feat(access): Enable Objects from global organization to be viewable by user with the permission

ref: #448 #459
2025-01-03 12:14:26 +09:30
parent 0d5f329146
commit dd72843ffb
5 changed files with 35 additions and 4 deletions

View File

@ -361,9 +361,19 @@ class OrganizationMixin:
return has_permission
from settings.models.app_settings import AppSettings
app_settings = AppSettings.objects.get(
owner_organization = None
)
for team in self.get_user_teams( user = self.request.user ):
if team.organization.id == int(organization):
if(
team.organization.id == int(organization)
or getattr(app_settings.global_organization, 'id', 0) == int(organization)
):
for permission in team.permissions.all():
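Review bot: the widened `if(` condition lets every team the user belongs to contribute its full `team.permissions.all()` set whenever `organization` is the global organization, and nothing in the visible lines limits that to `view` permissions. The documentation added in this same commit says `add`, `change` and `delete` must be granted within the global organization itself, so the global branch should only accept permissions whose action is `view`, or be split into its own branch that filters on it. Separately, `AppSettings.objects.get( owner_organization = None )` raises if the row is missing or duplicated, so any check that reaches this line fails with an exception; catch that and treat it as "no global organization". The `getattr(..., 'id', 0)` default is then compared against `int(organization)`; comparing against `None` and skipping the clause when no global organization is set avoids an accidental match on `0`.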

View File

@ -276,6 +276,11 @@ class OrganizationPermissionMixin(
object_organization: int = getattr(view.get_obj_organization( obj = obj ), 'id', None)
from settings.models.app_settings import AppSettings
app_settings = AppSettings.objects.get(
owner_organization = None
)
if object_organization:
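Review bot: the `AppSettings.objects.get(...)` lookup sits above `if object_organization:`, so it issues a query on every object permission check, including those where the object has no organization, and an unhandled `DoesNotExist` or `MultipleObjectsReturned` here fails the whole check. Move the lookup inside the branch, handle the missing-row case, and share one helper with the identical lookup added to `OrganizationMixin` instead of repeating the function-level import in both places.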
@ -283,6 +288,7 @@ class OrganizationPermissionMixin(
object_organization
in view.get_permission_organizations( view.get_permission_required() )
or request.user.is_superuser
or getattr(app_settings.global_organization, 'id', 0) == int(object_organization)
):
return True
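Review bot: the added `or getattr(app_settings.global_organization, 'id', 0) == int(object_organization)` clause reaches `return True` for any object in the global organization without consulting `view.get_permission_required()` or anything about the user, unlike the first clause of the same condition. As written in this hunk that holds regardless of whether the required permission is `view`, `change` or `delete`, and regardless of whether the user holds the `view` permission in any organization, which is broader than what the access documentation in this commit describes. Suggest accepting the global match only when the required permission is a `view` permission and the user holds it in at least one organization (if `view.get_permission_organizations(...)` returns the organizations where the user has the permission, a non-empty result would express that). None of the hunks in this commit adds a test; a case where a user with only `add` or `change` in another organization is denied on a global-organization object would pin the intended behaviour.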

View File

@ -34,3 +34,11 @@ Unlike filesystem based permssions, Centurion ERP permissions are not inclusive,
- To `view` an item you must have its corresponding `view` permission
The exclusitvity is that each of the permissions listed above, dont include an assumed permission. For instance if you have the `add` permission for an item, you will not be able to view it. That would require the `view` permission.
### Gloabl Organization
If the webmaster has setup Centurion ERP to have a [global organization](../settings/app_settings.md#global-organization), as long as the user has the a `view` permission for the model in question in **any** organization, they will be able to view that item within the global organization. This is not the same for the other permissions: `add`, `change` and `delete`. To which they must be granted those permissions within the global organization exclusively.
!!! tip
User `A` is in organization `A` and the webmaster has setup Centurion to use organization `B` as the global organization. If user `A` has been granted permission `itam.view_software` in organization `A` they will be able to view software within both organization `A` and `B`.
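Review bot: the new heading is spelled `### Gloabl Organization`, which also makes the generated anchor `#gloabl-organization`; correct it to "Global" here together with the link that targets it. The paragraph also reads "has the a `view` permission", and the fragment beginning "To which they must be granted" should be joined to the sentence before it. Since this paragraph documents cross-organization read access, it is worth saying explicitly that it applies to every item stored in the global organization, so an administrator can judge what becomes visible before enabling the setting.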

View File

@ -9,6 +9,13 @@ about: https://gitlab.com/nofusscomputing/infrastructure/configuration-managemen
Application settings contain global settings that are applicable to the entire application. Only a super admin can change these settings.
## Global Organization
A Global organization is where **ALL** items that the webmaster has configured as global are placed. This Organization's purpose is the single location where items are saved to if they are set as global via the application settings.
A global organizations permissions work slightly different than other organizations. Please see [permissions](../access/index.md#gloabl-organization) for more details.
## Global Software
It's possible to enforce that all software is set as global. On defining this setting you must set an organization that the global software will be created in. Then when any software is created it will be set to global and saved to the global organization regardless of the users selected settings.
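Review bot: the link `../access/index.md#gloabl-organization` carries the misspelled anchor from the heading added in the access documentation, so correcting only one side breaks the link; fix both in the same change. "A global organizations permissions work slightly different" also needs the possessive ("organization's") and "differently".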

View File

@ -40,16 +40,16 @@ lint: markdown-mkdocs-lint
test:
cd app
pytest --cov --cov-report term --cov-report xml:../artifacts/coverage_unit_functional.xml --cov-report html:../artifacts/coverage/unit_functional/ --junit-xml=../artifacts/unit_functional.JUnit.xml **/tests/unit **/tests/functional
pytest -s --cov --cov-report term --cov-report xml:../artifacts/coverage_unit_functional.xml --cov-report html:../artifacts/coverage/unit_functional/ --junit-xml=../artifacts/unit_functional.JUnit.xml **/tests/unit **/tests/functional
test-functional:
cd app
pytest --cov --cov-report term --cov-report xml:../artifacts/coverage_functional.xml --cov-report html:../artifacts/coverage/functional/ --junit-xml=../artifacts/functional.JUnit.xml **/tests/functional
pytest -s --cov --cov-report term --cov-report xml:../artifacts/coverage_functional.xml --cov-report html:../artifacts/coverage/functional/ --junit-xml=../artifacts/functional.JUnit.xml **/tests/functional
test-unit:
cd app
pytest --cov --cov-report term --cov-report xml:../artifacts/coverage_unit.xml --cov-report html:../artifacts/coverage/unit/ --junit-xml=../artifacts/unit.JUnit.xml **/tests/unit
pytest -s --cov --cov-report term --cov-report xml:../artifacts/coverage_unit.xml --cov-report html:../artifacts/coverage/unit/ --junit-xml=../artifacts/unit.JUnit.xml **/tests/unit
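Review bot: adding `-s` to all three `pytest` invocations disables output capture, which is unrelated to the access change named in the commit message and sends every test's stdout into the CI log. If it was added for debugging, drop it before merge, or move it to its own commit with the reason stated; it can still be passed on the command line when needed locally.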