0003-a2_rbac-add-ROLE_ADMIN_RESTRICT_TO_OU_USERS-setting-.patch
src/authentic2/a2_rbac/app_settings.py | ||
---|---|---|
20 | 20 |
class AppSettings(object): |
21 | 21 |
__DEFAULTS = dict( |
22 | 22 |
MANAGED_CONTENT_TYPES=None, |
23 |
ROLE_ADMIN_RESTRICT_TO_OU_USERS=False, |
|
23 | 24 |
) |
24 | 25 | |
25 | 26 |
def __init__(self, prefix): |
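Review bot: The new `ROLE_ADMIN_RESTRICT_TO_OU_USERS=False` default is added without any comment, so a reader of app_settings.py cannot tell what it restricts or where it is consumed. A one-line comment above it, e.g. `# when True, managers of a role only get view-user permission scoped to the role's OU (see Role.get_admin_role)`, would document it in place. Mentioning that it is exposed through the prefixed Django setting the test uses, `A2_RBAC_ROLE_ADMIN_RESTRICT_TO_OU_USERS`, would also help operators find the knob.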
src/authentic2/a2_rbac/models.py | ||
---|---|---|
39 | 39 | |
40 | 40 |
from authentic2.decorators import GlobalCache |
41 | 41 | |
42 |
from . import managers, fields |
|
42 |
from . import managers, fields, app_settings
|
|
43 | 43 | |
44 | 44 | |
45 | 45 |
@six.python_2_unicode_compatible |
... | ... | |
205 | 205 | |
206 | 206 |
def get_admin_role(self, create=True): |
207 | 207 |
from . import utils |
208 | ||
209 |
if app_settings.ROLE_ADMIN_RESTRICT_TO_OU_USERS: |
|
210 |
view_user_perm = utils.get_view_user_perm(ou=self.ou) |
|
211 |
else: |
|
212 |
view_user_perm = utils.get_view_user_perm() |
|
213 | ||
208 | 214 |
admin_role = self.__class__.objects.get_admin_role( |
209 | 215 |
self, ou=self.ou, |
210 | 216 |
name=_('Managers of role "{role}"').format( |
211 | 217 |
role=six.text_type(self)), |
212 | 218 |
slug='_a2-managers-of-role-{role}'.format( |
213 | 219 |
role=slugify(six.text_type(self))), |
214 |
permissions=(utils.get_view_user_perm(),),
|
|
220 |
permissions=(view_user_perm,),
|
|
215 | 221 |
self_administered=True, |
216 | 222 |
update_name=True, |
217 | 223 |
update_slug=True, |
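Review bot: In the new branch of get_admin_role, `utils.get_view_user_perm(ou=self.ou)` is reached whenever the setting is on, with no handling of a role whose `ou` is None (if the model allows that); what permission such a role's managers end up with is then neither guarded nor documented. A comment on the `if` stating the intended outcome for OU-less roles, e.g. `# roles without an OU keep the global view-user permission`, or an explicit `self.ou is not None` guard, would make the visibility boundary explicit. Since the flag is read on every call, the permission attached to an already-existing admin role presumably follows the flag at the next call rather than at creation time — the new test relies on this after a page reload — which is worth stating in the setting's documentation. get_admin_role continues past the end of the hunk.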
tests/test_a2_rbac.py | ||
---|---|---|
33 | 33 |
from authentic2.utils import get_hex_uuid |
34 | 34 | |
35 | 35 | |
36 |
from utils import login |
|
37 | ||
38 | ||
36 | 39 |
def test_update_rbac(db): |
37 | 40 |
# 3 content types managers and 1 global manager |
38 | 41 |
assert Role.objects.count() == 4 |
... | ... | |
394 | 397 | |
395 | 398 |
assert ar1.name == 'Managers of role "r1ter"' |
396 | 399 |
assert ar1.slug == '_a2-managers-of-role-r1ter' |
400 | ||
401 | ||
402 |
def test_admin_role_user_view(settings, app, admin, simple_user, ou1, user_ou1, role_ou1): |
|
403 |
role_ou1.get_admin_role().members.add(simple_user) |
|
404 | ||
405 |
# Default: all users are visible |
|
406 |
response = login(app, simple_user, '/manage/roles/') |
|
407 |
response = response.click('role_ou1') |
|
408 |
select2_url = response.pyquery('select#id_user')[0].attrib['data-ajax--url'] |
|
409 |
select2_field_id = response.pyquery('select#id_user')[0].attrib['data-field_id'] |
|
410 | ||
411 |
select2_response = app.get(select2_url, params={'field_id': select2_field_id, 'term': ''}) |
|
412 |
assert select2_response.json['more'] is False |
|
413 |
assert (set(result['id'] for result in select2_response.json['results']) |
|
414 |
== set([simple_user.id, user_ou1.id, admin.id])) |
|
415 | ||
416 |
# with A2_RBAC_ROLE_ADMIN_RESTRICT_TO_OU_USERS after a reload of the admin |
|
417 |
# page, we should only see user from the same OU as the role |
|
418 |
settings.A2_RBAC_ROLE_ADMIN_RESTRICT_TO_OU_USERS = True |
|
419 |
response = app.get('/manage/roles/') |
|
420 |
response = response.click('role_ou1') |
|
421 |
select2_url = response.pyquery('select#id_user')[0].attrib['data-ajax--url'] |
|
422 |
select2_field_id = response.pyquery('select#id_user')[0].attrib['data-field_id'] |
|
423 |
select2_response = app.get(select2_url, params={'field_id': select2_field_id, 'term': ''}) |
|
424 |
assert select2_response.json['more'] is False |
|
425 |
assert (set(result['id'] for result in select2_response.json['results']) |
|
426 |
== set([user_ou1.id])) |
|
397 |
- |
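Review bot: test_admin_role_user_view only asserts what the select2 endpoint lists for `term: ''`; it never submits the add-member form with a user outside ou1 after the setting flip, so a restriction applied to the widget's choices but not enforced when the form is validated would still pass. If the form validates against the same permission, a final step that posts `simple_user.id` as the member and asserts it is rejected would pin the server-side check. As a point of style, `set([user_ou1.id])` can be `{user_ou1.id}` and the generator wrapped in `set(...)` a set comprehension, `{result['id'] for result in select2_response.json['results']}`.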