0001-api-add-parameters-to-filter-users-by-allowed-servic.patch

Benjamin Dauvergne, 03 mai 2018 16:57



Subject: [PATCH] api: add parameters to filter users by allowed services
 (fixes #22377)

 src/authentic2/api_views.py                   |  8 ++++++
 .../migrations/0018_auto_20170524_0842.py     |  2 +-
 src/authentic2/models.py                      |  4 +--
 tests/test_api.py                             | 28 +++++++++++++++++++
 4 files changed, 39 insertions(+), 3 deletions(-)
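--- a/src/authentic2/api_views.py
+++ b/src/authentic2/api_views.py
@@ -548,6 +548,14 @@
         if self.request.method == 'GET':
             qs = qs.prefetch_related('attribute_values', 'attribute_values__attribute')
         qs = self.request.user.filter_by_perm(['custom_user.view_user'], qs)
+        # filter users authorized for a specified service
+        if 'service-slug' in self.request.GET and 'service-ou' in self.request.GET:
+            service_slug = self.request.GET['service-slug']
+            service_ou = self.request.GET['service-ou']
+            qs = (qs.filter(roles__allowed_services__slug=service_slug, roles__allowed_services__ou__slug=service_ou)
+                  | qs.filter(roles__parent_relation__parent__allowed_services__slug=service_slug,
+                              roles__parent_relation__parent__allowed_services__ou__slug=service_ou))
+            qs = qs.distinct()
         new_qs = hooks.call_hooks_first_result('api_modify_queryset', self, qs)
         if new_qs is not None:
             return new_qs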
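Review bot: The new filter on `service-slug`/`service-ou` is applied only when both parameters are present, so a request carrying just one of them (or a misspelt name) silently falls through and returns the full permission-filtered user list; for a caller that relies on the result to decide who may use a service, that is a fail-open default. Consider rejecting the half-specified case explicitly, e.g. testing `('service-slug' in self.request.GET) != ('service-ou' in self.request.GET)` and answering with a 400 instead of ignoring the lone parameter. The result also differs from `Service.authorize()` shown in models.py on this page, which allows every user when a service has no authorized roles, whereas this filter would match none; a comment such as `# unlike Service.authorize(), a service without authorized roles matches no user` would make that explicit. The enclosing method starts and ends outside the hunk, so any earlier handling of these parameters is not visible here.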
src/authentic2/migrations/0018_auto_20170524_0842.py
33 33
        migrations.AddField(
34 34
            model_name='service',
35 35
            name='authorized_roles',
36
            field=models.ManyToManyField(related_name='authorized_roles', verbose_name='authorized services', to=settings.RBAC_ROLE_MODEL, through='authentic2.AuthorizedRole', blank=True),
36
            field=models.ManyToManyField(related_name='allowed_services', verbose_name='authorized services', to=settings.RBAC_ROLE_MODEL, through='authentic2.AuthorizedRole', blank=True),
37 37
        ),
38 38
    ]
src/authentic2/models.py
335 335
    authorized_roles = models.ManyToManyField(
336 336
        get_role_model_name(), verbose_name=_('authorized services'),
337 337
        through='AuthorizedRole', through_fields=('service', 'role'),
338
        related_name='authorized_roles', blank=True)
338
        related_name='allowed_services', blank=True)
339 339
    unauthorized_url = models.URLField(
340 340
        verbose_name=_('callback url when unauthorized'),
341 341
        max_length=256, null=True, blank=True)
......
377 377
    def authorize(self, user):
378 378
        if not self.authorized_roles.exists():
379 379
            return True
380
        if user.roles_and_parents().filter(authorized_roles=self).exists():
380
        if user.roles_and_parents().filter(allowed_services=self).exists():
381 381
            return True
382 382
        raise ServiceAccessDenied(service=self)
383 383

  
tests/test_api.py
141 141
    assert resp.json['next'] is None
142 142

  
143 143

  
144
def test_api_users_list_by_authorized_service(app, superuser):
145
    from authentic2.models import Service
146

  
147
    app.authorization = ('Basic', (superuser.username, superuser.username))
148
    User = get_user_model()
149
    Role = get_role_model()
150

  
151
    user1 = User.objects.create(username='user1')
152
    user2 = User.objects.create(username='user2')
153
    user3 = User.objects.create(username='user3')
154

  
155
    role1 = Role.objects.create(name='role1')
156
    role2 = Role.objects.create(name='role2')
157
    role1.add_child(role2)
158
    user1.roles = [role1]
159
    user2.roles = [role2]
160

  
161
    service = Service.objects.create(ou=get_default_ou(), name='service', slug='service')
162
    service.add_authorized_role(role1)
163

  
164
    resp = app.get('/api/users/')
165
    assert len(resp.json['results']) == 4
166

  
167
    resp = app.get('/api/users/?service-ou=default&service-slug=service')
168
    assert len(resp.json['results']) == 2
169
    assert set(user['username'] for user in resp.json['results']) == set(['user1', 'user2'])
170

  
171

  
144 172
def test_api_users_create(settings, app, api_user):
145 173
    from django.contrib.auth import get_user_model
146 174
    from authentic2.models import Attribute, AttributeValue
147
-