import rules # Predicates @rules.predicate def is_book_author(user, book): if not book: return False return book.author == user @rules.predicate def is_boss(user): return user.is_superuser is_editor = rules.is_group_member('editors') # Rules rules.add_rule('change_book', is_book_author | is_editor) rules.add_rule('delete_book', is_book_author) rules.add_rule('create_book', is_boss) # Permissions rules.add_perm('testapp.change_book', is_book_author | is_editor) rules.add_perm('testapp.delete_book', is_book_author)
def review_in_progress(user, obj: Review): if obj: if obj.status in [Review.NEW, Review.IN_PROGRESS]: return True elif obj.status in [Review.ACCEPTED, Review.DECLINED]: return False @rules.predicate def content_review_in_progress(user, obj: Content): review = getattr(obj, "review", None) return review_in_progress(user, review) is_authenticated = rules.is_authenticated is_bsb_reviewer = rules.is_group_member("BSB-Reviewer") is_tuhh_reviewer = rules.is_group_member("TUHH-Reviewer") def can_assign_reviewer(user, content: Content): return is_bsb_reviewer(user) or is_tuhh_reviewer(user) def check_content_for_review(user, content: Content): if is_bsb_reviewer(user) and isinstance(content, TeachingModule): return True elif is_tuhh_reviewer(user) and (isinstance(content, Tool) or isinstance(content, Trend)): return True else: return False
import rules is_faculty = rules.is_group_member('faculty') can_access_media_files = is_faculty | rules.is_superuser has_faculty_privilege = is_faculty | rules.is_superuser can_access_unreleased_problems = has_faculty_privilege @rules.predicate def can_access_problem(user, problem): return problem.released or can_access_unreleased_problems(user) @rules.predicate def can_view_submit(user, submit): return has_faculty_privilege(user) or submit.user == user rules.add_rule('is_faculty', is_faculty) rules.add_rule('can_access_media_files', can_access_media_files) rules.add_rule('can_access_unreleased_problems', can_access_unreleased_problems) rules.add_rule('can_access_problem', can_access_problem) rules.add_rule('can_view_submit', can_view_submit)
if project_user is None: return False else: return True @rules.predicate def is_own_profile(user, platform_user_object): if platform_user_object is None: return False if user.id == platform_user_object.id: return True else: return False @rules.predicate def is_own_vote(user, vote_object): if vote_object is None: return False if user.id == vote_object.user.id: return True else: return False is_admin = rules.is_group_member('admin') is_default_user = rules.is_group_member('standard') can_change_user = is_admin | is_own_profile
def remittance_less_than_usd1500(user, remittance): return remittance.amount < 150000 @rules.predicate def remittance_cash_incentive_paid(user, remittance): return not remittance.check_unpaid_cash_incentive() @rules.predicate def is_thirdparty_exchange_house(user, remittance): return remittance.exchange.name != 'SWIFT' #is_branch_report_user = rules.is_group_member('branch user') is_branch_remittance_user = rules.is_group_member( 'Branch Remittance Info Submission User') is_branch_report_observer_user = rules.is_group_member( 'Branch Report Observer User') is_booth_remittance_user = rules.is_group_member( 'Booth Remittance Info Submission User') is_booth_report_observer_user = rules.is_group_member( 'Booth Report Observer User') is_ho_settlement_user = rules.is_group_member('HO Settlement User') is_ho_report_user = rules.is_group_member('HO Report Observer User') can_change_benifciary_of_remittance = rules.is_group_member( 'Change remittance benificiary') is_api_user = rules.is_group_member('API User') #is_super = rules.is_superuser(user) """@rules.predicate def is_same_domain_user(user,request):
def can_view_project(user, project): if not project: return False return rules.is_group_member(f'projman-{project.namespace}')(user)
