def security (db, ** kw) :
roles = [ ("SupportAdmin", "Customer support department") ]
# classname allowed to view / edit
classes = \
[ ("sup_status", ["User"], [])
, ("sup_prio", ["User"], [])
, ("sup_type", ["User"], [])
, ("sup_warranty", ["User"], [])
, ("sup_execution", ["User"], [])
, ("business_unit", ["User"], [])
, ("product", ["User"], [])
, ("support", ["SupportAdmin"], ["SupportAdmin"])
, ("customer", ["User", "SupportAdmin"], ["SupportAdmin"])
, ("contact", ["User", "SupportAdmin"], ["SupportAdmin"])
, ("mailgroup", ["User", "SupportAdmin"], ["SupportAdmin", "IT"])
, ("sup_classification",
["User", "SupportAdmin"], ["SupportAdmin"])
, ("customer_agreement",
["User", "SupportAdmin"], ["SupportAdmin"])
, ("analysis_result",
["User", "SupportAdmin"], ["SupportAdmin"])
, ("return_type",
["User", "SupportAdmin"], ["SupportAdmin"])
]
if 'adr_type' in db.classes :
classes.append (( "adr_type"
, ["User", "SupportAdmin"]
, ["SupportAdmin"]
))
classes.append (( "adr_type_cat"
, ["User", "SupportAdmin"]
, ["SupportAdmin"]
))
prop_perms = []
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
db.security.addPermissionToRole ('User', 'Create', 'support')
db.security.addPermissionToRole ('SupportAdmin', 'Create', 'support')
schemadef.register_confidentiality_check \
(db, 'User', 'support', ('View',))
exc_props = dict.fromkeys (('first_reply', 'satisfied'))
props = dict (db.support.properties)
for p in exc_props :
del props [p]
schemadef.register_confidentiality_check \
(db, 'User', 'support', ('Edit',), * props.keys ())
schemadef.register_nosy_classes (db, ['support'])
schemadef.add_search_permission (db, 'support', 'User')
def security (db, ** kw) :
roles = ( ("Doc_Admin", "Admin for documents (e.g. QM)")
, ("Nosy", "Allowed on nosy list")
)
prop_perms = (("department", "Edit", ("Doc_Admin", ), ("doc_num", )), )
classes = \
( ("doc" , ("User",), ("Doc_Admin", "User"))
, ("artefact" , ("User",), ("Doc_Admin",))
, ("product_type", ("User",), ("Doc_Admin",))
, ("reference" , ("User",), ("Doc_Admin",))
, ("doc_status" , ("User",), ("Doc_Admin",))
)
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
schemadef.register_nosy_classes (db, ['doc'])
def security (db, ** kw) :
roles = \
[ ("Issue_Admin", "Admin for issue tracker")
, ("Nosy", "Allowed on nosy list")
]
# classname allowed to view / edit
classes = \
[ ("issue", ["Issue_Admin"], ["Issue_Admin"])
, ("status", ["User"], ["Issue_Admin"])
, ("prio", ["User"], ["Issue_Admin"])
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, ())
schemadef.register_nosy_classes (db, ['issue'])
db.security.addPermissionToRole ('User', 'Create', 'issue')
schemadef.add_search_permission (db, 'issue', 'User')
def security (db, ** kw) :
""" See the configuration and customisation document for information
about security setup.
