0001-api-add-parameters-to-filter-users-by-allowed-servic.patch
src/authentic2/api_views.py | ||
---|---|---|
27 | 27 | |
28 | 28 |
from .custom_user.models import User |
29 | 29 |
from . import utils, decorators, attribute_kinds, app_settings, hooks |
30 |
from .models import Attribute, PasswordReset |
|
30 |
from .models import Attribute, PasswordReset, Service
|
|
31 | 31 |
from .a2_rbac.utils import get_default_ou |
32 | 32 | |
33 | 33 | |
... | ... | |
548 | 548 |
if self.request.method == 'GET': |
549 | 549 |
qs = qs.prefetch_related('attribute_values', 'attribute_values__attribute') |
550 | 550 |
qs = self.request.user.filter_by_perm(['custom_user.view_user'], qs) |
551 |
# filter users authorized for a specified service |
|
552 |
if 'service-slug' in self.request.GET and 'service-ou' in self.request.GET: |
|
553 |
service_slug = self.request.GET['service-slug'] |
|
554 |
service_ou = self.request.GET['service-ou'] |
|
555 |
service = Service.objects.filter(slug=service_slug, ou__slug=service_ou).prefetch_related('authorized_roles').first() |
|
556 |
if service and service.authorized_roles.all(): |
|
557 |
qs = qs.filter(roles__in=service.authorized_roles.children()) |
|
558 |
qs = qs.distinct() |
|
551 | 559 |
new_qs = hooks.call_hooks_first_result('api_modify_queryset', self, qs) |
552 | 560 |
if new_qs is not None: |
553 | 561 |
return new_qs |
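Review bot: The new filter at lines 552–558 fails open: when no Service matches the given slug/ou pair, `service` is None and the request silently returns the full (permission-filtered) user list, which is the same result as for a service that has no authorized roles, so a mistyped or stale slug is indistinguishable from "everyone allowed". Consider `else: qs = qs.none()` when the lookup returns None (or a 400 response) and pinning that case in test_api_users_list_by_authorized_service, which only covers an existing service with and without roles. The same guard also drops the filter silently when only one of `service-slug`/`service-ou` is supplied. `service.authorized_roles.all()` evaluates the prefetched queryset just for truthiness; `.exists()` reads more clearly but would cost an extra query given the prefetch, so the current form is defensible with a short comment saying so. The enclosing method starts before line 548, so its full return path is not visible here.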
src/authentic2/migrations/0018_auto_20170524_0842.py | ||
---|---|---|
33 | 33 |
migrations.AddField( |
34 | 34 |
model_name='service', |
35 | 35 |
name='authorized_roles', |
36 |
field=models.ManyToManyField(related_name='authorized_roles', verbose_name='authorized services', to=settings.RBAC_ROLE_MODEL, through='authentic2.AuthorizedRole', blank=True),
|
|
36 |
field=models.ManyToManyField(related_name='allowed_services', verbose_name='authorized services', to=settings.RBAC_ROLE_MODEL, through='authentic2.AuthorizedRole', blank=True),
|
|
37 | 37 |
), |
38 | 38 |
] |
src/authentic2/models.py | ||
---|---|---|
335 | 335 |
authorized_roles = models.ManyToManyField( |
336 | 336 |
get_role_model_name(), verbose_name=_('authorized services'), |
337 | 337 |
through='AuthorizedRole', through_fields=('service', 'role'), |
338 |
related_name='authorized_roles', blank=True)
|
|
338 |
related_name='allowed_services', blank=True)
|
|
339 | 339 |
unauthorized_url = models.URLField( |
340 | 340 |
verbose_name=_('callback url when unauthorized'), |
341 | 341 |
max_length=256, null=True, blank=True) |
... | ... | |
377 | 377 |
def authorize(self, user): |
378 | 378 |
if not self.authorized_roles.exists(): |
379 | 379 |
return True |
380 |
if user.roles_and_parents().filter(authorized_roles=self).exists():
|
|
380 |
if user.roles_and_parents().filter(allowed_services=self).exists():
|
|
381 | 381 |
return True |
382 | 382 |
raise ServiceAccessDenied(service=self) |
383 | 383 |
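Review bot: `authorize()` at lines 377–382 has no docstring, and after the rename its query is the mirror of the new API filter in api_views.py (`roles_and_parents()` intersected with `allowed_services` here, `authorized_roles.children()` there), so the two must agree on how role inheritance is resolved; a one-line docstring makes that contract explicit, e.g. `"""Return True when the service has no authorized roles or the user holds one of them (directly or via one of the user's parent roles); otherwise raise ServiceAccessDenied."""`. The `related_name` change on line 338 renames a reverse accessor, so any other query spelled with `authorized_roles=` from the Role side outside this diff would fail only at runtime rather than at import; it is worth a grep before merging.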
tests/test_api.py | ||
---|---|---|
141 | 141 |
assert resp.json['next'] is None |
142 | 142 | |
143 | 143 | |
144 |
def test_api_users_list_by_authorized_service(app, superuser): |
|
145 |
from authentic2.models import Service |
|
146 | ||
147 |
app.authorization = ('Basic', (superuser.username, superuser.username)) |
|
148 |
User = get_user_model() |
|
149 |
Role = get_role_model() |
|
150 | ||
151 |
user1 = User.objects.create(username='user1') |
|
152 |
user2 = User.objects.create(username='user2') |
|
153 |
user3 = User.objects.create(username='user3') |
|
154 | ||
155 |
role1 = Role.objects.create(name='role1') |
|
156 |
role2 = Role.objects.create(name='role2') |
|
157 |
role1.add_child(role2) |
|
158 |
user1.roles = [role1] |
|
159 |
user2.roles = [role2] |
|
160 | ||
161 |
service1 = Service.objects.create(ou=get_default_ou(), name='service1', slug='service1') |
|
162 |
service1.add_authorized_role(role1) |
|
163 | ||
164 |
service2 = Service.objects.create(ou=get_default_ou(), name='service2', slug='service2') |
|
165 | ||
166 |
resp = app.get('/api/users/') |
|
167 |
assert len(resp.json['results']) == 4 |
|
168 | ||
169 |
resp = app.get('/api/users/?service-ou=default&service-slug=service1') |
|
170 |
assert len(resp.json['results']) == 2 |
|
171 |
assert set(user['username'] for user in resp.json['results']) == set(['user1', 'user2']) |
|
172 | ||
173 |
resp = app.get('/api/users/?service-ou=default&service-slug=service2') |
|
174 |
assert len(resp.json['results']) == 4 |
|
175 | ||
176 | ||
144 | 177 |
def test_api_users_create(settings, app, api_user): |
145 | 178 |
from django.contrib.auth import get_user_model |
146 | 179 |
from authentic2.models import Attribute, AttributeValue |
147 |
- |