0002-django_rbac-allow-filtering-user-roles-by-auth-level.patch

Valentin Deniaud, 28 May 2019 17:24

View differences:

Subject: [PATCH 2/8] django_rbac: allow filtering user roles by auth level
 (#33515)

Be careful about role inheritance.
A role with authentication level 2 which is inherited from a role with
auth level 1 should be given only to a user with auth level 2. This
simply means a user must not have any role that is superior to their
authentication level.
Moreover, a role with auth level 1 which is inherited from a role with
auth level 2 should be given only to a user with auth level 2. That is
why we filter roles away based on auth level before looking for parents.
 src/django_rbac/managers.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
src/django_rbac/managers.py
103 103

  
104 104

  
105 105
class RoleQuerySet(query.QuerySet):
106
    def for_user(self, user):
107
        return self.filter(members=user).parents().distinct()
106
    def for_user(self, user, max_auth_level=None):
107
        qs = self.filter(members=user)
108
        if max_auth_level:
109
            qs = qs.filter(auth_level__lte=max_auth_level)
110
        qs = qs.parents()
111
        if max_auth_level:
112
            qs = qs.filter(auth_level__lte=max_auth_level)
113
        return qs.distinct()
108 114

  
109 115
    def parents(self, include_self=True, annotate=False):
110 116
        qs = self.model.objects.filter(child_relation__child__in=self)
111
-
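
Review bot: the two `if max_auth_level:` guards in `for_user` test truthiness rather than `is not None`, so a caller passing `max_auth_level=0` skips both `auth_level__lte` filters and receives the same unfiltered role set as a caller passing nothing. If 0 can ever be a level, that fails open; `if max_auth_level is not None:` keeps the restriction for every explicit value. Because the parameter defaults to `None`, existing `for_user(user)` call sites keep returning every role regardless of auth level, so any call site that feeds an authorization decision has to pass the level explicitly. The reason for filtering both before and after `qs.parents()` is stated only in the commit message; a short docstring or comment on `for_user` saying so would keep a later cleanup from dropping one of the two filters as a duplicate.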