"""
roles = \
[ ("Board", "Approvals over certain limits")
, ("Nosy", "Nosy list")
, ("Finance", "Finance-related approvals")
, ("HR", "Approvals for staff/subcontracting")
, ("HR-Approval", "Approvals for HR-related issues")
, ("IT-Approval", "Approve IT-Related PRs")
, ("Procurement", "Procurement department")
, ("Procurement-Admin", "Procurement administration")
, ("Procure-Approval", "Procurement approvals")
, ("Quality", "Approvals for Safety issues")
, ("Subcontract", "Approvals for staff/subcontracting")
, ("PR-View", "See all Purchase Requests")
, ("Measurement-Approval", "Responsible for Measurement-Equipment")
, ("Training-Approval", "Approvals for Training")
, ("Subcontract-Org", "Approvals for Subcontracting")
, ("CISO", "Editing of Security Tables")
]
# classname allowed to view / edit
classes = \
[ ("department", ["User"], [])
, ("infosec_level", ["User"], ["Procurement-Admin"])
, ("location", ["User"], [])
, ("organisation", ["User"], [])
, ("org_location", ["User"], [])
, ("part_of_budget", ["User"], [])
, ("pr_approval_config", ["Procurement"], ["Procurement-Admin"])
, ("pr_approval_order", ["Procurement"], ["Procurement-Admin"])
, ("pr_approval", ["Procurement","PR-View"], [])
, ("pr_approval_status", ["User"], [])
, ("pr_currency", ["User"], ["Procurement-Admin"])
, ("pr_status", ["User"], [])
, ("pr_supplier", ["User"], ["Procurement-Admin"])
, ("pr_rating_category", ["User"], ["Procurement-Admin"])
, ("pr_supplier_rating", ["User"], ["Procurement-Admin"])
, ("purchase_type", ["User"], ["Procurement-Admin"])
, ("terms_conditions", ["User"], [])
, ("time_project", ["User"], [])
, ("user", ["Procurement-Admin"], [])
, ("purchase_request", ["PR-View"], [])
, ("pr_offer_item", ["PR-View"], [])
, ("internal_order", ["User"], [])
, ("pr_ext_resource", ["User"], [])
, ("security_req_group", ["User"], ["Procurement-Admin", "CISO"])
, ("product_group", ["User"], ["Procurement-Admin"])
, ("pg_category", ["User"], ["Procurement-Admin"])
, ("supplier_risk_category", ["User"], [])
, ("purchase_risk_type", ["User"], [])
, ("pr_supplier_risk", ["User"], ["Procurement-Admin", "CISO"])
, ("payment_type", ["User"], [])
, ("purchase_security_risk", ["User"], [])
]
prop_perms = \
[ ( "user", "Edit", ["Procurement-Admin"]
, ("roles", "password", "substitute", "subst_until", "clearance_by")
)
, ( "user", "View", ["User"]
, ("username", "id", "realname", "status")
)
, ( "user", "Edit", ["Procurement-Admin"]
, ("want_no_messages",)
)
# Allow anybody to edit purchase_request but do not allow change
# (in reactor): This is used for ordering actions in the web
# interface via links (!)
, ( "pr_approval", "Edit", ["User"]
, ("purchase_request", "date")
)
, ( "purchase_request", "Edit", ["Procurement", "Procurement-Admin"]
, ("renew_until",)
)
, ( "time_project", "Edit", ["Procurement"]
, ("deputy_gets_mail",)
)
, ( "sap_cc", "Edit", ["Procurement"]
, ("deputy_gets_mail",)
)
, ( "pr_approval_order", "View", ["User"]
, ("role", "id")
)
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
# Retire/Restore permission for pr_approval_order
for n in 'Retire', 'Restore' :
p = db.security.addPermission \
( name = n
, klass = 'pr_approval_order'
)
db.security.addPermissionToRole ('Procurement-Admin', p)
tp_properties = \
( 'name', 'description', 'responsible', 'deputy', 'organisation'
, 'status', 'id'
, 'creation', 'creator', 'activity', 'actor'
)
# Search permission
p = db.security.addPermission \
( name = 'Search'
, klass = 'time_project'
, properties = tp_properties
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'user'
)
db.security.addPermissionToRole ('Procurement-Admin', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'purchase_request'
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'pr_approval'
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'pr_offer_item'
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Search'
, klass = 'pr_approval_order'
)
db.security.addPermissionToRole ('User', p)
db.security.addPermissionToRole ('User', 'Create', 'pr_offer_item')
db.security.addPermissionToRole ('User', 'Create', 'purchase_request')
fixdoc = schemadef.security_doc_from_docstring
def pr_pt_role (db, userid, itemid) :
""" Users are allowed if they have one of the view roles
of the purchase type or one of the (forced) approval roles.