import rules from rules import is_superuser # An full admin is also a restricted admin logically speaking, but full admins only belong to the full admin group. # Therefore, writing is_mygym_restricted_admin to detect whether a full admin is at least a restricted admin won't work! from flexipages.constants import FLEXIPAGES_EDITOR_GROUP_NAME, FLEXIPAGES_SITE_DESIGNER_GROUP_NAME, FLEXIPAGES_ADMIN_GROUP_NAME is_cms_admin = rules.is_group_member(FLEXIPAGES_ADMIN_GROUP_NAME) is_cms_editor = rules.is_group_member(FLEXIPAGES_EDITOR_GROUP_NAME) is_cms_designer = rules.is_group_member(FLEXIPAGES_SITE_DESIGNER_GROUP_NAME) # Special general managers. # NB: It is required to be able to manage notifications in order to fully manage events (i.e. create and send # invitation, reminders, schedule, etc.). Therefore, any events manager is can implicitly manage notifications. can_edit_content = is_superuser or is_cms_admin or is_cms_designer or is_cms_editor, can_edit_template = is_superuser or is_cms_designer, can_edit_page = is_superuser or is_cms_admin # Standard permissions. rules.add_perm('flexipages.add_page', can_edit_page) rules.add_perm('flexipages.change_page', can_edit_page) rules.add_perm('flexipages.delete_page', can_edit_page) rules.add_perm('flexipages.view_page', can_edit_content) rules.add_perm('flexipages.add_pageitem', can_edit_content) rules.add_perm('flexipages.change_pageitem', can_edit_content)
def is_reviewer(self): # todo: rewrite this as rule return (self.is_superuser or rules.is_group_member("BSB-Reviewer")(self) or rules.is_group_member("TUHH-Reviewer")(self))
def is_reviewer(self): # todo: rewrite this as rule return self.is_superuser or rules.is_group_member('BSB-Reviewer')(self) or \ rules.is_group_member('TUHH-Reviewer')(self)
# Check for objects which have a direct flag: if hasattr(obj, "suppressed"): return not obj.suppressed # Normally, suppression is recorded in the 'meta' model attached to # a 'revision' that collects 'versions' of one or more models that were # changed under revision tracking. if not hasattr(obj, "revision"): return False if not hasattr(obj.revision, "meta"): return False return not getattr(obj.revision.meta, "suppressed", False) # User group based permissions is_administrator = rules.is_group_member("Administrators") is_bureaucrat = rules.is_group_member("Bureaucrats") is_oversighter = rules.is_group_member("Oversighters") is_patroller = rules.is_group_member("Patrollers") is_admin_or_crat = is_bureaucrat | is_administrator is_admin_or_oversighter = is_oversighter | is_administrator is_admin_or_patroller = is_patroller | is_administrator # Convenience permission combinations is_authed = rules.is_authenticated is_creator_or_admin = is_authed & (is_creator | is_administrator) is_creator_or_oversighter = is_authed & (is_creator | is_admin_or_oversighter) is_obj_user_or_admin = is_authed & (is_obj_user | is_administrator) is_self_or_admin = is_authed & (is_self | is_administrator) not_suppressed_or_is_oversighter = is_not_suppressed | is_admin_or_oversighter
# By default we do not show suggestion on the start-project page PROJECT_SUGGESTIONS = False # Social share options in project/fundraiser detail SHARE_OPTIONS = { 'twitter': True, 'facebook': True, 'linkedin': False, 'embedded': False, 'link': False, 'flyer': False } SHOW_DONATION_AMOUNTS = True EXPORTDB_PERMISSION = rules.is_group_member('Staff') | rules.is_superuser # Salesforce connection settings SALESFORCE_QUERY_TIMEOUT = 15 REQUESTS_MAX_RETRIES = 0 SF_LAZY_CONNECT = True SOCIAL_AUTH_FACEBOOK_PROFILE_EXTRA_PARAMS = { 'fields': 'id,name,email,first_name,last_name,link', # needed starting from protocol v2.4 } SURVEYGIZMO_API_TOKEN = '' SURVEYGIZMO_API_SECRET = '' GEOPOSITION_GOOGLE_MAPS_API_KEY = ''
"""Permissions for accessing prize related resources and info These permissions are kept in memory, they do not need to be stored in the db """ import logging import rules from profiles import rules as profile_rules logger = logging.getLogger(__name__) is_competition_moderator = rules.is_group_member("competition_moderators") rules.add_perm("prizes", is_competition_moderator) for perm, predicate in { "can_list_competitions": profile_rules.is_privileged_user, "can_list_own_competitions": profile_rules.is_end_user, "view_sponsor": is_competition_moderator, "add_sponsor": is_competition_moderator, "change_sponsor": is_competition_moderator, "view_competition": is_competition_moderator, "add_prize": is_competition_moderator, "change_prize": is_competition_moderator, "view_prize": is_competition_moderator, "add_competition": is_competition_moderator, "change_competition": is_competition_moderator,
