Some tip when working with the permission system.
These don't directly apply to the mountindex command since we don't have a way to know which user is accesing the mounted index. But for the normal web stuff here is how to filter data:
Don't specify the role label or the permission name, the role label might get updated by another user and the permission name could change between releases (unlikely but possible). Use the filter_by_access method of the AccessControlList manager.
filtered_queryset = AccessControlList.objects.filter_by_access(
permission=permission_document_view, user=self.request.user,
queryset=queryset
)
The permission is obtiained by importing from the .permissions.py module found in each app. This code here filters the queryset of documents and allows only those for this the user currently logged (obtained from self.request, the HTTP request object). The filter code first check if the use has the global permission assigned (document view for all documents). And then iterates over all the groups and roles to which the user belongs as an user can inherit the permission by subscription to a role or an ACL. If the are no permissions in any of the user's roles, the queryset is returned empty.
If you just want to know if an user can or cannot to an action use the "check_access" method.
AccessControlList.objects.check_access(
permissions=permission_document_view, user=request.user,
obj=self.document
)
If works in the same way. First check for a global permission and then for the permission in each role and then for the ACLs. If not permission is found the method raised the PERMISSION_DENIED expection and the user interface redirects to the insufficient permission template.
It would be great to find a way to find which OS user is trying to access a document from a mounted index and correlate with the Mayan user in the database to be able to do dynamic filesystem filtering.