"""
if not itemid or itemid < 1 :
return False
pr = db.purchase_request.getnode (itemid)
if not pr.purchase_type :
return False
pt = db.purchase_type.getnode (pr.purchase_type)
roles = set (pt.pr_view_roles)
roles.update (pt.pr_roles)
roles.update (pt.pr_forced_roles)
for r in roles :
if prlib.has_pr_role (db, userid, r) :
return True
return False
# end def pr_pt_role
p = db.security.addPermission \
( name = 'View'
, klass = 'purchase_request'
, check = pr_pt_role
, description = fixdoc (pr_pt_role.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = pr_pt_role
, description = fixdoc (pr_pt_role.__doc__)
, properties =
( 'sap_reference', 'terms_conditions', 'frame_purchase'
, 'frame_purchase_end', 'nosy', 'messages', 'purchasing_agents'
, 'internal_order', 'special_approval', 'payment_type'
)
)
db.security.addPermissionToRole ('User', p)
def pt_role_offer_item (db, userid, itemid) :
""" Users are allowed to view if they have one of the view roles
of the purchase type
"""
pr = get_pr_from_offer_item (db, itemid)
if pr is None :
return False
return pr_pt_role (db, userid, pr.id)
# end def pt_role_offer_item
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_offer_item'
, check = pt_role_offer_item
, description = fixdoc (pt_role_offer_item.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_offer_item'
, check = pt_role_offer_item
, description = fixdoc (pt_role_offer_item.__doc__)
, properties =
( 'add_to_las'
, 'supplier'
, 'pr_supplier'
, 'is_asset'
, 'payment_type'
, 'internal_order'
)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_offer_item'
, properties =
( 'add_to_las'
,
)
)
db.security.addPermissionToRole ('CISO', p)
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_offer_item'
, properties =
( 'add_to_las'
, 'supplier'
, 'pr_supplier'
, 'creation'
, 'creator'
, 'activity'
, 'actor'
)
)
db.security.addPermissionToRole ('CISO', p)
def view_role_approval (db, userid, itemid) :
""" Users are allowed to view if they have one of the view roles
of the purchase type
"""
sp = db.pr_approval.getnode (itemid)
pr = db.purchase_request.getnode (sp.purchase_request)
if pr is None :
return False
return pr_pt_role (db, userid, pr.id)
# end def view_role_approval
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_approval'
, check = view_role_approval
, description = fixdoc (view_role_approval.__doc__)
)
db.security.addPermissionToRole ('User', p)
def approver_non_finance (db, userid, itemid) :
""" Approvers are allowed if not finance and PR not yet approved
by finance.
"""
if not itemid or itemid < 1 :
return False
# User may not change
if own_pr (db, userid, itemid) :
return False
# Finance may not change
if common.user_has_role (db, userid, 'finance') :
return False
pr = db.purchase_request.getnode (itemid)
st_approving = db.pr_status.lookup ('approving')
if pr.status != st_approving :
return False
un = db.pr_approval_status.lookup ('undecided')
ap = db.pr_approval.filter (None, dict (purchase_request = itemid))
for id in ap :
a = db.pr_approval.getnode (id)
# already signed by finance?
finance = db.pr_approval_order.lookup ('finance')
if a.status != un and a.role_id == finance :
return False
return linked_pr (db, userid, itemid)
# end def approver_non_finance
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = approver_non_finance
, description = fixdoc (approver_non_finance.__doc__)
, properties =
( 'continuous_obligation', 'intended_duration', 'contract_term')
)
db.security.addPermissionToRole ('User', p)
def approver_non_finance_offer (db, userid, itemid) :
""" Approvers are allowed if not finance and PR not yet approved
by finance.
"""
pr = get_pr_from_offer_item (db, itemid)
if pr is None :
return False
return approver_non_finance (db, userid, pr.id)
# end def approver_non_finance_offer
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_offer_item'
, check = approver_non_finance_offer
, description = fixdoc (approver_non_finance_offer.__doc__)
, properties = ( 'vat',)
)
db.security.addPermissionToRole ('User', p)
def own_pr (db, userid, itemid) :
""" User is allowed permission on their own PRs if either creator or
requester or supervisor of requester.
"""
if not itemid or itemid < 1 :
return False
pr = db.purchase_request.getnode (itemid)
if pr.creator == userid or pr.requester == userid :
return True
sup = db.user.get (pr.requester, 'supervisor')
if sup and sup == userid :
return True
return False
# end def own_pr
p = db.security.addPermission \
( name = 'View'
, klass = 'purchase_request'
, check = own_pr
, description = fixdoc (own_pr.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = own_pr
, description = fixdoc (own_pr.__doc__)
, properties = ('messages', 'nosy', 'files', 'renew_until')
)
db.security.addPermissionToRole ('User', p)
def open_or_approving (db, userid, itemid) :
st_open = db.pr_status.lookup ('open')
st_approving = db.pr_status.lookup ('approving')
pr = db.purchase_request.getnode (itemid)
if pr.status in (st_open, st_approving) :
return True
return False
# end def open_or_approving
def cancel_own_pr (db, userid, itemid) :
""" User is allowed to cancel their own PR.
"""
if not own_pr (db, userid, itemid) :
return False
return open_or_approving (db, userid, itemid)
# end def cancel_own_pr
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = cancel_own_pr
, description = fixdoc (cancel_own_pr.__doc__)
, properties = ('status', 'messages', 'nosy')
)
db.security.addPermissionToRole ('User', p)
def edit_pr_justification (db, userid, itemid) :
""" User is allowed to edit PR Justification
if the PR has appropriate status
and the user is creator or owner of the PR or has one of the
view roles.
