src/pyams_security/zmi/security.py
changeset 42 07229ac2497b
parent 34 b84b491ea8bd
child 44 b999bd4dd461
--- a/src/pyams_security/zmi/security.py	Wed May 20 12:31:27 2015 +0200
+++ b/src/pyams_security/zmi/security.py	Wed Jun 17 09:59:18 2015 +0200
@@ -16,25 +16,36 @@
 # import standard library
 
 # import interfaces
-from pyams_security.interfaces import IDefaultProtectionPolicy, IProtectedObject
+from pyams_form.interfaces.form import IInnerSubForm
+from pyams_security.interfaces import IDefaultProtectionPolicy, IProtectedObject, IRole
 from pyams_skin.layer import IPyAMSLayer
 from pyams_zmi.interfaces.menu import IPropertiesMenu
 from pyams_zmi.layer import IAdminLayer
+from z3c.form.interfaces import DISPLAY_MODE, INPUT_MODE
 
 # import packages
-from pyams_form.form import AJAXEditForm
+from pyams_form.form import AJAXEditForm, InnerEditForm
 from pyams_pagelet.pagelet import pagelet_config
-from pyams_skin.viewlet.menu import MenuItem
+from pyams_skin.viewlet.menu import MenuItem, MenuDivider
+from pyams_utils.adapter import adapter_config
+from pyams_utils.registry import get_utility
 from pyams_viewlet.viewlet import viewlet_config
 from pyams_zmi.form import AdminDialogEditForm
 from pyramid.view import view_config
 from z3c.form import field
+from zope.interface import Interface
 
 from pyams_security import _
 
 
+@viewlet_config(name='protected-object-roles.divider', context=IDefaultProtectionPolicy, layer=IAdminLayer,
+                manager=IPropertiesMenu, permission='system.view', weight=899)
+class ProtectedObjectRolesMenuDivider(MenuDivider):
+    """Protected object roles menu divider"""
+
+
 @viewlet_config(name='protected-object-roles.menu', context=IDefaultProtectionPolicy, layer=IAdminLayer,
-                manager=IPropertiesMenu, permission='system.view', weight=10)
+                manager=IPropertiesMenu, permission='system.view', weight=900)
 class ProtectedObjectRolesMenuItem(MenuItem):
     """Protected object roles menu item"""
 
@@ -49,32 +60,67 @@
 class ProtectedObjectRolesEditForm(AdminDialogEditForm):
     """Protected object roles edit form"""
 
-    @property
-    def title(self):
-        return self.context.title
+    legend = None
+    fieldset_class = 'no-padding'
+
+    fields = field.Fields(Interface)
+    ajax_handler = 'protected-object-roles.json'
+    edit_permission = None
+
 
-    legend = _("Edit local roles")
+@adapter_config(name='security.subform',
+                context=(IDefaultProtectionPolicy, IPyAMSLayer, ProtectedObjectRolesEditForm),
+                provides=IInnerSubForm)
+class ProtectedObjectSecuritySubform(InnerEditForm):
+    """Protected object security sub-form"""
+
+    legend = _("Security management")
     icon_css_class = 'fa fa-fw fa-key'
     label_css_class = 'control-label col-md-4'
     input_css_class = 'col-md-8'
 
-    ajax_handler = 'protected-object-roles.json'
-    edit_permission = 'system.manage'
-
-    @property
-    def fields(self):
-        fields = field.Fields(IProtectedObject) + \
-                 field.Fields(self.context.roles_interface)
-        return fields
+    fields = field.Fields(IProtectedObject)
+    edit_permission = 'security.manage'
+    weight = 1
 
     def updateWidgets(self, prefix=None):
-        super(ProtectedObjectRolesEditForm, self).updateWidgets()
+        super(ProtectedObjectSecuritySubform, self).updateWidgets()
         translate = self.request.localizer.translate
         self.widgets['everyone_permissions'].noValueMessage = translate(_("(inherit from parent)"))
         self.widgets['authenticated_permissions'].noValueMessage = translate(_("(inherit from parent)"))
 
 
+@adapter_config(name='roles.subform',
+                context=(IDefaultProtectionPolicy, IPyAMSLayer, ProtectedObjectRolesEditForm),
+                provides=IInnerSubForm)
+class ProtectedObjectRolesSubform(InnerEditForm):
+    """Protected object roles edit form"""
+
+    legend = _("Granted roles")
+    icon_css_class = 'fa fa-fw fa-users'
+
+    @property
+    def fields(self):
+        return field.Fields(self.context.roles_interface)
+
+    edit_permission = 'security.manage_roles'
+    weight = 2
+
+    def updateWidgets(self, prefix=None):
+        super(ProtectedObjectRolesSubform, self).updateWidgets(prefix)
+        if self.mode == DISPLAY_MODE:
+            return
+        principals = self.request.effective_principals
+        for widget in self.widgets.values():
+            widget.mode = DISPLAY_MODE
+            role = get_utility(IRole, name=widget.field.role_id)
+            if role.managers:
+                for manager in role.managers:
+                    if manager in principals:
+                        widget.mode = INPUT_MODE
+
+
 @view_config(name='protected-object-roles.json', context=IDefaultProtectionPolicy, request_type=IPyAMSLayer,
-             permission='system.manage', renderer='json', xhr=True)
+             permission='security.manage', renderer='json', xhr=True)
 class ProtectedObjectRolesAJAXEditForm(AJAXEditForm, ProtectedObjectRolesEditForm):
     """Protected object roles edit form, AJAX view"""