
0006-manager-handle-special-cases-of-access-control-33515.patch

Valentin Deniaud, 28 mai 2019 17:24


Subject: [PATCH 6/8] manager: handle special cases of access control (#33515)

Making use of the new could_{action} attribute previously introduced.
 src/authentic2/manager/ou_views.py   | 2 +-
 src/authentic2/manager/role_views.py | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
src/authentic2/manager/ou_views.py
63 63

  
64 64
    def authorize(self, request, *args, **kwargs):
65 65
        super(OrganizationalUnitDetailView, self).authorize(request, *args, **kwargs)
66
        self.can_delete = self.can_delete and not self.object.default
66
        self.could_delete = self.could_delete and not self.object.default
67 67

  
68 68
detail = OrganizationalUnitDetailView.as_view()
69 69

  
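Review bot: Assuming the `could_delete` assignment is the new side of this change, `can_delete` is no longer cleared for the default organizational unit in `OrganizationalUnitDetailView.authorize`. That is only safe if `can_delete` is derived from `could_delete` after this override runs; if `super().authorize()` has already computed `can_delete`, the default OU would become deletable by anyone holding the delete permission. The derivation is not visible on this page, so either confirm it or keep the explicit guard next to the new line: `self.can_delete = self.can_delete and not self.object.default`. The same question applies to `RolesView.authorize` in role_views.py, where `can_add` is replaced by `could_add`. A regression test asserting that deleting the default OU is refused would pin this down.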
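--- a/src/authentic2/manager/role_views.py
+++ b/src/authentic2/manager/role_views.py
@@ -27,6 +27,7 @@
 from django.core.urlresolvers import reverse
 from django.contrib.auth import get_user_model
 
+from django_rbac.exceptions import InsufficientAuthLevel
 from django_rbac.utils import get_role_model, get_permission_model, get_ou_model
 
 from authentic2.utils import redirect
@@ -79,7 +80,7 @@
 
     def authorize(self, request, *args, **kwargs):
         super(RolesView, self).authorize(request, *args, **kwargs)
-        self.can_add = bool(request.user.ous_with_perm('a2_rbac.add_role'))
+        self.could_add = bool(request.user.ous_with_perm('a2_rbac.add_role'))
 
 
 listing = RolesView.as_view()
@@ -176,6 +177,8 @@
                     hooks.call_hooks('event', name='manager-remove-role-member',
                                      user=self.request.user, role=self.object, member=user)
         else:
+            if self.could_change:
+                raise InsufficientAuthLevel
             messages.warning(self.request, _('You are not authorized'))
         return super(RoleMembersView, self).form_valid(form)
 
@@ -205,6 +208,8 @@
 
     def post(self, request, *args, **kwargs):
         if not self.can_delete:
+            if self.could_delete:
+                raise InsufficientAuthLevel
             raise PermissionDenied
         return super(RoleDeleteView, self).post(request, *args, **kwargs)
 
@@ -259,6 +264,8 @@
                         hooks.call_hooks('event', name='manager-remove-permission',
                                          user=self.request.user, role=self.object, permission=perm)
         else:
+            if self.could_change:
+                raise InsufficientAuthLevel
             messages.warning(self.request, _('You are not authorized'))
         return super(RolePermissionsView, self).form_valid(form)
 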
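Review bot: The three new `raise InsufficientAuthLevel` sites (both `form_valid` bodies and `RoleDeleteView.post`) depend on a handler for that exception that is not visible in this file. If it does not subclass `PermissionDenied` and nothing catches it to start re-authentication, these paths would presumably fail closed as a server error rather than a 403 or a step-up prompt; that is worth confirming and covering with one test per view. Each guard would also benefit from a short comment such as `# permitted at a higher auth level: request step-up rather than deny`, since the `can_*`/`could_*` distinction is defined elsewhere. Both `form_valid` functions start outside their hunks, so the `if` that pairs with each `else:` is inferred rather than seen.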
265
-