"""
st_open = db.pr_status.lookup ('open')
st_approving = db.pr_status.lookup ('approving')
st_rejected = db.pr_status.lookup ('rejected')
st_approved = db.pr_status.lookup ('approved')
stati = (st_open, st_approving, st_rejected, st_approved)
pr = db.purchase_request.getnode (itemid)
if pr.status not in stati :
return False
if own_pr (db, userid, itemid) :
return True
if pr_pt_role (db, userid, itemid) :
return True
return False
# end def edit_pr_justification
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = edit_pr_justification
, description = fixdoc (edit_pr_justification.__doc__)
, properties = ('pr_justification',)
)
db.security.addPermissionToRole ('User', p)
def cancel_open_pr (db, userid, itemid) :
""" User is allowed to cancel a PR if it is open
"""
st_open = db.pr_status.lookup ('open')
pr = db.purchase_request.getnode (itemid)
if pr.status == st_open :
return True
return False
# end def cancel_own_pr
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = cancel_open_pr
, description = fixdoc (cancel_open_pr.__doc__)
, properties = ('status', 'messages')
)
db.security.addPermissionToRole ('Procurement-Admin', p)
def approving_or_approved (db, userid, itemid) :
""" User is allowed to reject PR in state approving or approved
"""
st_approving = db.pr_status.lookup ('approving')
st_approved = db.pr_status.lookup ('approved')
pr = db.purchase_request.getnode (itemid)
if pr.status in (st_approving, st_approved) :
return True
return False
# end def approving_or_approved
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = approving_or_approved
, description = fixdoc (approving_or_approved.__doc__)
, properties = ('status', 'messages')
)
for r in prlib.reject_roles :
db.security.addPermissionToRole (r, p)
def reopen_rejected_pr (db, userid, itemid) :
""" User is allowed to reopen their own rejected PR.
"""
if not own_pr (db, userid, itemid) :
return False
st_rejected = db.pr_status.lookup ('rejected')
pr = db.purchase_request.getnode (itemid)
if pr.status == st_rejected :
return True
return False
# end def reopen_rejected_pr
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = reopen_rejected_pr
, description = fixdoc (reopen_rejected_pr.__doc__)
, properties = ('status', 'messages', 'nosy')
)
db.security.addPermissionToRole ('User', p)
def own_pr_and_open_or_rej (db, userid, itemid) :
""" User is allowed to edit their own PRs (creator or requester
or supervisor of requester) while PR is open or rejected.
"""
if not own_pr (db, userid, itemid) :
return False
open = db.pr_status.lookup ('open')
rej = db.pr_status.lookup ('rejected')
pr = db.purchase_request.getnode (itemid)
if pr.status == open or pr.status == rej :
return True
return False
# end def own_pr_and_open_or_rej
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = own_pr_and_open_or_rej
, description = fixdoc (own_pr_and_open_or_rej.__doc__)
)
db.security.addPermissionToRole ('User', p)
def linked_pr (db, userid, itemid) :
""" Users are allowed if an approval from them is
linked to the PR.
"""
if not itemid or itemid < 1 :
return False
pr = db.purchase_request.getnode (itemid)
ap = db.pr_approval.filter (None, dict (purchase_request = itemid))
for id in ap :
a = db.pr_approval.getnode (id)
# User or deputy or delegated?
if userid in common.approval_by (db, a.user) :
return True
if userid in common.approval_by (db, a.deputy) :
return True
if a.role_id and prlib.has_pr_role (db, userid, a.role_id) :
return True
return False
# end def linked_pr
p = db.security.addPermission \
( name = 'View'
, klass = 'purchase_request'
, check = linked_pr
, description = fixdoc (linked_pr.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = linked_pr
, description = fixdoc (linked_pr.__doc__)
, properties = ('messages', 'nosy', 'files')
)
db.security.addPermissionToRole ('User', p)
def pending_approval (db, userid, itemid) :
""" Users are allowed to edit message if a pending
approval from them is linked to the PR.
"""
if not linked_pr (db, userid, itemid) :
return False
if open_or_approving (db, userid, itemid) :
return True
# Also allow for reject because message is tried to attach twice
# We allow this only for some time (5 min after last change)
st_reject = db.pr_status.lookup ('rejected')
pr = db.purchase_request.getnode (itemid)
if pr.status != st_reject :
return False
now = date.Date ('.')
if pr.activity + date.Interval ('00:05:00') > now :
return True
return False
# end def pending_approval
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = pending_approval
, description = fixdoc (pending_approval.__doc__)
, properties = ('messages', 'nosy', 'files')
)
db.security.addPermissionToRole ('User', p)
def linked_to_pr (db, userid, itemid) :
""" Users are allowed to view if approval is linked to viewable PR.
