0001-manager-prevent-changing-ldap-sychronised-role-affec.patch
| src/authentic2/manager/role_views.py | ||
|---|---|---|
| 16 | 16 | |
| 17 | 17 |
import json |
| 18 | 18 | |
| 19 |
from django.conf import settings |
|
| 19 | 20 |
from django.core.exceptions import PermissionDenied |
| 20 | 21 |
from django.utils.translation import ugettext_lazy as _ |
| 21 | 22 |
from django.views.generic import FormView, TemplateView |
| ... | ... | |
| 194 | 195 |
ctx['admin_roles'] = views.filter_view(self.request, |
| 195 | 196 |
self.object.get_admin_role().children(include_self=False, |
| 196 | 197 |
annotate=True)) |
| 198 |
mappings = getattr(settings, 'LDAP_AUTH_SETTINGS', [{}])[0].get('group_to_role_mapping', [])
|
|
| 199 |
if mappings: |
|
| 200 |
ctx['from_ldap'] = any(role for mapping in mappings for role in mapping[1] |
|
| 201 |
if role == self.object.name) |
|
| 197 | 202 |
return ctx |
| 198 | 203 | |
| 199 | 204 |
members = RoleMembersView.as_view() |
| src/authentic2/manager/tables.py | ||
|---|---|---|
| 122 | 122 |
'indeterminate{%% endif %%}"'
|
| 123 | 123 |
' name="role-{{ record.pk }}" type="checkbox" {%% if record.member %%}checked{%% endif %%} '
|
| 124 | 124 |
'{%% if not record.has_perm %%}disabled '
|
| 125 |
'title="{%% trans "%s" %%}"{%% endif %%}/>' % ugettext_noop('You are not authorized to manage this role'),
|
|
| 125 |
'title="{%% trans "%s" %%}"{%% endif %%} '
|
|
| 126 |
'{%% if record.from_ldap %%}disabled '
|
|
| 127 |
'title="{%% trans "%s" %%}"{%% endif %%}/>' % (ugettext_noop('You are not authorized to manage this role'), ugettext_noop('This role is synchronised from LDAP, modification is not allowed.')),
|
|
| 126 | 128 |
verbose_name=_('Member'),
|
| 127 | 129 |
order_by=('member', 'via', 'name'))
|
| 128 | 130 | |
| src/authentic2/manager/templates/authentic2/manager/user_roles_table.html | ||
|---|---|---|
| 7 | 7 |
<th></th> |
| 8 | 8 |
{% endblock %}
|
| 9 | 9 |
{% block table.tbody.last.column %}
|
| 10 |
<td>{% if table.context.view.can_change and row.record.member %}<a class="icon-remove-sign js-remove-object" data-confirm="{% blocktrans with name=row.record.name username=table.context.object.get_full_name %}Do you really want to remove role "{{ name }}" from user "{{ username }}" ?{% endblocktrans %}" href="#" data-pk-arg="role"></a>{% endif %}</td>
|
|
| 10 |
<td> |
|
| 11 |
{% if table.context.view.can_change and row.record.member %}
|
|
| 12 |
<a class="icon-remove-sign {% if row.record.from_ldap %} disabled {% else %} js-remove-object {% endif %}" data-confirm="{% blocktrans with name=row.record.name username=table.context.object.get_full_name %}Do you really want to remove role "{{ name }}" from user "{{ username }}" ?{% endblocktrans %}" href="#" data-pk-arg="role" title="{% if row.record.from_ldap %}{% trans "This role is synchronised from LDAP, modification is not allowed." %}{% endif %}"></a>
|
|
| 13 |
{% endif %}
|
|
| 14 |
</td> |
|
| 11 | 15 |
{% endblock %}
|
| 12 | 16 |
