0005-a2_rbac-add-ROLE_ADMIN_RESTRICT_TO_OU_USERS-setting-.patch
| src/authentic2/a2_rbac/app_settings.py | ||
|---|---|---|
| 20 | 20 |
class AppSettings(object): |
| 21 | 21 |
__DEFAULTS = dict( |
| 22 | 22 |
MANAGED_CONTENT_TYPES=None, |
| 23 |
ROLE_ADMIN_RESTRICT_TO_OU_USERS=False, |
|
| 23 | 24 |
) |
| 24 | 25 | |
| 25 | 26 |
def __init__(self, prefix): |
| src/authentic2/a2_rbac/models.py | ||
|---|---|---|
| 39 | 39 | |
| 40 | 40 |
from authentic2.decorators import GlobalCache |
| 41 | 41 | |
| 42 |
from . import managers, fields |
|
| 42 |
from . import managers, fields, app_settings
|
|
| 43 | 43 | |
| 44 | 44 | |
| 45 | 45 |
@six.python_2_unicode_compatible |
| ... | ... | |
| 205 | 205 | |
| 206 | 206 |
def get_admin_role(self, create=True): |
| 207 | 207 |
from . import utils |
| 208 | ||
| 209 |
if app_settings.ROLE_ADMIN_RESTRICT_TO_OU_USERS: |
|
| 210 |
view_user_perm = utils.get_view_user_perm(ou=self.ou) |
|
| 211 |
else: |
|
| 212 |
view_user_perm = utils.get_view_user_perm() |
|
| 213 | ||
| 208 | 214 |
admin_role = self.__class__.objects.get_admin_role( |
| 209 | 215 |
self, ou=self.ou, |
| 210 | 216 |
name=_('Managers of role "{role}"').format(
|
| 211 | 217 |
role=six.text_type(self)), |
| 212 | 218 |
slug='_a2-managers-of-role-{role}'.format(
|
| 213 | 219 |
role=slugify(six.text_type(self))), |
| 214 |
permissions=(utils.get_view_user_perm(),),
|
|
| 220 |
permissions=(view_user_perm,),
|
|
| 215 | 221 |
self_administered=True, |
| 216 | 222 |
update_name=True, |
| 217 | 223 |
update_slug=True, |
| tests/test_a2_rbac.py | ||
|---|---|---|
| 33 | 33 |
from authentic2.utils import get_hex_uuid |
| 34 | 34 | |
| 35 | 35 | |
| 36 |
from utils import login |
|
| 37 | ||
| 38 | ||
| 36 | 39 |
def test_update_rbac(db): |
| 37 | 40 |
# 3 content types managers and 1 global manager |
| 38 | 41 |
assert Role.objects.count() == 4 |
| ... | ... | |
| 394 | 397 | |
| 395 | 398 |
assert ar1.name == 'Managers of role "r1ter"' |
| 396 | 399 |
assert ar1.slug == '_a2-managers-of-role-r1ter' |
| 400 | ||
| 401 | ||
| 402 |
def test_admin_role_user_view(settings, app, admin, simple_user, ou1, user_ou1, role_ou1): |
|
| 403 |
role_ou1.get_admin_role().members.add(simple_user) |
|
| 404 | ||
| 405 |
# Default: all users are visible |
|
| 406 |
response = login(app, simple_user, '/manage/roles/') |
|
| 407 |
response = response.click('role_ou1')
|
|
| 408 |
select2_url = response.pyquery('select#id_user')[0].attrib['data-ajax--url']
|
|
| 409 |
select2_field_id = response.pyquery('select#id_user')[0].attrib['data-field_id']
|
|
| 410 | ||
| 411 |
select2_response = app.get(select2_url, params={'field_id': select2_field_id, 'term': ''})
|
|
| 412 |
assert select2_response.json['more'] is False |
|
| 413 |
assert (set(result['id'] for result in select2_response.json['results']) |
|
| 414 |
== set([simple_user.id, user_ou1.id, admin.id])) |
|
| 415 | ||
| 416 |
# with A2_RBAC_ROLE_ADMIN_RESTRICT_TO_OU_USERS after a reload of the admin |
|
| 417 |
# page, we should only see user from the same OU as the role |
|
| 418 |
settings.A2_RBAC_ROLE_ADMIN_RESTRICT_TO_OU_USERS = True |
|
| 419 |
response = app.get('/manage/roles/')
|
|
| 420 |
response = response.click('role_ou1')
|
|
| 421 |
select2_url = response.pyquery('select#id_user')[0].attrib['data-ajax--url']
|
|
| 422 |
select2_field_id = response.pyquery('select#id_user')[0].attrib['data-field_id']
|
|
| 423 |
select2_response = app.get(select2_url, params={'field_id': select2_field_id, 'term': ''})
|
|
| 424 |
assert select2_response.json['more'] is False |
|
| 425 |
assert (set(result['id'] for result in select2_response.json['results']) |
|
| 426 |
== set([user_ou1.id])) |
|
| 397 |
- |
|