0001-manager-make-select2-fields-use-direct-widget-refere.patch
| src/authentic2/manager/views.py | ||
|---|---|---|
| 46 | 46 |
from authentic2.decorators import json as json_view |
| 47 | 47 |
from authentic2 import hooks |
| 48 | 48 | |
| 49 |
from . import app_settings, utils, forms |
|
| 49 |
from . import app_settings, utils, forms, widgets
|
|
| 50 | 50 | |
| 51 | 51 | |
| 52 | 52 |
# https://github.com/MongoEngine/django-mongoengine/blob/master/django_mongoengine/views/edit.py |
| ... | ... | |
| 679 | 679 |
'''Overrided default django-select2 view to enforce security checks on Select2 AJAX requests.''' |
| 680 | 680 | |
| 681 | 681 |
def get_widget_or_404(self): |
| 682 |
widget = super(Select2View, self).get_widget_or_404() |
|
| 682 |
field_id = self.kwargs.get('field_id', self.request.GET.get('field_id', None))
|
|
| 683 |
if not field_id or not hasattr(widgets, field_id): |
|
| 684 |
raise Http404('Missing or unknown "field_id" provided.')
|
|
| 685 |
widget = getattr(widgets, field_id)() |
|
| 686 |
widget.queryset = widget.get_queryset() |
|
| 683 | 687 |
widget.view = self |
| 684 | 688 |
if hasattr(widget, 'security_check'): |
| 685 | 689 |
if not widget.security_check(self.request, *self.args, **self.kwargs): |
| 686 | 690 |
raise PermissionDenied |
| 687 | 691 |
return widget |
| 688 | 692 | |
| 693 | ||
| 689 | 694 |
select2 = Select2View.as_view() |
| 690 | 695 | |
| 691 | 696 | |
| src/authentic2/manager/widgets.py | ||
|---|---|---|
| 80 | 80 |
return label |
| 81 | 81 | |
| 82 | 82 | |
| 83 |
class ChooseUserWidget(SecurityCheckMixin, ModelSelect2Widget): |
|
| 83 |
class SimpleModelSelect2Widget(ModelSelect2Widget): |
|
| 84 |
def build_attrs(self, *args, **kwargs): |
|
| 85 |
attrs = super(SimpleModelSelect2Widget, self).build_attrs(*args, **kwargs) |
|
| 86 |
attrs['data-field_id'] = self.__class__.__name__ |
|
| 87 |
return attrs |
|
| 88 | ||
| 89 | ||
| 90 |
class SimpleModelSelect2MultipleWidget(ModelSelect2MultipleWidget): |
|
| 91 |
def build_attrs(self, *args, **kwargs): |
|
| 92 |
attrs = super(SimpleModelSelect2MultipleWidget, self).build_attrs(*args, **kwargs) |
|
| 93 |
attrs['data-field_id'] = self.__class__.__name__ |
|
| 94 |
return attrs |
|
| 95 | ||
| 96 | ||
| 97 |
class ChooseUserWidget(SecurityCheckMixin, SimpleModelSelect2Widget): |
|
| 84 | 98 |
model = get_user_model() |
| 85 | 99 |
search_fields = [ |
| 86 | 100 |
'username__icontains', 'first_name__icontains', |
| ... | ... | |
| 91 | 105 |
return utils.label_from_user(user) |
| 92 | 106 | |
| 93 | 107 | |
| 94 |
class ChooseUsersWidget(SecurityCheckMixin, ModelSelect2MultipleWidget): |
|
| 108 |
class ChooseUsersWidget(SecurityCheckMixin, SimpleModelSelect2MultipleWidget):
|
|
| 95 | 109 |
model = get_user_model() |
| 96 | 110 |
search_fields = [ |
| 97 | 111 |
'username__icontains', 'first_name__icontains', |
| ... | ... | |
| 102 | 116 |
return utils.label_from_user(user) |
| 103 | 117 | |
| 104 | 118 | |
| 105 |
class ChooseRoleWidget(RoleLabelMixin, SecurityCheckMixin, ModelSelect2Widget): |
