add role hierarchy
parent
caa28f1ed0
commit
ec7bee3971
@ -43,7 +43,8 @@ class AppConfig(django.apps.AppConfig):
|
|||
sender=get_ou_model())
|
||||
|
||||
def ou_post_save(self, sender, instance, raw, created, **kwargs):
|
||||
return
|
||||
from .utils import update_roles
|
||||
update_roles()
|
||||
|
||||
def get_a2_manager_actions(self, model=None, **kwargs):
|
||||
'''Retourne des actions utilisateurs pour la gestion France Connect'''
|
||||
|
|
|
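Review bot: `ou_post_save` returns on its first statement, so the `from .utils import update_roles` import and the `update_roles()` call that follow it are unreachable and the role sync never runs when an OU is saved. The hunk carries a single addition and no side markers survive, so I cannot tell whether the `return` is the new line or was already there; either way, if disabling the handler is deliberate, say so in place, e.g. `return  # OU-triggered role sync disabled on purpose: <reason>`, and otherwise drop the `return`. The enclosing `AppConfig` class and the `get_a2_manager_actions` method continue outside the hunk.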
@ -0,0 +1,3 @@
|
|||
A2_MANAGER_SHOW_INTERNAL_ROLES = True
|
||||
A2_MANAGER_ROLE_MEMBERS_FROM_OU = True
|
||||
A2_RBAC_MANAGED_CONTENT_TYPES = ()
|
|
@ -0,0 +1,198 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
from django.contrib.contenttypes.models import ContentType
|
||||
from django.contrib.auth import get_user_model
|
||||
from django_rbac.utils import get_ou_model, get_role_model, get_operation, get_permission_model
|
||||
from django_rbac.models import CHANGE_OP, SEARCH_OP, ADD_OP, VIEW_OP, DELETE_OP, ADMIN_OP
|
||||
from authentic2.a2_rbac.models import CHANGE_PASSWORD_OP, RESET_PASSWORD_OP, ACTIVATE_OP
|
||||
|
||||
OU = get_ou_model()
|
||||
Role = get_role_model()
|
||||
Permission = get_permission_model()
|
||||
User = get_user_model()
|
||||
|
||||
ROLE_TEMPLATES = [
|
||||
{
|
||||
'name': u'Administrateur CUT - création',
|
||||
'slug': '_a2-cut-create',
|
||||
'operations': [ADD_OP],
|
||||
'target': 'user_ct',
|
||||
'scope': 'ou_usagers',
|
||||
},
|
||||
{
|
||||
'name': u'Administrateur CUT - recherche',
|
||||
'slug': '_a2-cut-search',
|
||||
'operations': [SEARCH_OP],
|
||||
'target': 'user_ct',
|
||||
'scope': 'ou_usagers',
|
||||
},
|
||||
{
|
||||
'name': u'Administrateur CUT - lecture',
|
||||
'slug': '_a2-cut-view',
|
||||
'operations': [VIEW_OP],
|
||||
'target': 'user_ct',
|
||||
'scope': 'ou_usagers',
|
||||
},
|
||||
{
|
||||
'name': u'Administrateur CUT - modification',
|
||||
'slug': '_a2-cut-change',
|
||||
'operations': [CHANGE_OP],
|
||||
'target': 'user_ct',
|
||||
'scope': 'ou_usagers',
|
||||
},
|
||||
{
|
||||
'name': u'Administrateur CUT - suppression',
|
||||
'slug': '_a2-cut-delete',
|
||||
'operations': [DELETE_OP],
|
||||
'target': 'user_ct',
|
||||
'scope': 'ou_usagers',
|
||||
},
|
||||
{
|
||||
'name': u'Administrateur CUT - mot de passe',
|
||||
'slug': '_a2-cut-passwords',
|
||||
'operations': [RESET_PASSWORD_OP],
|
||||
'target': 'user_ct',
|
||||
'scope': 'ou_usagers',
|
||||
},
|
||||
{
|
||||
'name': u'Administrateur CUT - suspension',
|
||||
'slug': '_a2-cut-activate',
|
||||
'operations': [ACTIVATE_OP],
|
||||
'target': 'user_ct',
|
||||
'scope': 'ou_usagers',
|
||||
},
|
||||
{
|
||||
'name': u'Administrateur CUT - validation',
|
||||
'slug': '_a2-cut-validate',
|
||||
'operations': [],
|
||||
'target': 'user_ct',
|
||||
'scope': 'ou_usagers',
|
||||
},
|
||||
{
|
||||
'name': u'Administrateur CUT - fc',
|
||||
'slug': '_a2-cut-fc',
|
||||
'operations': [],
|
||||
'target': 'user_ct',
|
||||
'scope': 'ou_usagers',
|
||||
},
|
||||
{
|
||||
'name': u'Administrateur CUT',
|
||||
'slug': '_a2-cut-admin-usagers',
|
||||
'role_parents': [
|
||||
'_a2-cut-create',
|
||||
'_a2-cut-search',
|
||||
'_a2-cut-view',
|
||||
'_a2-cut-change',
|
||||
'_a2-cut-delete',
|
||||
'_a2-cut-passwords',
|
||||
'_a2-cut-activate',
|
||||
'_a2-cut-validate',
|
||||
'_a2-cut-fc',
|
||||
]
|
||||
},
|
||||
{
|
||||
'name': u'Utilisateurs',
|
||||
'slug': '_a2-cut-admin-users',
|
||||
'operations': [ADMIN_OP],
|
||||
'target': 'user_ct',
|
||||
'scope': 'self',
|
||||
'child': 'ou_territoire',
|
||||
},
|
||||
{
|
||||
'name': u'Rôles',
|
||||
'slug': '_a2-cut-admin-roles',
|
||||
'operations': [ADMIN_OP],
|
||||
'target': 'role_ct',
|
||||
'scope': 'self',
|
||||
'child': 'ou_territoire',
|
||||
},
|
||||
{
|
||||
'name': u'Administrateur lecteur',
|
||||
'slug': '_a2-cut-admin-view-only',
|
||||
'operations': [VIEW_OP],
|
||||
'target': 'user_ct',
|
||||
'scope': 'self',
|
||||
'child': 'ou_territoire',
|
||||
},
|
||||
{
|
||||
'name': u'Administrateur',
|
||||
'slug': '_a2-cut-admin',
|
||||
'role_parents': [
|
||||
'_a2-cut-admin-users',
|
||||
'_a2-cut-admin-roles'
|
||||
]
|
||||
},
|
||||
]
|
||||
|
||||
|
||||
def update_roles():
|
||||
default_ou = OU.objects.get(default=True)
|
||||
if default_ou.slug != 'usagers':
|
||||
default_ou.default = False
|
||||
default_ou.save()
|
||||
|
||||
ou_usagers, created = OU.objects.get_or_create(
|
||||
slug='usagers',
|
||||
defaults={
|
||||
'name': u'Usagers',
|
||||
'default': True
|
||||
}
|
||||
)
|
||||
|
||||
ou_territoire, created = OU.objects.get_or_create(
|
||||
name=u'Territoire',
|
||||
slug='territoire',
|
||||
defaults={
|
||||
'name': u'Territoire',
|
||||
}
|
||||
)
|
||||
|
||||
ct_ct = ContentType.objects.get_for_model(ContentType)
|
||||
user_ct = ContentType.objects.get_for_model(User)
|
||||
role_ct = ContentType.objects.get_for_model(Role)
|
||||
|
||||
roles = {}
|
||||
|
||||
def handle_ou(ou, ou_usagers, ou_territoire, user_ct, role_ct, **kwargs):
|
||||
if ou.slug == 'usagers':
|
||||
return
|
||||
for tpl in ROLE_TEMPLATES:
|
||||
role, created = Role.objects.get_or_create(
|
||||
slug=tpl['slug'],
|
||||
ou=ou,
|
||||
defaults={
|
||||
'name': tpl['name']
|
||||
}
|
||||
)
|
||||
roles[(ou, tpl['slug'])] = role
|
||||
if tpl.get('operations'):
|
||||
target_ct = vars()[tpl['target']]
|
||||
if tpl['scope'] == 'self':
|
||||
scope = ou
|
||||
else:
|
||||
scope = vars()[tpl['scope']]
|
||||
permissions = []
|
||||
for operation in tpl['operations']:
|
||||
op = get_operation(operation)
|
||||
permission, created = Permission.objects.get_or_create(
|
||||
operation=op,
|
||||
ou=scope,
|
||||
target_ct=ct_ct,
|
||||
target_id=target_ct.pk)
|
||||
permissions.append(permission)
|
||||
role.permissions = permissions
|
||||
role.add_self_administration()
|
||||
if tpl.get('child') and ou.slug != tpl.get('child'):
|
||||
child_ou = vars()[tpl['child']]
|
||||
child_role = Role.objects.get(
|
||||
ou=child_ou,
|
||||
slug=tpl['slug'])
|
||||
role.add_child(child_role)
|
||||
if 'role_parents' in tpl:
|
||||
for role_parent in tpl['role_parents']:
|
||||
role.add_parent(roles[(ou, role_parent)])
|
||||
slugs = [tpl['slug'] for tpl in ROLE_TEMPLATES]
|
||||
Role.objects.filter(slug__startswith='_a2-cut').exclude(slug__in=slugs).delete()
|
||||
handle_ou(ou_territoire, **vars())
|
||||
for ou in OU.objects.exclude(slug__in=['usagers', 'territoire']):
|
||||
handle_ou(**vars())
|
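Review bot: In `handle_ou` the guard `if tpl.get('child') and ou.slug != tpl.get('child'):` compares an OU slug (`territoire`) with a variable name (`ou_territoire`), so it is always true; on the first call `handle_ou(ou_territoire, **vars())` the child OU resolves to the same OU and `role.add_child(role)` is executed for `_a2-cut-admin-users`, `_a2-cut-admin-roles` and `_a2-cut-admin-view-only` (whether django_rbac rejects a self-child is not visible here). Compare the resolved OU instead: `if tpl.get('child') and vars()[tpl['child']] != ou:`. The cleanup `Role.objects.filter(slug__startswith='_a2-cut').exclude(slug__in=slugs).delete()` is not restricted to `ou` and re-runs once per OU, so a rename in `ROLE_TEMPLATES` deletes the old role, and its memberships, in every OU at once; adding `ou=ou` to the filter (or hoisting the delete out of `handle_ou`) limits that. `OU.objects.get_or_create(name=u'Territoire', slug='territoire', ...)` puts `name` in the lookup, so an OU whose slug is `territoire` but whose name was changed makes `get_or_create` attempt a second insert with the same slug; use `slug='territoire'` as the only lookup key, as the `usagers` call above does. `role.permissions = permissions` also replaces any permissions an administrator granted to these roles on every run; if that is intended, a comment stating that `_a2-cut*` roles are fully managed by this function would help the next reader.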