0001-WIP-support-OU-automatic-roles-20690.patch

Paul Marillonnet, 18 juillet 2018 17:55

Voir les différences: en ligne côte à côte

Subject: [PATCH] WIP support OU automatic roles (#20690)

 src/authentic2/a2_rbac/apps.py            |  15 +-
 src/authentic2/a2_rbac/models.py          | 165 +++++++++++-----------
 src/authentic2/a2_rbac/signal_handlers.py |  18 +++
 tests/test_a2_rbac.py                     |  41 ++++++
 4 files changed, 156 insertions(+), 83 deletions(-)

         def ready(self):
             from . import signal_handlers, models
             from django.db.models.signals import post_save, post_migrate, pre_save, \
                 post_delete
                 post_delete, m2m_changed
             from django.contrib.contenttypes.models import ContentType
             from django.contrib.auth import get_user_model
             from authentic2.models import Service
             from authentic2.a2_rbac.models import OrganizationalUnit
             User = get_user_model()
             #xxx missing user pre save here
             # update ou roles on user post save
             post_save.connect(
                 signal_handlers.update_roles_on_user_post_save,
                 sender=User)
             # update ou roles on OU automatic roles changes
             m2m_changed.connect(
                 signal_handlers.update_roles_on_ou_automatic_roles_changed,
                 sender=OrganizationalUnit.automatic_roles.through)
             # update rbac on save to contenttype, ou and roles
             post_save.connect(
                 signal_handlers.update_rbac_on_ou_post_save,

     from . import managers, fields
     class OrganizationalUnit(OrganizationalUnitAbstractBase):
         username_is_unique = models.BooleanField(
             blank=True,
             default=False,
             verbose_name=_('Username is unique'))
         email_is_unique = models.BooleanField(
             blank=True,
             default=False,
             verbose_name=_('Email is unique'))
         default = fields.UniqueBooleanField(
             verbose_name=_('Default organizational unit'))
         validate_emails = models.BooleanField(
             blank=True,
             default=False,
             verbose_name=_('Validate emails'))
         admin_perms = GenericRelation(rbac_utils.get_permission_model_name(),
                                       content_type_field='target_ct',
                                       object_id_field='target_id')
         objects = managers.OrganizationalUnitManager()
         class Meta:
             verbose_name = _('organizational unit')
             verbose_name_plural = _('organizational units')
             ordering = ('name',)
             unique_together = (
                 ('name',),
                 ('slug',),
+            )
         def clean(self):
             # if we set this ou as the default one, we must unset the other one if
             # there is
             if self.default:
                 qs = self.__class__.objects.filter(default=True)
                 if self.pk:
                     qs = qs.exclude(pk=self.pk)
                 qs.update(default=None)
             if self.pk and not self.default \
                and self.__class__.objects.get(pk=self.pk).default:
                 raise ValidationError(_('You cannot unset this organizational '
                                         'unit as the default, but you can set '
                                         'another one as the default.'))
             super(OrganizationalUnit, self).clean()
         def get_admin_role(self):
             '''Get or create the generic admin role for this organizational
                unit.
             '''
             name = _('Managers of "{ou}"').format(ou=self)
             slug = '_a2-managers-of-{ou.slug}'.format(ou=self)
             return Role.objects.get_admin_role(
                 instance=self, name=name, slug=slug, operation=VIEW_OP,
                 update_name=True, update_slug=True)
         def delete(self, *args, **kwargs):
             Permission.objects.filter(ou=self).delete()
             return super(OrganizationalUnitAbstractBase, self).delete(*args, **kwargs)
         def natural_key(self):
             return [self.slug]
         @classmethod
         @GlobalCache(timeout=5)
         def cached(cls):
             return cls.objects.all()
         def export_json(self):
             return {
                 'uuid': self.uuid, 'slug': self.slug, 'name': self.name,
                 'description': self.description, 'default': self.default,
                 'email_is_unique': self.email_is_unique,
                 'username_is_unique': self.username_is_unique,
                 'validate_emails': self.validate_emails
+            }
     OrganizationalUnit._meta.natural_key = [['uuid'], ['slug'], ['name']]
     class Permission(PermissionAbstractBase):
         class Meta:
             verbose_name = _('permission')
-...
+    ]
     class OrganizationalUnit(OrganizationalUnitAbstractBase):
         username_is_unique = models.BooleanField(
             blank=True,
             default=False,
             verbose_name=_('Username is unique'))
         email_is_unique = models.BooleanField(
             blank=True,
             default=False,
             verbose_name=_('Email is unique'))
         default = fields.UniqueBooleanField(
             verbose_name=_('Default organizational unit'))
         validate_emails = models.BooleanField(
             blank=True,
             default=False,
             verbose_name=_('Validate emails'))
         automatic_roles = models.ManyToManyField(Role)
         admin_perms = GenericRelation(rbac_utils.get_permission_model_name(),
                                       content_type_field='target_ct',
                                       object_id_field='target_id')
         objects = managers.OrganizationalUnitManager()
         class Meta:
             verbose_name = _('organizational unit')
             verbose_name_plural = _('organizational units')
             ordering = ('name',)
             unique_together = (
                 ('name',),
                 ('slug',),
+            )
         def clean(self):
             # if we set this ou as the default one, we must unset the other one if
             # there is
             if self.default:
                 qs = self.__class__.objects.filter(default=True)
                 if self.pk:
                     qs = qs.exclude(pk=self.pk)
                 qs.update(default=None)
             if self.pk and not self.default \
                and self.__class__.objects.get(pk=self.pk).default:
                 raise ValidationError(_('You cannot unset this organizational '
                                         'unit as the default, but you can set '
                                         'another one as the default.'))
             super(OrganizationalUnit, self).clean()
         def get_admin_role(self):
             '''Get or create the generic admin role for this organizational
                unit.
             '''
             name = _('Managers of "{ou}"').format(ou=self)
             slug = '_a2-managers-of-{ou.slug}'.format(ou=self)
             return Role.objects.get_admin_role(
                 instance=self, name=name, slug=slug, operation=VIEW_OP,
                 update_name=True, update_slug=True)
         def delete(self, *args, **kwargs):
             Permission.objects.filter(ou=self).delete()
             return super(OrganizationalUnitAbstractBase, self).delete(*args, **kwargs)
         def natural_key(self):
             return [self.slug]
         @classmethod
         @GlobalCache(timeout=5)
         def cached(cls):
             return cls.objects.all()
         def export_json(self):
             return {
                 'uuid': self.uuid, 'slug': self.slug, 'name': self.name,
                 'description': self.description, 'default': self.default,
                 'email_is_unique': self.email_is_unique,
                 'username_is_unique': self.username_is_unique,
                 'validate_emails': self.validate_emails
+            }
     OrganizationalUnit._meta.natural_key = [['uuid'], ['slug'], ['name']]
     class RoleParenting(RoleParentingAbstractBase):
         class Meta(RoleParentingAbstractBase.Meta):
             verbose_name = _('role parenting relation')

