Filtering a document queryset on the ACL/role name

[LeVon Smoker]

How can I do this? I intend to make my own version of the mountindex command that would allow filtering documents based on a role. I assume it's like filtering on a Generic Relation, but I can't figure it out...

https://docs.djangoproject.com/en/1.11/ref/contrib/contenttypes/#django.contrib.contenttypes.fields.GenericRelation

[LeVon Smoker]

I figured it out eventually. In the mirroring/management/commands/mountindex.py, I added...

acls = AccessControlList.objects.filter(role__label='My Role', permissions__name='document_view')
queryset = queryset.filter(acls__in=acls)

[Roberto Rosario]

Makes sense to filter documents. An ideal solution would be to correlation the OS username to a Mayan user to inherit the permission. Or in the mean time a filtering method via the mountindex command line to avoid needing to change the code. Your question brings an interesting proposition to the mountindex feature.

[LeVon Smoker]

I ended up creating my own version of the mountindex management command in a custom app

[LeVon Smoker]

And it would be neat to have some document info/metadata be made available as extended file attributes through listxattr and getxattr...

[Roberto Rosario]

That is a fantastic idea and a good candidate for a MERC proposal (http://docs.mayan-edms.com/en/stable/mercs/)

Some tip when working with the permission system.

These don't directly apply to the mountindex command since we don't have a way to know which user is accesing the mounted index. But for the normal web stuff here is how to filter data:

Don't specify the role label or the permission name, the role label might get updated by another user and the permission name could change between releases (unlikely but possible). Use the filter_by_access method of the AccessControlList manager.

        filtered_queryset = AccessControlList.objects.filter_by_access(

            permission=permission_document_view, user=self.request.user,

            queryset=queryset

        )

The permission is obtiained by importing from the .permissions.py module found in each app. This code here filters the queryset of documents and allows only those for this the user currently logged (obtained from self.request, the HTTP request object). The filter code first check if the use has the global permission assigned (document view for all documents). And then iterates over all the groups and roles to which the user belongs as an user can inherit the permission by subscription to a role or an ACL. If the are no permissions in any of the user's roles, the queryset is returned empty.

If you just want to know if an user can or cannot to an action use the "check_access" method. 

        AccessControlList.objects.check_access(

            permissions=permission_document_view, user=request.user,

            obj=self.document

        )

If works in the same way. First check for a global permission and then for the permission in each role and then for the ACLs. If not permission is found the method raised the PERMISSION_DENIED expection and the user interface redirects to the insufficient permission template.

It would be great to find a way to find which OS user is trying to access a document from a mounted index and correlate with the Mayan user in the database to be able to do dynamic filesystem filtering.