add site read only mode (wip) (#24)

CHANGELOG.rst

@@ -19,6 +19,10 @@ Added
     - App setting ``user_modifiable`` validation (#1536)
     - ``AppSettingAPI.get_all_by_scope()`` helper (#1534)
     - ``removeroles`` management command (#1391, #1541)
+    - Site read only mode (#21)
+    - ``site_read_only`` site app setting (#21)
+    - ``is_site_writable()`` rule predicate (#21)
+    - ``PermissionTestMixin.set_site_read_only()`` helper (#21)
 
 Changed
 -------

docs/source/major_changes.rst

@@ -16,6 +16,7 @@ v1.1.0 (WIP)
 Release Highlights
 ==================
 
+- Add site read-only mode
 - Add removeroles management command
 - Add app setting type constants
 - Add app setting definition as objects

projectroles/app_settings.py

@@ -131,6 +131,18 @@
         user_modifiable=True,
         global_edit=True,
     ),
+    PluginAppSettingDef(
+        name='site_read_only',
+        scope=APP_SETTING_SCOPE_SITE,
+        type=APP_SETTING_TYPE_BOOLEAN,
+        default=False,
+        label='Site read-only mode',
+        description='Set site in read-only mode. Data altering operations will '
+        'be prohibited. Mode must be explicitly unset to allow data'
+        'modification.',
+        user_modifiable=True,
+        global_edit=False,
+    ),
 ]
 
 

projectroles/rules.py

@@ -2,8 +2,13 @@
 
 from django.conf import settings
 
+from projectroles.app_settings import AppSettingAPI
 from projectroles.models import RoleAssignment, SODAR_CONSTANTS
 
+
+app_settings = AppSettingAPI()
+
+
 # SODAR constants
 PROJECT_ROLE_OWNER = SODAR_CONSTANTS['PROJECT_ROLE_OWNER']
 PROJECT_ROLE_DELEGATE = SODAR_CONSTANTS['PROJECT_ROLE_DELEGATE']
@@ -108,7 +113,9 @@ def has_roles(user):
 @rules.predicate
 def is_modifiable_project(user, obj):
     """Whether or not project metadata is modifiable"""
-    return False if obj.is_remote() else True
+    if obj.is_remote() or app_settings.get('projectroles', 'site_read_only'):
+        return False
+    return True
 
 
 @rules.predicate
@@ -117,16 +124,20 @@ def can_modify_project_data(user, obj):
     Whether or not project app data can be modified, due to e.g. project
     archiving status.
     """
-    return not obj.archive
+    return not obj.archive and not app_settings.get(
+        'projectroles', 'site_read_only'
+    )
 
 
 @rules.predicate
 def can_create_projects(user, obj):
-    """Whether or not new projects can be generated on the site"""
+    """Whether or not new projects can be created on the site"""
     if settings.PROJECTROLES_SITE_MODE == SITE_MODE_TARGET and (
         not settings.PROJECTROLES_TARGET_CREATE or (obj and obj.is_remote())
     ):
         return False
+    if app_settings.get('projectroles', 'site_read_only'):
+        return False
     return True
 
 
@@ -154,6 +165,12 @@ def is_target_site():
     return settings.PROJECTROLES_SITE_MODE == SITE_MODE_TARGET
 
 
+@rules.predicate
+def is_site_writable():
+    """Return True if site has not been set in read-only mode"""
+    return not app_settings.get('projectroles', 'site_read_only')
+
+
 # Combined predicates ----------------------------------------------------------
 
 
@@ -186,18 +203,21 @@ def is_target_site():
 # Allow project updating
 rules.add_perm(
     'projectroles.update_project',
-    is_project_update_user,
+    is_project_update_user & is_site_writable,
 )
 
 # Allow creation of projects
 rules.add_perm(
     'projectroles.create_project', is_project_create_user & can_create_projects
 )
 
+# Allow viewing PROJECT scope settings
+rules.add_perm('projectroles.view_project_settings', is_project_update_user)
+
 # Allow updating project settings
 rules.add_perm(
     'projectroles.update_project_settings',
-    is_role_update_user & is_modifiable_project,
+    is_project_update_user & is_modifiable_project,
 )
 
 # Allow viewing project roles
@@ -241,3 +261,9 @@ def is_target_site():
 rules.add_perm(
     'projectroles.view_hidden_projects', rules.is_superuser | is_project_owner
 )
+
+# Allow starring/unstarring a project
+rules.add_perm(
+    'projectroles.star_project',
+    (can_view_project | has_category_child_role) & is_site_writable,
+)