"""
if not itemid or itemid < 1 :
return False
ap = db.pr_approval.getnode (itemid)
pr = ap.purchase_request
if own_pr (db, userid, pr) :
return True
if linked_pr (db, userid, pr) :
return True
return False
# end def linked_to_pr
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_approval'
, check = linked_to_pr
, description = fixdoc (linked_to_pr.__doc__)
)
db.security.addPermissionToRole ('User', p)
def approval_undecided (db, userid, itemid) :
""" User is allowed to change status of undecided approval if
they are the owner/deputy or have appropriate role.
In addition this is allowed if they have a delegated
approval or are an active substitute.
We also allow pr.status to be 'rejected': This cannot change
the outcome (once approved or rejected the pr.status cannot
change) but allows for race condition when someone has
several approvals in a single mask and one of that approvals
changed the PR to rejected before the others were processed.
"""
if not itemid or itemid < 1 :
return False
ap = db.pr_approval.getnode (itemid)
pr = db.purchase_request.getnode (ap.purchase_request)
und = db.pr_approval_status.lookup ('undecided')
st_open = db.pr_status.lookup ('open')
st_approving = db.pr_status.lookup ('approving')
st_reject = db.pr_status.lookup ('rejected')
if ( ap.status == und
and ( userid in common.approval_by (db, ap.user)
or userid in common.approval_by (db, ap.deputy)
or (ap.role_id and prlib.has_pr_role (db, userid, ap.role_id))
)
and pr.status in (st_open, st_approving, st_reject)
) :
return True
return False
# end def approval_undecided
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_approval'
, check = approval_undecided
, description = fixdoc (approval_undecided.__doc__)
, properties = ('status', 'msg')
)
db.security.addPermissionToRole ('User', p)
def get_pr_from_offer_item (db, itemid) :
prs = db.purchase_request.filter (None, dict (offer_items = itemid))
if len (prs) == 0 :
return None
assert len (prs) == 1
return db.purchase_request.getnode (prs [0])
# end def get_pr_from_offer_item
def linked_from_pr (db, userid, itemid) :
""" Users are allowed to view if offer is linked from PR.
"""
if not itemid or itemid < 1 :
return True
off = db.pr_offer_item.getnode (itemid)
pr = get_pr_from_offer_item (db, itemid)
if pr is None :
return False
if own_pr (db, userid, pr.id) :
return True
if linked_pr (db, userid, pr.id) :
return True
return False
# end def linked_from_pr
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_offer_item'
, check = linked_from_pr
, description = fixdoc (linked_from_pr.__doc__)
)
db.security.addPermissionToRole ('User', p)
def add_to_las_false (db, userid, itemid) :
""" Allow setting add_to_las from 'None' for orphanes offer items.
"""
if itemid is None :
return False
oi = db.pr_offer_item.getnode (itemid)
pr = get_pr_from_offer_item (db, itemid)
if pr is not None :
return False
if oi.add_to_las is None :
return True
return False
# end def add_to_las_false
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_offer_item'
, check = add_to_las_false
, description = fixdoc (add_to_las_false.__doc__)
, properties = ('add_to_las',)
)
db.security.addPermissionToRole ('User', p)
def linked_and_editable (db, userid, itemid) :
""" Users are allowed to edit if offer is linked from PR and PR
is editable.
