adding initial migrations to create custom permissions and grant them to groups and users

1771d546 · Tanner Prestegard · GraceDB · 7fcc6e39 · 1771d546 · 1771d546
Commit 1771d546 authored 7 years ago by Tanner Prestegard Committed by GraceDB 7 years ago
--- a/migrations/auth/0009_set_auth_user_charset.py
+++ b/migrations/auth/0009_set_auth_user_charset.py
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-11-06 15:15
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+from django.contrib.auth.models import User
+
+# Sets the auth_user table to use utf-8 for the
+# charset and collation.  Otherwise you can get annoying warnings
+# like 'incorrect string value from the Django mysql backend when
+# saving users with accented characters in their names.
+#
+# We don't use the "correct" format for inserting parameters in the raw
+# SQL query, but that's because apparently you can't do that with the
+# table name itself.  I don't see how there could be an SQL injection attack
+# through the migrations, so I'm going to pronounce this safe.
+
+# Table name
+TABLE_NAME = User._meta.db_table
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('auth', '0008_auto_20171020_1045'),
+    ]
+
+    operations = [
+        migrations.RunSQL(
+            ["ALTER TABLE {table_name} DEFAULT CHARACTER SET UTF8".format(
+                table_name=TABLE_NAME)],
+            ["ALTER TABLE {table_name} CONVERT TO CHARACTER SET UTF8".format(
+                table_name=TABLE_NAME)],
+        )
+    ]
--- a/migrations/auth/0009_initial_group_data.py
+++ b/migrations/auth/0009_initial_group_data.py
@@ -40,7 +40,7 @@ def remove_groups(apps, schema_editor):
 class Migration(migrations.Migration):

    dependencies = [
-        ('auth', '0008_auto_20171020_1045'),
+        ('auth', '0009_set_auth_user_charset'),
    ]

