Mirrored_Repos/InvenTree
1
0
Fork 0
mirror of https://github.com/inventree/InvenTree synced 2024-08-30 18:33:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add or remove permissions from groups as defined by the RuleSet links

Browse Source 
- Only runs when the group is changed
- Does not add permissions if they already exist
- Does not remove permissions if they do not exist
This commit is contained in:
Oliver Walters 2020-10-04 12:18:31 +11:00
parent d5c0c12d78
commit c19c014f55
2 changed files with 73 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
InvenTree/users/models.py
View File

@ -1,6 +1,7 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
from django.contrib.auth.models import Group from django.contrib.auth.models import Group, Permission
from django.contrib.contenttypes.models import ContentType
from django.db import models from django.db import models
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
@ -172,16 +173,35 @@ class RuleSet(models.Model):
return self.RULESET_MODELS.get(self.name, []) return self.RULESET_MODELS.get(self.name, [])
def update_group_roles(group): def update_group_roles(group, debug=False):
""" """
Update group roles:
a) Ensure default roles are assigned to each group. Iterates through all of the RuleSets associated with the group,
b) Ensure group permissions are correctly updated and assigned and ensures that the correct permissions are either applied or removed from the group.
This function is called under the following conditions:
a) Whenever the InvenTree database is launched
b) Whenver the group object is updated
The RuleSet model has complete control over the permissions applied to any group.
""" """
# List of permissions already associated with this group # List of permissions already associated with this group
group_permissions = '??????' group_permissions = set()
# Iterate through each permission already assigned to this group,
# and create a simplified permission key string
for p in group.permissions.all():
(permission, app, model) = p.natural_key()
permission_string = '{app}.{perm}'.format(
app=app,
perm=permission
)
group_permissions.add(permission_string)
# List of permissions which must be added to the group # List of permissions which must be added to the group
permissions_to_add = set() permissions_to_add = set()
@ -199,7 +219,7 @@ def update_group_roles(group):
allowed - Whether or not the action is allowed allowed - Whether or not the action is allowed
""" """
if not action in ['view', 'add', 'change', 'delete']: if action not in ['view', 'add', 'change', 'delete']:
raise ValueError("Action {a} is invalid".format(a=action)) raise ValueError("Action {a} is invalid".format(a=action))
permission_string = RuleSet.get_model_permission_string(model, action) permission_string = RuleSet.get_model_permission_string(model, action)
@ -210,12 +230,15 @@ def update_group_roles(group):
if permission_string in permissions_to_delete: if permission_string in permissions_to_delete:
permissions_to_delete.remove(permission_string) permissions_to_delete.remove(permission_string)
if permission_string not in group_permissions:
permissions_to_add.add(permission_string) permissions_to_add.add(permission_string)
else: else:
# A forbidden action will be ignored if we have already allowed it # A forbidden action will be ignored if we have already allowed it
if permission_string not in permissions_to_add: if permission_string not in permissions_to_add:
if permission_string in group_permissions:
permissions_to_delete.add(permission_string) permissions_to_delete.add(permission_string)
# Get all the rulesets associated with this group # Get all the rulesets associated with this group
@ -240,12 +263,46 @@ def update_group_roles(group):
add_model(model, 'change', ruleset.can_change) add_model(model, 'change', ruleset.can_change)
add_model(model, 'delete', ruleset.can_delete) add_model(model, 'delete', ruleset.can_delete)
# TODO - Update permissions here def get_permission_object(permission_string):
"""
Find the permission object in the database,
from the simplified permission string
# TODO - Update group permissions Args:
permission_string - a simplified permission_string e.g. 'part.view_partcategory'
print("To add:", permissions_to_add) Returns the permission object in the database associated with the permission string
print("To delete:", permissions_to_delete) """
(app, perm) = permission_string.split('.')
(permission_name, model) = perm.split('_')
content_type = ContentType.objects.get(app_label=app, model=model)
permission = Permission.objects.get(content_type=content_type, codename=perm)
return permission
# Add any required permissions to the group
for perm in permissions_to_add:
permission = get_permission_object(perm)
group.permissions.add(permission)
if debug:
print(f"Adding permission {perm} to group {group.name}")
# Remove any extra permissions from the group
for perm in permissions_to_delete:
permission = get_permission_object(perm)
group.permissions.remove(permission)
if debug:
print(f"Removing permission {perm} from group {group.name}")
@receiver(post_save, sender=Group) @receiver(post_save, sender=Group)

1
InvenTree/users/tests.py
View File

@ -76,7 +76,6 @@ class RuleSetModelTest(TestCase):
print("{n} is not a valid database table".format(n=m)) print("{n} is not a valid database table".format(n=m))
errors += 1 errors += 1
missing_models = [] missing_models = []
for model in available_tables: for model in available_tables: