Skip to content

onconova.core.auth.models

CanManageCasesProperty

Bases: AnnotationGetterMixin, QueryableProperty

A queryable property that determines whether a user can manage cases.

This property evaluates several conditions to grant case management permissions: - The user is a service account. - The user has an access level greater than or equal to 2. - The user is a superuser. - The user has a valid ProjectDataManagerGrant.

Returns:

Type Description
bool

Boolean indicating if the user can manage cases.

get_annotation(cls)

Source code in onconova/core/auth/models.py 
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
def get_annotation(self, cls):
    from onconova.research.models.project import ProjectDataManagerGrant

    return Case(
        When(is_service_account=True, then=True),
        When(
            Q(access_level__gte=2)
            | Q(is_superuser=True)
            | Exists(
                ProjectDataManagerGrant.objects.filter(
                    member=OuterRef("pk"), is_valid=True
                )[:1]
            ),
            then=True,
        ),
        default=False,
        output_field=models.BooleanField(),
    )

QueryablePropertiesUserManager

Bases: UserManager, QueryablePropertiesManager

Custom user manager that combines the functionality of UserManager and QueryablePropertiesManager.

This manager enables querying user properties using advanced queryable properties features, while retaining all standard user management capabilities.

Inherits

UserManager: Provides standard user management operations. QueryablePropertiesManager: Adds support for queryable properties on user models.

User

Bases: AbstractUser

Custom User model extending Django's AbstractUser, with additional fields and properties for access control and user metadata.

Attributes:

Name Type Description
id UUIDField

Primary key, unique identifier for the user.
full_name AnnotationProperty

Computed full name from first and last name, or username if missing.
is_service_account BooleanField

Indicates if the user is a technical service account.
title CharField

Personal title of the user.
organization CharField

Organization to which the user belongs.
department CharField

Department within the organization.
access_level IntegerField

Numeric access level (0-4) representing user permissions.
role MappingProperty

Maps access_level to a human-readable role.
is_provided AnnotationProperty

Indicates if the user's identity is provided by an external provider.
provider AnnotationProperty

Name of the external provider if applicable.
can_view_cases AnnotationProperty

Indicates if the user can view cases (min_access_level=1).
can_view_projects AnnotationProperty

Indicates if the user can view projects (min_access_level=1).
can_view_cohorts AnnotationProperty

Indicates if the user can view cohorts (min_access_level=1).
can_view_users AnnotationProperty

Indicates if the user can view users (min_access_level=1).
can_view_datasets AnnotationProperty

Indicates if the user can view datasets (min_access_level=1).
can_export_data AnnotationProperty

Indicates if the user can export data (min_access_level=2).
can_manage_projects AnnotationProperty

Indicates if the user can manage projects (min_access_level=2).
can_delete_projects AnnotationProperty

Indicates if the user can delete projects (min_access_level=3).
can_delete_cohorts AnnotationProperty

Indicates if the user can delete cohorts (min_access_level=3).
can_delete_datasets AnnotationProperty

Indicates if the user can delete datasets (min_access_level=3).
can_manage_users AnnotationProperty

Indicates if the user can manage users (min_access_level=3).
is_system_admin AnnotationProperty

Indicates if the user is a system administrator (min_access_level=4).
can_manage_cases CanManageCasesProperty

Indicates if the user can manage patient data.

