| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127 |
- from django import forms
- from django.contrib.auth import get_user_model
- from django.core.exceptions import PermissionDenied
- from django.http import Http404
- from django.utils.translation import gettext_lazy as _
- from ..acl import algebra
- from ..acl.decorators import return_boolean
- from ..admin.forms import YesNoSwitch
- from ..users.models import AnonymousUser
- from .models import Category, CategoryRole, RoleCategoryACL
- class PermissionsForm(forms.Form):
- legend = _("Category access")
- can_see = YesNoSwitch(label=_("Can see category"))
- can_browse = YesNoSwitch(label=_("Can see category contents"))
- def change_permissions_form(role):
- if isinstance(role, CategoryRole):
- return PermissionsForm
- else:
- return None
- def build_acl(acl, roles, key_name):
- new_acl = {"visible_categories": [], "browseable_categories": [], "categories": {}}
- new_acl.update(acl)
- roles = get_categories_roles(roles)
- for category in Category.objects.all_categories():
- build_category_acl(new_acl, category, roles, key_name)
- return new_acl
- def get_categories_roles(roles):
- queryset = RoleCategoryACL.objects.filter(role__in=roles)
- queryset = queryset.select_related("category_role")
- roles = {}
- for acl_relation in queryset.iterator():
- role = acl_relation.category_role
- roles.setdefault(acl_relation.category_id, []).append(role)
- return roles
- def build_category_acl(acl, category, categories_roles, key_name):
- if category.level > 1:
- if category.parent_id not in acl["visible_categories"]:
- # dont bother with child categories of invisible parents
- return
- elif not acl["categories"][category.parent_id]["can_browse"]:
- # parent's visible, but its contents aint
- return
- category_roles = categories_roles.get(category.pk, [])
- final_acl = {"can_see": 0, "can_browse": 0}
- algebra.sum_acls(
- final_acl,
- roles=category_roles,
- key=key_name,
- can_see=algebra.greater,
- can_browse=algebra.greater,
- )
- if final_acl["can_see"]:
- acl["visible_categories"].append(category.pk)
- acl["categories"][category.pk] = final_acl
- if final_acl["can_browse"]:
- acl["browseable_categories"].append(category.pk)
- def add_acl_to_category(user_acl, target):
- target.acl["can_see"] = can_see_category(user_acl, target)
- target.acl["can_browse"] = can_browse_category(user_acl, target)
- def serialize_categories_acls(user_acl):
- categories_acl = []
- for category, acl in user_acl.pop("categories").items():
- if acl["can_browse"]:
- categories_acl.append(
- {
- "id": category,
- "can_start_threads": acl.get("can_start_threads", False),
- "can_reply_threads": acl.get("can_reply_threads", False),
- "can_pin_threads": acl.get("can_pin_threads", 0),
- "can_hide_threads": acl.get("can_hide_threads", 0),
- "can_close_threads": acl.get("can_close_threads", False),
- }
- )
- user_acl["categories"] = categories_acl
- def register_with(registry):
- registry.acl_annotator(Category, add_acl_to_category)
- registry.user_acl_serializer(serialize_categories_acls)
- def allow_see_category(user_acl, target):
- try:
- category_id = target.pk
- except AttributeError:
- category_id = int(target)
- if not category_id in user_acl["visible_categories"]:
- raise Http404()
- can_see_category = return_boolean(allow_see_category)
- def allow_browse_category(user_acl, target):
- target_acl = user_acl["categories"].get(target.id, {"can_browse": False})
- if not target_acl["can_browse"]:
- message = _('You don\'t have permission to browse "%(category)s" contents.')
- raise PermissionDenied(message % {"category": target.name})
- can_browse_category = return_boolean(allow_browse_category)
|
