add permissions digest

config/settings/base.py

@@ -392,8 +392,14 @@
         "task": "documentcloud.addons.tasks.dispatch_events",
         "schedule": crontab(minute="*/5"),
     },
+    "permission_digest": {
+        "task": "documentcloud.users.tasks.permission_digest",
+        "schedule": crontab(day_of_week="mon", hour=7, minute=0),
+    },
 }
 
+PERMISSIONS_DIGEST_EMAILS = env.list("PERMISSIONS_DIGEST_EMAILS", default=[])
+
 # django-compressor
 # ------------------------------------------------------------------------------
 # https://django-compressor.readthedocs.io/en/latest/quickstart/#installation

documentcloud/templates/users/email/permissions.html

@@ -0,0 +1,70 @@
+{% extends "core/email/base.html" %}
+
+{% block body %}
+  <h1>DocumentCloud Permissions Digest</h1>
+
+  <h2>Superusers</h2>
+  <p>The following users are implicitly granted all permissions:</p>
+  <ul>
+    {% for user in superusers %}
+      <li>
+        <a href="{% url "admin:users_user_change" user.pk %}">
+          {{ user.username }}
+        </a>
+      </li>
+    {% endfor %}
+  </ul>
+
+  <h2>Staff</h2>
+  <p>The following users are may access the Django backend:</p>
+  <ul>
+    {% for user in staff %}
+      <li>
+        <a href="{% url "admin:users_user_change" user.pk %}">
+          {{ user.username }}
+        </a>
+      </li>
+    {% endfor %}
+  </ul>
+
+  <h2>Groups</h2>
+  <p>
+    All groups and which users they include.  You may check the permissions
+    they grant on the backend.
+  </p>
+  {% for group in groups %}
+    <h3>
+        <a href="{% url "admin:auth_group_change" group.pk %}">
+          {{ group.name }}
+        </a>
+    </h3>
+    <ul>
+      {% for user in group.user_set.all %}
+        <li>
+          <a href="{% url "admin:users_user_change" user.pk %}">
+            {{ user.username }}
+          </a>
+        </li>
+      {% endfor %}
+    </ul>
+  {% endfor %}
+
+  {% if user_permissions %}
+    <h2>Individual Permissions</h2>
+    <p>
+      The following users are assigned individual permissions.  All permissions
+      should be assigned through groups.
+    </p>
+    <ul>
+      {% for user_perm in user_permissions %}
+        <li>
+          <a href="{% url "admin:users_user_change" user_perm.user.pk %}">
+            {{ user_perm.user.username }}
+          </a> &mdash;
+          {{ user_perm.permission }}
+        </li>
+      {% endfor %}
+    </ul>
+  {% endif %}
+
+{% endblock %}

documentcloud/users/mail.py

@@ -0,0 +1,33 @@
+# Django
+from django.conf import settings
+from django.contrib.auth.models import Group
+
+# Standard Library
+from datetime import date
+
+# DocumentCloud
+from documentcloud.core.mail import Email
+from documentcloud.users.models import User
+
+
+class PermissionsDigest(Email):
+    """A digest that provides an overview of who has what permissions"""
+
+    template = "users/email/permissions.html"
+
+    def __init__(self, **kwargs):
+        kwargs["subject"] = f"{date.today()} DocumentCloud Permissions Digest"
+        kwargs["to"] = settings.PERMISSIONS_DIGEST_EMAILS
+        kwargs["extra_context"] = self.get_context()
+        super().__init__(**kwargs)
+
+    def get_context(self):
+        return {
+            "superusers": User.objects.filter(is_superuser=True),
+            "staff": User.objects.filter(is_staff=True),
+            "groups": Group.objects.prefetch_related("user_set"),
+            "user_permissions": User.user_permissions.through.objects.select_related(
+                "user",
+                "permission",
+            ),
+        }

documentcloud/users/tasks.py

@@ -0,0 +1,10 @@
+# Django
+from celery import shared_task
+
+# DocumentCloud
+from documentcloud.users.mail import PermissionsDigest
+
+
+@shared_task
+def permission_digest():
+    PermissionsDigest().send()