{% endif %}
|
| src/authentic2/manager/user_views.py | ||
|---|---|---|
| 19 | 19 |
import collections |
| 20 | 20 |
import operator |
| 21 | 21 | |
| 22 |
from django.conf import settings |
|
| 22 | 23 |
from django.db import models |
| 23 | 24 |
from django.utils.translation import ugettext_lazy as _, ugettext |
| 24 | 25 |
from django.utils.html import format_html |
| ... | ... | |
| 557 | 558 |
manageable_ids = map(str, qs2.values_list('pk', flat=True))
|
| 558 | 559 |
qs = qs.extra(select={'has_perm': 'a2_rbac_role.id in (%s)' % ', '.join(manageable_ids)})
|
| 559 | 560 |
qs = qs.exclude(slug__startswith='_a2-managers-of-role') |
| 560 |
return qs |
|
| 561 | 561 |
else: |
| 562 |
return self.object.roles_and_parents() |
|
| 562 |
qs = self.object.roles_and_parents() |
|
| 563 |
qs = self.indicate_ldap_roles(qs) |
|
| 564 |
return qs |
|
| 565 | ||
| 566 |
def indicate_ldap_roles(self, qs): |
|
| 567 |
mappings = getattr(settings, 'LDAP_AUTH_SETTINGS', [{}])[0].get('group_to_role_mapping', [])
|
|
| 568 |
if mappings: |
|
| 569 |
role_names = [role for mapping in mappings for role in mapping[1]] |
|
| 570 |
roles = qs.filter(name__in=role_names) |
|
| 571 |
role_ids = map(str, roles.values_list('pk', flat=True))
|
|
| 572 |
qs = qs.extra(select={'from_ldap': 'a2_rbac_role.id in (%s)' % ', '.join(role_ids)})
|
|
| 573 |
return qs |
|
| 563 | 574 | |
| 564 | 575 |
def get_table_data(self): |
| 565 | 576 |
qs = super(UserRolesView, self).get_table_data() |
| tests/test_ldap.py | ||
|---|---|---|
| 345 | 345 |
assert response.context['user'].roles.count() == 1 |
| 346 | 346 | |
| 347 | 347 | |
| 348 |
def test_group_to_role_mapping_modify_disabled(slapd, settings, db, app, admin, simple_user): |
|
| 349 |
from authentic2.a2_rbac.models import Role |
|
| 350 | ||
| 351 |
role = Role.objects.get_or_create(name='Role2', ou=simple_user.ou)[0] |
|
| 352 |
simple_user.roles.add(role) |
|
| 353 |
settings.LDAP_AUTH_SETTINGS = [{
|
|
| 354 |
'url': [slapd.ldap_url], |
|
| 355 |
'basedn': u'o=ôrga', |
|
| 356 |
'use_tls': False, |
|
| 357 |
'group_to_role_mapping': [ |
|
| 358 |
['cn=group2,o=ôrga', ['Role2']], |
|
| 359 |
], |
|
| 360 |
}] |
|
| 361 |
utils.login(app, admin, '/manage/') |
|
| 362 | ||
| 363 |
response = app.get('/manage/users/%s/roles/?search-ou=all' % simple_user.pk)
|
|
| 364 |
q = response.pyquery.remove_namespaces() |
|
| 365 |
assert q('table tbody td.name').text() == 'Role2'
|
|
| 366 |
assert q('table tbody td .disabled')
|
|
| 367 | ||
| 368 |
response = app.get('/manage/users/%s/roles/?search-ou=%s' % (simple_user.pk, simple_user.ou.pk))
|
|
| 369 |
q = response.pyquery.remove_namespaces() |
|
| 370 |
assert q('table tbody td.name').text() == 'Role2'
|
|
| 371 |
assert q('table tbody td.member input').attr('disabled')
|
|
| 372 | ||
| 373 | ||
| 348 | 374 |
def test_group_su(slapd, settings, client, db): |
| 349 | 375 |
from django.contrib.auth.models import Group |
| 350 | 376 | |
| 351 |
- |
|