
0001-api-add-parameters-to-filter-users-by-allowed-servic.patch

Benjamin Dauvergne, 03 juillet 2018 00:53



Subject: [PATCH] api: add parameters to filter users by allowed services
 (fixes #22377)

 src/authentic2/api_views.py                   | 10 +++++-
 .../migrations/0018_auto_20170524_0842.py     |  2 +-
 src/authentic2/models.py                      |  4 +--
 tests/test_api.py                             | 33 +++++++++++++++++++
 4 files changed, 45 insertions(+), 4 deletions(-)
src/authentic2/api_views.py
27 27

  
28 28
from .custom_user.models import User
29 29
from . import utils, decorators, attribute_kinds, app_settings, hooks
30
from .models import Attribute, PasswordReset
30
from .models import Attribute, PasswordReset, Service
31 31
from .a2_rbac.utils import get_default_ou
32 32

  
33 33

  
......
548 548
        if self.request.method == 'GET':
549 549
            qs = qs.prefetch_related('attribute_values', 'attribute_values__attribute')
550 550
        qs = self.request.user.filter_by_perm(['custom_user.view_user'], qs)
551
        # filter users authorized for a specified service
552
        if 'service-slug' in self.request.GET and 'service-ou' in self.request.GET:
553
            service_slug = self.request.GET['service-slug']
554
            service_ou = self.request.GET['service-ou']
555
            service = Service.objects.filter(slug=service_slug, ou__slug=service_ou).prefetch_related('authorized_roles').first()
556
            if service and service.authorized_roles.all():
557
                qs = qs.filter(roles__in=service.authorized_roles.children())
558
                qs = qs.distinct()
551 559
        new_qs = hooks.call_hooks_first_result('api_modify_queryset', self, qs)
552 560
        if new_qs is not None:
553 561
            return new_qs
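Review bot: An unknown `service-slug`/`service-ou` pair leaves `service` as None in the added block, so the `if service and ...` test is false and the request returns the full, unfiltered user list instead of an empty result or an error. Returning everyone for a service with no authorized roles matches `Service.authorize()` in models.py, but a lookup miss should fail closed, for example `if service is None: qs = qs.none()` ahead of the role check, or a 404/validation error. The same silent fall-through happens when only one of the two parameters is sent. The new test in tests/test_api.py exercises only existing services, so a case for a non-existent slug would pin the intended behaviour. The enclosing method starts and ends outside the hunk.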
src/authentic2/migrations/0018_auto_20170524_0842.py
33 33
        migrations.AddField(
34 34
            model_name='service',
35 35
            name='authorized_roles',
36
            field=models.ManyToManyField(related_name='authorized_roles', verbose_name='authorized services', to=settings.RBAC_ROLE_MODEL, through='authentic2.AuthorizedRole', blank=True),
36
            field=models.ManyToManyField(related_name='allowed_services', verbose_name='authorized services', to=settings.RBAC_ROLE_MODEL, through='authentic2.AuthorizedRole', blank=True),
37 37
        ),
38 38
    ]
src/authentic2/models.py
335 335
    authorized_roles = models.ManyToManyField(
336 336
        get_role_model_name(), verbose_name=_('authorized services'),
337 337
        through='AuthorizedRole', through_fields=('service', 'role'),
338
        related_name='authorized_roles', blank=True)
338
        related_name='allowed_services', blank=True)
339 339
    unauthorized_url = models.URLField(
340 340
        verbose_name=_('callback url when unauthorized'),
341 341
        max_length=256, null=True, blank=True)
......
377 377
    def authorize(self, user):
378 378
        if not self.authorized_roles.exists():
379 379
            return True
380
        if user.roles_and_parents().filter(authorized_roles=self).exists():
380
        if user.roles_and_parents().filter(allowed_services=self).exists():
381 381
            return True
382 382
        raise ServiceAccessDenied(service=self)
383 383

  
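Review bot: The reverse lookup used by `authorize()` is renamed from `authorized_roles` to `allowed_services`, and the visible diff updates only this one call site. Any other query that still filters roles with `authorized_roles=` or reads `.authorized_roles` on a role object would raise at runtime, so the rest of the tree is worth checking before merge (not visible here). Separately, `authorize()` returns True for every user when the service has no authorized roles. A one-line docstring would make that open-by-default rule explicit, such as `"""Return True when no role is required or the user holds an authorized role; raise ServiceAccessDenied otherwise."""`.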
tests/test_api.py
141 141
    assert resp.json['next'] is None
142 142

  
143 143

  
144
def test_api_users_list_by_authorized_service(app, superuser):
145
    from authentic2.models import Service
146

  
147
    app.authorization = ('Basic', (superuser.username, superuser.username))
148
    User = get_user_model()
149
    Role = get_role_model()
150

  
151
    user1 = User.objects.create(username='user1')
152
    user2 = User.objects.create(username='user2')
153
    user3 = User.objects.create(username='user3')
154

  
155
    role1 = Role.objects.create(name='role1')
156
    role2 = Role.objects.create(name='role2')
157
    role1.add_child(role2)
158
    user1.roles = [role1]
159
    user2.roles = [role2]
160

  
161
    service1 = Service.objects.create(ou=get_default_ou(), name='service1', slug='service1')
162
    service1.add_authorized_role(role1)
163

  
164
    service2 = Service.objects.create(ou=get_default_ou(), name='service2', slug='service2')
165

  
166
    resp = app.get('/api/users/')
167
    assert len(resp.json['results']) == 4
168

  
169
    resp = app.get('/api/users/?service-ou=default&service-slug=service1')
170
    assert len(resp.json['results']) == 2
171
    assert set(user['username'] for user in resp.json['results']) == set(['user1', 'user2'])
172

  
173
    resp = app.get('/api/users/?service-ou=default&service-slug=service2')
174
    assert len(resp.json['results']) == 4
175

  
176

  
144 177
def test_api_users_create(settings, app, api_user):
145 178
    from django.contrib.auth import get_user_model
146 179
    from authentic2.models import Attribute, AttributeValue
147
-