ScoDoc/app/scodoc/sco_permissions_check.py

105 lines
3.5 KiB
Python
Raw Permalink Normal View History

# -*- mode: python -*-
# -*- coding: utf-8 -*-
"""Functions checking permissions for some common operations
"""
from flask import g
from flask_login import current_user
from app import db
2021-08-22 13:24:36 +02:00
from app.auth.models import User
import app.scodoc.notesdb as ndb
from app.scodoc.sco_permissions import Permission
from app.scodoc import html_sco_header
from app.scodoc import sco_etud
from app.scodoc import sco_exceptions
def can_suppress_annotation(annotation_id):
"""True if current user can suppress this annotation
Seuls l'auteur de l'annotation et le chef de dept peuvent supprimer
une annotation.
"""
cnx = ndb.GetDBConnexion()
annos = sco_etud.etud_annotations_list(cnx, args={"id": annotation_id})
if len(annos) != 1:
raise sco_exceptions.ScoValueError("annotation inexistante !")
anno = annos[0]
2021-08-10 17:12:10 +02:00
return (current_user.user_name == anno["author"]) or current_user.has_permission(
Permission.EtudAddAnnotations
2021-08-10 17:12:10 +02:00
)
def can_edit_suivi():
"""Vrai si l'utilisateur peut modifier les informations de suivi sur la page etud" """
return current_user.has_permission(Permission.EtudChangeAdr)
def is_chef_or_diretud(sem): # remplacé par formsemestre.est_chef_or_diretud
"Vrai si utilisateur est admin, chef dept ou responsable du semestre"
if (
current_user.has_permission(Permission.EditFormSemestre)
2021-08-22 13:24:36 +02:00
or current_user.id in sem["responsables"]
):
return True
return False
def check_access_diretud(
formsemestre_id, required_permission=Permission.EditFormSemestre
):
"""Check if access granted: responsable or EditFormSemestre
Return True|False, HTML_error_page
"""
2021-06-21 10:17:16 +02:00
from app.scodoc import sco_formsemestre
2021-08-19 10:28:35 +02:00
sem = sco_formsemestre.get_formsemestre(formsemestre_id)
2021-07-29 16:58:18 +02:00
header = html_sco_header.sco_header(page_title="Accès interdit")
footer = html_sco_header.sco_footer()
2021-08-22 13:24:36 +02:00
if (current_user.id not in sem["responsables"]) and not current_user.has_permission(
required_permission
):
return (
False,
"\n".join(
[
header,
"<h2>Opération non autorisée pour %s</h2>" % current_user,
"<p>Responsable de ce semestre : <b>%s</b></p>"
2021-08-22 13:24:36 +02:00
% ", ".join(
[
db.session.get(User, i).get_prenomnom()
for i in sem["responsables"]
]
2021-08-22 13:24:36 +02:00
),
footer,
]
),
)
else:
return True, ""
2021-06-21 10:17:16 +02:00
2022-08-25 12:47:57 +02:00
def can_handle_passwd(user: User, allow_admindepts=False) -> bool:
"""True if the current user can see or change passwd info of user.
If allow_admindepts, allow Admin from all depts (so they can view users from other depts
and add roles to them).
user is a User instance.
"""
if not user:
return False
if current_user.is_administrator():
return True # super admin
# Anyone can change his own passwd (or see his informations)
if user.user_name == current_user.user_name:
return True
# If don't have permission in the current dept, abort
if not current_user.has_permission(Permission.UsersAdmin, g.scodoc_dept):
return False
# Now check that current_user can manage users from this departement
if not current_user.dept:
return True # if no dept, can access users from all depts !
if (current_user.dept == user.dept) or allow_admindepts:
return True
2022-08-25 12:47:57 +02:00
return False