"""
if not itemid or itemid < 1 :
return True
if not linked_from_pr (db, userid, itemid) :
return False
pr = get_pr_from_offer_item (db, itemid)
if pr is None :
return False
return own_pr_and_open_or_rej (db, userid, pr.id)
# end def linked_and_editable
p = db.security.addPermission \
( name = 'Edit'
, klass = 'pr_offer_item'
, check = linked_and_editable
, description = fixdoc (linked_and_editable.__doc__)
)
db.security.addPermissionToRole ('User', p)
def approved_or_ordered (db, userid, itemid) :
""" User with view role is allowed editing if status
is 'approved' or 'ordered'
"""
if not pr_pt_role (db, userid, itemid) :
return False
pr = db.purchase_request.getnode (itemid)
stati = []
for n in ('approved', 'ordered') :
try :
st = db.pr_status.lookup (n)
stati.append (st)
except KeyError :
pass
if pr.status in stati :
return True
return False
# end def approved_or_ordered
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = approved_or_ordered
, description = fixdoc (approved_or_ordered.__doc__)
, properties = ('status', 'messages', 'files', 'nosy')
)
db.security.addPermissionToRole ('User', p)
schemadef.register_nosy_classes (db, ['purchase_request'])
def user_on_nosy (db, userid, itemid) :
""" User is allowed if on the nosy list
"""
pr = db.purchase_request.getnode (itemid)
if userid in pr.nosy :
return True
# end def user_on_nosy
p = db.security.addPermission \
( name = 'View'
, klass = 'purchase_request'
, check = user_on_nosy
, description = fixdoc (user_on_nosy.__doc__)
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = user_on_nosy
, description = fixdoc (user_on_nosy.__doc__)
, properties = ('messages', 'files', 'nosy')
)
db.security.addPermissionToRole ('User', p)
def user_on_nosy_approval (db, userid, itemid) :
""" User is allowed if on the nosy list of the PR
"""
ap = db.pr_approval.getnode (itemid)
return user_on_nosy (db, userid, ap.purchase_request)
# end def user_on_nosy
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_approval'
, check = user_on_nosy_approval
, description = fixdoc (user_on_nosy_approval.__doc__)
)
db.security.addPermissionToRole ('User', p)
def user_on_nosy_offer (db, userid, itemid) :
""" User is allowed if on the nosy list of the PR
"""
if not itemid or itemid < 1 :
return True
prs = db.purchase_request.filter (None, dict (offer_items = itemid))
assert len (prs) <= 1
if prs :
return user_on_nosy (db, userid, prs [0])
return False
# end def user_on_nosy
p = db.security.addPermission \
( name = 'View'
, klass = 'pr_offer_item'
, check = user_on_nosy_offer
, description = fixdoc (user_on_nosy_offer.__doc__)
)
db.security.addPermissionToRole ('User', p)
def view_pr_risks (db, userid, itemid) :
""" User is allowed to view special risks
if the PR has appropriate status
and the user is creator or owner of the PR or has one of the
view roles.
"""
st_open = db.pr_status.lookup ('open')
pr = db.purchase_request.getnode (itemid)
if pr.status == st_open :
return False
if own_pr (db, userid, itemid) :
return True
if pr_pt_role (db, userid, itemid) :
return True
return False
# end def view_pr_risks
p = db.security.addPermission \
( name = 'View'
, klass = 'purchase_request'
, check = view_pr_risks
, description = fixdoc (view_pr_risks.__doc__)
, properties = ('pr_risks',)
)
db.security.addPermissionToRole ('User', p)
def edit_pr_risks (db, userid, itemid) :
""" User is allowed to edit special risks
if the PR has appropriate status.
"""
st_open = db.pr_status.lookup ('open')
pr = db.purchase_request.getnode (itemid)
if pr.status == st_open :
return False
return True
# end def edit_pr_risks
p = db.security.addPermission \
( name = 'Edit'
, klass = 'purchase_request'
, check = edit_pr_risks
, description = fixdoc (edit_pr_risks.__doc__)
, properties = ('pr_risks',)
)
db.security.addPermissionToRole ('Procurement', p)
p = db.security.addPermission \
( name = 'View'
, klass = 'user'
, check = schemadef.own_user_record
, description = "Users are allowed to view some of their details"
, properties = ('supervisor', 'clearance_by', 'want_no_messages')
)
db.security.addPermissionToRole ('User', p)
def security (db, ** kw) :
roles = \
[ ("IT", "IT-Department")
, ("ITView", "View but not change IT data")
, ("Nosy", "Allowed on nosy list")
, ("Sec-Incident-Responsible", "Responsible for Security-Incident")
