Add role permissions

seahub/api2/authentication.py

@@ -6,10 +6,10 @@ from rest_framework.exceptions import APIException
 
 import seaserv
 from seahub.base.accounts import User
-from seahub.constants import GUEST_USER
 from seahub.api2.models import Token, TokenV2
 from seahub.api2.utils import get_client_ip
 from seahub.utils import within_time_range
+from seahub.utils.user_permissions import populate_user_permissions
 try:
     from seahub.settings import MULTI_TENANCY
 except ImportError:
@@ -65,16 +65,6 @@ class TokenAuthentication(BaseAuthentication):
 
         return self.authenticate_v1(request, key)
 
-    def _populate_user_permissions(self, user):
-        """Disable some operations if ``user`` is a guest.
-        """
-        if user.role == GUEST_USER:
-            user.permissions.can_add_repo = lambda: False
-            user.permissions.can_add_group = lambda: False
-            user.permissions.can_view_org = lambda: False
-            user.permissions.can_use_global_address_book = lambda: False
-            user.permissions.can_generate_shared_link = lambda: False
-
     def authenticate_v1(self, request, key):
         try:
             token = Token.objects.get(key=key)
@@ -91,7 +81,7 @@ class TokenAuthentication(BaseAuthentication):
             if orgs:
                 user.org = orgs[0]
 
-        self._populate_user_permissions(user)
+        populate_user_permissions(user)
 
         if user.is_active:
             return (user, token)
@@ -116,7 +106,7 @@ class TokenAuthentication(BaseAuthentication):
             if orgs:
                 user.org = orgs[0]
 
-        self._populate_user_permissions(user)
+        populate_user_permissions(user)
 
         if user.is_active:
             need_save = False

seahub/base/accounts.py

@@ -6,14 +6,16 @@ from django.utils.translation import ugettext_lazy as _
 from django.conf import settings
 from django.contrib.sites.models import RequestSite
 from django.contrib.sites.models import Site
-
-from seahub.auth import login
-from registration import signals
 import seaserv
 from seaserv import ccnet_threaded_rpc, unset_repo_passwd, is_passwd_set, \
     seafile_api
+from constance import config
+from registration import signals
 
+from seahub.auth import login
+from seahub.constants import DEFAULT_USER
 from seahub.profile.models import Profile, DetailedProfile
+from seahub.role_permissions.utils import get_enabled_role_permissions_by_role
 from seahub.utils import is_valid_username, is_user_password_strong, \
     clear_token, get_system_admins
 from seahub.utils.mail import send_html_email_with_dj_template, MAIL_PRIORITY
@@ -27,8 +29,6 @@ try:
 except ImportError:
     MULTI_TENANCY = False
 
-from constance import config
-
 UNUSABLE_PASSWORD = '!' # This will never be a valid hash
 
 class UserManager(object):
@@ -102,22 +102,44 @@ class UserPermissions(object):
         self.user = user
 
     def can_add_repo(self):
-        return True
+        return get_enabled_role_permissions_by_role(DEFAULT_USER)['can_add_repo']
 
     def can_add_group(self):
-        return True
+        return get_enabled_role_permissions_by_role(DEFAULT_USER)['can_add_group']
 
     def can_generate_shared_link(self):
-        return True
+        return get_enabled_role_permissions_by_role(DEFAULT_USER)['can_generate_shared_link']
 
     def can_use_global_address_book(self):
-        return True
+        return get_enabled_role_permissions_by_role(DEFAULT_USER)['can_use_global_address_book']
 
     def can_view_org(self):
         if MULTI_TENANCY:
             return True if self.user.org is not None else False
 
-        return False if CLOUD_MODE else True
+        if CLOUD_MODE:
+            return False
+
+        return get_enabled_role_permissions_by_role(DEFAULT_USER)['can_view_org']
+
+    def can_drag_drop_folder_to_sync(self):
+        return get_enabled_role_permissions_by_role(DEFAULT_USER)['can_drag_drop_folder_to_sync']
+
+    def can_connect_with_android_clients(self):
+        return get_enabled_role_permissions_by_role(DEFAULT_USER)['can_connect_with_android_clients']
+
+    def can_connect_with_ios_clients(self):
+        return get_enabled_role_permissions_by_role(DEFAULT_USER)['can_connect_with_ios_clients']
+
+    def can_connect_with_desktop_clients(self):
+        return get_enabled_role_permissions_by_role(DEFAULT_USER)['can_connect_with_desktop_clients']
+
+    def can_invite_guest(self):
+        return get_enabled_role_permissions_by_role(DEFAULT_USER)['can_invite_guest']
+
+    def can_export_files_via_mobile_client(self):
+        return get_enabled_role_permissions_by_role(DEFAULT_USER)['can_export_files_via_mobile_client']
+
 
 class User(object):
     is_staff = False

seahub/role_permissions/admin.py

@@ -0,0 +1,3 @@
+from django.contrib import admin
+
+# Register your models here.

