# coding=utf-8
"""
"""
from permission.logics import PermissionLogic
from permission.logics import AuthorPermissionLogic
class PersonaPermissionLogic(PermissionLogic):
    """
    Permission logic for the ``personas.*`` permissions.

    Every decision is derived from the requesting user's ``role`` (plus
    ``is_member`` and object ownership for the change permission).  Each
    ``_has_<action>_perm`` helper receives the same ``(user_obj, perm, obj)``
    triple as ``has_perm`` and returns a boolean; ``has_perm`` itself only
    routes the permission string to the matching helper.
    """

    # Permission string -> name of the helper method that decides it.
    _PERM_HANDLERS = {
        'personas.add_persona': '_has_add_perm',
        'personas.change_persona': '_has_change_perm',
        'personas.delete_persona': '_has_delete_perm',
        'personas.activate_persona': '_has_activate_perm',
        'personas.assign_role_persona': '_has_assign_role_perm',
        'personas.view_retired_persona': '_has_view_retired_perm',
    }

    def _has_add_perm(self, user_obj, perm, obj):
        # Only staff of seele rank or above may add a user by hand
        # (manual user creation is only possible from the admin page).
        return user_obj.role in ('adam', 'seele',)

    def _has_change_perm(self, user_obj, perm, obj):
        # A member may only edit their own Persona.  Without an object this
        # is the model-level check, which any member passes.
        if obj is None:
            return user_obj.is_member
        return (obj == user_obj) and user_obj.is_member

    def _has_delete_perm(self, user_obj, perm, obj):
        # Nobody other than a superuser holds delete permission.
        return False

    def _has_activate_perm(self, user_obj, perm, obj):
        # Only staff of nerv rank or above may activate a user by hand
        # (admin page only).
        # NOTE(review): the original comment says "nerv or above" but the
        # tuple omits 'adam' (same for the two helpers below) — presumably
        # 'adam' is the Django superuser and is granted elsewhere; confirm.
        return user_obj.role in ('seele', 'nerv',)

    def _has_view_retired_perm(self, user_obj, perm, obj):
        return user_obj.role in ('children', 'seele', 'nerv')

    def _has_assign_role_perm(self, user_obj, perm, obj):
        # Only seele rank or above may change a user's role.
        return user_obj.role in ('seele',)

    def has_perm(self, user_obj, perm, obj=None):
        """
        Return whether ``user_obj`` holds ``perm`` (optionally on ``obj``).

        Unauthenticated users are denied outright, as are permission strings
        not listed in ``_PERM_HANDLERS``; everything else is delegated to the
        named helper.
        """
        # NOTE(review): ``is_authenticated`` is invoked as a method here; on
        # Django 1.10+ it is a property (calling it fails on 2.0+) — confirm
        # the Django version this file targets.
        if not user_obj.is_authenticated():
            return False
        handler_name = self._PERM_HANDLERS.get(perm)
        if handler_name is None:
            return False
        return getattr(self, handler_name)(user_obj, perm, obj)
class BaseRolePermissionLogic(PermissionLogic):
    """
    Base permission logic for a role based permission system.

    Decisions are made from ``user_obj.role``; subclasses list the roles
    that receive the configured permissions in ``role_names``.
    """
    role_names = []

    def __init__(self,
                 any_permission=False,
                 add_permission=False,
                 change_permission=False,
                 delete_permission=False):
        """
        Configure which permissions the listed roles receive.

