0003-a2_rbac-update-role-admins-using-post_migrate-signal.patch
| src/authentic2/a2_rbac/apps.py | ||
|---|---|---|
| 50 | 50 |
post_migrate.connect( |
| 51 | 51 |
signal_handlers.post_migrate_update_rbac, |
| 52 | 52 |
sender=self) |
| 53 |
post_migrate.connect( |
|
| 54 |
signal_handlers.post_migrate_update_role_admins, |
|
| 55 |
sender=self) |
|
| src/authentic2/a2_rbac/management.py | ||
|---|---|---|
| 19 | 19 |
from django.utils.text import slugify |
| 20 | 20 |
from django.contrib.contenttypes.models import ContentType |
| 21 | 21 | |
| 22 |
from django_rbac.models import ADMIN_OP |
|
| 22 | 23 |
from django_rbac.utils import get_role_model, get_ou_model |
| 23 | 24 | |
| 24 | 25 |
from ..utils import get_fk_model |
| 25 | 26 |
from . import utils, app_settings |
| 27 |
from .models import MANAGE_MEMBERS_OP |
|
| 26 | 28 | |
| 27 | 29 | |
| 28 | 30 |
def update_ou_admin_roles(ou): |
| ... | ... | |
| 141 | 143 |
ct_admin_role.permissions.add(view_user_perm) |
| 142 | 144 |
ct_admin_role.permissions.add(search_ou_perm) |
| 143 | 145 |
ct_admin_role.add_child(admin_role) |
| 146 | ||
| 147 | ||
| 148 |
def update_user_admin_roles_permission(): |
|
| 149 |
roles = get_role_model().objects.filter(slug__startswith='_a2-managers-of-role', |
|
| 150 |
permissions__operation__slug=ADMIN_OP.slug) |
|
| 151 |
for role in roles: |
|
| 152 |
old_perm = role.permissions.get(operation__slug=ADMIN_OP.slug) |
|
| 153 |
administered_role = old_perm.target |
|
| 154 |
admin_role = administered_role.get_admin_role() |
|
| 155 |
new_perm = admin_role.permissions.get(operation__slug=MANAGE_MEMBERS_OP.slug) |
|
| 156 |
admin_role.delete() |
|
| 157 |
role.admin_scope_id = new_perm.pk |
|
| 158 |
role.save() |
|
| 159 |
role.permissions.remove(old_perm) |
|
| 160 |
role.permissions.add(new_perm) |
|
| 161 |
assert role.pk == administered_role.get_admin_role().pk |
|
| src/authentic2/a2_rbac/signal_handlers.py | ||
|---|---|---|
| 98 | 98 |
get_operation(ACTIVATE_OP) |
| 99 | 99 |
get_operation(CHANGE_EMAIL_OP) |
| 100 | 100 |
get_operation(MANAGE_MEMBERS_OP) |
| 101 | ||
| 102 | ||
| 103 |
def post_migrate_update_role_admins(app_config, verbosity=2, interactive=True, |
|
| 104 |
using=DEFAULT_DB_ALIAS, **kwargs): |
|
| 105 |
from .management import update_user_admin_roles_permission |
|
| 106 |
update_user_admin_roles_permission() |
|
| tests/test_a2_rbac.py | ||
|---|---|---|
| 28 | 28 |
from django.core.management import call_command |
| 29 | 29 | |
| 30 | 30 |
from authentic2.a2_rbac.models import Role, OrganizationalUnit as OU, RoleAttribute |
| 31 |
from authentic2.a2_rbac.utils import get_default_ou |
|
| 31 |
from authentic2.a2_rbac.utils import get_default_ou, get_view_user_perm
|
|
| 32 | 32 |
from authentic2.a2_rbac.models import ( |
| 33 | 33 |
Role, |
| 34 | 34 |
Permission, |
| ... | ... | |
| 493 | 493 | |
| 494 | 494 |
# 5 global roles and 4 ou roles for both ous |
| 495 | 495 |
assert Role.objects.count() == 5 + 4 + 4 |
| 496 | ||
| 497 | ||
| 498 |
def test_update_role_admins_perm(transactional_db, simple_user): |
|
| 499 |
from django.core.management.sql import emit_post_migrate_signal |
|
| 500 | ||
| 501 |
role = Role.objects.create(name='hop') |
|
| 502 |
old_admin_role = Role.objects.get_admin_role( |
|
| 503 |
role, ou=role.ou, |
|
| 504 |
name='Managers of role "{role}"'.format(
|
|
| 505 |
role=role), |
|
| 506 |
slug='_a2-managers-of-role-{role}'.format(
|
|
| 507 |
role=role), |
|
| 508 |
permissions=(get_view_user_perm(),), |
|
| 509 |
self_administered=True, |
|
| 510 |
update_name=True, |
|
| 511 |
update_slug=True, |
|
| 512 |
create=True) |
|
| 513 |
simple_user.roles.add(old_admin_role) |
|
| 514 | ||
| 515 |
emit_post_migrate_signal(verbosity=0, interactive=False, db='default', created_models=[]) |
|
| 516 |
assert simple_user.get_all_permissions(role) == \ |
|
| 517 |
{'a2_rbac.manage_members_role', 'a2_rbac.search_role', 'a2_rbac.view_role'}
|
|
| 496 |
- |
|