PageRenderTime 59ms CodeModel.GetById 33ms RepoModel.GetById 0ms app.codeStats 0ms

/cms/admin/permissionadmin.py

https://github.com/mthornhill/django-cms
Python | 174 lines | 135 code | 6 blank | 33 comment | 2 complexity | 60447d01a84283c1b2de2e535867d194 MD5 | raw file
  1. # -*- coding: utf-8 -*-
  2. from copy import deepcopy
  3. from django.conf import settings
  4. from django.template.defaultfilters import title
  5. from django.utils.translation import ugettext as _
  6. from django.contrib import admin
  7. from cms.exceptions import NoPermissionsException
  8. from cms.models import Page, PagePermission, GlobalPagePermission, PageUser
  9. from cms.utils.permissions import get_user_permission_level
  10. from cms.admin.forms import (GlobalPagePermissionAdminForm,
  11. PagePermissionInlineAdminForm, ViewRestrictionInlineAdminForm)
  12. PAGE_ADMIN_INLINES = []
  13. class PagePermissionInlineAdmin(admin.TabularInline):
  14. model = PagePermission
  15. # use special form, so we can override of user and group field
  16. form = PagePermissionInlineAdminForm
  17. classes = ['collapse', 'collapsed']
  18. exclude = ['can_view']
  19. def queryset(self, request):
  20. """
  21. Queryset change, so user with global change permissions can see
  22. all permissions. Otherwise can user see only permissions for
  23. peoples which are under him (he can't see his permissions, because
  24. this will lead to violation, when he can add more power to itself)
  25. """
  26. # can see only permissions for users which are under him in tree
  27. ### here a exception can be thrown
  28. try:
  29. qs = PagePermission.objects.subordinate_to_user(request.user)
  30. return qs.filter(can_view=False)
  31. except NoPermissionsException:
  32. return self.objects.get_empty_query_set()
  33. def get_formset(self, request, obj=None, **kwargs):
  34. """
  35. Some fields may be excluded here. User can change only
  36. permissions which are available for him. E.g. if user does not haves
  37. can_publish flag, he can't change assign can_publish permissions.
  38. """
  39. exclude = self.exclude or []
  40. if obj:
  41. if not obj.has_add_permission(request):
  42. exclude.append('can_add')
  43. if not obj.has_delete_permission(request):
  44. exclude.append('can_delete')
  45. if not obj.has_publish_permission(request):
  46. exclude.append('can_publish')
  47. if not obj.has_advanced_settings_permission(request):
  48. exclude.append('can_change_advanced_settings')
  49. if not obj.has_move_page_permission(request):
  50. exclude.append('can_move_page')
  51. if not settings.CMS_MODERATOR or not obj.has_moderate_permission(request):
  52. exclude.append('can_moderate')
  53. formset_cls = super(PagePermissionInlineAdmin, self
  54. ).get_formset(request, obj=None, exclude=exclude, *kwargs)
  55. qs = self.queryset(request)
  56. if obj is not None:
  57. qs = qs.filter(page=obj)
  58. formset_cls._queryset = qs
  59. return formset_cls
  60. class ViewRestrictionInlineAdmin(PagePermissionInlineAdmin):
  61. extra = 1
  62. form = ViewRestrictionInlineAdminForm
  63. verbose_name = _("View restriction")
  64. verbose_name_plural = _("View restrictions")
  65. exclude = [
  66. 'can_add', 'can_change', 'can_delete', 'can_view',
  67. 'can_publish', 'can_change_advanced_settings', 'can_move_page',
  68. 'can_moderate', 'can_change_permissions'
  69. ]
  70. def get_formset(self, request, obj=None, **kwargs):
  71. """
  72. Some fields may be excluded here. User can change only permissions
  73. which are available for him. E.g. if user does not haves can_publish
  74. flag, he can't change assign can_publish permissions.
  75. """
  76. formset_cls = super(PagePermissionInlineAdmin, self).get_formset(request, obj, **kwargs)
  77. qs = self.queryset(request)
  78. if obj is not None:
  79. qs = qs.filter(page=obj)
  80. formset_cls._queryset = qs
  81. return formset_cls
  82. def queryset(self, request):
  83. """
  84. Returns a QuerySet of all model instances that can be edited by the
  85. admin site. This is used by changelist_view.
  86. """
  87. qs = PagePermission.objects.subordinate_to_user(request.user)
  88. return qs.filter(can_view=True)
  89. class GlobalPagePermissionAdmin(admin.ModelAdmin):
  90. list_display = ['user', 'group', 'can_change', 'can_delete', 'can_publish', 'can_change_permissions']
  91. list_filter = ['user', 'group', 'can_change', 'can_delete', 'can_publish', 'can_change_permissions']
  92. form = GlobalPagePermissionAdminForm
  93. search_fields = ('user__username', 'user__first_name', 'user__last_name', 'group__name')
  94. exclude = []
  95. list_display.append('can_change_advanced_settings')
  96. list_filter.append('can_change_advanced_settings')
  97. if settings.CMS_MODERATOR:
  98. list_display.append('can_moderate')
  99. list_filter.append('can_moderate')
  100. else:
  101. exclude.append('can_moderate')
  102. class GenericCmsPermissionAdmin(object):
  103. """
  104. Custom mixin for permission-enabled admin interfaces.
  105. """
  106. def update_permission_fieldsets(self, request, obj=None):
  107. """
  108. Nobody can grant more than he haves, so check for user permissions
  109. to Page and User model and render fieldset depending on them.
  110. """
  111. fieldsets = deepcopy(self.fieldsets)
  112. perm_models = (
  113. (Page, _('Page permissions')),
  114. (PageUser, _('User & Group permissions')),
  115. (PagePermission, _('Page permissions management')),
  116. )
  117. for i, perm_model in enumerate(perm_models):
  118. model, title = perm_model
  119. opts, fields = model._meta, []
  120. name = model.__name__.lower()
  121. for t in ('add', 'change', 'delete'):
  122. fn = getattr(opts, 'get_%s_permission' % t)
  123. if request.user.has_perm(opts.app_label + '.' + fn()):
  124. fields.append('can_%s_%s' % (t, name))
  125. if fields:
  126. fieldsets.insert(2 + i, (title, {'fields': (fields,)}))
  127. return fieldsets
  128. def _has_change_permissions_permission(self, request):
  129. """
  130. User is able to add/change objects only if he haves can change
  131. permission on some page.
  132. """
  133. try:
  134. user_level = get_user_permission_level(request.user)
  135. except NoPermissionsException:
  136. return False
  137. return True
  138. def has_add_permission(self, request):
  139. return self._has_change_permissions_permission(request) and \
  140. super(self.__class__, self).has_add_permission(request)
  141. def has_change_permission(self, request, obj=None):
  142. return self._has_change_permissions_permission(request) and \
  143. super(self.__class__, self).has_change_permission(request, obj)
  144. if settings.CMS_PERMISSION:
  145. admin.site.register(GlobalPagePermission, GlobalPagePermissionAdmin)
  146. PAGE_ADMIN_INLINES.extend([
  147. ViewRestrictionInlineAdmin,
  148. PagePermissionInlineAdmin,
  149. ])