0006-manager-handle-special-cases-of-access-control-33515.patch
| src/authentic2/manager/ou_views.py | ||
|---|---|---|
| 63 | 63 | |
| 64 | 64 |
def authorize(self, request, *args, **kwargs): |
| 65 | 65 |
super(OrganizationalUnitDetailView, self).authorize(request, *args, **kwargs) |
| 66 |
self.can_delete = self.can_delete and not self.object.default
|
|
| 66 |
self.could_delete = self.could_delete and not self.object.default
|
|
| 67 | 67 | |
| 68 | 68 |
detail = OrganizationalUnitDetailView.as_view() |
| 69 | 69 | |
| src/authentic2/manager/role_views.py | ||
|---|---|---|
| 27 | 27 |
from django.core.urlresolvers import reverse |
| 28 | 28 |
from django.contrib.auth import get_user_model |
| 29 | 29 | |
| 30 |
from django_rbac.exceptions import InsufficientAuthLevel |
|
| 30 | 31 |
from django_rbac.utils import get_role_model, get_permission_model, get_ou_model |
| 31 | 32 | |
| 32 | 33 |
from authentic2.utils import redirect |
| 33 | 34 |
from authentic2 import hooks, data_transfer |
| 34 | 35 | |
| 35 |
from . import tables, views, resources, forms, app_settings |
|
| 36 |
from . import tables, views, resources, forms, app_settings, utils
|
|
| 36 | 37 | |
| 37 | 38 | |
| 38 | 39 |
class RolesMixin(object): |
| ... | ... | |
| 79 | 80 | |
| 80 | 81 |
def authorize(self, request, *args, **kwargs): |
| 81 | 82 |
super(RolesView, self).authorize(request, *args, **kwargs) |
| 82 |
self.can_add = bool(request.user.ous_with_perm('a2_rbac.add_role'))
|
|
| 83 |
self.could_add = bool(request.user.ous_with_perm('a2_rbac.add_role'))
|
|
| 83 | 84 | |
| 84 | 85 | |
| 85 | 86 |
listing = RolesView.as_view() |
| ... | ... | |
| 176 | 177 |
hooks.call_hooks('event', name='manager-remove-role-member',
|
| 177 | 178 |
user=self.request.user, role=self.object, member=user) |
| 178 | 179 |
else: |
| 180 |
if self.could_change: |
|
| 181 |
return utils.increase_auth_level(self.request) |
|
| 179 | 182 |
messages.warning(self.request, _('You are not authorized'))
|
| 180 | 183 |
return super(RoleMembersView, self).form_valid(form) |
| 181 | 184 | |
| ... | ... | |
| 205 | 208 | |
| 206 | 209 |
def post(self, request, *args, **kwargs): |
| 207 | 210 |
if not self.can_delete: |
| 211 |
if self.could_delete: |
|
| 212 |
return utils.increase_auth_level(self.request) |
|
| 208 | 213 |
raise PermissionDenied |
| 209 | 214 |
return super(RoleDeleteView, self).post(request, *args, **kwargs) |
| 210 | 215 | |
| ... | ... | |
| 259 | 264 |
hooks.call_hooks('event', name='manager-remove-permission',
|
| 260 | 265 |
user=self.request.user, role=self.object, permission=perm) |
| 261 | 266 |
else: |
| 267 |
if self.could_change: |
|
| 268 |
return utils.increase_auth_level(self.request) |
|
| 262 | 269 |
messages.warning(self.request, _('You are not authorized'))
|
| 263 | 270 |
return super(RolePermissionsView, self).form_valid(form) |
| 264 | 271 | |
| src/authentic2/manager/utils.py | ||
|---|---|---|
| 17 | 17 |
from django_rbac.utils import get_ou_model |
| 18 | 18 | |
| 19 | 19 |
from authentic2.decorators import GlobalCache |
| 20 |
from authentic2.utils import login_require |
|
| 20 | 21 | |
| 21 | 22 | |
| 22 | 23 |
def label_from_user(user): |
| ... | ... | |
| 40 | 41 |
@GlobalCache(timeout=10) |
| 41 | 42 |
def get_ou_count(): |
| 42 | 43 |
return get_ou_model().objects.count() |
| 44 | ||
| 45 | ||
| 46 |
def increase_auth_level(request): |
|
| 47 |
current_auth_level = request.session.get('auth_level', 1)
|
|
| 48 |
return login_require(request, params={'auth_level': current_auth_level + 1})
|
|
| src/authentic2/manager/views.py | ||
|---|---|---|
| 43 | 43 | |
| 44 | 44 |
from authentic2.data_transfer import export_site, import_site, DataImportError, ImportContext |
| 45 | 45 |
from authentic2.forms.profile import modelform_factory |
| 46 |
from authentic2.utils import redirect, batch_queryset, login_require
|
|
| 46 |
from authentic2.utils import redirect, batch_queryset |
|
| 47 | 47 |
from authentic2.decorators import json as json_view |
| 48 | 48 |
from authentic2 import hooks |
| 49 | 49 | |
| ... | ... | |
| 150 | 150 |
try: |
| 151 | 151 |
response = self.authorize(request, *args, **kwargs) |
| 152 | 152 |
except InsufficientAuthLevel: |
| 153 |
current_auth_level = request.session.get('auth_level', 1)
|
|
| 154 |
return login_require(request, params={'auth_level': current_auth_level + 1})
|
|
| 153 |
return utils.increase_auth_level(request) |
|
| 155 | 154 |
if response is not None: |
| 156 | 155 |
return response |
| 157 | 156 |
return super(PermissionMixin, self).dispatch(request, *args, **kwargs) |
| 158 |
- |
|