, ("Sec-Incident-Nosy", "Nosy-List for Security-Incident")
]
# classname allowed to view / edit
classes = \
[ ("it_category", ["User"], ["IT"])
, ("it_int_prio", [ "IT", "ITView"
, "Sec-Incident-Nosy"
, "Sec-Incident-Responsible"], ["IT"])
, ("it_issue_status", ["User"], [])
, ("it_issue", [ "IT", "ITView"
, "Sec-Incident-Nosy"
, "Sec-Incident-Responsible"], ["IT"])
, ("it_prio", ["User"], [])
, ("it_project", [ "IT", "ITView"
, "Sec-Incident-Nosy"
, "Sec-Incident-Responsible"], ["IT"])
, ("it_project_status", ["User"], [])
, ("it_request_type", ["User"], ["IT"])
]
prop_perms = \
[ ( "file", "Edit", ["IT"]
, ("type", "name")
)
, ( "location", "Edit", ["IT"]
, ("domain_part",)
)
, ( "organisation", "Edit", ["IT"]
, ("domain_part",)
)
, ( "user", "Edit", ["IT"]
, ( "address", "alternate_addresses", "nickname"
, "password", "timezone", "username"
)
)
, ( "user", "View", ["User"]
, ( "activity", "actor", "address", "alternate_addresses"
, "creation", "creator", "id", "queries", "realname"
, "status", "timezone", "username"
)
)
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
def is_responsible (db, userid, itemid) :
"""Determine whether the user is responsible for an issue
"""
return db.it_issue.get (itemid, 'responsible') == userid
# end def is_responsible
def responsible_or_stakeholder (db, userid, itemid) :
"""Determine whether the user is responsible for or the
stakeholder of an issue
"""
return \
( db.it_issue.get (itemid, 'responsible') == userid
or db.it_issue.get (itemid, 'stakeholder') == userid
)
# end def responsible_or_stakeholder
p = db.security.addPermission \
( name = 'Edit'
, klass = 'it_issue'
, check = responsible_or_stakeholder
, description = \
"User is allowed to edit several fields if he is "
"Stakeholder/Responsible for an it_issue"
, properties = ('deadline', 'status', 'title')
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'it_issue'
, check = is_responsible
, description = \
"User is allowed to edit several fields if he is "
"Responsible for an it_issue"
, properties = ('responsible',)
)
db.security.addPermissionToRole ('User', p)
db.security.addPermissionToRole ('User', 'Create', 'it_issue')
schemadef.register_confidentiality_check \
(db, 'User', 'it_issue', ('View',))
schemadef.register_confidentiality_check \
(db, 'User', 'it_issue', ('Edit',), "messages", "files", "nosy")
schemadef.register_confidentiality_check \
(db, 'User', 'it_project', ('View',))
schemadef.register_confidentiality_check \
(db, 'User', 'it_project', ('Edit',), "messages", "files", "nosy")
schemadef.register_nosy_classes (db, ['it_issue', 'it_project'])
schemadef.add_search_permission (db, 'it_issue', 'User')
schemadef.add_search_permission (db, 'it_project', 'User')
def security (db, ** kw) :
roles = \
[ ("IT", "IT-Department")
, ("ITView", "View but not change IT data")
, ("Nosy", "Allowed on nosy list")
, ("Sec-Incident-Responsible", "Responsible for Security-Incident")
, ("Sec-Incident-Nosy", "Nosy-List for Security-Incident")
]
# classname allowed to view / edit
classes = \
[ ("it_category", ["User"], ["IT"])
, ("it_int_prio", [ "IT", "ITView"
, "Sec-Incident-Nosy"
, "Sec-Incident-Responsible"], ["IT"])
, ("it_issue_status", ["User"], [])
, ("it_issue", [ "IT", "ITView"
, "Sec-Incident-Nosy"
, "Sec-Incident-Responsible"], ["IT"])
, ("it_prio", ["User"], [])
, ("it_project", [ "IT", "ITView"
, "Sec-Incident-Nosy"
, "Sec-Incident-Responsible"], ["IT"])
, ("it_project_status", ["User"], [])
, ("it_request_type", ["User"], ["IT"])
]
prop_perms = \
[ ( "file", "Edit", ["IT"]
, ("type", "name")
)
, ( "location", "Edit", ["IT"]
, ("domain_part",)
)
, ( "org_location", "Edit", ["IT"]
, ("smb_domain", "dhcp_server", "domino_dn")
)
, ( "organisation", "Edit", ["IT"]
, ("domain_part",)
)
, ( "user", "Edit", ["IT"]
, ( "address", "alternate_addresses", "nickname"
, "password", "timezone", "username"
, "is_lotus_user", "sync_with_ldap", "group"
, "secondary_groups", "uid", "home_directory", "login_shell"
, "samba_home_drive", "samba_home_path", "samba_kickoff_time"
, "samba_lm_password", "samba_logon_script", "samba_nt_password"
, "samba_profile_path", "samba_pwd_can_change", "samba_pwd_last_set"
, "samba_pwd_must_change", "user_password", "shadow_last_change"
, "shadow_min", "shadow_max", "shadow_warning", "shadow_inactive"
