diff --git a/app/auth/models.py b/app/auth/models.py index 57622ba8..85b9243b 100644 --- a/app/auth/models.py +++ b/app/auth/models.py @@ -10,7 +10,7 @@ import json import os from time import time -from flask import current_app, url_for +from flask import current_app, url_for, g from flask_login import UserMixin, AnonymousUserMixin from werkzeug.security import generate_password_hash, check_password_hash @@ -127,7 +127,7 @@ class User(UserMixin, db.Model): return user # Permissions management: - def has_permission(self, perm, dept): + def has_permission(self, perm, dept=False): """Check if user has permission `perm` in given `dept`. Emulate Zope `has_permission`` @@ -135,6 +135,8 @@ class User(UserMixin, db.Model): perm: integer, one of the value defined in Permission class. context: """ + if dept is False: + dept = g.scodoc_dept # les role liés à ce département, et les roles avec dept=None (super-admin) roles_in_dept = ( UserRole.query.filter_by(user_id=self.id) diff --git a/app/decorators.py b/app/decorators.py index 93feccc7..e4867cd2 100644 --- a/app/decorators.py +++ b/app/decorators.py @@ -37,11 +37,13 @@ class ZRequest(object): "Emulating Zope 2 REQUEST" def __init__(self): - self.URL = request.base_url + self.URL = request.base_url.encode( + "utf-8" + ) # necessaire pour ScoDoc 8 en Python 2 self.URL0 = self.URL - self.BASE0 = request.url_root - self.QUERY_STRING = request.query_string - self.REQUEST_METHOD = request.method + self.BASE0 = request.url_root.encode("utf-8") + self.QUERY_STRING = request.query_string.encode("utf-8") + self.REQUEST_METHOD = request.method.encode("utf-8") self.AUTHENTICATED_USER = current_user if request.method == "POST": self.form = request.form diff --git a/app/scodoc/ZScoUsers.py b/app/scodoc/ZScoUsers.py index 8429bd66..6f226a94 100644 --- a/app/scodoc/ZScoUsers.py +++ b/app/scodoc/ZScoUsers.py @@ -49,15 +49,7 @@ from gen_tables import GenTable import scolars import sco_cache import sco_users -from sco_permissions import ( - ScoEditAllEvals, - ScoEditAllNotes, - ScoImplement, - ScoSuperAdmin, - ScoUsersAdmin, - ScoUsersView, - ScoView, -) + from sco_exceptions import ( AccessDenied, ScoException, diff --git a/app/scodoc/debug.py b/app/scodoc/debug.py index 48e992b7..feb315ee 100644 --- a/app/scodoc/debug.py +++ b/app/scodoc/debug.py @@ -86,7 +86,7 @@ class FakeUser: def __str__(self): return self.name - def has_permission(self, op, context): + def has_permission(self, op, dept): return True def has_role(self, role): diff --git a/app/scodoc/html_sco_header.py b/app/scodoc/html_sco_header.py index c45b25bb..13ad4186 100644 --- a/app/scodoc/html_sco_header.py +++ b/app/scodoc/html_sco_header.py @@ -28,6 +28,7 @@ import cgi import sco_utils as scu +from notes_log import log import html_sidebar import VERSION @@ -312,7 +313,9 @@ def sco_header( # Avertissement si mot de passe à changer if user_check: authuser = REQUEST.AUTHENTICATED_USER - passwd_temp = context.Users.user_info(user_name=str(authuser))["passwd_temp"] + # passwd_temp = context.Users.user_info(user_name=str(authuser))["passwd_temp"] + log("XXX TODO: Users.user_info") + passwd_temp = False # XXX TODO if passwd_temp: H.append( """
Pour signaler, annuler ou justifier une absence, choisissez d'abord l'étudiant concerné:
""" ) H.append(sco_find_etud.form_search_etud(context, REQUEST)) - if authuser.has_permission(Permission.ScoAbsChange, context): + if authuser.has_permission(Permission.ScoAbsChange): H.extend( ( """Etudiant%s non inscrit%s" % (info["ne"], info["ne"])] - if authuser.has_permission(Permission.ScoEtudInscrit, context): + if authuser.has_permission(Permission.ScoEtudInscrit): l.append( 'inscrire' % (scu.ScoURL(), etudid) @@ -510,19 +510,19 @@ def menus_etud(context, REQUEST=None): "title": "Changer la photo", "endpoint": "scolar.formChangePhoto", "args": {"etudid": etud["etudid"]}, - "enabled": authuser.has_permission(Permission.ScoEtudChangeAdr, context), + "enabled": authuser.has_permission(Permission.ScoEtudChangeAdr), }, { "title": "Changer les données identité/admission", "endpoint": "scolar.etudident_edit_form", "args": {"etudid": etud["etudid"]}, - "enabled": authuser.has_permission(Permission.ScoEtudInscrit, context), + "enabled": authuser.has_permission(Permission.ScoEtudInscrit), }, { "title": "Supprimer cet étudiant...", "endpoint": "scolar.etudident_delete", "args": {"etudid": etud["etudid"]}, - "enabled": authuser.has_permission(Permission.ScoEtudInscrit, context), + "enabled": authuser.has_permission(Permission.ScoEtudInscrit), }, { "title": "Voir le journal...", diff --git a/app/scodoc/sco_permissions.py b/app/scodoc/sco_permissions.py index 4bdd29a3..5787dc14 100644 --- a/app/scodoc/sco_permissions.py +++ b/app/scodoc/sco_permissions.py @@ -5,10 +5,6 @@ used by auth """ -import notesdb as ndb -import scolars -import sco_formsemestre - # Définition des permissions: ne pas changer les numéros ou l'ordre des lignes ! _SCO_PERMISSIONS = ( # permission bit, symbol, description @@ -63,6 +59,11 @@ class Permission: Permission.init_permissions() +import notesdb as ndb +import scolars +import sco_formsemestre + + def can_suppress_annotation(context, annotation_id, REQUEST): """True if current user can suppress this annotation Seuls l'auteur de l'annotation et le chef de dept peuvent supprimer @@ -78,15 +79,15 @@ def can_suppress_annotation(context, annotation_id, REQUEST): # c'est pourquoi on teste aussi ScoEtudInscrit (normalement détenue par le chef) return ( (str(authuser) == anno["zope_authenticated_user"]) - or authuser.has_permission(Permission.ScoEtudSupprAnnotations, context) - or authuser.has_permission(Permission.ScoEtudInscrit, context) + or authuser.has_permission(Permission.ScoEtudSupprAnnotations) + or authuser.has_permission(Permission.ScoEtudInscrit) ) def can_edit_suivi(context, REQUEST=None): """Vrai si l'utilisateur peut modifier les informations de suivi sur la page etud" """ authuser = REQUEST.AUTHENTICATED_USER - return authuser.has_permission(Permission.ScoEtudChangeAdr, context) + return authuser.has_permission(Permission.ScoEtudChangeAdr) def can_validate_sem(context, REQUEST, formsemestre_id): @@ -107,13 +108,13 @@ def can_edit_pv(context, REQUEST, formsemestre_id): # Autorise les secrétariats, repérés via la permission ScoEtudChangeAdr # (ceci nous évite d'ajouter une permission Zope aux installations existantes) authuser = REQUEST.AUTHENTICATED_USER - return authuser.has_permission(Permission.ScoEtudChangeAdr, context) + return authuser.has_permission(Permission.ScoEtudChangeAdr) def is_chef_or_diretud(context, REQUEST, sem): "Vrai si utilisateur est admin, chef dept ou responsable du semestre" authuser = REQUEST.AUTHENTICATED_USER - if authuser.has_permission(Permission.ScoImplement, context): + if authuser.has_permission(Permission.ScoImplement): return