add service permissions
diff --git a/xos/core/models/service.py b/xos/core/models/service.py
index f7259ae..6dd67a0 100644
--- a/xos/core/models/service.py
+++ b/xos/core/models/service.py
@@ -28,11 +28,54 @@
 
     def __unicode__(self): return u'%s' % (self.name)
 
+    def can_update(self, user):
+        return user.can_update_service(self, allow=['admin'])
+     
+
 class ServiceAttribute(PlCoreBase):
     name = models.SlugField(help_text="Attribute Name", max_length=128)
     value = StrippedCharField(help_text="Attribute Value", max_length=1024)
     service = models.ForeignKey(Service, related_name='serviceattributes', help_text="The Service this attribute is associated with")
 
+class ServiceRole(PlCoreBase):
+    ROLE_CHOICES = (('admin','Admin'),)
+    role = StrippedCharField(choices=ROLE_CHOICES, unique=True, max_length=30)
+
+    def __unicode__(self):  return u'%s' % (self.role)
+
+class ServicePrivilege(PlCoreBase):
+    user = models.ForeignKey('User', related_name='serviceprivileges')
+    service = models.ForeignKey('Service', related_name='serviceprivileges')
+    role = models.ForeignKey('ServiceRole',related_name='serviceprivileges')
+
+    class Meta:
+        unique_toggether =  ('user', 'service', 'role')
+
+    def __unicode__(self):  return u'%s %s %s' % (self.service, self.user, self.role)
+
+    def can_update(self, user):
+        if not self.service.enabled:
+            raise PermissionDenied, "Cannot modify permission(s) of a disabled service"
+        return self.service.can_update(user)
+
+    def save(self, *args, **kwds):
+        if not self.service.enabled:
+            raise PermissionDenied, "Cannot modify permission(s) of a disabled service"
+        super(ServicePrivilege, self).save(*args, **kwds)
+
+    def delete(self, *args, **kwds):
+        if not self.service.enabled:
+            raise PermissionDenied, "Cannot modify permission(s) of a disabled service"
+        super(ServicePrivilege, self).delete(*args, **kwds)                    
+    
+    @staticmethod
+    def select_by_user(user):
+        if user.is_admin:
+            qs = ServicePrivilege.objects.all()
+        else:
+            qs = SitePrivilege.objects.filter(user=user)
+        return qs        
+
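Review bot: `select_by_user` queries the wrong model for non-admin users: `qs = SitePrivilege.objects.filter(user=user)` returns site privileges instead of the service privileges the caller asked for, so the non-admin branch should read `qs = ServicePrivilege.objects.filter(user=user)`. The `Meta` option `unique_toggether = ('user', 'service', 'role')` is misspelled, so the intended uniqueness constraint on (user, service, role) is not created — depending on the Django version this is either rejected at model load or silently ignored — and it should be `unique_together = ('user', 'service', 'role')`. Without that constraint duplicate privilege rows can accumulate, which makes revoking a role by deleting one row unreliable. Several added lines (e.g. after `super(ServicePrivilege, self).delete(...)` and `return qs`) also carry trailing whitespace. The `Service` class that receives the new `can_update` method begins before this hunk.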
 class Tenant(PlCoreBase):
     """ A tenant is a relationship between two entities, a subscriber and a
         provider.
diff --git a/xos/core/models/user.py b/xos/core/models/user.py
index e34abdb..e62d6db 100644
--- a/xos/core/models/user.py
+++ b/xos/core/models/user.py
@@ -314,6 +314,15 @@
             return True
         return False
 
+    def can_update_service(self, service, allow=[]):
+        from core.models.service import ServicePrivilege
+        if self.can_update_root():
+            return True
+        if ServicePrivilege.objects.filter(
+            service=service, user=self, role__role__in=['admin', 'Admin']+allow):
+            return True
+        return False           
+
     @staticmethod
     def select_by_user(user):
         if user.is_admin:
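Review bot: `can_update_service` declares a mutable default `allow=[]`; it is not mutated here, but the idiomatic form is `allow=None` with `roles = ['admin', 'Admin'] + (allow or [])`. The privilege check also evaluates the whole queryset for truthiness, whereas `.exists()` asks the database only whether a matching row is present: `if ServicePrivilege.objects.filter(service=service, user=self, role__role__in=roles).exists():`. Since `'admin'` is always included in the role list, the `allow=['admin']` passed by `Service.can_update` in service.py adds nothing, and `'Admin'` does not match any key in `ServiceRole.ROLE_CHOICES`, so the intended semantics of `allow` should be documented or the redundancy removed. `can_update_root` is defined outside this hunk.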