add role hierarchy

This commit is contained in:
Benjamin Dauvergne 2017-06-22 09:26:41 +02:00
parent caa28f1ed0
commit ec7bee3971
3 changed files with 203 additions and 1 deletions


@ -43,7 +43,8 @@ class AppConfig(django.apps.AppConfig):
sender=get_ou_model())
def ou_post_save(self, sender, instance, raw, created, **kwargs):
return
from .utils import update_roles
update_roles()
def get_a2_manager_actions(self, model=None, **kwargs):
'''Retourne des actions utilisateurs pour la gestion France Connect'''
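Review bot: `ou_post_save` does not return early when `raw` is true, so a fixture load (`loaddata`) would also run `update_roles()` against a partially loaded table; add `if raw: return` ahead of the import. The same receiver also appears to be re-entered by `update_roles()` itself: that function saves OU rows (`default_ou.save()` and two `get_or_create` calls in utils.py) and, if this is the post_save receiver for `get_ou_model()` as the `sender=` argument suggests, each of those saves fires this handler again while the default OU is mid-transition, so a module-level reentrancy flag around the call is worth adding. The rendered page lost the +/- markers, so if the bare `return` above the import is on the new side, the two lines after it are unreachable. The receiver decorator begins before the hunk.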


@ -0,0 +1,3 @@
A2_MANAGER_SHOW_INTERNAL_ROLES = True
A2_MANAGER_ROLE_MEMBERS_FROM_OU = True
A2_RBAC_MANAGED_CONTENT_TYPES = ()

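--- /dev/null
+++ b/src/authentic2_cut/utils.py
@@ -0,0 +1,198 @@
+# -*- coding: utf-8 -*-
+from django.contrib.contenttypes.models import ContentType
+from django.contrib.auth import get_user_model
+from django_rbac.utils import get_ou_model, get_role_model, get_operation, get_permission_model
+from django_rbac.models import CHANGE_OP, SEARCH_OP, ADD_OP, VIEW_OP, DELETE_OP, ADMIN_OP
+from authentic2.a2_rbac.models import CHANGE_PASSWORD_OP, RESET_PASSWORD_OP, ACTIVATE_OP
+OU = get_ou_model()
+Role = get_role_model()
+Permission = get_permission_model()
+User = get_user_model()
+ROLE_TEMPLATES = [
+{
+'name': u'Administrateur CUT - création',
+'slug': '_a2-cut-create',
+'operations': [ADD_OP],
+'target': 'user_ct',
+'scope': 'ou_usagers',
+},
+{
+'name': u'Administrateur CUT - recherche',
+'slug': '_a2-cut-search',
+'operations': [SEARCH_OP],
+'target': 'user_ct',
+'scope': 'ou_usagers',
+},
+{
+'name': u'Administrateur CUT - lecture',
+'slug': '_a2-cut-view',
+'operations': [VIEW_OP],
+'target': 'user_ct',
+'scope': 'ou_usagers',
+},
+{
+'name': u'Administrateur CUT - modification',
+'slug': '_a2-cut-change',
+'operations': [CHANGE_OP],
+'target': 'user_ct',
+'scope': 'ou_usagers',
+},
+{
+'name': u'Administrateur CUT - suppression',
+'slug': '_a2-cut-delete',
+'operations': [DELETE_OP],
+'target': 'user_ct',
+'scope': 'ou_usagers',
+},
+{
+'name': u'Administrateur CUT - mot de passe',
+'slug': '_a2-cut-passwords',
+'operations': [RESET_PASSWORD_OP],
+'target': 'user_ct',
+'scope': 'ou_usagers',
+},
+{
+'name': u'Administrateur CUT - suspension',
+'slug': '_a2-cut-activate',
+'operations': [ACTIVATE_OP],
+'target': 'user_ct',
+'scope': 'ou_usagers',
+},
+{
+'name': u'Administrateur CUT - validation',
+'slug': '_a2-cut-validate',
+'operations': [],
+'target': 'user_ct',
+'scope': 'ou_usagers',
+},
+{
+'name': u'Administrateur CUT - fc',
+'slug': '_a2-cut-fc',
+'operations': [],
+'target': 'user_ct',
+'scope': 'ou_usagers',
+},
+{
+'name': u'Administrateur CUT',
+'slug': '_a2-cut-admin-usagers',
+'role_parents': [
+'_a2-cut-create',
+'_a2-cut-search',
+'_a2-cut-view',
+'_a2-cut-change',
+'_a2-cut-delete',
+'_a2-cut-passwords',
+'_a2-cut-activate',
+'_a2-cut-validate',
+'_a2-cut-fc',
+]
+},
+{
+'name': u'Utilisateurs',
+'slug': '_a2-cut-admin-users',
+'operations': [ADMIN_OP],
+'target': 'user_ct',
+'scope': 'self',
+'child': 'ou_territoire',
+},
+{
+'name': u'Rôles',
+'slug': '_a2-cut-admin-roles',
+'operations': [ADMIN_OP],
+'target': 'role_ct',
+'scope': 'self',
+'child': 'ou_territoire',
+},
+{
+'name': u'Administrateur lecteur',
+'slug': '_a2-cut-admin-view-only',
+'operations': [VIEW_OP],
+'target': 'user_ct',
+'scope': 'self',
+'child': 'ou_territoire',
+},
+{
+'name': u'Administrateur',
+'slug': '_a2-cut-admin',
+'role_parents': [
+'_a2-cut-admin-users',
+'_a2-cut-admin-roles'
+]
+},
+]
+def update_roles():
+default_ou = OU.objects.get(default=True)
+if default_ou.slug != 'usagers':
+default_ou.default = False
+default_ou.save()
+ou_usagers, created = OU.objects.get_or_create(
+slug='usagers',
+defaults={
+'name': u'Usagers',
+'default': True
+}
+)
+ou_territoire, created = OU.objects.get_or_create(
+name=u'Territoire',
+slug='territoire',
+defaults={
+'name': u'Territoire',
+}
+)
+ct_ct = ContentType.objects.get_for_model(ContentType)
+user_ct = ContentType.objects.get_for_model(User)
+role_ct = ContentType.objects.get_for_model(Role)
+roles = {}
+def handle_ou(ou, ou_usagers, ou_territoire, user_ct, role_ct, **kwargs):
+if ou.slug == 'usagers':
+return
+for tpl in ROLE_TEMPLATES:
+role, created = Role.objects.get_or_create(
+slug=tpl['slug'],
+ou=ou,
+defaults={
+'name': tpl['name']
+}
+)
+roles[(ou, tpl['slug'])] = role
+if tpl.get('operations'):
+target_ct = vars()[tpl['target']]
+if tpl['scope'] == 'self':
+scope = ou
+else:
+scope = vars()[tpl['scope']]
+permissions = []
+for operation in tpl['operations']:
+op = get_operation(operation)
+permission, created = Permission.objects.get_or_create(
+operation=op,
+ou=scope,
+target_ct=ct_ct,
+target_id=target_ct.pk)
+permissions.append(permission)
+role.permissions = permissions
+role.add_self_administration()
+if tpl.get('child') and ou.slug != tpl.get('child'):
+child_ou = vars()[tpl['child']]
+child_role = Role.objects.get(
+ou=child_ou,
+slug=tpl['slug'])
+role.add_child(child_role)
+if 'role_parents' in tpl:
+for role_parent in tpl['role_parents']:
+role.add_parent(roles[(ou, role_parent)])
+slugs = [tpl['slug'] for tpl in ROLE_TEMPLATES]
+Role.objects.filter(slug__startswith='_a2-cut').exclude(slug__in=slugs).delete()
+handle_ou(ou_territoire, **vars())
+for ou in OU.objects.exclude(slug__in=['usagers', 'territoire']):
+handle_ou(**vars())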
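Review bot: The territoire lookup `OU.objects.get_or_create(name=u'Territoire', slug='territoire', defaults={...})` matches on both name and slug, so an OU that already carries slug `territoire` under a different display name is not found and the create path then collides on the slug; look it up by slug only, `ou_territoire, created = OU.objects.get_or_create(slug='territoire', defaults={'name': u'Territoire'})`. The cleanup `Role.objects.filter(slug__startswith='_a2-cut').exclude(slug__in=slugs).delete()` is not restricted to `ou` yet sits inside `handle_ou`, so it deletes across every OU once per OU processed; it belongs in `update_roles` after the loop, run once. Resolving template keys through `vars()[tpl['target']]`, `vars()[tpl['scope']]` and `handle_ou(**vars())` ties the template data to local variable names; an explicit mapping such as `targets = {'user_ct': user_ct, 'role_ct': role_ct}` makes that contract visible and keeps unrelated locals out of the call. `role.permissions = permissions` is direct many-to-many assignment, which Django removed in 2.0 in favour of `role.permissions.set(permissions)`. Indentation was lost in this rendering, so the nesting of `role.add_self_administration()` relative to the `if tpl.get('operations'):` block is inferred, not visible.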