True # admin, chef dept uid = str(authuser) if uid in sem["responsables"]: diff --git a/app/scodoc/sco_saisie_notes.py b/app/scodoc/sco_saisie_notes.py index 1329d11a..732952ca 100644 --- a/app/scodoc/sco_saisie_notes.py +++ b/app/scodoc/sco_saisie_notes.py @@ -76,12 +76,12 @@ def can_edit_notes(context, authuser, moduleimpl_id, allow_ens=True): if sco_parcours_dut.formsemestre_has_decisions(context, sem["formsemestre_id"]): # il y a des décisions de jury dans ce semestre ! return ( - authuser.has_permission(Permission.ScoEditAllNotes, context) + authuser.has_permission(Permission.ScoEditAllNotes) or uid in sem["responsables"] ) else: if ( - (not authuser.has_permission(Permission.ScoEditAllNotes, context)) + (not authuser.has_permission(Permission.ScoEditAllNotes)) and uid != M["responsable_id"] and uid not in sem["responsables"] ): diff --git a/app/scodoc/sco_synchro_etuds.py b/app/scodoc/sco_synchro_etuds.py index 68ceb2c8..71bd12a3 100644 --- a/app/scodoc/sco_synchro_etuds.py +++ b/app/scodoc/sco_synchro_etuds.py @@ -91,7 +91,7 @@ def formsemestre_synchro_etuds( sem["etape_apo_str"] = sco_formsemestre.formsemestre_etape_apo_str(sem) # Write access ? authuser = REQUEST.AUTHENTICATED_USER - if not authuser.has_permission(Permission.ScoEtudInscrit, context): + if not authuser.has_permission(Permission.ScoEtudInscrit): read_only = True if read_only: submitted = False diff --git a/app/scodoc/sco_tag_module.py b/app/scodoc/sco_tag_module.py index a8c1a8c4..074a85ad 100644 --- a/app/scodoc/sco_tag_module.py +++ b/app/scodoc/sco_tag_module.py @@ -237,7 +237,7 @@ def module_tag_set(context, module_id="", taglist=[], REQUEST=None): authuser = REQUEST.AUTHENTICATED_USER tag_editable = authuser.has_permission( ScoEditFormationTags, context - ) or authuser.has_permission(Permission.ScoChangeFormation, context) + ) or authuser.has_permission(Permission.ScoChangeFormation) if not tag_editable: raise AccessDenied("Modification des tags impossible pour %s" % authuser) # diff --git a/app/scodoc/sco_ue_external.py b/app/scodoc/sco_ue_external.py index 51855dd6..faf8d066 100644 --- a/app/scodoc/sco_ue_external.py +++ b/app/scodoc/sco_ue_external.py @@ -81,7 +81,7 @@ def external_ue_create( sem = sco_formsemestre.get_formsemestre(context, formsemestre_id) # Contrôle d'accès: authuser = REQUEST.AUTHENTICATED_USER - if not authuser.has_permission(Permission.ScoImplement, context): + if not authuser.has_permission(Permission.ScoImplement): if not sem["resp_can_edit"] or str(authuser) not in sem["responsables"]: raise AccessDenied("vous n'avez pas le droit d'effectuer cette opération") # @@ -210,7 +210,7 @@ def external_ue_create_form(context, formsemestre_id, etudid, REQUEST=None): sem = sco_formsemestre.get_formsemestre(context, formsemestre_id) # Contrôle d'accès: authuser = REQUEST.AUTHENTICATED_USER - if not authuser.has_permission(Permission.ScoImplement, context): + if not authuser.has_permission(Permission.ScoImplement): if not sem["resp_can_edit"] or str(authuser) not in sem["responsables"]: raise AccessDenied("vous n'avez pas le droit d'effectuer cette opération") diff --git a/app/scodoc/sco_utils.py b/app/scodoc/sco_utils.py index 43b87929..aec571c4 100644 --- a/app/scodoc/sco_utils.py +++ b/app/scodoc/sco_utils.py @@ -330,7 +330,7 @@ def get_dept_id(): def get_db_cnx_string(): - return "SCO" + g.scodoc_dept + return "dbname=SCO" + g.scodoc_dept def ScoURL():