         if get_ou_model().objects.count() < 2:
             update_ous_admin_roles()
     #xxx missing pre save here
     def update_roles_on_user_post_save(sender, instance, created, raw, **kwargs):
         if instance.ou:
             for role in instance.ou.automatic_roles:
                 if role not in instance.roles:
                     instance.roles.add(role)
     def update_roles_on_ou_automatic_roles_changed(sender, instance, action, reverse, pk_set, **kwargs):
         from django.contrib.auth import get_user_model
         if not reverse:
             if action == 'post_add':
                 set_change = 'add'
             elif action in ('post_removed', 'post_clear'):
                 set_change = 'delete'
             users = get_user_model().objects.filter(ou=instance)
             for user in users:
                 set_op = gettattr(user.roles, set_change)
                 set_op(pk_set)
     def update_service_role_ou(sender, instance, created, raw, **kwargs):
         get_role_model().objects.filter(service=instance).update(ou=instance.ou)

         assert ou_dict['email_is_unique'] == ou.email_is_unique
         assert ou_dict['default'] == ou.default
         assert ou_dict['validate_emails'] == ou.validate_emails
     def test_ou_automatic_roles_m2m_changed(db, ou_rando, role_ou1, role_ou2, simple_user):
         simple_user.ou = ou_rando
         simple_user.save()
         assert role_ou1 not in simple_user.roles
         assert role_ou2 not in simple_user.roles
         ou_rando.automatic_roles.add(role_ou1)
         ou_rando.automatic_roles.add(role_ou2)
         assert role_ou1 in simple_user.roles
         assert role_ou2 in simple_user.roles
         ou_rando.automatic_roles.remove(role_ou1)
         assert role_ou1 not in simple_user.roles
         ou_rando.automatic_roles.clear()
         assert role_ou2 not in simple_user.roles
     def test_ou_automatic_roles_user_changed(db, user_ou1, user_ou2, role_ou1, role_ou2, ou1, ou2):
         assert ou1.automatic_roles in user_ou1.roles
         user_ou1.ou = ou2
         user_ou1.save()
         assert ou2.automatic_roles in user_ou1.roles
     def test_ou_automatic_roles_no_sidefx(db, user_ou1, user_ou2, role_ou1, role_ou2, ou1, ou2):
         assert role_ou1 in user_ou1.roles
         ou1.automatic_roles.add(role1)
         ou1.save()
         ou1.automatic_roles.remove(role1)
         ou1.save()
         assert role_ou1 in user_ou1.roles
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-WIP-support-OU-automatic-roles-20690.patch