    operations = [

--- a/migrations/auth/0011_add_executives_group_permissions.py
+++ b/migrations/auth/0011_add_executives_group_permissions.py
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-10-30 20:31
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+# Adds table-level permissions for executive group - 
+# allows the addition and deletion of row-level permissions.
+# Specifically, it's used to allow executives to expose/hide events
+# from other groups (currently LV-EM, maybe the public in the future)
+
+# Group names and permission codenames
+GROUPS = [
+    {
+        'name': 'executives',
+        'permissions': [
+            'add_groupobjectpermission',
+            'delete_groupobjectpermission',
+        ]
+    },
+]
+
+def add_perms(apps, schema_editor):
+    Group = apps.get_model('auth', 'Group')
+    Permission = apps.get_model('auth', 'Permission')
+
+    # Add permissions
+    for group_dict in GROUPS:
+        group, created = Group.objects.get_or_create(name=group_dict['name'])
+
+        for perm_codename in group_dict['permissions']:
+            p = Permission.objects.get(codename=perm_codename)
+            group.permissions.add(p)
+
+def remove_perms(apps, schema_editor):
+    Group = apps.get_model('auth', 'Group')
+    Permission = apps.get_model('auth', 'Permission')
+
+    # Remove permissions
+    for group_dict in GROUPS:
+        try:
+            group = Group.objects.get(name=group_dict['name'])
+        except Group.DoesNotExist:
+            print("Error getting group {0}, skipping permission removal" \
+                .format(group_dict['name']))
+            break
+
+        for perm_codename in group_dict['permissions']:
+            p = Permission.objects.get(codename=perm_codename)
+            group.permissions.remove(p)
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('auth', '0010_initial_group_data'),
+        ('guardian', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.RunPython(add_perms, remove_perms)
+    ]
--- a/migrations/auth/0012_create_custom_permissions.py
+++ b/migrations/auth/0012_create_custom_permissions.py
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-10-27 19:57
+from __future__ import unicode_literals
+
+from django.db import migrations
+
+# Creates custom table-level permissions for viewing events, adding events to
+# specific pipelines, and t90-ing grbevents.
+
+# Permission names, codenames, and corresponding content types
+PERMISSIONS = [
+    {
+        'name': 'Can view event',
+        'codename': 'view_event',
+        'content_type': {'app': 'gracedb', 'model': 'event'},
+    },
+    {
+        'name': 'Can view grbevent',
+        'codename': 'view_grbevent',
+        'content_type': {'app': 'gracedb', 'model': 'GrbEvent'},
+    },
+    {
+        'name': 'Can view coincinspiralevent',
+        'codename': 'view_coincinspiralevent',
+        'content_type': {'app': 'gracedb', 'model': 'CoincInspiralEvent'},
+    },
+    {
+        'name': 'Can view multiburstevent',
+        'codename': 'view_multiburstevent',
+        'content_type': {'app': 'gracedb', 'model': 'MultiBurstEvent'},
+    },
+    {
+        'name': 'Can view siminspiral',
+        'codename': 'view_siminspiralevent',
+        'content_type': {'app': 'gracedb', 'model': 'SimInspiralEvent'},
+    },
+    {
+        'name': 'Can view lalinferenceburstevent',
+        'codename': 'view_lalinferenceburstevent',
+        'content_type': {'app': 'gracedb', 'model': 'LalInferenceBurstEvent'},
+    },
+    {
+        'name': 'Can populate pipeline',
+        'codename': 'populate_pipeline',
+        'content_type': {'app': 'gracedb', 'model': 'Pipeline'},
+    },
+    {
+        'name': 'Can t90 grbevent',
+        'codename': 't90_grbevent',
+        'content_type': {'app': 'gracedb', 'model': 'GrbEvent'},
+    },
+]
+
+def create_permissions(apps, schema_editor):
+    Permission = apps.get_model('auth', 'Permission')
+    ContentType = apps.get_model('contenttypes', 'ContentType')
+
+    # Create permissions
+    for perm_dict in PERMISSIONS:
+        model = apps.get_model(perm_dict['content_type']['app'],
+            perm_dict['content_type']['model'])
+        ctype = ContentType.objects.get_for_model(model)
+        perm, created = Permission.objects.get_or_create(name=perm_dict['name'],
+            codename=perm_dict['codename'], content_type=ctype)
+
+def delete_permissions(apps, schema_editor):
+    Permission = apps.get_model('auth', 'Permission')
+    ContentType = apps.get_model('contenttypes', 'ContentType')
+
+    # Delete permissions
+    for perm_dict in PERMISSIONS:
+        try:
+            ctype = ContentType.objects.get(app_label=perm_dict['content_type']['app'],
+                model=perm_dict['content_type']['model'])
+            perm = Permission.objects.get(name=perm_dict['name'],
+                codename=perm_dict['codename'], content_type=ctype)
+        except ContentType.DoesNotExist:
+            print(("Error: can't get ContentType {0}.{1} to delete Permission "
+                "{2}, skipping").format(perm_dict['content_type']['app'],
+                perm_dict['content_type']['model'], perm_dict['codename']))
+            break
+        except Permission.DoesNotExist:
+            print("Error: can't get Permission {0} to delete, skipping".format(
+                perm_dict['codename']))
+            break
+            
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('gracedb', '0001_initial'),
+        ('auth', '0011_add_executives_group_permissions'),
+    ]
+
+    operations = [
+        migrations.RunPython(create_permissions, delete_permissions)
+    ]
--- a/migrations/auth/0013_add_user_t90_grbevent_permissions.py
+++ b/migrations/auth/0013_add_user_t90_grbevent_permissions.py
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-11-02 19:14
+from __future__ import unicode_literals
+
+from django.db import migrations
+
+# Gives users table-level permissions to t90 grbevents.
+# List is based on what's currently in the production database (27 Oct 2017)
+
+# List of usernames
+USERS = [
+    'robert.coyne@LIGO.ORG',
+    'alexander.urban@LIGO.ORG',
+    'branson.stephens@LIGO.ORG',
+    'chance.norris@LIGO.ORG',
+    'xingjiang.zhu@LIGO.ORG',
+    'dipongkar.talukder@LIGO.ORG',
+    'eric.howell@LIGO.ORG',
+    'mark.poe@LIGO.ORG',
+    'david.coward@LIGO.ORG',
+]
+
+def add_perms(apps, schema_editor):
+    User = apps.get_model('auth', 'User')
+    Permission = apps.get_model('auth', 'Permission')
+
+    t90_perm = Permission.objects.get(codename='t90_grbevent')
+    for username in USERS:
+        user, created = User.objects.get_or_create(username=username)
+
+        # Add permission
+        user.user_permissions.add(t90_perm)
+
+def remove_perms(apps, schema_editor):
+    User = apps.get_model('auth', 'User')
+    Permission = apps.get_model('auth', 'Permission')
+
+    t90_perm = Permission.objects.get(codename='t90_grbevent')
+    for username in USERS:
+        try:
+            user = User.objects.get(username=username)
+        except User.DoesNotExist:
+            print('User {0} not found to remove permissions, skipping' \
+                .format(username))
+            break
+
+        # Remove permission
+        if t90_perm in user.user_permissions.all():
+            user.user_permissions.remove(t90_perm)
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('auth', '0012_create_custom_permissions'),
+    ]
+
+    operations = [
+        migrations.RunPython(add_perms, remove_perms)
+    ]
--- a/migrations/auth/0014_add_user_permissions_on_groupobjectpermissions.py
+++ b/migrations/auth/0014_add_user_permissions_on_groupobjectpermissions.py
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-11-02 19:26
+from __future__ import unicode_literals
+
+from django.db import migrations
+
+# Gives users table-level permissions which allows the addition and deletion
+# of row-level permissions (again, used for exposing/hiding events).
+
+# List of usernames
+USERS = [
+    'min-a.cho@LIGO.ORG',
+    'gracedb.processor',
+]
+
+# List of permission codenames
+PERMS = [
+    'add_groupobjectpermission',
+    'delete_groupobjectpermission',
+]
+
+def add_perms(apps, schema_editor):
+    User = apps.get_model('auth', 'User')
+    Permission = apps.get_model('auth', 'Permission')
+
+    for username in USERS:
+        user, created = User.objects.get_or_create(username=username)
+
+        # Add permission
+        for perm in PERMS:
+            perm = Permission.objects.get(codename=perm)
+            user.user_permissions.add(perm)
+
+def remove_perms(apps, schema_editor):
+    User = apps.get_model('auth', 'User')
+    Permission = apps.get_model('auth', 'Permission')
+
+    perm_list = Permission.objects.filter(codename__in=PERMS)
+    for username in USERS:
+        try:
+            user = User.objects.get(username=username)
+        except User.DoesNotExist:
+            print('User {0} not found to remove permissions, skipping' \
+                .format(username))
+            break
+ 
+        # Remove perms from user
+        for perm in perm_list:
+            if perm in user.user_permissions.all():
+                user.user_permissions.remove(perm)
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('guardian', '0001_initial'),
+        ('auth', '0013_add_user_t90_grbevent_permissions'),
+        ('ligoauth', '0003_initial_localuser_and_x509cert_data'),
+    ]
+
+    operations = [
+        migrations.RunPython(add_perms, remove_perms)
+    ]