Source code for translator_directory.security

from onegov.core.security import Public, Personal
from onegov.core.security.roles import (
    get_roles_setting as get_roles_setting_base)
from onegov.file import File
from onegov.org.models import GeneralFileCollection, GeneralFile
from onegov.ticket import Ticket, TicketCollection
from onegov.translator_directory import TranslatorDirectoryApp
from onegov.translator_directory.collections.documents import (
    TranslatorDocumentCollection)
from onegov.translator_directory.models.translator import Translator
from onegov.translator_directory.models.ticket import AccreditationTicket
from onegov.translator_directory.models.ticket import TranslatorMutationTicket
from onegov.user import Auth


from typing import TYPE_CHECKING
if TYPE_CHECKING:
    from morepath.authentication import Identity, NoIdentity
    from onegov.core.security.roles import Intent

"""

The standard permission model is used and mapped as followed:
- Anonymous users can log in.
- Translators can view their own personal information and report changes.
- Members can additionally view the translators and their vouchers.
- Editors can additionally editor some informations of translators.
- Admins can do everything.

"""


@TranslatorDirectoryApp.setting_section(section="roles")
[docs] def get_roles_setting() -> dict[str, set[type['Intent']]]: result = get_roles_setting_base() result['translator'] = {Public} return result
@TranslatorDirectoryApp.permission_rule(model=object, permission=object)
[docs] def has_permission_logged_in( app: TranslatorDirectoryApp, identity: 'Identity', model: object, permission: object ) -> bool: if getattr(model, 'access', None) == 'private': if identity.role not in ('admin', 'editor'): return False if getattr(model, 'access', None) == 'member': if identity.role not in ('admin', 'editor', 'member', 'translator'): return False return permission in getattr(app.settings.roles, identity.role)
@TranslatorDirectoryApp.permission_rule(model=Auth, permission=object)
[docs] def restrict_auth_access( app: TranslatorDirectoryApp, identity: 'Identity', model: Auth, permission: object ) -> bool: if permission == Personal and identity.role == 'translator': return True return permission in getattr(app.settings.roles, identity.role)
@TranslatorDirectoryApp.permission_rule(model=Translator, permission=object)
[docs] def restrict_translator_access( app: TranslatorDirectoryApp, identity: 'Identity', model: Translator, permission: object ) -> bool: if model.for_admins_only and identity.role not in ('admin', 'translator'): return False if ( identity.role == 'translator' and identity.userid == model.email and permission == Personal ): return True return permission in getattr(app.settings.roles, identity.role)
@TranslatorDirectoryApp.permission_rule( model=Translator, permission=object, identity=None)
[docs] def restrict_translator_access_anon( app: TranslatorDirectoryApp, identity: 'NoIdentity', model: Translator, permission: object ) -> bool: if model.for_admins_only: return False return permission in app.settings.roles.anonymous
@TranslatorDirectoryApp.permission_rule( model=GeneralFileCollection, permission=object)
[docs] def restrict_general_file_coll_access( app: TranslatorDirectoryApp, identity: 'Identity', model: GeneralFileCollection, permission: object ) -> bool: return identity.role == 'admin'
@TranslatorDirectoryApp.permission_rule( model=GeneralFileCollection, permission=object, identity=None)
[docs] def restrict_general_file_coll_access_anon( app: TranslatorDirectoryApp, identity: 'NoIdentity', model: GeneralFileCollection, permission: object ) -> bool: return False
@TranslatorDirectoryApp.permission_rule( model=File, permission=object)
[docs] def restrict_file_access( app: TranslatorDirectoryApp, identity: 'Identity', model: File, permission: object ) -> bool: return identity.role == 'admin'
@TranslatorDirectoryApp.permission_rule( model=File, permission=object, identity=None)
[docs] def restrict_file_access_anon( app: TranslatorDirectoryApp, identity: 'NoIdentity', model: File, permission: object ) -> bool: return False
@TranslatorDirectoryApp.permission_rule( model=GeneralFile, permission=object)
[docs] def restrict_general_file_access( app: TranslatorDirectoryApp, identity: 'Identity', model: GeneralFile, permission: object ) -> bool: if not model.published: if identity.role not in ('admin', 'editor', 'member', 'translator'): return False return permission in getattr(app.settings.roles, identity.role)
@TranslatorDirectoryApp.permission_rule( model=GeneralFile, permission=object, identity=None)
[docs] def restrict_general_file_access_anon( app: TranslatorDirectoryApp, identity: 'NoIdentity', model: GeneralFile, permission: object ) -> bool: if not model.published: return False return permission == Public
@TranslatorDirectoryApp.permission_rule( model=TranslatorDocumentCollection, permission=object)
[docs] def restrict_translator_docs_coll_access( app: TranslatorDirectoryApp, identity: 'Identity', model: TranslatorDocumentCollection, permission: object ) -> bool: return identity.role == 'admin'
@TranslatorDirectoryApp.permission_rule( model=TranslatorDocumentCollection, permission=object, identity=None)
[docs] def disable_translator_docs_coll_access_anon( app: TranslatorDirectoryApp, identity: 'NoIdentity', model: TranslatorDocumentCollection, permission: object ) -> bool: return False
@TranslatorDirectoryApp.permission_rule( model=TicketCollection, permission=object)
[docs] def restricts_ticket( app: TranslatorDirectoryApp, identity: 'Identity', model: TicketCollection, permission: object ) -> bool: return identity.role == 'admin'
@TranslatorDirectoryApp.permission_rule( model=TicketCollection, permission=object, identity=None)
[docs] def restricts_ticket_anon( app: TranslatorDirectoryApp, identity: 'NoIdentity', model: TicketCollection, permission: object ) -> bool: return False
@TranslatorDirectoryApp.permission_rule(model=Ticket, permission=object)
[docs] def restrict_ticket( app: TranslatorDirectoryApp, identity: 'Identity', model: Ticket, permission: object ) -> bool: return identity.role == 'admin'
@TranslatorDirectoryApp.permission_rule( model=Ticket, permission=object, identity=None)
[docs] def restrict_ticket_anon( app: TranslatorDirectoryApp, identity: 'NoIdentity', model: Ticket, permission: object ) -> bool: return False
@TranslatorDirectoryApp.permission_rule( model=AccreditationTicket, permission=object, identity=None)
[docs] def restrict_accreditation_ticket_anon( app: TranslatorDirectoryApp, identity: 'NoIdentity', model: AccreditationTicket, permission: object ) -> bool: return permission == Public
@TranslatorDirectoryApp.permission_rule( model=AccreditationTicket, permission=object)
[docs] def restrict_accreditation_ticket( app: TranslatorDirectoryApp, identity: 'Identity', model: AccreditationTicket, permission: object ) -> bool: if permission == Public: return True return identity.role == 'admin'
@TranslatorDirectoryApp.permission_rule( model=TranslatorMutationTicket, permission=object)
[docs] def restrict_translator_mutation_ticket( app: TranslatorDirectoryApp, identity: 'Identity', model: TranslatorMutationTicket, permission: object ) -> bool: if ( permission == Public and identity.role in ('editor', 'member', 'translator') and model.handler ): return model.handler.email == identity.userid return identity.role == 'admin'