        Parameters
        ----------
        any_permission : boolean
            Grant every permission of the model / object to the listed
            roles.  Defaults to ``False``.
        add_permission : boolean
            Grant the (model-level) add permission to the listed roles.
            Defaults to ``False``.
        change_permission : boolean
            Grant the object-level change permission to the listed roles.
            Defaults to ``False``.
        delete_permission : boolean
            Grant the object-level delete permission to the listed roles.
            Defaults to ``False``.
        """
        self.any_permission = any_permission
        self.add_permission = add_permission
        self.change_permission = change_permission
        self.delete_permission = delete_permission

    def _has_model_perm(self, perm, role, add_name):
        # Model-level check (no object): only ``any_permission`` and
        # ``add_permission`` can grant here; change/delete are object-only.
        if self.any_permission and role in self.role_names:
            return True
        if self.add_permission and perm == add_name:
            return bool(role and role in self.role_names)
        return False

    def _has_object_perm(self, perm, role, change_name, delete_name):
        # Object-level check: the role must be listed, then either
        # ``any_permission`` or the matching change/delete flag grants.
        if not (role and role in self.role_names):
            return False
        if self.any_permission:
            return True
        return bool((self.change_permission and perm == change_name) or
                    (self.delete_permission and perm == delete_name))

    def has_perm(self, user_obj, perm, obj=None):
        """
        Check whether the user holds the permission (of the object).

        Inactive users are always denied.  Without an object the user's role
        is granted the permission when ``any_permission`` is set, or when
        ``add_permission`` is set and ``perm`` is the model's add permission.
        With an object the role must be listed in ``role_names`` and either
        ``any_permission`` is set or the matching ``change_permission`` /
        ``delete_permission`` flag is set.

        Parameters
        ----------
        user_obj : django user model instance
            The user being checked; its ``role`` attribute is consulted
            (a missing attribute is treated as no role).
        perm : string
            ``app_label.codename`` formatted permission string.
        obj : None or django model instance
            None for a model permission, otherwise the object in question.

        Returns
        -------
        boolean
            Whether the user holds the permission (of the object).
        """
        add_name = self.get_full_permission_string('add')
        change_name = self.get_full_permission_string('change')
        delete_name = self.get_full_permission_string('delete')
        if not user_obj.is_active:
            return False
        role = getattr(user_obj, 'role', None)
        if obj is None:
            return self._has_model_perm(perm, role, add_name)
        return self._has_object_perm(perm, role, change_name, delete_name)
class ChildrenPermissionLogic(BaseRolePermissionLogic):
    """
    Role based permission logic granted to the ``children`` role and above.
    """
    role_names = [
        'adam',
        'seele',
        'nerv',
        'children',
    ]
class NervPermissionLogic(BaseRolePermissionLogic):
    """
    Role based permission logic granted to the ``nerv`` (staff) role and
    above.
    """
    role_names = [
        'adam',
        'seele',
        'nerv',
    ]
class SeelePermissionLogic(BaseRolePermissionLogic):
    """
    Role based permission logic granted to the ``seele`` role and above.
    """
    role_names = [
        'adam',
        'seele',
    ]
class AdamPermissionLogic(BaseRolePermissionLogic):
    """
    Role based permission logic granted to the ``adam`` (superuser) role
    only.
    """
    role_names = [
        'adam',
    ]
class KawazAuthorPermissionLogic(AuthorPermissionLogic):
    """
    AuthorPermissionLogic tailored for Kawaz.

    In Kawaz a ``wille`` user is, at this stage, never an author.  The stock
    AuthorPermissionLogic grants model permissions to any logged-in user,
    which makes ``wille`` users awkward to handle, so this variant denies
    everything for an authenticated user whose role is below ``children``.
    """
    role_names = ['adam', 'seele', 'nerv', 'children']

    def has_perm(self, user_obj, perm, obj=None):
        """
        Return whether ``user_obj`` holds ``perm`` (optionally on ``obj``).

        An authenticated user whose ``role`` is not in ``role_names`` is
        refused before the base class can grant anything; every other case
        is decided by ``AuthorPermissionLogic.has_perm``.
        """
        # NOTE(review): ``is_authenticated`` is invoked as a method here; on
        # Django 1.10+ it is a property (calling it fails on 2.0+) — confirm
        # the Django version this file targets.
        if user_obj.is_authenticated():
            # Only read ``role`` for authenticated users, as the original did.
            if user_obj.role not in self.role_names:
                return False
        return super().has_perm(user_obj, perm, obj)