, "shadow_expire", "shadow_used"
)
)
, ( "user", "View", ["User"]
, ( "activity", "actor", "address", "alternate_addresses"
, "clearance_by", "creation", "creator", "department"
, "firstname", "id", "job_description", "lastname"
, "lunch_duration", "lunch_start", "nickname"
, "pictures", "position", "queries", "realname", "room", "sex"
, "status", "subst_active", "subst_until", "substitute"
, "supervisor", "timezone"
, "title", "username", "home_directory", "login_shell"
, "samba_home_drive", "samba_home_path"
)
)
]
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
def is_responsible (db, userid, itemid) :
"""Determine whether the user is responsible for an issue
"""
return db.it_issue.get (itemid, 'responsible') == userid
# end def is_responsible
def responsible_or_stakeholder (db, userid, itemid) :
"""Determine whether the user is responsible for or the
stakeholder of an issue
"""
return \
( db.it_issue.get (itemid, 'responsible') == userid
or db.it_issue.get (itemid, 'stakeholder') == userid
)
# end def responsible_or_stakeholder
p = db.security.addPermission \
( name = 'Edit'
, klass = 'it_issue'
, check = responsible_or_stakeholder
, description = \
"User is allowed to edit several fields if he is "
"Stakeholder/Responsible for an it_issue"
, properties = ('deadline', 'status', 'title')
)
db.security.addPermissionToRole ('User', p)
p = db.security.addPermission \
( name = 'Edit'
, klass = 'it_issue'
, check = is_responsible
, description = \
"User is allowed to edit several fields if he is "
"Responsible for an it_issue"
, properties = ('responsible',)
)
db.security.addPermissionToRole ('User', p)
db.security.addPermissionToRole ('User', 'Create', 'it_issue')
schemadef.register_confidentiality_check \
(db, 'User', 'it_issue', ('View',))
schemadef.register_confidentiality_check \
(db, 'User', 'it_issue', ('Edit',), "messages", "files", "nosy")
schemadef.register_confidentiality_check \
(db, 'User', 'it_project', ('View',))
schemadef.register_confidentiality_check \
(db, 'User', 'it_project', ('Edit',), "messages", "files", "nosy")
schemadef.register_nosy_classes (db, ['it_issue', 'it_project'])
schemadef.add_search_permission (db, 'it_issue', 'User')
schemadef.add_search_permission (db, 'it_project', 'User')
def security (db, ** kw) :
roles = \
[ ("Issue_Admin", "Admin for issue tracker")
, ("Nosy", "Allowed on nosy list")
, ("MsgEdit", "Allowed to edit message properties")
, ("MsgSync", "Allowed to sync message with ext. tracker")
]
# classname allowed to view / edit
classes = \
[ ("issue", ["Issue_Admin"], ["Issue_Admin"])
, ("area", ["User"], ["Issue_Admin"])
, ("category", ["User"], ["Issue_Admin"])
, ("kind", ["User"], ["Issue_Admin"])
, ("msg_keyword", ["User"], ["Issue_Admin"])
, ("prodcat", ["User"], [])
, ("status", ["User"], ["Issue_Admin"])
, ("status_transition", ["User"], ["Issue_Admin"])
, ("severity", ["User"], ["Issue_Admin"])
, ("safety_level", ["User"], ["Issue_Admin"])
, ("test_level", ["User"], ["Issue_Admin"])
]
prop_perms = \
[ ( "msg", "Edit", ["MsgEdit", "MsgSync"]
, ("date", "author", "keywords", "subject", "summary", "id")
)
, ( "msg", "Edit", ["User"]
, ("keywords",)
)
]
fixdoc = schemadef.security_doc_from_docstring
def responsible_for_category (db, userid, itemid) :
""" User is allowed to edit category if he is responsible for it.
"""
if int (itemid) < 0 :
return False
resp = db.category.get (itemid, 'responsible')
return userid == resp
# end def responsible_for_category
p = db.security.addPermission \
( name = 'Edit'
, klass = 'category'
, check = responsible_for_category
, description = fixdoc (responsible_for_category.__doc__)
, properties = ('nosy', 'default_part_of')
)
db.security.addPermissionToRole ('User', p)
schemadef.register_roles (db, roles)
schemadef.register_class_permissions (db, classes, prop_perms)
schemadef.register_nosy_classes (db, ['issue'])
db.security.addPermissionToRole ('User', 'Create', 'issue')
p = db.security.addPermission \
( name = 'Search'
, klass = 'msg'
, properties = ("date", "id")
)
db.security.addPermissionToRole ('MsgEdit', p)
db.security.addPermissionToRole ('MsgSync', p)
schemadef.register_confidentiality_check \
(db, 'User', 'issue', ('View', 'Edit'))
schemadef.add_search_permission (db, 'issue', 'User')