import rules from rules import predicate, is_group_member, is_authenticated #################################################################################################### # Predicates is_moderator = is_group_member('moderators') is_admin = is_group_member('administrators') is_admin_or_mod = is_admin | is_admin @predicate def is_object_public(user, object): return object.is_public @predicate def is_owner(user, object): return object.owner.pk is user.pk @predicate def is_parent_public(user, object): return object._parent.is_public @predicate def is_parent_owner(user, object): return object._parent.owner.pk is user.pk
if business is None: return False return user.municipality_set.filter(pk=business.region.municipality.pk).exists() @rules.predicate def is_muni_admin(user): """ Is an admin of SOME municipality """ logger.debug(f"Predicate {is_muni_admin.__name__}") return user.is_staff and user.municipality_set.exists() is_integration_admin = rules.is_group_member("Integration Admins") is_muni_or_integration_admin = is_integration_admin | is_muni_admin is_business_muni_or_integration_admin = is_integration_admin | is_business_muni_admin rules.add_perm("portal", rules.always_allow) rules.add_perm("portal.view_business", rules.always_allow) # This rule can't restrict addition of business to the munis the user can # admin so we rely on that being enforced in the ModelAdmin. rules.add_perm("portal.add_business", is_muni_or_integration_admin) rules.add_perm("portal.change_business", is_business_muni_or_integration_admin) rules.add_perm("portal.delete_business", is_business_muni_or_integration_admin) rules.add_perm("portal.add_businessmembership", is_business_muni_or_integration_admin) rules.add_perm( "portal.change_businessmembership", is_business_muni_or_integration_admin ) rules.add_perm("portal.view_businessmembership", rules.always_allow)
import rules # Predicates @rules.predicate def is_book_author(user, book): if not book: return False return book.author == user @rules.predicate def is_boss(user): return user.is_superuser is_editor = rules.is_group_member("editors") # Rules rules.add_rule("change_book", is_book_author | is_editor) rules.add_rule("delete_book", is_book_author) rules.add_rule("create_book", is_boss) # Permissions rules.add_perm("testapp.change_book", is_book_author | is_editor) rules.add_perm("testapp.delete_book", is_book_author)
import rules logger = logging.getLogger(__name__) @rules.predicate def is_owner(user, obj): return obj.owner == user @rules.predicate def is_profile_owner(user, profile_obj): return user.profile == profile_obj if user.is_authenticated else False @rules.predicate def has_profile(user): return bool(user.profile) if user.is_authenticated else False is_end_user = rules.is_group_member("end_users") is_privileged_user = rules.is_group_member("privileged_users") for perm, predicate in { "can_list_users": is_privileged_user, "can_create_profile": ~has_profile, "can_view_profile": has_profile, "can_edit_profile": has_profile & is_profile_owner, }.items(): rules.add_perm("profiles.{}".format(perm), predicate)
def review_in_progress(user, obj: Review): if obj: if obj.status in [Review.NEW, Review.IN_PROGRESS]: return True elif obj.status in [Review.ACCEPTED, Review.DECLINED]: return False @rules.predicate def content_review_in_progress(user, obj: Content): review = getattr(obj, 'review', None) return review_in_progress(user, review) is_authenticated = rules.is_authenticated is_bsb_reviewer = rules.is_group_member('BSB-Reviewer') is_tuhh_reviewer = rules.is_group_member('TUHH-Reviewer') def can_assign_reviewer(user, content: Content): return is_bsb_reviewer(user) or is_tuhh_reviewer(user) def check_content_for_review(user, content: Content): if is_bsb_reviewer(user) and isinstance(content, TeachingModule): return True elif is_tuhh_reviewer(user) and (isinstance(content, Tool) or isinstance(content, Trend)): return True else: return False
from __future__ import absolute_import import rules @rules.predicate def is_author(user, authored_object): print("Testing {} for authorship of {}".format(user, authored_object)) if authored_object is None: return None return user.pk == authored_object.author.pk is_manager = rules.is_group_member('manager') is_editor = rules.is_group_member('editor') | is_manager is_author_group = rules.is_group_member('author') | is_editor
from rules import is_group_member, predicate # BASIC ACCESS RULES @predicate def is_author(user, obj=None): if obj: return obj.author == user else: return False is_moderator = is_group_member('moderators') is_editor = is_group_member('editors') is_owner_or_moderator = is_author | is_editor | is_moderator is_owner_or_editor = is_author | is_editor
