From 977b457d5ce7661e8b4680d5543ad4d31063dcf1 Mon Sep 17 00:00:00 2001
From: Alejandro Sirgo Rica <asirgo@soleta.eu>
Date: Tue, 25 Jun 2024 17:29:02 +0200
Subject: ogcp: add user permission mechanism

Add a new user permission system to control the allowed operations
accessible from each account.

Add a permission matrix editable through the user/add and user/edit
views. The permission matrix has client, center, room, folder, image
and repository as permission targets and add, update and delete as
permission types.

Restrict each view based on the user permissions, hide all actions
from not autheticated users.

permissions defined in the class UserForm.

Serialize each user permissions into ogcp.json as:
{
  ...
  "USERS" [
    {
      "USER": "admin"
      ...
      "PERMISSIONS": {
        "CLIENT": {
          "ADD": true,
          "UPDATE": true,
          "DELETE": true,
        },
        ... <- same structure for "CENTER", "ROOM", "FOLDER", "IMAGE"
               and "REPOSITORY"
      }
    },
    ...
  ],
  ...
}

Grant all the permissions to old user configuration to not disrupt their
workflow. The administrator will need to assign the permissions for each
user.

Ignore scope and permission restrictions for admin users.

Save permissions and scopes even if the user is admin to account for the
case of a temporal admin promotion without losing the previous
configuration.

Use template inheritance for add_user.html and edit_user.html to prevent
big code duplication with the new HTML code to render the permission
matrix.

Make user administration an admin only feature.

Define methods get_permission and target_is_disabled to improve readability
in template conditionals that disable features based on user permissions.
---
 ogcp/models.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'ogcp/models.py')

diff --git a/ogcp/models.py b/ogcp/models.py
index d27b869..ef050ed 100644
--- a/ogcp/models.py
+++ b/ogcp/models.py
@@ -8,7 +8,18 @@
 from flask_login import UserMixin
 
 class User(UserMixin):
-    def __init__(self, username, scopes, admin):
+    def __init__(self, username, scopes, admin, permissions):
         self.id = username
         self.scopes = scopes
         self.admin = admin
+        self.permissions = permissions
+
+    def get_permission(self, target, action):
+        if self.admin or not target in self.permissions:
+            return True
+        return self.permissions[target].get(action, True)
+
+    def target_is_disabled(self, target):
+        if self.admin or not target in self.permissions or not self.permissions[target]:
+            return False
+        return all(value == False for value in self.permissions[target].values())
-- 
cgit v1.2.3-18-g5258