Source code for fsi.security

from __future__ import annotations

from onegov.core.security import Personal
from onegov.core.security.roles import (
    get_roles_setting as get_roles_setting_base)
from onegov.core.security.rules import has_permission_logged_in
from onegov.fsi import FsiApp
from onegov.fsi.models import CourseAttendee


from typing import TYPE_CHECKING
if TYPE_CHECKING:
    from morepath.authentication import Identity
    from onegov.core.security.roles import Intent

"""
Since FSI is mainly for internal use, a user must be logged in to see even
courses.
The standard has_permission_logged_in treats members almost like anon users

The idea for permission is the following:

Personal: beeing logged in by default, can be overwritten model wise
Private: also editor can access it
Secret: admins

"""


@FsiApp.replace_setting_section(section='roles')
[docs] def get_roles_setting() -> dict[str, set[type[Intent]]]: # NOTE: Without a supporter role for now return get_roles_setting_base()
@FsiApp.permission_rule(model=object, permission=Personal)
[docs] def local_is_logged_in( app: FsiApp, identity: Identity, model: object, permission: type[Personal] ) -> bool: return identity.role in ('admin', 'editor', 'member')
@FsiApp.permission_rule(model=CourseAttendee, permission=Personal)
[docs] def has_course_attendee_permission( app: FsiApp, identity: Identity, model: CourseAttendee, permission: type[Personal] ) -> bool: if identity.role == 'member': if model.user is None: return False return model.user.username == identity.userid return has_permission_logged_in(app, identity, model, permission)