diff --git a/config/settings/base.py b/config/settings/base.py
index 1f9650b7..495bac91 100644
--- a/config/settings/base.py
+++ b/config/settings/base.py
@@ -392,8 +392,14 @@
"task": "documentcloud.addons.tasks.dispatch_events",
"schedule": crontab(minute="*/5"),
},
+ "permission_digest": {
+ "task": "documentcloud.users.tasks.permission_digest",
+ "schedule": crontab(day_of_week="mon", hour=7, minute=0),
+ },
}
+PERMISSIONS_DIGEST_EMAILS = env.list("PERMISSIONS_DIGEST_EMAILS", default=[])
+
# django-compressor
# ------------------------------------------------------------------------------
# https://django-compressor.readthedocs.io/en/latest/quickstart/#installation
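Review bot: `PERMISSIONS_DIGEST_EMAILS` defaults to `[]` while the `permission_digest` beat entry is scheduled unconditionally, so a deployment that never sets the variable runs the weekly audit with no recipients and nobody is told. Because this digest is an access-review control, a silent no-op is the failure mode to avoid. Either have `permission_digest` in `documentcloud/users/tasks.py` log a warning and return early when the list is empty, or at least add a comment here such as `# An empty list means the weekly permissions digest is sent to nobody`. How the project's `Email` class treats an empty `to` is not visible in this diff, so the exact behaviour should be confirmed.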
diff --git a/documentcloud/templates/users/email/permissions.html b/documentcloud/templates/users/email/permissions.html
new file mode 100644
index 00000000..83076e79
--- /dev/null
+++ b/documentcloud/templates/users/email/permissions.html
@@ -0,0 +1,70 @@
+{% extends "core/email/base.html" %}
+
+{% block body %}
+
DocumentCloud Permissions Digest
+
+ Superusers
+ The following users are implicitly granted all permissions:
+
+
+ Staff
+ The following users are may access the Django backend:
+
+
+ Groups
+
+ All groups and which users they include. You may check the permissions
+ they grant on the backend.
+
+ {% for group in groups %}
+
+
+ {% endfor %}
+
+ {% if user_permissions %}
+ Individual Permissions
+
+ The following users are assigned individual permissions. All permissions
+ should be assigned through groups.
+
+
+ {% endif %}
+
+{% endblock %}
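Review bot: The Staff paragraph reads "The following users are may access the Django backend"; the stray "are" should be dropped, giving `The following users may access the Django backend:`. The list markup is not visible in this rendering of the hunk, so it could not be checked whether each entry shows enough to identify the account unambiguously to the person reviewing the digest.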
diff --git a/documentcloud/users/mail.py b/documentcloud/users/mail.py
new file mode 100644
index 00000000..18fbc6a9
--- /dev/null
+++ b/documentcloud/users/mail.py
@@ -0,0 +1,33 @@
+# Django
+from django.conf import settings
+from django.contrib.auth.models import Group
+
+# Standard Library
+from datetime import date
+
+# DocumentCloud
+from documentcloud.core.mail import Email
+from documentcloud.users.models import User
+
+
+class PermissionsDigest(Email):
+ """A digest that provides an overview of who has what permissions"""
+
+ template = "users/email/permissions.html"
+
+ def __init__(self, **kwargs):
+ kwargs["subject"] = f"{date.today()} DocumentCloud Permissions Digest"
+ kwargs["to"] = settings.PERMISSIONS_DIGEST_EMAILS
+ kwargs["extra_context"] = self.get_context()
+ super().__init__(**kwargs)
+
+ def get_context(self):
+ return {
+ "superusers": User.objects.filter(is_superuser=True),
+ "staff": User.objects.filter(is_staff=True),
+ "groups": Group.objects.prefetch_related("user_set"),
+ "user_permissions": User.user_permissions.through.objects.select_related(
+ "user",
+ "permission",
+ ),
+ }
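Review bot: The `superusers` and `staff` querysets in `get_context` do not look at `is_active`, so deactivated accounts are listed under "implicitly granted all permissions" even though Django's default backend grants nothing to inactive users. For an access review, either filter them out with `User.objects.filter(is_superuser=True, is_active=True)`, or keep them and pass the flag through so the template can mark them as inactive but still privileged on reactivation. None of the four querysets has an explicit `order_by`, so the listing order may change between weekly digests and make comparison harder; this is worth pinning unless the models already define a default ordering. `get_context` also has no docstring; something like `"""Collect superusers, staff, groups and direct permission grants for the digest."""` would do.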
diff --git a/documentcloud/users/tasks.py b/documentcloud/users/tasks.py
new file mode 100644
index 00000000..758e637c
--- /dev/null
+++ b/documentcloud/users/tasks.py
@@ -0,0 +1,10 @@
+# Django
+from celery import shared_task
+
+# DocumentCloud
+from documentcloud.users.mail import PermissionsDigest
+
+
+@shared_task
+def permission_digest():
+ PermissionsDigest().send()
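Review bot: The `# Django` group comment sits above `from celery import shared_task`, which is a Celery import rather than a Django one; the label should name the right group, in keeping with the labelled import groups in `documentcloud/users/mail.py`. `permission_digest` also has no docstring; a one-liner such as `"""Send the permissions digest to settings.PERMISSIONS_DIGEST_EMAILS"""` would tell whoever reads the beat schedule what the task does and where it goes.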