S3Permission: fix inconsistency with table rules (restricted tables

should never fall back to the page rule), BRCMS: fix realm entity,
update permissions, allow OrgGroupAdmin to manage global taxonomies

VERSION

@@ -1 +1 @@
-nursix-dev-2804-g1178a62 (2019-04-09 11:41:44)
+nursix-dev-2805-g3622f57 (2019-04-09 15:58:59)

controllers/br.py

@@ -20,8 +20,12 @@ def index():
 def index_alt():
     """ Default Module Homepage """
 
-    # Just redirect to list of current cases
-    s3_redirect_default(URL(f="person", vars={"closed": "0"}))
+    from gluon import current
+    if current.auth.s3_has_permission("read", "pr_person", c="br", f="person"):
+        # Just redirect to list of current cases
+        s3_redirect_default(URL(f="person", vars={"closed": "0"}))
+
+    return {"module_name": settings.modules["br"].name_nice}
 
 # =============================================================================
 # Case File and Component Tabs

languages/de.py

@@ -523,6 +523,8 @@
 'Assigned to me': 'Mir zugeordnet',
 'Assigned to': 'Zugeordnet zu',
 'Assigned': 'Zugeordnet',
+'Assistance Statuses': 'Maßnahmenstatus',
+'Assistance Types': 'Maßnahmenarten',
 'Assume this event type if no type was specified for an event': 'Diesen Ereignistyp annehmen wenn für ein Ereignis kein Typ angegeben wurde',
 'Asylum Application': 'Asylantrag',
 'Asylum Process': 'Asylverfahren',
@@ -740,6 +742,7 @@
 'Capturing the projects each organization is providing and where': 'Erfassen der Projekte, die von jeder Organisation bereitgestellt werden und wo',
 'Cardiology': 'Kardiologie',
 'Cargo Pier Depth': 'Wassertiefe Frachtpier',
+'Case Activity Statuses': 'Aktivitätsstatus',
 'Case Archived': 'Fall Archiviert',
 'Case Closed': 'Fall Abgeschlossen',
 'Case Consulting': 'Fallberatung',
@@ -748,6 +751,7 @@
 'Case Flag added': 'Fall Flagge hinzugefügt',
 'Case Flag updated': 'Fall Flagge aktualisiert',
 'Case Flags': 'Fall Flaggen',
+'Case Management': 'Fallmanagement',
 'Case Number': 'Fallnummer',
 'Case Statistic': 'Fallstatistik',
 'Case Status upon Completion': 'Fallstatus nach Durchführung',
@@ -4915,6 +4919,7 @@
 'The server did not receive a timely response from another server that it was accessing to fill the request by the browser.': 'Der Server hat keine rechtzeitige Antwort von einem anderen Server erhalten, um die Anfrage des Clients beantworten zu können.',
 'The server received an incorrect response from another server that it was accessing to fill the request by the browser.': 'Der Server hat eine ungültige Antwort von einem anderen Server erhalten, dass er zugreift um die Anfrage vom Browser zu erfüllen.',
 'The site where this position is based.': 'Das Gelände auf dem dieser Standort/Gebiet liegt.',
+'The staff member managing this activity': 'Der für diese Aktivität zuständige Mitarbeiter',
 'The staff responsibile for Facilities can make Requests for assistance. Commitments can be made against these Requests however the requests remain open until the requestor confirms that the request is complete.': 'Die zuständigen Mitarbeiter für Anlagen können Hilfe anfordern. Bezüglich dieser Anfragen können Zusagen gemacht werden. Diese bleiben solange offen, bis der Anforderer bestätigt, dass die Anfrage erfüllt ist.',
 'The subject event no longer poses a threat or concern and any follow on action is described in <instruction>': 'Das genannte Ereignis stellt keine Bedrohung oder Sorge mehr dar und jede nachfolgende Aktion is unter <instruction> beschrieben.',
 'The time at which the Event started.': 'Die Zeit zu der das Ereignis startete.',

modules/s3/s3aaa.py

@@ -492,7 +492,8 @@ def login_bare(self, username, password):
         return False
 
     # -------------------------------------------------------------------------
-    def set_cookie(self):
+    @staticmethod
+    def set_cookie():
         """
             Set a Cookie to the client browser so that we know this user has
             registered & so we should present them with a login form instead
@@ -4773,18 +4774,17 @@ def s3_has_membership(self, group_id=None, user_id=None, role=None):
         except:
             group_id = self.id_group(group_id) # interpret group_id as a role
 
