Projet

Général

Profil

0001-manager-do-not-use-has_any_perm-to-get-add-permissio.patch

Benjamin Dauvergne, 08 décembre 2017 00:55

Télécharger (1,32 ko)

Voir les différences: 

Subject: [PATCH] manager: do not use has_any_perm() to get add permission on
 roles (fixes #20512)

This is a temporary fix, the real fix would be to create a real permission to
manage members of a roles so that role's admin roles would not have the admin
permission but the manage-members permission, so that for an user which can just
manager members of a role, request.user.has_any_perm('a2_rbac.add_role') would
return False, currently it returns True but it has no meaning.

 src/authentic2/manager/role_views.py | 5 +++++
 1 file changed, 5 insertions(+)
src/authentic2/manager/role_views.py
62 62 
        kwargs['queryset'] = self.get_queryset()
63 63 
        return kwargs
64 64 

  		




  
  65
  
    
    def authorize(self, request, *args, **kwargs):

  		




  
  66
  
    
        super(RolesView, self).authorize(request, *args, **kwargs)

  		




  
  67
  
    
        self.can_add = bool(request.user.ous_with_perm('a2_rbac.add_role'))

  		




  
  68
  
    

  		




  
  69
  
    

  		




  65
  70
  
    
listing = RolesView.as_view()

  		




  66
  71
  
    

  		




  67
  72
  
    

  		




  68
  
  
    
-