seahub/role_permissions/models.py

@@ -0,0 +1,3 @@
+from django.db import models
+
+# Create your models here.

seahub/role_permissions/settings.py

@@ -0,0 +1,45 @@
+import logging
+
+from django.conf import settings
+
+from seahub.constants import DEFAULT_USER
+
+# Get an instance of a logger
+logger = logging.getLogger(__name__)
+
+DEFAULT_ENABLED_ROLE_PERMISSIONS = {
+    DEFAULT_USER: {
+        'can_add_repo': True,
+        'can_add_group': True,
+        'can_view_org': True,
+        'can_use_global_address_book': True,
+        'can_generate_shared_link': True,
+        'can_invite_guest': False,
+        # followings are not implemented yet
+        'can_drag_drop_folder_to_sync': True,
+        'can_connect_with_android_clients': True,
+        'can_connect_with_ios_clients': True,
+        'can_connect_with_desktop_clients': True,
+        'can_export_files_via_mobile_client': True,
+    },
+}
+
+_default_role_perms = DEFAULT_ENABLED_ROLE_PERMISSIONS.copy()
+_default_role_perms.update(settings.ENABLED_ROLE_PERMISSIONS)  # merge outter dict
+
+def get_enabled_role_permissions():
+    ret = {}
+    for role, perms in _default_role_perms.iteritems():
+        default_perms = _default_role_perms['default'].copy()
+        default_perms.update(perms)      # merge inner dict
+        ret[role] = default_perms
+
+        # check role permission syntax
+        for k in default_perms.keys():
+            if k not in DEFAULT_ENABLED_ROLE_PERMISSIONS[DEFAULT_USER].keys():
+                print '"%s" is not valid permission, please review the ENABLED_ROLE_PERMISSIONS setting.' % k
+                logger.warn('"%s" is not valid permission, please review the ENABLED_ROLE_PERMISSIONS setting.' % k)
+
+    return ret
+
+ENABLED_ROLE_PERMISSIONS = get_enabled_role_permissions()

seahub/role_permissions/utils.py

@@ -0,0 +1,18 @@
+from .settings import ENABLED_ROLE_PERMISSIONS
+from seahub.constants import DEFAULT_USER
+
+def get_available_roles():
+    """Get available roles defined in `ENABLED_ROLE_PERMISSIONS`.
+    """
+    return ENABLED_ROLE_PERMISSIONS.keys()
+
+def get_enabled_role_permissions_by_role(role):
+    """Get permissions dict(perm_name: bool) of a role.
+    """
+    if not role:
+        role = DEFAULT_USER
+
+    if role not in ENABLED_ROLE_PERMISSIONS.keys():
+        assert False, '%s is not a valid role' % role
+
+    return ENABLED_ROLE_PERMISSIONS[role]

seahub/role_permissions/views.py

@@ -0,0 +1,3 @@
+from django.shortcuts import render
+
+# Create your views here.

seahub/settings.py

@@ -503,6 +503,30 @@ ENABLE_GLOBAL_ADDRESSBOOK = True
 #####################
 ENABLE_FOLDER_PERM = False
 
+####################
+# Role permissions #
+####################
+# default permissions:
+# 'default': {
+#     'can_add_repo': True,
+#     'can_add_group': True,
+#     'can_view_org': True,
+#     'can_user_global_address_book': True,
+#     'can_generate_shared_link': True,
+#     'can_invite_guest': False,
+# }
+from seahub.constants import GUEST_USER
+ENABLED_ROLE_PERMISSIONS = {
+    GUEST_USER: {
+        'can_add_repo': False,
+        'can_add_group': False,
+        'can_view_org': False,
+        'can_use_global_address_book': False,
+        'can_generate_shared_link': False,
+        'can_invite_guest': False,
+    },
+}
+
 #####################
 # Sudo Mode #
 #####################

seahub/templates/sysadmin/useradmin_table.html

@@ -46,14 +46,19 @@
             <div class="user-role">
                 {% if user.is_guest %}
                     <span class="user-role-cur-value">{% trans "Guest" %}</span>
-                {% else %}
+                {% elif user.is_default %}
                     <span class="user-role-cur-value">{% trans "Default" %}</span>
+                {% else %}
+                    <span class="user-role-cur-value">{{user.role}}</span>
                 {% endif %}
                 <span title="{% trans "Edit"%}" class="user-role-edit-icon sf2-icon-edit op-icon vh"></span>
             </div>
             <select name="role" class="user-role-select hide">
-                <option value={{default_user}} {%if not user.is_guest %}selected="selected"{% endif %}>{% trans "Default" %}</option>
+                <option value={{default_user}} {%if user.is_default %}selected="selected"{% endif %}>{% trans "Default" %}</option>
                 <option value={{guest_user}} {%if user.is_guest %}selected="selected"{% endif %}>{% trans "Guest"%}</option>
+                {% for role in extra_user_roles %}
+                <option value={{role}} {%if user.role == role %}selected="selected"{% endif %}>{{ role }}</option>
+                {% endfor %}
             </select>
         {% else %}
         --

