TOKEN_PERMISSIONS: has_role = 'can_annotate_with_token' in get_user_perms(u, p) or \ 'can_annotate_with_token' in get_group_perms(u, p) if has_role: # The user can execute the function. return f(request, *args, **kwargs) else: msg = "User '{}' with ID {} does not have the required permissions in " \ "project {}".format(u.username, u.id, int(kwargs['project_id'])) raise PermissionError(msg)
def handle(self, *args, **options): analysis_read_perm = Analysis.get_read_perm() analysis_write_perm = Analysis.get_write_perm() variant_tag_read_perm = VariantTag.get_read_perm() variant_tag_write_perm = VariantTag.get_write_perm() PERM_CONVERTER = { analysis_read_perm: variant_tag_read_perm, analysis_write_perm: variant_tag_write_perm, } num_tags = 0 for variant_tag in VariantTag.objects.filter(analysis__isnull=False): # Convert existing analysis permissions for group in get_groups_with_perms(variant_tag.analysis): for old_perm in get_group_perms(group, variant_tag.analysis): perm = PERM_CONVERTER[old_perm] assign_perm(perm, group, variant_tag) # Default permissions for user assign_permission_to_user_and_groups(variant_tag.user, variant_tag) num_tags += 1 print(f"Set permission on {num_tags} tags")
def get_perms(request, biz_cc_id): template_id = request.GET.get('template_id') try: template = TaskTemplate.objects.get(pk=template_id, business__cc_id=biz_cc_id) except TaskTemplate.DoesNotExist: return HttpResponseForbidden() fill_params_groups = [] execute_task_groups = [] groups = get_groups_with_perms(template) # 获取有权限的分组列表 for group in groups: perm_list = get_group_perms(group, template) for perm in perm_list: if perm == FILL_PARAMS_PERM_NAME: fill_params_groups.append( {"show_name": group.name.split("\x00")[-1]}) elif perm == EXECUTE_TASK_PERM_NAME: execute_task_groups.append( {"show_name": group.name.split("\x00")[-1]}) # 获取有权限的人员列表 users = get_users_with_perms(template) for user in users: perm_list = get_user_perms(user, template) for perm in perm_list: if perm == FILL_PARAMS_PERM_NAME: fill_params_groups.append({"show_name": user.username}) elif perm == EXECUTE_TASK_PERM_NAME: execute_task_groups.append({"show_name": user.username}) ctx = { 'result': True, 'data': { 'fill_params_groups': fill_params_groups, 'execute_task_groups': execute_task_groups, } } return JsonResponse(ctx)
def get_group_permissions(self, nodegroup=None): """ get's a list of object level permissions allowed for a all groups returns an object of the form: .. code-block:: python { 'local': {'codename': permssion codename, 'name': permission name} # A list of object level permissions 'default': {'codename': permssion codename, 'name': permission name} # A list of model level permissions } Keyword Arguments: nodegroup -- the NodeGroup object instance to use to check for permissions on that particular object """ ret = [] for group in Group.objects.all(): perms = { 'local': [{ 'codename': codename, 'name': self.get_perm_name(codename).name } for codename in get_group_perms(group, nodegroup)], 'default': [{ 'codename': item.codename, 'name': item.name } for item in group.permissions.all()] } if len(perms['default']) > 0: ret.append({ 'name': group.name, 'perms': perms, 'type': 'group', 'id': group.pk }) return ret
def get_obj_perms_field_initial(self): perms = get_group_perms(self.group, self.obj) return perms
def get_group_permissions(self, nodegroup=None): """ get's a list of object level permissions allowed for a all groups returns an object of the form: .. code-block:: python { 'local': {'codename': permssion codename, 'name': permission name} # A list of object level permissions 'default': {'codename': permssion codename, 'name': permission name} # A list of model level permissions } Keyword Arguments: nodegroup -- the NodeGroup object instance to use to check for permissions on that particular object """ ret = [] for group in Group.objects.all(): perms = { 'local': [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in get_group_perms(group, nodegroup)], 'default': [{'codename': item.codename, 'name': item.name} for item in group.permissions.all()] } if len(perms['default']) > 0: ret.append({'name': group.name, 'perms': perms, 'type': 'group', 'id': group.pk}) return ret
def get(self, request): nodegroup_ids = JSONDeserializer().deserialize(request.GET.get('nodegroupIds')) identityId = request.GET.get('identityId') identityType = request.GET.get('identityType') ret = [] if identityType == 'group': identity = Group.objects.get(pk=identityId) for nodegroup_id in nodegroup_ids: nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id) perms = [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in get_group_perms(identity, nodegroup)] ret.append({'perms': perms, 'nodegroup_id': nodegroup_id}) else: identity = User.objects.get(pk=identityId) for nodegroup_id in nodegroup_ids: nodegroup = models.NodeGroup.objects.get(pk=nodegroup_id) perms = [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in get_user_perms(identity, nodegroup)] # only get the group perms ("defaults") if no user defined object settings have been saved if len(perms) == 0: perms = [{'codename': codename, 'name': self.get_perm_name(codename).name} for codename in set(get_group_perms(identity, nodegroup))] ret.append({'perms': perms, 'nodegroup_id': nodegroup_id}) return JSONResponse(ret)