anoopmb
/
frappe
1
0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
4460 提交
1 分支
314 MiB
 
 
 
 
 
 
目录树: 3968f66d5f
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '3968f66d5f'
${ noResults }
frappe/webnotes/permissions.py

150 行
4.4 KiB
原始文件 Blame 文件历史 

  1. # Copyright (c) 2013, Web Notes Technologies Pvt. Ltd. and Contributors

  2. # MIT License. See license.txt

  3. 

  4. from __future__ import unicode_literals

  5. import webnotes

  6. from webnotes import _, msgprint, _dict

  7. from webnotes.utils import cint

  8. 

  9. def check_admin_or_system_manager():

  10. 	if ("System Manager" not in webnotes.get_roles()) and \

  11. 	 	(webnotes.session.user!="Administrator"):

  12. 		msgprint("Only Allowed for Role System Manager or Administrator", raise_exception=True)

  13. 		

  14. def has_permission(doctype, ptype="read", refdoc=None, verbose=True):

  15. 	"""check if user has permission"""

  16. 	if webnotes.conn.get_value("DocType", doctype, "istable")==1:

  17. 		return True

  18. 	

  19. 	meta = webnotes.get_doctype(doctype)

  20. 	

  21. 	if ptype=="submit" and not cint(meta[0].is_submittable):

  22. 		return False

  23. 	

  24. 	if ptype=="import" and not cint(meta[0].allow_import):

  25. 		return False

  26. 	

  27. 	if webnotes.session.user=="Administrator":

  28. 		return True

  29. 	

  30. 	# get user permissions

  31. 	perms = get_user_perms(meta, ptype)

  32. 	

  33. 	if not perms:

  34. 		return False

  35. 	elif refdoc:

  36. 		if isinstance(refdoc, basestring):

  37. 			refdoc = webnotes.doc(meta[0].name, refdoc)

  38. 		

  39. 		if (has_only_permitted_data(meta, refdoc, verbose=verbose) and has_match(perms, refdoc)):

  40. 			return True

  41. 		else:

  42. 			return False

  43. 	else:

  44. 		return True

  45. 		

  46. def get_user_perms(meta, ptype, user=None):

  47. 	user_roles = webnotes.get_roles(user)

  48. 	

  49. 	return [p for p in meta.get({"doctype": "DocPerm"})

  50. 			if cint(p.get(ptype))==1 and cint(p.permlevel)==0 and (p.role=="All" or p.role in user_roles)]

  51. 

  52. def has_only_permitted_data(meta, refdoc, verbose=True):

  53. 	from webnotes.defaults import get_restrictions

  54. 	restrictions = get_restrictions()

  55. 	if not restrictions:

  56. 		return True

  57. 	

  58. 	fields_to_check = meta.get_restricted_fields(restrictions.keys())

  59. 	

  60. 	has_restricted_data = False

  61. 	for df in fields_to_check:

  62. 		if refdoc.get(df.fieldname) and refdoc.get(df.fieldname) not in restrictions[df.options]:

  63. 			if verbose:

  64. 				msg = "{not_allowed}: {doctype} {having} {label} = {value}".format(

  65. 					not_allowed=_("Sorry, you are not allowed to access"), doctype=_(df.options),

  66. 					having=_("having"), label=_(df.label), value=refdoc.get(df.fieldname))

  67. 			

  68. 				if refdoc.parentfield:

  69. 					msg = "{doctype}, {row} #{idx}, ".format(doctype=_(refdoc.doctype),

  70. 						row=_("Row"), idx=refdoc.idx) + msg

  71. 			

  72. 				msgprint(msg)

  73. 			

  74. 			has_restricted_data = True

  75. 	

  76. 	# check all restrictions before returning

  77. 	return False if has_restricted_data else True

  78. 

  79. def has_match(perms, refdoc):

  80. 	"""check owner match (if exists)"""

  81. 	for p in perms:

  82. 		if p.get("match")=="owner":

  83. 			if refdoc.get("owner")==webnotes.local.session.user:

  84. 				# owner matches :)

  85. 				return True

  86. 		else:

  87. 			# found a permission without owner match :)

  88. 			return True

  89. 	

  90. 	# no match :(

  91. 	return False

  92. 	

  93. def can_restrict_user(user, doctype, docname=None):

  94. 	if not can_restrict(doctype, docname):

  95. 		return False

  96. 		

  97. 	meta = webnotes.get_doctype(doctype)

  98. 	

  99. 	# check if target user does not have restrict permission

  100. 	if has_only_non_restrict_role(meta, user):

  101. 		return True

  102. 	

  103. 	return False

  104. 	

  105. def can_restrict(doctype, docname=None):

  106. 	# System Manager can always restrict

  107. 	if "System Manager" in webnotes.get_roles():

  108. 		return True

  109. 

  110. 	meta = webnotes.get_doctype(doctype)

  111. 	

  112. 	# check if current user has read permission for docname

  113. 	if docname and not has_permission(doctype, "read", docname):

  114. 		return False

  115. 

  116. 	# check if current user has a role with restrict permission

  117. 	if not has_restrict_permission(meta):

  118. 		return False

  119. 	

  120. 	return True

  121. 	

  122. def has_restrict_permission(meta=None, user=None):

  123. 	return any((perm for perm in get_user_perms(meta, "read", user)

  124. 		if cint(perm.restrict)==1))

  125. 	

  126. def has_only_non_restrict_role(meta, user):

  127. 	# check if target user does not have restrict permission

  128. 	if has_restrict_permission(meta, user):

  129. 		return False

  130. 	

  131. 	# and has non-restrict role

  132. 	return any((perm for perm in get_user_perms(meta, "read", user)

  133. 		if cint(perm.restrict)==0))

  134. 

  135. def can_import(doctype, raise_exception=False):

  136. 	if not ("System Manager" in webnotes.get_roles() or has_permission(doctype, "import")):

  137. 		if raise_exception:

  138. 			raise webnotes.PermissionError("You are not allowed to import: {doctype}".format(doctype=doctype))

  139. 		else:

  140. 			return False

  141. 	return True

  142. 	

  143. def can_export(doctype, raise_exception=False):

  144. 	if not ("System Manager" in webnotes.get_roles() or has_permission(doctype, "export")):

  145. 		if raise_exception:

  146. 			raise webnotes.PermissionError("You are not allowed to export: {doctype}".format(doctype=doctype))

  147. 		else:

  148. 			return False

  149. 	return True

  150.