def is_project_admin(user, project): if not project: return False return rules.is_group_member(f'projman-{project.namespace}-admin')(user)
""" Rules for permissions of ADG admins """ import rules from openedx.adg.lms.applications.constants import ADG_ADMIN_GROUP_NAME # Create rule for ADG specific admin is_adg_admin = rules.is_group_member(ADG_ADMIN_GROUP_NAME) # Show Applications section on home screen rules.add_perm('applications', rules.is_staff) # User Applications rules.add_perm('applications.view_userapplication', rules.is_staff) rules.add_perm('applications.change_userapplication', rules.is_staff) # Education rules.add_perm('applications.view_education', rules.is_staff) # Work Experience rules.add_perm('applications.view_workexperience', rules.is_staff) # Business Line rules.add_perm('applications.view_businessline', rules.is_staff) # References rules.add_perm('applications.view_reference', rules.is_staff)
('anonymous', 'Anonymous'), ('reward__name', 'Reward'), ('name', 'Name'), ('activity__funding__deadline', 'Activity date'), ('created', 'Donation date'), ('updated', 'Last update'), ), 'resource_class': 'bluebottle.exports.resources.DonationResource', 'title': _('Funding contributions'), }), ]) } EXPORTDB_CONFIRM_FORM = 'bluebottle.exports.forms.ExportDBForm' EXPORTDB_EXPORT_ROOT = os.path.join(MEDIA_ROOT, '%s', 'private', 'exports') EXPORTDB_PERMISSION = rules.is_group_member('Staff') | rules.is_superuser EXPORTDB_USE_CELERY = True EXPORTDB_EXPORT_MEDIA_URL = os.path.join(MEDIA_URL, 'private/exports') # maximum delta between from/to date for exports EXPORT_MAX_DAYS = 366 * 3 TOKEN_AUTH_SETTINGS = 'bluebottle.clients.properties' # FIXME: When caching is made tenant aware, re-enable fluent caching FLUENT_CONTENTS_CACHE_OUTPUT = False CACHE_MIDDLEWARE_SECONDS = 0 # Amounts shown in donation modal DONATION_AMOUNTS = {
if change is not None and change.domain not in user.domains.all(): return False return True @rules.predicate def is_not_domain_admin_of_own_domain(user): return user.domain not in user.domains.all() ADMINS = "admins" DOMAIN_ADMINS = "domainadmins" ACCOUNT_USERS = "accountusers" is_admin = rules.Predicate(rules.is_group_member(ADMINS)) is_domain_admin = rules.Predicate(rules.is_group_member(DOMAIN_ADMINS)) is_account_user = rules.Predicate( rules.is_group_member(ACCOUNT_USERS) | is_domain_admin & is_not_domain_admin_of_own_domain) rules.add_perm("djcyradm.is_admin", is_admin) rules.add_perm("djcyradm.is_domain_admin", is_domain_admin) rules.add_perm("djcyradm.is_account_user", is_account_user) rules.add_perm("djcyradm.is_in_djcyradm_group", is_admin | is_domain_admin | is_account_user) rules.add_perm('djcyradm.change_mailusers', is_admin & user_is_not_main_admin | is_domain_admin & is_domain_admin_of_domain)
post_migrate.connect(create_groups, weak=False) if settings.DJANGO_AUTH_TYPE == 'BASIC': from .auth_basic import create_user post_save.connect(create_user, sender=User) elif settings.DJANGO_AUTH_TYPE == 'LDAP': import django_auth_ldap.backend from .auth_ldap import create_user django_auth_ldap.backend.populate_user.connect(create_user) # AUTH PREDICATES has_admin_role = rules.is_group_member(str(AUTH_ROLE.ADMIN)) has_user_role = rules.is_group_member(str(AUTH_ROLE.USER)) has_annotator_role = rules.is_group_member(str(AUTH_ROLE.ANNOTATOR)) has_observer_role = rules.is_group_member(str(AUTH_ROLE.OBSERVER)) @rules.predicate def is_task_owner(db_user, db_task): # If owner is None (null) the task can be accessed/changed/deleted # only by admin. At the moment each task has an owner. return db_task.owner == db_user @rules.predicate def is_task_assignee(db_user, db_task): return db_task.assignee == db_user
from __future__ import absolute_import import rules #from .predicates import * ##@rules.predicate #def is_company_guest(user,company): # return user in company.managers.all() @rules.predicate def is_authenticated(user): return user.is_authenticated() @rules.predicate def is_editors_group(user): return user.groups.filter(name='CompanyEditors').exists() can_change_entry = rules.has_perm('company.views_entry') is_editors = rules.is_group_member('CompanyEditors') is_guest = rules.is_group_member('CompanyGuest') #rules.add_perm('Company', is_editors) rules.add_perm('company', rules.is_authenticated) rules.add_perm('company.views_entry', is_editors_group) #rules.add_perm('Company.change_Company12', is_company_manager) # | is_superuser