Пример #1
    def get(self, request):
        """
        Return every role, annotated with member logins and named permissions.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest

        :return: Response containing a list of roles
        :rtype: django.http.HttpResponse
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the permissions of every role.
        role_query_manager = factory.role_query_manager()
        user_query_manager = factory.user_query_manager()
        permissions_manager = factory.permission_manager()
        roles = role_query_manager.find_all()
        for role in roles:
            members = user_query_manager.find_users_belonging_to_role(role['id'])
            role['users'] = [member['login'] for member in members]

            # Isolate schema change: the stored entries (each with a 'resource'
            # and an optional 'permission' list) become a resource -> names map.
            names_by_resource = {}
            for entry in role['permissions'] or ():
                target = entry['resource']
                op_values = entry.get('permission', [])
                names_by_resource[target] = [
                    permissions_manager.operation_value_to_name(value)
                    for value in op_values
                ]
            role['permissions'] = names_by_resource

            role.update({'_href': reverse('role_resource', kwargs={'role_id': role['id']})})
        return generate_json_response_with_pulp_encoder(roles)
Пример #2
Файл: roles.py Проект: beav/pulp
    def GET(self):
        """
        Return every role with its member logins, named permissions and a link.
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the permissions of every role.
        role_query_manager = managers.role_query_manager()
        user_query_manager = managers.user_query_manager()
        permissions_manager = managers.permission_manager()
        roles = role_query_manager.find_all()
        for role in roles:
            members = user_query_manager.find_users_belonging_to_role(role['id'])
            role['users'] = [member['login'] for member in members]

            # Isolate schema change: the stored entries (each with a 'resource'
            # and an optional 'permission' list) become a resource -> names map.
            names_by_resource = {}
            for entry in role['permissions'] or ():
                target = entry['resource']
                op_values = entry.get('permission', [])
                names_by_resource[target] = [
                    permissions_manager.operation_value_to_name(value)
                    for value in op_values
                ]
            role['permissions'] = names_by_resource

        # Links are attached in a second pass over the same collection.
        for role in roles:
            child_link = serialization.link.child_link_obj(role['id'])
            role.update(child_link)

        return self.ok(roles)
Пример #3
    def test_syntactic_sugar_methods(self):
        """
        Check that each factory shortcut returns an instance of its manager class.
        """
        # Setup
        factory.initialize()

        # Test: (shortcut, expected class) pairs, called in the listed order
        expectations = (
            (factory.authentication_manager, AuthenticationManager),
            (factory.cert_generation_manager, CertGenerationManager),
            (factory.certificate_manager, CertificateManager),
            (factory.password_manager, PasswordManager),
            (factory.permission_manager, PermissionManager),
            (factory.permission_query_manager, PermissionQueryManager),
            (factory.role_manager, RoleManager),
            (factory.role_query_manager, RoleQueryManager),
            (factory.user_manager, UserManager),
            (factory.user_query_manager, UserQueryManager),
            (factory.repo_manager, RepoManager),
            (factory.repo_unit_association_manager, RepoUnitAssociationManager),
            (factory.repo_publish_manager, RepoPublishManager),
            (factory.repo_query_manager, RepoQueryManager),
            (factory.repo_sync_manager, RepoSyncManager),
            (factory.content_manager, ContentManager),
            (factory.content_query_manager, ContentQueryManager),
            (factory.content_upload_manager, ContentUploadManager),
            (factory.consumer_manager, ConsumerManager),
            (factory.topic_publish_manager, TopicPublishManager),
        )
        for shortcut, manager_class in expectations:
            self.assertTrue(isinstance(shortcut(), manager_class))
Пример #4
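    def get(self, request, role_id):
        """
        Retrieve a specific role.

        The stored permission entries are reshaped into a mapping of resource to
        operation names. A role whose 'permissions' value is empty or None yields
        an empty mapping instead of failing while iterating None.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest
        :param role_id: id for the requested role
        :type role_id: str

        :return: Response containing the role
        :rtype: django.http.HttpResponse
        :raises: MissingResource if role ID does not exist
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the role's permissions.
        role = factory.role_query_manager().find_by_id(role_id)
        if role is None:
            raise pulp_exceptions.MissingResource(role_id)
        role["users"] = [u.login for u in user_controller.find_users_belonging_to_role(role["id"])]
        permissions_manager = factory.permission_manager()
        # isolate schema change
        resource_permission = {}
        # `or []` keeps a None permissions value from raising TypeError here
        for item in role["permissions"] or []:
            resource = item["resource"]
            operations = item.get("permission", [])
            resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations]
        role["permissions"] = resource_permission

        link = {"_href": reverse("role_resource", kwargs={"role_id": role["id"]})}
        role.update(link)
        return generate_json_response_with_pulp_encoder(role)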
Пример #5
Файл: roles.py Проект: beav/pulp
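    def GET(self, role_id):
        """
        Return one role with its member logins, named permissions and a link.

        A role whose 'permissions' value is empty or None yields an empty
        mapping instead of failing while iterating None.

        Raises exceptions.MissingResource when no role has the given id.
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the role's permissions.
        role = managers.role_query_manager().find_by_id(role_id)
        if role is None:
            raise exceptions.MissingResource(role_id)

        role['users'] = [
            u['login'] for u in managers.user_query_manager().
            find_users_belonging_to_role(role['id'])
        ]
        permissions_manager = managers.permission_manager()

        # isolate schema change
        resource_permission = {}
        # `or []` keeps a None permissions value from raising TypeError here
        for item in role['permissions'] or []:
            resource = item['resource']
            operations = item.get('permission', [])
            resource_permission[resource] = [
                permissions_manager.operation_value_to_name(o)
                for o in operations
            ]
        role['permissions'] = resource_permission

        role.update(serialization.link.current_link_obj())
        return self.ok(role)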
Пример #6
    def get(self, request):
        """
        Return every role, annotated with member logins and named permissions.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest

        :return: Response containing a list of roles
        :rtype: django.http.HttpResponse
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the permissions of every role.
        role_query_manager = factory.role_query_manager()
        permissions_manager = factory.permission_manager()
        roles = role_query_manager.find_all()
        for role in roles:
            members = user_controller.find_users_belonging_to_role(role["id"])
            role["users"] = [member.login for member in members]

            # Isolate schema change: the stored entries (each with a "resource"
            # and an optional "permission" list) become a resource -> names map.
            names_by_resource = {}
            for entry in role["permissions"] or ():
                target = entry["resource"]
                op_values = entry.get("permission", [])
                names_by_resource[target] = [
                    permissions_manager.operation_value_to_name(value)
                    for value in op_values
                ]
            role["permissions"] = names_by_resource

            role.update({"_href": reverse("role_resource", kwargs={"role_id": role["id"]})})
        return generate_json_response_with_pulp_encoder(roles)
Пример #7
    def test_syntactic_sugar_methods(self):
        """
        Check that each factory shortcut returns an instance of its manager class.
        """
        # Setup
        factory.initialize()

        # Test: (shortcut, expected class) pairs, called in the listed order
        expectations = (
            (factory.authentication_manager, AuthenticationManager),
            (factory.cert_generation_manager, CertGenerationManager),
            (factory.certificate_manager, CertificateManager),
            (factory.password_manager, PasswordManager),
            (factory.permission_manager, PermissionManager),
            (factory.permission_query_manager, PermissionQueryManager),
            (factory.role_manager, RoleManager),
            (factory.role_query_manager, RoleQueryManager),
            (factory.user_manager, UserManager),
            (factory.user_query_manager, UserQueryManager),
            (factory.repo_manager, RepoManager),
            (factory.repo_unit_association_manager, RepoUnitAssociationManager),
            (factory.repo_publish_manager, RepoPublishManager),
            (factory.repo_query_manager, RepoQueryManager),
            (factory.repo_sync_manager, RepoSyncManager),
            (factory.content_manager, ContentManager),
            (factory.content_query_manager, ContentQueryManager),
            (factory.content_upload_manager, ContentUploadManager),
            (factory.consumer_manager, ConsumerManager),
            (factory.topic_publish_manager, TopicPublishManager),
        )
        for shortcut, manager_class in expectations:
            self.assertTrue(isinstance(shortcut(), manager_class))
Пример #8
    def GET(self):
        """
        Return every role with its member logins, named permissions and a link.
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the permissions of every role.
        role_query_manager = managers.role_query_manager()
        user_query_manager = managers.user_query_manager()
        permissions_manager = managers.permission_manager()
        roles = role_query_manager.find_all()
        for role in roles:
            members = user_query_manager.find_users_belonging_to_role(role['id'])
            role['users'] = [member['login'] for member in members]

            # Isolate schema change: the stored entries (each with a 'resource'
            # and an optional 'permission' list) become a resource -> names map.
            names_by_resource = {}
            for entry in role['permissions'] or ():
                target = entry['resource']
                op_values = entry.get('permission', [])
                names_by_resource[target] = [
                    permissions_manager.operation_value_to_name(value)
                    for value in op_values
                ]
            role['permissions'] = names_by_resource

        # Links are attached in a second pass over the same collection.
        for role in roles:
            child_link = serialization.link.child_link_obj(role['id'])
            role.update(child_link)

        return self.ok(roles)
Пример #9
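    def get(self, request, role_id):
        """
        Retrieve a specific role.

        The stored permission entries are reshaped into a mapping of resource to
        operation names. A role whose 'permissions' value is empty or None yields
        an empty mapping instead of failing while iterating None.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest
        :param role_id: id for the requested role
        :type role_id: str

        :return: Response containing the role
        :rtype: django.http.HttpResponse
        :raises: MissingResource if role ID does not exist
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the role's permissions.
        role = factory.role_query_manager().find_by_id(role_id)
        if role is None:
            raise pulp_exceptions.MissingResource(role_id)
        role['users'] = [u['login'] for u in
                         factory.user_query_manager().find_users_belonging_to_role(role['id'])]
        permissions_manager = factory.permission_manager()
        # isolate schema change
        resource_permission = {}
        # `or []` keeps a None permissions value from raising TypeError here
        for item in role['permissions'] or []:
            resource = item['resource']
            operations = item.get('permission', [])
            resource_permission[resource] = [permissions_manager.operation_value_to_name(o)
                                             for o in operations]
        role['permissions'] = resource_permission

        link = {'_href': reverse('role_resource',
                kwargs={'role_id': role['id']})}
        role.update(link)
        return generate_json_response_with_pulp_encoder(role)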
Пример #10
    def remove_user_from_role(role_id, login):
        """
        Drop a user's membership in a role and revoke the role's permissions.

        For each permission entry of the role, the operations returned by
        _operations_not_granted_by_roles() for the user's other roles are
        revoked from the user. Returns without changes when the user is not a
        member of the role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           name of user
        :type  login:           str
        :raise MissingResource: if the given role or user does not exist
        :raise PulpDataException: if the user is the last member of the
                                  super-user role
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = model.User.objects.get_or_404(login=login)

        # The super-user role must keep at least one member.
        if role_id == SUPER_USER_ROLE:
            if user_controller.is_last_super_user(login):
                message = _('%(role)s cannot be empty, and %(login)s is the last member')
                raise PulpDataException(message % {'role': SUPER_USER_ROLE, 'login': login})

        if role_id not in user.roles:
            return

        user.roles.remove(role_id)
        user.save()

        # NOTE(review): the membership change is saved before the revocations
        # below and no rollback is visible; if a revoke() call fails, the user
        # keeps permissions of a role they no longer belong to.
        for entry in role['permissions']:
            remaining_roles = factory.role_query_manager().get_other_roles(role, user.roles)
            ops_to_revoke = _operations_not_granted_by_roles(
                entry['resource'], entry['permission'], remaining_roles)
            factory.permission_manager().revoke(entry['resource'], login, ops_to_revoke)
Пример #11
    def setUp(self):
        """
        Prepare the manager handles used by the tests.

        Also calls ensure_super_user_role() on the role manager and
        clear_principal() on the principal manager.
        """
        super(PermissionManagerTests, self).setUp()

        self.alpha_num = ''.join((string.letters, string.digits))

        # Each attribute is named after the factory shortcut that supplies it.
        for shortcut in ('role_manager', 'role_query_manager',
                         'permission_manager', 'permission_query_manager'):
            setattr(self, shortcut, getattr(manager_factory, shortcut)())

        self.role_manager.ensure_super_user_role()
        manager_factory.principal_manager().clear_principal()
Пример #12
    def setUp(self):
        """
        Prepare the manager handles used by the tests.

        Also calls ensure_super_user_role() on the role manager and
        ensure_admin() on the user manager.
        """
        super(AuthControllersTests, self).setUp()

        # Each attribute is named after the factory shortcut that supplies it.
        for shortcut in ('user_manager', 'user_query_manager',
                         'role_manager', 'role_query_manager',
                         'permission_manager', 'permission_query_manager',
                         'password_manager'):
            setattr(self, shortcut, getattr(manager_factory, shortcut)())

        self.role_manager.ensure_super_user_role()
        self.user_manager.ensure_admin()
Пример #13
    def setUp(self):
        """
        Prepare the manager handles used by the tests.

        Also calls ensure_super_user_role() on the role manager and
        clear_principal() on the principal manager.
        """
        super(RoleManagerTests, self).setUp()

        self.alpha_num = ''.join((string.letters, string.digits))

        # Each attribute is named after the factory shortcut that supplies it.
        for shortcut in ('role_manager', 'role_query_manager',
                         'permission_manager', 'permission_query_manager'):
            setattr(self, shortcut, getattr(manager_factory, shortcut)())

        self.role_manager.ensure_super_user_role()
        manager_factory.principal_manager().clear_principal()
Пример #14
    def setUp(self):
        """
        Prepare the manager handles used by the tests.

        Also calls ensure_super_user_role() on the role manager and
        ensure_admin() on the user manager.
        """
        super(AuthControllersTests, self).setUp()

        # Each attribute is named after the factory shortcut that supplies it.
        for shortcut in ('user_manager', 'user_query_manager',
                         'role_manager', 'role_query_manager',
                         'permission_manager', 'permission_query_manager',
                         'password_manager'):
            setattr(self, shortcut, getattr(manager_factory, shortcut)())

        self.role_manager.ensure_super_user_role()
        self.user_manager.ensure_admin()
Пример #15
    def remove_permissions_from_role(role_id, resource, operations):
        """
        Remove operations on a resource from a role and revoke them from its users.

        For each user in the role, the operations returned by
        _operations_not_granted_by_roles() for the user's other roles are
        revoked. Returns without changes when the role holds no operations on
        the resource.

        :param role_id:         role identifier
        :type  role_id:         str
        :param resource:        resource path to revoke permissions from
        :type  resource:        str
        :param operations:      operations being revoked
        :type  operations:      list or tuple
        :raise InvalidValue: if no role has the given id
        :raise PulpDataException: if role is a superuser role
        """
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])

        # Find the role's entry for this resource; the last matching entry wins.
        resource_permission = {}
        current_ops = []
        for entry in role['permissions']:
            if entry['resource'] != resource:
                continue
            resource_permission = entry
            current_ops = entry['permission']

        if not current_ops:
            return
        # current_ops is the list held inside the role document, so removals
        # here edit the role that is saved at the end.
        for op in operations:
            if op in current_ops:
                current_ops.remove(op)

        # NOTE(review): the full requested `operations` list, not only the
        # operations actually removed from the role, is passed on for
        # revocation; confirm that is intended. The role itself is saved only
        # after these revocations and no rollback is visible.
        members = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for member in members:
            remaining_roles = factory.role_query_manager().get_other_roles(role, member['roles'])
            ops_to_revoke = _operations_not_granted_by_roles(resource, operations, remaining_roles)
            factory.permission_manager().revoke(resource, member['login'], ops_to_revoke)

        # if no more allowed operations, remove the resource
        if not current_ops:
            role['permissions'].remove(resource_permission)

        Role.get_collection().save(role, safe=True)
Пример #16
    def GET(self):
        """
        Return every role with its member logins, named permissions and a link.
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the permissions of every role.
        role_query_manager = managers.role_query_manager()
        roles = role_query_manager.find_all()
        for role in roles:
            members = managers.user_query_manager().find_users_belonging_to_role(role['id'])
            role['users'] = [member['login'] for member in members]

            # Replace each resource's operation values with their names, in place.
            permissions = role['permissions']
            for resource, operations in permissions.items():
                permissions[resource] = [operation_to_name(value) for value in operations]

        # Links are attached in a second pass over the same collection.
        for role in roles:
            child_link = serialization.link.child_link_obj(role['id'])
            role.update(child_link)

        return self.ok(roles)
Пример #17
    def GET(self, role_id):
        """
        Return one role with its member logins, named permissions and a link.

        Raises exceptions.MissingResource when no role has the given id.
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the role's permissions.
        role = managers.role_query_manager().find_by_id(role_id)
        if role is None:
            raise exceptions.MissingResource(role_id)

        members = managers.user_query_manager().find_users_belonging_to_role(role['id'])
        role['users'] = [member['login'] for member in members]

        # Replace each resource's operation values with their names, in place.
        permissions_manager = managers.permission_manager()
        permissions = role['permissions']
        for resource, operations in permissions.items():
            permissions[resource] = [
                permissions_manager.operation_value_to_name(value)
                for value in operations
            ]

        role.update(serialization.link.current_link_obj())
        return self.ok(role)
Пример #18
Файл: cud.py Проект: nbetm/pulp
    def remove_permissions_from_role(role_id, resource, operations):
        """
        Remove operations on a resource from a role and revoke them from its users.

        For each user in the role, the operations returned by
        _operations_not_granted_by_roles() for the user's other roles are
        revoked. Returns without changes when the role holds no operations on
        the resource.

        :param role_id:         role identifier
        :type  role_id:         str
        :param resource:        resource path to revoke permissions from
        :type  resource:        str
        :param operations:      operations being revoked
        :type  operations:      list or tuple
        :raise InvalidValue: if no role has the given id
        :raise PulpDataException: if role is a superuser role
        """
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])

        # Find the role's entry for this resource; the last matching entry wins.
        resource_permission = {}
        current_ops = []
        for entry in role['permissions']:
            if entry['resource'] != resource:
                continue
            resource_permission = entry
            current_ops = entry['permission']

        if not current_ops:
            return
        # current_ops is the list held inside the role document, so removals
        # here edit the role that is saved at the end.
        for op in operations:
            if op in current_ops:
                current_ops.remove(op)

        # NOTE(review): the full requested `operations` list, not only the
        # operations actually removed from the role, is passed on for
        # revocation; confirm that is intended. The role itself is saved only
        # after these revocations and no rollback is visible.
        members = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for member in members:
            remaining_roles = factory.role_query_manager().get_other_roles(role, member['roles'])
            ops_to_revoke = _operations_not_granted_by_roles(resource, operations, remaining_roles)
            factory.permission_manager().revoke(resource, member['login'], ops_to_revoke)

        # if no more allowed operations, remove the resource
        if not current_ops:
            role['permissions'].remove(resource_permission)

        Role.get_collection().save(role, safe=True)
Пример #19
    def remove_permissions_from_role(self, role_id, resource, operations):
        """
        Remove operations on a resource from a role and revoke them from its users.

        For each user in the role, the operations returned by
        _operations_not_granted_by_roles() for the user's other roles are
        revoked. Returns without changes when the role holds no operations on
        the resource.

        @type role_id: str
        @param role_id: role identifier

        @type resource: str
        @param resource: resource path to revoke permissions from

        @type operations: list or tuple
        @param operations: operations being revoked

        @raise PulpDataException: if the role is the super-user role
        @raise MissingResource: if the given role does not exist
        """
        if role_id == self.super_user_role:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        permissions = role['permissions']
        current_ops = permissions.get(resource, [])
        if not current_ops:
            return
        # current_ops is the list held inside the role document, so removals
        # here edit the role that is saved at the end.
        for op in operations:
            if op in current_ops:
                current_ops.remove(op)

        # NOTE(review): the full requested `operations` list, not only the
        # operations actually removed from the role, is passed on for
        # revocation; confirm that is intended. The role itself is saved only
        # after these revocations and no rollback is visible.
        members = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for member in members:
            remaining_roles = factory.role_query_manager().get_other_roles(role, member['roles'])
            ops_to_revoke = _operations_not_granted_by_roles(resource, operations, remaining_roles)
            factory.permission_manager().revoke(resource, member['login'], ops_to_revoke)

        # if no more allowed operations, remove the resource
        if not current_ops:
            del permissions[resource]

        Role.get_collection().save(role, safe=True)
Пример #20
    def GET(self):
        """
        Return every role with its member logins, named permissions and a link.
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the permissions of every role.
        role_query_manager = managers.role_query_manager()
        roles = role_query_manager.find_all()
        for role in roles:
            members = managers.user_query_manager().find_users_belonging_to_role(role['id'])
            role['users'] = [member['login'] for member in members]

            # Replace each resource's operation values with their names, in place.
            permissions = role['permissions']
            for resource, operations in permissions.items():
                permissions[resource] = [operation_to_name(value) for value in operations]

        # Links are attached in a second pass over the same collection.
        for role in roles:
            child_link = serialization.link.child_link_obj(role['id'])
            role.update(child_link)

        return self.ok(roles)
Пример #21
    def delete_role(role_id):
        """
        Delete a role, revoking from its members the permissions it granted.

        For each permission entry and each member, the operations returned by
        _operations_not_granted_by_roles() for the member's other roles are
        revoked. The role id is then removed from every member and the role
        document is deleted.

        :param role_id:         identifies the role being deleted
        :type  role_id:         str
        :raise InvalidValue:    if role_id is not a string
        :raise MissingResource: if the given role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        # None is not a basestring, so one isinstance test rejects both cases
        if not isinstance(role_id, basestring):
            raise InvalidValue(['role_id'])

        # Check whether role exists
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        # Make sure role is not a superuser role
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('Role %s cannot be changed') % role_id)

        members = factory.user_query_manager().find_users_belonging_to_role(role_id)

        # NOTE(review): `members` is walked once per permission entry and again
        # below; this relies on find_users_belonging_to_role() returning a
        # re-iterable sequence rather than a one-shot cursor; confirm.
        for entry in role['permissions']:
            for member in members:
                remaining_roles = factory.role_query_manager().get_other_roles(
                    role, member['roles'])
                ops_to_revoke = _operations_not_granted_by_roles(
                    entry['resource'], entry['permission'], remaining_roles)
                factory.permission_manager().revoke(
                    entry['resource'], member['login'], ops_to_revoke)

        # Remove the role from each member
        for member in members:
            member['roles'].remove(role_id)
            factory.user_manager().update_user(member['login'], Delta(member, 'roles'))

        Role.get_collection().remove({'id': role_id}, safe=True)
Пример #22
Файл: cud.py Проект: bartwo/pulp
    def remove_permissions_from_role(self, role_id, resource, operations):
        """
        Remove operations on a resource from a role and revoke them from its users.

        For each user in the role, the operations returned by
        _operations_not_granted_by_roles() for the user's other roles are
        revoked. Returns without changes when the role holds no operations on
        the resource.

        @type role_id: str
        @param role_id: role identifier

        @type resource: str
        @param resource: resource path to revoke permissions from

        @type operations: list or tuple
        @param operations: operations being revoked

        @raise PulpDataException: if the role is the super-user role
        @raise MissingResource: if the given role does not exist
        """
        if role_id == self.super_user_role:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        permissions = role['permissions']
        current_ops = permissions.get(resource, [])
        if not current_ops:
            return
        # current_ops is the list held inside the role document, so removals
        # here edit the role that is saved at the end.
        for op in operations:
            if op in current_ops:
                current_ops.remove(op)

        # NOTE(review): the full requested `operations` list, not only the
        # operations actually removed from the role, is passed on for
        # revocation; confirm that is intended. The role itself is saved only
        # after these revocations and no rollback is visible.
        members = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for member in members:
            remaining_roles = factory.role_query_manager().get_other_roles(role, member['roles'])
            ops_to_revoke = _operations_not_granted_by_roles(resource, operations, remaining_roles)
            factory.permission_manager().revoke(resource, member['login'], ops_to_revoke)

        # if no more allowed operations, remove the resource
        if not current_ops:
            del permissions[resource]

        Role.get_collection().save(role, safe=True)
Пример #23
    def remove_user_from_role(self, role_id, login):
        """
        Drop a user's membership in a role and revoke the role's permissions.

        For each resource of the role, the operations returned by
        _operations_not_granted_by_roles() for the user's other roles are
        revoked from the user. Returns without changes when the user is not a
        member of the role.

        @type role_id: str
        @param role_id: role identifier

        @type login: str
        @param login: name of user

        @return: None

        @raise MissingResource: if the given role or user does not exist
        @raise PulpDataException: if the user is the last member of the
                                  super-user role
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise MissingResource(login)

        # The super-user role must keep at least one member.
        if role_id == self.super_user_role:
            if factory.user_query_manager().is_last_super_user(login):
                message = _('%s cannot be empty, and %s is the last member')
                raise PulpDataException(message % (self.super_user_role, login))

        if role_id not in user['roles']:
            return

        user['roles'].remove(role_id)
        User.get_collection().save(user, safe=True)

        # NOTE(review): the membership change is saved before the revocations
        # below and no rollback is visible; if a revoke() call fails, the user
        # keeps permissions of a role they no longer belong to.
        for resource, operations in role['permissions'].items():
            remaining_roles = factory.role_query_manager().get_other_roles(role, user['roles'])
            ops_to_revoke = _operations_not_granted_by_roles(resource, operations, remaining_roles)
            factory.permission_manager().revoke(resource, login, ops_to_revoke)
Пример #24
    def GET(self, role_id):
        """
        Return one role with its member logins, named permissions and a link.

        Raises exceptions.MissingResource when no role has the given id.
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the role's permissions.
        role = managers.role_query_manager().find_by_id(role_id)
        if role is None:
            raise exceptions.MissingResource(role_id)

        members = managers.user_query_manager().find_users_belonging_to_role(role['id'])
        role['users'] = [member['login'] for member in members]

        # Replace each resource's operation values with their names, in place.
        permissions = role['permissions']
        for resource, operations in permissions.items():
            permissions[resource] = [operation_to_name(value) for value in operations]

        role.update(serialization.link.current_link_obj())

        return self.ok(role)
Пример #25
    def remove_user_from_role(role_id, login):
        """
        Drop a user's membership in a role and revoke the role's permissions.

        For each permission entry of the role, the operations returned by
        _operations_not_granted_by_roles() for the user's other roles are
        revoked from the user. Returns without changes when the user is not a
        member of the role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           name of user
        :type  login:           str
        :raise MissingResource: if the given role or user does not exist
        :raise PulpDataException: if the user is the last member of the
                                  super-user role
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise MissingResource(login)

        # The super-user role must keep at least one member.
        if role_id == SUPER_USER_ROLE:
            if factory.user_query_manager().is_last_super_user(login):
                message = _('%(role)s cannot be empty, and %(login)s is the last member')
                raise PulpDataException(message % {'role': SUPER_USER_ROLE, 'login': login})

        if role_id not in user['roles']:
            return

        user['roles'].remove(role_id)
        User.get_collection().save(user, safe=True)

        # NOTE(review): the membership change is saved before the revocations
        # below and no rollback is visible; if a revoke() call fails, the user
        # keeps permissions of a role they no longer belong to.
        for entry in role['permissions']:
            remaining_roles = factory.role_query_manager().get_other_roles(role, user['roles'])
            ops_to_revoke = _operations_not_granted_by_roles(
                entry['resource'], entry['permission'], remaining_roles)
            factory.permission_manager().revoke(entry['resource'], login, ops_to_revoke)
Пример #26
Файл: cud.py Проект: bartwo/pulp
    def remove_user_from_role(self, role_id, login):
        """
        Drop a user's membership in a role and revoke the role's permissions.

        For each resource of the role, the operations returned by
        _operations_not_granted_by_roles() for the user's other roles are
        revoked from the user. Returns without changes when the user is not a
        member of the role.

        @type role_id: str
        @param role_id: role identifier

        @type login: str
        @param login: name of user

        @return: None

        @raise MissingResource: if the given role or user does not exist
        @raise PulpDataException: if the user is the last member of the
                                  super-user role
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise MissingResource(login)

        # The super-user role must keep at least one member.
        if role_id == self.super_user_role:
            if factory.user_query_manager().is_last_super_user(login):
                message = _('%s cannot be empty, and %s is the last member')
                raise PulpDataException(message % (self.super_user_role, login))

        if role_id not in user['roles']:
            return

        user['roles'].remove(role_id)
        User.get_collection().save(user, safe=True)

        # NOTE(review): the membership change is saved before the revocations
        # below and no rollback is visible; if a revoke() call fails, the user
        # keeps permissions of a role they no longer belong to.
        for resource, operations in role['permissions'].items():
            remaining_roles = factory.role_query_manager().get_other_roles(role, user['roles'])
            ops_to_revoke = _operations_not_granted_by_roles(resource, operations, remaining_roles)
            factory.permission_manager().revoke(resource, login, ops_to_revoke)
Пример #27
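    def GET(self, role_id):
        """
        Return one role with its member logins, named permissions and a link.

        A role whose 'permissions' value is empty or None yields an empty
        mapping instead of failing while iterating None.

        Raises exceptions.MissingResource when no role has the given id.
        """
        # NOTE(review): no authorization check is visible in this snippet; confirm
        # one is applied outside it, since the response exposes member logins and
        # the role's permissions.
        role = managers.role_query_manager().find_by_id(role_id)
        if role is None:
            raise exceptions.MissingResource(role_id)

        role['users'] = [u['login'] for u in
                         managers.user_query_manager().find_users_belonging_to_role(role['id'])]
        permissions_manager = managers.permission_manager()

        # isolate schema change
        resource_permission = {}
        # `or []` keeps a None permissions value from raising TypeError here
        for item in role['permissions'] or []:
            resource = item['resource']
            operations = item.get('permission', [])
            resource_permission[resource] = [permissions_manager.operation_value_to_name(o)
                                             for o in operations]
        role['permissions'] = resource_permission

        role.update(serialization.link.current_link_obj())
        return self.ok(role)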
Пример #28
Файл: cud.py Проект: nbetm/pulp
    def delete_role(role_id):
        """
        Delete a role, revoking from its members the permissions it granted.

        For each permission entry and each member, the operations returned by
        _operations_not_granted_by_roles() for the member's other roles are
        revoked. The role id is then removed from every member and the role
        document is deleted.

        :param role_id:         identifies the role being deleted
        :type  role_id:         str
        :raise InvalidValue:    if role_id is not a string
        :raise MissingResource: if the given role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        # None is not a basestring, so one isinstance test rejects both cases
        if not isinstance(role_id, basestring):
            raise InvalidValue(['role_id'])

        # Check whether role exists
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        # Make sure role is not a superuser role
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('Role %s cannot be changed') % role_id)

        members = factory.user_query_manager().find_users_belonging_to_role(role_id)

        # NOTE(review): `members` is walked once per permission entry and again
        # below; this relies on find_users_belonging_to_role() returning a
        # re-iterable sequence rather than a one-shot cursor; confirm.
        for entry in role['permissions']:
            for member in members:
                remaining_roles = factory.role_query_manager().get_other_roles(
                    role, member['roles'])
                ops_to_revoke = _operations_not_granted_by_roles(
                    entry['resource'], entry['permission'], remaining_roles)
                factory.permission_manager().revoke(
                    entry['resource'], member['login'], ops_to_revoke)

        # Remove the role from each member
        for member in members:
            member['roles'].remove(role_id)
            factory.user_manager().update_user(member['login'], Delta(member, 'roles'))

        Role.get_collection().remove({'id': role_id}, safe=True)