|
| 119 |
class ChooseRoleWidget(RoleLabelMixin, SecurityCheckMixin, SimpleModelSelect2Widget):
|
|
| 106 | 120 |
queryset = get_role_model().objects.exclude(slug__startswith='_') |
| 107 | 121 |
split_term_operator = operator.__and__ |
| 108 | 122 |
search_fields = [ |
| ... | ... | |
| 112 | 126 |
] |
| 113 | 127 | |
| 114 | 128 | |
| 115 |
class ChooseRolesWidget(RoleLabelMixin, SecurityCheckMixin, ModelSelect2MultipleWidget): |
|
| 129 |
class ChooseRolesWidget(RoleLabelMixin, SecurityCheckMixin, SimpleModelSelect2MultipleWidget):
|
|
| 116 | 130 |
queryset = get_role_model().objects.exclude(slug__startswith='_') |
| 117 | 131 |
split_term_operator = operator.__and__ |
| 118 | 132 |
search_fields = [ |
| ... | ... | |
| 122 | 136 |
] |
| 123 | 137 | |
| 124 | 138 | |
| 125 |
class ChooseRolesForChangeWidget(RoleLabelMixin, SecurityCheckMixin, ModelSelect2MultipleWidget): |
|
| 139 |
class ChooseRolesForChangeWidget(RoleLabelMixin, SecurityCheckMixin, SimpleModelSelect2MultipleWidget):
|
|
| 126 | 140 |
operations = ['change'] |
| 127 | 141 |
queryset = get_role_model().objects.all() |
| 128 | 142 |
split_term_operator = operator.__and__ |
| ... | ... | |
| 133 | 147 |
] |
| 134 | 148 | |
| 135 | 149 | |
| 136 |
class ChooseUserRoleWidget(RoleLabelMixin, SecurityCheckMixin, ModelSelect2Widget): |
|
| 150 |
class ChooseUserRoleWidget(RoleLabelMixin, SecurityCheckMixin, SimpleModelSelect2Widget):
|
|
| 137 | 151 |
operations = ['change'] |
| 138 | 152 |
model = get_role_model() |
| 139 | 153 |
search_fields = [ |
| tests/test_manager.py | ||
|---|---|---|
| 842 | 842 | |
| 843 | 843 | |
| 844 | 844 |
def test_roles_widget(admin, app, db): |
| 845 |
from django.core import signing |
|
| 846 | 845 |
from authentic2.manager.forms import ChooseRoleForm |
| 847 | 846 | |
| 848 | 847 |
login(app, admin, '/manage/') |
| ... | ... | |
| 855 | 854 | |
| 856 | 855 |
form = ChooseRoleForm() |
| 857 | 856 |
assert form.as_p() |
| 858 |
field_id = signing.dumps(id(form.fields['role'].widget))
|
|
| 857 |
field_id = form.fields['role'].widget.__class__.__name__
|
|
| 859 | 858 |
url = reverse('django_select2-json')
|
| 860 | 859 |
response = app.get(url, params={'field_id': field_id, 'term': 'Admin'})
|
| 861 | 860 |
assert len(response.json['results']) == 3 |
| ... | ... | |
| 868 | 867 | |
| 869 | 868 | |
| 870 | 869 |
def test_roles_for_change_widget(admin, app, db): |
| 871 |
from django.core import signing |
|
| 872 | 870 |
from authentic2.manager.forms import RolesForChangeForm |
| 873 | 871 | |
| 874 | 872 |
login(app, admin, '/manage/') |
| ... | ... | |
| 877 | 875 | |
| 878 | 876 |
form = RolesForChangeForm() |
| 879 | 877 |
assert form.as_p() |
| 880 |
field_id = signing.dumps(id(form.fields['roles'].widget))
|
|
| 878 |
field_id = form.fields['roles'].widget.__class__.__name__
|
|
| 881 | 879 |
url = reverse('django_select2-json')
|
| 882 | 880 |
response = app.get(url, params={'field_id': field_id, 'term': 'admin'})
|
| 883 | 881 |
assert len(response.json['results']) == 1 |
| 884 |
- |
|