-        if self.s3_has_role(group_id):
-            r = True
-        else:
-            r = False
+        has_role = self.s3_has_role(group_id)
 
         log = self.messages.has_membership_log
         if log:
             if not user_id and self.user:
                 user_id = self.user.id
-            self.log_event(log, dict(user_id=user_id,
-                                     group_id=group_id, check=r))
-        return r
+            self.log_event(log, {"user_id": user_id,
+                                 "group_id":group_id,
+                                 "check": has_role,
+                                 })
+        return has_role
 
     # Override original method
     has_membership = s3_has_membership
@@ -4878,7 +4878,8 @@ def s3_session_owns(self, table, record_id):
         return False
 
     # -------------------------------------------------------------------------
-    def s3_clear_session_ownership(self, table=None, record_id=None):
+    @staticmethod
+    def s3_clear_session_ownership(table=None, record_id=None):
         """
             Removes session ownership for a record
 
@@ -5243,7 +5244,8 @@ def set_realm_entity(self, table, records, entity=0, force_update=False):
         return
 
     # -------------------------------------------------------------------------
-    def get_realm_entity(self, table, record, entity=0):
+    @staticmethod
+    def get_realm_entity(table, record, entity=0):
         """
             Lookup the realm entity for a record
 
@@ -5296,7 +5298,8 @@ def get_realm_entity(self, table, record, entity=0):
         return realm_entity
 
     # -------------------------------------------------------------------------
-    def update_shared_fields(self, table, record, **data):
+    @staticmethod
+    def update_shared_fields(table, record, **data):
         """
             Update the shared fields in data in all super-entity rows linked
             with this record.
@@ -5315,7 +5318,7 @@ def update_shared_fields(self, table, record, **data):
         if not isinstance(super_entities, (list, tuple)):
             super_entities = [super_entities]
 
-        tables = dict()
+        tables = {}
         load = s3db.table
         super_key = s3db.super_key
         for se in super_entities:
@@ -5867,7 +5870,8 @@ def delete_acl(self, group,
     # -------------------------------------------------------------------------
     # Record Ownership
     # -------------------------------------------------------------------------
-    def get_owners(self, table, record):
+    @staticmethod
+    def get_owners(table, record):
         """
             Get the entity/group/user owning a record
 
@@ -5977,11 +5981,7 @@ def is_owner(self, table, record, owners=None, strict=False):
                 record_id = record[table._id.name]
             else:
                 record_id = record
-            if auth.s3_session_owns(table, record_id):
-                # Session owns record
-                return True
-            else:
-                return False
+            return auth.s3_session_owns(table, record_id)
 
         # Individual record ownership
         if owner_user and owner_user == user_id:
@@ -6004,10 +6004,7 @@ def is_owner(self, table, record, owners=None, strict=False):
                     append(r)
 
         # Ownership based on user role
-        if owner_group and owner_group in roles:
-            return True
-        else:
-            return False
+        return bool(owner_group and owner_group in roles)
 
     # -------------------------------------------------------------------------
     def owner_query(self,
@@ -6126,7 +6123,8 @@ def owner_query(self,
         return query
 
     # -------------------------------------------------------------------------
-    def realm_query(self, table, entities):
+    @staticmethod
+    def realm_query(table, entities):
         """
             Returns a query to select the records owned by one of the entities.
 
@@ -7028,21 +7026,22 @@ def rule_type(r):
 
         # Default page ACL
         if "c" in acl:
-            if "f" in acl:
-                default_page_acl = acl["f"]
-            else:
-                default_page_acl = acl["c"]
+            default_page_acl = acl["f"] if "f" in acl else acl["c"]
         elif page_restricted:
             default_page_acl = NONE
         else:
             default_page_acl = ALL
 
         # Default table ACL
         if "t" in acl:
+            # If we have a table rule, apply it
             default_table_acl = acl["t"]
-        elif table_restricted:
-            default_table_acl = default_page_acl if page_restricted else NONE
+        elif self.use_tacls and table_restricted:
+            # A restricted table is not accessible on any page without an
+            # explicit table rule (once explicit => always explicit!)
+            default_table_acl = NONE
         else:
+            # An unrestricted table is accessible under the page rule
             default_table_acl = default_page_acl if page_restricted else ALL
 
         # No ACLs inevitably causes a "no applicable ACLs" permission failure,