seahub/utils/user_permissions.py

@@ -0,0 +1,26 @@
+from seahub.constants import DEFAULT_USER, GUEST_USER
+from seahub.utils import is_pro_version
+
+def populate_user_permissions(user):
+    if is_pro_version():
+        from seahub_extra.auth_extra.utils import populate_user_permissions
+        populate_user_permissions(user)
+    else:
+        # use default user permissions
+        pass
+
+def get_basic_user_roles():
+    """Get predefined user roles.
+    """
+    return [DEFAULT_USER, GUEST_USER]
+
+def get_user_role(user):
+    """Get a user's role.
+    """
+    if user.role is None or user.role == '' or user.role == DEFAULT_USER:
+        return DEFAULT_USER
+
+    if user.role == GUEST_USER:
+        return GUEST_USER
+
+    return user.role            # custom user role

seahub/views/sysadmin.py

@@ -34,6 +34,7 @@ from seahub.auth import authenticate
 from seahub.auth.decorators import login_required, login_required_ajax
 from seahub.constants import GUEST_USER, DEFAULT_USER
 from seahub.institutions.models import Institution, InstitutionAdmin
+from seahub.role_permissions.utils import get_available_roles
 from seahub.utils import IS_EMAIL_CONFIGURED, string2list, is_valid_username, \
     is_pro_version, send_html_email, get_user_traffic_list, get_server_id, \
     clear_token, gen_file_get_url, is_org_context, handle_virus_record, \
@@ -45,6 +46,8 @@ from seahub.utils.licenseparse import parse_license
 from seahub.utils.sysinfo import get_platform_name
 from seahub.utils.mail import send_html_email_with_dj_template
 from seahub.utils.ms_excel import write_xls
+from seahub.utils.user_permissions import (get_basic_user_roles,
+                                           get_user_role)
 from seahub.views.ajax import (get_related_users_by_org_repo,
                                get_related_users_by_repo)
 from seahub.views import get_system_default_repo_id, gen_path_link
@@ -267,10 +270,8 @@ def sys_user_admin(request):
         _populate_user_quota_usage(user)
 
         # check user's role
-        if user.role == GUEST_USER:
+        user.is_guest = True if get_user_role(user) == GUEST_USER else False
-            user.is_guest = True
+        user.is_default = True if get_user_role(user) == DEFAULT_USER else False
-        else:
-            user.is_guest = False
 
         # populate user last login time
         user.last_login = None
@@ -288,6 +289,8 @@ def sys_user_admin(request):
     platform = get_platform_name()
     server_id = get_server_id()
     pro_server = 1 if is_pro_version() else 0
+    extra_user_roles = [x for x in get_available_roles()
+                        if x not in get_basic_user_roles()]
 
     return render_to_response(
         'sysadmin/sys_useradmin.html', {
@@ -305,6 +308,7 @@ def sys_user_admin(request):
             'is_pro': is_pro_version(),
             'pro_server': pro_server,
             'enable_user_plan': enable_user_plan,
+            'extra_user_roles': extra_user_roles,
         }, context_instance=RequestContext(request))
 
 @login_required

tests/seahub/base/test_accounts.py

@@ -15,3 +15,19 @@ class UserTest(BaseTestCase):
         assert len(Email.objects.all()) > 0
         # email = Email.objects.all()[0]
         # print email.html_message
+
+
+class UserPermissionsTest(BaseTestCase):
+    def test_permissions(self):
+        assert self.user.permissions.can_add_repo() is True
+        assert self.user.permissions.can_add_group() is True
+        assert self.user.permissions.can_generate_shared_link() is True
+        assert self.user.permissions.can_use_global_address_book() is True
+        assert self.user.permissions.can_view_org() is True
+        assert self.user.permissions.can_drag_drop_folder_to_sync() is True
+        assert self.user.permissions.can_connect_with_android_clients() is True
+        assert self.user.permissions.can_connect_with_ios_clients() is True
+        assert self.user.permissions.can_connect_with_desktop_clients() is True
+        assert self.user.permissions.can_invite_guest() is False
+
+        assert self.user.permissions.can_export_files_via_mobile_client() is True