Methods:

Name Description
construct_permission_field_from_access_level

Static method to construct permission annotation properties based on access level.
__str__

Returns the username as string representation.
save

Ensures superusers have the highest access level before saving.
Constraints

access_level must be between 0 and 4 (inclusive).

access_level class-attribute instance-attribute

can_delete_cohorts class-attribute instance-attribute

can_delete_datasets class-attribute instance-attribute

can_delete_projects class-attribute instance-attribute

can_export_data class-attribute instance-attribute

can_manage_cases class-attribute instance-attribute

can_manage_projects class-attribute instance-attribute

can_manage_users class-attribute instance-attribute

can_view_cases class-attribute instance-attribute

can_view_cohorts class-attribute instance-attribute

can_view_datasets class-attribute instance-attribute

can_view_projects class-attribute instance-attribute

can_view_users class-attribute instance-attribute

department class-attribute instance-attribute

external_source class-attribute instance-attribute

external_source_id class-attribute instance-attribute

full_name class-attribute instance-attribute

id class-attribute instance-attribute

is_provided class-attribute instance-attribute

is_service_account class-attribute instance-attribute

is_system_admin class-attribute instance-attribute

objects class-attribute instance-attribute

organization class-attribute instance-attribute

provider class-attribute instance-attribute

role class-attribute instance-attribute

shareable class-attribute instance-attribute

title class-attribute instance-attribute

AccessRoles

Bases: TextChoices

Enumeration of access roles within the system.

Attributes:

Name Type Description
EXTERNAL

Represents an external user with limited access.
MEMBER

Represents a standard member with regular access.
PROJECT_MANAGER

Represents a user with project management privileges.
PLATFORM_MANAGER

Represents a user with platform management privileges.
SYSTEM_ADMIN

Represents a system administrator with full access.

EXTERNAL class-attribute instance-attribute

MEMBER class-attribute instance-attribute

PLATFORM_MANAGER class-attribute instance-attribute

PROJECT_MANAGER class-attribute instance-attribute

SYSTEM_ADMIN class-attribute instance-attribute

Meta

constraints class-attribute instance-attribute

__str__()

Source code in onconova/core/auth/models.py 
279
280
def __str__(self):
    return self.username

construct_permission_field_from_access_level(min_access_level, action) staticmethod

Constructs an annotation property representing a permission field based on the minimum access level and action.

Parameters:

Name Type Description Default

min_access_level

int

The minimum required access level for the permission.

 required

action

str

The action for which the permission is being checked (e.g., 'edit', 'delete').

 required

Returns:

Type Description
AnnotationProperty

An annotation property that evaluates to True if the user's access level is greater than or equal to the specified minimum or if the user is a superuser; otherwise, False. The property is annotated with a verbose name describing the action.
Source code in onconova/core/auth/models.py 
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
@staticmethod
def construct_permission_field_from_access_level(min_access_level, action):
    """
    Constructs an annotation property representing a permission field based on the minimum access level and action.

    Args:
        min_access_level (int): The minimum required access level for the permission.
        action (str): The action for which the permission is being checked (e.g., 'edit', 'delete').

    Returns:
        (AnnotationProperty): An annotation property that evaluates to True if the user's access level is greater than or equal to the specified minimum or if the user is a superuser; otherwise, False. The property is annotated with a verbose name describing the action.
    """
    return AnnotationProperty(
        verbose_name=_(f"Can {action}"),
        annotation=Case(
            When(
                Q(access_level__gte=min_access_level) | Q(is_superuser=True),
                then=True,
            ),
            default=False,
            output_field=models.BooleanField(),
        ),
    )

save(*args, **kwargs)

Saves the current instance to the database.

If the user is a superuser, sets the access_level to 4 before saving. Calls the parent class's save method to perform the actual save operation.

Parameters:

Name Type Description Default

args

tuple

Variable length argument list.

 ()

kwargs

dict

Arbitrary keyword arguments.

 {}
Source code in onconova/core/auth/models.py 
282
283
284
285
286
287
288
289
290
291
292
293
294
295
def save(self, *args, **kwargs):
    """
    Saves the current instance to the database.

    If the user is a superuser, sets the access_level to 4 before saving.
    Calls the parent class's save method to perform the actual save operation.

    Args:
        args (tuple): Variable length argument list.
        kwargs (dict): Arbitrary keyword arguments.
    """
    if self.is_superuser:
        self.access_level = 4
    super().save(*args, **kwargs)
runner