0001-manager-add-manage-members-permission-for-role-admin.patch
src/authentic2/a2_rbac/models.py | ||
---|---|---|
221 | 221 |
self_administered=True, |
222 | 222 |
update_name=True, |
223 | 223 |
update_slug=True, |
224 |
create=create) |
|
224 |
create=create, |
|
225 |
operation=MANAGE_MEMBERS_OP) |
|
225 | 226 |
return admin_role |
226 | 227 | |
227 | 228 |
def validate_unique(self, exclude=None): |
... | ... | |
393 | 394 |
RESET_PASSWORD_OP = Operation(name=_('Reset password'), slug='reset_password') |
394 | 395 |
ACTIVATE_OP = Operation(name=_('Activate'), slug='activate') |
395 | 396 |
CHANGE_EMAIL_OP = Operation(name=_('Change email'), slug='change_email') |
397 |
MANAGE_MEMBERS_OP = Operation(name=_('Manage role members'), slug='manage_members') |
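Review bot: The `get_admin_role(...)` call now passes `operation=MANAGE_MEMBERS_OP`, which narrows what a role's admin role is granted from the previous admin operation to membership management, but the hunk records no reason for the narrowing; the enclosing function starts outside the hunk. A one-line comment next to the new argument would spare the next reader a trip through settings.py and the tests, e.g. `# role admins get manage_members on the role rather than full admin; see the permission hierarchy in settings.py for what that implies`. The new `MANAGE_MEMBERS_OP` constant at the bottom of the section follows the existing `Operation(name=_(...), slug=...)` pattern and needs nothing more.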
src/authentic2/a2_rbac/signal_handlers.py | ||
---|---|---|
86 | 86 | |
87 | 87 |
def create_default_permissions(app_config, verbosity=2, interactive=True, using=DEFAULT_DB_ALIAS, |
88 | 88 |
**kwargs): |
89 |
from .models import CHANGE_PASSWORD_OP, RESET_PASSWORD_OP, ACTIVATE_OP, CHANGE_EMAIL_OP |
|
89 |
from .models import (CHANGE_PASSWORD_OP, RESET_PASSWORD_OP, ACTIVATE_OP, CHANGE_EMAIL_OP, |
|
90 |
MANAGE_MEMBERS_OP) |
|
90 | 91 | |
91 | 92 |
if not router.allow_migrate(using, get_ou_model()): |
92 | 93 |
return |
... | ... | |
96 | 97 |
get_operation(RESET_PASSWORD_OP) |
97 | 98 |
get_operation(ACTIVATE_OP) |
98 | 99 |
get_operation(CHANGE_EMAIL_OP) |
100 |
get_operation(MANAGE_MEMBERS_OP) |
src/authentic2/manager/role_views.py | ||
---|---|---|
77 | 77 |
kwargs['queryset'] = self.get_queryset() |
78 | 78 |
return kwargs |
79 | 79 | |
80 |
def authorize(self, request, *args, **kwargs): |
|
81 |
super(RolesView, self).authorize(request, *args, **kwargs) |
|
82 |
self.can_add = bool(request.user.ous_with_perm('a2_rbac.add_role')) |
|
83 | ||
84 | ||
85 | 80 |
listing = RolesView.as_view() |
86 | 81 | |
87 | 82 |
src/authentic2/manager/templates/authentic2/manager/role_members.html | ||
---|---|---|
53 | 53 |
{% include "authentic2/manager/export_include.html" with export_view_name="a2-manager-role-members-export" %} |
54 | 54 | |
55 | 55 |
{% if view.can_change %} |
56 |
<form method="post" class="manager-m2m-add-form"> |
|
56 |
<form method="post" class="manager-m2m-add-form" id="add-user">
|
|
57 | 57 |
{% csrf_token %} |
58 | 58 |
{{ form }} |
59 | 59 |
<button>{% trans "Add" %}</button> |
src/authentic2/settings.py | ||
---|---|---|
331 | 331 |
'change': ['view', 'search'], |
332 | 332 |
'delete': ['view', 'search'], |
333 | 333 |
'add': ['view', 'search'], |
334 |
'manage_members': ['change', 'view', 'search', 'delete'], |
|
334 | 335 |
} |
335 | 336 | |
336 | 337 |
SILENCED_SYSTEM_CHECKS = ["auth.W004"] |
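Review bot: The new hierarchy entry `'manage_members': ['change', 'view', 'search', 'delete']` makes the membership permission imply `change` and `delete` on the role itself, which is broader than the operation's name and the commit title suggest and, if the hierarchy setting works like the surrounding entries (`'change': ['view', 'search']`), lets a role admin modify or delete the role it administers. If the intent is "manage membership only", the implied set should be `'manage_members': ['view', 'search'],` and the places that currently gate on the change permission should gate on manage_members instead, notably `{% if view.can_change %}` around the add-user form in role_members.html in this same commit. If the broader grant is deliberate, a comment on the entry stating that role admins are meant to be able to change and delete the role would make the decision explicit; the test added in tests/test_manager.py only checks the add view, so neither reading is pinned by a test.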
tests/test_a2_rbac.py | ||
---|---|---|
62 | 62 |
# There should be two more permissions the admin permission on the role |
63 | 63 |
# and the admin permission on the admin role |
64 | 64 |
admin_perm = Permission.objects.by_target(new_role) \ |
65 |
.get(operation__slug='admin')
|
|
65 |
.get(operation__slug='manage_members')
|
|
66 | 66 |
admin_role = Role.objects.get( |
67 | 67 |
admin_scope_ct=ContentType.objects.get_for_model(admin_perm), |
68 | 68 |
admin_scope_id=admin_perm.pk) |
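Review bot: The lookup now uses `operation__slug='manage_members'`, but the comment two lines above it still says "the admin permission on the role" and the variable is still `admin_perm`, so the test reads as if it checks the old behaviour. Update the comment to match, e.g. `# There should be two more permissions: the manage_members permission on the role` and `# and the admin permission on the admin role`, and consider renaming the local to `manage_members_perm` so the later `admin_scope_id=admin_perm.pk` makes clear which permission the admin role is scoped to. The test function's header and the rest of its body are outside the hunk.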
tests/test_manager.py | ||
---|---|---|
896 | 896 | |
897 | 897 |
user = User.objects.get(id=simple_user.id) |
898 | 898 |
assert not user.email_verified |
899 | ||
900 | ||
901 |
def test_manager_role_admin_permissions(app, simple_user): |
|
902 |
administered_role = Role.objects.create(name='Coucou') |
|
903 |
admin_role = administered_role.get_admin_role() |
|
904 |
simple_user.roles.add(admin_role) |
|
905 |
login(app, simple_user, '/manage/') |
|
906 | ||
907 |
response = app.get('/manage/roles/%s/' % administered_role.pk) |
|
908 |
form = response.forms['add-user'] |
|
909 |
form['user'].force_value(simple_user.pk) |
|
910 |
response = form.submit().follow() |
|
911 |
assert administered_role in simple_user.roles.all() |
|
912 | ||
913 |
response = app.get('/manage/roles/add/', status=403) |
|
899 |
- |
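Review bot: `test_manager_role_admin_permissions` only exercises the positive path, so it does not show that the new manage_members permission is what grants membership management: a user who holds the administered role but not its admin role should be asserted unable to submit the add-user form, and the role admin should be asserted unable to delete or rename the administered role, since the hierarchy entry added in settings.py makes manage_members imply change and delete. The final `response = app.get('/manage/roles/add/', status=403)` assigns a `response` that is never read; drop the assignment or assert on the result. The end of the test is not clearly visible in the rendering (the section ends on a bare `-`), so there may be further assertions beyond the hunk.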